proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-07-27 16:18:16 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #2560 from brauner/2018-08-21/fix_fully_unprivileged_containers

Browse Source 
conf: fix devpts mounting when fully unprivileged
This commit is contained in:
Stéphane Graber 2018-08-21 10:53:57 -04:00 committed by GitHub
commit ac907950d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 28 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
src/lxc/conf.c
View File

@ -1625,8 +1625,10 @@ static const struct id_map *find_mapped_nsid_entry(struct lxc_conf *conf,
static int lxc_setup_devpts(struct lxc_conf *conf) static int lxc_setup_devpts(struct lxc_conf *conf)
{ {
int ret; int ret;
char default_devpts_mntopts[] = "gid=5,newinstance,ptmxmode=0666,mode=0620"; char **opts;
char devpts_mntopts[256]; char devpts_mntopts[256];
char *mntopt_sets[5];
char default_devpts_mntopts[256] = "gid=5,newinstance,ptmxmode=0666,mode=0620";
if (conf->pty_max <= 0) { if (conf->pty_max <= 0) {
DEBUG("No new devpts instance will be mounted since no pts " DEBUG("No new devpts instance will be mounted since no pts "
@ -1652,29 +1654,33 @@ static int lxc_setup_devpts(struct lxc_conf *conf)
return -1; return -1;
} }
/* gid=5 && max= */
mntopt_sets[0] = devpts_mntopts;
/* !gid=5 && max= */
mntopt_sets[1] = devpts_mntopts + sizeof("gid=5");
/* gid=5 && !max= */
mntopt_sets[2] = default_devpts_mntopts;
/* !gid=5 && !max= */
mntopt_sets[3] = default_devpts_mntopts + sizeof("gid=5");
/* end */
mntopt_sets[4] = NULL;
for (ret = -1, opts = mntopt_sets; opts && *opts; opts++) {
/* mount new devpts instance */ /* mount new devpts instance */
ret = mount("devpts", "/dev/pts", "devpts", MS_NOSUID | MS_NOEXEC, devpts_mntopts); ret = mount("devpts", "/dev/pts", "devpts", MS_NOSUID | MS_NOEXEC, *opts);
if (ret < 0) { if (ret == 0)
/* try mounting without "max" */ break;
if (errno == EINVAL) {
devpts_mntopts[sizeof(default_devpts_mntopts) - 1] = '\0';
ret = mount("devpts", "/dev/pts", "devpts",
MS_NOSUID | MS_NOEXEC, devpts_mntopts);
if (ret < 0) {
SYSERROR("Failed to mount new devpts instance");
return -1;
}
} }
/* try mounting without gid=5 */
ret = mount("devpts", "/dev/pts", "devpts", MS_NOSUID | MS_NOEXEC,
devpts_mntopts + sizeof("gid=5"));
if (ret < 0) { if (ret < 0) {
SYSERROR("Failed to mount new devpts instance"); SYSERROR("Failed to mount new devpts instance");
return -1; return -1;
} }
} DEBUG("Mount new devpts instance with options \"%s\"", *opts);
DEBUG("Mount new devpts instance with options \"%s\"", devpts_mntopts);
/* Remove any pre-existing /dev/ptmx file. */ /* Remove any pre-existing /dev/ptmx file. */
ret = remove("/dev/ptmx"); ret = remove("/dev/ptmx");