Skip to content

Commit

Permalink
Merge pull request moby#140 from thaJeztah/integrate_libcontainer_userns
Browse files Browse the repository at this point in the history
integrate libcontainer/userns into moby/sys/user
  • Loading branch information
laurazard authored Jul 25, 2024
2 parents 617cda3 + 5cd502c commit 86870e7
Show file tree
Hide file tree
Showing 7 changed files with 130 additions and 7 deletions.
18 changes: 12 additions & 6 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -16,14 +16,18 @@ clean:
test: test-local
set -eu; \
for p in $(PACKAGES); do \
(cd $$p; go test $(RUN_VIA_SUDO) -v .); \
if $p = user && go version | grep -qv go1.18; then \
(cd $$p; go test $(RUN_VIA_SUDO) -v .); \
fi \
done

.PHONY: tidy
tidy:
set -eu; \
for p in $(PACKAGES); do \
(cd $$p; go mod tidy); \
for p in $(PACKAGES); do \
if $p = user && go version | grep -qv go1.18; then \
(cd $$p; go mod tidy); \
fi \
done

# Test the mount module against the local mountinfo source code instead of the
Expand All @@ -42,9 +46,11 @@ lint: $(BINDIR)/golangci-lint
$(BINDIR)/golangci-lint version
set -eu; \
for p in $(PACKAGES); do \
(cd $$p; \
go mod download; \
../$(BINDIR)/golangci-lint run); \
if $p = user && go version | grep -qv go1.18; then \
(cd $$p; \
go mod download; \
../$(BINDIR)/golangci-lint run); \
fi \
done

$(BINDIR)/golangci-lint: $(BINDIR)
Expand Down
2 changes: 1 addition & 1 deletion user/go.mod
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
module github.com/moby/sys/user

go 1.18
go 1.21

require golang.org/x/sys v0.1.0
16 changes: 16 additions & 0 deletions user/userns/userns.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
// Package userns provides utilities to detect whether we are currently running
// in a Linux user namespace.
//
// This code was migrated from [libcontainer/runc], which based its implementation
// on code from [lcx/incus].
//
// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49
// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700
package userns

// RunningInUserNS detects whether we are currently running in a Linux
// user namespace and memoizes the result. It returns false on non-Linux
// platforms.
func RunningInUserNS() bool {
return inUserNS()
}
53 changes: 53 additions & 0 deletions user/userns/userns_linux.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
package userns

import (
"bufio"
"fmt"
"os"
"sync"
)

var inUserNS = sync.OnceValue(runningInUserNS)

// runningInUserNS detects whether we are currently running in a user namespace.
//
// This code was migrated from [libcontainer/runc] and based on an implementation
// from [lcx/incus].
//
// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49
// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700
func runningInUserNS() bool {
file, err := os.Open("/proc/self/uid_map")
if err != nil {
// This kernel-provided file only exists if user namespaces are supported.
return false
}
defer file.Close()

buf := bufio.NewReader(file)
l, _, err := buf.ReadLine()
if err != nil {
return false
}

return uidMapInUserNS(string(l))
}

func uidMapInUserNS(uidMap string) bool {
if uidMap == "" {
// File exist but empty (the initial state when userns is created,
// see user_namespaces(7)).
return true
}

var a, b, c int64
if _, err := fmt.Sscanf(uidMap, "%d %d %d", &a, &b, &c); err != nil {
// Assume we are in a regular, non user namespace.
return false
}

// As per user_namespaces(7), /proc/self/uid_map of
// the initial user namespace shows 0 0 4294967295.
initNS := a == 0 && b == 0 && c == 4294967295
return !initNS
}
8 changes: 8 additions & 0 deletions user/userns/userns_linux_fuzzer.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
//go:build linux && gofuzz

package userns

func FuzzUIDMap(uidmap []byte) int {
_ = uidMapInUserNS(string(uidmap))
return 1
}
34 changes: 34 additions & 0 deletions user/userns/userns_linux_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
package userns

import "testing"

func TestUIDMapInUserNS(t *testing.T) {
cases := []struct {
s string
expected bool
}{
{
s: " 0 0 4294967295\n",
expected: false,
},
{
s: " 0 0 1\n",
expected: true,
},
{
s: " 0 1001 1\n 1 231072 65536\n",
expected: true,
},
{
// file exist but empty (the initial state when userns is created. see man 7 user_namespaces)
s: "",
expected: true,
},
}
for _, c := range cases {
actual := uidMapInUserNS(c.s)
if c.expected != actual {
t.Fatalf("expected %v, got %v for %q", c.expected, actual, c.s)
}
}
}
6 changes: 6 additions & 0 deletions user/userns/userns_unsupported.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
//go:build !linux

package userns

// inUserNS is a stub for non-Linux systems. Always returns false.
func inUserNS() bool { return false }

0 comments on commit 86870e7

Please sign in to comment.