proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-14 15:29:56 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

conf: make lxc_create_tmp_proc_mount() static

Browse Source 
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
This commit is contained in:
Christian Brauner 2021-02-03 20:55:01 +01:00
parent fdb57ab442
commit e1b9d6af00
No known key found for this signature in database
GPG Key ID: 8EB056D53EECB12D
3 changed files with 71 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
src/lxc/conf.c
View File

@ -2952,6 +2952,77 @@ again:
return freeid;
}
/*
* Mount a proc under @rootfs if proc self points to a pid other than
* my own. This is needed to have a known-good proc mount for setting
* up LSMs both at container startup and attach.
*
* @rootfs : the rootfs where proc should be mounted
*
* Returns < 0 on failure, 0 if the correct proc was already mounted
* and 1 if a new proc was mounted.
*
* NOTE: not to be called from inside the container namespace!
*/
static int lxc_mount_proc_if_needed(const char *rootfs)
{
char path[PATH_MAX] = {0};
int link_to_pid, linklen, mypid, ret;
char link[INTTYPE_TO_STRLEN(pid_t)] = {0};
ret = snprintf(path, PATH_MAX, "%s/proc/self", rootfs);
if (ret < 0 || ret >= PATH_MAX) {
SYSERROR("The name of proc path is too long");
return -1;
}
linklen = readlink(path, link, sizeof(link));
ret = snprintf(path, PATH_MAX, "%s/proc", rootfs);
if (ret < 0 || ret >= PATH_MAX) {
SYSERROR("The name of proc path is too long");
return -1;
}
/* /proc not mounted */
if (linklen < 0) {
if (mkdir(path, 0755) && errno != EEXIST)
return -1;
goto domount;
} else if (linklen >= sizeof(link)) {
link[linklen - 1] = '\0';
ERROR("Readlink returned truncated content: \"%s\"", link);
return -1;
}
mypid = lxc_raw_getpid();
INFO("I am %d, /proc/self points to \"%s\"", mypid, link);
if (lxc_safe_int(link, &link_to_pid) < 0)
return -1;
/* correct procfs is already mounted */
if (link_to_pid == mypid)
return 0;
ret = umount2(path, MNT_DETACH);
if (ret < 0)
SYSWARN("Failed to umount \"%s\" with MNT_DETACH", path);
domount:
/* rootfs is NULL */
if (!strcmp(rootfs, ""))
ret = mount("proc", path, "proc", 0, NULL);
else
ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);
if (ret < 0)
return -1;
INFO("Mounted /proc in container for security transition");
return 1;
}
/* NOTE: Must not be called from inside the container namespace! */
static int lxc_create_tmp_proc_mount(struct lxc_conf *conf)
{

71
src/lxc/utils.c
View File

@ -1208,77 +1208,6 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
return 0;
}
/*
* Mount a proc under @rootfs if proc self points to a pid other than
* my own. This is needed to have a known-good proc mount for setting
* up LSMs both at container startup and attach.
*
* @rootfs : the rootfs where proc should be mounted
*
* Returns < 0 on failure, 0 if the correct proc was already mounted
* and 1 if a new proc was mounted.
*
* NOTE: not to be called from inside the container namespace!
*/
int lxc_mount_proc_if_needed(const char *rootfs)
{
char path[PATH_MAX] = {0};
int link_to_pid, linklen, mypid, ret;
char link[INTTYPE_TO_STRLEN(pid_t)] = {0};
ret = snprintf(path, PATH_MAX, "%s/proc/self", rootfs);
if (ret < 0 || ret >= PATH_MAX) {
SYSERROR("The name of proc path is too long");
return -1;
}
linklen = readlink(path, link, sizeof(link));
ret = snprintf(path, PATH_MAX, "%s/proc", rootfs);
if (ret < 0 || ret >= PATH_MAX) {
SYSERROR("The name of proc path is too long");
return -1;
}
/* /proc not mounted */
if (linklen < 0) {
if (mkdir(path, 0755) && errno != EEXIST)
return -1;
goto domount;
} else if (linklen >= sizeof(link)) {
link[linklen - 1] = '\0';
ERROR("Readlink returned truncated content: \"%s\"", link);
return -1;
}
mypid = lxc_raw_getpid();
INFO("I am %d, /proc/self points to \"%s\"", mypid, link);
if (lxc_safe_int(link, &link_to_pid) < 0)
return -1;
/* correct procfs is already mounted */
if (link_to_pid == mypid)
return 0;
ret = umount2(path, MNT_DETACH);
if (ret < 0)
SYSWARN("Failed to umount \"%s\" with MNT_DETACH", path);
domount:
/* rootfs is NULL */
if (!strcmp(rootfs, ""))
ret = mount("proc", path, "proc", 0, NULL);
else
ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);
if (ret < 0)
return -1;
INFO("Mounted /proc in container for security transition");
return 1;
}
int open_devnull(void)
{
int fd = open("/dev/null", O_RDWR);

1
src/lxc/utils.h
View File

@ -144,7 +144,6 @@ __hidden extern bool switch_to_ns(pid_t pid, const char *ns);
__hidden extern char *get_template_path(const char *t);
__hidden extern int safe_mount(const char *src, const char *dest, const char *fstype,
unsigned long flags, const void *data, const char *rootfs);
__hidden extern int lxc_mount_proc_if_needed(const char *rootfs);
__hidden extern int open_devnull(void);
__hidden extern int set_stdfds(int fd);
__hidden extern int null_stdfds(void);