[Devel] [PATCH] hook_ct: mount devtmpfs in CT

Wed Jan 22 02:37:37 PST 2014

All modern distributions require devtmpfs in /dev. devtmpfs can't
be mounted from userns. This patch bind-mounts the host /dev.
It's secure, because permissions are handled according with uid and
gid maps for the user namespace.

This patch removes old hacks about devices. They are not required any more.

Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
 etc/dists/scripts/prestart.sh |  4 ---
 src/lib/hooks_ct.c            | 66 +++++++++++--------------------------------
 2 files changed, 16 insertions(+), 54 deletions(-)

diff --git a/etc/dists/scripts/prestart.sh b/etc/dists/scripts/prestart.sh
index 5ab7895..8b2a0a3 100755
--- a/etc/dists/scripts/prestart.sh
+++ b/etc/dists/scripts/prestart.sh
@@ -41,10 +41,6 @@ fixup_udev()
 		fi
 		break
 	done
-
-	umount /dev/pts
-	umount /dev/shm
-	umount /dev -l
 }
 
 fixup_loginuid()
diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
index 2a0b54c..ab2f4fd 100644
--- a/src/lib/hooks_ct.c
+++ b/src/lib/hooks_ct.c
@@ -10,6 +10,7 @@
 #include <fcntl.h>
 #include <sched.h>
 #include <dirent.h>
+#include <sys/vfs.h> 
 
 #include "vzerror.h"
 #include "env.h"
@@ -108,7 +109,7 @@ int ct_chroot(const char *root)
 	 * Linux kernel commit 5ff9d8a6
 	 * "vfs: Lock in place mounts from more privileged users"
 	 */
-	if (mount(root, root, NULL, MS_BIND, NULL)) {
+	if (mount(root, root, NULL, MS_BIND | MS_REC, NULL)) {
 		logger(-1, errno, "Can't bind-mount root %s", root);
 		return ret;
 	}
@@ -269,51 +270,6 @@ out:
 	return ret;
 }
 
-/*
- * Those devices should exist in the container, and be valid device nodes with
- * user access permission. But we need to be absolutely sure this is the case,
- * so we will provide our own versions. That could actually happen since some
- * distributions may come with emptied /dev's, waiting for udev to populate them.
- * That won't happen, we do it ourselves.
- */
-static void create_devices(vps_handler *h, envid_t veid, const char *root)
-{
-	unsigned int i;
-	char *devices[] = {
-		"/dev/null",
-		"/dev/zero",
-		"/dev/random",
-		"/dev/urandom",
-	};
-
-	/*
-	 * We will tolerate errors, and keep the container running, because it is
-	 * likely we will be able to boot it to a barely functional state. But
-	 * be vocal about it
-	 */
-	for (i = 0; i < ARRAY_SIZE(devices); i++) {
-		char ct_devname[STR_SIZE];
-		int ret;
-
-		snprintf(ct_devname, sizeof(ct_devname), "%s%s", root, devices[i]);
-
-		/*
-		 * No need to be crazy about file flags. When we bind mount, the
-		 * source permissions will be inherited.
-		 */
-		ret = open(ct_devname, O_RDWR|O_CREAT, 0);
-		if (ret < 0) {
-			logger(-1, errno, "Could not touch device %s", devices[i]);
-			continue;
-		}
-		close(ret);
-
-		ret = mount(devices[i], ct_devname, "", MS_BIND, 0);
-		if (ret < 0)
-			logger(-1, errno, "Could not bind mount device %s", devices[i]);
-	}
-}
-
 static int _env_create(void *data)
 {
 	struct arg_start *arg = data;
@@ -338,10 +294,6 @@ static int _env_create(void *data)
 	if (arg->userns_p != -1)
 		close(arg->userns_p);
 
-	if (arg->h->can_join_userns) {
-		create_devices(arg->h, arg->veid, arg->res->fs.root);
-	}
-
 	ret = ct_chroot(arg->res->fs.root);
 	/* Probably means chroot failed */
 	if (ret)
@@ -400,11 +352,25 @@ static int ct_env_create_real(struct arg_start *arg)
 
 		userns_p[0] = userns_p[1] = -1;
 	} else {
+		char devpath[PATH_MAX];
+
 		clone_flags |= CLONE_NEWUSER;
 		if (pipe(userns_p) < 0) {
 			logger(-1, errno, "Can not create userns pipe");
 			return VZ_RESOURCE_ERROR;
 		}
+
+		/* Unshare mntns to not affect the host system */
+		if (unshare(CLONE_NEWNS)) {
+			logger(-1, errno, "Can not unshare mount namespace");
+			return VZ_RESOURCE_ERROR;
+		}
+
+		snprintf(devpath, sizeof(devpath), "%s/dev", arg->res->fs.root);
+		if (mount("dev", devpath, "devtmpfs", 0, NULL)) {
+			logger(-1, errno, "Can not mount devtmpfs");
+			return VZ_RESOURCE_ERROR;
+		}
 	}
 	arg->userns_p = userns_p[0];
 
-- 
1.8.3.1


