[lxc-devel] [lxc/lxc] 3e04a6: autodev: adapt to changes in Linux 4.18

GitHub noreply at github.com
Fri Jun 29 16:29:01 UTC 2018


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 3e04a6083eefe0b837db6d1b826721fd985ce052
      https://github.com/lxc/lxc/commit/3e04a6083eefe0b837db6d1b826721fd985ce052
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2018-06-29 (Fri, 29 Jun 2018)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  autodev: adapt to changes in Linux 4.18

Starting with commit
55956b59df33 ("vfs: Allow userns root to call mknod on owned filesystems.")
Linux will allow mknod() in user namespaces for userns root if CAP_MKNOD is
available.
However, these device nodes are useless since

static struct super_block *alloc_super(struct file_system_type *type, int flags,
                                       struct user_namespace *user_ns)
{
        /* <snip> */
        if (s->s_user_ns != &init_user_ns)
                s->s_iflags |= SB_I_NODEV;
        /* <snip> */
}

will set the SB_I_NODEV flag on the filesystem. When a device node created in
non-init userns is open()ed the call chain will hit:

bool may_open_dev(const struct path *path)
{
        return !(path->mnt->mnt_flags & MNT_NODEV) &&
               !(path->mnt->mnt_sb->s_iflags & SB_I_NODEV);
}

which will cause an EPERM because the device node is located on an fs
owned by non-init-userns and thus doesn't grant access to device nodes due to
SB_I_NODEV.

The solution is straightforward. Unless you're real root you should bind-mount
device nodes.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: bb9f9cede7f934b9f0bd7b7a5551ceb40b9a62d0
      https://github.com/lxc/lxc/commit/bb9f9cede7f934b9f0bd7b7a5551ceb40b9a62d0
  Author: Stéphane Graber <stgraber at stgraber.org>
  Date:   2018-06-29 (Fri, 29 Jun 2018)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  Merge pull request #2438 from brauner/2018-06-29/linux-v4.18

autodev: adapt to changes in Linux 4.18


Compare: https://github.com/lxc/lxc/compare/4c08bd46b96e...bb9f9cede7f9
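
The rule from the first commit message ("unless you're real root you should bind-mount device nodes"), as an added example that is not LXC's code from src/lxc/conf.c. The function names, the /tmp/null-demo target and the uid_map identity-mapping heuristic for detecting the initial user namespace are assumptions of this sketch.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Heuristic (assumption): init userns maps the full 32-bit range onto itself. */
bool uid_map_is_init_userns(const char *line)
{
	unsigned long long inside, outside, count;
	if (sscanf(line, "%llu %llu %llu", &inside, &outside, &count) != 3)
		return false;
	return inside == 0 && outside == 0 && count == 4294967295ULL;
}

/* "Real root": euid 0 and the first uid_map line is the init userns mapping. */
bool is_real_root(void)
{
	char line[128];
	FILE *f = fopen("/proc/self/uid_map", "r");
	bool init = f && fgets(line, sizeof(line), f) && uid_map_is_init_userns(line);
	if (f)
		fclose(f);
	return geteuid() == 0 && init;
}

/* Real root may mknod(); anyone else bind-mounts the host's node, since a node
 * created on a filesystem owned by a non-init userns fails may_open_dev(). */
int provide_chardev(const char *host_node, const char *target, dev_t dev, bool real_root)
{
	int fd;
	if (real_root)
		return mknod(target, S_IFCHR | 0666, dev);
	fd = open(target, O_CREAT | O_WRONLY | O_CLOEXEC, 0644); /* empty file as mount point */
	if (fd < 0)
		return -1;
	close(fd);
	return mount(host_node, target, NULL, MS_BIND, NULL);
}

int main(void)
{
	/* Constructed demo target; /dev/null is char device 1:3. */
	return provide_chardev("/dev/null", "/tmp/null-demo", makedev(1, 3), is_real_root()) ? 1 : 0;
}
```

A user namespace that was itself given the full identity mapping defeats the heuristic, so a caller should still treat EPERM from open() on a freshly created node as the signal to fall back to the bind mount.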