From 0a3ac2c40b669c4631bf25c7069916cab1a1be97 Mon Sep 17 00:00:00 2001
Message-Id: <0a3ac2c40b669c4631bf25c7069916cab1a1be97@dist-git>
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 18 Feb 2014 15:45:38 -0700
Subject: [PATCH] Add helper for running code in separate namespaces

https://bugzilla.redhat.com/show_bug.cgi?id=1045643
prereq of CVE-2013-6456

Implement virProcessRunInMountNamespace, which runs callback of type
virProcessNamespaceCallback in a container namespace. This uses a
child process to run the callback, since you can't change the mount
namespace of a thread. This implies that callbacks have to be careful
about what code they run due to async safety rules.

Idea by Dan Berrange, based on an initial report by Reco
<recoverym4n@gmail.com> at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732394

Signed-off-by: Daniel Berrange <berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 7c72ef6f555f1f9844d51be2f38f078bc908652c)
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/libvirt_private.syms |   1 +
 src/util/virprocess.c    | 106 +++++++++++++++++++++++++++++++++++++++++++++++
 src/util/virprocess.h    |  11 +++++
 3 files changed, 118 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index e5f80e1..12f70cb 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1829,6 +1829,7 @@ virProcessGetNamespaces;
 virProcessGetStartTime;
 virProcessKill;
 virProcessKillPainfully;
+virProcessRunInMountNamespace;
 virProcessSetAffinity;
 virProcessSetMaxFiles;
 virProcessSetMaxMemLock;
diff --git a/src/util/virprocess.c b/src/util/virprocess.c
index 9fc3207..868dd04 100644
--- a/src/util/virprocess.c
+++ b/src/util/virprocess.c
@@ -46,6 +46,7 @@
 #include "virlog.h"
 #include "virutil.h"
 #include "virstring.h"
+#include "vircommand.h"
 
 #define VIR_FROM_THIS VIR_FROM_NONE
 
@@ -847,3 +848,108 @@ int virProcessGetStartTime(pid_t pid,
     return 0;
 }
 #endif
+
+
+#ifdef HAVE_SETNS
+static int virProcessNamespaceHelper(int errfd,
+                                     pid_t pid,
+                                     virProcessNamespaceCallback cb,
+                                     void *opaque)
+{
+    char *path;
+    int fd = -1;
+    int ret = -1;
+
+    if (virAsprintf(&path, "/proc/%llu/ns/mnt", (unsigned long long)pid) < 0)
+        goto cleanup;
+
+    if ((fd = open(path, O_RDONLY)) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Kernel does not provide mount namespace"));
+        goto cleanup;
+    }
+
+    if (setns(fd, 0) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Unable to enter mount namespace"));
+        goto cleanup;
+    }
+
+    ret = cb(pid, opaque);
+
+ cleanup:
+    if (ret < 0) {
+        virErrorPtr err = virGetLastError();
+        if (err) {
+            size_t len = strlen(err->message) + 1;
+            ignore_value(safewrite(errfd, err->message, len));
+        }
+    }
+    VIR_FREE(path);
+    VIR_FORCE_CLOSE(fd);
+    return ret;
+}
+
+/* Run cb(opaque) in the mount namespace of pid.  Return -1 with error
+ * message raised if we fail to run the child, if the child dies from
+ * a signal, or if the child has status 1; otherwise return the exit
+ * status of the child. The callback will be run in a child process
+ * so must be careful to only use async signal safe functions.
+ */
+int
+virProcessRunInMountNamespace(pid_t pid,
+                              virProcessNamespaceCallback cb,
+                              void *opaque)
+{
+    int ret = -1;
+    pid_t child = -1;
+    int errfd[2] = { -1, -1 };
+
+    if (pipe(errfd) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Cannot create pipe for child"));
+        return -1;
+    }
+
+    ret = virFork(&child);
+
+    if (ret < 0 || child < 0) {
+        if (child == 0)
+            _exit(1);
+
+        /* parent */
+        virProcessAbort(child);
+        goto cleanup;
+    }
+
+    if (child == 0) {
+        VIR_FORCE_CLOSE(errfd[0]);
+        ret = virProcessNamespaceHelper(errfd[1], pid,
+                                        cb, opaque);
+        VIR_FORCE_CLOSE(errfd[1]);
+        _exit(ret < 0 ? 1 : 0);
+    } else {
+        char *buf = NULL;
+        VIR_FORCE_CLOSE(errfd[1]);
+
+        ignore_value(virFileReadHeaderFD(errfd[0], 1024, &buf));
+        ret = virProcessWait(child, NULL);
+        VIR_FREE(buf);
+    }
+
+cleanup:
+    VIR_FORCE_CLOSE(errfd[0]);
+    VIR_FORCE_CLOSE(errfd[1]);
+    return ret;
+}
+#else /* !HAVE_SETNS */
+int
+virProcessRunInMountNamespace(pid_t pid ATTRIBUTE_UNUSED,
+                              virProcessNamespaceCallback cb ATTRIBUTE_UNUSED,
+                              void *opaque ATTRIBUTE_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("Mount namespaces are not available on this platform"));
+    return -1;
+}
+#endif
diff --git a/src/util/virprocess.h b/src/util/virprocess.h
index 9f77bc5..5c173b0 100644
--- a/src/util/virprocess.h
+++ b/src/util/virprocess.h
@@ -60,4 +60,15 @@ int virProcessSetNamespaces(size_t nfdlist,
 int virProcessSetMaxMemLock(pid_t pid, unsigned long long bytes);
 int virProcessSetMaxProcesses(pid_t pid, unsigned int procs);
 int virProcessSetMaxFiles(pid_t pid, unsigned int files);
+
+/* Callback to run code within the mount namespace tied to the given
+ * pid.  This function must use only async-signal-safe functions, as
+ * it gets run after a fork of a multi-threaded process.  The return
+ * value of this function is passed to _exit(), except that a
+ * negative value is treated as an error.  */
+typedef int (*virProcessNamespaceCallback)(pid_t pid, void *opaque);
+
+int virProcessRunInMountNamespace(pid_t pid,
+                                  virProcessNamespaceCallback cb,
+                                  void *opaque);
 #endif /* __VIR_PROCESS_H__ */
-- 
1.9.0