libcontainer/userns: simplify, and separate from "user" package.

This makes libcontainer/userns self-dependent, largely returning to
the original implementation from lxc. The `uiMapInUserNS` is kept as
a separate function for unit-testing and fuzzing.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

Author: thaJeztah

libcontainer/userns/userns_fuzzer.go

@@ -2,14 +2,7 @@
 
 package userns
 
-import (
-	"strings"
-
-	"github.com/opencontainers/runc/libcontainer/user"
-)
-
-func FuzzUIDMap(data []byte) int {
-	uidmap, _ := user.ParseIDMap(strings.NewReader(string(data)))
-	_ = uidMapInUserNS(uidmap)
+func FuzzUIDMap(uidmap []byte) int {
+	_ = uidMapInUserNS(string(uidmap))
 	return 1
 }

libcontainer/userns/userns_linux.go

@@ -1,9 +1,10 @@
 package userns
 
 import (
+	"bufio"
+	"fmt"
+	"os"
 	"sync"
-
-	"github.com/opencontainers/runc/libcontainer/user"
 )
 
 var (
@@ -15,22 +16,33 @@ var (
 // Originally copied from github.com/lxc/lxd/shared/util.go
 func runningInUserNS() bool {
 	nsOnce.Do(func() {
-		uidmap, err := user.CurrentProcessUIDMap()
+		file, err := os.Open("/proc/self/uid_map")
 		if err != nil {
 			// This kernel-provided file only exists if user namespaces are supported
 			return
 		}
-		inUserNS = uidMapInUserNS(uidmap)
+		defer file.Close()
+
+		buf := bufio.NewReader(file)
+		l, _, err := buf.ReadLine()
+		if err != nil {
+			return
+		}
+
+		inUserNS = uidMapInUserNS(string(l))
 	})
 	return inUserNS
 }
 
-func uidMapInUserNS(uidmap []user.IDMap) bool {
+func uidMapInUserNS(uidMap string) bool {
+	var a, b, c int64
+	_, _ = fmt.Sscanf(uidMap, "%d %d %d", &a, &b, &c)
+
 	/*
 	 * We assume we are in the initial user namespace if we have a full
 	 * range - 4294967295 uids starting at uid 0.
 	 */
-	if len(uidmap) == 1 && uidmap[0].ID == 0 && uidmap[0].ParentID == 0 && uidmap[0].Count == 4294967295 {
+	if a == 0 && b == 0 && c == 4294967295 {
 		return false
 	}
 	return true

libcontainer/userns/userns_linux_test.go

@@ -2,12 +2,7 @@
 
 package userns
 
-import (
-	"strings"
-	"testing"
-
-	"github.com/opencontainers/runc/libcontainer/user"
-)
+import "testing"
 
 func TestUIDMapInUserNS(t *testing.T) {
 	cases := []struct {
@@ -33,11 +28,7 @@ func TestUIDMapInUserNS(t *testing.T) {
 		},
 	}
 	for _, c := range cases {
-		uidmap, err := user.ParseIDMap(strings.NewReader(c.s))
-		if err != nil {
-			t.Fatal(err)
-		}
-		actual := uidMapInUserNS(uidmap)
+		actual := uidMapInUserNS(c.s)
 		if c.expected != actual {
 			t.Fatalf("expected %v, got %v for %q", c.expected, actual, c.s)
 		}

libcontainer/userns/userns_unsupported.go

@@ -2,8 +2,6 @@
 
 package userns
 
-import "github.com/opencontainers/runc/libcontainer/user"
-
 // runningInUserNS is a stub for non-Linux systems
 // Always returns false
 func runningInUserNS() bool {
@@ -12,6 +10,6 @@ func runningInUserNS() bool {
 
 // uidMapInUserNS is a stub for non-Linux systems
 // Always returns false
-func uidMapInUserNS(uidmap []user.IDMap) bool {
+func uidMapInUserNS(uidMap string) bool {
 	return false
 }