[Devel] [PATCH 2/2] hooks_ct: mount /proc and /sys before umounting the old root

Andrey Vagin avagin at openvz.org
Mon Jan 13 07:57:31 PST 2014


Here is workaround for the kernel commit:

commit e51db73532955dc5eaba4235e62b74b460709d5b
Author: Eric W. Biederman <ebiederm at xmission.com>
Date:   Sat Mar 30 19:57:41 2013 -0700

    userns: Better restrictions on when proc and sysfs can be mounted

    Rely on the fact that another flavor of the filesystem is already
    mounted and do not rely on state in the user namespace.

    Verify that the mounted filesystem is not covered in any significant
    way.  I would love to verify that the previously mounted filesystem
    has no mounts on top but there are at least the directories
    /proc/sys/fs/binfmt_misc and /sys/fs/cgroup/ that exist explicitly
    for other filesystems to mount on top of.

Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
 src/lib/env.c      |  9 ++++++++-
 src/lib/hooks_ct.c | 26 ++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/src/lib/env.c b/src/lib/env.c
index 8622a7a..3ff8724 100644
--- a/src/lib/env.c
+++ b/src/lib/env.c
@@ -31,6 +31,8 @@
 #include <sys/mount.h>
 #include <sys/utsname.h>
 #include <sys/stat.h>
+#include <sys/vfs.h>
+#include <linux/magic.h>
 
 #include "vzerror.h"
 #include "res.h"
@@ -244,6 +246,7 @@ int exec_container_init(struct arg_start *arg,
 	int fd, ret;
 	char *argv[] = {"init", "-z", "      ", NULL};
 	char *envp[] = {"HOME=/", "TERM=linux", NULL};
+	struct statfs sfs;
 
 	/* Clear supplementary group IDs */
 	setgroups(0, NULL);
@@ -262,7 +265,11 @@ int exec_container_init(struct arg_start *arg,
 		}
 	}
 
-	if (access("/proc", F_OK) == 0 && mount("proc", "/proc", "proc", 0, 0))
+	if (statfs("/proc", &sfs))
+		return vzctl_err(VZ_SYSTEM_ERROR, errno, "statfs on /proc failed");
+
+	if (sfs.f_type != PROC_SUPER_MAGIC &&
+	    mount("proc", "/proc", "proc", 0, 0))
 		return vzctl_err(VZ_SYSTEM_ERROR, errno,
 				"Failed to mount /proc");
 
diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
index aff9cee..a1b91d9 100644
--- a/src/lib/hooks_ct.c
+++ b/src/lib/hooks_ct.c
@@ -147,6 +147,32 @@ int ct_chroot(const char *root)
 		goto rmdir;
 	}
 
+	/*
+	 * proc and sysfs must be mounted before unmounting oldroot because of:
+	 *
+	 * LK: e51db73532955dc5eaba4235e62b74b460709d5b
+	 * userns: Better restrictions on when proc and sysfs can be mounted
+    	 *
+	 * Rely on the fact that another flavor of the filesystem is already
+	 * mounted and do not rely on state in the user namespace.
+	 *
+	 * Verify that the mounted filesystem is not covered in any significant
+	 * way.  I would love to verify that the previously mounted filesystem
+	 * has no mounts on top but there are at least the directories
+	 * /proc/sys/fs/binfmt_misc and /sys/fs/cgroup/ that exist explicitly
+	 * for other filesystems to mount on top of.
+	 */
+
+	if (mount("proc", "/proc", "proc", 0, 0)) {
+		logger(-1, errno, "Failed to mount /proc");
+		goto rmdir;
+	}
+
+	if (mount("sysfs", "/sys", "sysfs", 0, 0)) {
+		logger(-1, errno, "Failed to mount /sys");
+		goto rmdir;
+	}
+
 	if (umount2(oldroot, MNT_DETACH)) {
 		logger(-1, 0, "Can't umount old mounts");
 		goto rmdir;
-- 
1.8.3.1




More information about the Devel mailing list