[PATCH v2]LXC: Helper function for checking ownership of dir when userns enabled

Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> · Fri, 9 Aug 2013 16:05:58 +0800

From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>

If we enable userns, the ownership of dir we provided for containers
should match the uid/gid in idmap.
Currently, the debug log is very implicit or misleading sometimes.
This patch will help clarify this for us when using
debug log or virsh.

v2: syntax-check clean

Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
---
 src/lxc/lxc_container.c |   46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 46 insertions(+), 0 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index b910b10..2ccdc61 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1815,6 +1815,49 @@ lxcNeedNetworkNamespace(virDomainDefPtr def)
     return false;
 }
 
+/*
+ * Helper function for helping check
+ * whether we have enough privilege
+ * to operate the source dir when userns enabled
+ * @vmDef: pointer to vm definition structure
+ * Returns 0 on success or -1 in case of error
+ */
+static int
+lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef)
+{
+    struct stat buf;
+    size_t i;
+    uid_t uid;
+    gid_t gid;
+
+    VIR_DEBUG("vmDef->nfss %d", (int)vmDef->nfss);
+    for (i = 0; i < vmDef->nfss; i++) {
+        VIR_DEBUG("dst is %s, src is %s",
+                  vmDef->fss[i]->dst,
+                  vmDef->fss[i]->src);
+
+        uid = vmDef->idmap.uidmap[0].target;
+        gid = vmDef->idmap.gidmap[0].target;
+
+        if (lstat(vmDef->fss[i]->src, &buf) < 0) {
+            virReportSystemError(errno, _("Cannot access '%s'"),
+                                 vmDef->fss[i]->src);
+            return -1;
+        } else if (uid != buf.st_uid || gid != buf.st_gid) {
+            VIR_DEBUG("In userns uid is %d, gid is %d\n",
+                      uid, gid);
+            errno = EINVAL;
+
+            virReportSystemError(errno,
+                                  _("[userns] Src dir '%s' does not belong to uid/gid: %d/%d"),
+                                 vmDef->fss[i]->src, uid, gid);
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
 /**
  * lxcContainerStart:
  * @def: pointer to virtual machine structure
@@ -1866,6 +1909,9 @@ int lxcContainerStart(virDomainDefPtr def,
         if (userns_supported()) {
             VIR_DEBUG("Enable user namespace");
             cflags |= CLONE_NEWUSER;
+            if (lxcContainerUsernsSrcOwnershipCheck(def) < 0) {
+                return -1;
+            }
         } else {
             virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                                  _("Kernel doesn't support user namespace"));
-- 
1.7.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list







