10:46 p.m.
Chen Hanxiao (2):
Revert "LXC: create a bind mount for sysfs when enable userns but
disable netns"
LXC: make sure netns been enabled when trying to enable userns
src/lxc/lxc_container.c | 45 ++++++++++++++++-----------------------------
1 file changed, 16 insertions(+), 29 deletions(-)
--
2.1.0
10:46 p.m.
New subject: [libvirt] [PATCH 1/2] Revert "LXC: create a bind mount for sysfs when enable userns but disable netns"
This reverts commit a86b6215a74b1feb2667204e214fbfd2f7decc5c.
Discussed at:
http://www.redhat.com/archives/libvir-list/2015-March/msg01023.html
Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
Conflicts:
src/lxc/lxc_container.c
---
src/lxc/lxc_container.c | 43 ++++++++++---------------------------------
1 file changed, 10 insertions(+), 33 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index cc20b6d..e34968a 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -934,8 +934,6 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
{
size_t i;
int rc = -1;
- char* mnt_src = NULL;
- int mnt_mflags;
VIR_DEBUG("Mounting basic filesystems");
@@ -943,23 +941,8 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
bool bindOverReadonly;
virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
- /* When enable userns but disable netns, kernel will
- * forbid us doing a new fresh mount for sysfs.
- * So we had to do a bind mount for sysfs instead.
- */
- if (userns_enabled && netns_disabled &&
- STREQ(mnt->src, "sysfs")) {
- if (VIR_STRDUP(mnt_src, "/sys") < 0)
- goto cleanup;
- mnt_mflags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY|MS_BIND;
- } else {
- if (VIR_STRDUP(mnt_src, mnt->src) < 0)
- goto cleanup;
- mnt_mflags = mnt->mflags;
- }
-
VIR_DEBUG("Processing %s -> %s",
- mnt_src, mnt->dst);
+ mnt->src, mnt->dst);
if (mnt->skipUnmounted) {
char *hostdir;
@@ -976,28 +959,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
if (ret == 0) {
VIR_DEBUG("Skipping '%s' which isn't mounted in
host",
mnt->dst);
- VIR_FREE(mnt_src);
continue;
}
}
if (mnt->skipUserNS && userns_enabled) {
VIR_DEBUG("Skipping due to user ns enablement");
- VIR_FREE(mnt_src);
continue;
}
/* Skip mounts with missing source without shouting: it may be a
* missing folder in /proc due to the absence of a kernel feature */
- if (STRPREFIX(mnt_src, "/") && !virFileExists(mnt_src)) {
- VIR_DEBUG("Skipping due to missing source: %s", mnt_src);
- VIR_FREE(mnt_src);
+ if (STRPREFIX(mnt->src, "/") && !virFileExists(mnt->src))
{
+ VIR_DEBUG("Skipping due to missing source: %s", mnt->src);
continue;
}
if (mnt->skipNoNetns && netns_disabled) {
VIR_DEBUG("Skipping due to absence of network namespace");
- VIR_FREE(mnt_src);
continue;
}
@@ -1015,35 +994,33 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
* we mount the filesystem in read-write mode initially, and then do a
* separate read-only bind mount on top of that.
*/
- bindOverReadonly = !!(mnt_mflags & MS_RDONLY);
+ bindOverReadonly = !!(mnt->mflags & MS_RDONLY);
VIR_DEBUG("Mount %s on %s type=%s flags=%x",
- mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY);
- if (mount(mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY, NULL)
< 0) {
+ mnt->src, mnt->dst, mnt->type, mnt->mflags &
~MS_RDONLY);
+ if (mount(mnt->src, mnt->dst, mnt->type, mnt->mflags &
~MS_RDONLY, NULL) < 0) {
virReportSystemError(errno,
_("Failed to mount %s on %s type %s
flags=%x"),
- mnt_src, mnt->dst, NULLSTR(mnt->type),
- mnt_mflags & ~MS_RDONLY);
+ mnt->src, mnt->dst, NULLSTR(mnt->type),
+ mnt->mflags & ~MS_RDONLY);
goto cleanup;
}
if (bindOverReadonly &&
- mount(mnt_src, mnt->dst, NULL,
+ mount(mnt->src, mnt->dst, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
virReportSystemError(errno,
_("Failed to re-mount %s on %s flags=%x"),
- mnt_src, mnt->dst,
+ mnt->src, mnt->dst,
MS_BIND|MS_REMOUNT|MS_RDONLY);
goto cleanup;
}
- VIR_FREE(mnt_src);
}
rc = 0;
cleanup:
- VIR_FREE(mnt_src);
VIR_DEBUG("rc=%d", rc);
return rc;
}
--
2.1.0
5:51 a.m.
New subject: [libvirt] [PATCH 1/2] Revert "LXC: create a bind mount for sysfs when enable userns but disable netns"
On Sun, Mar 22, 2015 at 11:46:22PM -0400, Chen Hanxiao wrote:
This reverts commit a86b6215a74b1feb2667204e214fbfd2f7decc5c.
Only partially. I think it should also revert the netns_disabled
argrument, see my reply to patch 2/2.
Discussed at:
http://www.redhat.com/archives/libvir-list/2015-March/msg01023.html
Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
Conflicts:
src/lxc/lxc_container.c
It would be helpful to list the conflicts here (though it looks it was
just context).
Jan
2:54 a.m.
New subject: [libvirt] [PATCH 1/2] Revert "LXC: create a bind mount for sysfs when enable userns but disable netns"
Hi, Jan
-----Original Message-----
From: Ján Tomko [mailto:jtomko@redhat.com]
Sent: Tuesday, April 07, 2015 6:52 PM
To: Chen, Hanxiao/陈 晗霄
Cc: libvir-list(a)redhat.com
Subject: Re: [libvirt] [PATCH 1/2] Revert "LXC: create a bind mount for sysfs when
enable userns but disable netns"
On Sun, Mar 22, 2015 at 11:46:22PM -0400, Chen Hanxiao wrote:
> This reverts commit a86b6215a74b1feb2667204e214fbfd2f7decc5c.
>
Only partially. I think it should also revert the netns_disabled
argrument, see my reply to patch 2/2.
> Discussed at:
> http://www.redhat.com/archives/libvir-list/2015-March/msg01023.html
>
> Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
>
> Conflicts:
> src/lxc/lxc_container.c
It would be helpful to list the conflicts here (though it looks it was
just context).
You mean all context in
<<<<<<< HEAD
=======
>>>>>> parent of
should be posted?
There are also some codes depend on this patch, should them be in a separate patch,
or modified in this revert patch?
Regards,
- Chen
3:15 a.m.
New subject: [libvirt] [PATCH 1/2] Revert "LXC: create a bind mount for sysfs when enable userns but disable netns"
On Wed, Apr 08, 2015 at 07:54:51AM +0000, Chen, Hanxiao wrote:
Hi, Jan
> -----Original Message-----
> From: Ján Tomko [mailto:jtomko@redhat.com]
> Sent: Tuesday, April 07, 2015 6:52 PM
> To: Chen, Hanxiao/陈 晗霄
> Cc: libvir-list(a)redhat.com
> Subject: Re: [libvirt] [PATCH 1/2] Revert "LXC: create a bind mount for sysfs
when
> enable userns but disable netns"
>
> On Sun, Mar 22, 2015 at 11:46:22PM -0400, Chen Hanxiao wrote:
> > This reverts commit a86b6215a74b1feb2667204e214fbfd2f7decc5c.
> >
>
> Only partially. I think it should also revert the netns_disabled
> argrument, see my reply to patch 2/2.
>
> > Discussed at:
> > http://www.redhat.com/archives/libvir-list/2015-March/msg01023.html
> >
> > Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
> >
> > Conflicts:
> > src/lxc/lxc_container.c
>
> It would be helpful to list the conflicts here (though it looks it was
> just context).
>
You mean all context in
<<<<<<< HEAD
=======
>>>>>>> parent of
should be posted?
If you only had to move the lines around, writing
Conflicts:
src/lxc/lxc_container.c - context
should be enough.
If you had to change them (variables/structures/functions have been
renamed since, or their behavior changed), it's nice to mention them.
There are also some codes depend on this patch, should them be in a separate patch,
or modified in this revert patch?
If they depend on parts of the original commit a86b621, it's okay to do
a partial revert (if you say that in the commit message).
Jan
10:46 p.m.
New subject: [libvirt] [PATCH 2/2] LXC: make sure netns been enabled when trying to enable userns
Discussed at:
http://www.redhat.com/archives/libvir-list/2015-March/msg01023.html
Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index e34968a..69a8f2f 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -941,6 +941,16 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
bool bindOverReadonly;
virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
+ /* When enable userns but disable netns, kernel will
+ * forbid us doing a new fresh mount for sysfs for security reason.
+ * So we should not allow this.
+ */
+ if (userns_enabled && netns_disabled) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Userns could not be enabled without netns"));
+ goto cleanup;
+ }
+
VIR_DEBUG("Processing %s -> %s",
mnt->src, mnt->dst);
--
2.1.0
5:49 a.m.
New subject: [libvirt] [PATCH 2/2] LXC: make sure netns been enabled when trying to enable userns
On Sun, Mar 22, 2015 at 11:46:23PM -0400, Chen Hanxiao wrote:
Discussed at:
http://www.redhat.com/archives/libvir-list/2015-March/msg01023.html
Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index e34968a..69a8f2f 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -941,6 +941,16 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
bool bindOverReadonly;
virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
+ /* When enable userns but disable netns, kernel will
+ * forbid us doing a new fresh mount for sysfs for security reason.
+ * So we should not allow this.
+ */
+ if (userns_enabled && netns_disabled) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Userns could not be enabled without netns"));
+ goto cleanup;
+ }
+
These bools are just the idmap.nuidmap and nnets values from vmDef, so
this only depends on the domain definition.
I think we can reject this configuration much sooner, for exmaple in
lxcContainerStart.
Jan
9:48 p.m.
-----Original Message-----
From: libvir-list-bounces(a)redhat.com [mailto:libvir-list-bounces@redhat.com] On
Behalf Of Chen Hanxiao
Sent: Monday, March 23, 2015 11:46 AM
To: libvir-list(a)redhat.com
Subject: [libvirt] [PATCH 0/2] fail out if enable userns but disable netns
Chen Hanxiao (2):
Revert "LXC: create a bind mount for sysfs when enable userns but
disable netns"
LXC: make sure netns been enabled when trying to enable userns
src/lxc/lxc_container.c | 45 ++++++++++++++++-----------------------------
1 file changed, 16 insertions(+), 29 deletions(-)
ping
Regards,
- Chen
9:39 p.m.
-----Original Message-----
From: Chen, Hanxiao/陈 晗霄
Sent: Thursday, March 26, 2015 10:49 AM
To: Chen, Hanxiao/陈 晗霄; libvir-list(a)redhat.com
Subject: RE: [libvirt] [PATCH 0/2] fail out if enable userns but disable netns
> -----Original Message-----
> From: libvir-list-bounces(a)redhat.com [mailto:libvir-list-bounces@redhat.com] On
> Behalf Of Chen Hanxiao
> Sent: Monday, March 23, 2015 11:46 AM
> To: libvir-list(a)redhat.com
> Subject: [libvirt] [PATCH 0/2] fail out if enable userns but disable netns
>
>
> Chen Hanxiao (2):
> Revert "LXC: create a bind mount for sysfs when enable userns but
> disable netns"
> LXC: make sure netns been enabled when trying to enable userns
>
> src/lxc/lxc_container.c | 45 ++++++++++++++++-----------------------------
> 1 file changed, 16 insertions(+), 29 deletions(-)
>
ping
ping
Regards,
- Chen
3515
days inactive
3531
days old
8 comments
3 participants
participants (3)
-
Chen Hanxiao -
Chen, Hanxiao
-
Ján Tomko