c - How to test user namespaces with the clone system call and the CLONE_NEWUSER flag

Reposted. Author: 塔克拉玛干. Updated: 2023-11-03 00:04:36

The test sample comes from Containerization with LXC and demonstrates user namespaces.

It should print the output of the child process in the new user namespace as well as the parent's output.

# ./user_namespace
UID outside the namespace is 0
GID outside the namespace is 0
UID inside the namespace is 65534
GID inside the namespace is 65534

However, it only shows the parent's output.

UID outside the namespace is 1000
GID outside the namespace is 1000

Please help me understand why the child process does not print.

Code

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sched.h>
#include <signal.h>
#include <sys/wait.h>   /* waitpid() */

/* Entry point of the clone()d child; its return value becomes the child's exit status. */
static int childFunc(void *arg)
{
    (void)arg;
    printf("UID inside the namespace is %ld\n", (long)geteuid());
    printf("GID inside the namespace is %ld\n", (long)getegid());
    return 0;
}

/* Stack for the child; clone() needs the top of the region because the stack grows down. */
static char child_stack[1024*1024];

int main(int argc, char *argv[])
{
    pid_t child_pid;

    /* child_pid = clone(childFunc, child_stack + (1024*1024), CLONE_NEWUSER, 0);*/

    /* Note: the return value of clone() is not checked, so a failure goes unnoticed. */
    child_pid = clone(&childFunc, child_stack + (1024*1024), CLONE_NEWUSER, 0);

    printf("UID outside the namespace is %ld\n", (long)geteuid());
    printf("GID outside the namespace is %ld\n", (long)getegid());
    waitpid(child_pid, NULL, 0);
    exit(EXIT_SUCCESS);
}

Environment

$ uname -r
3.10.0-693.21.1.el7.x86_64

$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
CPE_NAME="cpe:/o:centos:centos:7"


Update

According to thejonny's answer, user namespaces have to be enabled. For RHEL/CentOS 7, see: Is it safe to enable user namespaces in CentOS 7.4 and how to do it?

By default, the new 7.4 kernel restricts the number of user namespaces to 0. To work around this, increase the user namespace limit:
echo 15000 > /proc/sys/user/max_user_namespaces

Best answer

Unprivileged user namespaces may be disabled. Since you do not check the return value of clone, you do not notice. Running strace on my system prints:

.... startup stuff ...
clone(child_stack=0x55b41f2a4070, flags=CLONE_NEWUSER) = -1 EPERM (Operation not permitted)
geteuid() = 1000
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 6), ...}) = 0
brk(NULL) = 0x55b4200b8000
brk(0x55b4200d9000) = 0x55b4200d9000
write(1, "UID outside the namespace is 100"..., 34UID outside the namespace is 1000
) = 34
getegid() = 1000
write(1, "GID outside the namespace is 100"..., 34GID outside the namespace is 1000
) = 34
wait4(-1, NULL, 0, NULL) = -1 ECHILD (No child processes)
exit_group(0) = ?

So clone fails and waitpid fails: there is no child process.

See here for enabling user namespaces: https://superuser.com/questions/1094597/enable-user-namespaces-in-debian-kernel
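The following is an added example, not code from the question, the answer, or the LXC book. It does what the answer asks for: it checks the return value of clone(CLONE_NEWUSER) and reports the errno with the usual cause (EPERM on RHEL/CentOS 7 when max_user_namespaces is 0). It also fixes two things the original program does not handle: it ORs SIGCHLD into the flags so a plain waitpid() reaps the child, and it writes /proc/<pid>/uid_map and gid_map from the parent so the child sees uid 0 instead of the overflow id 65534. The function names (run_user_ns_demo, format_id_map, clone_error_hint, write_proc_file) and the pipe-based handshake are my own choices, not part of the original.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];

struct ns_result {
    int clone_errno;   /* 0 when clone() succeeded, otherwise the errno it set */
    int maps_written;  /* 1 when uid_map and gid_map were both written */
    long child_uid;    /* euid the child observed inside the namespace, -1 if no child ran */
};

/* Pipes are created before clone(), so both processes hold both ends (hypothetical design). */
static int go_pipe[2];      /* parent closes its write end once the id maps are in place */
static int result_pipe[2];  /* child reports its euid back to the parent */

/* Build one id-map line "inner outer count" as written to /proc/<pid>/uid_map or gid_map. */
int format_id_map(char *buf, size_t len, unsigned inner, unsigned outer, unsigned count)
{
    return snprintf(buf, len, "%u %u %u", inner, outer, count);
}

/* Map the errno from clone(CLONE_NEWUSER) to its usual cause. */
const char *clone_error_hint(int err)
{
    switch (err) {
    case EPERM:  return "user namespaces disabled or blocked; on RHEL/CentOS 7 check /proc/sys/user/max_user_namespaces";
    case ENOSPC: case EUSERS: return "user namespace nesting or count limit reached";
    case EINVAL: return "kernel built without CONFIG_USER_NS";
    default:     return strerror(err);
    }
}

/* Write text to /proc/<pid>/<file>; 0 on success, -1 with errno set. */
static int write_proc_file(pid_t pid, const char *file, const char *text)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/%s", (long)pid, file);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

static int child_func(void *arg)
{
    char ch;
    (void)arg;
    close(go_pipe[1]);
    close(result_pipe[0]);
    /* read() returns 0 once the parent closes its write end, i.e. after the maps are written. */
    while (read(go_pipe[0], &ch, 1) < 0 && errno == EINTR) ;
    long uid = (long)geteuid();
    printf("UID inside the namespace is %ld\n", uid);
    printf("GID inside the namespace is %ld\n", (long)getegid());
    fflush(stdout);  /* returning from a clone child ends in _exit(), which does not flush stdio */
    return write(result_pipe[1], &uid, sizeof uid) == sizeof uid ? 0 : 1;
}

struct ns_result run_user_ns_demo(void)
{
    struct ns_result r = { 0, 0, -1 };
    char map[64];
    if (pipe(go_pipe) < 0 || pipe(result_pipe) < 0) { r.clone_errno = errno; return r; }
    fflush(stdout);  /* otherwise buffered parent output is duplicated in the child */
    /* SIGCHLD makes the child a normal waitpid() target; without it waitpid needs __WALL. */
    pid_t pid = clone(child_func, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, NULL);
    if (pid < 0) {
        r.clone_errno = errno;
        fprintf(stderr, "clone(CLONE_NEWUSER): %s (%s)\n", strerror(r.clone_errno), clone_error_hint(r.clone_errno));
        close(go_pipe[0]); close(go_pipe[1]); close(result_pipe[0]); close(result_pipe[1]);
        return r;
    }
    close(go_pipe[0]);
    close(result_pipe[1]);
    /* Map the caller's own uid/gid onto 0 inside the namespace. An unprivileged parent must
       write "deny" to setgroups before gid_map (Linux >= 3.19; ENOENT on older kernels is fine). */
    format_id_map(map, sizeof map, 0, (unsigned)getuid(), 1);
    int ok = write_proc_file(pid, "uid_map", map) == 0;
    if (write_proc_file(pid, "setgroups", "deny") < 0 && errno != ENOENT) ok = 0;
    format_id_map(map, sizeof map, 0, (unsigned)getgid(), 1);
    ok = write_proc_file(pid, "gid_map", map) == 0 && ok;
    if (!ok) fprintf(stderr, "id maps not written (last error: %s)\n", strerror(errno));
    r.maps_written = ok;
    close(go_pipe[1]);  /* release the child */
    if (read(result_pipe[0], &r.child_uid, sizeof r.child_uid) != sizeof r.child_uid) r.child_uid = -1;
    close(result_pipe[0]);
    waitpid(pid, NULL, 0);
    return r;
}

int main(void)
{
    printf("UID outside the namespace is %ld\n", (long)geteuid());
    printf("GID outside the namespace is %ld\n", (long)getegid());
    struct ns_result r = run_user_ns_demo();
    return r.clone_errno ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

With user namespaces disabled the program now prints the clone error and the hint instead of silently skipping the child; with them enabled and the maps written, the child reports uid 0 rather than 65534. The handshake over go_pipe is needed because the maps can only be written after the child exists, but must be in place before the child looks at its ids.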

Regarding "c - How to test user namespaces with the clone system call and the CLONE_NEWUSER flag", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/49593433/