Check if unprivileged user namespaces are enabled

youki-dev · Nov 24, 2021 · 4192841 · 4192841
1 parent 64fd60d
commit 4192841
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/crates/libcontainer/src/rootless.rs b/crates/libcontainer/src/rootless.rs
@@ -2,6 +2,7 @@ use crate::{namespaces::Namespaces, utils};
 use anyhow::{bail, Context, Result};
 use nix::unistd::Pid;
 use oci_spec::runtime::{Linux, LinuxIdMapping, LinuxNamespace, LinuxNamespaceType, Mount, Spec};
+use std::fs;
 use std::path::Path;
 use std::process::Command;
 use std::{env, path::PathBuf};
@@ -104,6 +105,22 @@ pub fn rootless_required() -> bool {
     matches!(std::env::var("YOUKI_USE_ROOTLESS").as_deref(), Ok("true"))
 }
 
+pub fn unprivileged_user_ns_enabled() -> Result<bool> {
+    let user_ns_sysctl = Path::new("/proc/sys/kernel/unprivileged_userns_clone");
+    if !user_ns_sysctl.exists() {
+        return Ok(true);
+    }
+
+    let content =
+        fs::read_to_string(user_ns_sysctl).context("failed to read unprivileged userns clone")?;
+
+    match content.trim().parse::<u8>()? {
+        0 => Ok(false),
+        1 => Ok(true),
+        v => bail!("failed to parse unprivileged userns value: {}", v),
+    }
+}
+
 /// Validates that the spec contains the required information for
 /// running in rootless mode
 fn validate(spec: &Spec) -> Result<()> {

diff --git a/crates/youki/src/commands/info.rs b/crates/youki/src/commands/info.rs
@@ -3,6 +3,7 @@ use std::{collections::HashSet, fs, path::Path};
 
 use anyhow::Result;
 use clap::Parser;
+use libcontainer::rootless;
 use procfs::{CpuInfo, Meminfo};
 
 use libcgroups::{common::CgroupSetup, v2::controller_type::ControllerType};
@@ -176,7 +177,12 @@ pub fn print_namespaces() {
         println!("  {:<16}enabled", "mount");
         print_feature_status(&content, "CONFIG_UTS_NS", FeatureDisplay::new("uts"));
         print_feature_status(&content, "CONFIG_IPC_NS", FeatureDisplay::new("ipc"));
-        print_feature_status(&content, "CONFIG_USER_NS", FeatureDisplay::new("user"));
+
+        let user_display = match rootless::unprivileged_user_ns_enabled() {
+            Ok(false) => FeatureDisplay::with_status("user", "enabled (root only)", "disabled"),
+            _ => FeatureDisplay::new("user"),
+        };
+        print_feature_status(&content, "CONFIG_USER_NS", user_display);
         print_feature_status(&content, "CONFIG_PID_NS", FeatureDisplay::new("pid"));
         print_feature_status(&content, "CONFIG_NET_NS", FeatureDisplay::new("network"));
         // While the CONFIG_CGROUP_NS kernel feature exists, it is obsolete and should not be used. CGroup namespaces