Fix setting SELinux label for mqueue when user namespaces are enabled

mrunalp · runcom · commit 3ce50afe04f1 · 2016-10-27T15:39:06.000+02:00
If one tries to user SELinux with user namespaces, then labeling of /dev/mqueue
fails because the IPC namespace belongs to the root in init_user_ns. This
commit fixes that by unsharing IPC namespace after we clone into a new USER
namespace so the IPC namespace is owned by the root inside the new USER
namespace as opposed to init_user_ns.

Signed-off-by: Mrunal Patel &lt;mrunalp@gmail.com&gt;
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
@@ -94,14 +94,20 @@ static int child_func(void *arg)
 	longjmp(*ca->env, JUMP_VAL);
 }
 
-static int clone_parent(jmp_buf *env, int flags) __attribute__ ((noinline));
-static int clone_parent(jmp_buf *env, int flags)
+static int clone_parent(jmp_buf *env, int flags, bool delay_ipc_unshare) __attribute__ ((noinline));
+static int clone_parent(jmp_buf *env, int flags, bool delay_ipc_unshare)
 {
 	int child;
 	struct clone_arg ca = {
 		.env = env,
 	};
 
+	// Don't clone into NEWIPC at the same time as cloning into NEWUSER.
+	// This way we can ensure that NEWIPC namespace belongs to the root in new user namespace.
+	if (delay_ipc_unshare) {
+		flags &= ~CLONE_NEWIPC;
+	}
+
 	child = clone(child_func, ca.stack_ptr, CLONE_PARENT | SIGCHLD | flags, &ca);
 
 	/*
@@ -227,7 +233,7 @@ static void update_gidmap(int pid, char *map, int map_len)
 
 #define JSON_MAX 4096
 
-static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlconfig_t *config)
+static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlconfig_t *config, bool delay_ipc_unshare)
 {
 	int len, childpid;
 	char buf[JSON_MAX];
@@ -239,7 +245,7 @@ static void start_child(int pipenum, jmp_buf *env, int syncpipe[2], struct nlcon
 	 * (the bootstrap process). Also so we don't need to forward the
 	 * child's exit code or resend its death signal.
 	 */
-	childpid = clone_parent(env, config->cloneflags);
+	childpid = clone_parent(env, config->cloneflags, delay_ipc_unshare);
 	if (childpid < 0)
 		bail("unable to fork");
 
@@ -415,6 +421,9 @@ void nsexec(void)
 	if (config.cloneflags == -1)
 		bail("missing clone_flags");
 
+	bool delay_ipc_unshare = ((config.cloneflags & CLONE_NEWUSER) == CLONE_NEWUSER)
+		&& ((config.cloneflags & CLONE_NEWIPC) == CLONE_NEWIPC);
+
 	/* Pipe so we can tell the child when we've finished setting up. */
 	if (pipe(syncpipe) < 0)
 		bail("failed to setup sync pipe between parent and child");
@@ -447,6 +456,12 @@ void nsexec(void)
 		if (setgroups(0, NULL) < 0)
 			bail("setgroups failed");
 
+		if (delay_ipc_unshare) {
+			if (unshare(CLONE_NEWIPC)) {
+				bail("unable to unshare IPC namespace");
+			}
+		}
+
 		if (consolefd != -1) {
 			if (ioctl(consolefd, TIOCSCTTY, 0) < 0)
 				bail("ioctl TIOCSCTTY failed");
@@ -466,7 +481,7 @@ void nsexec(void)
 	}
 
 	/* Run the parent code. */
-	start_child(pipenum, &env, syncpipe, &config);
+	start_child(pipenum, &env, syncpipe, &config, delay_ipc_unshare);
 
 	/* Should never be reached. */
 	bail("should never be reached");
