-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request moby#140 from thaJeztah/integrate_libcontainer_userns
integrate libcontainer/userns into moby/sys/user
- Loading branch information
Showing
7 changed files
with
130 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
module github.com/moby/sys/user | ||
|
||
go 1.18 | ||
go 1.21 | ||
|
||
require golang.org/x/sys v0.1.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
// Package userns provides utilities to detect whether we are currently running | ||
// in a Linux user namespace. | ||
// | ||
// This code was migrated from [libcontainer/runc], which based its implementation | ||
// on code from [lcx/incus]. | ||
// | ||
// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49 | ||
// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700 | ||
package userns | ||
|
||
// RunningInUserNS detects whether we are currently running in a Linux | ||
// user namespace and memoizes the result. It returns false on non-Linux | ||
// platforms. | ||
func RunningInUserNS() bool { | ||
return inUserNS() | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
package userns | ||
|
||
import ( | ||
"bufio" | ||
"fmt" | ||
"os" | ||
"sync" | ||
) | ||
|
||
var inUserNS = sync.OnceValue(runningInUserNS) | ||
|
||
// runningInUserNS detects whether we are currently running in a user namespace. | ||
// | ||
// This code was migrated from [libcontainer/runc] and based on an implementation | ||
// from [lcx/incus]. | ||
// | ||
// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49 | ||
// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700 | ||
func runningInUserNS() bool { | ||
file, err := os.Open("/proc/self/uid_map") | ||
if err != nil { | ||
// This kernel-provided file only exists if user namespaces are supported. | ||
return false | ||
} | ||
defer file.Close() | ||
|
||
buf := bufio.NewReader(file) | ||
l, _, err := buf.ReadLine() | ||
if err != nil { | ||
return false | ||
} | ||
|
||
return uidMapInUserNS(string(l)) | ||
} | ||
|
||
func uidMapInUserNS(uidMap string) bool { | ||
if uidMap == "" { | ||
// File exist but empty (the initial state when userns is created, | ||
// see user_namespaces(7)). | ||
return true | ||
} | ||
|
||
var a, b, c int64 | ||
if _, err := fmt.Sscanf(uidMap, "%d %d %d", &a, &b, &c); err != nil { | ||
// Assume we are in a regular, non user namespace. | ||
return false | ||
} | ||
|
||
// As per user_namespaces(7), /proc/self/uid_map of | ||
// the initial user namespace shows 0 0 4294967295. | ||
initNS := a == 0 && b == 0 && c == 4294967295 | ||
return !initNS | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
//go:build linux && gofuzz | ||
|
||
package userns | ||
|
||
func FuzzUIDMap(uidmap []byte) int { | ||
_ = uidMapInUserNS(string(uidmap)) | ||
return 1 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
package userns | ||
|
||
import "testing" | ||
|
||
func TestUIDMapInUserNS(t *testing.T) { | ||
cases := []struct { | ||
s string | ||
expected bool | ||
}{ | ||
{ | ||
s: " 0 0 4294967295\n", | ||
expected: false, | ||
}, | ||
{ | ||
s: " 0 0 1\n", | ||
expected: true, | ||
}, | ||
{ | ||
s: " 0 1001 1\n 1 231072 65536\n", | ||
expected: true, | ||
}, | ||
{ | ||
// file exist but empty (the initial state when userns is created. see man 7 user_namespaces) | ||
s: "", | ||
expected: true, | ||
}, | ||
} | ||
for _, c := range cases { | ||
actual := uidMapInUserNS(c.s) | ||
if c.expected != actual { | ||
t.Fatalf("expected %v, got %v for %q", c.expected, actual, c.s) | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
//go:build !linux | ||
|
||
package userns | ||
|
||
// inUserNS is a stub for non-Linux systems. Always returns false. | ||
func inUserNS() bool { return false } |