From 107bad0ee5141bb847257a6f57dff2469dd584da Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Tue, 20 Jan 2015 13:26:20 -0500
Subject: [PATCH 1/2] Adds namespace flag checks for userns code path in init.

Signed-off-by: Mrunal Patel (github: mrunalp)
---
 namespaces/init.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/namespaces/init.go b/namespaces/init.go
index 2bd4c7d3..3d231350 100644
--- a/namespaces/init.go
+++ b/namespaces/init.go
@@ -114,7 +114,7 @@ func initDefault(container *libcontainer.Config, uncleanRootfs, consolePath stri
 // InitializeMountNamespace() can be executed only for a new mount namespace
 if (cloneFlags & syscall.CLONE_NEWNS) == 0 {
 if container.MountConfig != nil {
- return fmt.Errorf("mount_config is set without mount namespace")
+ return fmt.Errorf("mount config is set without mount namespace")
 }
 } else if err := mount.InitializeMountNamespace(rootfs,
 consolePath,
@@ -145,7 +145,7 @@ func initDefault(container *libcontainer.Config, uncleanRootfs, consolePath stri
 // TODO: (crosbymichael) make this configurable at the Config level
 if container.RestrictSys {
 if (cloneFlags & syscall.CLONE_NEWNS) == 0 {
- return fmt.Errorf("unable to restrict access to kernel files")
+ return fmt.Errorf("unable to restrict access to kernel files without mount namespace")
 }
 if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil {
 return err
@@ -208,7 +208,12 @@ func initUserNs(container *libcontainer.Config, uncleanRootfs, consolePath strin
 return fmt.Errorf("setup rlimits %s", err)
 }
 
+ cloneFlags := GetNamespaceFlags(container.Namespaces)
+
 if container.Hostname != "" {
+ if (cloneFlags & syscall.CLONE_NEWUTS) == 0 {
+ return fmt.Errorf("unable to set the hostname without UTS namespace")
+ }
 if err := syscall.Sethostname([]byte(container.Hostname)); err != nil {
 return fmt.Errorf("unable to sethostname %q: %s", container.Hostname, err)
 }
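Review bot: `cloneFlags` in initUserNs is computed from the configured namespaces (`GetNamespaceFlags(container.Namespaces)`), not from the namespaces the process actually holds, and nothing in the hunk says so; a one-line comment would stop later readers from treating it as an observed value, e.g. `// cloneFlags reflects the requested namespaces; refuse host-affecting setup (hostname, mounts) when the matching namespace was not asked for.` The UTS guard itself is a sound fail-closed check, since Sethostname would otherwise act on whatever UTS namespace the process currently shares. The same `cloneFlags` is reused by the later hunk at @@ -223 in this file. initUserNs starts outside the hunk.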
@@ -223,6 +228,9 @@ func initUserNs(container *libcontainer.Config, uncleanRootfs, consolePath strin
 }
 
 if container.RestrictSys {
+ if (cloneFlags & syscall.CLONE_NEWNS) == 0 {
+ return fmt.Errorf("unable to restrict access to kernel files without mount namespace")
+ }
 if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil {
 return err
 }

From bde8bf2ebc5630399c7d0965f58b502100180400 Mon Sep 17 00:00:00 2001
From: Mrunal Patel
Date: Tue, 20 Jan 2015 13:26:59 -0500
Subject: [PATCH 2/2] Adds namespace flag checks to userns setup.

Signed-off-by: Mrunal Patel (github: mrunalp)
---
 namespaces/execin.go | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/namespaces/execin.go b/namespaces/execin.go
index b56ddfed..6bae9f1e 100644
--- a/namespaces/execin.go
+++ b/namespaces/execin.go
@@ -152,12 +152,19 @@ func SetupContainer(container *libcontainer.Config, dataPath, uncleanRootfs, con
 return fmt.Errorf("unable to read state: %s", err)
 }
 
- if err := setupNetwork(container, &state.NetworkState); err != nil {
- return fmt.Errorf("setup networking %s", err)
- }
+ cloneFlags := GetNamespaceFlags(container.Namespaces)
 
- if err := setupRoute(container); err != nil {
- return fmt.Errorf("setup route %s", err)
+ if (cloneFlags & syscall.CLONE_NEWNET) == 0 {
+ if len(container.Networks) != 0 || len(container.Routes) != 0 {
+ return fmt.Errorf("unable to apply network parameters without network namespace")
+ }
+ } else {
+ if err := setupNetwork(container, &state.NetworkState); err != nil {
+ return fmt.Errorf("setup networking %s", err)
+ }
+ if err := setupRoute(container); err != nil {
+ return fmt.Errorf("setup route %s", err)
+ }
 }
 
 label.Init()
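Review bot: The RestrictSys guard and its error string `"unable to restrict access to kernel files without mount namespace"` now exist twice, here in initUserNs and in initDefault (init.go @@ -145), and the MountConfig/CLONE_NEWNS guard with its comment is likewise copied into execin.go SetupContainer (@@ -172 in the second patch); the first patch already had to reword the initDefault message to match, which is how such copies drift. A small helper shared by both init paths and SetupContainer, taking the clone flags, the required flag and the message, would keep the checks and their wording in step. The condition itself is correct and fails closed. The enclosing initUserNs body continues outside the hunk.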
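Review bot: Skipping setupNetwork when CLONE_NEWNET is absent is a behaviour change beyond the added validation: before this hunk setupNetwork ran unconditionally with `&state.NetworkState`, so if it applies anything from the saved state that is not covered by `container.Networks`, a container configured without a network namespace and with empty Networks/Routes now silently loses that setup — worth confirming against setupNetwork's body, which is not in this patch. If the skip is intended, say so above the branch, e.g. `// Without a network namespace there is nothing to configure; non-empty Networks/Routes is a misconfiguration.` SetupContainer continues outside the hunk.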
@@ -172,7 +179,12 @@ func SetupContainer(container *libcontainer.Config, dataPath, uncleanRootfs, con
 return fmt.Errorf("failed to get hostRootGid %s", err)
 }
 
- if err := mount.InitializeMountNamespace(rootfs,
+ // InitializeMountNamespace() can be executed only for a new mount namespace
+ if (cloneFlags & syscall.CLONE_NEWNS) == 0 {
+ if container.MountConfig != nil {
+ return fmt.Errorf("mount config is set without mount namespace")
+ }
+ } else if err := mount.InitializeMountNamespace(rootfs,
 consolePath,
 container.RestrictSys,
 hostRootUid,