author | Lennart Poettering <lennart@poettering.net> | 2014-02-10 13:15:42 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-10 13:18:16 +0100 |
commit | 8a96d94e4c33173d1426b7e0a6325405804ba224 (patch) | |
tree | 3606aea55bb646ca716ee38d0ed9ee3bb420f071 /src/nspawn | |
parent | deb678f15a6faf9feb29e18954553f5051788056 (diff) |
nspawn: add new --share-system switch to run a container without PID/UTS/IPC namespacing
Diffstat (limited to 'src/nspawn')
-rw-r--r-- | src/nspawn/nspawn.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 646c6c02f3..759f9c1aef 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -118,6 +118,7 @@ static char **arg_bind = NULL; static char **arg_bind_ro = NULL; static char **arg_setenv = NULL; static bool arg_quiet = false; +static bool arg_share_system = false; static int help(void) { @@ -138,6 +139,7 @@ static int help(void) { " Set the SELinux security context to be used by\n" " API/tmpfs file systems in the container\n" " --private-network Disable network in container\n" + " --share-system Share system namespaces with host\n" " --read-only Mount the root directory read-only\n" " --capability=CAP In addition to the default, retain specified\n" " capability\n" @@ -167,6 +169,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_BIND, ARG_BIND_RO, ARG_SETENV, + ARG_SHARE_SYSTEM }; static const struct option options[] = { @@ -189,6 +192,7 @@ static int parse_argv(int argc, char *argv[]) { { "selinux-context", required_argument, NULL, 'Z' }, { "selinux-apifs-context", required_argument, NULL, 'L' }, { "quiet", no_argument, NULL, 'q' }, + { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM }, {} }; @@ -382,6 +386,10 @@ static int parse_argv(int argc, char *argv[]) { arg_quiet = true; break; + case ARG_SHARE_SYSTEM: + arg_share_system = true; + break; + case '?': return -EINVAL; @@ -1267,7 +1275,10 @@ int main(int argc, char *argv[]) { goto finish; } - pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS|(arg_private_network ? CLONE_NEWNET : 0), NULL); + pid = syscall(__NR_clone, + SIGCHLD|CLONE_NEWNS| + (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)| + (arg_private_network ? CLONE_NEWNET : 0), NULL); if (pid < 0) { if (errno == EINVAL) log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m"); |
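Review bot: The help() line added for `--share-system` says only "Share system namespaces with host", which does not tell the user which namespaces are given up or that the container is then no longer isolated from host processes, the host hostname and host IPC objects; the clone() hunk further down shows it drops CLONE_NEWPID, CLONE_NEWUTS and CLONE_NEWIPC while keeping CLONE_NEWNS. Suggest naming that in the help string, e.g. `"     --share-system          Share PID, UTS and IPC namespaces with host\n"` followed by a continuation line `"                             (no process, hostname or IPC isolation)\n"`, so the option reads as a deliberate loss of isolation rather than a tuning knob. The help() body starts and ends outside the hunk, so the exact column alignment of the new line cannot be checked here.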
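Review bot: The EINVAL diagnostic on the line after the rewritten clone() call still says "You need UTS, IPC, PID and NET namespacing built in", but with `--share-system` the call now requests only CLONE_NEWNS (plus CLONE_NEWNET under `--private-network`), so a failure in that mode would send the user to the wrong kernel options; one fix is to make the list conditional, `log_error("clone() failed, do you have namespace support enabled in your kernel? (You need %s namespacing built in): %m", arg_share_system ? "mount (and NET with --private-network)" : "mount, UTS, IPC, PID and NET");`. Sharing the PID namespace also means the child is not PID 1 in the namespace it sees, so if nspawn elsewhere offers booting an init process in the container (not visible in this hunk), parse_argv should reject that combination rather than letting an init start as a non-PID-1 process. A short comment above the clone() call would also help the next maintainer: with a shared UTS namespace a container process that retains CAP_SYS_ADMIN (whether nspawn's default capability set keeps it is not visible here) can rename the host, and a shared IPC namespace exposes the host's SysV/POSIX IPC objects to the payload. main() continues outside the hunk on both sides.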