jasder
/
runc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

nsenter: un-split clone(cloneflags) for RHEL 

Without this patch applied, RHEL's SELinux policies cause container
creation to not really work. Unfortunately this might be an issue for
rootless containers (opencontainers/runc#774) but we'll cross that
bridge when we come to it.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
This commit is contained in:
Aleksa Sarai 2016-10-18 18:26:27 +11:00
parent 2cd9c31b99
commit e3cd191acc
No known key found for this signature in database
GPG Key ID: 9E18AA267DDB8DB4
1 changed files with 13 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
libcontainer/nsenter/nsexec.c
View File

@ -621,16 +621,25 @@ void nsexec(void)
if (config.namespaces)
join_namespaces(config.namespaces);
/*
* Unshare all of the namespaces. Now, it should be noted that this
* ordering might break in the future (especially with rootless
* containers). But for now, it's not possible to split this into
* CLONE_NEWUSER + [the rest] because of some RHEL SELinux issues.
*
* We also can't be sure if the current kernel supports
* clone(CLONE_PARENT | CLONE_NEWPID), so we'll just do it the long
* way anyway.
*/
if (unshare(config.cloneflags) < 0)
bail("failed to unshare namespaces");
/*
* Deal with user namespaces first. They are quite special, as they
* affect our ability to unshare other namespaces and are used as
* context for privilege checks.
*/
if (config.cloneflags & CLONE_NEWUSER) {
/* Create a new user namespace. */
if (unshare(CLONE_NEWUSER) < 0)
bail("failed to unshare user namespace");
/*
* We don't have the privileges to do any mapping here (see the
* clone_parent rant). So signal our parent to hook us up.
@ -646,18 +655,8 @@ void nsexec(void)
bail("failed to sync with parent: read(SYNC_USERMAP_ACK)");
if (s != SYNC_USERMAP_ACK)
bail("failed to sync with parent: SYNC_USERMAP_ACK: got %u", s);
config.cloneflags &= ~CLONE_NEWUSER;
}
/*
* Now we can unshare the rest of the namespaces. We can't be sure if the
* current kernel supports clone(CLONE_PARENT | CLONE_NEWPID), so we'll
* just do it the long way anyway.
*/
if (unshare(config.cloneflags) < 0)
bail("failed to unshare namespaces");
/* TODO: What about non-namespace clone flags that we're dropping here? */
child = clone_parent(&env, JUMP_INIT);
if (child < 0)