[libvirt] [PATCH RFC] LXC: don't RO mount /proc, /sys when user namespace enabled

Chen Hanxiao chenhanxiao at cn.fujitsu.com
Mon Dec 22 03:57:08 UTC 2014


If we enabled user ns and provided a uid/gid map,
we do not need to mount /proc, /sys as readonly.
Leave it to kernel for protection.

Signed-off-by: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
---
 src/lxc/lxc_container.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 1b9e2f2..3b5845a 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -983,6 +983,12 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
             goto cleanup;
         }
 
+        /* don't readonly mount when userns is enabled */
+        if (userns_enabled) {
+            VIR_FREE(mnt_src);
+            continue;
+        }
+
         if (bindOverReadonly &&
             mount(mnt_src, mnt->dst, NULL,
                   MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
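Review bot: the early `continue` added before the `bindOverReadonly` block skips not only the read-only remount but everything that follows it in the loop body for that mount entry, and it duplicates the `VIR_FREE(mnt_src)` that the loop presumably already performs on its normal path. Folding the condition into the existing test, e.g. `if (!userns_enabled && bindOverReadonly && mount(mnt_src, mnt->dst, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0)`, keeps the control flow and the per-mount cleanup unchanged. Since the commit message justifies dropping the read-only remount by "leave it to kernel for protection", the comment in the hunk should state that explicitly, i.e. that the remount is skipped only because the kernel restricts writes to /proc and /sys from a non-initial user namespace, so a reader later knows which guarantee this code now depends on.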
-- 
1.9.3
