| Message ID | 20211222231907.1036709-1-richard.purdie@linuxfoundation.org |
|---|---|
| State | Accepted, archived |
| Commit | 9d6341df611a1725090444f6f8eb0244aed08213 |
| Headers | show |
| Series | [1/2] utils: Add disable_network function | expand |
Hi Richard, First of all, this feature is fantastic. Richard Purdie <richard.purdie@linuxfoundation.org> escreveu no dia quarta, 22/12/2021 à(s) 23:19: > Add a function which uses the unshare glibc call to disable networking > in the current process. This doesn't work on older distros/kernels > but will on more recent ones so for now we simply ignore the cases we > can't execute on. uid/gid can be passed in externally so this can > work with pseudo/fakeroot contexts. > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > --- > lib/bb/utils.py | 31 +++++++++++++++++++++++++++++++ > 1 file changed, 31 insertions(+) > > diff --git a/lib/bb/utils.py b/lib/bb/utils.py > index d890ea832e..8006f7bd2d 100644 > --- a/lib/bb/utils.py > +++ b/lib/bb/utils.py > @@ -26,6 +26,7 @@ import errno > import signal > import collections > import copy > +import ctypes > from subprocess import getstatusoutput > from contextlib import contextmanager > from ctypes import cdll > @@ -1594,6 +1595,36 @@ def set_process_name(name): > except: > pass > > +def disable_network(uid=None, gid=None): > + """ > + Disable networking in the current process if the kernel supports it, > else > + just return after logging to debug. To do this we need to create a > new user > + namespace, then map back to the original uid/gid. > + """ > + libc = ctypes.CDLL('libc.so.6') > + > + # From sched.h > + # New user namespace > + CLONE_NEWUSER = 0x10000000 > + # New network namespace > + CLONE_NEWNET = 0x40000000 > + > + if uid is None: > + uid = os.getuid() > + if gid is None: > + gid = os.getgid() > + > + ret = libc.unshare(CLONE_NEWNET | CLONE_NEWUSER) > + if ret != 0: > + logger.debug("System doesn't suport disabling network without > admin privs") > + return > try: > + with open("/proc/self/uid_map", "w") as f: > + f.write("%s %s 1" % (uid, uid)) > + with open("/proc/self/setgroups", "w") as f: > + f.write("deny") > + with open("/proc/self/gid_map", "w") as f: > + f.write("%s %s 1" % (gid, gid)) > except: print a warning about the fail Without that it can fail silently if the user doesn't have permission to write in /proc/self. In general, if it runs all the steps, the function can return true/false. Jose + > def export_proxies(d): > """ export common proxies variables from datastore to environment """ > import os > -- > 2.32.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#13199): > https://lists.openembedded.org/g/bitbake-devel/message/13199 > Mute This Topic: https://lists.openembedded.org/mt/87909296/5052612 > Group Owner: bitbake-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/bitbake-devel/unsub [ > quaresma.jose@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
Hi Richard,
I think that the usage of the unshare system call can replace the use of
pseudo on bitbake.
If we map the new user namespace to the superuser we can do what is
bean done nowadays
inside the pseudo or not ?
*-r*, *--map-root-user*
Run the program only after the current effective user and
group IDs have been mapped to the superuser UID and GID in
the newly created user namespace. This makes it possible to
conveniently gain capabilities needed to manage various
aspects of the newly created namespaces (such as configuring
interfaces in the network namespace or mounting filesystems
in the mount namespace) even when run unprivileged. As a mere
convenience feature, it does not support more sophisticated
use cases, such as mapping multiple ranges of UIDs and GIDs.
This option implies *--setgroups=deny *and *--user*. This option
is equivalent to *--map-user=0 --map-group=0*.
https://man7.org/linux/man-pages/man1/unshare.1.html
Best regards,
Jose
Richard Purdie <richard.purdie@linuxfoundation.org> escreveu no dia sexta,
24/12/2021 à(s) 15:57:
> On Thu, 2021-12-23 at 15:10 +0000, Jose Quaresma wrote:
> > Hi Richard,
> >
> > First of all, this feature is fantastic.
>
> I'm certainly happy we can now do this, at least for some systems (and the
> situation should improve in the future),
>
> >
> > Richard Purdie <richard.purdie@linuxfoundation.org> escreveu no dia
> quarta,
> > 22/12/2021 à(s) 23:19:
> > >
> >
> >
> > try:
> >
> > > + with open("/proc/self/uid_map", "w") as f:
> > > + f.write("%s %s 1" % (uid, uid))
> > > + with open("/proc/self/setgroups", "w") as f:
> > > + f.write("deny")
> > > + with open("/proc/self/gid_map", "w") as f:
> > > + f.write("%s %s 1" % (gid, gid))
> > >
> >
> >
> > except:
> > print a warning about the fail
> >
> > Without that it can fail silently if the user doesn't have permission to
> write
> > in /proc/self.
> > In general, if it runs all the steps, the function can return true/false.
>
> The trouble is there are a set of older distros where this definitely
> won't work
> and we can't really afford to print warnings on those. Not sure what the
> best
> way forward is for that...
>
> Cheers,
>
> Richard
>
>
Richard Purdie <richard.purdie@linuxfoundation.org> escreveu no dia quarta, 2/02/2022 à(s) 13:43: > On Wed, 2022-02-02 at 12:38 +0000, Jose Quaresma wrote: > > Hi Richard, > > > > I think that the usage of the unshare system call can replace the use of > > pseudo on bitbake. > > If we map the new user namespace to the superuser we can do what is > bean done > > nowadays > > inside the pseudo or not ? > > -r, --map-root-user > > Run the program only after the current effective user and > > group IDs have been mapped to the superuser UID and GID in > > the newly created user namespace. This makes it possible to > > conveniently gain capabilities needed to manage various > > aspects of the newly created namespaces (such as configuring > > interfaces in the network namespace or mounting filesystems > > in the mount namespace) even when run unprivileged. As a mere > > convenience feature, it does not support more sophisticated > > use cases, such as mapping multiple ranges of UIDs and GIDs. > > This option implies --setgroups=deny and --user. This option > > is equivalent to --map-user=0 --map-group=0. > > https://man7.org/linux/man-pages/man1/unshare.1.html > > > > I wondered about that and I would love for it to be true however it isn't > that > simple. > > With pseudo we emulate multiple different users and a separate > passwd/group file > with those users in it. The unshare call would map the current user to > root but > it doesn't give us other user IDs or groups to chown/chgrp files to, at > least as > I understand it. > It was also sounding too simple to be true. I will try to better understand this part of the chown/chgrp usage on pseudo. Thank you for the clarification. > > Cheers, > > Richard > >
Hi Richard, This might be a dummy question, but I'm wondering which kernels/distros could support it. I tried the codes on poky target with linux-yocto 6.1.14, and it failed for a non-root user. This manual, https://man7.org/linux/man-pages/man2/unshare.2.html, tells me that CLONE_NEWNET requires CAP_SYS_ADMIN. And looking at the netns_install function in net/core/net_namespace.c, it does seem to be checking CAP_SYS_ADMIN. Regards, Qi On 12/23/21 07:19, Richard Purdie wrote: > Add a function which uses the unshare glibc call to disable networking > in the current process. This doesn't work on older distros/kernels > but will on more recent ones so for now we simply ignore the cases we > can't execute on. uid/gid can be passed in externally so this can > work with pseudo/fakeroot contexts. > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > --- > lib/bb/utils.py | 31 +++++++++++++++++++++++++++++++ > 1 file changed, 31 insertions(+) > > diff --git a/lib/bb/utils.py b/lib/bb/utils.py > index d890ea832e..8006f7bd2d 100644 > --- a/lib/bb/utils.py > +++ b/lib/bb/utils.py > @@ -26,6 +26,7 @@ import errno > import signal > import collections > import copy > +import ctypes > from subprocess import getstatusoutput > from contextlib import contextmanager > from ctypes import cdll > @@ -1594,6 +1595,36 @@ def set_process_name(name): > except: > pass > > +def disable_network(uid=None, gid=None): > + """ > + Disable networking in the current process if the kernel supports it, else > + just return after logging to debug. To do this we need to create a new user > + namespace, then map back to the original uid/gid. > + """ > + libc = ctypes.CDLL('libc.so.6') > + > + # From sched.h > + # New user namespace > + CLONE_NEWUSER = 0x10000000 > + # New network namespace > + CLONE_NEWNET = 0x40000000 > + > + if uid is None: > + uid = os.getuid() > + if gid is None: > + gid = os.getgid() > + > + ret = libc.unshare(CLONE_NEWNET | CLONE_NEWUSER) > + if ret != 0: > + logger.debug("System doesn't suport disabling network without admin privs") > + return > + with open("/proc/self/uid_map", "w") as f: > + f.write("%s %s 1" % (uid, uid)) > + with open("/proc/self/setgroups", "w") as f: > + f.write("deny") > + with open("/proc/self/gid_map", "w") as f: > + f.write("%s %s 1" % (gid, gid)) > + > def export_proxies(d): > """ export common proxies variables from datastore to environment """ > import os > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#13199): https://lists.openembedded.org/g/bitbake-devel/message/13199 > Mute This Topic: https://lists.openembedded.org/mt/87909296/3618072 > Group Owner: bitbake-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/bitbake-devel/unsub [Qi.Chen@windriver.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/lib/bb/utils.py b/lib/bb/utils.py index d890ea832e..8006f7bd2d 100644 --- a/lib/bb/utils.py +++ b/lib/bb/utils.py @@ -26,6 +26,7 @@ import errno import signal import collections import copy +import ctypes from subprocess import getstatusoutput from contextlib import contextmanager from ctypes import cdll @@ -1594,6 +1595,36 @@ def set_process_name(name): except: pass +def disable_network(uid=None, gid=None): + """ + Disable networking in the current process if the kernel supports it, else + just return after logging to debug. To do this we need to create a new user + namespace, then map back to the original uid/gid. + """ + libc = ctypes.CDLL('libc.so.6') + + # From sched.h + # New user namespace + CLONE_NEWUSER = 0x10000000 + # New network namespace + CLONE_NEWNET = 0x40000000 + + if uid is None: + uid = os.getuid() + if gid is None: + gid = os.getgid() + + ret = libc.unshare(CLONE_NEWNET | CLONE_NEWUSER) + if ret != 0: + logger.debug("System doesn't suport disabling network without admin privs") + return + with open("/proc/self/uid_map", "w") as f: + f.write("%s %s 1" % (uid, uid)) + with open("/proc/self/setgroups", "w") as f: + f.write("deny") + with open("/proc/self/gid_map", "w") as f: + f.write("%s %s 1" % (gid, gid)) + def export_proxies(d): """ export common proxies variables from datastore to environment """ import os
Add a function which uses the unshare glibc call to disable networking in the current process. This doesn't work on older distros/kernels but will on more recent ones so for now we simply ignore the cases we can't execute on. uid/gid can be passed in externally so this can work with pseudo/fakeroot contexts. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> --- lib/bb/utils.py | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+)