This patch revert commit:
7dc5dbc879bd0779924b5132a48b731a0bc04a1e
Discussed at:
http://www.redhat.com/archives/libvir-list/2015-March/msg01023.html
Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 45 ++++++++++++++++-----------------------------
1 file changed, 16 insertions(+), 29 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index cc20b6d..69a8f2f 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -934,8 +934,6 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
{
size_t i;
int rc = -1;
- char* mnt_src = NULL;
- int mnt_mflags;
VIR_DEBUG("Mounting basic filesystems");
@@ -944,22 +942,17 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
/* When enable userns but disable netns, kernel will
- * forbid us doing a new fresh mount for sysfs.
- * So we had to do a bind mount for sysfs instead.
+ * forbid us doing a new fresh mount for sysfs for security reason.
+ * So we should not allow this.
*/
- if (userns_enabled && netns_disabled &&
- STREQ(mnt->src, "sysfs")) {
- if (VIR_STRDUP(mnt_src, "/sys") < 0)
- goto cleanup;
- mnt_mflags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY|MS_BIND;
- } else {
- if (VIR_STRDUP(mnt_src, mnt->src) < 0)
- goto cleanup;
- mnt_mflags = mnt->mflags;
+ if (userns_enabled && netns_disabled) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Userns could not be enabled without netns"));
+ goto cleanup;
}
VIR_DEBUG("Processing %s -> %s",
- mnt_src, mnt->dst);
+ mnt->src, mnt->dst);
if (mnt->skipUnmounted) {
char *hostdir;
@@ -976,28 +969,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
if (ret == 0) {
VIR_DEBUG("Skipping '%s' which isn't mounted in
host",
mnt->dst);
- VIR_FREE(mnt_src);
continue;
}
}
if (mnt->skipUserNS && userns_enabled) {
VIR_DEBUG("Skipping due to user ns enablement");
- VIR_FREE(mnt_src);
continue;
}
/* Skip mounts with missing source without shouting: it may be a
* missing folder in /proc due to the absence of a kernel feature */
- if (STRPREFIX(mnt_src, "/") && !virFileExists(mnt_src)) {
- VIR_DEBUG("Skipping due to missing source: %s", mnt_src);
- VIR_FREE(mnt_src);
+ if (STRPREFIX(mnt->src, "/") && !virFileExists(mnt->src))
{
+ VIR_DEBUG("Skipping due to missing source: %s", mnt->src);
continue;
}
if (mnt->skipNoNetns && netns_disabled) {
VIR_DEBUG("Skipping due to absence of network namespace");
- VIR_FREE(mnt_src);
continue;
}
@@ -1015,35 +1004,33 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
* we mount the filesystem in read-write mode initially, and then do a
* separate read-only bind mount on top of that.
*/
- bindOverReadonly = !!(mnt_mflags & MS_RDONLY);
+ bindOverReadonly = !!(mnt->mflags & MS_RDONLY);
VIR_DEBUG("Mount %s on %s type=%s flags=%x",
- mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY);
- if (mount(mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY, NULL)
< 0) {
+ mnt->src, mnt->dst, mnt->type, mnt->mflags &
~MS_RDONLY);
+ if (mount(mnt->src, mnt->dst, mnt->type, mnt->mflags &
~MS_RDONLY, NULL) < 0) {
virReportSystemError(errno,
_("Failed to mount %s on %s type %s
flags=%x"),
- mnt_src, mnt->dst, NULLSTR(mnt->type),
- mnt_mflags & ~MS_RDONLY);
+ mnt->src, mnt->dst, NULLSTR(mnt->type),
+ mnt->mflags & ~MS_RDONLY);
goto cleanup;
}
if (bindOverReadonly &&
- mount(mnt_src, mnt->dst, NULL,
+ mount(mnt->src, mnt->dst, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
virReportSystemError(errno,
_("Failed to re-mount %s on %s flags=%x"),
- mnt_src, mnt->dst,
+ mnt->src, mnt->dst,
MS_BIND|MS_REMOUNT|MS_RDONLY);
goto cleanup;
}
- VIR_FREE(mnt_src);
}
rc = 0;
cleanup:
- VIR_FREE(mnt_src);
VIR_DEBUG("rc=%d", rc);
return rc;
}
--
2.1.0