[libvirt] [PATCH v2]lxc: don't mount dir if ownership couldn't be known

Chen Hanxiao chenhanxiao at cn.fujitsu.com
Wed Nov 13 08:51:43 UTC 2013


From: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>

If we enable userns, we could bind mount
some dirs from host to guest, which don't belong to
the target mapped uid/gid.

For example, root's directories could be bind mounted into the guest.
Worse, root's files in that bind-mounted directory could then be
modified from inside the container.

So if we couldn't know
the dir's ownership(without a proper uid/gid mapping),
don't mount it.

Signed-off-by: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
---
v2: add more description

 src/lxc/lxc_container.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 255c711..4cf209e 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -96,6 +96,8 @@
 typedef char lxc_message_t;
 #define LXC_CONTINUE_MSG 'c'
 
+#define OVERFLOW_UGID 65534
+
 typedef struct __lxc_child_argv lxc_child_argv_t;
 struct __lxc_child_argv {
     virDomainDefPtr config;
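Review bot: `OVERFLOW_UGID` hard-codes 65534, but the id the kernel substitutes for owners with no mapping in the current user namespace is the configurable /proc/sys/kernel/overflowuid and /proc/sys/kernel/overflowgid, and 65534 is also the ordinary "nobody" uid/gid on many distributions, so a source legitimately owned by nobody would be refused while a host with a changed overflow id would never trigger the check. Reading those two sysctl values once (falling back to 65534 when they cannot be read) would make the comparison in lxcContainerMountFSBind track the running kernel instead of a build-time guess. At minimum the macro deserves a comment stating what it is, e.g. `/* kernel default overflowuid/overflowgid: the owner id shown for files whose real owner has no mapping in this user namespace */`. The constant is consumed in the second hunk.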
@@ -1073,6 +1075,22 @@ static int lxcContainerMountFSBind(virDomainFSDefPtr fs,
     if (virAsprintf(&src, "%s%s", srcprefix, fs->src) < 0)
         goto cleanup;
 
+    if (stat(src, &st) < 0) {
+        virReportSystemError(errno, _("Unable to stat bind source %s"),
+                             src);
+        goto cleanup;
+    } else {
+        if (OVERFLOW_UGID == st.st_uid || OVERFLOW_UGID == st.st_gid) {
+            errno = EPERM;
+            VIR_DEBUG("Unknown st_uid %d, st_gid %d for %s",
+                      st.st_uid, st.st_gid, fs->src);
+            virReportSystemError(errno,
+                                 _("Check the permission of src dir '%s' provided for container")
+                                 ,fs->src);
+        goto cleanup;
+        }
+    }
+
     if (stat(fs->dst, &st) < 0) {
         if (errno != ENOENT) {
             virReportSystemError(errno, _("Unable to stat bind target %s"),
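Review bot: The added VIR_DEBUG prints `st.st_uid` and `st.st_gid` with `%d`, but uid_t and gid_t are unsigned on Linux, so the format does not match the argument types; use `VIR_DEBUG("Unknown st_uid %u, st_gid %u for %s", (unsigned int)st.st_uid, (unsigned int)st.st_gid, fs->src);`. The `goto cleanup;` inside the inner `if` is indented at the outer block's level, and the `else` after the first `goto cleanup` is redundant, so a flat `if (stat(src, &st) < 0) { ... goto cleanup; }` followed by `if (OVERFLOW_UGID == st.st_uid || OVERFLOW_UGID == st.st_gid) { ... goto cleanup; }` would read like the surrounding code. The error text "Check the permission of src dir" describes ownership rather than permission, and the check inspects only the top of the source tree, so entries below it with unmapped owners are still exposed by the mount; a comment above the check should say so, e.g. `/* An owner with no mapping in this user namespace appears as the overflow id; refuse the top-level source in that case (entries below it are not checked). */`. Whether the stat observes the overflow id at all depends on this code running after the container's user namespace is entered — confirm against the caller, since if it runs in the host context the check never fires. lxcContainerMountFSBind starts before and continues past this hunk.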
-- 
1.8.2.1



