authorSean Whitton <spwhitton@spwhitton.name>2021-07-25 13:03:57 -0700
committerSean Whitton <spwhitton@spwhitton.name>2021-11-08 12:31:48 -0700
commit42489752b4c78f6bbc80bb56a4347b692a067c29 (patch)
treeb7df4b0d7ad0fdd8dc6c25124947c586ba6d2d45 /src/util
parent9d857f62af05ff2f9a4ec22f1cfacecf071b668a (diff)
downloadconsfigurator-42489752b4c78f6bbc80bb56a4347b692a067c29.tar.gz
add Linux namespace-entering connections
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
Diffstat (limited to 'src/util')
-rw-r--r--src/util/linux-namespace.lisp37
1 files changed, 37 insertions, 0 deletions
diff --git a/src/util/linux-namespace.lisp b/src/util/linux-namespace.lisp
new file mode 100644
index 0000000..e362868
--- /dev/null
+++ b/src/util/linux-namespace.lisp
@@ -0,0 +1,37 @@
+;;; Consfigurator -- Lisp declarative configuration management system
+
+;;; Copyright (C) 2021 Sean Whitton <spwhitton@spwhitton.name>
+
+;;; This file is free software; you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3, or (at your option)
+;;; any later version.
+
+;;; This file is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+(in-package :consfigurator.util.linux-namespace)
+(named-readtables:in-readtable :consfigurator)
+
+#+linux
+(defun get-userns-owner (fd)
+ (with-foreign-object (owner 'uid_t)
+ (if (minusp
+ (foreign-funcall
+ "ioctl" :int fd :unsigned-long +NS_GET_OWNER_UID+ :pointer owner
+ :int))
+ (error "Couldn't determine owner of target userns.")
+ (mem-ref owner 'uid_t))))
+
+(defun setgroups-p ()
+ "In a Lisp-type connection, do we have the ability to use setgroups(2)?"
+ (and #-linux (zerop (nix:geteuid))
+ #+linux (capability-p :cap-effective +CAP-SETGID+)
+ #+linux (string= "allow"
+ (stripln
+ (read-file-string "/proc/thread-self/setgroups")))))
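Review bot: get-userns-owner drops errno when the ioctl in its body fails, so a caller cannot distinguish an FD that does not refer to a user namespace (EINVAL for NS_GET_OWNER_UID) from a permission failure, and the function has no docstring; read the errno value immediately after the foreign-funcall, before any other foreign call can clobber it, and include it in the error, with a docstring such as `"Return the UID of the owner of the user namespace referred to by the file descriptor FD. Signals an error if the NS_GET_OWNER_UID ioctl fails."`. In setgroups-p the read of /proc/thread-self/setgroups is unconditional, so on a kernel whose procfs lacks that file (I believe it appeared in 3.19, but I have not checked the project's supported floor) a failure in read-file-string becomes the function's error rather than a nil result; if that is intended, a one-line comment saying so would save the next reader a trip to proc(5). Both checks describe only the calling thread at the moment of the call, which matches the thread-self path but means the result should not be cached across a namespace or credential change; a sentence in the docstring noting that the answer is per-thread and point-in-time would make the contract explicit.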