start: resolve clone flags

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

start: resolve clone flags
8bc8c715 · Christian Brauner · abeb5bba · 8bc8c715 · 8bc8c715
Unverified Commit 8bc8c715 authored Feb 02, 2018 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 34 deletions

confile.c src/lxc/confile.c +12 -0

start.c src/lxc/start.c +22 -34

No files found.
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -2194,6 +2194,12 @@ static int set_config_namespace_clone(const char *key, const char *value,
 	if (lxc_config_value_empty(value))
 		return clr_config_namespace_clone(key, lxc_conf, data);

+	if (lxc_conf->ns_keep != 0) {
+		ERROR("%s - Cannot set both \"lxc.namespace.clone\" and "
+		      "\"lxc.namespace.keep\"", strerror(EINVAL));
+		return -EINVAL;
+	}
+
 	ns = strdup(value);
 	if (!ns)
 		return -1;
@@ -2224,6 +2230,12 @@ static int set_config_namespace_keep(const char *key, const char *value,
 	if (lxc_config_value_empty(value))
 		return clr_config_namespace_keep(key, lxc_conf, data);

+	if (lxc_conf->ns_clone != 0) {
+		ERROR("%s - Cannot set both \"lxc.namespace.clone\" and "
+		      "\"lxc.namespace.keep\"", strerror(EINVAL));
+		return -EINVAL;
+	}
+
 	ns = strdup(value);
 	if (!ns)
 		return -1;

--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1338,44 +1338,31 @@ static int lxc_recv_ttys_from_child(struct lxc_handler *handler)

 int resolve_clone_flags(struct lxc_handler *handler)
 {
-	handler->clone_flags = CLONE_NEWNS;
-
-	if (!handler->conf->ns_share[LXC_NS_USER]) {
-		if (!lxc_list_empty(&handler->conf->id_map))
-			handler->clone_flags |= CLONE_NEWUSER;
-	} else {
-		INFO("Inheriting user namespace");
-	}
+	int i;
+	struct lxc_conf *conf = handler->conf;

-	if (!handler->conf->ns_share[LXC_NS_NET]) {
-		if (!lxc_requests_empty_network(handler))
-			handler->clone_flags |= CLONE_NEWNET;
-	} else {
-		INFO("Inheriting net namespace");
-	}
+	for (i = 0; i < LXC_NS_MAX; i++) {
+		if (conf->ns_keep != 0) {
+			if ((conf->ns_keep & ns_info[i].clone_flag) == 0)
+				handler->clone_flags |= ns_info[i].clone_flag;
+		} else if (conf->ns_clone != 0) {
+			if ((conf->ns_clone & ns_info[i].clone_flag) > 0)
+				handler->clone_flags |= ns_info[i].clone_flag;
+		} else {
+			if (i == LXC_NS_USER && lxc_list_empty(&handler->conf->id_map))
+				continue;

-	if (!handler->conf->ns_share[LXC_NS_IPC])
-		handler->clone_flags |= CLONE_NEWIPC;
-	else
-		INFO("Inheriting ipc namespace");
+			if (i == LXC_NS_NET && lxc_requests_empty_network(handler))
+				continue;

-	if (!handler->conf->ns_share[LXC_NS_UTS])
-		handler->clone_flags |= CLONE_NEWUTS;
-	else
-		INFO("Inheriting uts namespace");
+			handler->clone_flags |= ns_info[i].clone_flag;
+		}

-	if (!handler->conf->ns_share[LXC_NS_PID])
-		handler->clone_flags |= CLONE_NEWPID;
-	else
-		INFO("Inheriting pid namespace");
+		if (!conf->ns_share[i])
+			continue;

-	if (cgns_supported()) {
-		if (!handler->conf->ns_share[LXC_NS_CGROUP])
-			handler->clone_flags |= CLONE_NEWCGROUP;
-		else
-			INFO("Inheriting cgroup namespace");
-	} else if (handler->conf->ns_share[LXC_NS_CGROUP]) {
-			return -EINVAL;
+		handler->clone_flags &= ~ns_info[i].clone_flag;
+		TRACE("Sharing %s namespace", ns_info[i].proc_name);
 	}

 	return 0;
@@ -1567,7 +1554,8 @@ static int lxc_spawn(struct lxc_handler *handler)
 	 * again.
 	 */
 	if (wants_to_map_ids) {
-		if (!handler->conf->ns_share[LXC_NS_USER]) {
+		if (!handler->conf->ns_share[LXC_NS_USER] ||
+		    (handler->conf->ns_keep & CLONE_NEWUSER) > 0) {
 			ret = lxc_map_ids(id_map, handler->pid);
 			if (ret < 0) {
 				ERROR("Failed to set up id mapping.");