On 11/13/2013 04:51 PM, Chen Hanxiao wrote:
From: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
If we enable userns, we could bind mount
some dirs from host to guest, which don't belong to
the target mapped uid/gid.
Such as we could bind mount root's dirs to guest.
What is worse, we could even modify root's files
in that bind dir inside container.
If that were possible it would be a generic permission problem
that belongs in the kernel, so this patch does not try to fix it there.
So if we couldn't know
the dir's ownership(without a proper uid/gid mapping),
don't mount it.
Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
---
v2: add more description
src/lxc/lxc_container.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 255c711..4cf209e 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -96,6 +96,8 @@
typedef char lxc_message_t;
#define LXC_CONTINUE_MSG 'c'
+#define OVERFLOW_UGID 65534
+
typedef struct __lxc_child_argv lxc_child_argv_t;
struct __lxc_child_argv {
virDomainDefPtr config;
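Review bot: `#define OVERFLOW_UGID 65534` hard-codes the kernel's *default* overflow id, but the value actually used to present unmapped owners is a sysctl (`kernel.overflowuid` / `kernel.overflowgid`, also exposed as `fs.overflowuid`), so on a host where an admin changed it the later comparison silently stops detecting unmapped files. A more robust option is to read `/proc/sys/kernel/overflowuid` and `/proc/sys/kernel/overflowgid` once at startup and fall back to 65534 only if that fails. At minimum the macro deserves a comment saying what it is and that it is only the default: `/* Kernel default for kernel.overflowuid/overflowgid; the id shown for owners with no mapping in the user namespace. */`. Note also that 65534 is the conventional uid/gid of `nobody`/`nogroup` on many distributions, so the same number can denote a real, mapped owner.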
@@ -1073,6 +1075,22 @@ static int lxcContainerMountFSBind(virDomainFSDefPtr fs,
if (virAsprintf(&src, "%s%s", srcprefix, fs->src) < 0)
goto cleanup;
+ if (stat(src, &st) < 0) {
+ virReportSystemError(errno, _("Unable to stat bind source %s"),
+ src);
+ goto cleanup;
+ } else {
+ if (OVERFLOW_UGID == st.st_uid || OVERFLOW_UGID == st.st_gid) {
+ errno = EPERM;
+ VIR_DEBUG("Unknown st_uid %d, st_gid %d for %s",
+ st.st_uid, st.st_gid, fs->src);
+ virReportSystemError(errno,
+ _("Check the permission of src dir '%s'
provided for container")
+ ,fs->src);
+ goto cleanup;
+ }
+ }
+
if (stat(fs->dst, &st) < 0) {
if (errno != ENOENT) {
virReportSystemError(errno, _("Unable to stat bind target %s"),
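Review bot: The new `OVERFLOW_UGID == st.st_uid || OVERFLOW_UGID == st.st_gid` check cannot distinguish an unmapped owner from a legitimately mapped uid/gid 65534, so it rejects valid configurations: a domain with no idmap at all (where 65534 is simply `nobody`, common for NFS root-squashed exports), or one whose mapping covers 65534 (e.g. a 0-65536 range) and that bind-mounts a directory owned by that mapped id. The check should only run when a user namespace mapping is actually in effect and, ideally, should be expressed as "is this id inside the domain's uid/gid map" rather than "is it the overflow id"; lxcContainerMountFSBind only receives `fs` and `srcprefix` here, so that information presumably has to be plumbed in from the caller (outside the hunk). The check also inspects only the source directory's own inode, so a mapped-owner directory containing unmapped files still mounts and those files remain readable in the container — worth a comment so readers do not assume the whole subtree is vetted. Minor: `VIR_DEBUG("Unknown st_uid %d, st_gid %d ...")` passes `uid_t`/`gid_t` (unsigned) to `%d`; use `%u` with `(unsigned int)` casts to keep `-Wformat` clean.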