[lxc-devel] [PATCH] Fix to work lxc-destroy with unprivileged containers on recent kernel
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Jun 30 14:46:40 UTC 2014
Quoting KATOH Yasufumi (karma at jazz.email.ne.jp):
> Hi,
>
> I applied this patch and test. lxc-destroy work fine. :-)
>
> >>> On Sat, 28 Jun 2014 18:39:54 +0900
> in message "[lxc-devel] [PATCH] Fix to work lxc-destroy with unprivileged containers on recent kernel"
> TAMUKI Shoichi-san wrote:
>
> > Change idmap_add_id() to add both ID_TYPE_UID and ID_TYPE_GID entries
> > to an existing lxc_conf, not just an ID_TYPE_UID entry, so as to work
> > lxc-destroy with unprivileged containers on recent kernel.
>
> > Signed-off-by: TAMUKI Shoichi <tamuki at linet.gr.jp>
>
> Acked-by: KATOH Yasufumi <karma at jazz.email.ne.jp>
Thanks again!
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> > ---
> > src/lxc/conf.c | 49 ++++++++++++++++++++++++++++++++++---------------
> > 1 file changed, 34 insertions(+), 15 deletions(-)
>
> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > index df2f7cc..70f57af 100644
> > --- a/src/lxc/conf.c
> > +++ b/src/lxc/conf.c
> > @@ -4508,14 +4508,14 @@ static int run_userns_fn(void *data)
> > }
>
> > /*
> > - * Add a ID_TYPE_UID entry to an existing lxc_conf, if it is not
> > - * alread there.
> > - * We may want to generalize this to do gids as well as uids, but right now
> > - * it's not necessary.
> > + * Add ID_TYPE_UID/ID_TYPE_GID entries to an existing lxc_conf,
> > + * if they are not already there.
> > */
> > -static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
> > +static struct lxc_list *idmap_add_id(struct lxc_conf *conf,
> > + uid_t uid, gid_t gid)
> > {
> > - int hostid_mapped = mapped_hostid(uid, conf, ID_TYPE_UID);
> > + int hostuid_mapped = mapped_hostid(uid, conf, ID_TYPE_UID);
> > + int hostgid_mapped = mapped_hostid(gid, conf, ID_TYPE_GID);
> > struct lxc_list *new = NULL, *tmp, *it, *next;
> > struct id_map *entry;
>
> > @@ -4526,9 +4526,9 @@ static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
> > }
> > lxc_list_init(new);
>
> > - if (hostid_mapped < 0) {
> > - hostid_mapped = find_unmapped_nsuid(conf, ID_TYPE_UID);
> > - if (hostid_mapped < 0)
> > + if (hostuid_mapped < 0) {
> > + hostuid_mapped = find_unmapped_nsuid(conf, ID_TYPE_UID);
> > + if (hostuid_mapped < 0)
> > goto err;
> > tmp = malloc(sizeof(*tmp));
> > if (!tmp)
> > @@ -4540,8 +4540,27 @@ static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
> > }
> > tmp->elem = entry;
> > entry->idtype = ID_TYPE_UID;
> > - entry->nsid = hostid_mapped;
> > - entry->hostid = (unsigned long)uid;
> > + entry->nsid = hostuid_mapped;
> > + entry->hostid = (unsigned long) uid;
> > + entry->range = 1;
> > + lxc_list_add_tail(new, tmp);
> > + }
> > + if (hostgid_mapped < 0) {
> > + hostgid_mapped = find_unmapped_nsuid(conf, ID_TYPE_GID);
> > + if (hostgid_mapped < 0)
> > + goto err;
> > + tmp = malloc(sizeof(*tmp));
> > + if (!tmp)
> > + goto err;
> > + entry = malloc(sizeof(*entry));
> > + if (!entry) {
> > + free(tmp);
> > + goto err;
> > + }
> > + tmp->elem = entry;
> > + entry->idtype = ID_TYPE_GID;
> > + entry->nsid = hostgid_mapped;
> > + entry->hostid = (unsigned long) gid;
> > entry->range = 1;
> > lxc_list_add_tail(new, tmp);
> > }
> > @@ -4563,7 +4582,7 @@ static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
> > return new;
>
> > err:
> > - ERROR("Out of memory building a new uid map");
> > + ERROR("Out of memory building a new uid/gid map");
> > if (new)
> > lxc_free_idmap(new);
> > free(new);
> > @@ -4572,7 +4591,7 @@ err:
>
> > /*
> > * Run a function in a new user namespace.
> > - * The caller's euid will be mapped in if it is not already.
> > + * The caller's euid/egid will be mapped in if it is not already.
> > */
> > int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
> > {
> > @@ -4597,8 +4616,8 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
> > close(p[0]);
> > p[0] = -1;
>
> > - if ((idmap = idmap_add_id(conf, geteuid())) == NULL) {
> > - ERROR("Error adding self to container uid map");
> > + if ((idmap = idmap_add_id(conf, geteuid(), getegid())) == NULL) {
> > + ERROR("Error adding self to container uid/gid map");
> > goto err;
> > }
>
> > --
> > 1.9.0
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
More information about the lxc-devel
mailing list