summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDjalal Harouni <tixxdz@opendz.org>2016-05-26 12:59:49 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-05-26 22:39:34 +0200
commit231bfb1b02e0ff3fc335018cc58d83d8ef085dd8 (patch)
tree25109d90ccb8b3e618957453754ec8d02ec07ac9
parent87c05f365d0f11e7207e9ff03a50e5988e1af5ce (diff)
nspawn: rename is_procfs_sysfs_or_suchlike() to is_fs_fully_userns_compatible()
Rename is_procfs_sysfs_or_suchlike() to is_fs_fully_userns_compatible() to give it the real meaning. This may prevent future modifications that may introduce bugs.
-rw-r--r--src/nspawn/nspawn-patch-uid.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/src/nspawn/nspawn-patch-uid.c b/src/nspawn/nspawn-patch-uid.c
index 6b26b074d9..cc79597c95 100644
--- a/src/nspawn/nspawn-patch-uid.c
+++ b/src/nspawn/nspawn-patch-uid.c
@@ -280,7 +280,13 @@ static int patch_fd(int fd, const char *name, const struct stat *st, uid_t shift
return r > 0 || changed;
}
-static int is_procfs_sysfs_or_suchlike(int fd) {
+/*
+ * Check if the filesystem is fully compatible with user namespaces or
+ * UID/GID patching. Some filesystems in this list can be fully mounted inside
+ * user namespaces, however their inodes may relate to host resources or only
+ * valid in the global user namespace, therefore no patching should be applied.
+ */
+static int is_fs_fully_userns_compatible(int fd) {
struct statfs sfs;
assert(fd >= 0);
@@ -314,8 +320,8 @@ static int recurse_fd(int fd, bool donate_fd, const struct stat *st, uid_t shift
/* We generally want to permit crossing of mount boundaries when patching the UIDs/GIDs. However, we
* probably shouldn't do this for /proc and /sys if that is already mounted into place. Hence, let's
- * stop the recursion when we hit a procfs or sysfs file system. */
- r = is_procfs_sysfs_or_suchlike(fd);
+ * stop the recursion when we hit procfs, sysfs or some other special file systems. */
+ r = is_fs_fully_userns_compatible(fd);
if (r < 0)
goto finish;
if (r > 0) {