[lxc-devel] problem with user namespace as root
Michael H. Warfield
mhw at WittsEnd.com
Fri Feb 14 18:21:23 UTC 2014
On Wed, 2014-02-12 at 11:42 -0600, Serge Hallyn wrote:
> Quoting Stephan Sachse (ste.sachse at gmail.com):
> > OK, maybe like this. But I need the in_userns()... how can I detect if
> > I run in a userns?
> Looks good. The easiest way actually might be to just try the mknod,
> and if you get EPERM||EACCESS then try create+bind-mount.
Actually, with a slight rework of his code to incorporate it into the
existing ret check from the mknod, I would suggest this (which also
includes the minor fix to my DEBUG statement in mount_autodev):
--
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 0de189f..19608e4 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1376,7 +1376,7 @@ static int mount_autodev(const char *name, char *root, const char *lxcpath)
} else {
/* Only mount a tmpfs on here if we don't already a mount */
if ( ! mount_check_fs( host_path, NULL ) ) {
- DEBUG("Mounting tmpfs to %s", host_path );
+ DEBUG("Mounting tmpfs to %s", path );
ret = mount("none", path, "tmpfs", 0, "size=100000,mode=755");
} else {
/* This allows someone to manually set up a mount */
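Review bot: the DEBUG message now names `path`, which is the target actually passed to `mount("none", path, "tmpfs", ...)` on the following line, so the log line matches the action taken; the guard just above, `if ( ! mount_check_fs( host_path, NULL ) )`, still inspects `host_path` while the tmpfs lands on `path`, so it is worth confirming the two refer to the same location. The context comment `if we don't already a mount` is also missing a word (`have`).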
@@ -1428,6 +1428,7 @@ static int setup_autodev(const char *root)
{
int ret;
char path[MAXPATHLEN];
+ char src[MAXPATHLEN];
int i;
mode_t cmask;
@@ -1448,8 +1449,19 @@ static int setup_autodev(const char *root)
return -1;
ret = mknod(path, d->mode, makedev(d->maj, d->min));
if (ret && errno != EEXIST) {
- SYSERROR("Error creating %s", d->name);
- return -1;
+ ret = creat(path, 0440);
+ if (ret==-1 && errno != EEXIST) {
+ SYSERROR("error creating %s\n", path);
+ return -1;
+ }
+ ret = snprintf(src, MAXPATHLEN, "/dev/%s", d->name);
+ if (ret < 0 || ret >= MAXPATHLEN)
+ return -1;
+
+ if (mount(src, path, "none", MS_BIND, NULL)) {
+ SYSERROR("failed to mount '%s'->'%s'", src, path);
+ return -1;
+ }
}
}
umask(cmask);
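Review bot: `ret = creat(path, 0440);` stores an open file descriptor that is never closed, so every fallback leaks one descriptor in the setup process; close it (for example `if (ret != -1) close(ret);`) or keep it in a separate `fd` variable, since `ret` is immediately reused for the snprintf result. Two smaller points: the fallback now runs for any mknod failure other than EEXIST rather than only the EPERM/EACCES case described in the reply, so an unrelated failure such as ENOENT would surface as a bind-mount error on `src` instead of as the original mknod error; and `SYSERROR("error creating %s\n", path)` carries a trailing `\n` and lower-case wording that the call it replaces (`"Error creating %s"`) did not. Because the bind mount exposes the host's `/dev/<name>` node inside the container, the list this loop iterates over is what bounds what an unprivileged container can reach, so it deserves a comment to that effect.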
--
Doesn't hurt if we give it a shot, regardless of the mknod failure as
long as it's not EEXIST.
Mike
> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > index 81dcb42..a056935 100644
> > --- a/src/lxc/conf.c
> > +++ b/src/lxc/conf.c
> > @@ -1396,6 +1396,7 @@ static int setup_autodev(const char *root)
> > {
> > int ret;
> > char path[MAXPATHLEN];
> > + char src[MAXPATHLEN];
> > int i;
> > mode_t cmask;
> >
> > @@ -1414,10 +1415,27 @@ static int setup_autodev(const char *root)
> > ret = snprintf(path, MAXPATHLEN, "%s/dev/%s", root, d->name);
> > if (ret < 0 || ret >= MAXPATHLEN)
> > return -1;
> > - ret = mknod(path, d->mode, makedev(d->maj, d->min));
> > - if (ret && errno != EEXIST) {
> > - SYSERROR("Error creating %s\n", d->name);
> > - return -1;
> > + if (in_userns()) {
> > + ret = creat(path, 0440);
> > + if (ret==-1 && errno != EEXIST) {
> > + SYSERROR("error creating %s\n", path);
> > + return -1;
> > + }
> > +
> > + ret = snprintf(src, MAXPATHLEN, "/dev/%s" d->name);
> > + if (ret < 0 || ret >= MAXPATHLEN)
> > + return -1;
> > +
> > + if (mount(src, path, "none", MS_BIND, NULL)) {
> > + SYSERROR("failed to mount '%s'->'%s'",
> > src, path);
> > + return -1
> > + }
> > + } else {
> > + ret = mknod(path, d->mode, makedev(d->maj, d->min));
> > + if (ret && errno != EEXIST) {
> > + SYSERROR("Error creating %s\n", d->name);
> > + return -1;
> > + }
> > }
> > }
> > umask(cmask);
> >
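Review bot: this hunk does not compile as quoted: `ret = snprintf(src, MAXPATHLEN, "/dev/%s" d->name);` is missing the comma between the format string and `d->name`, and the `return -1` in the mount-failure branch is missing its semicolon. Beyond that, `in_userns()` is not defined anywhere in the patch (the question raised in the reply), and `ret = creat(path, 0440);` leaves the returned descriptor open because `ret` is overwritten by the following snprintf without a `close()`.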
> > --
> > Software is like sex, it's better when it's free!
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
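The mknod-then-fallback step the thread converges on, written out as a stand-alone C example. This is added here and is not the lxc code from either patch above: the names `dev_entry`, `dev_fallback_wanted()`, `build_dev_path()` and `create_dev_node()` are this example's own, and the `MAXPATHLEN` default is assumed when the platform does not define it. It differs from the posted hunks in three ways worth noting: the fallback is taken only when mknod() fails with EPERM or EACCES (Serge's condition), the descriptor returned by creat() is closed, and the bind mount is attempted only after the placeholder exists. Creating a character device node needs CAP_MKNOD and the bind mount needs CAP_SYS_ADMIN in the mount namespace, so run as an unprivileged user the program reports the failure rather than succeeding.

```c
/* Added example, not code from the lxc patches in this thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 4096   /* assumed default when the platform lacks it */
#endif

/* One device node to create; mirrors the fields the patch reads from d->. */
struct dev_entry {
    const char *name;   /* basename under /dev, e.g. "null" */
    mode_t mode;        /* S_IFCHR | permission bits */
    unsigned int maj;
    unsigned int min;
};

/* Fall back to creat()+bind mount only when mknod() was refused for lack
 * of privilege (the user-namespace case). EEXIST is handled by the caller;
 * any other errno is a genuine error and must not be papered over. */
int dev_fallback_wanted(int err)
{
    return err == EPERM || err == EACCES;
}

/* Build "<root>/dev/<name>" into buf. Returns 0, or -1 if it does not fit. */
int build_dev_path(char *buf, size_t size, const char *root, const char *name)
{
    int ret = snprintf(buf, size, "%s/dev/%s", root, name);
    if (ret < 0 || (size_t)ret >= size)
        return -1;
    return 0;
}

/* Create one node under root. Returns 0 on success, -1 on failure. */
int create_dev_node(const char *root, const struct dev_entry *d)
{
    char path[MAXPATHLEN], src[MAXPATHLEN];
    int fd, ret;

    if (build_dev_path(path, sizeof(path), root, d->name) < 0)
        return -1;

    /* Privileged path: a real device node, or one that is already there. */
    if (mknod(path, d->mode, makedev(d->maj, d->min)) == 0 || errno == EEXIST)
        return 0;

    if (!dev_fallback_wanted(errno)) {
        perror(path);        /* e.g. ENOENT: report the mknod error itself */
        return -1;
    }

    /* Placeholder regular file; the bind mount will cover its contents. */
    fd = creat(path, 0440);
    if (fd == -1) {
        perror(path);
        return -1;
    }
    close(fd);               /* the patch left this descriptor open */

    /* Expose the host's node of the same name inside the container root. */
    ret = snprintf(src, sizeof(src), "/dev/%s", d->name);
    if (ret < 0 || (size_t)ret >= sizeof(src))
        return -1;
    if (mount(src, path, "none", MS_BIND, NULL) != 0) {
        perror(src);
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample entry; root defaults to a scratch directory. */
    const struct dev_entry null_dev = { "null", S_IFCHR | 0666, 1, 3 };
    const char *root = argc > 1 ? argv[1] : "/tmp/rootfs";
    return create_dev_node(root, &null_dev) == 0 ? 0 : 1;
}
```

The helper split is deliberate: `dev_fallback_wanted()` and `build_dev_path()` carry the decisions that can be checked without privilege, while `create_dev_node()` holds the two privileged calls, so the errno gating and the path-length check can be exercised in a test even where mknod() and mount() cannot.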