machined: refuse bind mounts on containers that have user namespaces applied
As the kernel won't map the UIDs, this is simply not safe, and hence we should generate a clean error and refuse it. We can restore this feature later should a "shiftfs" become available in the kernel.
This commit is contained in:
parent
3aca8326bd
commit
7f43928ba6
@ -518,19 +518,14 @@
|
||||
<varlistentry>
|
||||
<term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
|
||||
|
||||
<listitem><para>Bind mounts a directory from the host into the
|
||||
specified container. The first directory argument is the
|
||||
source directory on the host, the second directory argument
|
||||
is the destination directory in the container. When the
|
||||
latter is omitted, the destination path in the container is
|
||||
the same as the source path on the host. When combined with
|
||||
the <option>--read-only</option> switch, a ready-only bind
|
||||
mount is created. When combined with the
|
||||
<option>--mkdir</option> switch, the destination path is first
|
||||
created before the mount is applied. Note that this option is
|
||||
currently only supported for
|
||||
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||
containers.</para></listitem>
|
||||
<listitem><para>Bind mounts a directory from the host into the specified container. The first directory
|
||||
argument is the source directory on the host, the second directory argument is the destination directory in the
|
||||
container. When the latter is omitted, the destination path in the container is the same as the source path on
|
||||
the host. When combined with the <option>--read-only</option> switch, a ready-only bind mount is created. When
|
||||
combined with the <option>--mkdir</option> switch, the destination path is first created before the mount is
|
||||
applied. Note that this option is currently only supported for
|
||||
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> containers,
|
||||
and only if user namespacing (<option>--private-users</option>) is not used.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
|
@ -841,6 +841,7 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
|
||||
int read_only, make_directory;
|
||||
pid_t child;
|
||||
siginfo_t si;
|
||||
uid_t uid;
|
||||
int r;
|
||||
|
||||
assert(message);
|
||||
@ -875,6 +876,12 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
|
||||
if (r == 0)
|
||||
return 1; /* Will call us back */
|
||||
|
||||
r = machine_get_uid_shift(m, &uid);
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (uid != 0)
|
||||
return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Can't bind mount on container with user namespacing applied.");
|
||||
|
||||
/* One day, when bind mounting /proc/self/fd/n works across
|
||||
* namespace boundaries we should rework this logic to make
|
||||
* use of it... */
|
||||
|
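Review bot: The reason for refusing is only in the commit message; the new `if (uid != 0)` check in the second hunk has no comment, so a later reader cannot tell why a non-zero value is rejected rather than handled, and the check is easy to remove as "overly strict". I would add above it: `/* The kernel does not shift UIDs on bind mounts, so on a container with a non-zero UID shift the mounted tree would appear unmapped inside; refuse rather than expose it. */`. A point of style: the local `uid` declared in the first hunk holds the value returned by machine_get_uid_shift(), i.e. a shift, not a UID; naming it `uid_shift` would make the `!= 0` comparison self-explanatory. The check is placed after the polkit round-trip (`return 1; /* Will call us back */`), which looks deliberate, so unauthorized callers do not learn the container's namespacing state — worth keeping that ordering if this is ever restructured. bus_machine_method_bind_mount's body starts and ends outside the hunk.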