From 27a226ad287eba4883084691f1851a00f2ce1649 Mon Sep 17 00:00:00 2001 From: Robert Swiecki Date: Fri, 9 Feb 2018 18:08:11 +0100 Subject: [PATCH] user: move to C++ --- Makefile | 17 +++++++------ cmdline.cc | 10 ++++---- config.cc | 6 ++--- contain.cc | 4 ++-- subproc.cc | 6 ++--- user.c => user.cc | 61 ++++++++++++++++++++++++++--------------------- user.h | 12 ++++++---- 7 files changed, 63 insertions(+), 53 deletions(-) rename user.c => user.cc (85%) diff --git a/Makefile b/Makefile index 4df5306..b77356b 100644 --- a/Makefile +++ b/Makefile @@ -100,20 +100,19 @@ indent: log.o: log.h nsjail.h cgroup.o: cgroup.h nsjail.h log.h util.h mount.o: mount.h nsjail.h common.h log.h subproc.h util.h -user.o: user.h nsjail.h common.h log.h subproc.h util.h util.o: util.h nsjail.h common.h log.h caps.o: caps.h nsjail.h common.h log.h util.h -cmdline.o: cmdline.h nsjail.h common.h log.h mount.h user.h util.h caps.h -cmdline.o: config.h sandbox.h -config.o: common.h config.h nsjail.h log.h mount.h user.h util.h caps.h -config.o: cmdline.h -contain.o: contain.h nsjail.h cgroup.h log.h mount.h user.h caps.h cpu.h -contain.o: net.h pid.h uts.h +cmdline.o: cmdline.h nsjail.h common.h log.h mount.h util.h caps.h config.h +cmdline.o: sandbox.h user.h +config.o: common.h config.h nsjail.h log.h mount.h util.h caps.h cmdline.h +config.o: user.h +contain.o: contain.h nsjail.h cgroup.h log.h mount.h caps.h cpu.h net.h pid.h +contain.o: user.h uts.h cpu.o: cpu.h nsjail.h log.h util.h net.o: net.h nsjail.h log.h subproc.h nsjail.o: nsjail.h cmdline.h common.h log.h net.h subproc.h util.h pid.o: pid.h nsjail.h log.h subproc.h sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h log.h -subproc.o: subproc.h nsjail.h contain.h net.h sandbox.h cgroup.h common.h -subproc.o: log.h user.h util.h +subproc.o: subproc.h nsjail.h contain.h net.h sandbox.h user.h cgroup.h +subproc.o: common.h log.h util.h uts.o: uts.h nsjail.h log.h diff --git a/cmdline.cc b/cmdline.cc index 4d535a7..a87394d 100644 --- a/cmdline.cc +++ b/cmdline.cc @@ -48,13 +48,13 @@ extern "C" { #include "common.h" #include "log.h" #include "mount.h" -#include "user.h" #include "util.h" } #include "caps.h" #include "config.h" #include "sandbox.h" +#include "user.h" namespace cmdline { @@ -623,7 +623,7 @@ std::unique_ptr parseArgs(int argc, char* argv[]) { char* cnt = cmdlineSplitStrByColon(o_id); size_t count = (cnt == NULL || strlen(cnt) == 0) ? 1U : (size_t)strtoull(cnt, NULL, 0); - if (userParseId(nsjconf.get(), i_id, o_id, count, false /* is_gid */, + if (user::parseId(nsjconf.get(), i_id, o_id, count, false /* is_gid */, false /* is_newidmap */) == false) { return nullptr; } @@ -634,7 +634,7 @@ std::unique_ptr parseArgs(int argc, char* argv[]) { char* cnt = cmdlineSplitStrByColon(o_id); size_t count = (cnt == NULL || strlen(cnt) == 0) ? 1U : (size_t)strtoull(cnt, NULL, 0); - if (userParseId(nsjconf.get(), i_id, o_id, count, true /* is_gid */, + if (user::parseId(nsjconf.get(), i_id, o_id, count, true /* is_gid */, false /* is_newidmap */) == false) { return nullptr; } @@ -645,7 +645,7 @@ std::unique_ptr parseArgs(int argc, char* argv[]) { char* cnt = cmdlineSplitStrByColon(o_id); size_t count = (cnt == NULL || strlen(cnt) == 0) ? 1U : (size_t)strtoull(cnt, NULL, 0); - if (userParseId(nsjconf.get(), i_id, o_id, count, false /* is_gid */, + if (user::parseId(nsjconf.get(), i_id, o_id, count, false /* is_gid */, true /* is_newidmap */) == false) { return nullptr; } @@ -656,7 +656,7 @@ std::unique_ptr parseArgs(int argc, char* argv[]) { char* cnt = cmdlineSplitStrByColon(o_id); size_t count = (cnt == NULL || strlen(cnt) == 0) ? 1U : (size_t)strtoull(cnt, NULL, 0); - if (userParseId(nsjconf.get(), i_id, o_id, count, true /* is_gid */, + if (user::parseId(nsjconf.get(), i_id, o_id, count, true /* is_gid */, true /* is_newidmap */) == false) { return nullptr; } diff --git a/config.cc b/config.cc index 8f8ca47..8139740 100644 --- a/config.cc +++ b/config.cc @@ -33,12 +33,12 @@ extern "C" { #include "config.h" #include "log.h" #include "mount.h" -#include "user.h" #include "util.h" } #include "caps.h" #include "cmdline.h" +#include "user.h" #include #include @@ -199,14 +199,14 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailC nsjconf->clone_newcgroup = njc.clone_newcgroup(); for (ssize_t i = 0; i < njc.uidmap_size(); i++) { - if (userParseId(nsjconf, DUP_IF_SET(njc.uidmap(i), inside_id), + if (user::parseId(nsjconf, DUP_IF_SET(njc.uidmap(i), inside_id), DUP_IF_SET(njc.uidmap(i), outside_id), njc.uidmap(i).count(), false /* is_gid */, njc.uidmap(i).use_newidmap()) == false) { return false; } } for (ssize_t i = 0; i < njc.gidmap_size(); i++) { - if (userParseId(nsjconf, DUP_IF_SET(njc.gidmap(i), inside_id), + if (user::parseId(nsjconf, DUP_IF_SET(njc.gidmap(i), inside_id), DUP_IF_SET(njc.gidmap(i), outside_id), njc.gidmap(i).count(), true /* is_gid */, njc.gidmap(i).use_newidmap()) == false) { return false; diff --git a/contain.cc b/contain.cc index bcc039f..61f47e7 100644 --- a/contain.cc +++ b/contain.cc @@ -41,18 +41,18 @@ extern "C" { #include "cgroup.h" #include "log.h" #include "mount.h" -#include "user.h" } #include "caps.h" #include "cpu.h" #include "net.h" #include "pid.h" +#include "user.h" #include "uts.h" namespace contain { -static bool containUserNs(struct nsjconf_t* nsjconf) { return userInitNsFromChild(nsjconf); } +static bool containUserNs(struct nsjconf_t* nsjconf) { return user::initNsFromChild(nsjconf); } static bool containInitPidNs(struct nsjconf_t* nsjconf) { return pid::initNs(nsjconf); } diff --git a/subproc.cc b/subproc.cc index fc16cf6..7e91bf3 100644 --- a/subproc.cc +++ b/subproc.cc @@ -45,12 +45,12 @@ #include "contain.h" #include "net.h" #include "sandbox.h" +#include "user.h" extern "C" { #include "cgroup.h" #include "common.h" #include "log.h" -#include "user.h" #include "util.h" #if !defined(CLONE_NEWCGROUP) @@ -144,7 +144,7 @@ static int subprocNewProc( } if (pipefd == -1) { - if (userInitNsFromParent(nsjconf, getpid()) == false) { + if (user::initNsFromParent(nsjconf, getpid()) == false) { LOG_E("Couldn't initialize net user namespace"); _exit(0xff); } @@ -384,7 +384,7 @@ static bool initParent(struct nsjconf_t* nsjconf, pid_t pid, int pipefd) { LOG_E("Couldn't initialize cgroup user namespace"); exit(0xff); } - if (userInitNsFromParent(nsjconf, pid) == false) { + if (user::initNsFromParent(nsjconf, pid) == false) { LOG_E("Couldn't initialize user namespaces for pid %d", pid); return false; } diff --git a/user.c b/user.cc similarity index 85% rename from user.c rename to user.cc index c34b0c4..d10f2af 100644 --- a/user.c +++ b/user.cc @@ -39,12 +39,17 @@ #include #include +extern "C" { #include "common.h" #include "log.h" -#include "subproc.h" #include "util.h" +} -static bool userSetResGid(gid_t gid) { +#include "subproc.h" + +namespace user { + +static bool setResGid(gid_t gid) { LOG_D("setresgid(%d)", gid); #if defined(__NR_setresgid32) if (syscall(__NR_setresgid32, (uintptr_t)gid, (uintptr_t)gid, (uintptr_t)gid) == -1) { @@ -60,7 +65,7 @@ static bool userSetResGid(gid_t gid) { return true; } -static bool userSetResUid(uid_t uid) { +static bool setResUid(uid_t uid) { LOG_D("setresuid(%d)", uid); #if defined(__NR_setresuid32) if (syscall(__NR_setresuid32, (uintptr_t)uid, (uintptr_t)uid, (uintptr_t)uid) == -1) { @@ -76,7 +81,7 @@ static bool userSetResUid(uid_t uid) { return true; } -static bool userSetGroups(pid_t pid) { +static bool setGroups(pid_t pid) { /* * No need to write 'deny' to /proc/pid/setgroups if our euid==0, as writing to * uid_map/gid_map will succeed anyway @@ -95,7 +100,7 @@ static bool userSetGroups(pid_t pid) { return true; } -static bool userUidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) { +static bool uidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) { char fname[PATH_MAX]; snprintf(fname, sizeof(fname), "/proc/%d/uid_map", pid); @@ -123,7 +128,7 @@ static bool userUidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) { return true; } -static bool userGidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) { +static bool gidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) { char fname[PATH_MAX]; snprintf(fname, sizeof(fname), "/proc/%d/gid_map", pid); @@ -152,7 +157,7 @@ static bool userGidMapSelf(struct nsjconf_t* nsjconf, pid_t pid) { } /* Use /usr/bin/newgidmap for writing the gid map */ -static bool userGidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) { +static bool gidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) { size_t idx = 0; const char* argv[1024]; @@ -204,7 +209,7 @@ static bool userGidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) { } /* Use /usr/bin/newuidmap for writing the uid map */ -static bool userUidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) { +static bool uidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) { size_t idx = 0; const char* argv[1024]; @@ -255,36 +260,36 @@ static bool userUidMapExternal(struct nsjconf_t* nsjconf, pid_t pid UNUSED) { return true; } -static bool userUidGidMap(struct nsjconf_t* nsjconf, pid_t pid) { - if (!userGidMapSelf(nsjconf, pid)) { +static bool uidGidMap(struct nsjconf_t* nsjconf, pid_t pid) { + if (!gidMapSelf(nsjconf, pid)) { return false; } - if (!userGidMapExternal(nsjconf, pid)) { + if (!gidMapExternal(nsjconf, pid)) { return false; } - if (!userUidMapSelf(nsjconf, pid)) { + if (!uidMapSelf(nsjconf, pid)) { return false; } - if (!userUidMapExternal(nsjconf, pid)) { + if (!uidMapExternal(nsjconf, pid)) { return false; } return true; } -bool userInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) { - if (userSetGroups(pid) == false) { +bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid) { + if (setGroups(pid) == false) { return false; } if (nsjconf->clone_newuser == false) { return true; } - if (userUidGidMap(nsjconf, pid) == false) { + if (uidGidMap(nsjconf, pid) == false) { return false; } return true; } -bool userInitNsFromChild(struct nsjconf_t* nsjconf) { +bool initNsFromChild(struct nsjconf_t* nsjconf) { /* * Best effort because of /proc/self/setgroups */ @@ -304,11 +309,11 @@ bool userInitNsFromChild(struct nsjconf_t* nsjconf) { return false; } - if (!userSetResGid(TAILQ_FIRST(&nsjconf->gids)->inside_id)) { + if (!setResGid(TAILQ_FIRST(&nsjconf->gids)->inside_id)) { PLOG_E("setresgid(%u)", TAILQ_FIRST(&nsjconf->gids)->inside_id); return false; } - if (!userSetResUid(TAILQ_FIRST(&nsjconf->uids)->inside_id)) { + if (!setResUid(TAILQ_FIRST(&nsjconf->uids)->inside_id)) { PLOG_E("setresuid(%u)", TAILQ_FIRST(&nsjconf->uids)->inside_id); return false; } @@ -316,7 +321,7 @@ bool userInitNsFromChild(struct nsjconf_t* nsjconf) { return true; } -static uid_t cmdParseUid(const char* id) { +static uid_t parseUid(const char* id) { if (id == NULL || strlen(id) == 0) { return getuid(); } @@ -330,7 +335,7 @@ static uid_t cmdParseUid(const char* id) { return (uid_t)-1; } -static gid_t cmdParseGid(const char* id) { +static gid_t parseGid(const char* id) { if (id == NULL || strlen(id) == 0) { return getgid(); } @@ -344,36 +349,36 @@ static gid_t cmdParseGid(const char* id) { return (gid_t)-1; } -bool userParseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, +bool parseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, bool is_gid, bool is_newidmap) { uid_t inside_id; uid_t outside_id; if (is_gid) { - inside_id = cmdParseGid(i_id); + inside_id = parseGid(i_id); if (inside_id == (uid_t)-1) { LOG_W("Cannot parse '%s' as GID", i_id); return false; } - outside_id = cmdParseGid(o_id); + outside_id = parseGid(o_id); if (outside_id == (uid_t)-1) { LOG_W("Cannot parse '%s' as GID", o_id); return false; } } else { - inside_id = cmdParseUid(i_id); + inside_id = parseUid(i_id); if (inside_id == (uid_t)-1) { LOG_W("Cannot parse '%s' as UID", i_id); return false; } - outside_id = cmdParseUid(o_id); + outside_id = parseUid(o_id); if (outside_id == (uid_t)-1) { LOG_W("Cannot parse '%s' as UID", o_id); return false; } } - struct idmap_t* p = utilMalloc(sizeof(struct idmap_t)); + struct idmap_t* p = reinterpret_cast(utilMalloc(sizeof(struct idmap_t))); p->inside_id = inside_id; p->outside_id = outside_id; p->count = cnt; @@ -387,3 +392,5 @@ bool userParseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, return true; } + +} // namespace user diff --git a/user.h b/user.h index e2a768e..1170b40 100644 --- a/user.h +++ b/user.h @@ -26,10 +26,14 @@ #include "nsjail.h" -bool userInitNsFromParent(struct nsjconf_t* nsjconf, pid_t pid); -bool userInitNsFromChild(struct nsjconf_t* nsjconf); +namespace user { -bool userParseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, - bool is_gid, bool is_newidmap); +bool initNsFromParent(struct nsjconf_t* nsjconf, pid_t pid); +bool initNsFromChild(struct nsjconf_t* nsjconf); + +bool parseId(struct nsjconf_t* nsjconf, const char* i_id, const char* o_id, size_t cnt, bool is_gid, + bool is_newidmap); + +} // namespace user #endif /* NS_USER_H */