小贝子编程

C-如何使用clone_newuser标志测试用克隆系统调用用户名称空间



用LXC测试来自容器化的样本以演示用户名称空间。

它应该在新的用户名称空间中从子过程中打印两个输出,并从父进程中输出。

# ./user_namespace
UID outside the namespace is 0
GID outside the namespace is 0
UID inside the namespace is 65534
GID inside the namespace is 65534

但是,它仅显示父级输出。

UID outside the namespace is 1000
GID outside the namespace is 1000

请帮助了解为什么儿童过程未打印。

代码

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sched.h>
#include <signal.h>
static int childFunc(void *arg)
{
    printf("UID inside the namespace is %ldn", (long)geteuid());
    printf("GID inside the namespace is %ldn", (long)getegid());
}
static char child_stack[1024*1024];
int main(int argc, char *argv[])
{
    pid_t child_pid;
    /* child_pid = clone(childFunc, child_stack + (1024*1024), CLONE_NEWUSER, 0);*/
    child_pid = clone(&childFunc, child_stack + (1024*1024), CLONE_NEWUSER, 0);
    printf("UID outside the namespace is %ldn", (long)geteuid());
    printf("GID outside the namespace is %ldn", (long)getegid());
    waitpid(child_pid, NULL, 0);
    exit(EXIT_SUCCESS);
}

环境

$ uname -r
3.10.0-693.21.1.el7.x86_64
$ cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
CPE_NAME="cpe:/o:centos:centos:7"

参考

  • 如何使用clone((同时运行父程流程和子进程?
  • 男人克隆

更新

根据thejonny的答案,它是为了启用用户名称空间。对于RHEL/CENTOS 7,在CentOS 7.4中启用用户名称空间是安全的吗?

  • 用户名称空间不再在RHEL 7.4
    • 中工作

默认情况下,新的7.4内核将用户名称空间的数量限制为0。要解决此问题,请增加用户名称空间限制:
Echo 15000>/proc/sys/user/max_user_namespaces

毫无疑问的用户名称空间可能被禁用。由于您不检查clone的返回值,因此您不会注意到。通过我的系统打印上的strace运行:

.... startup stuff ...
clone(child_stack=0x55b41f2a4070, flags=CLONE_NEWUSER) = -1 EPERM (Operation not permitted)
geteuid()                               = 1000
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 6), ...}) = 0
brk(NULL)                               = 0x55b4200b8000
brk(0x55b4200d9000)                     = 0x55b4200d9000
write(1, "UID outside the namespace is 100"..., 34UID outside the namespace is 1000
) = 34
getegid()                               = 1000
write(1, "GID outside the namespace is 100"..., 34GID outside the namespace is 1000
) = 34
wait4(-1, NULL, 0, NULL)                = -1 ECHILD (No child processes)
exit_group(0)   = ?

因此,克隆,因此等待pid失败,没有孩子的过程。

请参阅此处启用用户特权:https://superuser.com/questions/1094597/enable-user-namespaces-in-debian-kernel-kernel

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium