On Fri, Aug 09, 2013 at 04:05:58PM +0800, Chen Hanxiao wrote:
> From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
>
> If we enable userns, the ownership of dir we provided for containers
> should match the uid/gid in idmap.
> Currently, the debug log is very implicit or misleading sometimes.
> This patch will help clarify this for us when using
> debug log or virsh.

I do recall hitting some permission issue once, but can't remember just what it was. Can you describe exactly how to reproduce the problem ?

> Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
> ---
> src/lxc/lxc_container.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> 1 files changed, 46 insertions(+), 0 deletions(-)
>
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index b910b10..2ccdc61 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -1815,6 +1815,49 @@ lxcNeedNetworkNamespace(virDomainDefPtr def)
> return false;
> }
>
> +/*
> + * Helper function for helping check
> + * whether we have enough privilege
> + * to operate the source dir when userns enabled
> + * @vmDef: pointer to vm definition structure
> + * Returns 0 on success or -1 in case of error
> + */
> +static int
> +lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef)
> +{
> + struct stat buf;
> + size_t i;
> + uid_t uid;
> + gid_t gid;
> +
> + VIR_DEBUG("vmDef->nfss %d", (int)vmDef->nfss);
> + for (i = 0; i < vmDef->nfss; i++) {
> + VIR_DEBUG("dst is %s, src is %s",
> + vmDef->fss[i]->dst,
> + vmDef->fss[i]->src);
> +
> + uid = vmDef->idmap.uidmap[0].target;
> + gid = vmDef->idmap.gidmap[0].target;
> +
> + if (lstat(vmDef->fss[i]->src, &buf) < 0) {
> + virReportSystemError(errno, _("Cannot access '%s'"),
> + vmDef->fss[i]->src);
> + return -1;
> + } else if (uid != buf.st_uid || gid != buf.st_gid) {
> + VIR_DEBUG("In userns uid is %d, gid is %d\n",
> + uid, gid);
> + errno = EINVAL;
> +
> + virReportSystemError(errno,
> + _("[userns] Src dir '%s' does not belong to uid/gid: %d/%d"),
> + vmDef->fss[i]->src, uid, gid);
> + return -1;
> + }
> + }
> +
> + return 0;
> +}
> +
> /**
> * lxcContainerStart:
> * @def: pointer to virtual machine structure
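Review bot: `uidmap[0]` and `gidmap[0]` are indexed inside the loop without checking that either map is non-empty, and the comparison accepts only the first entry's `target`, so a source directory owned by any other uid/gid inside the mapped range is rejected even though the container can use it; the caller's condition (outside the hunk) may guarantee a uid map, but nothing visible guarantees a gid map. `lstat()` is also applied to `fss[i]->src` for every filesystem entry, and a filesystem type that carries no source path would hand it a NULL pointer; lstat additionally checks a symlink rather than the directory that is actually mounted. Minor points: `uid_t`/`gid_t` are printed with `%d`, and `errno = EINVAL` followed by `virReportSystemError` reports a configuration mismatch as if it were a system error, where `virReportError(VIR_ERR_CONFIG_UNSUPPORTED, ...)` with `%u` and explicit casts matches how this file reports unsupported configuration. The mapping lookup can be hoisted out of the loop; a guarded version is sketched below.

```c
    /* … unchanged: declarations … */
    /* Refuse to index an empty map rather than read past it. */
    if (vmDef->idmap.nuidmap == 0 || vmDef->idmap.ngidmap == 0) {
        virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                       _("User namespace requires both uid and gid mappings"));
        return -1;
    }
    uid = vmDef->idmap.uidmap[0].target;
    gid = vmDef->idmap.gidmap[0].target;

    for (i = 0; i < vmDef->nfss; i++) {
        virDomainFSDefPtr fs = vmDef->fss[i];

        /* Only entries backed by a host path can be checked for ownership. */
        if (!fs->src)
            continue;

        /* stat() follows symlinks: check the directory that will be mounted. */
        if (stat(fs->src, &buf) < 0) {
            virReportSystemError(errno, _("Cannot access '%s'"), fs->src);
            return -1;
        }
        if (buf.st_uid != uid || buf.st_gid != gid) {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
                           _("[userns] Src dir '%s' does not belong to uid/gid: %u/%u"),
                           fs->src, (unsigned int)uid, (unsigned int)gid);
            return -1;
        }
    }
    return 0;
```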
> @@ -1866,6 +1909,9 @@ int lxcContainerStart(virDomainDefPtr def,
> if (userns_supported()) {
> VIR_DEBUG("Enable user namespace");
> cflags |= CLONE_NEWUSER;
> + if (lxcContainerUsernsSrcOwnershipCheck(def) < 0) {
> + return -1;
> + }
> } else {
> virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> _("Kernel doesn't support user namespace"));

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
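Review bot: The new `return -1` leaves `lxcContainerStart` without releasing anything set up earlier in the function; `lxcContainerStart` begins outside the hunk, and if the clone stack buffer is allocated before this point, as the surrounding code suggests, it leaks on this path — either free it first (`VIR_FREE(stack); return -1;` if that is its name) or call `lxcContainerUsernsSrcOwnershipCheck(def)` before any allocation. Note also that this check runs on every container start rather than once when the definition is parsed or validated, so a mis-owned `<filesystem>` source is only reported at launch; that is acceptable for a precondition on host-side state, but the call site should say so, e.g. `/* Host-side ownership must match the idmap before the container enters its userns */`.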