[lxc-users] pre-mount hook namespace
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Nov 11 15:40:12 UTC 2015
Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> The pre-mount hook documentation states that it is "a hook to be run
> in the container's fs namespace", which seems a little confusing to me
> as I'm not quite sure what the 'fs' namespace is supposed to
> represent. clone(2)'s CLONE_FS just refers to the root dir, umask and
> current working directory, but when running an unprivileged container
> the user-namespace will also be set up.
not CLONE_FS, CLONE_NEWNS.
> This puts us in a bit of a pickle as we'd like to set up mountpoints
> for an unprivileged container without giving it access to more than it
> needs (in particular, the storage configuration and processes involved
> in managing and activating them.)
Please give a specific example of what you want.
> For us this seems to be only possible in the pre-start hook now, but
> this will be reflected on the host.
> I've thought about running lxc-start in a mount namespace, but then I'd
> have another namespace to clean up after (for the same reasons we added
> the 'stop' hook.)
>
> Since the CLONE_NEWUSER flag is used in the call to clone() I don't see
> any convenient solution here, maybe someone has an idea?
>
> Either way it would probably be a good idea to update the documentation
> to reflect this. Maybe have yet another hook? (The user-namespace could
> be entered later with unshare(CLONE_NEWUSER) and the sync barriers
> already control when the parent can run lxc_map_ids().)
In order for an unprivileged user to be able to manipulate the mounts
table, he must *first* unshare the user namespace. That is so that
if he mounts something over /etc/shadow, he can only trick setuid-root
programs (like login) owned by his own user namespace.
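The ordering Serge describes (user namespace first, then mount namespace) can be checked with a small C program. This is an added example, not part of this thread or of LXC's code; it assumes a Linux host with /proc mounted, a writable /tmp, and unprivileged user namespaces enabled, and the function names (probe_unshare, probe_confined_mount, mnt_ns_unchanged_after) are my own. It forks a child for every probe so the calling process keeps its own namespaces, which is also the property Wolfgang worries about: whatever the child mounts after unshare(CLONE_NEWUSER | CLONE_NEWNS) stays in the child's mount table and is not reflected on the host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Wait for a child and translate its exit status into 0 or an errno value. */
static int child_result(pid_t pid) {
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : ECHILD;
}

/* Try unshare(flags) in a forked child so the caller keeps its namespaces.
 * Returns 0 on success, otherwise the errno the child saw. An unprivileged
 * caller gets EPERM for CLONE_NEWNS alone; with CLONE_NEWUSER | CLONE_NEWNS
 * the new user namespace owns the new mount namespace, so it may succeed. */
int probe_unshare(int flags) {
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) _exit(unshare(flags) == 0 ? 0 : (errno & 0xff));
    return child_result(pid);
}

/* Read this process's namespace identifier, e.g. "mnt:[4026531840]". */
int ns_id(const char *which, char *buf, size_t len) {
    char path[64];
    snprintf(path, sizeof path, "/proc/self/ns/%s", which);
    ssize_t n = readlink(path, buf, len - 1);
    if (n < 0) { buf[0] = '\0'; return errno; }
    buf[n] = '\0';
    return 0;
}

/* 1 if probing unshare(flags) in a child left the caller's mount namespace
 * unchanged (it always should, since the unshare happens in the child). */
int mnt_ns_unchanged_after(int flags) {
    char before[64], after[64];
    ns_id("mnt", before, sizeof before);
    probe_unshare(flags);
    ns_id("mnt", after, sizeof after);
    return strcmp(before, after) == 0;
}

/* Write a short string to a file; returns 0 or an errno value. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    ssize_t n = write(fd, text, strlen(text));
    int err = n < 0 ? errno : (n == (ssize_t)strlen(text) ? 0 : EIO);
    close(fd);
    return err;
}

/* In a child: unshare user + mount namespaces, map our uid to root inside the
 * new user namespace, mount a tmpfs on a fresh directory and create a marker
 * file in it. Then check from the parent whether that mount leaked into the
 * parent's (host) mount table. Returns 0 when the child mounted and the
 * parent cannot see the marker, -1 if the parent can see it (a leak), or the
 * errno the child hit along the way. */
int probe_confined_mount(void) {
    char dir[] = "/tmp/nsprobe-XXXXXX";   /* constructed scratch directory */
    if (!mkdtemp(dir)) return errno;
    char marker[64];
    snprintf(marker, sizeof marker, "%s/marker", dir);

    pid_t pid = fork();
    if (pid < 0) { rmdir(dir); return errno; }
    if (pid == 0) {
        char map[64];
        int e;
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0) _exit(errno & 0xff);
        /* Without a uid mapping, creating files on the new tmpfs fails with EOVERFLOW. */
        snprintf(map, sizeof map, "0 %u 1\n", (unsigned)getuid());
        if ((e = write_file("/proc/self/uid_map", map)) != 0) _exit(e & 0xff);
        write_file("/proc/self/setgroups", "deny\n");
        snprintf(map, sizeof map, "0 %u 1\n", (unsigned)getgid());
        if ((e = write_file("/proc/self/gid_map", map)) != 0) _exit(e & 0xff);
        if (mount("nsprobe", dir, "tmpfs", 0, NULL) != 0) _exit(errno & 0xff);
        int fd = open(marker, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) _exit(errno & 0xff);
        close(fd);
        _exit(0);
    }
    int rc = child_result(pid);
    int leaked = access(marker, F_OK) == 0;
    if (leaked) { unlink(marker); umount(dir); }
    rmdir(dir);
    return leaked ? -1 : rc;
}

int main(void) {
    char id[64];
    ns_id("mnt", id, sizeof id);
    printf("parent mount ns: %s (uid %u)\n", id, (unsigned)getuid());
    printf("unshare(CLONE_NEWNS): %s\n", strerror(probe_unshare(CLONE_NEWNS)));
    printf("unshare(CLONE_NEWUSER|CLONE_NEWNS): %s\n",
           strerror(probe_unshare(CLONE_NEWUSER | CLONE_NEWNS)));
    int r = probe_confined_mount();
    printf("confined tmpfs mount: %s\n", r == -1 ? "LEAKED into parent" : strerror(r));
    return 0;
}
```

Run it as an unprivileged user: the first probe reports "Operation not permitted", the second succeeds, and the tmpfs the child mounts never shows up in the parent because a mount namespace created together with a new user namespace receives the parent's shared mounts as slaves, so nothing propagates back to the host. The same mechanism is why Serge's /etc/shadow example only affects setuid programs owned by that user namespace.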