[PATCH v2 REPOST 5/6] Add flag to lxcBasicMounts to control use in user namespaces

"Daniel P. Berrange" <berrange@xxxxxxxxxx> · Mon, 28 Oct 2013 15:40:31 +0000

From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

Some mounts must be skipped if running inside a user namespace,
since the kernel forbids their use. Instead of strcmp'ing the
filesystem type in the body of the loop, set an explicit flag
in the lxcBasicMounts table.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 src/lxc/lxc_container.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 46a6246..992930d 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -755,15 +755,16 @@ typedef struct {
     const char *dst;
     const char *type;
     int mflags;
+    bool skipUserNS;
 } virLXCBasicMountInfo;
 
 static const virLXCBasicMountInfo lxcBasicMounts[] = {
-    { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV },
-    { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY },
-    { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
-    { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
+    { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false },
+    { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false },
+    { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false },
+    { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true },
 #if WITH_SELINUX
-    { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
+    { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true },
 #endif
 };
 
@@ -857,12 +858,14 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
 
 #if WITH_SELINUX
         if (STREQ(mnt->src, SELINUX_MOUNT) &&
-            (!is_selinux_enabled() || userns_enabled))
+            !is_selinux_enabled())
             continue;
 #endif
 
-        if (STREQ(mnt->src, "securityfs") && userns_enabled)
+        if (mnt->skipUserNS && userns_enabled) {
+            VIR_DEBUG("Skipping due to user ns enablement");
             continue;
+        }
 
         if (virFileMakePath(mnt->dst) < 0) {
             virReportSystemError(errno,
-- 
1.8.3.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list







