#!/usr/bin/python3
# Copyright 2024 Helmut Grohne <helmut@subdivi.de>
# SPDX-License-Identifier: GPL-3
"""Mount a given ext4 filesystem image inside a user and mount namespace using
unprivileged fuse2fs and chroot into the mounted filesystem.
This requires a fuse package with support for /dev/fd/N. Either with fuse2 via
https://bugs.debian.org/1055222 or when e2fsprogs has been ported to fuse3.
"""
import os
import pathlib
import socket
import sys
# Running straight from a source checkout (examples/<this file>): put the
# repository root, two path components up, ahead of site-packages so the
# checked-out linuxnamespaces package is the one imported below.
if __file__.split("/")[-2:-1] == ["examples"]:
    repo_root = "/".join(__file__.split("/")[:-2])
    sys.path.insert(0, repo_root)
import linuxnamespaces
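def main() -> None:
    """Mount the ext4 image named on the command line and exec a shell in it.

    The work is split across two processes:

    * the parent unshares a user and mount namespace, becomes uid/gid 0
      inside it, opens ``/dev/fuse`` and performs the mount itself;
    * a forked child (``setup``) writes the parent's id maps, receives the
      ``/dev/fuse`` descriptor over a socketpair and execs ``fuse2fs`` on it,
      so the filesystem driver runs without any privilege.

    After the mount the parent bind-mounts /proc and /sys into the image,
    populates /dev, pivots its root into the image and execs ``$SHELL``
    (falling back to ``/bin/sh`` when ``SHELL`` is unset).

    Exits via ``SystemExit`` with a message when the image argument is
    missing, the file does not exist, or the helper child dies before the
    id maps are written.  Failures of the underlying syscall wrappers
    propagate as ``OSError``.
    """
    # NOTE(review): the image path is read from argv[2], so argv[1] is never
    # used by this script; confirm that is the intended invocation rather
    # than an off-by-one.
    if len(sys.argv) < 3:
        sys.exit("usage: %s ARG FSIMAGE" % sys.argv[0])
    fsimage = pathlib.Path(sys.argv[2])
    # Explicit check rather than assert: assert is stripped under -O.
    if not fsimage.exists():
        sys.exit("%s: no such file: %s" % (sys.argv[0], fsimage))

    # Reserve 65536 subordinate ids for the caller from /etc/subuid and
    # /etc/subgid; these become the uid/gid maps of the new user namespace.
    uidmap = linuxnamespaces.IDAllocation.loadsubid("uid").allocatemap(65536)
    gidmap = linuxnamespaces.IDAllocation.loadsubid("gid").allocatemap(65536)
    # The child writes the maps for *this* pid, so record it before forking.
    mainpid = os.getpid()
    # One end per process; also carries the /dev/fuse descriptor (SCM_RIGHTS).
    mainsock, childsock = socket.socketpair()

    @linuxnamespaces.run_in_fork
    def setup() -> None:
        """Child: write the parent's id maps, then exec fuse2fs on the fd.

        Presumably run_in_fork forks at decoration time, i.e. before the
        unshare() below, so this process stays in the original user
        namespace where writing the parent's maps is permitted -- confirm
        against linuxnamespaces.run_in_fork.
        """
        mainsock.close()
        linuxnamespaces.newidmaps(mainpid, [uidmap], [gidmap])
        # Signal the parent that the maps exist before it calls setreuid(0, 0).
        childsock.send(b"\0")
        # Block until the parent hands over its /dev/fuse descriptor.
        _, fds, _, _ = socket.recv_fds(childsock, 1, 1, 0)
        childsock.close()
        # fuse2fs addresses the device as /dev/fd/N, so the fd must survive exec.
        os.set_inheritable(fds[0], True)
        os.execlp("fuse2fs", "fuse2fs", str(fsimage), "/dev/fd/%d" % fds[0])

    linuxnamespaces.unshare(
        linuxnamespaces.CloneFlags.NEWUSER | linuxnamespaces.CloneFlags.NEWNS
    )
    setup.start()
    # The parent's copy of the child end is not needed; closing it turns a
    # child that dies early into EOF on mainsock instead of a hang in recv().
    childsock.close()
    if not mainsock.recv(1):
        sys.exit("fuse2fs helper exited before the id maps were written")
    # The maps are in place: become root inside the new user namespace.
    os.setreuid(0, 0)
    os.setregid(0, 0)
    fusefd = os.open("/dev/fuse", os.O_RDWR)
    socket.send_fds(mainsock, [b"\0"], [fusefd])
    mainsock.close()
    # The mount is performed by this namespace-root process; the unprivileged
    # child only serves requests on the fd.  user_id/group_id name the
    # namespace root as the owner of the mount and allow_other lets uids
    # other than the mounting one access it.
    linuxnamespaces.mount(
        str(fsimage),
        "/mnt",
        "fuse.ext4",
        linuxnamespaces.MountFlags.NONE,
        "fd=%d,rootmode=040755,user_id=0,group_id=0,allow_other" % fusefd,
    )
    os.chdir("/mnt")
    linuxnamespaces.bind_mount("/proc", "proc", recursive=True)
    linuxnamespaces.bind_mount("/sys", "sys", recursive=True)
    linuxnamespaces.populate_dev("/", ".", pidns=False, tun=False)
    # Make the image the root and detach the old root so the original
    # filesystem tree is no longer reachable from the shell.
    linuxnamespaces.pivot_root(".", ".")
    linuxnamespaces.umount(".", linuxnamespaces.UmountFlags.DETACH)
    # This process no longer needs the FUSE descriptor once the mount exists.
    os.close(fusefd)
    shell = os.environ.get("SHELL", "/bin/sh")
    os.execlp(shell, shell)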
if __name__ == "__main__":
    # Script entry point; importing this module mounts nothing.
    main()