[libvirt] [PATCH] LXC: make sure netns been enabled when trying to enable userns

Chen, Hanxiao chenhanxiao at cn.fujitsu.com
Mon Mar 23 03:17:37 UTC 2015



> -----Original Message-----
> From: Martin Kletzander [mailto:mkletzan at redhat.com]
> Sent: Friday, March 20, 2015 6:31 PM
> To: Chen, Hanxiao/陈 晗霄
> Cc: libvir-list at redhat.com
> Subject: Re: [libvirt] [PATCH] LXC: make sure netns been enabled when trying to
> enable userns
> 
> On Fri, Mar 20, 2015 at 05:58:22AM -0400, Chen Hanxiao wrote:
> >This patch reverts commit:
> >7dc5dbc879bd0779924b5132a48b731a0bc04a1e
> >
> 
> I haven't found this commit in the log, also this is not how reverts
> should be done, please use "git revert <commit_id>", it basically
> cherry-picks inverted version of that patch, so resolutions may be
> done for conflicts, and it will let you amend the commit message.
> 

I put a wrong commit ID, sorry for that.
I'll resend this by using 'git revert'
Thanks for your help.

Regards,
- Chen


> >Discussed at:
> >http://www.redhat.com/archives/libvir-list/2015-March/msg01023.html
> >
> >Signed-off-by: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
> >---
> > src/lxc/lxc_container.c | 45 ++++++++++++++++-----------------------------
> > 1 file changed, 16 insertions(+), 29 deletions(-)
> >
> >diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> >index cc20b6d..69a8f2f 100644
> >--- a/src/lxc/lxc_container.c
> >+++ b/src/lxc/lxc_container.c
> >@@ -934,8 +934,6 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
> > {
> >     size_t i;
> >     int rc = -1;
> >-    char* mnt_src = NULL;
> >-    int mnt_mflags;
> >
> >     VIR_DEBUG("Mounting basic filesystems");
> >
> >@@ -944,22 +942,17 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
> >         virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
> >
> >         /* When enable userns but disable netns, kernel will
> >-         * forbid us doing a new fresh mount for sysfs.
> >-         * So we had to do a bind mount for sysfs instead.
> >+         * forbid us doing a new fresh mount for sysfs for security reason.
> >+         * So we should not allow this.
> >          */
> >-        if (userns_enabled && netns_disabled &&
> >-            STREQ(mnt->src, "sysfs")) {
> >-            if (VIR_STRDUP(mnt_src, "/sys") < 0)
> >-                goto cleanup;
> >-            mnt_mflags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY|MS_BIND;
> >-        } else {
> >-            if (VIR_STRDUP(mnt_src, mnt->src) < 0)
> >-                goto cleanup;
> >-            mnt_mflags = mnt->mflags;
> >+        if (userns_enabled && netns_disabled) {
> >+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> >+                           _("Userns could not be enabled without netns"));
> >+            goto cleanup;
> >         }
> >
> >         VIR_DEBUG("Processing %s -> %s",
> >-                  mnt_src, mnt->dst);
> >+                  mnt->src, mnt->dst);
> >
> >         if (mnt->skipUnmounted) {
> >             char *hostdir;
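Review bot: The new guard `if (userns_enabled && netns_disabled)` is placed inside the per-mount `for` loop, so it is re-evaluated on every iteration even though it depends on neither `mnt` nor `i`, and it always fires on the first pass; move the three lines (the `virReportError(VIR_ERR_CONFIG_UNSUPPORTED, ...)` and `goto cleanup`) above the loop, right after the "Mounting basic filesystems" debug line, together with its comment. The comment text "for security reason" could also say which restriction is meant, e.g. `/* The kernel refuses a fresh sysfs mount from a user namespace that does not own a network namespace. */`, so the next reader does not have to rediscover why this combination is rejected. Since lxcContainerMountBasicFS appears to run during container setup rather than at definition time, the error will only surface once the container is already being started; if the driver has a pre-start or define-time validation path (not visible in this hunk), rejecting the userns-without-netns combination there would give the user the error earlier. The loop body and the enclosing function continue past the end of this hunk.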
> >@@ -976,28 +969,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
> >             if (ret == 0) {
> >                 VIR_DEBUG("Skipping '%s' which isn't mounted in host",
> >                           mnt->dst);
> >-                VIR_FREE(mnt_src);
> >                 continue;
> >             }
> >         }
> >
> >         if (mnt->skipUserNS && userns_enabled) {
> >             VIR_DEBUG("Skipping due to user ns enablement");
> >-            VIR_FREE(mnt_src);
> >             continue;
> >         }
> >
> >         /* Skip mounts with missing source without shouting: it may be a
> >          * missing folder in /proc due to the absence of a kernel feature */
> >-        if (STRPREFIX(mnt_src, "/") && !virFileExists(mnt_src)) {
> >-            VIR_DEBUG("Skipping due to missing source: %s", mnt_src);
> >-            VIR_FREE(mnt_src);
> >+        if (STRPREFIX(mnt->src, "/") && !virFileExists(mnt->src)) {
> >+            VIR_DEBUG("Skipping due to missing source: %s", mnt->src);
> >             continue;
> >         }
> >
> >         if (mnt->skipNoNetns && netns_disabled) {
> >             VIR_DEBUG("Skipping due to absence of network namespace");
> >-            VIR_FREE(mnt_src);
> >             continue;
> >         }
> >
> >@@ -1015,35 +1004,33 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
> >          * we mount the filesystem in read-write mode initially, and then do a
> >          * separate read-only bind mount on top of that.
> >          */
> >-        bindOverReadonly = !!(mnt_mflags & MS_RDONLY);
> >+        bindOverReadonly = !!(mnt->mflags & MS_RDONLY);
> >
> >         VIR_DEBUG("Mount %s on %s type=%s flags=%x",
> >-                  mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY);
> >-        if (mount(mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY, NULL)
> < 0) {
> >+                  mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY);
> >+        if (mount(mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY, NULL)
> < 0) {
> >             virReportSystemError(errno,
> >                                  _("Failed to mount %s on %s type %s flags=%x"),
> >-                                 mnt_src, mnt->dst, NULLSTR(mnt->type),
> >-                                 mnt_mflags & ~MS_RDONLY);
> >+                                 mnt->src, mnt->dst, NULLSTR(mnt->type),
> >+                                 mnt->mflags & ~MS_RDONLY);
> >             goto cleanup;
> >         }
> >
> >         if (bindOverReadonly &&
> >-            mount(mnt_src, mnt->dst, NULL,
> >+            mount(mnt->src, mnt->dst, NULL,
> >                   MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
> >             virReportSystemError(errno,
> >                                  _("Failed to re-mount %s on %s flags=%x"),
> >-                                 mnt_src, mnt->dst,
> >+                                 mnt->src, mnt->dst,
> >                                  MS_BIND|MS_REMOUNT|MS_RDONLY);
> >             goto cleanup;
> >         }
> >
> >-        VIR_FREE(mnt_src);
> >     }
> >
> >     rc = 0;
> >
> >  cleanup:
> >-    VIR_FREE(mnt_src);
> >     VIR_DEBUG("rc=%d", rc);
> >     return rc;
> > }
> >--
> >2.1.0
> >



