From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from simark.ca by simark.ca with LMTP id iLjTG0pkSGg4mggAWB0awg (envelope-from ) for ; Tue, 10 Jun 2025 12:58:50 -0400 Authentication-Results: simark.ca; dkim=pass (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Cg4Eenal; dkim-atps=neutral Received: by simark.ca (Postfix, from userid 112) id 48DFE1E11C; Tue, 10 Jun 2025 12:58:50 -0400 (EDT) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on simark.ca X-Spam-Level: X-Spam-Status: No, score=-10.1 required=5.0 tests=ARC_SIGNED,ARC_VALID, BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_VALIDITY_CERTIFIED, RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE autolearn=ham autolearn_force=no version=4.0.1 Received: from server2.sourceware.org (server2.sourceware.org [8.43.85.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) by simark.ca (Postfix) with ESMTPS id 865E91E0C2 for ; Tue, 10 Jun 2025 12:58:48 -0400 (EDT) Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id F1A5A382D29E for ; Tue, 10 Jun 2025 16:58:47 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org F1A5A382D29E Authentication-Results: sourceware.org; dkim=pass (1024-bit key, unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Cg4Eenal Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by sourceware.org (Postfix) with ESMTP id 7014D384241C for ; Tue, 10 Jun 2025 16:58:05 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 7014D384241C Authentication-Results: sourceware.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=redhat.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 7014D384241C Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1749574685; cv=none; b=S+xotVa6uLbHhhDyLjceoMcB/6rH65gVgbTyEMRfh8rG6GV0+2ibgf1D5/WRcRIGsmd7KjMogSzsU13pZxyLWZc41wTCvWZSiKcYKxmsMSGgxULrnTi/IOUMO9U4tRVIA0fxrpzKr5JdPIGOKC2R5uJ1QrpET0imcDgN+eaaUFw= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1749574685; c=relaxed/simple; bh=Y4fN/E8DgRvgGi0y9KNJaHFTIQiVbFNSmdIlmlgNToI=; h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version; b=Za5N+nGLusI0m36P5wffzZHi1JuE2nha1xf7Q0DIucqJtigxA+N+EqEJqeoA522+QRPTlumj80UkYA8w1JHTA0PZK8o22dhuCMLG/jsFqZAzUi+lP0YRyvvhsCWQgnt+XiMwmhMSb6RosIA3Fx9O+fb6+K0RMv2bIyEFEkBbof0= ARC-Authentication-Results: i=1; server2.sourceware.org DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 7014D384241C DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1749574685; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2PwTCS1qmk/b7E9osBQ/3PYhTw3lSFk9ZKOsbAgScdQ=; b=Cg4Eenal3TDtJpgewaKYO4giFadJmVOnfTCF3UL5zzuI4pvAtf6XHSlFeQYWO+J4HzWUYN 6lOgDV36F+0YXAPBBUrzpQLJofb6I15YIKjG/JZcsC1cXohxTPyLmFaDvi91MdWkYHwKVe 8uzJW+aLgiOUh+pmQ/bqqPMe8kP9zlk= Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com [209.85.128.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-609-mXJBeBUrMy6cxcZsFUh_Ig-1; Tue, 10 Jun 2025 12:58:04 -0400 X-MC-Unique: mXJBeBUrMy6cxcZsFUh_Ig-1 X-Mimecast-MFC-AGG-ID: mXJBeBUrMy6cxcZsFUh_Ig_1749574683 Received: by mail-wm1-f72.google.com with SMTP id 5b1f17b1804b1-450d9f96f61so38358005e9.1 for ; Tue, 10 Jun 2025 09:58:03 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749574682; x=1750179482; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2PwTCS1qmk/b7E9osBQ/3PYhTw3lSFk9ZKOsbAgScdQ=; b=vB/OHMVpTljQ7g69jIc0R0q+K5b1BwzWWSVdEhgvM3lfMOZuuUpKWRLhY2qnH0Sdg4 8hb4tyT3dd+CAjflNPZutkbWMgTuuAND+Mz6WMEIQ9bnfkWCWSgRGJg6c0RWtIm3iYxO /9zwu9ktZxM29kawOz9vWIsnHibuOMGku4fjXM9xwRHGAB6R/GXMCeKTbrxtnHN5HfQa 89ICC0SCZmUfO/80ru2gUY+yBFj9cJYqSD+U4BuY277kQ75Y8WmXl9cLF5zK2JEeELp2 cHMim9/u4mq7laUhs/qardwN6IxGHc4mFWlhAMN5hS/+GoWZVNcx3xy03+3wEg33JDYR X47w== X-Gm-Message-State: AOJu0YzU+jl+F6TIwr37imP9jE3EGqKHsxB7Sliw8rxrtEWNuhVWdLwU A+cn8jEQOCGWqDTk8EOaf+EvhkNdc0YYG8wJC7h0iGlxp329HbvWJP18AX7hCk0KzE4CU9XzIu6 8tSn4WJz4pk4PsFeESNElDT0OWOgq4AvA/9wCniKdRim7Ojg3hRoFq0agbE7guuWzy3y40kBH2A DCSv77QqtIWtWPWXfe8qctAexpDs2JNXDEl1uwVkdrKoccj6I= X-Gm-Gg: ASbGncvgL0Q1Ikuj/Yk/bFzE9eZrBU5Z2mgGHBhDVpdeuhwWs4rXT77y3W94a90p8pg TzNy6tSlQpeiX+4uXA7iZUxmOdPt363iHQYVBFu5rjaGSQ01iIohyRO9kjzji0G5j9r8XiXN/wq pl4asxyFUwC4HrXUrAhJEFkT4eDQ9ShdbvdnBe+dOCXaU551SA+NV4uH5FNvR2ANOA8VJWhp948 A88Y6t1MyH8ELW91QpwTXmgDV8fWW6ACLBarq7AKtuEsoVgvE8/TTUFRPxNRCF8KXoCBXDWZ5D/ HCfxsgCQdOH4EwBPc0mimrxhGdWKHGuQwdgEWlFR/RVdPfQ= X-Received: by 2002:a05:600c:6994:b0:442:d9f2:c74e with SMTP id 5b1f17b1804b1-4531de8cab4mr32910215e9.23.1749574682382; Tue, 10 Jun 2025 09:58:02 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFok79lVLHa49SDkGF+EmMWcJc6u1jz+CI7vVyR5jWMm2y9Dg1e26yJ6PYmRFM4+qmu5cS5IQ== X-Received: by 2002:a05:600c:6994:b0:442:d9f2:c74e with SMTP id 5b1f17b1804b1-4531de8cab4mr32910015e9.23.1749574681789; Tue, 10 Jun 2025 09:58:01 -0700 (PDT) Received: from localhost (75.226.159.143.dyn.plus.net. [143.159.226.75]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4530b64b6b2sm88114235e9.13.2025.06.10.09.58.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Jun 2025 09:58:01 -0700 (PDT) From: Andrew Burgess To: gdb-patches@sourceware.org Cc: Benjamin Berg , Andrew Burgess Subject: [PATCH] gdb: linux-namespaces: enter user namespace when appropriate Date: Tue, 10 Jun 2025 17:57:58 +0100 Message-ID: X-Mailer: git-send-email 2.47.1 MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: CbFwyy4IzyfpDLTzz3lq9gnCCtZA2UbP8B8nwHgYVDo_1749574683 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit content-type: text/plain; charset="US-ASCII"; x-default=true X-BeenThere: gdb-patches@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Gdb-patches mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: gdb-patches-bounces~public-inbox=simark.ca@sourceware.org From: Benjamin Berg The use of user namespaces is required for normal users to use mount namespaces. Consider trying this as an unprivileged user: $ unshare --mount /bin/true unshare: unshare failed: Operation not permitted The problem here is that an unprivileged user doesn't have the required permissions to create a new mount namespace. If, instead, we do this: $ unshare --mount --map-root-user /bin/true then this will succeed. The new option causes unshare to create a user namespace in which the unprivileged user is mapped to UID/GID 0, and so gains all privileges (inside the namespace), the user is then able to create the mount namespace as required. So, how does this relate to GDB? When a user attaches to a process running in a separate mount namespace, GDB makes use of a separate helper process (see linux_mntns_get_helper in nat/linux-namespaces.c), which will then use the `setns` function to enter (or try to enter) the mount namespace of the process GDB is attaching too. The helper process will then handle file I/O requests received from GDB, and return the results back to GDB, this allows GDB to access files within the mount namespace. The problem here is that, switching to a mount namespace requires that a process hold CAP_SYS_CHROOT and CAP_SYS_ADMIN capabilities within its user namespace (actually it's a little more complex, see 'man 2 setns'). Assuming GDB is running as an unprivileged user, then GDB will not have the required permissions. However, if GDB enters the user namespace that the `unshare` process created, then the current user will be mapped to UID/GID 0, and will have the required permissions. And so, this patch extends linux_mntns_access_fs (in nat/linux-namespace.c) to first try and switch to the user namespace of the inferior before trying to switch to the mount namespace. If the inferior does have a user namespace, and does have elevated privileges within that namespace, then this first switch by GDB will mean that the second step, into the mount namespace, will succeed. If there is no user namespace, or the inferior doesn't have elevated privileges within the user namespace, then the switch into the mount namespace will fail, just as it currently does, and the user will need to give elevated privileges to GDB via some other mechanism (e.g. run as root). This work was originally posted here: https://inbox.sourceware.org/gdb-patches/20230321120126.1418012-1-benjamin@sipsolutions.net I (Andrew Burgess) have made some cleanups to the code to comply with GDB's coding standard, and the test is entirely mine. This commit message is also entirely mine -- the original message was very terse and required the reader to understand how the various namespaces work and interact. The above is my attempt to document what I now understand about the problem being fixed. I've left the original author in place as the core of the GDB change itself is largely as originally presented, but any inaccuracies in the commit message, or problems with the test, are all mine. Co-Authored-by: Andrew Burgess --- gdb/nat/linux-namespaces.c | 24 +++- .../gdb.base/user-namespace-attach.c | 35 +++++ .../gdb.base/user-namespace-attach.exp | 130 ++++++++++++++++++ 3 files changed, 188 insertions(+), 1 deletion(-) create mode 100644 gdb/testsuite/gdb.base/user-namespace-attach.c create mode 100644 gdb/testsuite/gdb.base/user-namespace-attach.exp diff --git a/gdb/nat/linux-namespaces.c b/gdb/nat/linux-namespaces.c index ea94fddcffa..f8afd75fe92 100644 --- a/gdb/nat/linux-namespaces.c +++ b/gdb/nat/linux-namespaces.c @@ -884,7 +884,7 @@ linux_mntns_access_fs (pid_t pid) struct stat sb; struct linux_mnsh *helper; ssize_t size; - int fd; + int fd, fd_user = -1; if (pid == getpid ()) return MNSH_FS_DIRECT; @@ -901,6 +901,8 @@ linux_mntns_access_fs (pid_t pid) { int save_errno = errno; close (fd); + if (fd_user >= 0) + close (fd_user); errno = save_errno; }; @@ -910,6 +912,13 @@ linux_mntns_access_fs (pid_t pid) if (sb.st_ino == ns->id) return MNSH_FS_DIRECT; + struct linux_ns *ns_user = linux_ns_get_namespace (LINUX_NS_USER); + if (ns_user != nullptr) + { + const char *ns_filename = linux_ns_filename (ns_user, pid); + fd_user = gdb_open_cloexec (ns_filename, O_RDONLY, 0).release (); + } + helper = linux_mntns_get_helper (); if (helper == NULL) return MNSH_FS_ERROR; @@ -918,6 +927,19 @@ linux_mntns_access_fs (pid_t pid) { int result, error; + /* Try to enter the user namespace first. The current user might + have elevated privileges within the user namespace, which would + then allow the attempt to enter the mount namespace to succeed. */ + if (fd_user >= 0) + { + size = mnsh_send_setns (helper, fd_user, 0); + if (size < 0) + return MNSH_FS_ERROR; + + if (mnsh_recv_int (helper, &result, &error) != 0) + return MNSH_FS_ERROR; + } + size = mnsh_send_setns (helper, fd, 0); if (size < 0) return MNSH_FS_ERROR; diff --git a/gdb/testsuite/gdb.base/user-namespace-attach.c b/gdb/testsuite/gdb.base/user-namespace-attach.c new file mode 100644 index 00000000000..684ce1cfc66 --- /dev/null +++ b/gdb/testsuite/gdb.base/user-namespace-attach.c @@ -0,0 +1,35 @@ +/* This testcase is part of GDB, the GNU debugger. + + Copyright 2025 Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . */ + +#include +#include +#include + +volatile int spin_p = 1; + +int +main () +{ + alarm (60); + + printf ("pid = %lld\n", ((long long) getpid ())); + + while (spin_p) + sleep (1); + + return 0; +} diff --git a/gdb/testsuite/gdb.base/user-namespace-attach.exp b/gdb/testsuite/gdb.base/user-namespace-attach.exp new file mode 100644 index 00000000000..b817d74375a --- /dev/null +++ b/gdb/testsuite/gdb.base/user-namespace-attach.exp @@ -0,0 +1,130 @@ +# Copyright 2025 Free Software Foundation, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Check that GDB can attach to a process started using 'unshare'. The +# inferior is started in a separate mnt namespace. + +require can_spawn_for_attach + +standard_testfile + +if {[prepare_for_testing "failed to prepare" $testfile $srcfile] == -1} { + return +} + +# This test relies (at least in some parts) on the sysroot being +# 'target:'. Grab the current sysroot now so we can skip those tests +# if the board file has changed the sysroot. +set sysroot "" +set test "show sysroot" +gdb_test_multiple $test $test { + -re -wrap "The current system root is \"(.*)\"\\." { + set sysroot $expect_out(1,string) + } +} + +# Start a process using 'unshare FLAGS', then attach to the process +# from GDB. Check that the attach worked as expected. +proc run_test { flags } { + + # If FLAGS contains '--mount' then a separate mnt namespace will + # be created, in which case the executable will have been read + # from the 'target:'. Otherwise, the executable will have been + # read from the local filesystem, and there will be no prefix. + # + # Of course, this only applies if the sysroot is 'target:', some + # boards change this, so skip these tests on those boards. + if { [lsearch -exact [split $flags " "] "--mount"] != -1 } { + if { $::sysroot ne "target:" } { + return + } + + set prefix "target:" + } else { + set prefix "" + } + + + + set inferior_spawn_id \ + [spawn_wait_for_attach [list "unshare $flags $::binfile"]] + if { $inferior_spawn_id == -1 } { + unsupported "failed to spawn for attach" + return + } + + set inferior_pid [spawn_id_get_pid $inferior_spawn_id] + + clean_restart + + set saw_bad_warning false + gdb_test_multiple "attach $inferior_pid" "attach to inferior" { + -re "^attach $::decimal\r\n" { + exp_continue + } + + -re "^warning: \[^\r\n\]+: could not open as an executable file: \[^\r\n\]+\r\n" { + set saw_bad_warning true + exp_continue + } + + -re "^warning: \[^\r\n\]+: can't open to read symbols: \[^\r\n\]+\r\n" { + set saw_bad_warning true + exp_continue + } + + -re "^warning: Could not load vsyscall page because no executable was specified\r\n" { + # This warning is a secondary consequence of the above bad + # warnings, so don't count this as a bad warnings, ignore + # it instead. + exp_continue + } + + -re "^warning: \[^\r\n\]+\r\n" { + # If we ignore "other" warnings then, should the above + # warnings strings change we'll start ignoring the bad + # warnings, and the test will appear to pass. + # + # If you are seeing a warning here that really has nothing + # to do with the test failing, then the correct solution + # is to add a new regexp to specifically match _that_ + # warning, and ignore it. + set saw_bad_warning true + exp_continue + } + + -re "^$::gdb_prompt $" { + gdb_assert { !$saw_bad_warning } $gdb_test_name + } + + -re "^\[^\r\n\]*\r\n" { + exp_continue + } + } + + # Ensure GDB could access the executable. + set binfile_re [string_to_regexp $::binfile] + gdb_test "info inferiors" \ + "\r\n\\*\\s+$::decimal\\s+\[^\r\n\]+\\s+${prefix}${binfile_re}\\s*" +} + +set test_flags [list \ + "--mount --map-root-user" \ + "--user" \ + "--user --map-root-user"] + +foreach_with_prefix flags $test_flags { + run_test $flags +} base-commit: 3f8fc746d6bd837c082a41cbc37a2f8ec2325bf2 -- 2.47.1