On Tue, 4 Apr 2023 11:46:34 +1000 David Gibson <david(a)gibson.dropbear.id.au> wrote:This allows you to run commands within a user namespace with the privilege that comes from owning that userns.
Signed-off-by: David Gibson <david(a)gibson.dropbear.id.au>
---
 test/nstool.c | 89 +++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 79 insertions(+), 10 deletions(-)
diff --git a/test/nstool.c b/test/nstool.c
index 25079aa..3ecc456 100644
--- a/test/nstool.c
+++ b/test/nstool.c
@@ -18,11 +18,15 @@
 #include <getopt.h>
 #include <stdarg.h>
 #include <fcntl.h>
+#include <limits.h>
+#include <unistd.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
+#include <sys/syscall.h>
+#include <sys/prctl.h>
 #include <linux/un.h>
-#include <linux/limits.h>
 #include <sched.h>
+#include <linux/capability.h>
 #define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0])))
@@ -75,11 +79,13 @@ static void usage(void)
 " nstool info [-pw] pid SOCK\n"
 " Print information about the nstool hold process with control\n"
 " socket at SOCK\n"
- " -p Print just the holder's PID as seen by the caller\n"
- " -w Retry connecting to SOCK until it is ready\n"
- " nstool exec SOCK [COMMAND [ARGS...]]\n"
+ " -p Print just the holder's PID as seen by the caller\n"
+ " -w Retry connecting to SOCK until it is ready\n"
+ " nstool exec [--keep-caps] SOCK [COMMAND [ARGS...]]\n"
 " Execute command or shell in the namespaces of the nstool hold\n"
 " with control socket at SOCK\n"
+ " --keep-caps Give all possible capabilities to COMMAND via\n"
+ " the ambient capability mask\n"
 " nstool stop SOCK\n"
 " Instruct the nstool hold with control socket at SOCK to\n"
 " terminate.\n");
@@ -275,7 +281,6 @@ static void cmd_info(int argc, char *argv[])
 } while (opt != -1);
 if (optind != argc - 1) {
- fprintf(stderr, "B\n");
 usage();
 }
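Review bot: The new `--keep-caps` help text in usage() says "Give all possible capabilities to COMMAND", which a reader may take to mean unrestricted host capabilities; the commit message scopes the privilege to what comes from owning the user namespace, so the help text should say that too. Something like `" --keep-caps Give COMMAND every capability the holder has in its\n"` followed by `" user namespace, via the ambient capability mask\n"` sets the expectation correctly and also tells the user that the grant survives execve into COMMAND and its children, which is the point of using the ambient set. Whether the raised set is in fact bounded by the holder's capabilities is something I infer from the description rather than from this hunk, since caps_to_ambient is only partly visible. usage() itself starts and ends outside the hunk.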
@@ -356,21 +361,82 @@ static void wait_for_child(pid_t pid)
 die("Unexpected status for child %d\n", pid);
 }
+static void caps_to_ambient(void)
+{
+ /* Use raw system calls to avoid the overly complex caps
+ * libraries. */
Bad indentation here. -- Stefano