newuidmap called with nonsense args #1077

Closed
dtrudg opened this issue Nov 21, 2022 · 1 comment · Fixed by #1078

Comments


dtrudg commented Nov 21, 2022

```
$ /usr/local/bin/crun --version
crun version 1.7.0.0.0.24-b42e
commit: b42e7ec0b199a0ee6409d645228032a187d17c66
rundir: /run/user/1001/crun
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
```

With the following config.json:

config.json:

```json
{
	"ociVersion": "1.0.2-dev",
	"process": {
		"terminal": true,
		"user": {
			"uid": 0,
			"gid": 0
		},
		"args": [
			"/bin/sh"
		],
		"env": [
			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
		],
		"cwd": "/root",
		"capabilities": {
			"bounding": [
				"CAP_NET_BIND_SERVICE",
				"CAP_KILL",
				"CAP_AUDIT_WRITE"
			],
			"effective": [
				"CAP_NET_BIND_SERVICE",
				"CAP_KILL",
				"CAP_AUDIT_WRITE"
			],
			"permitted": [
				"CAP_NET_BIND_SERVICE",
				"CAP_KILL",
				"CAP_AUDIT_WRITE"
			],
			"ambient": [
				"CAP_NET_BIND_SERVICE",
				"CAP_KILL",
				"CAP_AUDIT_WRITE"
			]
		}
	},
	"root": {
		"path": "/tmp/oci-bundle2436642620/rootfs",
		"readonly": true
	},
	"mounts": [
		{
			"destination": "/proc",
			"type": "none",
			"source": "/proc",
			"options": [
				"rbind",
				"nosuid",
				"nodev"
			]
		},
		{
			"destination": "/sys",
			"type": "sysfs",
			"source": "sysfs",
			"options": [
				"nosuid",
				"noexec",
				"nodev",
				"ro"
			]
		},
		{
			"destination": "/dev",
			"type": "tmpfs",
			"source": "tmpfs",
			"options": [
				"nosuid",
				"strictatime",
				"mode=755",
				"size=65536k"
			]
		},
		{
			"destination": "/dev/pts",
			"type": "devpts",
			"source": "devpts",
			"options": [
				"nosuid",
				"noexec",
				"newinstance",
				"ptmxmode=0666",
				"mode=0620",
				"gid=5"
			]
		},
		{
			"destination": "/dev/shm",
			"type": "tmpfs",
			"source": "shm",
			"options": [
				"nosuid",
				"noexec",
				"nodev",
				"mode=1777",
				"size=65536k"
			]
		},
		{
			"destination": "/dev/mqueue",
			"type": "mqueue",
			"source": "mqueue",
			"options": [
				"nosuid",
				"noexec",
				"nodev"
			]
		},
		{
			"destination": "/tmp",
			"type": "tmpfs",
			"source": "tmpfs",
			"options": [
				"nosuid",
				"relatime",
				"mode=777",
				"size=65536k"
			]
		},
		{
			"destination": "/tmp",
			"type": "tmpfs",
			"source": "tmpfs",
			"options": [
				"nosuid",
				"relatime",
				"mode=777",
				"size=65536k"
			]
		},
		{
			"destination": "/root",
			"type": "tmpfs",
			"source": "tmpfs",
			"options": [
				"nosuid",
				"relatime",
				"mode=755",
				"size=65536k"
			]
		}
	],
	"linux": {
		"uidMappings": [
			{
				"containerID": 0,
				"hostID": 1001,
				"size": 1
			},
			{
				"containerID": 1,
				"hostID": 165536,
				"size": 65535
			}
		],
		"gidMappings": [
			{
				"containerID": 0,
				"hostID": 1001,
				"size": 1
			},
			{
				"containerID": 1,
				"hostID": 165536,
				"size": 65535
			}
		],
		"namespaces": [
			{
				"type": "ipc"
			},
			{
				"type": "pid"
			},
			{
				"type": "mount"
			},
			{
				"type": "user"
			}
		]
	}
}
```

crun will fail with the error:

```
$ /usr/local/bin/crun --debug run -b /tmp/oci-bundle2436642620 test
usage: newuidmap <pid> <uid> <loweruid> <count> [ <uid> <loweruid> <count> ] ... 
2022-11-21T17:06:35.000823723Z: writing file `/proc/2225603/uid_map`: Invalid argument
```

Adding a few debug printf statements into src/libcrun/linux.c uidgidmap_helper, I can see that newuidmap is being called with nonsense args. The correct args are there, but followed by other pieces of JSON. newgidmap appears to be called correctly.

```
$ /usr/local/bin/crun run -b /tmp/oci-bundle2436642620 bob23
newgidmap 2244310 0 1001 1 1 165536 65535 
newuidmap 2244310 0 1001 1 1 165536 65535 r/bin:/sbin:/bin" 		], 		"cwd": "/root", 		"capabilities": {"bounding": [ 				"CAP_NET_BIND_SERVICE", 
usage: newuidmap <pid> <uid> <loweruid> <count> [ <uid> <loweruid> <count> ] ... 
```

The config.json is valid JSON, and is parsed okay by runc:

```
$ runc --debug run -b /tmp/oci-bundle2436642620 runctest
...
DEBU[0000] nsexec-0[2244500]: update /proc/2244502/uid_map to '0 1001 1
1 165536 65535
' 
DEBU[0000] nsexec-0[2244500]: update /proc/2244502/uid_map got -EPERM (trying /usr/bin/newuidmap) 
DEBU[0000] nsexec-0[2244500]: update /proc/2244502/gid_map to '0 1001 1
1 165536 65535
' 
DEBU[0000] nsexec-0[2244500]: update /proc/2244502/gid_map got -EPERM (trying /usr/bin/newgidmap) 
...
```
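The reporter's debug line shows the seven correct numeric arguments followed by leftover bytes of the config file, a symptom consistent with the caller passing more of a buffer than the text it meant to hand over. The C below is an added example, not crun's code and not from the reporter or the linked fix. It builds the argument vector for a `newuidmap`/`newgidmap` helper from OCI-style mapping entries as separate NUL-terminated strings, and checks the vector (argument count of 2 + 3n with n >= 1, every token a non-empty run of decimal digits) before a caller would hand it to `execvp`. The names `build_idmap_argv`, `idmap_argv_is_sane`, `join_argv`, `free_idmap_argv` and the `IDMAP_MAX_ENTRIES` cap are assumptions; the sample mappings and pid are constructed from the values in the report.

```c
/* Added example, not crun's code: build and validate the argv passed to a
 * setuid newuidmap/newgidmap helper. All function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* One entry of an OCI "uidMappings" / "gidMappings" array. */
struct id_mapping {
    uint32_t container_id;
    uint32_t host_id;
    uint32_t size;
};

/* Assumed upper bound on the number of mapping triples we pass on. */
#define IDMAP_MAX_ENTRIES 340

/* Decimal rendering of v as its own heap string. strdup copies the NUL, so
 * each token ends exactly where the number ends and nothing can trail it. */
static char *u32_to_str(uint32_t v)
{
    char buf[16];
    int n = snprintf(buf, sizeof buf, "%u", (unsigned) v);
    if (n < 0 || (size_t) n >= sizeof buf)
        return NULL;
    return strdup(buf);
}

void free_idmap_argv(char **argv)
{
    if (argv == NULL)
        return;
    for (size_t i = 0; argv[i] != NULL; i++)
        free(argv[i]);
    free(argv);
}

/* Build "helper pid cid hid size [cid hid size]..." as a NULL-terminated
 * argv. Returns NULL on bad input or allocation failure. */
char **build_idmap_argv(const char *helper, pid_t pid,
                        const struct id_mapping *maps, size_t nmaps)
{
    if (helper == NULL || maps == NULL || pid <= 0 ||
        nmaps == 0 || nmaps > IDMAP_MAX_ENTRIES)
        return NULL;
    size_t argc = 2 + 3 * nmaps;
    char **argv = calloc(argc + 1, sizeof *argv);  /* +1 for the final NULL */
    if (argv == NULL)
        return NULL;
    size_t i = 0;
    argv[i++] = strdup(helper);
    argv[i++] = u32_to_str((uint32_t) pid);
    for (size_t m = 0; m < nmaps; m++) {
        argv[i++] = u32_to_str(maps[m].container_id);
        argv[i++] = u32_to_str(maps[m].host_id);
        argv[i++] = u32_to_str(maps[m].size);
    }
    argv[i] = NULL;
    /* Any allocation failure above left a NULL slot: release everything. */
    for (size_t k = 0; k < argc; k++) {
        if (argv[k] == NULL) {
            for (size_t j = 0; j < argc; j++)
                free(argv[j]);              /* free(NULL) is a no-op */
            free(argv);
            return NULL;
        }
    }
    return argv;
}

/* Pre-exec check: expected helper name, argc == 2 + 3n with n >= 1, and every
 * token after argv[0] is a non-empty run of decimal digits. A token like
 * `65535 r/bin:/sbin:/bin"` from the report fails the digit test. */
int idmap_argv_is_sane(char *const argv[])
{
    if (argv == NULL || argv[0] == NULL)
        return 0;
    if (strcmp(argv[0], "newuidmap") != 0 && strcmp(argv[0], "newgidmap") != 0)
        return 0;
    size_t argc = 0;
    while (argv[argc] != NULL)
        argc++;
    if (argc < 5 || (argc - 2) % 3 != 0)
        return 0;
    for (size_t i = 1; i < argc; i++) {
        const char *t = argv[i];
        if (*t == '\0')
            return 0;
        for (; *t != '\0'; t++)
            if (*t < '0' || *t > '9')
                return 0;
    }
    return 1;
}

/* Render argv as one space-separated line, like the reporter's debug print.
 * Returns 0 on success, -1 if the output buffer is too small. */
int join_argv(char *const argv[], char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; argv[i] != NULL; i++) {
        int n = snprintf(out + used, outsz - used, "%s%s", i ? " " : "", argv[i]);
        if (n < 0 || (size_t) n >= outsz - used)
            return -1;
        used += (size_t) n;
    }
    return 0;
}
```

A caller would run `idmap_argv_is_sane` immediately before `execvp(argv[0], argv)` and abort container setup when it fails. That matters for diagnosis as much as for correctness: in the report the helper's usage error is only visible because `--debug` was on, while the error the user actually sees is the later, unrelated-looking `Invalid argument` from writing `uid_map`.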
giuseppe added a commit to giuseppe/crun that referenced this issue Nov 21, 2022
and while at it, avoid an extra copy to a temporary buffer.

Closes: containers#1077

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
@giuseppe (Member) commented:

Thanks for the helpful report, the PR is here: #1078
