Re: [PATCH] LXC: make sure netns been enabled when trying to enable userns


 



On Fri, Mar 20, 2015 at 05:58:22AM -0400, Chen Hanxiao wrote:
This patch reverts commit:
7dc5dbc879bd0779924b5132a48b731a0bc04a1e


I haven't found this commit in the log; also, this is not how reverts
should be done. Please use "git revert <commit_id>": it basically
cherry-picks an inverted version of that patch, so conflicts can be
resolved, and it lets you amend the commit message.

Discussed at:
http://www.redhat.com/archives/libvir-list/2015-March/msg01023.html

Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
---
src/lxc/lxc_container.c | 45 ++++++++++++++++-----------------------------
1 file changed, 16 insertions(+), 29 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index cc20b6d..69a8f2f 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -934,8 +934,6 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
{
    size_t i;
    int rc = -1;
-    char* mnt_src = NULL;
-    int mnt_mflags;

    VIR_DEBUG("Mounting basic filesystems");

@@ -944,22 +942,17 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
        virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];

        /* When enable userns but disable netns, kernel will
-         * forbid us doing a new fresh mount for sysfs.
-         * So we had to do a bind mount for sysfs instead.
+         * forbid us doing a new fresh mount for sysfs for security reason.
+         * So we should not allow this.
         */
-        if (userns_enabled && netns_disabled &&
-            STREQ(mnt->src, "sysfs")) {
-            if (VIR_STRDUP(mnt_src, "/sys") < 0)
-                goto cleanup;
-            mnt_mflags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY|MS_BIND;
-        } else {
-            if (VIR_STRDUP(mnt_src, mnt->src) < 0)
-                goto cleanup;
-            mnt_mflags = mnt->mflags;
+        if (userns_enabled && netns_disabled) {
+            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                           _("Userns could not be enabled without netns"));
+            goto cleanup;
        }

        VIR_DEBUG("Processing %s -> %s",
-                  mnt_src, mnt->dst);
+                  mnt->src, mnt->dst);

        if (mnt->skipUnmounted) {
            char *hostdir;
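Review bot: The new `if (userns_enabled && netns_disabled)` check sits inside the loop body although it does not depend on `mnt`, so it is re-evaluated on every pass over lxcBasicMounts and can only ever fire on the first one; hoist the block out of the loop, placing it right after `VIR_DEBUG("Mounting basic filesystems");` in the previous hunk, so the rejection is a single guard before any mount is attempted. The reworded comment still reads as if it described a mount ("forbid us doing a new fresh mount for sysfs for security reason. So we should not allow this."); once hoisted, `/* The kernel refuses a fresh sysfs mount in a user namespace that has no network namespace, so reject the combination up front instead of failing part-way through mounting. */` says what the guard is for. Reporting VIR_ERR_CONFIG_UNSUPPORTED this deep in container setup means the user only learns about the unsupported combination at start time; if the LXC driver has a config-validation path, that would presumably be the better place for the check, with this one kept as a defensive fallback. The commit message should also state that guests configured with userns but without netns will now fail to start instead of getting a bind-mounted /sys. The enclosing for loop starts outside this hunk.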
@@ -976,28 +969,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
            if (ret == 0) {
                VIR_DEBUG("Skipping '%s' which isn't mounted in host",
                          mnt->dst);
-                VIR_FREE(mnt_src);
                continue;
            }
        }

        if (mnt->skipUserNS && userns_enabled) {
            VIR_DEBUG("Skipping due to user ns enablement");
-            VIR_FREE(mnt_src);
            continue;
        }

        /* Skip mounts with missing source without shouting: it may be a
         * missing folder in /proc due to the absence of a kernel feature */
-        if (STRPREFIX(mnt_src, "/") && !virFileExists(mnt_src)) {
-            VIR_DEBUG("Skipping due to missing source: %s", mnt_src);
-            VIR_FREE(mnt_src);
+        if (STRPREFIX(mnt->src, "/") && !virFileExists(mnt->src)) {
+            VIR_DEBUG("Skipping due to missing source: %s", mnt->src);
            continue;
        }

        if (mnt->skipNoNetns && netns_disabled) {
            VIR_DEBUG("Skipping due to absence of network namespace");
-            VIR_FREE(mnt_src);
            continue;
        }

@@ -1015,35 +1004,33 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
         * we mount the filesystem in read-write mode initially, and then do a
         * separate read-only bind mount on top of that.
         */
-        bindOverReadonly = !!(mnt_mflags & MS_RDONLY);
+        bindOverReadonly = !!(mnt->mflags & MS_RDONLY);

        VIR_DEBUG("Mount %s on %s type=%s flags=%x",
-                  mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY);
-        if (mount(mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY, NULL) < 0) {
+                  mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY);
+        if (mount(mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY, NULL) < 0) {
            virReportSystemError(errno,
                                 _("Failed to mount %s on %s type %s flags=%x"),
-                                 mnt_src, mnt->dst, NULLSTR(mnt->type),
-                                 mnt_mflags & ~MS_RDONLY);
+                                 mnt->src, mnt->dst, NULLSTR(mnt->type),
+                                 mnt->mflags & ~MS_RDONLY);
            goto cleanup;
        }

        if (bindOverReadonly &&
-            mount(mnt_src, mnt->dst, NULL,
+            mount(mnt->src, mnt->dst, NULL,
                  MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
            virReportSystemError(errno,
                                 _("Failed to re-mount %s on %s flags=%x"),
-                                 mnt_src, mnt->dst,
+                                 mnt->src, mnt->dst,
                                 MS_BIND|MS_REMOUNT|MS_RDONLY);
            goto cleanup;
        }

-        VIR_FREE(mnt_src);
    }

    rc = 0;

 cleanup:
-    VIR_FREE(mnt_src);
    VIR_DEBUG("rc=%d", rc);
    return rc;
}
--
2.1.0


Attachment: pgpEKR9GgVj0D.pgp
Description: PGP signature

