[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] LXC: Helper function for checking ownership of dir when userns enabled



On 08/09/2013 01:53 PM, Chen Hanxiao wrote:
From: Chen Hanxiao<chenhanxiao cn fujitsu com>

  If we enable userns, the ownership of dir we provided for containers
  should match the uid/gid in idmap.
  Currently, the debug log is very implicit or misleading sometimes.
  This patch will help clarify this for us when using
  debug log or virsh.

Signed-off-by: Chen Hanxiao<chenhanxiao cn fujitsu com>
---
  src/lxc/lxc_container.c |   45 +++++++++++++++++++++++++++++++++++++++++++++
  1 files changed, 45 insertions(+), 0 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index b910b10..ce17466 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1815,6 +1815,48 @@ lxcNeedNetworkNamespace(virDomainDefPtr def)
      return false;
  }

+/*
+ * Helper function for helping check
+ * whether we have enough privilege
+ * to operate the source dir when userns enabled
+ * @vmDef: pointer to vm definition structure
+ * Returns 0 on success or -1 in case of error
+ */
+static int
+lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef)
+{
+    struct stat buf;
+    int i;
+    uid_t uid;
+    gid_t gid;
+
+    for(i=0; i<  vmDef->nfss; i++) {
+        VIR_DEBUG("dst is %s, src is %s",
+                vmDef->fss[i]->dst,
+                vmDef->fss[i]->src);
+
+        uid = vmDef->idmap.uidmap[0].target;
+        gid = vmDef->idmap.gidmap[0].target;
+
+        if (lstat(vmDef->fss[i]->src,&buf)<  0) {
+            virReportSystemError(errno, _("Cannot access '%s'"),
+                                     vmDef->fss[i]->src);
+            return -1;
+        } else if(uid != buf.st_uid || gid != buf.st_gid) {
+            VIR_DEBUG("In userns uid is %d, gid is %d\n",
+                    uid, gid);
+            errno = EINVAL;
+
+            virReportSystemError(errno,
+                    "[userns] Src dir \"%s\" does not belong to uid/gid:%d/%d",
+                    vmDef->fss[i]->src, uid, gid);
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
  /**
   * lxcContainerStart:
   * @def: pointer to virtual machine structure
@@ -1866,6 +1908,9 @@ int lxcContainerStart(virDomainDefPtr def,
          if (userns_supported()) {
              VIR_DEBUG("Enable user namespace");
              cflags |= CLONE_NEWUSER;
+            if(lxcContainerUsernsSrcOwnershipCheck(def)<  0) {
+                return -1;
+            }
          } else {
              virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                                   _("Kernel doesn't support user namespace"));

In addition, please run 'make syntax-check' firstly before committing patches.

src/lxc/lxc_container.c:1835:     for(i=0; i < vmDef->nfss; i++) {
src/lxc/lxc_container.c:1847: } else if(uid != buf.st_uid || gid != buf.st_gid) { src/lxc/lxc_container.c:1913: if(lxcContainerUsernsSrcOwnershipCheck(def) < 0) {
maint.mk: incorrect whitespace, see HACKING for rules
make: *** [bracket-spacing-check] Error 1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]