[libvirt] [PATCH] LXC: Don't mount securityfs when user namespace enabled
Gao feng
gaofeng at cn.fujitsu.com
Wed Sep 4 02:23:17 UTC 2013
Right now, securityfs is disallowed to be mounted in
un init user namespace, we should avoid to mount securityfs
in the container which enables user namespace.
Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
---
src/lxc/lxc_container.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 8abaea0..c41ab40 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -750,7 +750,7 @@ err:
}
-static int lxcContainerMountBasicFS(void)
+static int lxcContainerMountBasicFS(bool userns_enabled)
{
const struct {
const char *src;
@@ -801,6 +801,9 @@ static int lxcContainerMountBasicFS(void)
continue;
#endif
+ if (STREQ(mnts[i].src, "securityfs") && userns_enabled)
+ continue;
+
if (virFileMakePath(mnts[i].dst) < 0) {
virReportSystemError(errno,
_("Failed to mkdir %s"),
@@ -1530,7 +1533,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
goto cleanup;
/* Mounts the core /proc, /sys, etc filesystems */
- if (lxcContainerMountBasicFS() < 0)
+ if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap) < 0)
goto cleanup;
/* Mounts /proc/meminfo etc sysinfo */
--
1.8.3.1
More information about the libvir-list
mailing list