-rwxr-xr-xexamples/cgroup.py11
-rwxr-xr-xexamples/unschroot.py2
-rw-r--r--linuxnamespaces/__init__.py15
3 files changed, 23 insertions, 5 deletions
diff --git a/examples/cgroup.py b/examples/cgroup.py
index 5fa5df6..219dc62 100755
--- a/examples/cgroup.py
+++ b/examples/cgroup.py
@@ -50,14 +50,17 @@ def main() -> None:
linuxnamespaces.systemd.reexec_as_transient_unit(
properties={"Delegate": True}
)
+ namespaces = (
+ linuxnamespaces.CloneFlags.NEWUSER
+ | linuxnamespaces.CloneFlags.NEWNS
+ | linuxnamespaces.CloneFlags.NEWCGROUP
+ )
linuxnamespaces.unshare_user_idmap(
[linuxnamespaces.IDMapping(os.getuid(), os.getuid(), 1)],
[linuxnamespaces.IDMapping(os.getgid(), os.getgid(), 1)],
- linuxnamespaces.CloneFlags.NEWUSER
- | linuxnamespaces.CloneFlags.NEWNS
- | linuxnamespaces.CloneFlags.NEWCGROUP,
+ namespaces,
)
- linuxnamespaces.populate_sys("/", "/", mycgroup)
+ linuxnamespaces.populate_sys("/", "/", namespaces, mycgroup)
os.execlp(os.environ["SHELL"], os.environ["SHELL"])
diff --git a/examples/unschroot.py b/examples/unschroot.py
index 59c0ce4..7ad0bed 100755
--- a/examples/unschroot.py
+++ b/examples/unschroot.py
@@ -243,7 +243,7 @@ def do_run_session(args: argparse.Namespace) -> None:
os.setuid(0)
linuxnamespaces.bind_mount(".", "/mnt", recursive=True)
os.chdir("/mnt")
- linuxnamespaces.populate_sys("/", ".")
+ linuxnamespaces.populate_sys("/", ".", ns)
linuxnamespaces.populate_proc("/", ".", ns)
linuxnamespaces.populate_dev(
"/", ".", tun=bool(ns & linuxnamespaces.CloneFlags.NEWNET)
diff --git a/linuxnamespaces/__init__.py b/linuxnamespaces/__init__.py
index 8853c07..8c1def3 100644
--- a/linuxnamespaces/__init__.py
+++ b/linuxnamespaces/__init__.py
@@ -526,12 +526,20 @@ def populate_proc(
def populate_sys(
origroot: AtLocationLike,
newroot: PathConvertible,
+ namespaces: CloneFlags,
rootcgroup: PathConvertible | None = None,
module: bool = True,
+ devices: bool = False,
) -> None:
"""Create a /sys hierarchy below newroot. Bind the cgroup hierarchy. The
cgroup hierarchy will be mounted read-only if mounting the root group.
+ The module parameter indicates whether the /sys/module should be made
+ available read-only (True) or not at all (False). The devices parameter
+ indicates whether the devices hierarchy should be made available. If the
+ given namespaces happen to include a network namespace, virtual network
+ devices will be modifiable.
+
A process with CAP_SYS_ADMIN can remount the created bind mounts read-write
or umount hiding mounts and thus elevate their privileges.
"""
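Review bot: The new required `namespaces` parameter is inserted before the existing `rootcgroup`, so any caller still passing the cgroup path positionally (as the pre-change cgroup example did) now binds it to `namespaces` and only fails later at `namespaces & CloneFlags.NEWNET`, rather than at the call site. Since the signature is changing anyway, the two boolean switches would be safer as keyword-only so a future reorder cannot silently shift them: `rootcgroup: PathConvertible | None = None,` then `*,` then `module: bool = True,` / `devices: bool = False,`. The docstring could also say explicitly that with `devices=True` the whole bus/class/dev/devices tree is bound read-only and that `devices/virtual/net` is the single read-write bind added for a network namespace, since that is the one write path this function now exposes; the phrase "whether the /sys/module should" reads better as "whether /sys/module should". populate_sys continues in the next hunk.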
@@ -548,6 +556,13 @@ def populate_sys(
)
if module:
bind_mounts["module"] = ("module", True)
+ if devices:
+ for subdir in ("bus", "class", "dev", "devices"):
+ bind_mounts[subdir] = (subdir, True)
+ if namespaces & CloneFlags.NEWNET:
+ if not devices:
+ bind_mounts["class/net"] = ("class/net", True)
+ bind_mounts["devices/virtual/net"] = ("devices/virtual/net", False)
bind_fds: dict[str, AtLocation] = {}
with contextlib.ExitStack() as exitstack:
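Review bot: The read-write bind of `devices/virtual/net` is stacked on top of the read-only `devices` bind when `devices=True`, and on top of the read-only `class/net` symlink targets otherwise, so it only works because `bind_mounts` is a dict whose insertion order puts `"devices"` before `"devices/virtual/net"`; nothing in the hunk states that dependency. A short comment above the NEWNET branch would protect it from a later reorder: `# Order matters: "devices/virtual/net" must be bound after "devices" so the read-write mount is stacked on top of the read-only one (dict preserves insertion order).` It would also help to note at the `False` tuple that this is the only read-write sysfs path populate_sys creates, e.g. `# read-write: the new network namespace owns these virtual devices`, hedged as appropriate since the second tuple element's meaning (read-only when True, judging from the `module` entry and its docstring) is defined outside the hunk. The rest of populate_sys, including the loop that consumes `bind_mounts`, lies outside the hunk.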