1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00

machined: refuse bind mounts on containers that have user namespaces applied

As the kernel won't map the UIDs this is simply not safe, and hence we
should generate a clean error and refuse it.

We can restore this feature later should a "shiftfs" become available in
the kernel.
This commit is contained in:
Lennart Poettering 2017-02-16 13:59:13 +01:00
parent 3aca8326bd
commit 7f43928ba6
2 changed files with 15 additions and 13 deletions

View File

@ -518,19 +518,14 @@
<varlistentry>
<term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
<listitem><para>Bind mounts a directory from the host into the
specified container. The first directory argument is the
source directory on the host, the second directory argument
is the destination directory in the container. When the
latter is omitted, the destination path in the container is
the same as the source path on the host. When combined with
the <option>--read-only</option> switch, a ready-only bind
mount is created. When combined with the
<option>--mkdir</option> switch, the destination path is first
created before the mount is applied. Note that this option is
currently only supported for
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
containers.</para></listitem>
<listitem><para>Bind mounts a directory from the host into the specified container. The first directory
argument is the source directory on the host, the second directory argument is the destination directory in the
container. When the latter is omitted, the destination path in the container is the same as the source path on
the host. When combined with the <option>--read-only</option> switch, a ready-only bind mount is created. When
combined with the <option>--mkdir</option> switch, the destination path is first created before the mount is
applied. Note that this option is currently only supported for
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> containers,
and only if user namespacing (<option>--private-users</option>) is not used.</para></listitem>
</varlistentry>
<varlistentry>

View File

@ -841,6 +841,7 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
int read_only, make_directory;
pid_t child;
siginfo_t si;
uid_t uid;
int r;
assert(message);
@ -875,6 +876,12 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
if (r == 0)
return 1; /* Will call us back */
r = machine_get_uid_shift(m, &uid);
if (r < 0)
return r;
if (uid != 0)
return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Can't bind mount on container with user namespacing applied.");
/* One day, when bind mounting /proc/self/fd/n works across
* namespace boundaries we should rework this logic to make
* use of it... */