[lxc-devel] [lxd/master] forkproxy: only attach to mntns for unix sockets

[brauner on Github]

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190417/34c6f753/attachment.bin>
-------------- next part --------------
From e69985f0d70ac711a0f00699f812065df9a270e2 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 17 Apr 2019 22:29:57 +0200
Subject: [PATCH 1/2] forkproxy: only attach to mntns for unix sockets

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/main_forkproxy.go | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/lxd/main_forkproxy.go b/lxd/main_forkproxy.go
index fb2213a548..4bec58c01e 100644
--- a/lxd/main_forkproxy.go
+++ b/lxd/main_forkproxy.go
@@ -85,6 +85,7 @@ again:
 
 void forkproxy()
 {
+	bool needs_mntns = false;
 	int connect_pid, listen_pid, log_fd;
 	ssize_t ret;
 	pid_t pid;
@@ -134,6 +135,10 @@ void forkproxy()
 		    _exit(EXIT_FAILURE);
 	}
 
+	if (strncmp(listen_addr, "unix:", sizeof("unix:") - 1) == 0 ||
+	    strncmp(connect_addr, "unix:", sizeof("unix:") - 1) == 0)
+		    needs_mntns = true;
+
 	ret = socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sk_fds);
 	if (ret < 0) {
 		fprintf(stderr,
@@ -169,9 +174,7 @@ void forkproxy()
 			_exit(EXIT_FAILURE);
 		}
 
-		// Attach to the mount namespace of the listener
-		ret = dosetns(listen_pid, "mnt");
-		if (ret < 0) {
+		if (needs_mntns && dosetns(listen_pid, "mnt")) {
 			fprintf(stderr, "Failed setns to listener mount namespace: %s\n",
 				strerror(errno));
 			_exit(EXIT_FAILURE);
@@ -209,8 +212,7 @@ void forkproxy()
 		}
 
 		// Attach to the mount namespace of the listener
-		ret = dosetns(connect_pid, "mnt");
-		if (ret < 0) {
+		if (needs_mntns && dosetns(connect_pid, "mnt")) {
 			fprintf(stderr, "Failed setns to listener mount namespace: %s\n",
 				strerror(errno));
 			_exit(EXIT_FAILURE);

From 3174be64e19ae1802852ab87178f3741155a1142 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 17 Apr 2019 22:34:40 +0200
Subject: [PATCH 2/2] make: add full-relro

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 Makefile              | 4 ++--
 lxd/main_forkproxy.go | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 99f2aa6bad..045915bebf 100644
--- a/Makefile
+++ b/Makefile
@@ -16,7 +16,7 @@ ifeq ($(TAG_SQLITE3),)
 endif
 
 	go get -t -v -d ./...
-	CC=$(CC) go install -v -tags "$(TAG_SQLITE3)" $(DEBUG) ./...
+	CGO_LDFLAGS_ALLOW="-Wl,-z,now" CC=$(CC) go install -v -tags "$(TAG_SQLITE3)" $(DEBUG) ./...
 	@echo "LXD built successfully"
 
 .PHONY: client
@@ -90,7 +90,7 @@ ifeq ($(TAG_SQLITE3),)
 endif
 
 	go get -t -v -d ./...
-	CC=$(CC) go install -v -tags "$(TAG_SQLITE3) logdebug" $(DEBUG) ./...
+	CGO_LDFLAGS_ALLOW="-Wl,-z,now" CC=$(CC) go install -v -tags "$(TAG_SQLITE3) logdebug" $(DEBUG) ./...
 	@echo "LXD built successfully"
 
 .PHONY: check
diff --git a/lxd/main_forkproxy.go b/lxd/main_forkproxy.go
index 4bec58c01e..90297261e2 100644
--- a/lxd/main_forkproxy.go
+++ b/lxd/main_forkproxy.go
@@ -285,6 +285,7 @@ void forkproxy()
 }
 */
 // #cgo CFLAGS: -std=gnu11 -Wvla
+// #cgo LDFLAGS: -Wl,-z,now -Wl,-z,relro
 import "C"
 
 const forkproxyUDSSockFDNum int = C.FORKPROXY_UDS_SOCK_FD_NUM