pidjail/main.c

// we need this so sched.h exports unshare and CLONE_*
#define _GNU_SOURCE
#include <sched.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <signal.h>

pid_t pid_child;

void fatal(const char* str, int errcode)
{
  printf("%s (%d)\n", str, errcode);
  exit(errcode);
}

void drop_root(void)
{
  /// Drop root privileges
  // First group then user because we might not
  // be able to drop group once we dropped user
  gid_t gid = getgid();
  if (setresgid(-1,gid,gid) == -1)
    fatal("Failed to drop root privileges with setresgid", errno);

  uid_t uid = getuid();
  if (setresuid(-1,uid,uid) == -1)
    fatal("Failed to drop root privileges with setresuid", errno);

  // sanity check
  if (seteuid(0) != -1)
    fatal("Sanity check failed. Able to regain root", 42);
}

struct sigaction forward_signal_descriptor;
void forward_signal(int sig)
{
  if (kill(pid_child, sig) == -1)
    {
      if (sig == SIGTERM)
        exit(1);
    }
}

char** argdup(int argc, const char** argv)
{
  char** newargs = malloc(sizeof(char*) * (argc+1));
  for (size_t i = 0; i < argc; i++)
    {
      newargs[i] = strdup(argv[i]);
    }
  newargs[argc] = NULL;
  return newargs;
}

int main(int argc, const char** argv)
{
  int err;

  forward_signal_descriptor.sa_flags = SA_RESTART;
  forward_signal_descriptor.sa_handler = &forward_signal;

  if (argc == 1)
    {
      fprintf(stderr,"Usage: %s PROGRAM ARGUMENTS...\n"
              "Run command within its own pid namespace. Integrated init process.\n",
              argv[0]);
      return 0;
    }

  // next fork shall be in a new pid namespace
  if (unshare(CLONE_NEWPID) != 0)
    {
      fatal("Failed to unshare pid namespace", errno);
    }

  // Drop root privileges, we only needed those for the unshare call.
  drop_root();

  pid_t pid = fork();

  if (pid == -1)
    {
      fatal("Failed to fork", errno);
    }

  if (pid != 0)
    {
      /// Head process
      // Wait for the init process in the PID namespace to terminate and forward its exit code.
      // Also forward SIGTERM signals towards that init process.

      // Setup signal handler to forward SIGTERM
      pid_child = pid;
      if (sigaction(SIGTERM, &forward_signal_descriptor, NULL) == -1)
        {
          printf("Unable to setup signal handler in head\n");
        }
      // parent waits for child then exits
      // Could be interrupt due to a signal. Retry in that case.
      int status;
      if (waitpid(pid, &status, 0) == -1)
        {
          fatal("Failed to wait for init process", errno);
        }

      return WEXITSTATUS(status);
    }
  else
    {
      // Child should be in new pid namespace and
      // functions as the the init process
      // it needs to fork again then wait for any child.
      // if the forked child exits then exit.

      pid = fork();
      if (pid == -1)
        {
          fatal("Failed to fork in init process", errno);
        }

      if (pid != 0)
        {
          /// Init process
          // This part of the program runs as first process in the pid namespace
          // When this terminates then Linux terminates all remaining processes
          // in the PID namespace. As we want this to happen when our first child
          // terminates, we wait for our first child to terminate before terminating
          // ourselves.
          // As first process in the PID namespace, this also functions as adopting parent
          // for orphaned processes in the PID namespace and therefore has to wait for
          // any child process and then check if the a child process that has terminated
          // is the one we were waiting for.

          pid_t first_child = pid;
          pid_t exited_child;
          int child_status;

          // Setup forward for SIGTERM
          pid_child = first_child;
          if (sigaction(SIGTERM, &forward_signal_descriptor, NULL) == -1)
            {
              fatal("Unable to setup signal forward in init", 1);
            }

          // wait could be interrupt due to a signal. In that case just call wait again.
          do {
            exited_child = wait(&child_status);
            err = errno;
          } while (!(exited_child == first_child || (exited_child == -1 && err == ECHILD)));

          if (exited_child == -1)
            {
              return err;
            }
          else
            {
              int exit_code = WEXITSTATUS(child_status);
              return exit_code;
            }
        }
      else
        {
          // First child of init process. do exec here
          // use cli arguments for subprocess. skip 0 as it's our programs name.

          char** newargs = argdup(argc-1, &argv[1]);

          if (execvp(newargs[0], newargs) == -1)
            {
              fatal("Failed to exec", errno);
            }
        }
    }
}
Initial version 2021-01-06 04:42:04 +01:00			`// we need this so sched.h exports unshare and CLONE_*`
			`#define _GNU_SOURCE`
			`#include <sched.h>`
			`#include <errno.h>`
			`#include <stdio.h>`
			`#include <stdlib.h>`
			`#include <string.h>`
			`#include <sys/types.h>`
			`#include <sys/wait.h>`
			`#include <unistd.h>`
Add signal handler for SIGTERM When the head process receives a SIGTERM we have to forward that to the init process, which in turn has to forward it to the executed process which is jailed. That process can then decide to exit, which also terminates the init and head process through SIGCHILD/wait means. 2021-01-12 19:51:05 +01:00			`#include <signal.h>`

			`pid_t pid_child;`
Initial version 2021-01-06 04:42:04 +01:00
Replace redundent error handling 2021-01-15 20:22:22 +01:00			`void fatal(const char* str, int errcode)`
			`{`
			`printf("%s (%d)\n", str, errcode);`
			`exit(errcode);`
			`}`

Clean up code style 2021-01-15 20:22:22 +01:00			`void drop_root(void)`
			`{`
Drop group rights first We might not be able to drop group rights after dropping user rights so do group rights first. 2021-01-15 20:22:22 +01:00			`/// Drop root privileges`
			`// First group then user because we might not`
			`// be able to drop group once we dropped user`
			`gid_t gid = getgid();`
			`if (setresgid(-1,gid,gid) == -1)`
Replace redundent error handling 2021-01-15 20:22:22 +01:00			`fatal("Failed to drop root privileges with setresgid", errno);`
Drop root privileges earlier We don't need the root privileges after we unshare and the first fork. Therefor we can drop those for safety reasons. 2021-01-12 19:50:07 +01:00
Drop group rights first We might not be able to drop group rights after dropping user rights so do group rights first. 2021-01-15 20:22:22 +01:00			`uid_t uid = getuid();`
			`if (setresuid(-1,uid,uid) == -1)`
Replace redundent error handling 2021-01-15 20:22:22 +01:00			`fatal("Failed to drop root privileges with setresuid", errno);`
Add sanity check As a sanity check whether we're able to regain root after dropping it. If we are able to, then something went wrong. 2021-01-15 20:22:22 +01:00
			`// sanity check`
Clean up code style 2021-01-15 20:22:22 +01:00			`if (seteuid(0) != -1)`
Replace redundent error handling 2021-01-15 20:22:22 +01:00			`fatal("Sanity check failed. Able to regain root", 42);`
Drop root privileges earlier We don't need the root privileges after we unshare and the first fork. Therefor we can drop those for safety reasons. 2021-01-12 19:50:07 +01:00			`}`
Initial version 2021-01-06 04:42:04 +01:00
Use sigaction instead of signal This way we don't have to handle EINTR. 2021-01-15 20:22:22 +01:00			`struct sigaction forward_signal_descriptor;`
Add signal handler for SIGTERM When the head process receives a SIGTERM we have to forward that to the init process, which in turn has to forward it to the executed process which is jailed. That process can then decide to exit, which also terminates the init and head process through SIGCHILD/wait means. 2021-01-12 19:51:05 +01:00			`void forward_signal(int sig)`
			`{`
Clean up code style 2021-01-15 20:22:22 +01:00			`if (kill(pid_child, sig) == -1)`
			`{`
			`if (sig == SIGTERM)`
			`exit(1);`
			`}`
Add signal handler for SIGTERM When the head process receives a SIGTERM we have to forward that to the init process, which in turn has to forward it to the executed process which is jailed. That process can then decide to exit, which also terminates the init and head process through SIGCHILD/wait means. 2021-01-12 19:51:05 +01:00			`}`

Initial version 2021-01-06 04:42:04 +01:00			`char argdup(int argc, const char argv)`
			`{`
			`char** newargs = malloc(sizeof(char) (argc+1));`
Clean up code style 2021-01-15 20:22:22 +01:00			`for (size_t i = 0; i < argc; i++)`
Initial version 2021-01-06 04:42:04 +01:00			`{`
			`newargs[i] = strdup(argv[i]);`
			`}`
			`newargs[argc] = NULL;`
			`return newargs;`
			`}`

			`int main(int argc, const char** argv)`
			`{`
Merge all the various definitions of the err variable 2021-01-15 20:22:22 +01:00			`int err;`
Use sigaction instead of signal This way we don't have to handle EINTR. 2021-01-15 20:22:22 +01:00
			`forward_signal_descriptor.sa_flags = SA_RESTART;`
			`forward_signal_descriptor.sa_handler = &forward_signal;`

Clean up code style 2021-01-15 20:22:22 +01:00			`if (argc == 1)`
			`{`
Usage on stderr 2021-01-15 20:22:22 +01:00			`fprintf(stderr,"Usage: %s PROGRAM ARGUMENTS...\n"`
			`"Run command within its own pid namespace. Integrated init process.\n",`
			`argv[0]);`
Clean up code style 2021-01-15 20:22:22 +01:00			`return 0;`
			`}`
Initial version 2021-01-06 04:42:04 +01:00
			`// next fork shall be in a new pid namespace`
			`if (unshare(CLONE_NEWPID) != 0)`
			`{`
Replace redundent error handling 2021-01-15 20:22:22 +01:00			`fatal("Failed to unshare pid namespace", errno);`
Initial version 2021-01-06 04:42:04 +01:00			`}`

Drop root after unshare. Apparently only the unshare call needs root. The fork which results in a new PID namespace does not. 2021-01-15 20:22:22 +01:00			`// Drop root privileges, we only needed those for the unshare call.`
			`drop_root();`

Initial version 2021-01-06 04:42:04 +01:00			`pid_t pid = fork();`

			`if (pid == -1)`
			`{`
Replace redundent error handling 2021-01-15 20:22:22 +01:00			`fatal("Failed to fork", errno);`
Initial version 2021-01-06 04:42:04 +01:00			`}`

			`if (pid != 0)`
			`{`
More explanation 2021-01-15 20:22:22 +01:00			`/// Head process`
			`// Wait for the init process in the PID namespace to terminate and forward its exit code.`
			`// Also forward SIGTERM signals towards that init process.`
Add signal handler for SIGTERM When the head process receives a SIGTERM we have to forward that to the init process, which in turn has to forward it to the executed process which is jailed. That process can then decide to exit, which also terminates the init and head process through SIGCHILD/wait means. 2021-01-12 19:51:05 +01:00
			`// Setup signal handler to forward SIGTERM`
			`pid_child = pid;`
Use sigaction instead of signal This way we don't have to handle EINTR. 2021-01-15 20:22:22 +01:00			`if (sigaction(SIGTERM, &forward_signal_descriptor, NULL) == -1)`
Clean up code style 2021-01-15 20:22:22 +01:00			`{`
			`printf("Unable to setup signal handler in head\n");`
			`}`
Initial version 2021-01-06 04:42:04 +01:00			`// parent waits for child then exits`
Handle EINTR error code for wait and waitpid 2021-01-15 20:22:22 +01:00			`// Could be interrupt due to a signal. Retry in that case.`
Initial version 2021-01-06 04:42:04 +01:00			`int status;`
Use sigaction instead of signal This way we don't have to handle EINTR. 2021-01-15 20:22:22 +01:00			`if (waitpid(pid, &status, 0) == -1)`
Initial version 2021-01-06 04:42:04 +01:00			`{`
Replace redundent error handling 2021-01-15 20:22:22 +01:00			`fatal("Failed to wait for init process", errno);`
Initial version 2021-01-06 04:42:04 +01:00			`}`

			`return WEXITSTATUS(status);`
			`}`
			`else`
			`{`
			`// Child should be in new pid namespace and`
			`// functions as the the init process`
			`// it needs to fork again then wait for any child.`
			`// if the forked child exits then exit.`

			`pid = fork();`
Replace redundent error handling 2021-01-15 20:22:22 +01:00			`if (pid == -1)`
			`{`
			`fatal("Failed to fork in init process", errno);`
			`}`

Initial version 2021-01-06 04:42:04 +01:00			`if (pid != 0)`
			`{`
More explanation 2021-01-15 20:22:22 +01:00			`/// Init process`
			`// This part of the program runs as first process in the pid namespace`
			`// When this terminates then Linux terminates all remaining processes`
			`// in the PID namespace. As we want this to happen when our first child`
			`// terminates, we wait for our first child to terminate before terminating`
			`// ourselves.`
			`// As first process in the PID namespace, this also functions as adopting parent`
			`// for orphaned processes in the PID namespace and therefore has to wait for`
			`// any child process and then check if the a child process that has terminated`
			`// is the one we were waiting for.`

Initial version 2021-01-06 04:42:04 +01:00			`pid_t first_child = pid;`
			`pid_t exited_child;`
			`int child_status;`
Add signal handler for SIGTERM When the head process receives a SIGTERM we have to forward that to the init process, which in turn has to forward it to the executed process which is jailed. That process can then decide to exit, which also terminates the init and head process through SIGCHILD/wait means. 2021-01-12 19:51:05 +01:00
			`// Setup forward for SIGTERM`
			`pid_child = first_child;`
Use sigaction instead of signal This way we don't have to handle EINTR. 2021-01-15 20:22:22 +01:00			`if (sigaction(SIGTERM, &forward_signal_descriptor, NULL) == -1)`
Clean up code style 2021-01-15 20:22:22 +01:00			`{`
Replace redundent error handling 2021-01-15 20:22:22 +01:00			`fatal("Unable to setup signal forward in init", 1);`
Clean up code style 2021-01-15 20:22:22 +01:00			`}`
Add signal handler for SIGTERM When the head process receives a SIGTERM we have to forward that to the init process, which in turn has to forward it to the executed process which is jailed. That process can then decide to exit, which also terminates the init and head process through SIGCHILD/wait means. 2021-01-12 19:51:05 +01:00
Handle EINTR error code for wait and waitpid 2021-01-15 20:22:22 +01:00			`// wait could be interrupt due to a signal. In that case just call wait again.`
Initial version 2021-01-06 04:42:04 +01:00			`do {`
			`exited_child = wait(&child_status);`
			`err = errno;`
Use sigaction instead of signal This way we don't have to handle EINTR. 2021-01-15 20:22:22 +01:00			`} while (!(exited_child == first_child \|\| (exited_child == -1 && err == ECHILD)));`
Initial version 2021-01-06 04:42:04 +01:00
			`if (exited_child == -1)`
			`{`
			`return err;`
			`}`
			`else`
			`{`
			`int exit_code = WEXITSTATUS(child_status);`
			`return exit_code;`
			`}`
			`}`
			`else`
			`{`
			`// First child of init process. do exec here`
			`// use cli arguments for subprocess. skip 0 as it's our programs name.`

			`char** newargs = argdup(argc-1, &argv[1]);`

Use execvp instead execv execvp resolves the executable location using PATH 2021-01-12 13:24:08 +01:00			`if (execvp(newargs[0], newargs) == -1)`
Initial version 2021-01-06 04:42:04 +01:00			`{`
Replace redundent error handling 2021-01-15 20:22:22 +01:00			`fatal("Failed to exec", errno);`
Initial version 2021-01-06 04:42:04 +01:00			`}`
			`}`
			`}`
			`}`