[Devel] [PATCH 1/2] hooks_ct: mount /proc and /sys before umounting the old root
Andrew Vagin
avagin at parallels.com
Mon Jan 20 03:49:24 PST 2014
Pls ignore these patches.
On Mon, Jan 20, 2014 at 02:20:29PM +0400, Andrey Vagin wrote:
> Here is a workaround for the kernel commit:
>
> commit e51db73532955dc5eaba4235e62b74b460709d5b
> Author: Eric W. Biederman <ebiederm at xmission.com>
> Date: Sat Mar 30 19:57:41 2013 -0700
>
> userns: Better restrictions on when proc and sysfs can be mounted
>
> Rely on the fact that another flavor of the filesystem is already
> mounted and do not rely on state in the user namespace.
>
> Verify that the mounted filesystem is not covered in any significant
> way. I would love to verify that the previously mounted filesystem
> has no mounts on top but there are at least the directories
> /proc/sys/fs/binfmt_misc and /sys/fs/cgroup/ that exist explicitly
> for other filesystems to mount on top of.
>
> Signed-off-by: Andrey Vagin <avagin at openvz.org>
> ---
> src/lib/env.c | 9 ++++++++-
> src/lib/hooks_ct.c | 26 ++++++++++++++++++++++++++
> 2 files changed, 34 insertions(+), 1 deletion(-)
>
> diff --git a/src/lib/env.c b/src/lib/env.c
> index 8622a7a..3ff8724 100644
> --- a/src/lib/env.c
> +++ b/src/lib/env.c
> @@ -31,6 +31,8 @@
> #include <sys/mount.h>
> #include <sys/utsname.h>
> #include <sys/stat.h>
> +#include <sys/vfs.h>
> +#include <linux/magic.h>
>
> #include "vzerror.h"
> #include "res.h"
> @@ -244,6 +246,7 @@ int exec_container_init(struct arg_start *arg,
> int fd, ret;
> char *argv[] = {"init", "-z", " ", NULL};
> char *envp[] = {"HOME=/", "TERM=linux", NULL};
> + struct statfs sfs;
>
> /* Clear supplementary group IDs */
> setgroups(0, NULL);
> @@ -262,7 +265,11 @@ int exec_container_init(struct arg_start *arg,
> }
> }
>
> - if (access("/proc", F_OK) == 0 && mount("proc", "/proc", "proc", 0, 0))
> + if (statfs("/proc", &sfs))
> + return vzctl_err(VZ_SYSTEM_ERROR, errno, "statfs on /proc failed");
> +
> + if (sfs.f_type != PROC_SUPER_MAGIC &&
> + mount("proc", "/proc", "proc", 0, 0))
> return vzctl_err(VZ_SYSTEM_ERROR, errno,
> "Failed to mount /proc");
>
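Review bot: the statfs() branch changes behaviour when /proc is absent from the container root: the old `access("/proc", F_OK)` guard silently skipped the mount, whereas `if (statfs("/proc", &sfs)) return vzctl_err(...)` now aborts container init with VZ_SYSTEM_ERROR on ENOENT. If images without a /proc directory are still expected to start, treat `errno == ENOENT` as "nothing to check" before returning; otherwise the stricter requirement should be called out in the commit message. The `sfs.f_type != PROC_SUPER_MAGIC` guard itself is the right way to avoid stacking a second procfs over one that is already mounted.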
> diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
> index aff9cee..a1b91d9 100644
> --- a/src/lib/hooks_ct.c
> +++ b/src/lib/hooks_ct.c
> @@ -147,6 +147,32 @@ int ct_chroot(const char *root)
> goto rmdir;
> }
>
> + /*
> + * proc and sysfs must be mounted before unmounting oldroot because of:
> + *
> + * LK: e51db73532955dc5eaba4235e62b74b460709d5b
> + * userns: Better restrictions on when proc and sysfs can be mounted
> + *
> + * Rely on the fact that another flavor of the filesystem is already
> + * mounted and do not rely on state in the user namespace.
> + *
> + * Verify that the mounted filesystem is not covered in any significant
> + * way. I would love to verify that the previously mounted filesystem
> + * has no mounts on top but there are at least the directories
> + * /proc/sys/fs/binfmt_misc and /sys/fs/cgroup/ that exist explicitly
> + * for other filesystems to mount on top of.
> + */
> +
> + if (mount("proc", "/proc", "proc", 0, 0)) {
> + logger(-1, errno, "Failed to mount /proc");
> + goto rmdir;
> + }
> +
> + if (mount("sysfs", "/sys", "sysfs", 0, 0)) {
> + logger(-1, errno, "Failed to mount /sys");
> + goto rmdir;
> + }
> +
> if (umount2(oldroot, MNT_DETACH)) {
> logger(-1, 0, "Can't umount old mounts");
> goto rmdir;
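Review bot: unlike the env.c change, these two mount() calls are unconditional, so if procfs is already mounted at /proc in the new root a second instance is stacked on top, and if /proc or /sys is missing from the image the call fails with ENOENT and ct_chroot bails out via `goto rmdir`. Consider the same statfs()/f_type guard used in env.c for both paths (PROC_SUPER_MAGIC for /proc, SYSFS_MAGIC for /sys). Also, when the sysfs mount fails the procfs mounted just above is left in place on the way to `goto rmdir`; an explicit `umount2("/proc", MNT_DETACH)` on that error path keeps the cleanup symmetric with the success path.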
> --
> 1.8.3.1
>