Chen Yisong
lxc
Commits
cb1be30a
Unverified
Commit
cb1be30a
authored
Nov 01, 2018
by
Stéphane Graber
Committed by
GitHub
Nov 01, 2018
Merge pull request #2713 from brauner/2018-10-30/mount_injection
conf: expand shmounts lxc.mount.auto option
parents
007ef61a
ecce75a6
Showing
4 changed files
with
67 additions
and
91 deletions
+67
-91
confile.c
src/lxc/confile.c
+18
-5
lxccontainer.c
src/lxc/lxccontainer.c
+7
-2
start.c
src/lxc/start.c
+0
-80
mount_injection.c
src/tests/mount_injection.c
+42
-4
src/lxc/confile.c
@@ -1788,18 +1788,31 @@ static int set_config_mount_auto(const char *key, const char *value,
lxc_conf
->
auto_mounts
|=
allowed_auto_mounts
[
i
].
flag
;
if
(
is_shmounts
)
{
lxc_conf
->
shmount
.
path_host
=
strdup
(
token
+
STRLITERALLEN
(
"shmounts:"
));
if
(
!
lxc_conf
->
shmount
.
path_host
)
{
char
*
container_path
;
char
*
host_path
;
host_path
=
token
+
STRLITERALLEN
(
"shmounts:"
);
if
(
*
host_path
==
'\0'
)
{
SYSERROR
(
"Failed to copy shmounts host path"
);
goto
on_error
;
}
if
(
strcmp
(
lxc_conf
->
shmount
.
path_host
,
""
)
==
0
)
{
ERROR
(
"Invalid shmounts path: empty"
);
container_path
=
strchr
(
host_path
,
':'
);
if
(
!
container_path
||
*
(
container_path
+
1
)
==
'\0'
)
container_path
=
"/dev/.lxc-mounts"
;
else
*
container_path
++
=
'\0'
;
ERROR
(
"AAAA: %s"
,
host_path
);
ERROR
(
"BBBB: %s"
,
container_path
);
lxc_conf
->
shmount
.
path_host
=
strdup
(
host_path
);
if
(
!
lxc_conf
->
shmount
.
path_host
)
{
SYSERROR
(
"Failed to copy shmounts host path"
);
goto
on_error
;
}
lxc_conf
->
shmount
.
path_cont
=
strdup
(
"/dev/.lxc-mounts"
);
lxc_conf
->
shmount
.
path_cont
=
strdup
(
container_path
);
if
(
!
lxc_conf
->
shmount
.
path_cont
)
{
SYSERROR
(
"Failed to copy shmounts container path"
);
goto
on_error
;
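Review bot: The two `ERROR("AAAA: %s", host_path);` and `ERROR("BBBB: %s", container_path);` calls after the `strchr` split are leftover debugging output and should go before merge; they log at ERROR level on every parse of a valid `shmounts:` entry. The empty-value check above them reports `SYSERROR("Failed to copy shmounts host path")` although nothing was copied, so the appended errno text is unrelated and the message misleads; the wording the removed code used, `ERROR("Invalid shmounts path: empty");`, fits. A value with a trailing separator and nothing after it falls back to the default container path but leaves the `:` in `host_path`, so `path_host` is stored with a trailing colon; terminating in both cases, `if (container_path) *container_path++ = '\0';` followed by `if (!container_path || *container_path == '\0') container_path = "/dev/.lxc-mounts";`, handles that. The `*container_path++ = '\0'` writes into `token`, which is only safe if `token` is a private copy of the configuration value; that is not visible in this hunk. set_config_mount_auto starts and ends outside the hunk.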
src/lxc/lxccontainer.c
@@ -4976,6 +4976,7 @@ static int do_lxcapi_mount(struct lxc_container *c, const char *source,
char
template
[
PATH_MAX
],
path
[
PATH_MAX
];
pid_t
pid
,
init_pid
;
struct
stat
sb
;
bool
is_dir
;
int
ret
=
-
1
,
fd
=
-
EBADF
;
if
(
!
c
||
!
c
->
lxc_conf
)
{
@@ -5006,7 +5007,8 @@ static int do_lxcapi_mount(struct lxc_container *c, const char *source,
}
}
if
(
S_ISDIR
(
sb
.
st_mode
))
{
is_dir
=
(
S_ISDIR
(
sb
.
st_mode
)
!=
0
);
if
(
is_dir
)
{
sret
=
mkdtemp
(
template
);
if
(
!
sret
)
{
SYSERROR
(
"Could not create shmounts temporary dir"
);
@@ -5089,7 +5091,10 @@ static int do_lxcapi_mount(struct lxc_container *c, const char *source,
ret
=
0
;
(
void
)
umount2
(
template
,
MNT_DETACH
);
(
void
)
unlink
(
template
);
if
(
is_dir
)
(
void
)
rmdir
(
template
);
else
(
void
)
unlink
(
template
);
out
:
if
(
fd
>=
0
)
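Review bot: `bool is_dir;` in the first hunk has no initializer, while the value is assigned only after the `stat()` result is examined in the second hunk and read in the cleanup of the third; `bool is_dir = false;` removes the dependence on every intermediate path either setting it or bypassing that cleanup, and keeps -Wmaybe-uninitialized quiet. The `!= 0` in `is_dir = (S_ISDIR(sb.st_mode) != 0);` is redundant for a `bool` and can be dropped. Switching the cleanup to `rmdir` for a directory template is right, since `unlink` on a directory fails with EISDIR and previously left the mkdtemp directory behind. do_lxcapi_mount begins and ends outside these hunks.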
src/lxc/start.c
@@ -1578,75 +1578,6 @@ static inline int do_share_ns(void *arg)
return
0
;
}
static
int
lxc_setup_shmount
(
struct
lxc_conf
*
conf
)
{
size_t
len_cont
;
char
*
full_cont_path
;
int
ret
=
-
1
;
/* Construct the shmount path under the container root. */
len_cont
=
strlen
(
conf
->
rootfs
.
mount
)
+
1
+
strlen
(
conf
->
shmount
.
path_cont
);
/* +1 for the terminating '\0' */
full_cont_path
=
malloc
(
len_cont
+
1
);
if
(
!
full_cont_path
)
{
SYSERROR
(
"Not enough memory"
);
return
-
ENOMEM
;
}
ret
=
snprintf
(
full_cont_path
,
len_cont
+
1
,
"%s/%s"
,
conf
->
rootfs
.
mount
,
conf
->
shmount
.
path_cont
);
if
(
ret
<
0
||
ret
>=
len_cont
+
1
)
{
SYSERROR
(
"Failed to create filename"
);
free
(
full_cont_path
);
return
-
1
;
}
/* Check if shmount point is already set up. */
if
(
is_shared_mountpoint
(
conf
->
shmount
.
path_host
))
{
INFO
(
"Path
\"
%s
\"
is already MS_SHARED. Reusing"
,
conf
->
shmount
.
path_host
);
free
(
full_cont_path
);
return
0
;
}
/* Create host and cont mount paths */
ret
=
mkdir_p
(
conf
->
shmount
.
path_host
,
0711
);
if
(
ret
<
0
&&
errno
!=
EEXIST
)
{
SYSERROR
(
"Failed to create directory
\"
%s
\"
"
,
conf
->
shmount
.
path_host
);
free
(
full_cont_path
);
return
ret
;
}
ret
=
mkdir_p
(
full_cont_path
,
0711
);
if
(
ret
<
0
&&
errno
!=
EEXIST
)
{
SYSERROR
(
"Failed to create directory
\"
%s
\"
"
,
full_cont_path
);
free
(
full_cont_path
);
return
ret
;
}
/* Prepare host mountpoint */
ret
=
mount
(
"tmpfs"
,
conf
->
shmount
.
path_host
,
"tmpfs"
,
0
,
"size=100k,mode=0711"
);
if
(
ret
<
0
)
{
SYSERROR
(
"Failed to mount
\"
%s
\"
"
,
conf
->
shmount
.
path_host
);
free
(
full_cont_path
);
return
ret
;
}
ret
=
mount
(
conf
->
shmount
.
path_host
,
conf
->
shmount
.
path_host
,
"none"
,
MS_REC
|
MS_SHARED
,
""
);
if
(
ret
<
0
)
{
SYSERROR
(
"Failed to make shared
\"
%s
\"
"
,
conf
->
shmount
.
path_host
);
free
(
full_cont_path
);
return
ret
;
}
INFO
(
"Setup shared mount point
\"
%s
\"
"
,
conf
->
shmount
.
path_host
);
free
(
full_cont_path
);
return
0
;
}
/* lxc_spawn() performs crucial setup tasks and clone()s the new process which
* exec()s the requested container binary.
* Note that lxc_spawn() runs in the parent namespaces. Any operations performed
@@ -1693,17 +1624,6 @@ static int lxc_spawn(struct lxc_handler *handler)
if
(
ret
<
0
)
goto
out_sync_fini
;
if
(
conf
->
shmount
.
path_host
)
{
if
(
!
conf
->
shmount
.
path_cont
)
goto
out_sync_fini
;
ret
=
lxc_setup_shmount
(
conf
);
if
(
ret
<
0
)
{
ERROR
(
"Failed to setup shared mount point"
);
goto
out_sync_fini
;
}
}
if
(
handler
->
ns_clone_flags
&
CLONE_NEWNET
)
{
if
(
!
lxc_list_empty
(
&
conf
->
network
))
{
src/tests/mount_injection.c
@@ -386,16 +386,54 @@ static int do_unpriv_container_test()
return
perform_container_test
(
NAME
"unprivileged"
,
config_items
);
}
static
bool
lxc_setup_shmount
(
const
char
*
shmount_path
)
{
int
ret
;
ret
=
mkdir_p
(
shmount_path
,
0711
);
if
(
ret
<
0
&&
errno
!=
EEXIST
)
{
fprintf
(
stderr
,
"Failed to create directory
\"
%s
\"\n
"
,
shmount_path
);
return
false
;
}
/* Prepare host mountpoint */
ret
=
mount
(
"tmpfs"
,
shmount_path
,
"tmpfs"
,
0
,
"size=100k,mode=0711"
);
if
(
ret
<
0
)
{
fprintf
(
stderr
,
"Failed to mount
\"
%s
\"\n
"
,
shmount_path
);
return
false
;
}
ret
=
mount
(
shmount_path
,
shmount_path
,
"none"
,
MS_REC
|
MS_SHARED
,
""
);
if
(
ret
<
0
)
{
fprintf
(
stderr
,
"Failed to make shared
\"
%s
\"\n
"
,
shmount_path
);
return
false
;
}
return
true
;
}
static
void
lxc_teardown_shmount
(
char
*
shmount_path
)
{
(
void
)
umount2
(
shmount_path
,
MNT_DETACH
);
(
void
)
recursive_destroy
(
shmount_path
);
}
int
main
(
int
argc
,
char
*
argv
[])
{
if
(
!
lxc_setup_shmount
(
"/tmp/mount_injection_test"
))
exit
(
EXIT_FAILURE
);
if
(
do_priv_container_test
())
{
fprintf
(
stderr
,
"Privileged mount injection test failed
\n
"
);
return
-
1
;
exit
(
EXIT_FAILURE
)
;
}
if
(
do_unpriv_container_test
())
{
if
(
do_unpriv_container_test
())
{
fprintf
(
stderr
,
"Unprivileged mount injection test failed
\n
"
);
return
-
1
;
exit
(
EXIT_FAILURE
)
;
}
return
0
;
lxc_teardown_shmount
(
"/tmp/mount_injection_test"
);
exit
(
EXIT_SUCCESS
);
}
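Review bot: On both test-failure paths `main` exits without calling `lxc_teardown_shmount`, so after a failed run the tmpfs stays mounted MS_SHARED on `/tmp/mount_injection_test` and the directory remains; the next run's `mkdir_p` accepts EEXIST and stacks another tmpfs on top. Replacing the two `exit(EXIT_FAILURE);` inside the if-blocks with `goto on_error;` and appending `on_error: lxc_teardown_shmount("/tmp/mount_injection_test"); exit(EXIT_FAILURE);` after the success exit keeps the host clean. `lxc_setup_shmount` creates a fixed, predictable name under /tmp while running as root and tolerates a pre-existing entry, which is then mounted over and later passed to `recursive_destroy`; creating the directory with `mkdtemp` on a template, or failing when the path already exists, is the safer shape for a privileged test. `lxc_teardown_shmount(char *shmount_path)` is only given a string literal and does not modify it, so the parameter should be `const char *` to match `lxc_setup_shmount`.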