[lxc-devel] [lxd/master] Fix failure due to bind-mount through /proc

stgraber on Github lxc-bot at linuxcontainers.org
Tue Oct 24 14:32:31 UTC 2017


URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20171024/e642901d/attachment.bin>
From 5205743a080bceb5dde85696f7753e412899863a Mon Sep 17 00:00:00 2001
From: Stéphane Graber <stgraber at ubuntu.com>
Date: Tue, 24 Oct 2017 16:29:46 +0200
Subject: [PATCH] Fix failure due to bind-mount through /proc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The kernel won't allow us to bind-mount stuff through /proc.
Since the main reason for my previous change was to fix /dev handling,
let's just whitelist /dev as safe to read from within the snap, which
should be fine so long as distros use devtmpfs.

Closes #3968

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 shared/util.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/shared/util.go b/shared/util.go
index e97b2db09..e84eaeb26 100644
--- a/shared/util.go
+++ b/shared/util.go
@@ -137,16 +137,12 @@ func HostPath(path string) string {
 	}
 
 	// Check if the path is already snap-aware
-	for _, prefix := range []string{"/snap", "/var/snap", "/var/lib/snapd"} {
+	for _, prefix := range []string{"/dev", "/snap", "/var/snap", "/var/lib/snapd"} {
 		if strings.HasPrefix(path, prefix) {
 			return path
 		}
 	}
 
-	if os.Geteuid() == 0 {
-		return fmt.Sprintf("/proc/1/root%s", path)
-	}
-
 	return fmt.Sprintf("/var/lib/snapd/hostfs%s", path)
 }
 
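Review bot: the prefix loop in HostPath matches with strings.HasPrefix and no directory-boundary check, so with "/dev" added to the list a host path such as "/development/foo" or "/devices" is now returned untranslated instead of being rewritten under /var/lib/snapd/hostfs (the same weakness already existed for "/snapshots" against "/snap"). Suggest matching on `path == prefix || strings.HasPrefix(path, prefix+"/")` instead. Separately, removing the `os.Geteuid() == 0` branch means every caller now goes through /var/lib/snapd/hostfs, so if nothing else in shared/util.go uses the `os` package the import becomes unused and the build fails; worth confirming. A one-line comment above the loop saying why /dev is left alone (devtmpfs, per the commit message) would also help the next reader, since nothing in the code itself records that assumption.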


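To make the path-translation rule in the commit message concrete, here is a stand-alone Go illustration written for this page; it is not code from the lxd tree. It keeps the patch's hostfs root (/var/lib/snapd/hostfs) and its list of snap-aware prefixes, but the function and helper names, the relative-path handling, the `filepath.Clean` step and the directory-boundary-aware prefix check are my additions, and the example assumes it is only ever called from inside the snap's mount namespace (the real HostPath has earlier checks not shown in the hunk).

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// hostfsRoot is where snapd exposes the host's root filesystem to a
// classic snap; the value is taken from the patch above.
const hostfsRoot = "/var/lib/snapd/hostfs"

// snapAwarePrefixes are trees that are already visible unchanged inside
// the snap (/dev via devtmpfs, the rest via snapd's own mounts), so paths
// under them must not be redirected through hostfsRoot. List as in the patch.
var snapAwarePrefixes = []string{"/dev", "/snap", "/var/snap", "/var/lib/snapd"}

// hasPathPrefix reports whether path is prefix itself or lies below it.
// Unlike strings.HasPrefix it respects directory boundaries, so
// "/development" is not treated as being under "/dev". (Added helper.)
func hasPathPrefix(path, prefix string) bool {
	prefix = strings.TrimRight(prefix, "/")
	return path == prefix || strings.HasPrefix(path, prefix+"/")
}

// hostPath rewrites an absolute host-side path so it can be opened from
// inside the snap. Relative paths are returned as-is (assumption: the
// caller resolves them itself), ".." components are collapsed first so a
// crafted path cannot step back out of hostfsRoot, and snap-aware trees
// are returned untouched.
func hostPath(path string) string {
	if !strings.HasPrefix(path, "/") {
		return path
	}
	clean := filepath.Clean(path)
	for _, prefix := range snapAwarePrefixes {
		if hasPathPrefix(clean, prefix) {
			return clean
		}
	}
	return hostfsRoot + clean
}

func main() {
	// Constructed sample inputs, not taken from any real system.
	for _, p := range []string{
		"/etc/hosts",
		"/dev/zfs",
		"/development/foo",
		"/var/lib/snapd/hostfs/etc/hosts",
		"/etc/../root/.ssh/id_rsa",
		"relative/path",
	} {
		fmt.Printf("%-36s -> %s\n", p, hostPath(p))
	}
}
```

The point of `hasPathPrefix` is that a bare `strings.HasPrefix(path, "/dev")` silently exempts `/development` or `/devices` from translation, which means a caller asking for a host file under such a directory would be handed the snap's own copy instead; matching on the prefix plus a separator closes that gap without changing the behaviour for the intended trees.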