|  | // SPDX-License-Identifier: GPL-2.0 | 
|  | #define _GNU_SOURCE | 
|  | #include <sched.h> | 
|  | #include <unistd.h> | 
|  | #include <stdio.h> | 
|  | #include <stdlib.h> | 
|  | #include <signal.h> | 
|  | #include <errno.h> | 
|  | #include <sys/types.h> | 
|  | #include <sys/stat.h> | 
|  | #include <fcntl.h> | 
|  | #include <sys/ioctl.h> | 
|  | #include <sys/prctl.h> | 
|  | #include <sys/wait.h> | 
|  |  | 
|  | #define NSIO    0xb7 | 
|  | #define NS_GET_USERNS   _IO(NSIO, 0x1) | 
|  |  | 
|  | #define pr_err(fmt, ...) \ | 
|  | ({ \ | 
|  | fprintf(stderr, "%s:%d:" fmt ": %m\n", \ | 
|  | __func__, __LINE__, ##__VA_ARGS__); \ | 
|  | 1; \ | 
|  | }) | 
|  |  | 
|  | int main(int argc, char *argvp[]) | 
|  | { | 
|  | int pfd[2], ns, uns, init_uns; | 
|  | struct stat st1, st2; | 
|  | char path[128]; | 
|  | pid_t pid; | 
|  | char c; | 
|  |  | 
|  | if (pipe(pfd)) | 
|  | return 1; | 
|  |  | 
|  | pid = fork(); | 
|  | if (pid < 0) | 
|  | return pr_err("fork"); | 
|  | if (pid == 0) { | 
|  | prctl(PR_SET_PDEATHSIG, SIGKILL); | 
|  | if (unshare(CLONE_NEWUTS | CLONE_NEWUSER)) | 
|  | return pr_err("unshare"); | 
|  | close(pfd[0]); | 
|  | close(pfd[1]); | 
|  | while (1) | 
|  | sleep(1); | 
|  | return 0; | 
|  | } | 
|  | close(pfd[1]); | 
|  | if (read(pfd[0], &c, 1) != 0) | 
|  | return pr_err("Unable to read from pipe"); | 
|  | close(pfd[0]); | 
|  |  | 
|  | snprintf(path, sizeof(path), "/proc/%d/ns/uts", pid); | 
|  | ns = open(path, O_RDONLY); | 
|  | if (ns < 0) | 
|  | return pr_err("Unable to open %s", path); | 
|  |  | 
|  | uns = ioctl(ns, NS_GET_USERNS); | 
|  | if (uns < 0) | 
|  | return pr_err("Unable to get an owning user namespace"); | 
|  |  | 
|  | if (fstat(uns, &st1)) | 
|  | return pr_err("fstat"); | 
|  |  | 
|  | snprintf(path, sizeof(path), "/proc/%d/ns/user", pid); | 
|  | if (stat(path, &st2)) | 
|  | return pr_err("stat"); | 
|  |  | 
|  | if (st1.st_ino != st2.st_ino) | 
|  | return pr_err("NS_GET_USERNS returned a wrong namespace"); | 
|  |  | 
|  | init_uns = ioctl(uns, NS_GET_USERNS); | 
|  | if (uns < 0) | 
|  | return pr_err("Unable to get an owning user namespace"); | 
|  |  | 
|  | if (ioctl(init_uns, NS_GET_USERNS) >= 0 || errno != EPERM) | 
|  | return pr_err("Don't get EPERM"); | 
|  |  | 
|  | if (unshare(CLONE_NEWUSER)) | 
|  | return pr_err("unshare"); | 
|  |  | 
|  | if (ioctl(ns, NS_GET_USERNS) >= 0 || errno != EPERM) | 
|  | return pr_err("Don't get EPERM"); | 
|  | if (ioctl(init_uns, NS_GET_USERNS) >= 0 || errno != EPERM) | 
|  | return pr_err("Don't get EPERM"); | 
|  |  | 
|  | kill(pid, SIGKILL); | 
|  | wait(NULL); | 
|  | return 0; | 
|  | } |