1 | // SPDX-License-Identifier: GPL-2.0 |
2 | #define _GNU_SOURCE |
3 | #include <sched.h> |
4 | #include <unistd.h> |
5 | #include <stdio.h> |
6 | #include <stdlib.h> |
7 | #include <signal.h> |
8 | #include <errno.h> |
9 | #include <sys/types.h> |
10 | #include <sys/stat.h> |
11 | #include <fcntl.h> |
12 | #include <sys/ioctl.h> |
13 | #include <sys/prctl.h> |
14 | #include <sys/wait.h> |
15 | |
16 | #define NSIO 0xb7 |
17 | #define NS_GET_USERNS _IO(NSIO, 0x1) |
18 | |
19 | #define pr_err(fmt, ...) \ |
20 | ({ \ |
21 | fprintf(stderr, "%s:%d:" fmt ": %m\n", \ |
22 | __func__, __LINE__, ##__VA_ARGS__); \ |
23 | 1; \ |
24 | }) |
25 | |
26 | int main(int argc, char *argvp[]) |
27 | { |
28 | int pfd[2], ns, uns, init_uns; |
29 | struct stat st1, st2; |
30 | char path[128]; |
31 | pid_t pid; |
32 | char c; |
33 | |
34 | if (pipe(pfd)) |
35 | return 1; |
36 | |
37 | pid = fork(); |
38 | if (pid < 0) |
39 | return pr_err("fork" ); |
40 | if (pid == 0) { |
41 | prctl(PR_SET_PDEATHSIG, SIGKILL); |
42 | if (unshare(CLONE_NEWUTS | CLONE_NEWUSER)) |
43 | return pr_err("unshare" ); |
44 | close(pfd[0]); |
45 | close(pfd[1]); |
46 | while (1) |
47 | sleep(1); |
48 | return 0; |
49 | } |
50 | close(pfd[1]); |
51 | if (read(pfd[0], &c, 1) != 0) |
52 | return pr_err("Unable to read from pipe" ); |
53 | close(pfd[0]); |
54 | |
55 | snprintf(path, sizeof(path), "/proc/%d/ns/uts" , pid); |
56 | ns = open(path, O_RDONLY); |
57 | if (ns < 0) |
58 | return pr_err("Unable to open %s" , path); |
59 | |
60 | uns = ioctl(ns, NS_GET_USERNS); |
61 | if (uns < 0) |
62 | return pr_err("Unable to get an owning user namespace" ); |
63 | |
64 | if (fstat(uns, &st1)) |
65 | return pr_err("fstat" ); |
66 | |
67 | snprintf(path, sizeof(path), "/proc/%d/ns/user" , pid); |
68 | if (stat(path, &st2)) |
69 | return pr_err("stat" ); |
70 | |
71 | if (st1.st_ino != st2.st_ino) |
72 | return pr_err("NS_GET_USERNS returned a wrong namespace" ); |
73 | |
74 | init_uns = ioctl(uns, NS_GET_USERNS); |
75 | if (uns < 0) |
76 | return pr_err("Unable to get an owning user namespace" ); |
77 | |
78 | if (ioctl(init_uns, NS_GET_USERNS) >= 0 || errno != EPERM) |
79 | return pr_err("Don't get EPERM" ); |
80 | |
81 | if (unshare(CLONE_NEWUSER)) |
82 | return pr_err("unshare" ); |
83 | |
84 | if (ioctl(ns, NS_GET_USERNS) >= 0 || errno != EPERM) |
85 | return pr_err("Don't get EPERM" ); |
86 | if (ioctl(init_uns, NS_GET_USERNS) >= 0 || errno != EPERM) |
87 | return pr_err("Don't get EPERM" ); |
88 | |
89 | kill(pid, SIGKILL); |
90 | wait(NULL); |
91 | return 0; |
92 | } |
93 | |