proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-07 15:29:02 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #2713 from brauner/2018-10-30/mount_injection

Browse Source 
conf: expand shmounts lxc.mount.auto option
This commit is contained in:
Stéphane Graber 2018-11-01 11:42:11 -04:00 committed by GitHub
commit cb1be30a7d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 73 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/lxc/confile.c
View File

@ -1788,18 +1788,31 @@ static int set_config_mount_auto(const char *key, const char *value,
lxc_conf->auto_mounts |= allowed_auto_mounts[i].flag; lxc_conf->auto_mounts |= allowed_auto_mounts[i].flag;
if (is_shmounts) { if (is_shmounts) {
lxc_conf->shmount.path_host = strdup(token + STRLITERALLEN("shmounts:")); char *container_path;
char *host_path;
host_path = token + STRLITERALLEN("shmounts:");
if (*host_path == '\0') {
SYSERROR("Failed to copy shmounts host path");
goto on_error;
}
container_path = strchr(host_path, ':');
if (!container_path || *(container_path + 1) == '\0')
container_path = "/dev/.lxc-mounts";
else
*container_path++ = '\0';
ERROR("AAAA: %s", host_path);
ERROR("BBBB: %s", container_path);
lxc_conf->shmount.path_host = strdup(host_path);
if (!lxc_conf->shmount.path_host) { if (!lxc_conf->shmount.path_host) {
SYSERROR("Failed to copy shmounts host path"); SYSERROR("Failed to copy shmounts host path");
goto on_error; goto on_error;
} }
if (strcmp(lxc_conf->shmount.path_host, "") == 0) { lxc_conf->shmount.path_cont = strdup(container_path);
ERROR("Invalid shmounts path: empty");
goto on_error;
}
lxc_conf->shmount.path_cont = strdup("/dev/.lxc-mounts");
if(!lxc_conf->shmount.path_cont) { if(!lxc_conf->shmount.path_cont) {
SYSERROR("Failed to copy shmounts container path"); SYSERROR("Failed to copy shmounts container path");
goto on_error; goto on_error;

7
src/lxc/lxccontainer.c
View File

@ -4976,6 +4976,7 @@ static int do_lxcapi_mount(struct lxc_container *c, const char *source,
char template[PATH_MAX], path[PATH_MAX]; char template[PATH_MAX], path[PATH_MAX];
pid_t pid, init_pid; pid_t pid, init_pid;
struct stat sb; struct stat sb;
bool is_dir;
int ret = -1, fd = -EBADF; int ret = -1, fd = -EBADF;
if (!c || !c->lxc_conf) { if (!c || !c->lxc_conf) {
@ -5006,7 +5007,8 @@ static int do_lxcapi_mount(struct lxc_container *c, const char *source,
} }
} }
if (S_ISDIR(sb.st_mode)) { is_dir = (S_ISDIR(sb.st_mode) != 0);
if (is_dir) {
sret = mkdtemp(template); sret = mkdtemp(template);
if (!sret) { if (!sret) {
SYSERROR("Could not create shmounts temporary dir"); SYSERROR("Could not create shmounts temporary dir");
@ -5089,6 +5091,9 @@ static int do_lxcapi_mount(struct lxc_container *c, const char *source,
ret = 0; ret = 0;
(void)umount2(template, MNT_DETACH); (void)umount2(template, MNT_DETACH);
if (is_dir)
(void)rmdir(template);
else
(void)unlink(template); (void)unlink(template);
out: out:

80
src/lxc/start.c
View File

@ -1578,75 +1578,6 @@ static inline int do_share_ns(void *arg)
return 0; return 0;
} }
static int lxc_setup_shmount(struct lxc_conf *conf)
{
size_t len_cont;
char *full_cont_path;
int ret = -1;
/* Construct the shmount path under the container root. */
len_cont = strlen(conf->rootfs.mount) + 1 + strlen(conf->shmount.path_cont);
/* +1 for the terminating '\0' */
full_cont_path = malloc(len_cont + 1);
if (!full_cont_path) {
SYSERROR("Not enough memory");
return -ENOMEM;
}
ret = snprintf(full_cont_path, len_cont + 1, "%s/%s",
conf->rootfs.mount, conf->shmount.path_cont);
if (ret < 0 || ret >= len_cont + 1) {
SYSERROR("Failed to create filename");
free(full_cont_path);
return -1;
}
/* Check if shmount point is already set up. */
if (is_shared_mountpoint(conf->shmount.path_host)) {
INFO("Path \"%s\" is already MS_SHARED. Reusing",
conf->shmount.path_host);
free(full_cont_path);
return 0;
}
/* Create host and cont mount paths */
ret = mkdir_p(conf->shmount.path_host, 0711);
if (ret < 0 && errno != EEXIST) {
SYSERROR("Failed to create directory \"%s\"",
conf->shmount.path_host);
free(full_cont_path);
return ret;
}
ret = mkdir_p(full_cont_path, 0711);
if (ret < 0 && errno != EEXIST) {
SYSERROR("Failed to create directory \"%s\"", full_cont_path);
free(full_cont_path);
return ret;
}
/* Prepare host mountpoint */
ret = mount("tmpfs", conf->shmount.path_host, "tmpfs", 0,
"size=100k,mode=0711");
if (ret < 0) {
SYSERROR("Failed to mount \"%s\"", conf->shmount.path_host);
free(full_cont_path);
return ret;
}
ret = mount(conf->shmount.path_host, conf->shmount.path_host, "none",
MS_REC | MS_SHARED, "");
if (ret < 0) {
SYSERROR("Failed to make shared \"%s\"", conf->shmount.path_host);
free(full_cont_path);
return ret;
}
INFO("Setup shared mount point \"%s\"", conf->shmount.path_host);
free(full_cont_path);
return 0;
}
/* lxc_spawn() performs crucial setup tasks and clone()s the new process which /* lxc_spawn() performs crucial setup tasks and clone()s the new process which
* exec()s the requested container binary. * exec()s the requested container binary.
* Note that lxc_spawn() runs in the parent namespaces. Any operations performed * Note that lxc_spawn() runs in the parent namespaces. Any operations performed
@ -1693,17 +1624,6 @@ static int lxc_spawn(struct lxc_handler *handler)
if (ret < 0) if (ret < 0)
goto out_sync_fini; goto out_sync_fini;
if (conf->shmount.path_host) {
if (!conf->shmount.path_cont)
goto out_sync_fini;
ret = lxc_setup_shmount(conf);
if (ret < 0) {
ERROR("Failed to setup shared mount point");
goto out_sync_fini;
}
}
if (handler->ns_clone_flags & CLONE_NEWNET) { if (handler->ns_clone_flags & CLONE_NEWNET) {
if (!lxc_list_empty(&conf->network)) { if (!lxc_list_empty(&conf->network)) {

54
src/tests/mount_injection.c
View File

@ -386,16 +386,54 @@ static int do_unpriv_container_test()
return perform_container_test(NAME"unprivileged", config_items); return perform_container_test(NAME"unprivileged", config_items);
} }
int main(int argc, char *argv[]) static bool lxc_setup_shmount(const char *shmount_path)
{ {
if (do_priv_container_test()) { int ret;
fprintf(stderr, "Privileged mount injection test failed\n");
return -1; ret = mkdir_p(shmount_path, 0711);
if (ret < 0 && errno != EEXIST) {
fprintf(stderr, "Failed to create directory \"%s\"\n", shmount_path);
return false;
} }
if(do_unpriv_container_test()) { /* Prepare host mountpoint */
fprintf(stderr, "Unprivileged mount injection test failed\n"); ret = mount("tmpfs", shmount_path, "tmpfs", 0, "size=100k,mode=0711");
return -1; if (ret < 0) {
fprintf(stderr, "Failed to mount \"%s\"\n", shmount_path);
return false;
} }
return 0;
ret = mount(shmount_path, shmount_path, "none", MS_REC | MS_SHARED, "");
if (ret < 0) {
fprintf(stderr, "Failed to make shared \"%s\"\n", shmount_path);
return false;
}
return true;
}
static void lxc_teardown_shmount(char *shmount_path)
{
(void)umount2(shmount_path, MNT_DETACH);
(void)recursive_destroy(shmount_path);
}
int main(int argc, char *argv[])
{
if (!lxc_setup_shmount("/tmp/mount_injection_test"))
exit(EXIT_FAILURE);
if (do_priv_container_test()) {
fprintf(stderr, "Privileged mount injection test failed\n");
exit(EXIT_FAILURE);
}
if (do_unpriv_container_test()) {
fprintf(stderr, "Unprivileged mount injection test failed\n");
exit(EXIT_FAILURE);
}
lxc_teardown_shmount("/tmp/mount_injection_test");
exit(EXIT_SUCCESS);
} }