[Devel] [PATCH RH7] fs: allow to remount from ve user ns
Pavel Tikhomirov
ptikhomirov at odin.com
Thu Oct 22 05:19:54 PDT 2015
On 10/22/2015 02:34 PM, Andrew Vagin wrote:
> On Mon, Oct 19, 2015 at 04:38:00PM +0300, Pavel Tikhomirov wrote:
>> docker 1.9.0-rc1+ makes bind mounts for cgroups; in a non-privileged
>> container it remounts the cgroup root (/sys/fs/cgroup) tmpfs read-only.
>
> Is it possible to remount a superblock for a bind mount? If I
> bind-mount a directory from the host into a container, will a user be able to
> remount the superblock for this bind mount to read-only?
It seems yes, and we cannot allow this. I think it will be the same in
mainstream: if one runs docker in a user namespace, it will fail to
remount tmpfs without the MS_BIND flag.
>
>>
>> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
>> ---
>> fs/namespace.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/fs/namespace.c b/fs/namespace.c
>> index 1377488..8909c13 100644
>> --- a/fs/namespace.c
>> +++ b/fs/namespace.c
>> @@ -1994,7 +1994,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
>> down_write(&sb->s_umount);
>> if (flags & MS_BIND)
>> err = change_mount_flags(path->mnt, flags);
>> - else if (!capable(CAP_SYS_ADMIN))
>> + else if (!ve_capable(CAP_SYS_ADMIN))
>> err = -EPERM;
>> else
>> err = do_check_and_remount_sb(sb, flags, data);
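Review bot: the relaxed check at `else if (!ve_capable(CAP_SYS_ADMIN))` gates the non-bind path on a capability the container holds for itself, but `err = do_check_and_remount_sb(sb, flags, data);` acts on `sb`, and a bind mount shares its superblock with the host mount it was taken from; so a container-side remount without MS_BIND of a bind-mounted host directory would flip the host's filesystem read-only, which is the case Andrew raises above. Before taking the superblock path the code should also verify that the superblock is owned by the caller's VE (or keep requiring the host capability there), otherwise containers should be confined to the `if (flags & MS_BIND)` branch, which only changes `path->mnt`.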
>> --
>> 1.9.3
>>
>> _______________________________________________
>> Devel mailing list
>> Devel at openvz.org
>> https://lists.openvz.org/mailman/listinfo/devel
--
Best regards, Tikhomirov Pavel
Software Developer, Odin.
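The shared-superblock behaviour Andrew and Pavel discuss above, as an added example that is not part of the thread or of the patch: a bind mount is a second mount of the same superblock, so MS_REMOUNT without MS_BIND on the bind mount turns the original (host-side) mount read-only too, while MS_REMOUNT|MS_BIND only sets the per-mount read-only flag. The remount_gate() function is a hypothetical model of the three possible checks (the original capable(), the patch's ve_capable(), and a stricter rule that also asks whether the superblock belongs to the caller's container); its name, the enum and the sb_owned_by_ve argument are this example's, not the kernel's. The main() needs CAP_SYS_ADMIN (root, or a user plus mount namespace) to perform the real mounts.

```c
/* Added example, not code from the patch or the thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <unistd.h>

/* Hypothetical model of the permission check in do_remount() (names are this
 * example's). MS_BIND remounts only change the mount's own flags and pass.
 * Everything else rewrites the superblock, which every bind mount of that
 * filesystem shares, so GATE_STRICT additionally requires the superblock to
 * belong to the caller's container. Returns 0 or -EPERM. */
enum gate { GATE_ORIG, GATE_PATCH, GATE_STRICT };

int remount_gate(enum gate g, unsigned long flags, int host_cap_sys_admin,
                 int ve_cap_sys_admin, int sb_owned_by_ve)
{
    if (flags & MS_BIND)
        return 0;                              /* change_mount_flags() path */
    switch (g) {
    case GATE_ORIG:   return host_cap_sys_admin ? 0 : -EPERM;
    case GATE_PATCH:  return ve_cap_sys_admin ? 0 : -EPERM;
    case GATE_STRICT: return (ve_cap_sys_admin && sb_owned_by_ve) ? 0 : -EPERM;
    }
    return -EPERM;
}

/* 1 if creating a file under dir fails with EROFS, 0 if it succeeds,
 * -1 on any other error. */
static int dir_is_readonly(const char *dir)
{
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/probe", dir);
    int fd = open(p, O_CREAT | O_WRONLY, 0600);
    if (fd < 0)
        return errno == EROFS ? 1 : -1;
    close(fd);
    unlink(p);
    return 0;
}

int main(void)
{
    char src[] = "/tmp/sb-src.XXXXXX", dst[] = "/tmp/sb-dst.XXXXXX";
    if (!mkdtemp(src) || !mkdtemp(dst)) { perror("mkdtemp"); return 1; }

    /* src plays the host mount, dst the bind mount seen inside a container. */
    if (mount("none", src, "tmpfs", 0, "size=1m") < 0) {
        perror("mount tmpfs (needs CAP_SYS_ADMIN)");
        return 1;
    }
    if (mount(src, dst, NULL, MS_BIND, NULL) < 0) { perror("bind"); return 1; }

    /* Case 1: remount the bind mount read-only WITHOUT MS_BIND. This is the
     * do_check_and_remount_sb() path: the shared superblock becomes read-only,
     * so writes under src (the host side) fail with EROFS as well. */
    if (mount(NULL, dst, NULL, MS_REMOUNT | MS_RDONLY, NULL) < 0)
        perror("superblock remount");
    printf("superblock remount of bind mount: source read-only=%d bind read-only=%d\n",
           dir_is_readonly(src), dir_is_readonly(dst));
    mount(NULL, dst, NULL, MS_REMOUNT, NULL);   /* restore a writable superblock */

    /* Case 2: remount WITH MS_BIND. Only dst's MNT_READONLY flag changes;
     * src stays writable. */
    if (mount(NULL, dst, NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL) < 0)
        perror("bind remount");
    printf("bind remount of bind mount:       source read-only=%d bind read-only=%d\n",
           dir_is_readonly(src), dir_is_readonly(dst));

    umount(dst); umount(src);
    rmdir(dst);  rmdir(src);
    return 0;
}
```

Under the patch's check, a container holding CAP_SYS_ADMIN only inside its VE takes the superblock path for a superblock it does not own (the second printf line above is the behaviour it should be limited to); the strict variant refuses that while still letting the container remount filesystems that are its own.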