[libvirt] LXC: Helper function for checking ownership of dir when userns enabled

Fri Aug 9 07:04:51 UTC 2013

On 08/09/2013 01:53 PM, Chen Hanxiao wrote:
> From: Chen Hanxiao<chenhanxiao at cn.fujitsu.com>
>
>   If we enable userns, the ownership of dir we provided for containers
>   should match the uid/gid in idmap.
>   Currently, the debug log is very implicit or misleading sometimes.
>   This patch will help clarify this for us when using
>   debug log or virsh.
>
> Signed-off-by: Chen Hanxiao<chenhanxiao at cn.fujitsu.com>
> ---
>   src/lxc/lxc_container.c |   45 +++++++++++++++++++++++++++++++++++++++++++++
>   1 files changed, 45 insertions(+), 0 deletions(-)
>
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index b910b10..ce17466 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -1815,6 +1815,48 @@ lxcNeedNetworkNamespace(virDomainDefPtr def)
>       return false;
>   }
>
> +/*
> + * Helper function for helping check
> + * whether we have enough privilege
> + * to operate the source dir when userns enabled
> + * @vmDef: pointer to vm definition structure
> + * Returns 0 on success or -1 in case of error
> + */
> +static int
> +lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef)
> +{
> +    struct stat buf;
> +    int i;
> +    uid_t uid;
> +    gid_t gid;
> +
> +    for(i=0; i<  vmDef->nfss; i++) {
> +        VIR_DEBUG("dst is %s, src is %s",
> +                vmDef->fss[i]->dst,
> +                vmDef->fss[i]->src);
> +
> +        uid = vmDef->idmap.uidmap[0].target;
> +        gid = vmDef->idmap.gidmap[0].target;
> +
> +        if (lstat(vmDef->fss[i]->src,&buf)<  0) {
> +            virReportSystemError(errno, _("Cannot access '%s'"),
> +                                     vmDef->fss[i]->src);
> +            return -1;
> +        } else if(uid != buf.st_uid || gid != buf.st_gid) {
> +            VIR_DEBUG("In userns uid is %d, gid is %d\n",
> +                    uid, gid);
> +            errno = EINVAL;
> +
> +            virReportSystemError(errno,
> +                    "[userns] Src dir \"%s\" does not belong to uid/gid:%d/%d",
> +                    vmDef->fss[i]->src, uid, gid);
> +            return -1;
> +        }
> +    }
> +
> +    return 0;
> +}
> +
>   /**
>    * lxcContainerStart:
>    * @def: pointer to virtual machine structure
> @@ -1866,6 +1908,9 @@ int lxcContainerStart(virDomainDefPtr def,
>           if (userns_supported()) {
>               VIR_DEBUG("Enable user namespace");
>               cflags |= CLONE_NEWUSER;
> +            if(lxcContainerUsernsSrcOwnershipCheck(def)<  0) {
> +                return -1;
> +            }
>           } else {
>               virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
>                                    _("Kernel doesn't support user namespace"));

In addition, please run 'make syntax-check' firstly before committing 
patches.

src/lxc/lxc_container.c:1835:     for(i=0; i < vmDef->nfss; i++) {
src/lxc/lxc_container.c:1847:         } else if(uid != buf.st_uid || gid 
!= buf.st_gid) {
src/lxc/lxc_container.c:1913:             
if(lxcContainerUsernsSrcOwnershipCheck(def) < 0) {
maint.mk: incorrect whitespace, see HACKING for rules
make: *** [bracket-spacing-check] Error 1