[libvirt] [RFC PATCH 5/6] LXC: create tty device with proper permission for container

Daniel P. Berrange berrange at redhat.com
Wed Mar 13 11:08:00 UTC 2013


On Mon, Mar 11, 2013 at 02:26:51PM +0800, Gao feng wrote:
> Since the root user of container may be a normal
> user on host, we should make sure the container
> has rights to use the tty device.
> 
> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
> ---
>  src/lxc/lxc_controller.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
> index c6f8c3b..4715f84 100644
> --- a/src/lxc/lxc_controller.c
> +++ b/src/lxc/lxc_controller.c
> @@ -1311,6 +1311,7 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl)
>      char *opts = NULL;
>      char *devpts = NULL;
>      int ret = -1;
> +    uid_t uid = 0;
>  
>      if (!root) {
>          if (ctrl->nconsoles != 1) {
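Review bot: `uid` is declared here as `uid_t`, which is an unsigned type on Linux, but the second hunk passes it to a `%d` conversion in `virAsprintf`; print it as `(unsigned int)uid` with `%u` (or cast to `int` for `%d`) so the format string matches the argument and `-Wformat` does not warn.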
> @@ -1367,10 +1368,13 @@ virLXCControllerSetupDevPTS(virLXCControllerPtr ctrl)
>          goto cleanup;
>      }
>  
> +    if (ctrl->def->os.userns == VIR_DOMAIN_USER_NS_ENABLED)
> +        uid = ctrl->def->os.uidmap.low_first;
> +
>      /* XXX should we support gid=X for X!=5 for distros which use
>       * a different gid for tty?  */
> -    if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,gid=5%s",
> -                    (mount_options ? mount_options : "")) < 0) {
> +    if (virAsprintf(&opts, "newinstance,ptmxmode=0666,mode=0620,uid=%d,gid=5%s",
> +                    uid, (mount_options ? mount_options : "")) < 0) {
>          virReportOOMError();
>          goto cleanup;
>      }
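Review bot: the `uid=%d` option is appended unconditionally, so a container without user namespaces now mounts its devpts with `uid=0` and every pty is owned by root instead of by the process that opened `/dev/ptmx`, as the kernel does when no `uid=` is given; if the option is kept at all, emit it only inside the `VIR_DOMAIN_USER_NS_ENABLED` branch, for example by building a separate `uidopt` string that stays empty otherwise. The existing `XXX` comment about hardcoding `gid=5` applies equally to the new `uid=`: `uidmap.low_first` is the host uid of the container's root only, so any container process running as another uid would still get ptys it does not own.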

This is bogus, if no 'uid' parameter is set for devpts, then the
PTYs that are created automatically get given the uid associated
with the calling process, which is what you want. With this change,
you are hardcoding the 'uid' regardless of what UID the process in
the container is running as, which will break things if any container
process changes its uid. 


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
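The ownership rule Daniel's objection rests on can be checked from a running process. The following is an added example, not code from this thread or from libvirt: it first scans `/proc/self/mounts`-style lines (the sample lines are constructed) for a devpts mount that sets `uid=`, then allocates a pty through `/dev/ptmx` and compares the slave's `st_uid` with the caller's effective uid. On a devpts mounted without `uid=` the two match; with `uid=N` the slave is owned by N regardless of who opened it. Function names are my own.

```c
/* Added example (not libvirt code): observe who owns a freshly allocated pty
 * slave, and whether the devpts instance in use forces ownership via uid=. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Parse one /proc/self/mounts line ("src mountpoint fstype options dump pass").
 * Return 1 if it is a devpts mount whose options contain a uid= entry,
 * 0 if it is a devpts mount without uid=, and -1 if it is not a devpts line. */
int devpts_line_sets_uid(const char *line)
{
    char src[256], mnt[256], fstype[64], opts[512];
    if (sscanf(line, "%255s %255s %63s %511s", src, mnt, fstype, opts) != 4)
        return -1;
    if (strcmp(fstype, "devpts") != 0)
        return -1;
    /* Options are comma separated; look for a token that starts with "uid=". */
    char *save = NULL;
    for (char *tok = strtok_r(opts, ",", &save); tok; tok = strtok_r(NULL, ",", &save))
        if (strncmp(tok, "uid=", 4) == 0)
            return 1;
    return 0;
}

/* Scan a whole /proc/self/mounts-style text. Return 1 if any devpts mount sets
 * uid=, 0 if devpts mounts exist but none sets it, -1 if none is listed. */
int any_devpts_sets_uid(const char *mounts_text)
{
    int seen_devpts = 0;
    const char *p = mounts_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1100];
        if (len >= sizeof(line))
            len = sizeof(line) - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        int r = devpts_line_sets_uid(line);
        if (r == 1)
            return 1;
        if (r == 0)
            seen_devpts = 1;
        p = nl ? nl + 1 : p + len;
    }
    return seen_devpts ? 0 : -1;
}

/* Allocate a pty via /dev/ptmx and report who owns the slave.
 * Return 1 if the slave's st_uid equals the caller's effective uid,
 * 0 if it differs (what a uid= mount option produces), -1 if no pty
 * could be allocated (no /dev/ptmx or no devpts mounted). */
int pty_slave_owned_by_caller(uid_t *owner_out)
{
    int mfd = posix_openpt(O_RDWR | O_NOCTTY);
    if (mfd < 0)
        return -1;
    if (grantpt(mfd) < 0 || unlockpt(mfd) < 0) {
        close(mfd);
        return -1;
    }
    const char *slave = ptsname(mfd);
    struct stat st;
    if (!slave || stat(slave, &st) < 0) {
        close(mfd);
        return -1;
    }
    close(mfd);
    if (owner_out)
        *owner_out = st.st_uid;
    return st.st_uid == geteuid() ? 1 : 0;
}

int main(void)
{
    /* Constructed sample mount lines: the first is a typical host devpts,
     * the second is what the patch above would produce for uid 100000. */
    const char *plain = "devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0\n";
    const char *forced = "devpts /dev/pts devpts rw,relatime,newinstance,uid=100000,gid=5,mode=620,ptmxmode=666 0 0\n";
    printf("sample without uid=: %d\n", any_devpts_sets_uid(plain));
    printf("sample with uid=:    %d\n", any_devpts_sets_uid(forced));

    uid_t owner = 0;
    int r = pty_slave_owned_by_caller(&owner);
    if (r < 0)
        printf("could not allocate a pty here\n");
    else
        printf("pty slave owner uid=%u, caller euid=%u, match=%d\n",
               (unsigned int)owner, (unsigned int)geteuid(), r);
    return 0;
}
```

Run it as an unprivileged user on a host whose devpts has no `uid=` and `match=1` is printed; the same binary run inside a mount namespace whose devpts carries `uid=N` reports `match=0` for every uid other than N, which is the breakage Daniel describes.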