Userns container in containers

ashahab-altiscale · ashahab-altiscale · commit 34b9f16406ed · 2015-10-20T22:03:29.000-07:00
Added a check on devices for hosts that are themselves usernamespaced
containers. It is not possible for a non-root host process to set the
devices.allow and devices.deny, and therefore this patch skips that for
host processes which have a non-root uid_map.
Signed-off-by: Abin Shahab &lt;ashahab@altiscale.com&gt;
diff --git a/libcontainer/cgroups/fs/devices.go b/libcontainer/cgroups/fs/devices.go
@@ -5,6 +5,7 @@ package fs
 import (
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
+	"github.com/opencontainers/runc/libcontainer/utils"
 )
 
 type DevicesGroup struct {
@@ -26,6 +27,13 @@ func (s *DevicesGroup) Apply(d *data) error {
 }
 
 func (s *DevicesGroup) Set(path string, cgroup *configs.Cgroup) error {
+	isHostUserns, err := utils.IsHostUserns()
+	if err != nil {
+		return err
+	}
+	if isHostUserns {
+		return nil
+	}
 	if !cgroup.AllowAllDevices {
 		if err := writeFile(path, "devices.deny", "a"); err != nil {
 			return err
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -18,6 +18,7 @@ import (
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 	"github.com/opencontainers/runc/libcontainer/configs"
 	"github.com/opencontainers/runc/libcontainer/label"
+	"github.com/opencontainers/runc/libcontainer/utils"
 )
 
 const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
@@ -370,7 +371,15 @@ func createDevices(config *configs.Config) error {
 	for _, node := range config.Devices {
 		// containers running in a user namespace are not allowed to mknod
 		// devices so we can just bind mount it from the host.
-		if err := createDeviceNode(config.Rootfs, node, config.Namespaces.Contains(configs.NEWUSER)); err != nil {
+		isHostUserns, err := utils.IsHostUserns()
+		if err != nil {
+			return err
+		}
+		isContainerUserns := config.Namespaces.Contains(configs.NEWUSER)
+		if err := createDeviceNode(
+			config.Rootfs,
+			node,
+			isContainerUserns || isHostUserns); err != nil {
 			syscall.Umask(oldMask)
 			return err
 		}
diff --git a/libcontainer/utils/utils.go b/libcontainer/utils/utils.go
@@ -4,14 +4,18 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"io"
+	"io/ioutil"
 	"path/filepath"
+	"regexp"
 	"syscall"
 )
 
 const (
 	exitSignalOffset = 128
 )
 
+var userns_regex, _ = regexp.Compile("0\\s+0\\s+\\d+")
+
 // GenerateRandomName returns a new name joined with a prefix.  This size
 // specified is used to truncate the randomly generated value
 func GenerateRandomName(prefix string, size int) (string, error) {
@@ -43,3 +47,18 @@ func ExitStatus(status syscall.WaitStatus) int {
 	}
 	return status.ExitStatus()
 }
+
+//Checks if host itself usernamespaced, to allow for
+//containers in containers case
+func IsHostUserns() (bool, error) {
+	//scan uid map. should never be more than 5 lines long
+	dat, err := ioutil.ReadFile("/proc/self/uid_map")
+	if err != nil {
+		return false, err
+	}
+	if userns_regex.Match(dat) {
+		return false, nil
+	}
+
+	return true, nil
+}
