diff options
| author | Ryan Gonzalez <rymg19@gmail.com> | 2020-06-30 15:12:30 -0500 |
|---|---|---|
| committer | Alexander Larsson <alexander.larsson@gmail.com> | 2020-07-03 09:36:06 +0200 |
| commit | 9833b900194fca5829087e3bb052c8bc0bd3fe7e (patch) | |
| tree | 47cbeb715654f9b7738fbb70b7fe341f19ad3314 | |
| parent | 509ce6bd741e0c5161a7778ad06f91664dd0e63c (diff) | |
| download | flatpak-9833b900194fca5829087e3bb052c8bc0bd3fe7e.tar.gz | |
run: Don't use userns2 if same as userns
When --device=all is *not* passed to Flatpak, --dev is passed to bwrap,
which causes it to use an intermediate user namespace to mount devpts
because it can only be mounted as UID 0. Therefore, when expose-pids
is used, Flatpak will pass both --userns *and* --userns2 to handle
the presence of the intermediate namespace.
However, when --device=all *is* passed, there is no intermediate
namespace. Thus, setns(userns2) will fail with EINVAL. In order to
handle this, --userns2 is no longer passed if the namespace is
identical to that passed via --userns.
Fixes #3722.
| -rw-r--r-- | common/flatpak-run.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/common/flatpak-run.c b/common/flatpak-run.c index de805cf7..354920e0 100644 --- a/common/flatpak-run.c +++ b/common/flatpak-run.c @@ -3462,18 +3462,19 @@ check_parental_controls (const char *app_ref, } static int -open_namespace_fd_if_needed (const char *path, const char *type) -{ - g_autofree char *self_path = g_strdup_printf ("/proc/self/ns/%s", type); - struct stat s, self_s; +open_namespace_fd_if_needed (const char *path, + const char *other_path) { + struct stat s, other_s; if (stat (path, &s) != 0) return -1; /* No such namespace, ignore */ - if (stat (self_path, &self_s) != 0) + if (stat (other_path, &other_s) != 0) return -1; /* No such namespace, ignore */ - if (s.st_ino != self_s.st_ino) + /* setns calls fail if the process is already in the desired namespace, hence the + check here to ensure the namespaces are different. */ + if (s.st_ino != other_s.st_ino) return open (path, O_RDONLY|O_CLOEXEC); return -1; @@ -3872,13 +3873,13 @@ flatpak_run_app (const char *app_ref, userns_path = g_strdup_printf ("/proc/%d/root/run/.userns", parent_pid); - userns_fd = open_namespace_fd_if_needed (userns_path, "user"); + userns_fd = open_namespace_fd_if_needed (userns_path, "/proc/self/ns/user"); if (userns_fd != -1) { flatpak_bwrap_add_args_data_fd (bwrap, "--userns", userns_fd, NULL); userns2_path = g_strdup_printf ("/proc/%d/ns/user", parent_pid); - userns2_fd = open (userns2_path, O_RDONLY|O_CLOEXEC); + userns2_fd = open_namespace_fd_if_needed (userns2_path, userns_path); if (userns2_fd != -1) flatpak_bwrap_add_args_data_fd (bwrap, "--userns2", userns2_fd, NULL); } |