[lxc-devel] [lxc/lxc] 91e93c: lxc: don't call pivot_root if / is on a ramfs
GitHub
noreply at github.com
Wed Oct 8 16:32:36 UTC 2014
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: 91e93c71c7487bce07eada582397af1104d64a8e
https://github.com/lxc/lxc/commit/91e93c71c7487bce07eada582397af1104d64a8e
Author: Andrey Vagin <avagin at gmail.com>
Date: 2014-10-08 (Wed, 08 Oct 2014)
Changed paths:
M src/lxc/conf.c
Log Message:
-----------
lxc: don't call pivot_root if / is on a ramfs
pivot_root can't be called if / is on a ramfs. Currently chroot is
called before pivot_root. In this case the standard well-known
'chroot escape' technique allows escaping a container.
I think the best way to handle this situation is to take the following actions:
* clean all mounts, which should not be visible in CT
* move CT's rootfs into /
* make chroot into /
I don't have a host where / is on a ramfs, so I can't test this patch.
Signed-off-by: Andrey Vagin <avagin at openvz.org>
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
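The three steps listed in the commit message, written out in C as an added example: this is not LXC's code and not part of the commit above. It assumes a hypothetical container rootfs already mounted at an absolute path such as /var/lib/lxc/c1/rootfs, and substitutes a constructed mountinfo sample for /proc/self/mountinfo. One choice made here that the commit message does not spell out: besides "/" and the rootfs subtree, the mounts the rootfs sits under are also kept, because umount2(MNT_DETACH) on a parent mount detaches its submounts along with it. The privileged part needs CAP_SYS_ADMIN and CAP_SYS_CHROOT and is Linux-only.

```c
/* Added example, not LXC's code: the commit's three-step fallback for a host whose
 * "/" is a ramfs, where pivot_root() is unavailable. Assumes the container rootfs
 * is already mounted at an absolute path such as /var/lib/lxc/c1/rootfs. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/mount.h>
#endif
enum { MAX_MOUNTS = 64, PATH_MAX_LEN = 256 };

/* Decode the octal escapes (\040 = space, \011 = tab) mountinfo uses in paths. */
static void unescape_mountinfo(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in && o + 1 < outlen; o++) {
        int oct = in[0] == '\\' && in[1] >= '0' && in[1] <= '7' &&
                  in[2] >= '0' && in[2] <= '7' && in[3] >= '0' && in[3] <= '7';
        out[o] = oct ? (char)(((in[1] - '0') << 6) | ((in[2] - '0') << 3) | (in[3] - '0')) : *in;
        in += oct ? 4 : 1;
    }
    out[o] = '\0';
}

/* True if path equals prefix or lies below it, comparing whole path components. */
static int under_path(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    return !strcmp(prefix, "/") || (!strncmp(path, prefix, n) && (path[n] == '\0' || path[n] == '/'));
}

/* qsort order: deepest mount point first, so a submount precedes its parent. */
static int by_depth_desc(const void *a, const void *b)
{
    size_t la = strlen(a), lb = strlen(b);
    return la != lb ? (la > lb ? -1 : 1) : strcmp(a, b);
}

/* Step 1: select, from mountinfo text, the mounts that must not be visible in the
 * container: everything except "/", the rootfs subtree and the rootfs's ancestors
 * (a lazy detach of an ancestor takes its submounts, the rootfs included, with it). */
int mounts_to_detach(const char *mountinfo, const char *rootfs,
                     char out[][PATH_MAX_LEN], int max)
{
    int n = 0;
    for (const char *p = mountinfo; *p && n < max; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512], raw[PATH_MAX_LEN], mp[PATH_MAX_LEN];
        snprintf(line, sizeof line, "%.*s", (int)len, p);
        p += nl ? len + 1 : len;
        /* fields: id parent major:minor root mountpoint options ... */
        if (sscanf(line, "%*s %*s %*s %*s %255s", raw) != 1)
            continue;
        unescape_mountinfo(raw, mp, sizeof mp);
        if (!strcmp(mp, "/") || under_path(mp, rootfs) || under_path(rootfs, mp))
            continue;
        snprintf(out[n++], PATH_MAX_LEN, "%s", mp);
    }
    qsort(out, (size_t)n, PATH_MAX_LEN, by_depth_desc);   /* deepest first */
    return n;
}

/* Constructed sample of /proc/self/mountinfo on a ramfs-rooted host, not a capture. */
static const char SAMPLE_MOUNTINFO[] =
    "22 26 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw\n"
    "24 26 0:20 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw\n"
    "26 0 0:21 / / rw,relatime shared:1 - ramfs ramfs rw\n"
    "27 26 8:1 / /var rw,relatime shared:20 - ext4 /dev/sda1 rw\n"
    "28 27 8:1 /lib/lxc/c1/rootfs /var/lib/lxc/c1/rootfs rw,relatime shared:20 - ext4 /dev/sda1 rw\n"
    "29 28 0:22 / /var/lib/lxc/c1/rootfs/proc rw,relatime shared:25 - proc proc rw\n"
    "30 26 0:23 / /mnt/my\\040share rw,relatime shared:30 - nfs srv:/export rw\n";

/* Steps 1-3 for real (needs CAP_SYS_ADMIN and CAP_SYS_CHROOT): 0 on success, else
 * -1 with errno set; ENOSYS off Linux. */
int chroot_without_pivot(const char *rootfs)
{
#ifdef __linux__
    static char info[1 << 16], victims[MAX_MOUNTS][PATH_MAX_LEN];
    if (rootfs[0] != '/') { errno = EINVAL; return -1; } /* relative paths break after chdir */
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f)
        return -1;
    info[fread(info, 1, sizeof info - 1, f)] = '\0'; fclose(f);
    if (chdir(rootfs) < 0)                            /* pin cwd inside the rootfs mount */
        return -1;
    int n = mounts_to_detach(info, rootfs, victims, MAX_MOUNTS);
    for (int i = 0; i < n; i++)                       /* step 1: lazily detach host mounts */
        if (umount2(victims[i], MNT_DETACH) < 0 && errno != EINVAL && errno != ENOENT)
            return -1;
    if (mount(rootfs, "/", NULL, MS_MOVE, NULL) < 0)  /* step 2: move the rootfs onto "/" */
        return -1;
    if (chroot(".") < 0)                              /* step 3: "." is the moved rootfs */
        return -1;
    return chdir("/");
#else
    (void)rootfs; errno = ENOSYS; return -1;
#endif
}
```

Without root only mounts_to_detach() can be exercised; run against the sample with rootfs /var/lib/lxc/c1/rootfs it yields "/mnt/my share", "/dev/pts" and "/proc" in that order, keeping "/", /var, the rootfs and the proc mount below it. chdir(rootfs) before the MS_MOVE is what makes chroot(".") land in the moved rootfs rather than the ramfs.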
Commit: 9a64d3cf9fae39337943174fd7d680a62bade2fa
https://github.com/lxc/lxc/commit/9a64d3cf9fae39337943174fd7d680a62bade2fa
Author: Serge Hallyn <serge.hallyn at ubuntu.com>
Date: 2014-10-08 (Wed, 08 Oct 2014)
Changed paths:
M src/tests/lxc-test-unpriv
Log Message:
-----------
lxc-test-unpriv: don't clear out /etc/lxc/lxc-usernet
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Compare: https://github.com/lxc/lxc/compare/956f113bf0c3...9a64d3cf9fae