From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 290F41FF189
	for <inbox@lore.proxmox.com>; Fri, 21 Mar 2025 14:51:54 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 332FC1FC9D;
	Fri, 21 Mar 2025 14:50:00 +0100 (CET)
From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Fri, 21 Mar 2025 14:48:44 +0100
Message-Id: <20250321134852.103871-25-f.ebner@proxmox.com>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250321134852.103871-1-f.ebner@proxmox.com>
References: <20250321134852.103871-1-f.ebner@proxmox.com>
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  0
 AWL -0.041 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: [pve-devel] [PATCH container v5 24/32] add LXC::Namespaces module
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pve-devel-bounces@lists.proxmox.com
Sender: "pve-devel" <pve-devel-bounces@lists.proxmox.com>

The module includes a run_in_userns() helper to run a Perl subroutine
in a user namespace.

The first use case is running the container backup subroutine for
external providers inside a user namespace. That allows them to see
the filesystem to back-up from the containers perspective and also
improves security because of isolation.

Heavily adapted from code by Wolfgang from the pve-buildpkg
repository.

Originally-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
[FE: add $idmap parameter, drop $aux_groups parameter
     use different fork helper
     use newuidmap and newgidmap binaries]
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 src/PVE/LXC/Makefile      |  1 +
 src/PVE/LXC/Namespaces.pm | 60 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 src/PVE/LXC/Namespaces.pm

diff --git a/src/PVE/LXC/Makefile b/src/PVE/LXC/Makefile
index a190260..4b05e98 100644
--- a/src/PVE/LXC/Makefile
+++ b/src/PVE/LXC/Makefile
@@ -5,6 +5,7 @@ SOURCES= \
 	Create.pm \
 	Migrate.pm \
 	Monitor.pm \
+	Namespaces.pm \
 	Setup.pm \
 	Tools.pm
 
diff --git a/src/PVE/LXC/Namespaces.pm b/src/PVE/LXC/Namespaces.pm
new file mode 100644
index 0000000..e4b1e5f
--- /dev/null
+++ b/src/PVE/LXC/Namespaces.pm
@@ -0,0 +1,60 @@
+package PVE::LXC::Namespaces;
+
+use strict;
+use warnings;
+
+use Fcntl qw(O_WRONLY);
+use Socket;
+
+use PVE::Tools;
+
+use constant {CLONE_NEWNS   => 0x00020000,
+              CLONE_NEWUSER => 0x10000000};
+
+my sub set_id_map($$) {
+    my ($pid, $id_map) = @_;
+
+    my @gid_args = ();
+    my @uid_args = ();
+
+    for my $map ($id_map->@*) {
+	my ($type, $ct, $host, $length) = $map->@*;
+
+	push @gid_args, $ct, $host, $length if $type eq 'g';
+	push @uid_args, $ct, $host, $length if $type eq 'u';
+    }
+
+    PVE::Tools::run_command(['newgidmap', $pid, @gid_args]) if scalar(@gid_args);
+    PVE::Tools::run_command(['newuidmap', $pid, @uid_args]) if scalar(@uid_args);
+}
+
+sub run_in_userns(&;$) {
+    my ($code, $id_map) = @_;
+    socketpair(my $sp, my $sc, AF_UNIX, SOCK_STREAM, PF_UNSPEC)
+	or die "socketpair: $!\n";
+    my $child = sub {
+	close($sp);
+	PVE::Tools::unshare(CLONE_NEWUSER|CLONE_NEWNS) or die "unshare(NEWUSER|NEWNS): $!\n";
+	syswrite($sc, "1\n") == 2 or die "write: $!\n";
+	shutdown($sc, 1);
+	my $two = <$sc>;
+	die "failed to sync with parent process\n" if $two ne "2\n";
+	close($sc);
+	$! = undef;
+	($(, $)) = (0, 0); die "$!\n" if $!;
+	($<, $>) = (0, 0); die "$!\n" if $!;
+	return $code->();
+    };
+    my $parent = sub {
+	my ($pid) = @_;
+	close($sc);
+	my $one = <$sp>;
+	die "failed to sync with userprocess\n" if $one ne "1\n";
+	set_id_map($pid, $id_map);
+	syswrite($sp, "2\n") == 2 or die "write: $!\n";
+	close($sp);
+    };
+    PVE::Tools::run_fork($child, { afterfork => $parent });
+}
+
+1;
-- 
2.39.5



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel