[Devel] [PATCH 1/2] hooks_ct: mount /proc and /sys before umounting the old root

Andrew Vagin avagin at parallels.com
Mon Jan 20 03:49:24 PST 2014


Pls ignore these patches.

On Mon, Jan 20, 2014 at 02:20:29PM +0400, Andrey Vagin wrote:
> Here is workaround for the kernel commit:
> 
> commit e51db73532955dc5eaba4235e62b74b460709d5b
> Author: Eric W. Biederman <ebiederm at xmission.com>
> Date:   Sat Mar 30 19:57:41 2013 -0700
> 
>     userns: Better restrictions on when proc and sysfs can be mounted
> 
>     Rely on the fact that another flavor of the filesystem is already
>     mounted and do not rely on state in the user namespace.
> 
>     Verify that the mounted filesystem is not covered in any significant
>     way.  I would love to verify that the previously mounted filesystem
>     has no mounts on top but there are at least the directories
>     /proc/sys/fs/binfmt_misc and /sys/fs/cgroup/ that exist explicitly
>     for other filesystems to mount on top of.
> 
> Signed-off-by: Andrey Vagin <avagin at openvz.org>
> ---
>  src/lib/env.c      |  9 ++++++++-
>  src/lib/hooks_ct.c | 26 ++++++++++++++++++++++++++
>  2 files changed, 34 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lib/env.c b/src/lib/env.c
> index 8622a7a..3ff8724 100644
> --- a/src/lib/env.c
> +++ b/src/lib/env.c
> @@ -31,6 +31,8 @@
>  #include <sys/mount.h>
>  #include <sys/utsname.h>
>  #include <sys/stat.h>
> +#include <sys/vfs.h>
> +#include <linux/magic.h>
>  
>  #include "vzerror.h"
>  #include "res.h"
> @@ -244,6 +246,7 @@ int exec_container_init(struct arg_start *arg,
>  	int fd, ret;
>  	char *argv[] = {"init", "-z", "      ", NULL};
>  	char *envp[] = {"HOME=/", "TERM=linux", NULL};
> +	struct statfs sfs;
>  
>  	/* Clear supplementary group IDs */
>  	setgroups(0, NULL);
> @@ -262,7 +265,11 @@ int exec_container_init(struct arg_start *arg,
>  		}
>  	}
>  
> -	if (access("/proc", F_OK) == 0 && mount("proc", "/proc", "proc", 0, 0))
> +	if (statfs("/proc", &sfs))
> +		return vzctl_err(VZ_SYSTEM_ERROR, errno, "statfs on /proc failed");
> +
> +	if (sfs.f_type != PROC_SUPER_MAGIC &&
> +	    mount("proc", "/proc", "proc", 0, 0))
>  		return vzctl_err(VZ_SYSTEM_ERROR, errno,
>  				"Failed to mount /proc");
>  
> diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
> index aff9cee..a1b91d9 100644
> --- a/src/lib/hooks_ct.c
> +++ b/src/lib/hooks_ct.c
> @@ -147,6 +147,32 @@ int ct_chroot(const char *root)
>  		goto rmdir;
>  	}
>  
> +	/*
> +	 * proc and sysfs must be mounted before unmounting oldroot because of:
> +	 *
> +	 * LK: e51db73532955dc5eaba4235e62b74b460709d5b
> +	 * userns: Better restrictions on when proc and sysfs can be mounted
> +    	 *
> +	 * Rely on the fact that another flavor of the filesystem is already
> +	 * mounted and do not rely on state in the user namespace.
> +	 *
> +	 * Verify that the mounted filesystem is not covered in any significant
> +	 * way.  I would love to verify that the previously mounted filesystem
> +	 * has no mounts on top but there are at least the directories
> +	 * /proc/sys/fs/binfmt_misc and /sys/fs/cgroup/ that exist explicitly
> +	 * for other filesystems to mount on top of.
> +	 */
> +
> +	if (mount("proc", "/proc", "proc", 0, 0)) {
> +		logger(-1, errno, "Failed to mount /proc");
> +		goto rmdir;
> +	}
> +
> +	if (mount("sysfs", "/sys", "sysfs", 0, 0)) {
> +		logger(-1, errno, "Failed to mount /sys");
> +		goto rmdir;
> +	}
> +
>  	if (umount2(oldroot, MNT_DETACH)) {
>  		logger(-1, 0, "Can't umount old mounts");
>  		goto rmdir;
> -- 
> 1.8.3.1
> 



More information about the Devel mailing list