support_become_root: Don't fail when /proc/<pid/setgroups is missing

The requirement to write "deny" to /proc/<pid>/setgroups for a given user namespace before being able to write a gid mapping was introduced in Linux 3.19. Before that this requirement including the file did not exist. So don't fail when errno == ENOENT.
2024-11-08 14:20:07 +00:00 · 2017-11-18 16:22:01 +01:00 · 2017-11-18 16:22:01 +01:00 · ea69a5c874
commit ea69a5c874
parent 8db7f48cb7
2 changed files with 21 additions and 5 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+2017-11-18  Christian Brauner <christian.brauner@ubuntu.com>
+
+	* support/support_become_root.c (setup_uid_gid_mapping): Don't fail
+	when /proc/<pid>/setgroups does not exist.
+
 2017-11-18  Florian Weimer  <fweimer@redhat.com>

 	* sysdeps/unix/sysv/linux/tst-ttyname.c
--- a/support/support_become_root.c
+++ b/support/support_become_root.c
@ -18,6 +18,7 @@

 #include <support/namespace.h>

+#include <errno.h>
 #include <fcntl.h>
 #include <sched.h>
 #include <stdio.h>
@ -50,11 +51,21 @@ setup_uid_gid_mapping (uid_t original_uid, gid_t original_gid)
  xwrite (fd, buf, ret);
  xclose (fd);

-  /* Disable setgroups before mapping groups, otherwise that would
-     fail with EPERM.  */
-  fd = xopen ("/proc/self/setgroups", O_WRONLY, 0);
-  xwrite (fd, "deny\n", strlen ("deny\n"));
-  xclose (fd);
+  /* Linux 3.19 introduced the setgroups file.  We need write "deny" to this
+   * file otherwise writing to gid_map will fail with EPERM.  */
+  fd = open64 ("/proc/self/setgroups", O_WRONLY, 0);
+  if (fd < 0)
+    {
+      if (errno != ENOENT)
+        FAIL_EXIT1 ("open64 (\"/proc/self/setgroups\", 0x%x, 0%o): %m",
+                    O_WRONLY, 0);
+      /* This kernel doesn't expose the setgroups file so simply move on.  */
+    }
+  else
+    {
+      xwrite (fd, "deny\n", strlen ("deny\n"));
+      xclose (fd);
+    }

  /* Now map our own GID, like we did for the user ID.  */
  fd = xopen ("/proc/self/gid_map", O_WRONLY, 0);