mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00

machined: refuse bind mounts on containers that have user namespaces applied

As the kernel won't map the UIDs this is simply not safe, and hence we
should generate a clean error and refuse it.

We can restore this feature later should a "shiftfs" become available in
the kernel.
Lennart Poettering 2017-02-16 13:59:13 +01:00
parent 3aca8326bd
commit 7f43928ba6
2 changed files with 15 additions and 13 deletions


@ -518,19 +518,14 @@
<varlistentry> <varlistentry>
<term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term> <term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>
<listitem><para>Bind mounts a directory from the host into the <listitem><para>Bind mounts a directory from the host into the specified container. The first directory
specified container. The first directory argument is the argument is the source directory on the host, the second directory argument is the destination directory in the
source directory on the host, the second directory argument container. When the latter is omitted, the destination path in the container is the same as the source path on
is the destination directory in the container. When the the host. When combined with the <option>--read-only</option> switch, a ready-only bind mount is created. When
latter is omitted, the destination path in the container is combined with the <option>--mkdir</option> switch, the destination path is first created before the mount is
the same as the source path on the host. When combined with applied. Note that this option is currently only supported for
the <option>--read-only</option> switch, a ready-only bind <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> containers,
mount is created. When combined with the and only if user namespacing (<option>--private-users</option>) is not used.</para></listitem>
<option>--mkdir</option> switch, the destination path is first
created before the mount is applied. Note that this option is
currently only supported for
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
containers.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
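Review bot: while this paragraph is being reflowed anyway, fix the pre-existing typo "a ready-only bind mount is created" (present in both the old and the new column) to "a read-only bind mount is created". The added clause "and only if user namespacing (<option>--private-users</option>) is not used" states the restriction but not the reason; a short addition along the lines of "since UIDs and GIDs are not mapped into the container's user namespace" would tell readers the refusal is by design, matching the rationale in the commit message, and it would also help to name the error the caller gets (the C change returns SD_BUS_ERROR_NOT_SUPPORTED).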


@ -841,6 +841,7 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
int read_only, make_directory; int read_only, make_directory;
pid_t child; pid_t child;
siginfo_t si; siginfo_t si;
uid_t uid;
int r; int r;
assert(message); assert(message);
@ -875,6 +876,12 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
if (r == 0) if (r == 0)
return 1; /* Will call us back */ return 1; /* Will call us back */
r = machine_get_uid_shift(m, &uid);
if (r < 0)
return r;
if (uid != 0)
return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Can't bind mount on container with user namespacing applied.");
/* One day, when bind mounting /proc/self/fd/n works across /* One day, when bind mounting /proc/self/fd/n works across
* namespace boundaries we should rework this logic to make * namespace boundaries we should rework this logic to make
* use of it... */ * use of it... */