2 * Written by Mike Frysinger <vapier@gmail.com>
3 * Released into the public domain.
7 * - Add userns support.
8 * - Make pidns init optional.
9 * - Make setproctitle nicer and include program argv[0].
28 #include <sys/ioctl.h>
29 #include <sys/mount.h>
30 #include <sys/prctl.h>
31 #include <sys/socket.h>
32 #include <sys/types.h>
35 #define PROG "vunshare"
37 static bool vunshare(int flags)
39 if (unshare(flags) == -1) {
41 err(1, "unshare failed");
47 static void unshare_net(void)
49 if (!vunshare(CLONE_NEWNET))
52 int sock = socket(AF_LOCAL, SOCK_DGRAM|SOCK_CLOEXEC, 0);
55 /* Equiv of `ip link set up lo`. Kernel will assign 127.0.0.1 for us. */
56 strcpy(ifr.ifr_name, "lo");
57 if (ioctl(sock, SIOCGIFFLAGS, &ifr) < 0)
58 err(1, "ioctl(SIOCGIFFLAGS) failed");
59 strcpy(ifr.ifr_name, "lo");
60 ifr.ifr_flags |= IFF_UP | IFF_RUNNING;
61 if (ioctl(sock, SIOCSIFFLAGS, &ifr) < 0)
62 err(1, "ioctl(SIOCSIFFLAGS) failed");
65 static char **title_argv;
66 static void setproctitle(const char *title)
68 /* Hopefully 1k is all we ever need. */
70 memset(newtitle, 0, sizeof(newtitle));
71 int len = sprintf(newtitle, "%s: %s [pid ns]", PROG, title);
73 prctl(PR_SET_NAME, (uintptr_t)newtitle);
75 /* Clobber argv to set the title. Need to figure out how much space though. */
78 while (title_argv[argc])
79 i += strlen(title_argv[argc++]) + 1;
80 /* Now scan the environ table. */
81 while (title_argv[argc])
82 i += strlen(title_argv[argc++]) + 1;
86 /* This will NUL pad the string for us too. */
87 strncpy(title_argv[0], newtitle, i);
90 static void close_fds(void)
93 for (i = 3; i < 10; ++i)
97 static void exit_as_status_ext(int status)
100 int exit_status = WEXITSTATUS(status);
102 if (WIFSIGNALED(status)) {
103 sig_status = WTERMSIG(status);
104 } else if (exit_status > 128) {
105 /* For the external init, translate the signal status back.
106 * TODO: This gets it wrong when the child actually exited.
107 * We need to set up a pipe between the two inits so we can
108 * get back the proper details.
110 sig_status = exit_status - 128;
114 signal(sig_status, SIG_DFL);
115 kill(getpid(), sig_status);
117 /* Still here ? Maybe the signal was masked. Just exit. */
118 exit_status = 128 + sig_status;
124 static void exit_as_status_int(int status)
126 /* If we are the init for the pid ns, we can't kill ourselves --
127 * the kernel explicitly disallows this. Just exit with a high
128 * status value instead. Our parent will handle it themselves.
132 if (WIFSIGNALED(status))
133 exit_status = 128 + WTERMSIG(status);
135 exit_status = WEXITSTATUS(status);
140 static int reap_children(void)
152 static pid_t child_pid;
153 static void signal_passthru(int sig, siginfo_t *siginfo, void *context)
158 /* If the signal is coming from our children, ignore it.
159 * If it's coming from outside the pid ns, pass it along.
161 if (siginfo->si_pid != 0)
164 /* Kill all the children! */
169 /* Just forward signal to the child. */
170 kill(child_pid, sig);
174 /* We want to forward some signals to the child process. Block the rest.
175 * We don't actually exit as we wait for the child to die/process the signal
176 * first, and then we'll kill/exit after that point.
178 static void setup_signal_handler(pid_t pid)
182 struct sigaction sa = {
183 .sa_sigaction = signal_passthru,
184 .sa_flags = SA_SIGINFO | SA_RESTART,
189 for (i = 1; i < SIGUNUSED; ++i)
190 if (sigaction(i, &sa, NULL) && errno != EINVAL)
191 fprintf(stderr, "sigaction(%i) failed: %s\n", i, strerror(errno));
192 for (i = SIGRTMIN; i <= SIGRTMAX; ++i)
193 if (sigaction(i, &sa, NULL) && errno != EINVAL)
194 fprintf(stderr, "sigaction(%i) failed: %s\n", i, strerror(errno));
196 /* As an init, we will reap the children via wait(). */
197 signal(SIGCHLD, SIG_DFL);
200 static bool unshare_pid(bool daemonize)
202 if (!vunshare(CLONE_NEWPID))
207 /* Set up external init process. */
210 case -1: err(1, "fork() failed");
215 setproctitle("ext init");
216 setup_signal_handler(pid);
218 exit_as_status_ext(reap_children());
223 err(1, "setsid() failed");
225 int fd = open("/dev/null", O_RDWR);
227 err(1, "open(/dev/null) failed");
228 if (dup2(fd, 0) == -1 || dup2(fd, 1) == -1 || dup2(fd, 2) == -1)
229 err(1, "dup2() failed");
234 /* Set up fresh /proc. */
235 if (mount("none", "/proc", 0, MS_PRIVATE | MS_REC, ""))
236 err(1, "mount(/proc, MS_PRIVATE) failed");
237 if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME, ""))
238 err(1, "mount(/proc) failed");
240 /* Set up internal init process. */
243 case -1: err(1, "fork() failed");
246 setproctitle("int init");
247 setup_signal_handler(pid);
249 exit_as_status_int(reap_children());
255 static void map_uid_gid(uid_t iuid, gid_t igid, uid_t ouid, gid_t ogid)
259 fp = fopen("/proc/self/setgroups", "w");
265 fp = fopen("/proc/self/uid_map", "w");
266 fprintf(fp, "%u %u 1\n", iuid, ouid);
269 fp = fopen("/proc/self/gid_map", "w");
270 fprintf(fp, "%u %u 1\n", igid, ogid);
274 #define a_argument required_argument
275 static const struct option opts[] = {
276 { "pid", a_argument, NULL, 1 },
277 { NULL, 0, NULL, 0 },
280 static void usage(void)
282 puts("Usage: unshare [options] <program>");
286 int main(int argc, char *argv[])
290 const char *pid = NULL;
297 bool daemonize = false;
303 while ((c = getopt_long(argc, argv, "+DimnpuU", opts, NULL)) != -1) {
308 case 'i': newipc = true; break;
309 case 'm': newmnt = true; break;
310 case 'n': newnet = true; break;
311 case 'p': newpid = true; break;
312 case 'u': newuts = true; break;
313 case 'U': newusr = true; break;
314 case 'D': daemonize = true; break;
328 if (vunshare(CLONE_NEWUSER))
329 map_uid_gid(0, 0, uid, gid);
334 if (newmnt || newpid)
335 vunshare(CLONE_NEWNS);
337 vunshare(CLONE_NEWUTS);
339 vunshare(CLONE_NEWIPC);
344 pidfp = fopen(pid, "we");
346 err(1, "fopen(%s) failed", pid);
349 if (newpid && unshare_pid(daemonize)) {
351 } else if (daemonize)
353 err(1, "daemon() failed");
356 fprintf(pidfp, "%u\n", getpid());
361 if (vunshare(CLONE_NEWUSER))
362 map_uid_gid(uid, gid, 0, 0);
364 execvp(argv[0], argv);
365 fprintf(stderr, "%s: %s\n", argv[0], strerror(errno));
projects / home.git / blob