jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #324 from avagin/namespaces 

namespace: don't change namespaces which are not belonged to the CT
This commit is contained in:
Mrunal Patel 2015-01-20 09:31:24 -08:00
parent b89cd0cf5c ef73d7e235
commit 9303a8f15f
2 changed files with 29 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
namespaces/init.go
View File

@ -90,11 +90,19 @@ func initDefault(container *libcontainer.Config, uncleanRootfs, consolePath stri
} }
} }
if err := setupNetwork(container, networkState); err != nil { cloneFlags := GetNamespaceFlags(container.Namespaces)
return fmt.Errorf("setup networking %s", err)
} if (cloneFlags & syscall.CLONE_NEWNET) == 0 {
if err := setupRoute(container); err != nil { if len(container.Networks) != 0 || len(container.Routes) != 0 {
return fmt.Errorf("setup route %s", err) return fmt.Errorf("unable to apply network parameters without network namespace")
}
} else {
if err := setupNetwork(container, networkState); err != nil {
return fmt.Errorf("setup networking %s", err)
}
if err := setupRoute(container); err != nil {
return fmt.Errorf("setup route %s", err)
}
} }
if err := setupRlimits(container); err != nil { if err := setupRlimits(container); err != nil {
@ -103,7 +111,12 @@ func initDefault(container *libcontainer.Config, uncleanRootfs, consolePath stri
label.Init() label.Init()
if err := mount.InitializeMountNamespace(rootfs, // InitializeMountNamespace() can be executed only for a new mount namespace
if (cloneFlags & syscall.CLONE_NEWNS) == 0 {
if container.MountConfig != nil {
return fmt.Errorf("mount_config is set without mount namespace")
}
} else if err := mount.InitializeMountNamespace(rootfs,
consolePath, consolePath,
container.RestrictSys, container.RestrictSys,
0, // Default Root Uid 0, // Default Root Uid
@ -113,6 +126,9 @@ func initDefault(container *libcontainer.Config, uncleanRootfs, consolePath stri
} }
if container.Hostname != "" { if container.Hostname != "" {
if (cloneFlags & syscall.CLONE_NEWUTS) == 0 {
return fmt.Errorf("unable to set the hostname without UTS namespace")
}
if err := syscall.Sethostname([]byte(container.Hostname)); err != nil { if err := syscall.Sethostname([]byte(container.Hostname)); err != nil {
return fmt.Errorf("unable to sethostname %q: %s", container.Hostname, err) return fmt.Errorf("unable to sethostname %q: %s", container.Hostname, err)
} }
@ -128,6 +144,9 @@ func initDefault(container *libcontainer.Config, uncleanRootfs, consolePath stri
// TODO: (crosbymichael) make this configurable at the Config level // TODO: (crosbymichael) make this configurable at the Config level
if container.RestrictSys { if container.RestrictSys {
if (cloneFlags & syscall.CLONE_NEWNS) == 0 {
return fmt.Errorf("unable to restrict access to kernel files")
}
if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil { if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil {
return err return err
} }

5
namespaces/utils.go
View File

@ -36,9 +36,12 @@ func newInitPipe() (parent *os.File, child *os.File, err error) {
} }
// GetNamespaceFlags parses the container's Namespaces options to set the correct // GetNamespaceFlags parses the container's Namespaces options to set the correct
// flags on clone, unshare, and setns // flags on clone, unshare. This functions returns flags only for new namespaces.
func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) { func GetNamespaceFlags(namespaces libcontainer.Namespaces) (flag int) {
for _, v := range namespaces { for _, v := range namespaces {
if v.Path != "" {
continue
}
flag |= namespaceInfo[v.Type] flag |= namespaceInfo[v.Type]
} }
return flag return flag