[libvirt] [PATCH]lxc: mount dir as readonly if ownership couldn't be known

From: Chen Hanxiao <chenhanxiao@cn.fujitsu.com> We bind mount some dir from host to guest. With userns enabled, if we couldn't know the dir's ownership, it's better to mount them as readonly. Signed-off-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com> --- src/lxc/lxc_container.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 255c711..f3f0c15 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -96,6 +96,8 @@ typedef char lxc_message_t; #define LXC_CONTINUE_MSG 'c' +#define OVERFLOWUID 65534 + typedef struct __lxc_child_argv lxc_child_argv_t; struct __lxc_child_argv { virDomainDefPtr config; @@ -1067,12 +1069,22 @@ static int lxcContainerMountFSBind(virDomainFSDefPtr fs, char *src = NULL; int ret = -1; struct stat st; + bool readonly = false; VIR_DEBUG("src=%s dst=%s", fs->src, fs->dst); if (virAsprintf(&src, "%s%s", srcprefix, fs->src) < 0) goto cleanup; + if (stat(src, &st) < 0) { + virReportSystemError(errno, _("Unable to stat bind source %s"), + src); + goto cleanup; + } else { + if (OVERFLOWUID == st.st_uid || OVERFLOWUID == st.st_gid) + readonly = true; + } + if (stat(fs->dst, &st) < 0) { if (errno != ENOENT) { virReportSystemError(errno, _("Unable to stat bind target %s"), @@ -1119,7 +1131,7 @@ static int lxcContainerMountFSBind(virDomainFSDefPtr fs, goto cleanup; } - if (fs->readonly) { + if (fs->readonly || readonly) { VIR_DEBUG("Binding %s readonly", fs->dst); if (mount(src, fs->dst, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) { virReportSystemError(errno, -- 1.8.2.1
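Review bot: The `#define OVERFLOWUID 65534` added below `LXC_CONTINUE_MSG` hard-codes the overflow ID and has no comment saying what it represents. The kernel's overflow IDs are tunable through /proc/sys/kernel/overflowuid and /proc/sys/kernel/overflowgid, and the same constant is compared against both `st_uid` and `st_gid` later in the patch. Suggest reading the two values at runtime and documenting why they mark ownership as unknown.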
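Review bot: The ownership check added after `virAsprintf` in `lxcContainerMountFSBind` runs for every bind mount, although the commit message limits the case to userns being enabled; nothing in the hunk tests whether the container has an ID mapping configured. Without a user namespace, a source whose `st_uid` or `st_gid` is 65534 simply has that owner and would still be forced read-only. Suggest gating the check on the userns configuration. The `else` after `goto cleanup` is also redundant, and the constant-first comparison `OVERFLOWUID == st.st_uid` differs from the ordering used in the surrounding code.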
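Review bot: With `if (fs->readonly || readonly)` in the last hunk, a mount the user configured as read-write is silently remounted read-only, and `VIR_DEBUG("Binding %s readonly", fs->dst)` does not record that the configuration was overridden. Suggest calling `virReportSystemError` or a similar error report and taking `goto cleanup` when the source ownership is unknown and `fs->readonly` is not set, so the caller sees the failure. The local `readonly` would also be clearer under a name that does not mirror the `fs->readonly` field.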

On Tue, Nov 12, 2013 at 05:51:45PM +0800, Chen Hanxiao wrote:
> From: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
>
> We bind mount some dir from host to guest. With userns enabled, if we couldn't know the dir's ownership, it's better to mount them as readonly.

No, if the user has requested the mount to be read-write and we can not do that, we should fail, not silently change to a read-only mount.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

-----Original Message-----
From: Daniel P. Berrange [mailto:berrange@redhat.com]
Sent: Tuesday, November 12, 2013 6:39 PM
To: Chen Hanxiao
Cc: libvir-list@redhat.com
Subject: Re: [libvirt] [PATCH]lxc: mount dir as readonly if ownership couldn't be known

> On Tue, Nov 12, 2013 at 05:51:45PM +0800, Chen Hanxiao wrote:
> > From: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
> >
> > We bind mount some dir from host to guest. With userns enabled, if we couldn't know the dir's ownership, it's better to mount them as readonly.
>
> No, if the user has requested the mount to be read-write and we can not do that, we should fail, not silently change to a read-only mount.

Thanks. New patch will come soon.