From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>

If we enable userns, we could bind mount some dirs from host to guest, which don't belong to the target mapped uid/gid. Such as we could bind mount root's dirs to guest. What is worse, we could even modify root's files in that bind dir inside container. So if we couldn't know the dir's ownership(without a proper uid/gid mapping), don't mount it.

Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
---
v2: add more description

src/lxc/lxc_container.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 255c711..4cf209e 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -96,6 +96,8 @@ typedef char lxc_message_t;
 #define LXC_CONTINUE_MSG 'c'
+#define OVERFLOW_UGID 65534
+
 typedef struct __lxc_child_argv lxc_child_argv_t;
 struct __lxc_child_argv {
 virDomainDefPtr config;
@@ -1073,6 +1075,22 @@ static int lxcContainerMountFSBind(virDomainFSDefPtr fs,
 if (virAsprintf(&src, "%s%s", srcprefix, fs->src) < 0)
 goto cleanup;
+ if (stat(src, &st) < 0) {
+ virReportSystemError(errno, _("Unable to stat bind source %s"),
+ src);
+ goto cleanup;
+ } else {
+ if (OVERFLOW_UGID == st.st_uid || OVERFLOW_UGID == st.st_gid) {
+ errno = EPERM;
+ VIR_DEBUG("Unknown st_uid %d, st_gid %d for %s",
+ st.st_uid, st.st_gid, fs->src);
+ virReportSystemError(errno,
+ _("Check the permission of src dir '%s' provided for container")
+ ,fs->src);
+ goto cleanup;
+ }
+ }
+
 if (stat(fs->dst, &st) < 0) {
 if (errno != ENOENT) {
 virReportSystemError(errno, _("Unable to stat bind target %s"),
-- 
1.8.2.1

-- 
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
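Review bot: The gate at `if (OVERFLOW_UGID == st.st_uid || OVERFLOW_UGID == st.st_gid)` keys on a hard-coded 65534, but the id the kernel substitutes for an unmapped owner is a tunable (/proc/sys/kernel/overflowuid and overflowgid), so on a host where it was changed an unmapped owner passes the check, while a directory genuinely owned by uid or gid 65534 ("nobody" on many distributions) is refused even when that id lies inside the container's mapping. Checking st_uid and st_gid against the domain's configured uid/gid map ranges instead — refuse when either falls outside every range — would express the intent directly and not depend on the sysctl default; that needs the domain definition passed into lxcContainerMountFSBind, whose signature begins in the hunk header but otherwise lies outside the hunk, and the stat result only describes the top-level source, not files beneath it. The VIR_DEBUG format does not match its arguments, since st_uid and st_gid are unsigned on Linux: `VIR_DEBUG("Unknown st_uid %u, st_gid %u for %s", st.st_uid, st.st_gid, fs->src);`. The stat runs before the mount, so ownership can still change in between; the check is a policy gate and should be documented as such rather than as a guarantee. As a point of style, the `else` after `goto cleanup` is redundant, `errno = EPERM` can be replaced by passing `EPERM` straight to virReportSystemError, and the comma before `fs->src` belongs at the end of the preceding line.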