Merge branch 'nsfs-ioctls' into HEAD

From: Andrey Vagin <avagin@openvz.org> Each namespace has an owning user namespace and now there is not way to discover these relationships. Pid and user namepaces are hierarchical. There is no way to discover parent-child relationships too. Why we may want to know relationships between namespaces? One use would be visualization, in order to understand the running system. Another would be to answer the question: what capability does process X have to perform operations on a resource governed by namespace Y? One more use-case (which usually called abnormal) is checkpoint/restart. In CRIU we are going to dump and restore nested namespaces. There [1] was a discussion about which interface to choose to determing relationships between namespaces. Eric suggested to add two ioctl-s [2]: > Grumble, Grumble. I think this may actually a case for creating ioctls > for these two cases. Now that random nsfs file descriptors are bind > mountable the original reason for using proc files is not as pressing. > > One ioctl for the user namespace that owns a file descriptor. > One ioctl for the parent namespace of a namespace file descriptor. Here is an implementaions of these ioctl-s. $ man man7/namespaces.7 ... Since Linux 4.X, the following ioctl(2) calls are supported for namespace file descriptors. The correct syntax is: fd = ioctl(ns_fd, ioctl_type); where ioctl_type is one of the following: NS_GET_USERNS Returns a file descriptor that refers to an owning user names‐ pace. NS_GET_PARENT Returns a file descriptor that refers to a parent namespace. This ioctl(2) can be used for pid and user namespaces. For user namespaces, NS_GET_PARENT and NS_GET_USERNS have the same meaning. In addition to generic ioctl(2) errors, the following specific ones can occur: EINVAL NS_GET_PARENT was called for a nonhierarchical namespace. EPERM The requested namespace is outside of the current namespace scope. [1] https://lkml.org/lkml/2016/7/6/158 [2] https://lkml.org/lkml/2016/7/9/101 Changes for v2: * don't return ENOENT for init_user_ns and init_pid_ns. There is nothing outside of the init namespace, so we can return EPERM in this case too. > The fewer special cases the easier the code is to get > correct, and the easier it is to read. // Eric Changes for v3: * rename ns->get_owner() to ns->owner(). get_* usually means that it grabs a reference. Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: James Bottomley <James.Bottomley@HansenPartnership.com> Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> Cc: "W. Trevor King" <wking@tremily.us> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Serge Hallyn <serge.hallyn@canonical.com>
author: Eric W. Biederman <ebiederm@xmission.com> 2016-09-22 21:00:36 -0400
committer: Eric W. Biederman <ebiederm@xmission.com> 2016-09-22 21:00:36 -0400
commit: 78725596644be0181c46f55c52aadfb8c70bcdb7 (patch)
tree: baaea28de07a45f932f7674cfcd6c83522940770 /tools
parent: 93f0a88bd4ad99a515f500a09f4a489ff03073eb (diff)
parent: 6ad92bf63e45f97e306da48cd1cbce6e4fef1e5d (diff)
4 files changed, 182 insertions, 0 deletions
diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile
index ff9e5f20a5a7..f770dba2a6f6 100644
--- a/tools/testing/selftests/Makefile
+++ b/tools/testing/selftests/Makefile
@@ -15,6 +15,7 @@ TARGETS += memory-hotplug
 TARGETS += mount
 TARGETS += mqueue
 TARGETS += net
+TARGETS += nsfs
 TARGETS += powerpc
 TARGETS += pstore
 TARGETS += ptrace
diff --git a/tools/testing/selftests/nsfs/Makefile b/tools/testing/selftests/nsfs/Makefile
new file mode 100644
index 000000000000..2306054a901a
--- /dev/null
+++ b/tools/testing/selftests/nsfs/Makefile
@@ -0,0 +1,12 @@
+TEST_PROGS := owner pidns
+CFLAGS := -Wall -Werror
+all: owner pidns
+owner: owner.c
+pidns: pidns.c
+clean:
+        $(RM) owner pidns
+include ../lib.mk
diff --git a/tools/testing/selftests/nsfs/owner.c b/tools/testing/selftests/nsfs/owner.c
new file mode 100644
index 000000000000..437205f8b714
--- /dev/null
+++ b/tools/testing/selftests/nsfs/owner.c
@@ -0,0 +1,91 @@
+#define _GNU_SOURCE
+#include <sched.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <sys/prctl.h>
+#include <sys/wait.h>
+#define NSIO    0xb7
+#define NS_GET_USERNS   _IO(NSIO, 0x1)
+#define pr_err(fmt, ...) \
+                ({ \
+                        fprintf(stderr, "%s:%d:" fmt ": %m\n", \
+                                __func__, __LINE__, ##__VA_ARGS__); \
+                        1; \
+                })
+int main(int argc, char *argvp[])
+{
+        int pfd[2], ns, uns, init_uns;
+        struct stat st1, st2;
+        char path[128];
+        pid_t pid;
+        char c;
+        if (pipe(pfd))
+                return 1;
+        pid = fork();
+        if (pid < 0)
+                return pr_err("fork");
+        if (pid == 0) {
+                prctl(PR_SET_PDEATHSIG, SIGKILL);
+                if (unshare(CLONE_NEWUTS | CLONE_NEWUSER))
+                        return pr_err("unshare");
+                close(pfd[0]);
+                close(pfd[1]);
+                while (1)
+                        sleep(1);
+                return 0;
+        }
+        close(pfd[1]);
+        if (read(pfd[0], &c, 1) != 0)
+                return pr_err("Unable to read from pipe");
+        close(pfd[0]);
+        snprintf(path, sizeof(path), "/proc/%d/ns/uts", pid);
+        ns = open(path, O_RDONLY);
+        if (ns < 0)
+                return pr_err("Unable to open %s", path);
+        uns = ioctl(ns, NS_GET_USERNS);
+        if (uns < 0)
+                return pr_err("Unable to get an owning user namespace");
+        if (fstat(uns, &st1))
+                return pr_err("fstat");
+        snprintf(path, sizeof(path), "/proc/%d/ns/user", pid);
+        if (stat(path, &st2))
+                return pr_err("stat");
+        if (st1.st_ino != st2.st_ino)
+                return pr_err("NS_GET_USERNS returned a wrong namespace");
+        init_uns = ioctl(uns, NS_GET_USERNS);
+        if (uns < 0)
+                return pr_err("Unable to get an owning user namespace");
+        if (ioctl(init_uns, NS_GET_USERNS) >= 0 || errno != EPERM)
+                return pr_err("Don't get EPERM");
+        if (unshare(CLONE_NEWUSER))
+                return pr_err("unshare");
+        if (ioctl(ns, NS_GET_USERNS) >= 0 || errno != EPERM)
+                return pr_err("Don't get EPERM");
+        if (ioctl(init_uns, NS_GET_USERNS) >= 0 || errno != EPERM)
+                return pr_err("Don't get EPERM");
+        kill(pid, SIGKILL);
+        wait(NULL);
+        return 0;
+}
diff --git a/tools/testing/selftests/nsfs/pidns.c b/tools/testing/selftests/nsfs/pidns.c
new file mode 100644
index 000000000000..ae3a0d68e966
--- /dev/null
+++ b/tools/testing/selftests/nsfs/pidns.c
@@ -0,0 +1,78 @@
+#define _GNU_SOURCE
+#include <sched.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <sys/prctl.h>
+#include <sys/wait.h>
+#define pr_err(fmt, ...) \
+                ({ \
+                        fprintf(stderr, "%s:%d:" fmt ": %m\n", \
+                                __func__, __LINE__, ##__VA_ARGS__); \
+                        1; \
+                })
+#define NSIO    0xb7
+#define NS_GET_USERNS   _IO(NSIO, 0x1)
+#define NS_GET_PARENT   _IO(NSIO, 0x2)
+#define __stack_aligned__       __attribute__((aligned(16)))
+struct cr_clone_arg {
+        char stack[128] __stack_aligned__;
+        char stack_ptr[0];
+};
+static int child(void *args)
+{
+        prctl(PR_SET_PDEATHSIG, SIGKILL);
+        while (1)
+                sleep(1);
+        exit(0);
+}
+int main(int argc, char *argv[])
+{
+        char *ns_strs[] = {"pid", "user"};
+        char path[] = "/proc/0123456789/ns/pid";
+        struct cr_clone_arg ca;
+        struct stat st1, st2;
+        int ns, pns, i;
+        pid_t pid;
+        pid = clone(child, ca.stack_ptr, CLONE_NEWUSER | CLONE_NEWPID | SIGCHLD, NULL);
+        if (pid < 0)
+                return pr_err("clone");
+        for (i = 0; i < 2; i++) {
+                snprintf(path, sizeof(path), "/proc/%d/ns/%s", pid, ns_strs[i]);
+                ns = open(path, O_RDONLY);
+                if (ns < 0)
+                        return pr_err("Unable to open %s", path);
+                pns = ioctl(ns, NS_GET_PARENT);
+                if (pns < 0)
+                        return pr_err("Unable to get a parent pidns");
+                snprintf(path, sizeof(path), "/proc/self/ns/%s", ns_strs[i]);
+                if (stat(path, &st2))
+                        return pr_err("Unable to stat %s", path);
+                if (fstat(pns, &st1))
+                        return pr_err("Unable to stat the parent pidns");
+                if (st1.st_ino != st2.st_ino)
+                        return pr_err("NS_GET_PARENT returned a wrong namespace");
+                if (ioctl(pns, NS_GET_PARENT) >= 0 || errno != EPERM)
+                        return pr_err("Don't get EPERM");;
+        }
+        kill(pid, SIGKILL);
+        wait(NULL);
+        return 0;
+}
author	Eric W. Biederman <ebiederm@xmission.com>	2016-09-22 21:00:36 -0400
committer	Eric W. Biederman <ebiederm@xmission.com>	2016-09-22 21:00:36 -0400
commit	78725596644be0181c46f55c52aadfb8c70bcdb7 (patch)
tree	baaea28de07a45f932f7674cfcd6c83522940770 /tools
parent	93f0a88bd4ad99a515f500a09f4a489ff03073eb (diff)
parent	6ad92bf63e45f97e306da48cd1cbce6e4fef1e5d (diff)

diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index ff9e5f20a5a7..f770dba2a6f6 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile
@@ -15,6 +15,7 @@ TARGETS += memory-hotplug
15	TARGETS += mount	15	TARGETS += mount
16	TARGETS += mqueue	16	TARGETS += mqueue
17	TARGETS += net	17	TARGETS += net
		18	TARGETS += nsfs
18	TARGETS += powerpc	19	TARGETS += powerpc
19	TARGETS += pstore	20	TARGETS += pstore
20	TARGETS += ptrace	21	TARGETS += ptrace


diff --git a/tools/testing/selftests/nsfs/Makefile b/tools/testing/selftests/nsfs/Makefile new file mode 100644 index 000000000000..2306054a901a --- /dev/null +++ b/tools/testing/selftests/nsfs/Makefile
@@ -0,0 +1,12 @@
		1	TEST_PROGS := owner pidns
		2
		3	CFLAGS := -Wall -Werror
		4
		5	all: owner pidns
		6	owner: owner.c
		7	pidns: pidns.c
		8
		9	clean:
		10	$(RM) owner pidns
		11
		12	include ../lib.mk


diff --git a/tools/testing/selftests/nsfs/owner.c b/tools/testing/selftests/nsfs/owner.c new file mode 100644 index 000000000000..437205f8b714 --- /dev/null +++ b/tools/testing/selftests/nsfs/owner.c
@@ -0,0 +1,91 @@
		1	#define _GNU_SOURCE
		2	#include <sched.h>
		3	#include <unistd.h>
		4	#include <stdio.h>
		5	#include <stdlib.h>
		6	#include <signal.h>
		7	#include <errno.h>
		8	#include <sys/types.h>
		9	#include <sys/stat.h>
		10	#include <fcntl.h>
		11	#include <sys/ioctl.h>
		12	#include <sys/prctl.h>
		13	#include <sys/wait.h>
		14
		15	#define NSIO 0xb7
		16	#define NS_GET_USERNS _IO(NSIO, 0x1)
		17
		18	#define pr_err(fmt, ...) \
		19	({ \
		20	fprintf(stderr, "%s:%d:" fmt ": %m\n", \
		21	__func__, __LINE__, ##__VA_ARGS__); \
		22	1; \
		23	})
		24
		25	int main(int argc, char *argvp[])
		26	{
		27	int pfd[2], ns, uns, init_uns;
		28	struct stat st1, st2;
		29	char path[128];
		30	pid_t pid;
		31	char c;
		32
		33	if (pipe(pfd))
		34	return 1;
		35
		36	pid = fork();
		37	if (pid < 0)
		38	return pr_err("fork");
		39	if (pid == 0) {
		40	prctl(PR_SET_PDEATHSIG, SIGKILL);
		41	if (unshare(CLONE_NEWUTS \| CLONE_NEWUSER))
		42	return pr_err("unshare");
		43	close(pfd[0]);
		44	close(pfd[1]);
		45	while (1)
		46	sleep(1);
		47	return 0;
		48	}
		49	close(pfd[1]);
		50	if (read(pfd[0], &c, 1) != 0)
		51	return pr_err("Unable to read from pipe");
		52	close(pfd[0]);
		53
		54	snprintf(path, sizeof(path), "/proc/%d/ns/uts", pid);
		55	ns = open(path, O_RDONLY);
		56	if (ns < 0)
		57	return pr_err("Unable to open %s", path);
		58
		59	uns = ioctl(ns, NS_GET_USERNS);
		60	if (uns < 0)
		61	return pr_err("Unable to get an owning user namespace");
		62
		63	if (fstat(uns, &st1))
		64	return pr_err("fstat");
		65
		66	snprintf(path, sizeof(path), "/proc/%d/ns/user", pid);
		67	if (stat(path, &st2))
		68	return pr_err("stat");
		69
		70	if (st1.st_ino != st2.st_ino)
		71	return pr_err("NS_GET_USERNS returned a wrong namespace");
		72
		73	init_uns = ioctl(uns, NS_GET_USERNS);
		74	if (uns < 0)
		75	return pr_err("Unable to get an owning user namespace");
		76
		77	if (ioctl(init_uns, NS_GET_USERNS) >= 0 \|\| errno != EPERM)
		78	return pr_err("Don't get EPERM");
		79
		80	if (unshare(CLONE_NEWUSER))
		81	return pr_err("unshare");
		82
		83	if (ioctl(ns, NS_GET_USERNS) >= 0 \|\| errno != EPERM)
		84	return pr_err("Don't get EPERM");
		85	if (ioctl(init_uns, NS_GET_USERNS) >= 0 \|\| errno != EPERM)
		86	return pr_err("Don't get EPERM");
		87
		88	kill(pid, SIGKILL);
		89	wait(NULL);
		90	return 0;
		91	}


diff --git a/tools/testing/selftests/nsfs/pidns.c b/tools/testing/selftests/nsfs/pidns.c new file mode 100644 index 000000000000..ae3a0d68e966 --- /dev/null +++ b/tools/testing/selftests/nsfs/pidns.c
@@ -0,0 +1,78 @@
		1	#define _GNU_SOURCE
		2	#include <sched.h>
		3	#include <unistd.h>
		4	#include <stdio.h>
		5	#include <stdlib.h>
		6	#include <signal.h>
		7	#include <errno.h>
		8	#include <sys/types.h>
		9	#include <sys/stat.h>
		10	#include <fcntl.h>
		11	#include <sys/ioctl.h>
		12	#include <sys/prctl.h>
		13	#include <sys/wait.h>
		14
		15	#define pr_err(fmt, ...) \
		16	({ \
		17	fprintf(stderr, "%s:%d:" fmt ": %m\n", \
		18	__func__, __LINE__, ##__VA_ARGS__); \
		19	1; \
		20	})
		21
		22	#define NSIO 0xb7
		23	#define NS_GET_USERNS _IO(NSIO, 0x1)
		24	#define NS_GET_PARENT _IO(NSIO, 0x2)
		25
		26	#define __stack_aligned__ __attribute__((aligned(16)))
		27	struct cr_clone_arg {
		28	char stack[128] __stack_aligned__;
		29	char stack_ptr[0];
		30	};
		31
		32	static int child(void *args)
		33	{
		34	prctl(PR_SET_PDEATHSIG, SIGKILL);
		35	while (1)
		36	sleep(1);
		37	exit(0);
		38	}
		39
		40	int main(int argc, char *argv[])
		41	{
		42	char *ns_strs[] = {"pid", "user"};
		43	char path[] = "/proc/0123456789/ns/pid";
		44	struct cr_clone_arg ca;
		45	struct stat st1, st2;
		46	int ns, pns, i;
		47	pid_t pid;
		48
		49	pid = clone(child, ca.stack_ptr, CLONE_NEWUSER \| CLONE_NEWPID \| SIGCHLD, NULL);
		50	if (pid < 0)
		51	return pr_err("clone");
		52
		53	for (i = 0; i < 2; i++) {
		54	snprintf(path, sizeof(path), "/proc/%d/ns/%s", pid, ns_strs[i]);
		55	ns = open(path, O_RDONLY);
		56	if (ns < 0)
		57	return pr_err("Unable to open %s", path);
		58
		59	pns = ioctl(ns, NS_GET_PARENT);
		60	if (pns < 0)
		61	return pr_err("Unable to get a parent pidns");
		62
		63	snprintf(path, sizeof(path), "/proc/self/ns/%s", ns_strs[i]);
		64	if (stat(path, &st2))
		65	return pr_err("Unable to stat %s", path);
		66	if (fstat(pns, &st1))
		67	return pr_err("Unable to stat the parent pidns");
		68	if (st1.st_ino != st2.st_ino)
		69	return pr_err("NS_GET_PARENT returned a wrong namespace");
		70
		71	if (ioctl(pns, NS_GET_PARENT) >= 0 \|\| errno != EPERM)
		72	return pr_err("Don't get EPERM");;
		73	}
		74
		75	kill(pid, SIGKILL);
		76	wait(NULL);
		77	return 0;
		78	}