[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH] LXC: Don't mount securityfs when user namespace enabled



Right now, securityfs is disallowed to be mounted in
un init user namespace, we should avoid to mount securityfs
in the container which enables user namespace.

Signed-off-by: Gao feng <gaofeng cn fujitsu com>
---
 src/lxc/lxc_container.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 8abaea0..c41ab40 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -750,7 +750,7 @@ err:
 }
 
 
-static int lxcContainerMountBasicFS(void)
+static int lxcContainerMountBasicFS(bool userns_enabled)
 {
     const struct {
         const char *src;
@@ -801,6 +801,9 @@ static int lxcContainerMountBasicFS(void)
             continue;
 #endif
 
+        if (STREQ(mnts[i].src, "securityfs") && userns_enabled)
+            continue;
+
         if (virFileMakePath(mnts[i].dst) < 0) {
             virReportSystemError(errno,
                                  _("Failed to mkdir %s"),
@@ -1530,7 +1533,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
         goto cleanup;
 
     /* Mounts the core /proc, /sys, etc filesystems */
-    if (lxcContainerMountBasicFS() < 0)
+    if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap) < 0)
         goto cleanup;
 
     /* Mounts /proc/meminfo etc sysinfo */
-- 
1.8.3.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]