jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Adds namespace flag checks for userns code path in init. 

Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)
This commit is contained in:
Mrunal Patel 2015-01-20 13:26:20 -05:00
parent 9303a8f15f
commit 107bad0ee5
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
namespaces/init.go
View File

@ -114,7 +114,7 @@ func initDefault(container *libcontainer.Config, uncleanRootfs, consolePath stri
// InitializeMountNamespace() can be executed only for a new mount namespace // InitializeMountNamespace() can be executed only for a new mount namespace
if (cloneFlags & syscall.CLONE_NEWNS) == 0 { if (cloneFlags & syscall.CLONE_NEWNS) == 0 {
if container.MountConfig != nil { if container.MountConfig != nil {
return fmt.Errorf("mount_config is set without mount namespace") return fmt.Errorf("mount config is set without mount namespace")
} }
} else if err := mount.InitializeMountNamespace(rootfs, } else if err := mount.InitializeMountNamespace(rootfs,
consolePath, consolePath,
@ -145,7 +145,7 @@ func initDefault(container *libcontainer.Config, uncleanRootfs, consolePath stri
// TODO: (crosbymichael) make this configurable at the Config level // TODO: (crosbymichael) make this configurable at the Config level
if container.RestrictSys { if container.RestrictSys {
if (cloneFlags & syscall.CLONE_NEWNS) == 0 { if (cloneFlags & syscall.CLONE_NEWNS) == 0 {
return fmt.Errorf("unable to restrict access to kernel files") return fmt.Errorf("unable to restrict access to kernel files without mount namespace")
} }
if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil { if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil {
return err return err
@ -208,7 +208,12 @@ func initUserNs(container *libcontainer.Config, uncleanRootfs, consolePath strin
return fmt.Errorf("setup rlimits %s", err) return fmt.Errorf("setup rlimits %s", err)
} }
cloneFlags := GetNamespaceFlags(container.Namespaces)
if container.Hostname != "" { if container.Hostname != "" {
if (cloneFlags & syscall.CLONE_NEWUTS) == 0 {
return fmt.Errorf("unable to set the hostname without UTS namespace")
}
if err := syscall.Sethostname([]byte(container.Hostname)); err != nil { if err := syscall.Sethostname([]byte(container.Hostname)); err != nil {
return fmt.Errorf("unable to sethostname %q: %s", container.Hostname, err) return fmt.Errorf("unable to sethostname %q: %s", container.Hostname, err)
} }
@ -223,6 +228,9 @@ func initUserNs(container *libcontainer.Config, uncleanRootfs, consolePath strin
} }
if container.RestrictSys { if container.RestrictSys {
if (cloneFlags & syscall.CLONE_NEWNS) == 0 {
return fmt.Errorf("unable to restrict access to kernel files without mount namespace")
}
if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil { if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil {
return err return err
} }