mirror/flatpak
1
0
Fork 0
mirror of https://github.com/flatpak/flatpak.git synced 2026-05-19 06:11:47 -04:00
Code Issues Packages Projects Releases Wiki Activity

run: Don't use userns2 if same as userns

Browse Source 
When --device=all is *not* passed to Flatpak, --dev is passed to bwrap,
which causes it to use an intermediate user namespace to mount devpts
because it can only be mounted as UID 0. Therefore, when expose-pids
is used, Flatpak will pass both --userns *and* --userns2 to handle
the presence of the intermediate namespace.

However, when --device=all *is* passed, there is no intermediate
namespace. Thus, setns(userns2) will fail with EINVAL. In order to
handle this, --userns2 is no longer passed if the namespace is
identical to that passed via --userns.

Fixes #3722.
This commit is contained in:
Ryan Gonzalez
2020-06-30 15:12:30 -05:00
committed by Alexander Larsson
parent 509ce6bd74
commit 9833b90019
1 changed files with 9 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
common/flatpak-run.c
View File

@@ -3462,18 +3462,19 @@ check_parental_controls (const char *app_ref,
}
static int
open_namespace_fd_if_needed (const char *path, const char *type)
{
g_autofree char *self_path = g_strdup_printf ("/proc/self/ns/%s", type);
struct stat s, self_s;
open_namespace_fd_if_needed (const char *path,
const char *other_path) {
struct stat s, other_s;
if (stat (path, &s) != 0)
return -1; /* No such namespace, ignore */
if (stat (self_path, &self_s) != 0)
if (stat (other_path, &other_s) != 0)
return -1; /* No such namespace, ignore */
if (s.st_ino != self_s.st_ino)
/* setns calls fail if the process is already in the desired namespace, hence the
check here to ensure the namespaces are different. */
if (s.st_ino != other_s.st_ino)
return open (path, O_RDONLY|O_CLOEXEC);
return -1;
@@ -3872,13 +3873,13 @@ flatpak_run_app (const char *app_ref,
userns_path = g_strdup_printf ("/proc/%d/root/run/.userns", parent_pid);
userns_fd = open_namespace_fd_if_needed (userns_path, "user");
userns_fd = open_namespace_fd_if_needed (userns_path, "/proc/self/ns/user");
if (userns_fd != -1)
{
flatpak_bwrap_add_args_data_fd (bwrap, "--userns", userns_fd, NULL);
userns2_path = g_strdup_printf ("/proc/%d/ns/user", parent_pid);
userns2_fd = open (userns2_path, O_RDONLY|O_CLOEXEC);
userns2_fd = open_namespace_fd_if_needed (userns2_path, userns_path);
if (userns2_fd != -1)
flatpak_bwrap_add_args_data_fd (bwrap, "--userns2", userns2_fd, NULL);
}