Merge pull request #711 from rhatdan/sysctl

Return a more meaningful error when namespaces are disabled
2016-03-30 15:35:06 -07:00 · 2016-03-30 15:35:06 -07:00 · 0c1c615ebd
parent 2441732d6f d2a39ea043
commit 0c1c615ebd
1 changed files with 22 additions and 27 deletions
--- a/libcontainer/configs/validate/config.go
+++ b/libcontainer/configs/validate/config.go
@ -100,38 +100,33 @@ func (v *ConfigValidator) usernamespace(config *configs.Config) error {
 // /proc/sys isn't completely namespaced and depending on which namespaces
 // are specified, a subset of sysctls are permitted.
 func (v *ConfigValidator) sysctl(config *configs.Config) error {
-	validSysctlPrefixes := []string{}
-	validSysctlMap := make(map[string]bool)
-	if config.Namespaces.Contains(configs.NEWNET) {
-		validSysctlPrefixes = append(validSysctlPrefixes, "net.")
-	}
-	if config.Namespaces.Contains(configs.NEWIPC) {
-		validSysctlPrefixes = append(validSysctlPrefixes, "fs.mqueue.")
-		validSysctlMap = map[string]bool{
-			"kernel.msgmax":          true,
-			"kernel.msgmnb":          true,
-			"kernel.msgmni":          true,
-			"kernel.sem":             true,
-			"kernel.shmall":          true,
-			"kernel.shmmax":          true,
-			"kernel.shmmni":          true,
-			"kernel.shm_rmid_forced": true,
-		}
+	validSysctlMap := map[string]bool{
+		"kernel.msgmax":          true,
+		"kernel.msgmnb":          true,
+		"kernel.msgmni":          true,
+		"kernel.sem":             true,
+		"kernel.shmall":          true,
+		"kernel.shmmax":          true,
+		"kernel.shmmni":          true,
+		"kernel.shm_rmid_forced": true,
 	}
+
 	for s := range config.Sysctl {
-		if validSysctlMap[s] {
-			continue
-		}
-		valid := false
-		for _, vp := range validSysctlPrefixes {
-			if strings.HasPrefix(s, vp) {
-				valid = true
-				break
+		if validSysctlMap[s] || strings.HasPrefix(s, "fs.mqueue.") {
+			if config.Namespaces.Contains(configs.NEWIPC) {
+				continue
+			} else {
+				return fmt.Errorf("sysctl %q is not allowed in the hosts ipc namespace", s)
 			}
 		}
-		if !valid {
-			return fmt.Errorf("sysctl %q is not permitted in the config", s)
+		if strings.HasPrefix(s, "net.") {
+			if config.Namespaces.Contains(configs.NEWNET) {
+				continue
+			} else {
+				return fmt.Errorf("sysctl %q is not allowed in the hosts network namespace", s)
+			}
 		}
+		return fmt.Errorf("sysctl %q is not in a separate kernel namespace", s)
 	}

 	return nil