[lxc-devel] [lxd/master] forksyscall: switch chdirchroot() and setns() order

brauner on Github lxc-bot at linuxcontainers.org
Mon Jul 15 20:41:39 UTC 2019


From f701329f058add83d326c4cdc7184052f14d662f Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Mon, 15 Jul 2019 22:41:02 +0200
Subject: [PATCH] forksyscall: switch chdirchroot() and setns() order

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/main_forksyscall.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lxd/main_forksyscall.go b/lxd/main_forksyscall.go
index 35d134d706..79a99347f9 100644
--- a/lxd/main_forksyscall.go
+++ b/lxd/main_forksyscall.go
@@ -12,6 +12,7 @@ import (
 #endif
 #include <fcntl.h>
 #include <libgen.h>
+#include <sched.h>
 #include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -117,7 +118,7 @@ static bool chdirchroot(pid_t pid)
 // <PID> <root-uid> <root-gid> <path> <mode> <dev>
 static void forkmknod()
 {
-	__do_close_prot_errno int cwd_fd = -EBADF, host_target_fd = -EBADF;
+	__do_close_prot_errno int cwd_fd = -EBADF, host_target_fd = -EBADF, mnt_fd = -EBADF;
 	int ret;
 	char *cur = NULL, *target = NULL, *target_dir = NULL, *target_host = NULL;
 	char path[PATH_MAX];
@@ -161,7 +162,9 @@ static void forkmknod()
 		_exit(EXIT_FAILURE);
 	}
 
-	if (dosetns(pid, "mnt")) {
+	snprintf(path, sizeof(path), "/proc/%d/ns/mnt", pid);
+	mnt_fd = open(path, O_RDONLY | O_CLOEXEC);
+	if (mnt_fd < 0) {
 		fprintf(stderr, "%d", ENOANO);
 		_exit(EXIT_FAILURE);
 	}
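Review bot: Nothing in this hunk records why the mount-namespace fd is opened here rather than next to the setns() that consumes it in a later hunk, so a future cleanup is likely to move the open() back and reintroduce the problem this commit is fixing. A comment above the snprintf() would pin it down, e.g. `/* Open the target mount namespace before chdirchroot(): once we are inside the container's root, the host's /proc/<pid>/ns/ path is presumably no longer reachable. */` (the "presumably" should be confirmed against what chdirchroot() actually does, since its body is outside this view). The unchecked snprintf() result is tolerable only because a pid can never overflow a PATH_MAX buffer with this fixed format; that assumption is worth a short note if the format ever grows. forkmknod() starts before this hunk and continues past it.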
@@ -170,6 +173,10 @@ static void forkmknod()
 		fprintf(stderr, "%d", ENOANO);
 		_exit(EXIT_FAILURE);
 	}
+	if (setns(mnt_fd, CLONE_NEWNS)) {
+		fprintf(stderr, "%d", ENOANO);
+		_exit(EXIT_FAILURE);
+	}
 
 	caps = cap_get_pid(pid);
 	if (!caps) {
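Review bot: setns(mnt_fd, CLONE_NEWNS) does not only switch the mount table; the kernel's mount-namespace install path also resets the caller's root directory and working directory to that namespace's root (which is why the call needs CAP_SYS_CHROOT), so whatever chdirchroot() set up just before it — presumably the call the subject line refers to, which sits between this hunk and the previous one and is outside the view — is superseded rather than layered on. If that is intended, a comment on the new setns() line should say so, e.g. `/* setns(CLONE_NEWNS) replaces our root and cwd with the namespace root; the chdirchroot() above is deliberately overridden from here on. */`, and if it is not intended the ordering needs another look. The open(), chdirchroot() and setns() failure paths all report the same ENOANO on stderr, so the Go side cannot tell which step rejected the request; a distinct errno per step would make a failed mknod diagnosable without reproducing it. forkmknod() begins before this hunk and ends after it.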

