Only allow the intended types of namespaces to be joined via setns() as a defensive measure.

Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com>
---
 conf.c  | 4 ++--
 pasta.c | 6 ++++--
 util.c  | 4 ++--
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/conf.c b/conf.c
index ab91b7f..6810144 100644
--- a/conf.c
+++ b/conf.c
@@ -347,8 +347,8 @@ static int conf_ns_check(void *arg)
 {
 	struct ctx *c = (struct ctx *)arg;
 
-	if ((!c->netns_only && setns(c->pasta_userns_fd, 0)) ||
-	    setns(c->pasta_netns_fd, 0))
+	if ((!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER)) ||
+	    setns(c->pasta_netns_fd, CLONE_NEWNET))
 		c->pasta_userns_fd = c->pasta_netns_fd = -1;
 
 	return 0;
diff --git a/pasta.c b/pasta.c
index a2b842b..bcc1261 100644
--- a/pasta.c
+++ b/pasta.c
@@ -148,13 +148,15 @@ static int pasta_wait_for_ns(void *arg)
 	snprintf(ns, PATH_MAX, "/proc/%i/ns/user", pasta_child_pid);
 	do
 		while ((c->pasta_userns_fd = open(ns, O_RDONLY)) < 0);
-	while (setns(c->pasta_userns_fd, 0) && !close(c->pasta_userns_fd));
+	while (setns(c->pasta_userns_fd, CLONE_NEWUSER) &&
+	       !close(c->pasta_userns_fd));
 
 netns:
 	snprintf(ns, PATH_MAX, "/proc/%i/ns/net", pasta_child_pid);
 	do
 		while ((c->pasta_netns_fd = open(ns, O_RDONLY)) < 0);
-	while (setns(c->pasta_netns_fd, 0) && !close(c->pasta_netns_fd));
+	while (setns(c->pasta_netns_fd, CLONE_NEWNET) &&
+	       !close(c->pasta_netns_fd));
 
 	return 0;
 }
diff --git a/util.c b/util.c
index d172ad8..7a3ea51 100644
--- a/util.c
+++ b/util.c
@@ -469,10 +469,10 @@ void procfs_scan_listen(char *name, uint8_t *map, uint8_t *exclude)
  */
 int ns_enter(struct ctx *c)
 {
-	if (!c->netns_only && setns(c->pasta_userns_fd, 0))
+	if (!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER))
 		return -errno;
 
-	if (setns(c->pasta_netns_fd, 0))
+	if (setns(c->pasta_netns_fd, CLONE_NEWNET))
 		return -errno;
 
 	return 0;
-- 
2.33.0
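Review bot: When either setns() in the rewritten condition of conf_ns_check fails, both descriptors are overwritten with -1 without being close()d, so the namespace fds are dropped rather than released; the function then returns 0 unconditionally, so the caller presumably has to inspect the fds to learn about the failure. If conf_ns_check runs as a clone() callback sharing the parent's file table (its `void *arg` signature suggests that, but the call site is outside the hunk), those descriptors stay open in the parent with no handle left to close them, and errno is not recorded, so EINVAL (wrong namespace type, which is exactly what the new nstype arguments now detect) cannot be told apart from EPERM. I would close before invalidating, `if (!c->netns_only) close(c->pasta_userns_fd); close(c->pasta_netns_fd);`, immediately before the existing `= -1` assignment, and state the contract above the function: `/* On setns() failure both fds are reset to -1; the caller checks them, the return value is always 0 */`.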
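Review bot: With an explicit nstype, setns() now fails deterministically with EINVAL whenever the descriptor is not of the requested namespace type, yet the rewritten `while (setns(...) && !close(...))` loops in pasta_wait_for_ns still treat every failure as transient, so a permanent error (EPERM, or a descriptor that is not a user/net namespace) becomes an unbounded busy loop with no sleep and no retry cap. Presumably the loop relies on EINVAL from setns() as its "child has not unshared yet" signal, since `/proc/<pid>/ns/user` names the caller's own namespace until then and joining one's own user namespace is rejected with EINVAL per setns(2), so EINVAL cannot simply abort; anything else from setns(), and any open() error other than ENOENT, can, and a short nanosleep() between attempts would stop the loop from pinning a core. Note also that when close() fails the current loop exits holding a descriptor on which setns() just failed, and the function still returns 0 on that path. The sketch below shows the user-namespace loop with a `fail:` path that closes whatever is open, resets the fds to -1 and returns, to be added at the end of the function (nanosleep() needs `<time.h>`, which I cannot see here); the function starts before this hunk and `ns` and `pasta_child_pid` are declared outside it.
```c
	snprintf(ns, PATH_MAX, "/proc/%i/ns/user", pasta_child_pid);
	for (;;) {
		/* ENOENT: the child has not been spawned yet; anything else is final */
		while ((c->pasta_userns_fd = open(ns, O_RDONLY)) < 0) {
			if (errno != ENOENT)
				goto fail;
			nanosleep(&(struct timespec){ .tv_nsec = 100000 }, NULL);
		}
		if (!setns(c->pasta_userns_fd, CLONE_NEWUSER))
			break;
		/* EINVAL: presumably the child has not unshare()d yet, retry */
		if (errno != EINVAL || close(c->pasta_userns_fd))
			goto fail;
		nanosleep(&(struct timespec){ .tv_nsec = 100000 }, NULL);
	}
	/* … unchanged: netns: label and network-namespace loop, same treatment … */
```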
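Review bot: ns_enter has no rollback between its two steps: if `setns(c->pasta_userns_fd, CLONE_NEWUSER)` succeeds and `setns(c->pasta_netns_fd, CLONE_NEWNET)` then fails, the caller receives -errno but is left in the target user namespace with its original network namespace, and nothing in the return value says which step failed. Two distinct causes now collapse into the same EINVAL, a descriptor of the wrong namespace type (what the new nstype arguments detect) and a multithreaded caller, which setns(2) refuses for user namespaces, so the caller cannot diagnose the mixed state from errno alone. Either spell this out in the doc comment whose closing ` */` is the first context line of the hunk, `* Return: 0 on success, -errno on failure; on failure the caller may already have joined the user namespace and must not assume it is still in its original one`, or, if a descriptor for the original namespaces is kept somewhere (none is visible here), restore it before returning. The doc comment preceding ns_enter starts outside the hunk.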