[libvirt] [RFC PATCH 2/2] LXC: Create ro overlay mounts only if we're not within a user namespace

Daniel P. Berrange berrange at redhat.com
Mon Jul 1 11:22:15 UTC 2013


On Mon, Jul 01, 2013 at 01:05:23PM +0200, Richard Weinberger wrote:
> Am 01.07.2013 12:33, schrieb Daniel P. Berrange:
> > On Mon, Jul 01, 2013 at 08:29:14AM +0200, Richard Weinberger wrote:
> >> Any ideas what's going on here?
> > 
> > No, it is very odd. It smells like a kernel issue to me. What
> > version are you running ?
> 
> I see this issue on all kernels.
> Currently I'm using vanilla v3.9.x and v3.10.
> 
> > I've also tried running the demo programs shown on the LWN.net
> > article
> > 
> >    https://lwn.net/Articles/532593/
> > 
> > and they don't operate in the way described by the article - the demo
> > programs continue to ru as 'nfsnobody' even after the mappings are
> > setup.
> > 
> > I'm just using the Fedora 3.9.4-303 kernel, rebuilt with userns enabled
> > in KConfig.  I'm wondering if there is still stuff missing in 3.9.x
> > that prevents this from working properly, or if the kernel behaviour
> > changed after those LWN articles were written.
> 
> To me it looks like the capability system behaves odd.
> The mappings in /proc are fine as long I do not call capng_updatev().
> Also calling capng_updatev() with parameters that do not change the current cap set
> triggers the odd behavior too.
> 
> So we see two (related?) issues:
> 1. If we try updating the capabilities of pid1 /proc/1/ has unmapped files till we exec().
> 2. Dropping  capabilities does not work we always gain a fresh and full capability set.
> 
> BTW: I'm sure the issues are not caused by Gau Feng's userns patches.

Yeah, I've reproduced this problem with standalone code outside of
libvirt. 

Take the attached code and run

 # gcc -Wall -o userns_child_exec userns_child_exec.c
 # ./userns_child_exec -U -M '0 1000 1' -G '0 1000 8' bash
 Launching child init
 # id
 uid=0(root) gid=7(lp) groups=0(root),65534(nfsnobody) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 # ls -al /proc/1/environ
 -r--------. 1 nfsnobody nfsnobody 0 Jul  1 12:14 /proc/1/environ
 # cat /proc/1/environ 
 cat: /proc/1/environ: Permission denied

and this demo program isn't attempting to touch capabilties at all.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list