[pve-devel] [RFC common v3 10/34] env: add module with helpers to run a Perl subroutine in a user namespace
Fabian Grünbichler
f.gruenbichler at proxmox.com
Wed Nov 13 12:15:57 CET 2024
On November 13, 2024 11:08 am, Fiona Ebner wrote:
> On 12.11.24 3:20 PM, Fabian Grünbichler wrote:
>> On November 7, 2024 5:51 pm, Fiona Ebner wrote:
>>> +sub __set_id_map($$$) {
>>> + my ($pid, $what, $value) = @_;
>>> + sysopen(my $fd, "/proc/$pid/${what}_map", O_WRONLY)
>>> + or die "failed to open child process' ${what}_map\n";
>>> + my $rc = syswrite($fd, $value);
>>> + if (!$rc || $rc != length($value)) {
>>> + die "failed to set sub$what: $!\n";
>>> + }
>>> + close($fd);
>>> +}
>>> +
>>> +sub set_id_map($$) {
>>> + my ($pid, $id_map) = @_;
>>> +
>>> + my $gid_map = '';
>>> + my $uid_map = '';
>>> +
>>> + for my $map ($id_map->@*) {
>>> + my ($type, $ct, $host, $length) = $map->@*;
>>> +
>>> + $gid_map .= "$ct $host $length\n" if $type eq 'g';
>>> + $uid_map .= "$ct $host $length\n" if $type eq 'u';
>>> + }
>>> +
>>> + __set_id_map($pid, 'gid', $gid_map) if $gid_map;
>>> + __set_id_map($pid, 'uid', $uid_map) if $uid_map;
>>> +}
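Review bot: the `sysopen ... or die` in `__set_id_map` drops `$!`, so a failed open of `/proc/$pid/${what}_map` reports no reason, and EACCES versus ENOENT is exactly what a caller will need to know here; suggest `or die "failed to open child process' ${what}_map: $!\n"`, matching the write-failure message below it. In `set_id_map`, a map entry whose `$type` is neither 'u' nor 'g' is silently skipped, which leaves the child namespace with fewer mappings than the caller asked for without any error; dying on an unknown type is the safer default. One caveat for the gid path: a process that lacks CAP_SETGID in the parent user namespace may only write `gid_map` after `deny` has been written to `/proc/$pid/setgroups`, so if this helper is ever used from an unprivileged caller it needs that write first (or the requirement should be documented on the function).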
>>
>> do we gain a lot here from not just using newuidmap/newgidmap?
>>
>
> I didn't know those commands existed :P Running commands seems more
> wasteful than just writing a file, but will change if you insist.
they do check against /etc/subuid (or /etc/subgid) and provide nicer
error messages AFAICT.. and this is not really in the hot path, so I am
not sure whether the "overhead" makes much of a difference.
but I am fine with either way :)
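The reply above notes that newuidmap/newgidmap check the requested ranges against /etc/subuid and /etc/subgid, a check that a direct write to /proc/$pid/{uid,gid}_map skips. The following is an added example (not code from the patch or from pve-common) of that check done in Perl, on an id_map in the same [type, ct, host, length] shape the patch uses. The subuid/subgid contents, the owner name `ctuser`, and the function names are constructed for the example; the rule that a map entry must fit entirely within one range owned by the caller is the one newuidmap applies.

```perl
#!/usr/bin/perl
# Added example, not part of the pve-common patch: the range check that
# newuidmap/newgidmap perform against /etc/subuid and /etc/subgid before
# writing a mapping. Writing /proc/$pid/{uid,gid}_map directly as root
# skips this check, so a caller that wants it has to do it itself.
use strict;
use warnings;

# Parse subuid/subgid-style lines ("owner:start:count") into
# { owner => [ [start, count], ... ] }. Lines of any other shape are
# rejected rather than skipped, so a garbled line cannot be misread as a
# permission.
sub parse_sub_ids {
    my ($content) = @_;
    my %ranges;
    for my $line (split /\n/, $content) {
        next if $line =~ /^\s*(#|$)/;
        my ($owner, $start, $count) = $line =~ /^([^:\s]+):(\d+):(\d+)\s*$/
            or die "malformed subid line: '$line'\n";
        push @{ $ranges{$owner} }, [ $start + 0, $count + 0 ];
    }
    return \%ranges;
}

# Return 1 if [host, length] lies entirely within one of $owner's allowed
# ranges, 0 otherwise. A request spanning two adjacent ranges is rejected,
# as newuidmap does: each map entry must fit a single subid range.
sub range_allowed {
    my ($ranges, $owner, $host, $length) = @_;
    for my $r (@{ $ranges->{$owner} // [] }) {
        my ($start, $count) = @$r;
        return 1 if $host >= $start && $host + $length <= $start + $count;
    }
    return 0;
}

# Check an id_map of [type, ct, host, length] entries for $owner against
# parsed subuid and subgid ranges. Returns a list of error strings; an
# empty list means the map may be written. Unknown types are reported
# instead of skipped. Mapping the caller's own uid/gid (which newuidmap
# additionally allows) is deliberately not special-cased here.
sub check_id_map {
    my ($id_map, $owner, $subuid, $subgid) = @_;
    my @errors;
    for my $map (@$id_map) {
        my ($type, $ct, $host, $length) = @$map;
        if ($type ne 'u' && $type ne 'g') {
            push @errors, "unknown map type '$type'";
            next;
        }
        if ($length < 1) {
            push @errors, "$type: length must be positive";
            next;
        }
        my $ranges = $type eq 'u' ? $subuid : $subgid;
        my $file   = $type eq 'u' ? '/etc/subuid' : '/etc/subgid';
        push @errors, "$type: host range $host+$length not owned by $owner in $file"
            if !range_allowed($ranges, $owner, $host, $length);
    }
    return @errors;
}

# Constructed sample data in the format of /etc/subuid and /etc/subgid.
my $subuid = parse_sub_ids(<<'EOF');
# owner:start:count
root:100000:65536
ctuser:200000:65536
EOF
my $subgid = parse_sub_ids("root:100000:65536\nctuser:200000:65536\n");

# Request that fits: container ids 0..65535 onto ctuser's host range.
my @errs = check_id_map(
    [ ['u', 0, 200000, 65536], ['g', 0, 200000, 65536] ],
    'ctuser', $subuid, $subgid);
print "first map: ", (@errs ? join('; ', @errs) : 'allowed'), "\n";

# Request that must be refused: the uid range runs one id past ctuser's
# allocation, the gid range belongs to root, and one entry has a bad type.
@errs = check_id_map(
    [ ['u', 0, 200000, 65537], ['g', 0, 100000, 10], ['x', 0, 1, 1] ],
    'ctuser', $subuid, $subgid);
print "second map: $_\n" for @errs;
```

The point of doing this even when the caller is root is that the write to uid_map/gid_map itself only checks the writer's capabilities, not who is entitled to which range; the subuid/subgid files are the only place that policy lives, and newuidmap is merely the usual way of consulting them.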