From a8dfe4e08da61a454afca3c94e94a88fb310ebba Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Mon, 30 Nov 2015 08:58:53 +0100 Subject: [PATCH] Added lxc.monitor.unshare If manual mounting with elevated permissions is required this can currently only be done in pre-start hooks or before starting LXC. In both cases the mounts would appear in the host's namespace. With this flag the namespace is unshared before the startup sequence, so that mounts performed in the pre-start hook don't show up on the host. Signed-off-by: Wolfgang Bumiller Acked-by: Serge E. Hallyn --- doc/lxc.container.conf.sgml.in | 12 ++++++++++++ src/lxc/conf.h | 3 +++ src/lxc/confile.c | 15 +++++++++++++++ src/lxc/lxccontainer.c | 12 ++++++++++++ 4 files changed, 42 insertions(+) diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in index 7a8c6e056..b19eec942 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in @@ -1671,6 +1671,18 @@ mknod errno 0 + + + + + + + If not zero the mount namespace will be unshared from the host + before initializing the container (before running any pre-start + hooks). Default is 0. + + + diff --git a/src/lxc/conf.h b/src/lxc/conf.h index 1374d4a79..b0274ec4d 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h @@ -347,6 +347,9 @@ struct lxc_conf { struct lxc_list groups; int nbd_idx; + /* unshare the mount namespace in the monitor */ + int monitor_unshare; + /* set to true when rootfs has been setup */ bool rootfs_setup; diff --git a/src/lxc/confile.c b/src/lxc/confile.c index c2eaaa6ce..ce6786cea 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c 
@@ -103,6 +103,7 @@ static int config_haltsignal(const char *, const char *, struct lxc_conf *); static int config_rebootsignal(const char *, const char *, struct lxc_conf *); static int config_stopsignal(const char *, const char *, struct lxc_conf *); static int config_start(const char *, const char *, struct lxc_conf *); +static int config_monitor(const char *, const char *, struct lxc_conf *); static int config_group(const char *, const char *, struct lxc_conf *); static int config_environment(const char *, const char *, struct lxc_conf *); static int config_init_cmd(const char *, const char *, struct lxc_conf *); @@ -173,6 +174,7 @@ static struct lxc_config_t config[] = { { "lxc.start.auto", config_start }, { "lxc.start.delay", config_start }, { "lxc.start.order", config_start }, + { "lxc.monitor.unshare", config_monitor }, { "lxc.group", config_group }, { "lxc.environment", config_environment }, { "lxc.init_cmd", config_init_cmd }, @@ -1141,6 +1143,17 @@ static int config_start(const char *key, const char *value, return -1; } +static int config_monitor(const char *key, const char *value, + struct lxc_conf *lxc_conf) +{ + if(strcmp(key, "lxc.monitor.unshare") == 0) { + lxc_conf->monitor_unshare = atoi(value); + return 0; + } + SYSERROR("Unknown key: %s", key); + return -1; +} + static int config_group(const char *key, const char *value, struct lxc_conf *lxc_conf) { @@ -2483,6 +2496,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv, return lxc_get_conf_int(c, retv, inlen, c->start_delay); else if (strcmp(key, "lxc.start.order") == 0) return lxc_get_conf_int(c, retv, inlen, c->start_order); + else if (strcmp(key, "lxc.monitor.unshare") == 0) + return lxc_get_conf_int(c, retv, inlen, c->monitor_unshare); else if (strcmp(key, "lxc.group") == 0) return lxc_get_item_groups(c, retv, inlen); else if (strcmp(key, "lxc.seccomp") == 0) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 69816da23..280484189 100644 
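Review bot: `lxc_conf->monitor_unshare = atoi(value)` in the new config_monitor accepts any string: `lxc.monitor.unshare = yes` or a typo silently parses to 0 and turns the option off, while a stray `-1` turns it on, and the man page only promises "if not zero". Since this flag decides whether hook mounts stay out of the host's mount namespace, a silent off is the unsafe direction; parse with `strtol`, reject trailing garbage and overflow, and return -1 exactly as the unknown-key path already does. The fallback `SYSERROR("Unknown key: %s", key)` also appends errno although no system call failed there, so `ERROR` is the accurate macro. If the neighbouring config_start parser uses atoi as well (its body is outside the hunk), that is an argument for tightening both rather than for keeping the pattern.
```c
static int config_monitor(const char *key, const char *value,
			  struct lxc_conf *lxc_conf)
{
	char *end;
	long v;

	if (strcmp(key, "lxc.monitor.unshare") != 0) {
		ERROR("Unknown key: %s", key);
		return -1;
	}

	/* Reject anything that is not a plain integer instead of
	 * silently turning the option off. */
	errno = 0;
	v = strtol(value, &end, 10);
	if (end == value || *end != '\0' || errno == ERANGE) {
		ERROR("Invalid value for %s: %s", key, value);
		return -1;
	}
	lxc_conf->monitor_unshare = (int)v;
	return 0;
}
```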
--- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a conf->reboot = 0; + /* Unshare the mount namespace if requested */ + if (conf->monitor_unshare) { + if (unshare(CLONE_NEWNS)) { + SYSERROR("failed to unshare mount namespace"); + return false; + } + if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) { + SYSERROR("Failed to make / rslave at startup"); + return false; + } + } + reboot: if (lxc_check_inherited(conf, daemonize, -1)) { ERROR("Inherited fds found");
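Review bot: The new `unshare(CLONE_NEWNS)` block needs CAP_SYS_ADMIN in the caller's current user namespace, so an unprivileged (user-namespace) container that sets `lxc.monitor.unshare = 1` fails here with EPERM before any hook runs, and neither the code comment nor the man-page text in this patch says so. The block also runs in whatever process reaches this point: for a daemonized start that is presumably the forked monitor, but for a non-daemonized start (`daemonize` is still visible in the `lxc_check_inherited` call below) it looks like the API caller's own process whose mount namespace is detached from the host for the rest of its life, and the `return false` after a failed mount() leaves it already unshared. I would record both in the comment, `/* Unshare the mount namespace if requested.  Needs CAP_SYS_ADMIN in the current user namespace; in a non-daemonized start this permanently detaches the calling process, not just the monitor. */`, and state the privilege requirement in the lxc.monitor.unshare man-page entry. Making `/` rslave immediately afterwards is the right choice, since the new namespace still receives host mounts while hook mounts cannot propagate back. do_lxcapi_start begins before this hunk.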