[Devel] [PATCH 1/2] hooks-ct: bind-mount the root in itself after entering in a user namespace

Andrey Vagin avagin at openvz.org
Mon Jan 13 07:57:30 PST 2014


Here is a workaround for the kernel commit:
commit 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942
Author: Eric W. Biederman <ebiederm at xmission.com>
Date:   Fri Mar 29 21:04:39 2013 -0700

    vfs: Lock in place mounts from more privileged users

    When creating a less privileged mount namespace or propogating mounts
    from a more privileged to a less privileged mount namespace lock the
    submounts so they may not be unmounted individually in the child mount
    namespace revealing what is under them.

    This enforces the reasonable expectation that it is not possible to
    see under a mount point.
    ...

Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
 src/lib/hooks_ct.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
index 4972dac..aff9cee 100644
--- a/src/lib/hooks_ct.c
+++ b/src/lib/hooks_ct.c
@@ -103,6 +103,25 @@ int ct_chroot(const char *root)
 	char oldroot[] = "vzctl-old-root.XXXXXX";
 	int ret = VZ_RESOURCE_ERROR;
 
+	/*
+	 * The root must be bing-mounted in itself to not show what is under it.
+	 *
+	 * LK: 5ff9d8a65ce80efb509ce4e8051394e9ed2cd942
+	 * vfs: Lock in place mounts from more privileged users
+	 *
+	 * When creating a less privileged mount namespace or propogating mounts
+	 * from a more privileged to a less privileged mount namespace lock the
+	 * submounts so they may not be unmounted individually in the child mount
+	 * namespace revealing what is under them.
+	 *
+	 * This enforces the reasonable expectation that it is not possible to
+	 * see under a mount point.
+	 */
+	if (mount(root, root, NULL, MS_BIND, NULL)) {
+		logger(-1, errno, "Can't bind-mount root %s", root);
+		return ret;
+	}
+
 	if (chdir(root)) {
 		logger(-1, errno, "Can't chdir %s", root);
 		return ret;
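Review bot: the new comment has a typo, "bing-mounted" should read "bind-mounted", and since the kernel text is reproduced verbatim the "propogating" misspelling is carried along too; worth fixing both while the comment is being added. On the mount call itself, `mount(root, root, NULL, MS_BIND, NULL)` is a non-recursive bind, so anything already mounted below `root` (e.g. a /dev or /proc set up earlier under the container root) is not carried onto the new mount and will be hidden once the chroot/pivot happens; if such submounts can exist at this point in `ct_chroot()`, `MS_BIND | MS_REC` is the safer choice, otherwise a short note that the root is expected to have no submounts yet would help the next reader. Also, on the subsequent `chdir` failure path the freshly created bind mount is left behind on the host; a matching `umount2(root, MNT_DETACH)` before `return ret` would keep the error path side-effect free.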
-- 
1.8.3.1