diff --git a/pkg/sys/namespace_linux.go b/pkg/sys/namespace_linux.go new file mode 100644 index 000000000..d2a898acc --- /dev/null +++ b/pkg/sys/namespace_linux.go @@ -0,0 +1,38 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package sys + +import ( + "fmt" + "os" + "syscall" + + "golang.org/x/sys/unix" +) + +// GetUsernsForNamespace returns a file descriptor that refers to the owning +// user namespace for the namespace referred to by fd. +// +// REF: https://man7.org/linux/man-pages/man2/ioctl_ns.2.html +func GetUsernsForNamespace(fd uintptr) (*os.File, error) { + fd, _, errno := unix.Syscall(syscall.SYS_IOCTL, fd, uintptr(unix.NS_GET_USERNS), 0) + if errno != 0 { + return nil, fmt.Errorf("failed to get user namespace fd: %w", errno) + } + + return os.NewFile(fd, fmt.Sprintf("/proc/%d/fd/%d", os.Getpid(), fd)), nil +} diff --git a/pkg/sys/namespace_linux_test.go b/pkg/sys/namespace_linux_test.go new file mode 100644 index 000000000..b1ec75b5a --- /dev/null +++ b/pkg/sys/namespace_linux_test.go @@ -0,0 +1,106 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package sys + +import ( + "fmt" + "os" + "syscall" + "testing" + + kernel "github.com/containerd/containerd/v2/pkg/kernelversion" + "github.com/containerd/continuity/testutil" + "github.com/stretchr/testify/require" + "golang.org/x/sys/unix" +) + +func TestGetUsernsForNamespace(t *testing.T) { + testutil.RequiresRoot(t) + + t.Parallel() + + k409 := kernel.KernelVersion{Kernel: 4, Major: 9} + ok, err := kernel.GreaterEqualThan(k409) + require.NoError(t, err) + if !ok { + t.Skip("Requires kernel >= 4.9") + } + + tmpDir := t.TempDir() + + f, err := os.CreateTemp(tmpDir, "netns") + require.NoError(t, err) + + netnsPath := f.Name() + f.Close() + + defer testutil.Unmount(t, netnsPath) + + currentUsernsIno, err := getNamespaceInode(os.Getpid(), "user") + require.NoError(t, err) + + usernsIno := uint64(0) + uerr := UnshareAfterEnterUserns("0:1000:10", "0:1000:10", syscall.CLONE_NEWNET, func(pid int) error { + err := unix.Mount( + fmt.Sprintf("/proc/%d/ns/net", pid), + netnsPath, + "", + unix.MS_BIND|unix.MS_RDONLY, + "", + ) + if err != nil { + return err + } + + usernsIno, err = getNamespaceInode(pid, "user") + if err != nil { + return err + } + return nil + }) + require.NoError(t, uerr) + + require.NotEqual(t, currentUsernsIno, usernsIno) + t.Logf("Current user namespace [%d], new user namespace [%d]", currentUsernsIno, usernsIno) + + netnsFd, err := os.Open(netnsPath) + require.NoError(t, err) + defer netnsFd.Close() + + usernsFd, err := GetUsernsForNamespace(netnsFd.Fd()) + require.NoError(t, err) + defer usernsFd.Close() + + usernsInoFromNetnsFd := getInode(t, usernsFd) + + t.Logf("Fetch netns namespace %s' user namespace owner %d", netnsPath, usernsInoFromNetnsFd) + require.Equal(t, usernsIno, usernsInoFromNetnsFd) + + parentUsernsFd, err := GetUsernsForNamespace(usernsFd.Fd()) + require.NoError(t, err) + defer parentUsernsFd.Close() + + parentUsernsIno := getInode(t, parentUsernsFd) + t.Logf("User namespace %d's parent %d", usernsInoFromNetnsFd, parentUsernsIno) + require.Equal(t, currentUsernsIno, parentUsernsIno) +} + +func getInode(t *testing.T, f *os.File) uint64 { + info, err := f.Stat() + require.NoError(t, err) + return info.Sys().(*syscall.Stat_t).Ino +}