Attempt to continue working without namespacing if apparmor denies user namespaces.

gittup · gittup · commit c9903fdfbb38 · 2025-07-25T21:48:22.000-07:00
If apparmor is configured to deny unprivileged user namespaces, the unshare(CLONE_NEWUSER) call will still work, it just won't have any privileges (like CAP_SYS_ADMIN) that we need. This will manifest itself in the deny_setgroups() function when we try to open /proc/pid/setgroups for write. When the unshare() call itself fails, we try to continue on without namespacing enabled. This allows at least for diminished functionality where .tup/mnt paths are visibile to subprocesses. However, when the deny_setgroups() function fails, tup was just quitting outright. It would be better if we could continue in the diminished capacity as if the unshare() call itself failed. Unfortunately, since unshare() isn't failing, we're already in a new namespace by the time we know that it doesn't have the capabilities we need. Therefore we need to close out the child master_fork process and create a new one in the original namespace. This is the reason for the funkiness of writing out a special restart token ("2"). To prevent these error messages from showing up in the first place, one could set TUP_NO_NAMESPACING=1 in the environment to force tup to run without trying namespacing in the first place. Another option is to update the apparmor configuration for tup. For example, Ubuntu comes with a default tup configuration in /etc/apparmor.d/tup that contains: --- abi <abi/4.0>, include <tunables/global> profile tup /usr/bin/tup flags=(unconfined) { userns, # Site-specific additions and overrides. See local/README for details. include if exists <local/tup> } --- The path (here, /usr/bin/tup) needs to match the path of the actual tup binary. So if building tup from source, these paths won't match. You could add another profile in the same file or create a new apparmor profile like so: --- profile localtup /path/to/local/tup/tup flags=(unconfined) { userns, # Site-specific additions and overrides. See local/README for details. include if exists <local/tup> } --- Fixes #502.
diff --git a/src/tup/server/master_fork.c b/src/tup/server/master_fork.c
@@ -101,13 +101,12 @@ static int deny_setgroups(pid_t pid)
 			 */
 			return 0;
 		}
-		perror(filename);
-		fprintf(stderr, "tup error: Unable to deny setgroups when setting up user namespace.\n");
+		fprintf(stderr, "tup warning: Unable to deny setgroups when setting up the user namespace.\n");
 		return -1;
 	}
 	if(write(fd, "deny", 4) < 0) {
 		perror(filename);
-		fprintf(stderr, "tup error: Unable to write \"deny\" to setgroups.\n");
+		fprintf(stderr, "tup warning: Unable to write \"deny\" to setgroups.\n");
 		return -1;
 	}
 	close(fd);
@@ -139,8 +138,15 @@ static int update_map(pid_t pid, const char *mapfile, uid_t id)
 	close(fd);
 	return 0;
 }
+
 #endif
 
+static void disable_namespacing_hint(void)
+{
+	fprintf(stderr, "tup warning: Trying without namespacing enabled. Subprocesses will have '.tup/mnt' paths for the current working directory and some dependencies may be missed.\n");
+	fprintf(stderr, "You may need to update the apparmor profile in order to enable namespacing properly in tup (make sure the path in apparmor matches the path of the tup executable), or you can run tup with TUP_NO_NAMESPACING=1 to disable this warning.\n");
+}
+
 int server_pre_init(void)
 {
 	char c = 0;
@@ -176,11 +182,27 @@ int server_pre_init(void)
 			uid_t origgid = getgid();
 			pid_t pid = getpid();
 			if(unshare(CLONE_NEWUSER) < 0) {
-				fprintf(stderr, "tup warning: unshare(CLONE_NEWUSER) failed, and tup is not privileged. Subprocesses will have '.tup/mnt' paths for the current working directory and some dependencies may be missed.\n");
+				fprintf(stderr, "tup warning: unshare(CLONE_NEWUSER) failed, and tup is not privileged.\n");
+				disable_namespacing_hint();
 				use_namespacing = 0;
 			} else {
-				if(deny_setgroups(pid) < 0)
-					return -1;
+				if(deny_setgroups(pid) < 0) {
+					/* If apparmor is preventing
+					 * unshare(CLONE_NEWUSER) from getting
+					 * CAP_SYS_ADMIN, we will fail here.
+					 *
+					 * See https://github.com/gittup/tup/issues/502
+					 */
+					/* Write a special "2" token to the socket so the parent will
+					 * know to retry without namespacing.
+					 */
+					close(msd[1]);
+					if(write(msd[0], "2", 1) < 0) {
+						perror("write");
+					}
+					/* Exit out of this child process, the parent process will try to re-create another. */
+					exit(1);
+				}
 				if(update_map(pid, "uid_map", origuid) < 0)
 					return -1;
 				if(update_map(pid, "gid_map", origgid) < 0)
@@ -202,6 +224,7 @@ int server_pre_init(void)
 		}
 		exit(master_fork_loop());
 	}
+
 	if(close(msd[0]) < 0) {
 		perror("close(msd[0])");
 		return -1;
@@ -213,6 +236,18 @@ int server_pre_init(void)
 		perror("read");
 		return -1;
 	}
+	if(c == '2' && use_namespacing) {
+		int status;
+		close(msd[1]);
+		if(waitpid(master_fork_pid, &status, 0) < 0) {
+			perror("waitpid");
+			return -1;
+		}
+
+		disable_namespacing_hint();
+		use_namespacing = 0;
+		return server_pre_init();
+	}
 	if(rc == 0 || c != '1') {
 		fprintf(stderr, "tup error: master_fork server did not start up correctly.\n");
 		return -1;
diff --git a/src/tup/tup/main.c b/src/tup/tup/main.c
@@ -202,12 +202,33 @@ int main(int argc, char **argv)
 		tup_valgrind_cleanup();
 		return 0;
 	} else if(strcmp(cmd, "privileged") == 0) {
-#ifdef __linux__
-		if(unshare(CLONE_NEWUSER) == 0) {
+		if(tup_privileged())
 			return 1;
+#ifdef __linux__
+		/* If we're not privileged, we can still pretend that we are
+		 * if we can create a new user namespace.
+		 */
+		if(unshare(CLONE_NEWUSER) < 0) {
+			return 0;
 		}
+		int fd;
+		char filename[PATH_MAX];
+
+		/* Even if we can create a new user namespace, apparmor may
+		 * prevent it from getting CAP_SYS_ADMIN. The easiest way to
+		 * check (and the actual failure path in master_fork.c) is to
+		 * see if we can open the setgroups file for write.
+		 */
+		snprintf(filename, sizeof(filename), "/proc/%i/setgroups", getpid());
+		filename[sizeof(filename)-1] = 0;
+		fd = open(filename, O_WRONLY);
+		if(fd < 0) {
+			return 0;
+		}
+		return 1;
+#else
+		return 0;
 #endif
-		return tup_privileged();
 	} else if(strcmp(cmd, "server") == 0) {
 		printf("%s\n", TUP_SERVER);
 		return 0;
