[PATCH RFC] LXC: don't RO mount /proc, /sys when user namespce enabled

Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> · Mon, 22 Dec 2014 11:57:08 +0800

If we enabled user ns and provided a uid/gid map,
we do not need to mount /proc, /sys as readonly.
Leave it to kernel for protection.

Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
---
 src/lxc/lxc_container.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 1b9e2f2..3b5845a 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -983,6 +983,12 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
             goto cleanup;
         }
 
+        /* don't readonly mount when userns is enabled */
+        if (userns_enabled) {
+            VIR_FREE(mnt_src);
+            continue;
+        }
+
         if (bindOverReadonly &&
             mount(mnt_src, mnt->dst, NULL,
                   MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
-- 
1.9.3

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list






