pipe: reopen pipes via usernsd

If a pipe is inherited (external), it may be impossible to reopen it from a restored user namespace due to lack of permession, so in this case we have to reopen it via usernsd. opencontainers/runc#1333
avagin · Feb 23, 2017 · 9986792 · 9986792
1 parent 204f44d
commit 9986792
Showing 1 changed file with 30 additions and 2 deletions.
diff --git a/criu/pipes.c b/criu/pipes.c
@@ -17,6 +17,7 @@
 #include "images/pipe.pb-c.h"
 #include "images/pipe-data.pb-c.h"
 #include "fcntl.h"
+#include "namespaces.h"
 
 static LIST_HEAD(pipes);
 
@@ -213,15 +214,42 @@ int restore_pipe_data(int img_type, int pfd, u32 id, struct pipe_data_rst **hash
 	return ret;
 }
 
+struct uns_reopen_args {
+	int flags;
+};
+
+static int userns_reopen(void *_arg, int fd, pid_t pid)
+{
+	struct uns_reopen_args *arg = _arg;
+	char path[PSFDS];
+	int ret;
+
+	sprintf(path, "/proc/self/fd/%d", fd);
+	ret = open(path, arg->flags);
+	if (ret < 0)
+		pr_perror("Unable to reopen the pipe %s", path);
+	close(fd);
+
+	return ret;
+}
+
 static int reopen_pipe(int fd, int flags)
 {
 	int ret;
 	char path[PSFDS];
 
 	sprintf(path, "/proc/self/fd/%d", fd);
 	ret = open(path, flags);
-	if (ret < 0)
-		pr_perror("Unable to reopen the pipe %s", path);
+	if (ret < 0) {
+		if (errno == EACCES) {
+			/* It may be an external pipe from an another userns */
+			struct uns_reopen_args args = {
+				.flags = flags
+			};
+			ret = userns_call(userns_reopen, UNS_FDOUT, &args, sizeof(args), fd);
+		} else
+			pr_perror("Unable to reopen the pipe %s", path);
+	}
 	close(fd);
 
 	return ret;