From: Sungbae Yoo Date: Wed, 31 May 2017 06:43:54 +0000 (+0900) Subject: Add a class to unshare/attach the namespaces of process X-Git-Tag: submit/tizen/20170621.051505~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f440e958953f74b11f3282639cb30e8024ae0853;p=platform%2Fcore%2Fsecurity%2Fklay.git Add a class to unshare/attach the namespaces of process Signed-off-by: Sungbae Yoo Change-Id: Id599317957a08a0ae8806af2460223ac9341d14c --- diff --git a/include/klay/namespace.h b/include/klay/namespace.h new file mode 100644 index 0000000..1a1a60e --- /dev/null +++ b/include/klay/namespace.h @@ -0,0 +1,34 @@ +/* + * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#ifndef __RUNTIME_NAMESPACE_H__ +#define __RUNTIME_NAMESPACE_H__ + +#include + +namespace runtime { + +class Namespace final { +public: + Namespace() = delete; + + static void unshare(int flags); + static void attach(const pid_t pid); +}; + +} // namespace runtime + +#endif //!__RUNTIME_NAMESPACE_H__ diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 3c13396..1e5f8ec 100755 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -17,6 +17,7 @@ SET (KLAY_SOURCES ${KLAY_SRC}/error.cpp ${KLAY_SRC}/process.cpp ${KLAY_SRC}/eventfd.cpp ${KLAY_SRC}/mainloop.cpp + ${KLAY_SRC}/namespace.cpp ${KLAY_SRC}/testbench.cpp ${KLAY_SRC}/file-user.cpp ${KLAY_SRC}/filesystem.cpp diff --git a/src/namespace.cpp b/src/namespace.cpp new file mode 100644 index 0000000..c52d9d4 --- /dev/null +++ b/src/namespace.cpp @@ -0,0 +1,80 @@ +/* + * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ +#include + +#include +#include +#include + +#include +#include + +namespace runtime { + +namespace { + +typedef std::pair NamespacePair; +std::vector namespaces = { + {"mnt", CLONE_NEWNS}, + {"net", CLONE_NEWNET}, + {"ipc", CLONE_NEWIPC}, + {"pid", CLONE_NEWPID}, + {"uts", CLONE_NEWUTS}, + {"user", CLONE_NEWUSER}, +#ifdef CLONE_NEWCGROUP + {"cgroup", CLONE_NEWCGROUP}, +#endif +}; + +} // namespace + +void Namespace::attach(const pid_t pid) +{ + for (const NamespacePair& ns : namespaces) { + std::string nspath = "/proc/" + std::to_string(pid) + "/ns/" + ns.first; + + int fd; + do { + fd = ::open(nspath.c_str(), O_RDONLY); + } while (fd == -1 && errno == EINTR); + + if (fd == -1) { + if (errno != ENOENT) { + throw runtime::Exception("Failed to open namesapce: " + nspath); + } + } else { + if (::setns(fd, ns.second)) { + ::close(fd); + throw runtime::Exception("Failed to set namespace: " + nspath); + } + ::close(fd); + } + } +} + +void Namespace::unshare(int flags) +{ + if (::unshare(flags)) { + throw runtime::Exception("Failed to unshare namespace"); + } + + if (flags & CLONE_NEWNS && + ::mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL) == -1) { + throw runtime::Exception("Failed to mount root filesystem"); + } +} + +} // namespace runtime