[lxc-devel] [lxc/lxc] 268186: attach: use ns_info[LXC_NS_MAX] struct
GitHub
noreply at github.com
Sun Nov 20 06:11:25 UTC 2016
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: 2681861894e7e64b5b740831c4e937db0b9a914a
https://github.com/lxc/lxc/commit/2681861894e7e64b5b740831c4e937db0b9a914a
Author: Christian Brauner <christian.brauner at canonical.com>
Date: 2016-11-20 (Sun, 20 Nov 2016)
Changed paths:
M src/lxc/attach.c
Log Message:
-----------
attach: use ns_info[LXC_NS_MAX] struct
Using custom structs in attach.c risks getting out of sync with the commonly
used ns_info[LXC_NS_MAX] struct and thus attaching to wrong namespaces. Switch
to using ns_info[LXC_NS_MAX].
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
Commit: 29ed9c13ac360aa5b053f935cee09ef62619ee20
https://github.com/lxc/lxc/commit/29ed9c13ac360aa5b053f935cee09ef62619ee20
Author: Christian Brauner <christian.brauner at canonical.com>
Date: 2016-11-20 (Sun, 20 Nov 2016)
Changed paths:
M src/lxc/namespace.c
M src/lxc/namespace.h
Log Message:
-----------
namespace: always attach to user namespace first
Move the user namespace to the first position in the array so that we always
attach to it first when iterating over the struct and using setns() to switch
namespaces. This especially affects lxc_attach(): Suppose you cloned a new user
namespace and mount namespace as an unprivileged user on the host and want to
setns() to the mount namespace. This requires you to attach to the user
namespace first, otherwise the kernel will fail this check:

    if (!ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN) ||
        !ns_capable(current_user_ns(), CAP_SYS_CHROOT) ||
        !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
            return -EPERM;

in linux/fs/namespace.c:mntns_install().
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
Commit: b8ca2bc7c9e06d77a9b64f0fb5c425a37af22f0f
https://github.com/lxc/lxc/commit/b8ca2bc7c9e06d77a9b64f0fb5c425a37af22f0f
Author: Stéphane Graber <stgraber at stgraber.org>
Date: 2016-11-20 (Sun, 20 Nov 2016)
Changed paths:
M src/lxc/attach.c
M src/lxc/namespace.c
M src/lxc/namespace.h
Log Message:
-----------
Merge pull request #1308 from brauner/2016-11-20/use_ns_info_struct
use ns info struct and always attach to user namespace first
Compare: https://github.com/lxc/lxc/compare/88a66d011255...b8ca2bc7c9e0
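
Added example, not code from the LXC tree or from the commits above: a C illustration of the ordering the second commit message describes, where the namespace table lists "user" first and setns() is called in table order. The table, the enum, and the function names plan_attach() and attach_to() are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>

int setns(int fd, int nstype); /* also prototyped here: glibc declares it only under _GNU_SOURCE */

/* Hypothetical table for this example, not LXC's ns_info[]: array order is
 * attach order, so "user" sits at index 0. */
enum { NS_USER, NS_MNT, NS_PID, NS_UTS, NS_IPC, NS_NET, NS_MAX };
static const char *const ns_name[NS_MAX] = { "user", "mnt", "pid", "uts", "ipc", "net" };

/* Fill out[] with the namespaces selected by mask (bit i = ns_name[i]),
 * in attach order, and return how many were selected. */
int plan_attach(unsigned mask, const char *out[NS_MAX])
{
    int n = 0;
    for (int i = 0; i < NS_MAX; i++)
        if (mask & (1u << i))
            out[n++] = ns_name[i];
    return n;
}

/* Join the selected namespaces of pid. Returns 0 on success, -1 on failure. */
int attach_to(pid_t pid, unsigned mask)
{
    const char *plan[NS_MAX];
    char path[64];
    int fd[NS_MAX], n = plan_attach(mask, plan), i, ret = 0;

    /* Open every handle before the first setns(): once the mount namespace
     * changes, /proc may be a different mount. */
    for (i = 0; i < n; i++) {
        snprintf(path, sizeof(path), "/proc/%d/ns/%s", (int)pid, plan[i]);
        if ((fd[i] = open(path, O_RDONLY | O_CLOEXEC)) < 0) {
            while (i-- > 0)
                close(fd[i]);
            return -1;
        }
    }
    /* "user" is joined first, so the mntns_install() check from the commit
     * message runs with capabilities held in the target's user namespace. */
    for (i = 0; i < n; i++) {
        if (ret == 0 && setns(fd[i], 0) < 0)
            ret = -1;   /* stop joining, keep closing */
        close(fd[i]);
    }
    return ret;
}
```

The caller's mask order does not matter: selecting mount and user namespaces in any combination still yields "user" before "mnt".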