| author | Lennart Poettering <lennart@poettering.net> | 2017-02-16 13:59:13 +0100 | 
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2017-02-17 10:22:28 +0100 | 
| commit | 7f43928ba6258c66296614dd46ff7600e0e47b5f (patch) | |
| tree | 43390bfd9bfbe26059f252789950a8456615d67b | |
| parent | 3aca8326bda2c6e8d8ddd99ef5cab63cc7a9af1c (diff) | |
machined: refuse bind mounts on containers that have user namespaces applied
As the kernel won't map the UIDs this is simply not safe, and hence we
should generate a clean error and refuse it.
We can restore this feature later should a "shiftfs" become available in
the kernel.
| -rw-r--r-- | man/machinectl.xml | 21 |
| -rw-r--r-- | src/machine/machine-dbus.c | 7 |

2 files changed, 15 insertions, 13 deletions
| diff --git a/man/machinectl.xml b/man/machinectl.xml index b96aea1a48..7a159aecdc 100644 --- a/man/machinectl.xml +++ b/man/machinectl.xml 
@@ -518,19 +518,14 @@        <varlistentry>          <term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term> -        <listitem><para>Bind mounts a directory from the host into the -        specified container. The first directory argument is the -        source directory on the host, the second directory argument -        is the destination directory in the container. When the -        latter is omitted, the destination path in the container is -        the same as the source path on the host. When combined with -        the <option>--read-only</option> switch, a ready-only bind -        mount is created. When combined with the -        <option>--mkdir</option> switch, the destination path is first -        created before the mount is applied. Note that this option is -        currently only supported for -        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> -        containers.</para></listitem> +        <listitem><para>Bind mounts a directory from the host into the specified container. The first directory +        argument is the source directory on the host, the second directory argument is the destination directory in the +        container. When the latter is omitted, the destination path in the container is the same as the source path on +        the host. When combined with the <option>--read-only</option> switch, a ready-only bind mount is created. When +        combined with the <option>--mkdir</option> switch, the destination path is first created before the mount is +        applied. Note that this option is currently only supported for +        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> containers, +        and only if user namespacing (<option>--private-users</option>) is not used.</para></listitem>        </varlistentry>        <varlistentry> 
diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c index 29fc68b90f..36568b65ef 100644 --- a/src/machine/machine-dbus.c +++ b/src/machine/machine-dbus.c @@ -841,6 +841,7 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu          int read_only, make_directory;          pid_t child;          siginfo_t si; +        uid_t uid;          int r;          assert(message); @@ -875,6 +876,12 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu          if (r == 0)                  return 1; /* Will call us back */ +        r = machine_get_uid_shift(m, &uid); +        if (r < 0) +                return r; +        if (uid != 0) +                return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Can't bind mount on container with user namespacing applied."); +          /* One day, when bind mounting /proc/self/fd/n works across           * namespace boundaries we should rework this logic to make           * use of it... */ | 
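Review bot: In the man/machinectl.xml hunk, the reflowed paragraph carries the pre-existing typo "a ready-only bind mount is created" over unchanged; since the whole paragraph is being rewritten anyway, this is the place to correct it to "a read-only bind mount is created" so the text matches the `<option>--read-only</option>` switch it describes. The new closing sentence ("and only if user namespacing (`<option>--private-users</option>`) is not used") is the right user-facing statement of the new refusal and agrees with the `uid != 0` check on the code side.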
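Review bot: In the first src/machine/machine-dbus.c hunk (`@@ -841`), the new local is declared as `uid_t uid;` but what is stored in it later is the container's UID shift returned by `machine_get_uid_shift()`, not a UID of any process; naming it `uid_shift` (and keeping the `uid_t` type) would make the `uid != 0` test read as "the container has a non-zero UID shift" rather than "some user is not root", which is what a future reader will otherwise assume.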
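Review bot: In the second src/machine/machine-dbus.c hunk (`@@ -875`), the failure path `if (r < 0) return r;` after `machine_get_uid_shift(m, &uid)` returns a bare negative errno without filling `error`, so a client that fails here gets a generic errno-derived D-Bus error while the adjacent NOT_SUPPORTED branch gets a descriptive one; consider `return sd_bus_error_set_errnof(error, r, "Failed to determine UID shift of container: %m");` for consistency. The placement is also worth a second look: the new check sits after `if (r == 0) return 1; /* Will call us back */`, i.e. after the asynchronous authorization round-trip, although it depends only on the machine's own state; moving the cheap UID-shift check before that point would refuse an unsupported request immediately instead of first completing the callback and only then reporting that bind mounts are not supported on this container.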
