Having the "subcommand" first is more conventional and will make it more natural for future extensions I have planned. Signed-off-by: David Gibson --- test/lib/setup | 28 ++++++++++++++-------------- test/nstool.c | 28 ++++++++++++++-------------- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/test/lib/setup b/test/lib/setup index 3bd434b..e6180b1 100755 --- a/test/lib/setup +++ b/test/lib/setup @@ -77,8 +77,8 @@ setup_pasta() { layout_pasta - context_run_bg unshare "unshare -rUnpf ${NSTOOL} ${STATESETUP}/ns.hold hold" - __target_pid=$(${NSTOOL} ${STATESETUP}/ns.hold pid) + context_run_bg unshare "unshare -rUnpf ${NSTOOL} hold ${STATESETUP}/ns.hold" + __target_pid=$(${NSTOOL} pid ${STATESETUP}/ns.hold) context_setup_nsenter ns -U -n -p --preserve-credentials -t ${__target_pid} @@ -126,9 +126,9 @@ setup_passt_in_ns() { [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" - context_run_bg pasta "./pasta ${__opts} -t 10001,10002,10011,10012 -T 10003,10013 -u 10001,10002,10011,10012 -U 10003,10013 -P ${STATESETUP}/pasta.pid --config-net ${NSTOOL} ${STATESETUP}/ns.hold hold" + context_run_bg pasta "./pasta ${__opts} -t 10001,10002,10011,10012 -T 10003,10013 -u 10001,10002,10011,10012 -U 10003,10013 -P ${STATESETUP}/pasta.pid --config-net ${NSTOOL} hold ${STATESETUP}/ns.hold" wait_for [ -f "${STATESETUP}/pasta.pid" ] - __ns_pid=$(${NSTOOL} ${STATESETUP}/ns.hold pid) + __ns_pid=$(${NSTOOL} pid ${STATESETUP}/ns.hold) context_setup_nsenter qemu "-t ${__ns_pid} -U -n -p --preserve-credentials" context_setup_nsenter ns "-t ${__ns_pid} -U -n -p --preserve-credentials" @@ -189,16 +189,16 @@ setup_two_guests() { [ ${PCAP} -eq 1 ] && __opts="${__opts} -p ${LOGDIR}/pasta_1.pcap" [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" - context_run_bg pasta_1 "./pasta ${__opts} --trace -l /tmp/pasta1.log -P ${STATESETUP}/pasta_1.pid -t 10001,10002 -T 10003,10004 -u 10001,10002 -U 10003,10004 --config-net ${NSTOOL} ${STATESETUP}/ns1.hold hold" - __ns1_pid=$(${NSTOOL} ${STATESETUP}/ns1.hold pid) + context_run_bg pasta_1 "./pasta ${__opts} --trace -l /tmp/pasta1.log -P ${STATESETUP}/pasta_1.pid -t 10001,10002 -T 10003,10004 -u 10001,10002 -U 10003,10004 --config-net ${NSTOOL} hold ${STATESETUP}/ns1.hold" + __ns1_pid=$(${NSTOOL} pid ${STATESETUP}/ns1.hold) context_setup_nsenter passt_1 -U -n -p --preserve-credentials -t ${__ns1_pid} __opts= [ ${PCAP} -eq 1 ] && __opts="${__opts} -p ${LOGDIR}/pasta_2.pcap" [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" - context_run_bg pasta_2 "./pasta ${__opts} --trace -l /tmp/pasta2.log -P ${STATESETUP}/pasta_2.pid -t 10004,10005 -T 10003,10001 -u 10004,10005 -U 10003,10001 --config-net ${NSTOOL} ${STATESETUP}/ns2.hold hold" - __ns2_pid=$(${NSTOOL} ${STATESETUP}/ns2.hold pid) + context_run_bg pasta_2 "./pasta ${__opts} --trace -l /tmp/pasta2.log -P ${STATESETUP}/pasta_2.pid -t 10004,10005 -T 10003,10001 -u 10004,10005 -U 10003,10001 --config-net ${NSTOOL} hold ${STATESETUP}/ns2.hold" + __ns2_pid=$(${NSTOOL} pid ${STATESETUP}/ns2.hold) context_setup_nsenter passt_2 -U -n -p --preserve-credentials -t ${__ns2_pid} context_setup_nsenter qemu_1 -U -n -p --preserve-credentials -t ${__ns1_pid} @@ -284,7 +284,7 @@ teardown_passt() { # teardown_pasta() - Exit namespace, kill pasta process teardown_pasta() { - ${NSTOOL} "${STATESETUP}/ns.hold" stop + ${NSTOOL} stop "${STATESETUP}/ns.hold" context_wait unshare teardown_context_watch ${PANE_HOST} host @@ -297,7 +297,7 @@ teardown_passt_in_ns() { context_run ns kill $(cat "${STATESETUP}/qemu.pid") context_wait qemu - ${NSTOOL} "${STATESETUP}/ns.hold" stop + ${NSTOOL} stop "${STATESETUP}/ns.hold" context_wait pasta rm "${STATESETUP}/passt.pid" "${STATESETUP}/pasta.pid" @@ -310,8 +310,8 @@ teardown_passt_in_ns() { # teardown_two_guests() - Exit namespaces, kill qemu processes, passt and pasta teardown_two_guests() { - __ns1_pid=$(${NSTOOL} "${STATESETUP}/ns1.hold" pid) - __ns2_pid=$(${NSTOOL} "${STATESETUP}/ns2.hold" pid) + __ns1_pid=$(${NSTOOL} pid "${STATESETUP}/ns1.hold") + __ns2_pid=$(${NSTOOL} pid "${STATESETUP}/ns2.hold") nsenter -U -p --preserve-credentials -t ${__ns1_pid} kill $(cat "${STATESETUP}/qemu_1.pid") nsenter -U -p --preserve-credentials -t ${__ns2_pid} kill $(cat "${STATESETUP}/qemu_2.pid") context_wait qemu_1 @@ -321,8 +321,8 @@ teardown_two_guests() { nsenter -U -p --preserve-credentials -t ${__ns2_pid} kill $(cat "${STATESETUP}/passt_2.pid") context_wait passt_1 context_wait passt_2 - ${NSTOOL} "${STATESETUP}/ns1.hold" stop - ${NSTOOL} "${STATESETUP}/ns2.hold" stop + ${NSTOOL} stop "${STATESETUP}/ns1.hold" + ${NSTOOL} stop "${STATESETUP}/ns2.hold" context_wait pasta_1 context_wait pasta_2 diff --git a/test/nstool.c b/test/nstool.c index 958ece7..c38d96f 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -7,17 +7,17 @@ * * Can run in 3 modes: * - * nstool <path> hold + * nstool hold <path> * Designed to be run inside a namespace, opens a Unix domain * control socket at <path> and waits until instructed to stop - * with "nstool <path> stop" - * nstool <path> pid - * Prints the PID of the nstool hold process with control - * socket <path>. This is given in the PID namespace where - * nstool pid is executed, not the one where nstool hold is - * running - * nstool <path> stop - * Instruct the nstool hold with control socket at <path> to exit. + * with "nstool stop <path>" + * nstool pid <path> + * Prints the PID of the nstool hold process with control socket + * <path>. This is given in the PID namespace where nstool pid + * is executed, not the one where nstool hold is running + * nstool stop <path> + * Instruct the nstool hold with control socket at <path> to + * exit. */ #define _GNU_SOURCE @@ -38,7 +38,7 @@ static void usage(void) { - die("Usage: nstool <socket path> hold|pid\n"); + die("Usage: nstool hold|pid|stop <socket path>\n"); } static void hold(int fd, const struct sockaddr_un *addr) @@ -119,18 +119,18 @@ int main(int argc, char *argv[]) if (argc != 3) usage(); - sockname = argv[1]; + sockname = argv[2]; strncpy(sockaddr.sun_path, sockname, UNIX_PATH_MAX); fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); if (fd < 0) die("socket(): %s\n", strerror(errno)); - if (strcmp(argv[2], "hold") == 0) + if (strcmp(argv[1], "hold") == 0) hold(fd, &sockaddr); - else if (strcmp(argv[2], "pid") == 0) + else if (strcmp(argv[1], "pid") == 0) pid(fd, &sockaddr); - else if (strcmp(argv[2], "stop") == 0) + else if (strcmp(argv[1], "stop") == 0) stop(fd, &sockaddr); else usage(); -- 2.39.2

This will make it easier to differentiate the options to those commands further in future. Signed-off-by: David Gibson --- test/nstool.c | 102 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 68 insertions(+), 34 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index 92909c2..c75d458 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include #include @@ -37,19 +38,55 @@ static void usage(void) " terminate.\n"); } -static void hold(int fd, const struct sockaddr_un *addr) +static int connect_ctl(const char * sockpath, bool wait) { + int fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); + struct sockaddr_un addr = { + .sun_family = AF_UNIX, + }; int rc; - rc = bind(fd, (struct sockaddr *)addr, sizeof(*addr)); + if (fd < 0) + die("socket(): %s\n", strerror(errno)); + + strncpy(addr.sun_path, sockpath, UNIX_PATH_MAX); + + do { + rc = connect(fd, (struct sockaddr *)&addr, sizeof(addr)); + if (rc < 0 && + (!wait || (errno != ENOENT && errno != ECONNREFUSED))) + die("connect() to %s: %s\n", sockpath, strerror(errno)); + } while (rc < 0); + + return fd; +} + +static void cmd_hold(int argc, char *argv[]) +{ + int fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); + struct sockaddr_un addr = { + .sun_family = AF_UNIX, + }; + const char *sockpath = argv[1]; + int rc; + + if (argc != 2) + usage(); + + if (fd < 0) + die("socket(): %s\n", strerror(errno)); + + strncpy(addr.sun_path, sockpath, UNIX_PATH_MAX); + + rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr)); if (rc < 0) - die("bind(): %s\n", strerror(errno)); + die("bind() to %s: %s\n", sockpath, strerror(errno)); rc = listen(fd, 0); if (rc < 0) - die("listen(): %s\n", strerror(errno)); + die("listen() on %s: %s\n", sockpath, strerror(errno)); - printf("nstool: local PID=%d local UID=%u local GID=%u\n", + printf("nstool hold: local PID=%d local UID=%u local GID=%u\n", getpid(), getuid(), getgid()); do { int afd = accept(fd, NULL, NULL); @@ -63,71 +100,68 @@ static void hold(int fd, const struct sockaddr_un *addr) die("read(): %s\n", strerror(errno)); } while (rc == 0); - unlink(addr->sun_path); + unlink(sockpath); } -static void pid(int fd, const struct sockaddr_un *addr) +static void cmd_pid(int argc, char *argv[]) { - int rc; + const char *sockpath = argv[1]; struct ucred peercred; socklen_t optlen = sizeof(peercred); + int fd, rc; - do { - rc = connect(fd, (struct sockaddr *)addr, sizeof(*addr)); - if (rc < 0 && errno != ENOENT && errno != ECONNREFUSED) - die("connect(): %s\n", strerror(errno)); - } while (rc < 0); + if (argc != 2) + usage(); + + fd = connect_ctl(sockpath, true); rc = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &peercred, &optlen); if (rc < 0) - die("getsockopet(SO_PEERCRED): %s\n", strerror(errno)); + die("getsockopet(SO_PEERCRED) %s: %s\n", + sockpath, strerror(errno)); close(fd); printf("%d\n", peercred.pid); } -static void stop(int fd, const struct sockaddr_un *addr) +static void cmd_stop(int argc, char *argv[]) { - int rc; + const char *sockpath = argv[1]; + int fd, rc; char buf = 'Q'; - rc = connect(fd, (struct sockaddr *)addr, sizeof(*addr)); - if (rc < 0) - die("connect(): %s\n", strerror(errno)); + if (argc != 2) + usage(); + + fd = connect_ctl(sockpath, false); rc = write(fd, &buf, sizeof(buf)); if (rc < 0) - die("write(): %s\n", strerror(errno)); + die("write() to %s: %s\n", sockpath, strerror(errno)); close(fd); } int main(int argc, char *argv[]) { + const char *subcmd = argv[1]; int fd; - const char *sockname; - struct sockaddr_un sockaddr = { - .sun_family = AF_UNIX, - }; - if (argc != 3) + if (argc < 2) usage(); - sockname = argv[2]; - strncpy(sockaddr.sun_path, sockname, UNIX_PATH_MAX); - fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); if (fd < 0) die("socket(): %s\n", strerror(errno)); - if (strcmp(argv[1], "hold") == 0) - hold(fd, &sockaddr); - else if (strcmp(argv[1], "pid") == 0) - pid(fd, &sockaddr); - else if (strcmp(argv[1], "stop") == 0) - stop(fd, &sockaddr); + if (strcmp(subcmd, "hold") == 0) + cmd_hold(argc - 1, argv + 1); + else if (strcmp(subcmd, "pid") == 0) + cmd_pid(argc - 1, argv + 1); + else if (strcmp(subcmd, "stop") == 0) + cmd_stop(argc - 1, argv + 1); else usage(); -- 2.39.2

Give nstool the ability to detect what namespaces the target process is in, relative to where it's called. That is, those namespace types for which the target is not in the same namespace as the caller. For now, just print this information with "info", which can be useful for debugging. Signed-off-by: David Gibson --- test/nstool.c | 157 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 143 insertions(+), 14 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index 5f54439..146b66e 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -15,8 +15,13 @@ #include #include #include +#include +#include #include #include +#include + +#define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0]))) #define die(...) \ do { \ @@ -24,6 +29,28 @@ exit(1); \ } while (0) +struct ns_type { + int flag; + const char *name; +}; + +const struct ns_type nstypes[] = { + { CLONE_NEWCGROUP, "cgroup" }, + { CLONE_NEWIPC, "ipc" }, + { CLONE_NEWNET, "net" }, + { CLONE_NEWNS, "mnt" }, + { CLONE_NEWPID, "pid" }, + { CLONE_NEWTIME, "time" }, + { CLONE_NEWUSER, "user" }, + { CLONE_NEWUTS, "uts" }, +}; + +struct holder_info { + pid_t pid; + uid_t uid; + gid_t gid; +}; + static void usage(void) { die("Usage:\n" @@ -41,12 +68,16 @@ static void usage(void) " terminate.\n"); } -static int connect_ctl(const char * sockpath, bool wait) +static int connect_ctl(const char *sockpath, bool wait, + struct holder_info *info, + struct ucred *peercred) { int fd = socket(AF_UNIX, SOCK_STREAM, PF_UNIX); struct sockaddr_un addr = { .sun_family = AF_UNIX, }; + struct holder_info discard; + ssize_t len; int rc; if (fd < 0) @@ -61,6 +92,28 @@ static int connect_ctl(const char * sockpath, bool wait) die("connect() to %s: %s\n", sockpath, strerror(errno)); } while (rc < 0); + if (!info) + info = &discard; + + /* Always read the info structure, even if we don't need it, + * so that the holder doesn't get a broken pipe error + */ + len = read(fd, info, sizeof(*info)); + if (len < 0) + die("read() on control socket %s: %s\n", sockpath, strerror(errno)); + if ((size_t)len < sizeof(*info)) + die("short read() on control socket %s\n", sockpath); + + if (peercred) { + socklen_t optlen = sizeof(*peercred); + + rc = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, + peercred, &optlen); + if (rc < 0) + die("getsockopet(SO_PEERCRED) %s: %s\n", + sockpath, strerror(errno)); + } + return fd; } @@ -71,6 +124,7 @@ static void cmd_hold(int argc, char *argv[]) .sun_family = AF_UNIX, }; const char *sockpath = argv[1]; + struct holder_info info; int rc; if (argc != 2) @@ -89,8 +143,10 @@ static void cmd_hold(int argc, char *argv[]) if (rc < 0) die("listen() on %s: %s\n", sockpath, strerror(errno)); - printf("nstool hold: local PID=%d local UID=%u local GID=%u\n", - getpid(), getuid(), getgid()); + info.pid = getpid(); + info.uid = getuid(); + info.gid = getgid(); + do { int afd = accept(fd, NULL, NULL); char buf; @@ -98,6 +154,12 @@ static void cmd_hold(int argc, char *argv[]) if (afd < 0) die("accept(): %s\n", strerror(errno)); + rc = write(afd, &info, sizeof(info)); + if (rc < 0) + die("write(): %s\n", strerror(errno)); + if ((size_t)rc < sizeof(info)) + die("short write() on control socket\n"); + rc = read(afd, &buf, sizeof(buf)); if (rc < 0) die("read(): %s\n", strerror(errno)); @@ -106,6 +168,68 @@ static void cmd_hold(int argc, char *argv[]) unlink(sockpath); } +static ssize_t getlink(char *buf, size_t bufsiz, const char *fmt, ...) +{ + char linkpath[PATH_MAX]; + ssize_t linklen; + va_list ap; + + va_start(ap, fmt); + if (vsnprintf(linkpath, sizeof(linkpath), fmt, ap) >= PATH_MAX) + die("Truncated path \"%s\"\n", linkpath); + va_end(ap); + + linklen = readlink(linkpath, buf, bufsiz); + if (linklen < 0) + die("readlink() on %s: %s\n", linkpath, strerror(errno)); + if ((size_t)linklen >= bufsiz) + die("Target of symbolic link %s is too long\n", linkpath); + + return linklen; +} + +static int detect_namespaces(pid_t pid) +{ + int i; + int flags = 0; + + for (i = 0; i < ARRAY_SIZE(nstypes); i++) { + const struct ns_type *nst = &nstypes[i]; + char selflink[PATH_MAX], pidlink[PATH_MAX]; + ssize_t selflen, pidlen; + + selflen = getlink(selflink, sizeof(selflink), + "/proc/self/ns/%s", nst->name); + pidlen = getlink(pidlink, sizeof(pidlink), + "/proc/%d/ns/%s", pid, nst->name); + + if ((selflen != pidlen) || memcmp(selflink, pidlink, selflen)) + flags |= nst->flag; + } + + return flags; +} + +static void print_nstypes(int flags) +{ + bool first = true; + int i; + + for (i = 0; i < ARRAY_SIZE(nstypes); i++) { + const struct ns_type *nst = &nstypes[i]; + + if (!(flags & nst->flag)) + continue; + + printf("%s%s", first ? "" : ", " , nst->name); + first = false; + flags &= ~nst->flag; + } + + if (flags) + printf("%s0x%x", first ? "" : ", ", flags); +} + static void cmd_info(int argc, char *argv[]) { const struct option options[] = { @@ -114,11 +238,11 @@ static void cmd_info(int argc, char *argv[]) { 0 }, }; bool pidonly = false, waitforsock = false; - struct ucred peercred; - socklen_t optlen = sizeof(peercred); const char *optstring = "pw"; + struct holder_info info; + struct ucred peercred; const char *sockpath; - int fd, rc, opt; + int fd, opt; do { opt = getopt_long(argc, argv, optstring, options, NULL); @@ -144,23 +268,28 @@ static void cmd_info(int argc, char *argv[]) sockpath = argv[optind]; - fd = connect_ctl(sockpath, waitforsock); - - rc = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, - &peercred, &optlen); - if (rc < 0) - die("getsockopet(SO_PEERCRED) %s: %s\n", - sockpath, strerror(errno)); + fd = connect_ctl(sockpath, waitforsock, &info, &peercred); close(fd); if (pidonly) { printf("%d\n", peercred.pid); } else { + int flags = detect_namespaces(peercred.pid); + + printf("Namespaces: "); + print_nstypes(flags); + printf("\n"); + printf("As seen from calling context:\n"); printf("\tPID:\t%d\n", peercred.pid); printf("\tUID:\t%u\n", peercred.uid); printf("\tGID:\t%u\n", peercred.gid); + + printf("As seen from holding context:\n"); + printf("\tPID:\t%d\n", info.pid); + printf("\tUID:\t%u\n", info.uid); + printf("\tGID:\t%u\n", info.gid); } } @@ -173,7 +302,7 @@ static void cmd_stop(int argc, char *argv[]) if (argc != 2) usage(); - fd = connect_ctl(sockpath, false); + fd = connect_ctl(sockpath, false, NULL, NULL); rc = write(fd, &buf, sizeof(buf)); if (rc < 0) -- 2.39.2

Will make things a bit less verbose in future. Signed-off-by: David Gibson --- test/nstool.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index 7b222dd..b70b053 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -46,6 +46,14 @@ const struct ns_type nstypes[] = { { CLONE_NEWUTS, "uts" }, }; +#define for_each_nst(_nst, _flags) \ + for ((_nst) = &nstypes[0]; \ + ((_nst) - nstypes) < ARRAY_SIZE(nstypes); \ + (_nst)++) \ + if ((_flags) & (_nst)->flag) + +#define for_every_nst(_nst) for_each_nst(_nst, INT_MAX) + #define NSTOOL_MAGIC 0x7570017575601d75ULL struct holder_info { @@ -199,11 +207,10 @@ static ssize_t getlink(char *buf, size_t bufsiz, const char *fmt, ...) static int detect_namespaces(pid_t pid) { - int i; + const struct ns_type *nst; int flags = 0; - for (i = 0; i < ARRAY_SIZE(nstypes); i++) { - const struct ns_type *nst = &nstypes[i]; + for_every_nst(nst) { char selflink[PATH_MAX], pidlink[PATH_MAX]; ssize_t selflen, pidlen; @@ -221,15 +228,10 @@ static int detect_namespaces(pid_t pid) static void print_nstypes(int flags) { + const struct ns_type *nst; bool first = true; - int i; - - for (i = 0; i < ARRAY_SIZE(nstypes); i++) { - const struct ns_type *nst = &nstypes[i]; - - if (!(flags & nst->flag)) - continue; + for_each_nst(nst, flags) { printf("%s%s", first ? "" : ", " , nst->name); first = false; flags &= ~nst->flag; -- 2.39.2

This allows you to run commands within a user namespace with the privilege that comes from owning that userns. Signed-off-by: David Gibson --- test/nstool.c | 87 +++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 78 insertions(+), 9 deletions(-) diff --git a/test/nstool.c b/test/nstool.c index 5aa14b8..c224d23 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -19,10 +19,15 @@ #include #include #include +#include +#include #include #include +#include +#include #include #include +#include #define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0]))) @@ -75,11 +80,13 @@ static void usage(void) " nstool info [-pw] pid SOCK\n" " Print information about the nstool hold process with control\n" " socket at SOCK\n" - " -p Print just the holder's PID as seen by the caller\n" - " -w Retry connecting to SOCK until it is ready\n" - " nstool exec SOCK [COMMAND [ARGS...]]\n" + " -p Print just the holder's PID as seen by the caller\n" + " -w Retry connecting to SOCK until it is ready\n" + " nstool exec [--keep-caps] SOCK [COMMAND [ARGS...]]\n" " Execute command or shell in the namespaces of the nstool hold\n" " with control socket at SOCK\n" + " --keep-caps Give all possible capabilities to COMMAND via\n" + " the ambient capability mask\n" " nstool stop SOCK\n" " Instruct the nstool hold with control socket at SOCK to\n" " terminate.\n"); @@ -278,7 +285,6 @@ static void cmd_info(int argc, char *argv[]) } while (opt != -1); if (optind != argc - 1) { - fprintf(stderr, "B\n"); usage(); } @@ -359,21 +365,81 @@ static void wait_for_child(pid_t pid) die("Unexpected status for child %d\n", pid); } +static void caps_to_ambient(void) +{ + /* Use raw system calls to avoid the overly complex caps + * libraries. */ + struct __user_cap_header_struct header = { + .version = _LINUX_CAPABILITY_VERSION_3, + .pid = 0, + }; + struct __user_cap_data_struct payload[_LINUX_CAPABILITY_U32S_3] = + {{ 0 }}; + uint64_t effective, cap; + + if (syscall(SYS_capget, &header, payload) < 0) + die("capget(): %s\n", strerror(errno)); + + /* First make caps inheritable */ + payload[0].inheritable = payload[0].permitted; + payload[1].inheritable = payload[1].permitted; + + if (syscall(SYS_capset, &header, payload) < 0) + die("capset(): %s\n", strerror(errno)); + + effective = ((uint64_t)payload[1].effective << 32) | (uint64_t)payload[0].effective; + + for (cap = 0; cap < (sizeof(effective) * 8); cap++) { + /* Skip non-existent caps */ + if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) < 0) + continue; + + if ((effective & (1 << cap)) + && prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0) + die("prctl(PR_CAP_AMBIENT): %s\n", strerror(errno)); + } +} + static void cmd_exec(int argc, char *argv[]) { + enum { + OPT_EXEC_KEEPCAPS = CHAR_MAX + 1, + }; + const struct option options[] = { + {"keep-caps", no_argument, NULL, OPT_EXEC_KEEPCAPS }, + { 0 }, + }; const char *shargs[] = { NULL, NULL }; const char *sockpath = argv[1]; int nfd[ARRAY_SIZE(nstypes)]; + const char *optstring = ""; const struct ns_type *nst; + int ctlfd, flags, opt, rc; const char *const *xargs; + bool keepcaps = false; struct ucred peercred; - int ctlfd, flags, rc; const char *exe; pid_t xpid; - if (argc < 2) + do { + opt = getopt_long(argc, argv, optstring, options, NULL); + + switch (opt) { + case OPT_EXEC_KEEPCAPS: + keepcaps = true; + break; + case -1: + break; + default: + usage(); + } + } while (opt != -1); + + if (argc < optind + 1) usage(); + sockpath = argv[optind]; + ctlfd = connect_ctl(sockpath, false, NULL, &peercred); flags = detect_namespaces(peercred.pid); @@ -418,9 +484,9 @@ static void cmd_exec(int argc, char *argv[]) } /* CHILD */ - if (argc > 2) { - exe = argv[2]; - xargs = (const char * const*)(argv + 2); + if (argc > optind + 1) { + exe = argv[optind + 1]; + xargs = (const char * const*)(argv + optind + 1); } else { exe = getenv("SHELL"); if (!exe) @@ -431,6 +497,9 @@ static void cmd_exec(int argc, char *argv[]) xargs = shargs; } + if (keepcaps) + caps_to_ambient(); + rc = execvp(exe, (char *const *)xargs); if (rc < 0) die("execv() %s: %s\n", exe, strerror(errno)); -- 2.39.2

Using this, rather than using "nstool info" to get the pid then manually connecting with nsenter makes things a little simpler. Signed-off-by: David Gibson --- test/lib/context | 14 +++++++++----- test/lib/setup | 33 +++++++++++++-------------------- test/run | 2 +- 3 files changed, 23 insertions(+), 26 deletions(-) diff --git a/test/lib/context b/test/lib/context index ee6b683..4938952 100644 --- a/test/lib/context +++ b/test/lib/context @@ -13,6 +13,8 @@ # Copyright Red Hat # Author: David Gibson +NSTOOL="${BASEPATH}/nstool" + # context_setup_common() - Create outline of a new context # $1: Context name context_setup_common() { @@ -30,15 +32,17 @@ context_setup_host() { echo sh -c > "${__enter}" } -# context_setup_nsenter() - Create a new context for running commands in a namespace +# context_setup_nstool() - Create a new context for running commands with nstool exec # $1: Context name -# $2: Namespace PID -context_setup_nsenter() { +# $2: nstool control socket +context_setup_nstool() { __name="$1" - shift + __sock="$2" __enter="${STATESETUP}/context_${__name}.enter" + # Wait for the ns to be ready + ${NSTOOL} info -w "${__sock}" > /dev/null context_setup_common "${__name}" - echo "nsenter $@ sh -c" > "${__enter}" + echo "${NSTOOL} exec ${__sock} -- sh -c" > "${__enter}" } # context_setup_guest() - Create a new context for running commands in a guest diff --git a/test/lib/setup b/test/lib/setup index 6d7644a..28f6a57 100755 --- a/test/lib/setup +++ b/test/lib/setup @@ -17,7 +17,6 @@ INITRAMFS="${BASEPATH}/mbuto.img" VCPUS="$( [ $(nproc) -ge 8 ] && echo 6 || echo $(( $(nproc) / 2 + 1 )) )" __mem_kib="$(sed -n 's/MemTotal:[ ]*\([0-9]*\) kB/\1/p' /proc/meminfo)" VMEM="$((${__mem_kib} / 1024 / 4))" -NSTOOL="${BASEPATH}/nstool" # setup_build() - Set up pane layout for build tests setup_build() { @@ -78,9 +77,8 @@ setup_pasta() { layout_pasta context_run_bg unshare "unshare -rUnpf ${NSTOOL} hold ${STATESETUP}/ns.hold" - __target_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns.hold) - context_setup_nsenter ns -U -n -p --preserve-credentials -t ${__target_pid} + context_setup_nstool ns ${STATESETUP}/ns.hold # Ports: # @@ -94,7 +92,7 @@ setup_pasta() { [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" - context_run_bg passt "./pasta ${__opts} -f -t 10002 -T 10003 -u 10002 -U 10003 -P ${STATESETUP}/passt.pid ${__target_pid}" + context_run_bg passt "./pasta ${__opts} -f -t 10002 -T 10003 -u 10002 -U 10003 -P ${STATESETUP}/passt.pid $(${NSTOOL} info -pw ${STATESETUP}/ns.hold)" # pidfile isn't created until pasta is ready wait_for [ -f "${STATESETUP}/passt.pid" ] @@ -128,11 +126,10 @@ setup_passt_in_ns() { context_run_bg pasta "./pasta ${__opts} -t 10001,10002,10011,10012 -T 10003,10013 -u 10001,10002,10011,10012 -U 10003,10013 -P ${STATESETUP}/pasta.pid --config-net ${NSTOOL} hold ${STATESETUP}/ns.hold" wait_for [ -f "${STATESETUP}/pasta.pid" ] - __ns_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns.hold) - context_setup_nsenter qemu "-t ${__ns_pid} -U -n -p --preserve-credentials" - context_setup_nsenter ns "-t ${__ns_pid} -U -n -p --preserve-credentials" - context_setup_nsenter passt "-t ${__ns_pid} -U -n -p --preserve-credentials" + context_setup_nstool qemu ${STATESETUP}/ns.hold + context_setup_nstool ns ${STATESETUP}/ns.hold + context_setup_nstool passt ${STATESETUP}/ns.hold __opts= [ ${PCAP} -eq 1 ] && __opts="${__opts} -p ${LOGDIR}/passt_in_pasta.pcap" @@ -190,19 +187,17 @@ setup_two_guests() { [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" context_run_bg pasta_1 "./pasta ${__opts} --trace -l /tmp/pasta1.log -P ${STATESETUP}/pasta_1.pid -t 10001,10002 -T 10003,10004 -u 10001,10002 -U 10003,10004 --config-net ${NSTOOL} hold ${STATESETUP}/ns1.hold" - __ns1_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns1.hold) - context_setup_nsenter passt_1 -U -n -p --preserve-credentials -t ${__ns1_pid} + context_setup_nstool passt_1 ${STATESETUP}/ns1.hold __opts= [ ${PCAP} -eq 1 ] && __opts="${__opts} -p ${LOGDIR}/pasta_2.pcap" [ ${DEBUG} -eq 1 ] && __opts="${__opts} -d" [ ${TRACE} -eq 1 ] && __opts="${__opts} --trace" context_run_bg pasta_2 "./pasta ${__opts} --trace -l /tmp/pasta2.log -P ${STATESETUP}/pasta_2.pid -t 10004,10005 -T 10003,10001 -u 10004,10005 -U 10003,10001 --config-net ${NSTOOL} hold ${STATESETUP}/ns2.hold" - __ns2_pid=$(${NSTOOL} info -pw ${STATESETUP}/ns2.hold) - context_setup_nsenter passt_2 -U -n -p --preserve-credentials -t ${__ns2_pid} + context_setup_nstool passt_2 ${STATESETUP}/ns2.hold - context_setup_nsenter qemu_1 -U -n -p --preserve-credentials -t ${__ns1_pid} - context_setup_nsenter qemu_2 -U -n -p --preserve-credentials -t ${__ns2_pid} + context_setup_nstool qemu_1 ${STATESETUP}/ns1.hold + context_setup_nstool qemu_2 ${STATESETUP}/ns2.hold __ifname="$(context_run qemu_1 "ip -j link show | jq -rM '.[] | select(.link_type == \"ether\").ifname'")" @@ -310,15 +305,13 @@ teardown_passt_in_ns() { # teardown_two_guests() - Exit namespaces, kill qemu processes, passt and pasta teardown_two_guests() { - __ns1_pid=$(${NSTOOL} info -pw "${STATESETUP}/ns1.hold") - __ns2_pid=$(${NSTOOL} info -pw "${STATESETUP}/ns2.hold") - nsenter -U -p --preserve-credentials -t ${__ns1_pid} kill $(cat "${STATESETUP}/qemu_1.pid") - nsenter -U -p --preserve-credentials -t ${__ns2_pid} kill $(cat "${STATESETUP}/qemu_2.pid") + ${NSTOOL} exec ${STATESETUP}/ns1.hold -- kill $(cat "${STATESETUP}/qemu_1.pid") + ${NSTOOL} exec ${STATESETUP}/ns2.hold -- kill $(cat "${STATESETUP}/qemu_2.pid") context_wait qemu_1 context_wait qemu_2 - nsenter -U -p --preserve-credentials -t ${__ns1_pid} kill $(cat "${STATESETUP}/passt_1.pid") - nsenter -U -p --preserve-credentials -t ${__ns2_pid} kill $(cat "${STATESETUP}/passt_2.pid") + ${NSTOOL} exec ${STATESETUP}/ns1.hold -- kill $(cat "${STATESETUP}/passt_1.pid") + ${NSTOOL} exec ${STATESETUP}/ns2.hold -- kill $(cat "${STATESETUP}/passt_2.pid") context_wait passt_1 context_wait passt_2 ${NSTOOL} stop "${STATESETUP}/ns1.hold" diff --git a/test/run b/test/run index 1945c7b..447d831 100755 --- a/test/run +++ b/test/run @@ -41,9 +41,9 @@ PCAP=${PCAP:-0} COMMIT="$(git log --oneline --no-decorate -1)" . lib/util +. lib/context . lib/setup . lib/setup_ugly -. lib/context . lib/term . lib/perf_report . lib/layout -- 2.39.2

If we enter a mount namespace with nstool exec our working directory will be changed to / in the new mount ns. This is surprising if we haven't actually altered any mounts yet in the new ns. Instead, change the working directory to match that of the holder process in this situation. Signed-off-by: David Gibson --- test/nstool.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/test/nstool.c b/test/nstool.c index ece566e..48f4b77 100644 --- a/test/nstool.c +++ b/test/nstool.c @@ -420,6 +420,7 @@ static void cmd_exec(int argc, char *argv[]) const struct ns_type *nst; int ctlfd, flags, opt, rc; const char *const *xargs; + struct holder_info info; bool keepcaps = false; struct ucred peercred; const char *exe; @@ -444,7 +445,7 @@ static void cmd_exec(int argc, char *argv[]) sockpath = argv[optind]; - ctlfd = connect_ctl(sockpath, false, NULL, &peercred); + ctlfd = connect_ctl(sockpath, false, &info, &peercred); flags = detect_namespaces(peercred.pid); @@ -475,6 +476,15 @@ static void cmd_exec(int argc, char *argv[]) nst->name, strerror(errno)); } + /* If we've entered a mount ns, our cwd has changed to /. + * Switch to the cwd of the holder, which is probably less + * surprising. */ + if (flags & CLONE_NEWNS) { + rc = chdir(info.cwd); + if (rc < 0) + die("chdir(\"%s\"): %s\n", info.cwd, strerror(errno)); + } + /* Fork to properly enter PID namespace */ xpid = fork(); if (xpid < 0) -- 2.39.2