Skip to content

L
lxc
Unverified Commit 3a6678c7 by Christian Brauner
Options

attach: fix namespace preservation

Signed-off-by: 's avatarChristian Brauner <christian.brauner@ubuntu.com>
parent 00df5330
Showing with 25 additions and 16 deletions
src/lxc/attach.c
...@@ -487,16 +487,16 @@ static int same_nsfd(int dfd_pid1, int dfd_pid2, const char *ns_path) ...@@ -487,16 +487,16 @@ static int same_nsfd(int dfd_pid1, int dfd_pid2, const char *ns_path)
ret = fstatat(dfd_pid1, ns_path, &ns_st1, 0); ret = fstatat(dfd_pid1, ns_path, &ns_st1, 0);
if (ret) if (ret)
return -1; return -errno;
ret = fstatat(dfd_pid2, ns_path, &ns_st2, 0); ret = fstatat(dfd_pid2, ns_path, &ns_st2, 0);
if (ret) if (ret)
return -1; return -errno;
/* processes are in the same namespace */ /* processes are in the same namespace */
if ((ns_st1.st_dev == ns_st2.st_dev) && if ((ns_st1.st_dev == ns_st2.st_dev) &&
(ns_st1.st_ino == ns_st2.st_ino)) (ns_st1.st_ino == ns_st2.st_ino))
return -EINVAL; return 1;
return 0; return 0;
} }
...@@ -510,19 +510,23 @@ static int same_ns(int dfd_pid1, int dfd_pid2, const char *ns_path) ...@@ -510,19 +510,23 @@ static int same_ns(int dfd_pid1, int dfd_pid2, const char *ns_path)
(PROTECT_LOOKUP_BENEATH_WITH_MAGICLINKS & (PROTECT_LOOKUP_BENEATH_WITH_MAGICLINKS &
~(RESOLVE_NO_XDEV | RESOLVE_BENEATH)), 0); ~(RESOLVE_NO_XDEV | RESOLVE_BENEATH)), 0);
if (ns_fd2 < 0) { if (ns_fd2 < 0) {
/* The kernel does not support this namespace. This is not an error. */
if (errno == ENOENT) if (errno == ENOENT)
return -ENOENT; return -ENOENT;
return log_error_errno(-errno, errno, "Failed to open %d(%s)", return syserrno(-errno, "Failed to open %d(%s)", dfd_pid2, ns_path);
dfd_pid2, ns_path);
} }
ret = same_nsfd(dfd_pid1, dfd_pid2, ns_path); ret = same_nsfd(dfd_pid1, dfd_pid2, ns_path);
if (ret < 0) switch (ret) {
return ret; case -ENOENT:
__fallthrough;
case 1:
return ret_errno(ENOENT);
case 0:
/* processes are in different namespaces */
return move_fd(ns_fd2);
}
/* processes are in different namespaces */ return ret;
return move_fd(ns_fd2);
} }
static int __prepare_namespaces_pidfd(struct attach_context *ctx) static int __prepare_namespaces_pidfd(struct attach_context *ctx)
...@@ -536,14 +540,19 @@ static int __prepare_namespaces_pidfd(struct attach_context *ctx) ...@@ -536,14 +540,19 @@ static int __prepare_namespaces_pidfd(struct attach_context *ctx)
ret = same_nsfd(ctx->dfd_self_pid, ret = same_nsfd(ctx->dfd_self_pid,
ctx->dfd_init_pid, ctx->dfd_init_pid,
ns_info[i].proc_path); ns_info[i].proc_path);
if (ret == -EINVAL) switch (ret) {
case -ENOENT:
__fallthrough;
case 1:
ctx->ns_inherited &= ~ns_info[i].clone_flag; ctx->ns_inherited &= ~ns_info[i].clone_flag;
else if (ret < 0) break;
return log_error_errno(-1, errno, case 0:
"Failed to determine whether %s namespace is shared",
ns_info[i].proc_name);
else
TRACE("Shared %s namespace needs attach", ns_info[i].proc_name); TRACE("Shared %s namespace needs attach", ns_info[i].proc_name);
break;
}
return syserrno(-errno, "Failed to determine whether %s namespace is shared",
ns_info[i].proc_name);
} }
return 0; return 0;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment