[lxc-devel] [lxc/lxc] 268186: attach: use ns_info[LXC_NS_MAX] struct

GitHub noreply at github.com
Sun Nov 20 06:11:25 UTC 2016


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 2681861894e7e64b5b740831c4e937db0b9a914a
      https://github.com/lxc/lxc/commit/2681861894e7e64b5b740831c4e937db0b9a914a
  Author: Christian Brauner <christian.brauner at canonical.com>
  Date:   2016-11-20 (Sun, 20 Nov 2016)

  Changed paths:
    M src/lxc/attach.c

  Log Message:
  -----------
  attach: use ns_info[LXC_NS_MAX] struct

Using custom structs in attach.c risks getting out of sync with the commonly
used ns_info[LXC_NS_MAX] struct and thus attaching to wrong namespaces. Switch
to using ns_info[LXC_NS_MAX].

Signed-off-by: Christian Brauner <christian.brauner at canonical.com>


  Commit: 29ed9c13ac360aa5b053f935cee09ef62619ee20
      https://github.com/lxc/lxc/commit/29ed9c13ac360aa5b053f935cee09ef62619ee20
  Author: Christian Brauner <christian.brauner at canonical.com>
  Date:   2016-11-20 (Sun, 20 Nov 2016)

  Changed paths:
    M src/lxc/namespace.c
    M src/lxc/namespace.h

  Log Message:
  -----------
  namespace: always attach to user namespace first

Move the user namespace to the first position in the array so that we always
attach to it first when iterating over the struct and using setns() to switch
namespaces. This especially affects lxc_attach(): Suppose you cloned a new user
namespace and mount namespace as an unprivileged user on the host and want to
setns() to the mount namespace. This requires you to attach to the user
namespace first, otherwise the kernel will fail this check:

    if (!ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN) ||
        !ns_capable(current_user_ns(), CAP_SYS_CHROOT) ||
        !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
            return -EPERM;

in

    linux/fs/namespace.c:mntns_install().

Signed-off-by: Christian Brauner <christian.brauner at canonical.com>


  Commit: b8ca2bc7c9e06d77a9b64f0fb5c425a37af22f0f
      https://github.com/lxc/lxc/commit/b8ca2bc7c9e06d77a9b64f0fb5c425a37af22f0f
  Author: Stéphane Graber <stgraber at stgraber.org>
  Date:   2016-11-20 (Sun, 20 Nov 2016)

  Changed paths:
    M src/lxc/attach.c
    M src/lxc/namespace.c
    M src/lxc/namespace.h

  Log Message:
  -----------
  Merge pull request #1308 from brauner/2016-11-20/use_ns_info_struct

use ns info struct and always attach to user namespace first


Compare: https://github.com/lxc/lxc/compare/88a66d011255...b8ca2bc7c9e0
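
The ordering rule from the second commit message, as an added example that is not LXC's code: a namespace table with the user namespace first, and an attach loop that walks it in array order. The names `ns_entry`, `ns_table`, `plan_attach` and `attach_to` are hypothetical, and the table covers only four namespaces.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER /* headers were pulled in without _GNU_SOURCE */
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#define CLONE_NEWNET  0x40000000
#endif
extern int setns(int fd, int nstype);

/* Hypothetical table for this example: "user" is deliberately at index 0. */
struct ns_entry { const char *proc_name; int clone_flag; };
static const struct ns_entry ns_table[] = {
    { "user", CLONE_NEWUSER }, { "mnt", CLONE_NEWNS },
    { "pid",  CLONE_NEWPID  }, { "net", CLONE_NEWNET },
};
#define NS_COUNT (sizeof(ns_table) / sizeof(ns_table[0]))

/* Fill order[] with the table indices selected by flags, in attach order. */
int plan_attach(int flags, size_t order[NS_COUNT])
{
    int n = 0;
    for (size_t i = 0; i < NS_COUNT; i++)
        if (flags & ns_table[i].clone_flag)
            order[n++] = i;
    return n;
}

/* Open every ns fd before the first setns(), then enter them in table order. */
int attach_to(pid_t pid, int flags)
{
    size_t order[NS_COUNT];
    int fds[NS_COUNT], n = plan_attach(flags, order), ret = 0;
    char path[64];
    for (int i = 0; i < n; i++) {
        snprintf(path, sizeof(path), "/proc/%d/ns/%s", (int)pid, ns_table[order[i]].proc_name);
        fds[i] = open(path, O_RDONLY | O_CLOEXEC);
        if (fds[i] < 0) { while (i-- > 0) close(fds[i]); return -1; }
    }
    for (int i = 0; i < n; i++) {
        if (ret == 0 && setns(fds[i], ns_table[order[i]].clone_flag) < 0)
            ret = -1; /* e.g. EPERM from mntns_install() if "user" was not entered first */
        close(fds[i]);
    }
    return ret;
}
```

Because the attach order comes from the table position and not from the order of bits in `flags`, a caller asking for the mount and user namespaces always enters the user namespace first.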

