[Devel] [PATCH 2/2] hooks_ct: mount /proc and /sys before umounting the old root
Andrey Vagin
avagin at openvz.org
Mon Jan 13 07:57:31 PST 2014
Here is a workaround for the kernel commit:
commit e51db73532955dc5eaba4235e62b74b460709d5b
Author: Eric W. Biederman <ebiederm at xmission.com>
Date: Sat Mar 30 19:57:41 2013 -0700
userns: Better restrictions on when proc and sysfs can be mounted
Rely on the fact that another flavor of the filesystem is already
mounted and do not rely on state in the user namespace.
Verify that the mounted filesystem is not covered in any significant
way. I would love to verify that the previously mounted filesystem
has no mounts on top but there are at least the directories
/proc/sys/fs/binfmt_misc and /sys/fs/cgroup/ that exist explicitly
for other filesystems to mount on top of.
Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
src/lib/env.c | 9 ++++++++-
src/lib/hooks_ct.c | 26 ++++++++++++++++++++++++++
2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/src/lib/env.c b/src/lib/env.c
index 8622a7a..3ff8724 100644
--- a/src/lib/env.c
+++ b/src/lib/env.c
@@ -31,6 +31,8 @@
#include <sys/mount.h>
#include <sys/utsname.h>
#include <sys/stat.h>
+#include <sys/vfs.h>
+#include <linux/magic.h>
#include "vzerror.h"
#include "res.h"
@@ -244,6 +246,7 @@ int exec_container_init(struct arg_start *arg,
int fd, ret;
char *argv[] = {"init", "-z", " ", NULL};
char *envp[] = {"HOME=/", "TERM=linux", NULL};
+ struct statfs sfs;
/* Clear supplementary group IDs */
setgroups(0, NULL);
@@ -262,7 +265,11 @@ int exec_container_init(struct arg_start *arg,
}
}
- if (access("/proc", F_OK) == 0 && mount("proc", "/proc", "proc", 0, 0))
+ if (statfs("/proc", &sfs))
+ return vzctl_err(VZ_SYSTEM_ERROR, errno, "statfs on /proc failed");
+
+ if (sfs.f_type != PROC_SUPER_MAGIC &&
+ mount("proc", "/proc", "proc", 0, 0))
return vzctl_err(VZ_SYSTEM_ERROR, errno,
"Failed to mount /proc");
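Review bot: Replacing `access("/proc", F_OK) == 0 &&` with an unconditional `statfs("/proc", &sfs)` turns a missing /proc directory from a silent skip into a hard `VZ_SYSTEM_ERROR`, because statfs then fails with ENOENT and the new check at the top of the hunk returns immediately. I cannot tell from here whether every container root is guaranteed to have a /proc directory; if the old tolerance is still wanted, the ENOENT case should skip the mount instead of failing, and `sfs.f_type` must only be read when statfs succeeded. A restructured check is below; exec_container_init starts and ends outside the hunk.
```c
	if (statfs("/proc", &sfs) == 0) {
		if (sfs.f_type != PROC_SUPER_MAGIC &&
		    mount("proc", "/proc", "proc", 0, 0))
			return vzctl_err(VZ_SYSTEM_ERROR, errno,
					"Failed to mount /proc");
	} else if (errno != ENOENT) {
		/* ENOENT (no /proc directory) keeps the old access() behaviour: skip */
		return vzctl_err(VZ_SYSTEM_ERROR, errno, "statfs on /proc failed");
	}
```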
diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
index aff9cee..a1b91d9 100644
--- a/src/lib/hooks_ct.c
+++ b/src/lib/hooks_ct.c
@@ -147,6 +147,32 @@ int ct_chroot(const char *root)
goto rmdir;
}
+ /*
+ * proc and sysfs must be mounted before unmounting oldroot because of:
+ *
+ * LK: e51db73532955dc5eaba4235e62b74b460709d5b
+ * userns: Better restrictions on when proc and sysfs can be mounted
+ *
+ * Rely on the fact that another flavor of the filesystem is already
+ * mounted and do not rely on state in the user namespace.
+ *
+ * Verify that the mounted filesystem is not covered in any significant
+ * way. I would love to verify that the previously mounted filesystem
+ * has no mounts on top but there are at least the directories
+ * /proc/sys/fs/binfmt_misc and /sys/fs/cgroup/ that exist explicitly
+ * for other filesystems to mount on top of.
+ */
+
+ if (mount("proc", "/proc", "proc", 0, 0)) {
+ logger(-1, errno, "Failed to mount /proc");
+ goto rmdir;
+ }
+
+ if (mount("sysfs", "/sys", "sysfs", 0, 0)) {
+ logger(-1, errno, "Failed to mount /sys");
+ goto rmdir;
+ }
+
if (umount2(oldroot, MNT_DETACH)) {
logger(-1, 0, "Can't umount old mounts");
goto rmdir;
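Review bot: The new `mount("proc", ...)` and `mount("sysfs", ...)` calls pass 0 for the mount flags; for pseudo-filesystems exposed inside the container the usual hardening is `MS_NOSUID | MS_NODEV | MS_NOEXEC`, e.g. `mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL)` and the same for the sysfs mount. If the /sys mount fails after /proc succeeded, the `goto rmdir` path leaves the fresh /proc mounted; whether the rmdir label undoes that is not visible, as ct_chroot both starts and ends outside the hunk. The fifteen-line comment repeats the kernel commit log verbatim; a one-line reference such as `/* proc and sysfs must be mounted before oldroot goes away: kernel commit e51db73532955dc5eaba4235e62b74b460709d5b (userns mount restrictions) */` carries the same information.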
--
1.8.3.1