[CRIU] [PATCH v1 05/17] user_ns: Prepare check_user_ns() for working with NS_OTHER
Kirill Tkhai
ktkhai at virtuozzo.com
Thu Jan 12 09:52:49 PST 2017
In case of NS_OTHER it's possible there is no mapping
from the namespace to NS_CRIU. Do not fail and do not
try to set uid/gid if that is the case.
Also, skip the switch_ns() tests for that case.
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
criu/namespaces.c | 41 +++++++++++++++++++++++------------------
1 file changed, 23 insertions(+), 18 deletions(-)
diff --git a/criu/namespaces.c b/criu/namespaces.c
index c976787d7..6b2a65f46 100644
--- a/criu/namespaces.c
+++ b/criu/namespaces.c
@@ -894,31 +894,34 @@ static int check_user_ns(struct ns_id *ns)
gid_t gid;
int i;
- uid = host_uid(0);
- gid = host_gid(0);
- if (uid == INVALID_ID || gid == INVALID_ID) {
- pr_err("Unable to convert uid or gid\n");
- return -1;
- }
-
if (prctl(PR_SET_KEEPCAPS, 1)) {
pr_perror("Unable to set PR_SET_KEEPCAPS");
return -1;
}
- if (setresgid(gid, gid, gid)) {
- pr_perror("Unable to set group ID");
- return -1;
- }
+ uid = host_uid(0);
+ gid = host_gid(0);
+ if (uid == INVALID_ID || gid == INVALID_ID) {
+ if (ns->type == NS_ROOT) {
+ pr_err("Unable to convert uid or gid\n");
+ return -1;
+ }
+ /* Child user_ns may do not have a mapping, it's OK */
+ } else {
+ if (setresgid(gid, gid, gid)) {
+ pr_perror("Unable to set group ID");
+ return -1;
+ }
- if (setgroups(0, NULL) < 0) {
- pr_perror("Unable to drop supplementary groups");
- return -1;
- }
+ if (setgroups(0, NULL) < 0) {
+ pr_perror("Unable to drop supplementary groups");
+ return -1;
+ }
- if (setresuid(uid, uid, uid)) {
- pr_perror("Unable to set user ID");
- return -1;
+ if (setresuid(uid, uid, uid)) {
+ pr_perror("Unable to set user ID");
+ return -1;
+ }
}
hdr.version = _LINUX_CAPABILITY_VERSION_3;
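Review bot: In the new `if (uid == INVALID_ID || gid == INVALID_ID)` branch a non-root namespace skips `setresgid()`, `setgroups()` and `setresuid()` altogether, so the process carries on to the capability setup below with whatever uid, gid and supplementary groups it already had, and nothing is logged. Because the test is an `||`, this also happens when only one of the two IDs is unmapped. `setgroups(0, NULL)` takes no mapped ID, so it could presumably stay unconditional, and a `pr_debug("No uid/gid mapping to NS_CRIU, keeping current credentials\n");` in the skip path would make the reduced check visible in logs. The branch keys on `ns->type == NS_ROOT` while the description speaks of NS_OTHER, so any other type that reaches this function takes the lenient path; the same applies to the `ns->type != NS_ROOT` test in the second hunk. check_user_ns() starts and ends outside this hunk.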
@@ -939,6 +942,8 @@ static int check_user_ns(struct ns_id *ns)
for (i = SERVICE_FD_MIN + 1; i < SERVICE_FD_MAX; i++)
close_service_fd(i);
+ if (ns->type != NS_ROOT)
+ exit(0);
/*
* Check that we are able to enter into other namespaces
* from the target userns namespace. This signs that these
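Review bot: The added `if (ns->type != NS_ROOT) exit(0);` ends the process with a success status before any of the namespace-entry checks described in the comment directly below it, and nothing at that spot says why a nested user namespace is exempt. A short comment above the test would help the next reader, for example `/* Only the root user_ns is checked for entering other namespaces; nested ones are done here */`. The function body continues outside the hunk.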