[lxc-devel] [PATCH v2 lxc 2/2] Added lxc.monitor.unshare

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Nov 30 07:58:53 UTC 2015


If mounts with elevated permissions have to be set up manually,
this can currently only be done in pre-start hooks or before
starting LXC. In both cases the mounts would appear in the
host's namespace.
With this flag the namespace is unshared before the startup
sequence, so that mounts performed in the pre-start hook
don't show up on the host.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
 doc/lxc.container.conf.sgml.in | 12 ++++++++++++
 src/lxc/conf.h                 |  3 +++
 src/lxc/confile.c              | 15 +++++++++++++++
 src/lxc/lxccontainer.c         | 12 ++++++++++++
 4 files changed, 42 insertions(+)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 90ffefa..3b6f698 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1661,6 +1661,18 @@ mknod errno 0
         </varlistentry>
         <varlistentry>
           <term>
+            <option>lxc.monitor.unshare</option>
+          </term>
+          <listitem>
+            <para>
+              If not zero the mount namespace will be unshared from the host
+              before initializing the container (before running any pre-start
+              hooks). Default is 0.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>
             <option>lxc.group</option>
           </term>
           <listitem>
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 1374d4a..b0274ec 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -347,6 +347,9 @@ struct lxc_conf {
 	struct lxc_list groups;
 	int nbd_idx;
 
+	/* unshare the mount namespace in the monitor */
+	int monitor_unshare;
+
 	/* set to true when rootfs has been setup */
 	bool rootfs_setup;
 
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index c2eaaa6..ce6786c 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -103,6 +103,7 @@ static int config_haltsignal(const char *, const char *, struct lxc_conf *);
 static int config_rebootsignal(const char *, const char *, struct lxc_conf *);
 static int config_stopsignal(const char *, const char *, struct lxc_conf *);
 static int config_start(const char *, const char *, struct lxc_conf *);
+static int config_monitor(const char *, const char *, struct lxc_conf *);
 static int config_group(const char *, const char *, struct lxc_conf *);
 static int config_environment(const char *, const char *, struct lxc_conf *);
 static int config_init_cmd(const char *, const char *, struct lxc_conf *);
@@ -173,6 +174,7 @@ static struct lxc_config_t config[] = {
 	{ "lxc.start.auto",           config_start                },
 	{ "lxc.start.delay",          config_start                },
 	{ "lxc.start.order",          config_start                },
+	{ "lxc.monitor.unshare",      config_monitor              },
 	{ "lxc.group",                config_group                },
 	{ "lxc.environment",          config_environment          },
 	{ "lxc.init_cmd",             config_init_cmd             },
@@ -1141,6 +1143,17 @@ static int config_start(const char *key, const char *value,
 	return -1;
 }
 
+static int config_monitor(const char *key, const char *value,
+			  struct lxc_conf *lxc_conf)
+{
+	if(strcmp(key, "lxc.monitor.unshare") == 0) {
+		lxc_conf->monitor_unshare = atoi(value);
+		return 0;
+	}
+	SYSERROR("Unknown key: %s", key);
+	return -1;
+}
+
 static int config_group(const char *key, const char *value,
 		      struct lxc_conf *lxc_conf)
 {
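Review bot: `atoi(value)` in config_monitor silently maps any non-numeric setting (`lxc.monitor.unshare = yes`, `true`, `on`) to 0, so a typo in the one option meant to keep pre-start mounts off the host disables the protection with no diagnostic; parse strictly instead, e.g. `char *end; long v = strtol(value, &end, 10);` then `if (end == value || *end != '\0') { ERROR("invalid value for %s: %s", key, value); return -1; }` and `lxc_conf->monitor_unshare = (int)v;`. If config_start above (outside this hunk) uses the same atoi pattern this is an existing convention, but the failure mode here is security-relevant rather than cosmetic. The `SYSERROR("Unknown key: %s", key)` fallback reports a stale errno, since no system call failed on that path; `ERROR` fits better unless the surrounding handlers deliberately use SYSERROR. Minor style: `if(strcmp(` is missing the space after `if` used elsewhere in the file (`else if (strcmp(` in the later hunk).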
@@ -2483,6 +2496,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv,
 		return lxc_get_conf_int(c, retv, inlen, c->start_delay);
 	else if (strcmp(key, "lxc.start.order") == 0)
 		return lxc_get_conf_int(c, retv, inlen, c->start_order);
+	else if (strcmp(key, "lxc.monitor.unshare") == 0)
+		return lxc_get_conf_int(c, retv, inlen, c->monitor_unshare);
 	else if (strcmp(key, "lxc.group") == 0)
 		return lxc_get_item_groups(c, retv, inlen);
 	else if (strcmp(key, "lxc.seccomp") == 0)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 69816da..2804841 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
 
 	conf->reboot = 0;
 
+	/* Unshare the mount namespace if requested */
+	if (conf->monitor_unshare) {
+		if (unshare(CLONE_NEWNS)) {
+			SYSERROR("failed to unshare mount namespace");
+			return false;
+		}
+		if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) {
+			SYSERROR("Failed to make / rslave at startup");
+			return false;
+		}
+	}
+
 reboot:
 	if (lxc_check_inherited(conf, daemonize, -1)) {
 		ERROR("Inherited fds found");
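Review bot: The `unshare(CLONE_NEWNS)` at the top of the hunk detaches the mount namespace of whichever process is executing do_lxcapi_start, and nothing undoes it; if the daemonize fork happens earlier in the function (outside this hunk) that process is the monitor child, but on a non-daemonized start it is the caller itself — an API consumer or a foreground lxc-start — whose namespace stays unshared for its remaining lifetime, and the option documentation should say so rather than only "before initializing the container". The `mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)` that follows is the necessary complement: with a shared host root (the usual default) the hook's mounts would otherwise still propagate back, so the two calls belong together and the comment should state why, e.g. `/* Unshare the mount namespace and make / rslave so pre-start mounts cannot propagate back to the host */`. A failed `unshare` (presumably the case for a process without CAP_SYS_ADMIN in its user namespace) correctly aborts the start with `false`, which is the safe direction, but it is worth documenting as a requirement of the option. The hunk adds no includes, so confirm the file already has `<sched.h>` with `_GNU_SOURCE` and `<sys/mount.h>` for `unshare`, `CLONE_NEWNS`, `MS_SLAVE` and `MS_REC`. do_lxcapi_start begins and ends outside the hunk.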
-- 
2.1.4



