From e3cd191acc5eb7c76b9e8884b8217d03b22e168b Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Tue, 18 Oct 2016 18:26:27 +1100
Subject: [PATCH] nsenter: un-split clone(cloneflags) for RHEL
Without this patch applied, RHEL's SELinux policies cause container creation to not really work. Unfortunately this might be an issue for rootless containers (opencontainers/runc#774) but we'll cross that bridge when we come to it.
Signed-off-by: Aleksa Sarai
---
 libcontainer/nsenter/nsexec.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
index d3a50b04..93265c26 100644
--- a/libcontainer/nsenter/nsexec.c
+++ b/libcontainer/nsenter/nsexec.c
@@ -621,16 +621,25 @@ void nsexec(void)
 if (config.namespaces)
 join_namespaces(config.namespaces);
 
+ /*
+ * Unshare all of the namespaces. Now, it should be noted that this
+ * ordering might break in the future (especially with rootless
+ * containers). But for now, it's not possible to split this into
+ * CLONE_NEWUSER + [the rest] because of some RHEL SELinux issues.
+ *
+ * We also can't be sure if the current kernel supports
+ * clone(CLONE_PARENT | CLONE_NEWPID), so we'll just do it the long
+ * way anyway.
+ */
+ if (unshare(config.cloneflags) < 0)
+ bail("failed to unshare namespaces");
+
 /*
 * Deal with user namespaces first. They are quite special, as they
 * affect our ability to unshare other namespaces and are used as
 * context for privilege checks.
 */
 if (config.cloneflags & CLONE_NEWUSER) {
- /* Create a new user namespace. */
- if (unshare(CLONE_NEWUSER) < 0)
- bail("failed to unshare user namespace");
-
 /*
 * We don't have the privileges to do any mapping here (see the
 * clone_parent rant). So signal our parent to hook us up.
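Review bot: The comment that opens the CLONE_NEWUSER block, `Deal with user namespaces first. They are quite special, as they affect our ability to unshare other namespaces`, is now stale: after this change the user namespace has already been unshared by the single unshare(config.cloneflags) call placed above it, and the block only performs the uid/gid map handshake with the parent. Suggest rewording it to `Wait for the parent to write our uid/gid maps. We are already inside the new user namespace (unshared above), so we cannot set the mapping ourselves.` The new comment block should also record the property the combined call depends on, namely that when CLONE_NEWUSER is passed together with other flags the kernel creates the user namespace first and the remaining namespaces are created inside it (as documented for unshare(2)); without that note a future reader may reintroduce the split. The old `config.cloneflags &= ~CLONE_NEWUSER;` removed in the second hunk was only needed for the two-step form, so its removal is consistent. nsexec() begins and ends outside this hunk.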
@@ -646,18 +655,8 @@ void nsexec(void)
 bail("failed to sync with parent: read(SYNC_USERMAP_ACK)");
 if (s != SYNC_USERMAP_ACK)
 bail("failed to sync with parent: SYNC_USERMAP_ACK: got %u", s);
-
- config.cloneflags &= ~CLONE_NEWUSER;
 }
 
- /*
- * Now we can unshare the rest of the namespaces. We can't be sure if the
- * current kernel supports clone(CLONE_PARENT | CLONE_NEWPID), so we'll
- * just do it the long way anyway.
- */
- if (unshare(config.cloneflags) < 0)
- bail("failed to unshare namespaces");
-
 /* TODO: What about non-namespace clone flags that we're dropping here? */
 child = clone_parent(&env, JUMP_INIT);
 if (child < 0)