From 107bad0ee5141bb847257a6f57dff2469dd584da Mon Sep 17 00:00:00 2001 From: Mrunal Patel Date: Tue, 20 Jan 2015 13:26:20 -0500 Subject: [PATCH] Adds namespace flag checks for userns code path in init. Signed-off-by: Mrunal Patel (github: mrunalp) --- namespaces/init.go | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/namespaces/init.go b/namespaces/init.go index 2bd4c7d3..3d231350 100644 --- a/namespaces/init.go +++ b/namespaces/init.go @@ -114,7 +114,7 @@ func initDefault(container *libcontainer.Config, uncleanRootfs, consolePath stri // InitializeMountNamespace() can be executed only for a new mount namespace if (cloneFlags & syscall.CLONE_NEWNS) == 0 { if container.MountConfig != nil { - return fmt.Errorf("mount_config is set without mount namespace") + return fmt.Errorf("mount config is set without mount namespace") } } else if err := mount.InitializeMountNamespace(rootfs, consolePath, @@ -145,7 +145,7 @@ func initDefault(container *libcontainer.Config, uncleanRootfs, consolePath stri // TODO: (crosbymichael) make this configurable at the Config level if container.RestrictSys { if (cloneFlags & syscall.CLONE_NEWNS) == 0 { - return fmt.Errorf("unable to restrict access to kernel files") + return fmt.Errorf("unable to restrict access to kernel files without mount namespace") } if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil { return err @@ -208,7 +208,12 @@ func initUserNs(container *libcontainer.Config, uncleanRootfs, consolePath strin return fmt.Errorf("setup rlimits %s", err) } + cloneFlags := GetNamespaceFlags(container.Namespaces) + if container.Hostname != "" { + if (cloneFlags & syscall.CLONE_NEWUTS) == 0 { + return fmt.Errorf("unable to set the hostname without UTS namespace") + } if err := syscall.Sethostname([]byte(container.Hostname)); err != nil { return fmt.Errorf("unable to sethostname %q: %s", container.Hostname, err) } 
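Review bot: The new UTS guard in initUserNs, `if (cloneFlags & syscall.CLONE_NEWUTS) == 0`, has no comment explaining why it exists, whereas the mount guard in initDefault is introduced by `// InitializeMountNamespace() can be executed only for a new mount namespace`. Without a new UTS namespace, Sethostname is directed at the namespace the process shares with its parent, so I would add `// Sethostname() must only run in a new UTS namespace; otherwise it targets the hostname shared with the parent` above the check. The guard is also pure config validation, yet it sits after the rlimits setup. initUserNs begins outside this hunk, so I cannot see what else has already run, but computing `cloneFlags` and rejecting the config at the top of the function would avoid failing partway through setup.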
@@ -223,6 +228,9 @@ func initUserNs(container *libcontainer.Config, uncleanRootfs, consolePath strin } if container.RestrictSys { + if (cloneFlags & syscall.CLONE_NEWNS) == 0 { + return fmt.Errorf("unable to restrict access to kernel files without mount namespace") + } if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil { return err }
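Review bot: The RestrictSys guard and its message, `"unable to restrict access to kernel files without mount namespace"`, are now duplicated verbatim between initDefault (the hunk at -145) and this hunk in initUserNs. This commit already had to edit the initDefault wording by hand so that the two match. A small unexported helper that takes `cloneFlags` and returns this error, called from both init paths, would stop the checks from drifting apart again. Both function bodies extend beyond the visible hunks, so any other guard that initDefault applies and initUserNs lacks should be checked when doing that refactor.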