libcontainer/system: move userns utilities to separate package

thaJeztah · thaJeztah · commit ab29593e7b03 · 2021-04-04T22:42:03.000+02:00
Moving these utilities to a separate package, so that consumers of this package don't have to pull in the whole "system" package. Looking at uses of these utilities (outside of runc itself); `RunningInUserNS()` is used by [various external consumers][1], so adding a "Deprecated" alias for this. [1]: https://grep.app/search?current=2&q=.RunningInUserNS Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diff --git a/user/userns/userns.go b/user/userns/userns.go
@@ -0,0 +1,5 @@
+package userns
+
+// RunningInUserNS detects whether we are currently running in a user namespace.
+// Originally copied from github.com/lxc/lxd/shared/util.go
+var RunningInUserNS = runningInUserNS
diff --git a/user/userns/userns_fuzzer.go b/user/userns/userns_fuzzer.go
@@ -0,0 +1,15 @@
+// +build gofuzz
+
+package userns
+
+import (
+	"strings"
+
+	"github.com/opencontainers/runc/libcontainer/user"
+)
+
+func FuzzUIDMap(data []byte) int {
+	uidmap, _ := user.ParseIDMap(strings.NewReader(string(data)))
+	_ = uidMapInUserNS(uidmap)
+	return 1
+}
diff --git a/user/userns/userns_linux.go b/user/userns/userns_linux.go
@@ -0,0 +1,37 @@
+package userns
+
+import (
+	"sync"
+
+	"github.com/opencontainers/runc/libcontainer/user"
+)
+
+var (
+	inUserNS bool
+	nsOnce   sync.Once
+)
+
+// runningInUserNS detects whether we are currently running in a user namespace.
+// Originally copied from github.com/lxc/lxd/shared/util.go
+func runningInUserNS() bool {
+	nsOnce.Do(func() {
+		uidmap, err := user.CurrentProcessUIDMap()
+		if err != nil {
+			// This kernel-provided file only exists if user namespaces are supported
+			return
+		}
+		inUserNS = uidMapInUserNS(uidmap)
+	})
+	return inUserNS
+}
+
+func uidMapInUserNS(uidmap []user.IDMap) bool {
+	/*
+	 * We assume we are in the initial user namespace if we have a full
+	 * range - 4294967295 uids starting at uid 0.
+	 */
+	if len(uidmap) == 1 && uidmap[0].ID == 0 && uidmap[0].ParentID == 0 && uidmap[0].Count == 4294967295 {
+		return false
+	}
+	return true
+}
diff --git a/user/userns/userns_linux_test.go b/user/userns/userns_linux_test.go
@@ -0,0 +1,45 @@
+// +build linux
+
+package userns
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/opencontainers/runc/libcontainer/user"
+)
+
+func TestUIDMapInUserNS(t *testing.T) {
+	cases := []struct {
+		s        string
+		expected bool
+	}{
+		{
+			s:        "         0          0 4294967295\n",
+			expected: false,
+		},
+		{
+			s:        "         0          0          1\n",
+			expected: true,
+		},
+		{
+			s:        "         0       1001          1\n         1     231072      65536\n",
+			expected: true,
+		},
+		{
+			// file exist but empty (the initial state when userns is created. see man 7 user_namespaces)
+			s:        "",
+			expected: true,
+		},
+	}
+	for _, c := range cases {
+		uidmap, err := user.ParseIDMap(strings.NewReader(c.s))
+		if err != nil {
+			t.Fatal(err)
+		}
+		actual := uidMapInUserNS(uidmap)
+		if c.expected != actual {
+			t.Fatalf("expected %v, got %v for %q", c.expected, actual, c.s)
+		}
+	}
+}
diff --git a/user/userns/userns_unsupported.go b/user/userns/userns_unsupported.go
@@ -0,0 +1,17 @@
+// +build !linux
+
+package userns
+
+import "github.com/opencontainers/runc/libcontainer/user"
+
+// runningInUserNS is a stub for non-Linux systems
+// Always returns false
+func runningInUserNS() bool {
+	return false
+}
+
+// uidMapInUserNS is a stub for non-Linux systems
+// Always returns false
+func uidMapInUserNS(uidmap []user.IDMap) bool {
+	return false
+}
