picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

nspawn: Enable specifying root as the mount target directory.

Browse source 
Fixes #3847.
This commit is contained in:
Daan De Meyer 2019-12-06 22:45:14 +01:00
parent 65ca546f06
commit 5f0a6347ac
3 changed files with 31 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
src/nspawn/nspawn-mount.c
View file

@ -222,8 +222,6 @@ int bind_mount_parse(CustomMount **l, size_t *n, const char *s, bool read_only)
if (!path_is_absolute(destination)) if (!path_is_absolute(destination))
return -EINVAL; return -EINVAL;
if (empty_or_root(destination))
return -EINVAL;
m = custom_mount_add(l, n, CUSTOM_MOUNT_BIND); m = custom_mount_add(l, n, CUSTOM_MOUNT_BIND);
if (!m) if (!m)
@ -262,8 +260,6 @@ int tmpfs_mount_parse(CustomMount **l, size_t *n, const char *s) {
if (!path_is_absolute(path)) if (!path_is_absolute(path))
return -EINVAL; return -EINVAL;
if (empty_or_root(path))
return -EINVAL;
m = custom_mount_add(l, n, CUSTOM_MOUNT_TMPFS); m = custom_mount_add(l, n, CUSTOM_MOUNT_TMPFS);
if (!m) if (!m)
@ -323,9 +319,6 @@ int overlay_mount_parse(CustomMount **l, size_t *n, const char *s, bool read_onl
return -EINVAL; return -EINVAL;
} }
if (empty_or_root(destination))
return -EINVAL;
m = custom_mount_add(l, n, CUSTOM_MOUNT_OVERLAY); m = custom_mount_add(l, n, CUSTOM_MOUNT_OVERLAY);
if (!m) if (!m)
return -ENOMEM; return -ENOMEM;
@ -923,7 +916,7 @@ int mount_custom(
CustomMount *mounts, size_t n, CustomMount *mounts, size_t n,
bool userns, uid_t uid_shift, uid_t uid_range, bool userns, uid_t uid_shift, uid_t uid_range,
const char *selinux_apifs_context, const char *selinux_apifs_context,
bool in_userns) { MountSettingsMask mount_settings) {
size_t i; size_t i;
int r; int r;
@ -933,7 +926,13 @@ int mount_custom(
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
CustomMount *m = mounts + i; CustomMount *m = mounts + i;
if (m->in_userns != in_userns) if ((mount_settings & MOUNT_IN_USERNS) != m->in_userns)
continue;
if (mount_settings & MOUNT_ROOT_ONLY && !path_equal(m->destination, "/"))
continue;
if (mount_settings & MOUNT_NON_ROOT_ONLY && path_equal(m->destination, "/"))
continue; continue;
switch (m->type) { switch (m->type) {

4
src/nspawn/nspawn-mount.h
View file

@ -14,6 +14,8 @@ typedef enum MountSettingsMask {
MOUNT_APPLY_APIVFS_NETNS = 1 << 4, /* if set, /proc/sys/net will be mounted read-write. MOUNT_APPLY_APIVFS_NETNS = 1 << 4, /* if set, /proc/sys/net will be mounted read-write.
Works only if MOUNT_APPLY_APIVFS_RO is also set. */ Works only if MOUNT_APPLY_APIVFS_RO is also set. */
MOUNT_APPLY_TMPFS_TMP = 1 << 5, /* if set, /tmp will be mounted as tmpfs */ MOUNT_APPLY_TMPFS_TMP = 1 << 5, /* if set, /tmp will be mounted as tmpfs */
MOUNT_ROOT_ONLY = 1 << 6, /* if set, only root mounts are mounted */
MOUNT_NON_ROOT_ONLY = 1 << 7, /* if set, only non-root mounts are mounted */
} MountSettingsMask; } MountSettingsMask;
typedef enum CustomMountType { typedef enum CustomMountType {
@ -52,7 +54,7 @@ int inaccessible_mount_parse(CustomMount **l, size_t *n, const char *s);
int mount_all(const char *dest, MountSettingsMask mount_settings, uid_t uid_shift, const char *selinux_apifs_context); int mount_all(const char *dest, MountSettingsMask mount_settings, uid_t uid_shift, const char *selinux_apifs_context);
int mount_sysfs(const char *dest, MountSettingsMask mount_settings); int mount_sysfs(const char *dest, MountSettingsMask mount_settings);
int mount_custom(const char *dest, CustomMount *mounts, size_t n, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context, bool in_userns); int mount_custom(const char *dest, CustomMount *mounts, size_t n, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context, MountSettingsMask mount_settings);
int setup_volatile_mode(const char *directory, VolatileMode mode, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context); int setup_volatile_mode(const char *directory, VolatileMode mode, bool userns, uid_t uid_shift, uid_t uid_range, const char *selinux_apifs_context);

23
src/nspawn/nspawn.c
View file

@ -2979,7 +2979,7 @@ static int inner_child(
0, 0,
0, 0,
arg_selinux_apifs_context, arg_selinux_apifs_context,
true); MOUNT_NON_ROOT_ONLY | MOUNT_IN_USERNS);
if (r < 0) if (r < 0)
return r; return r;
@ -3371,6 +3371,18 @@ static int outer_child(
if (r < 0) if (r < 0)
return r; return r;
r = mount_custom(
directory,
arg_custom_mounts,
arg_n_custom_mounts,
arg_userns_mode != USER_NAMESPACE_NO,
arg_uid_shift,
arg_uid_range,
arg_selinux_apifs_context,
MOUNT_ROOT_ONLY);
if (r < 0)
return r;
if (dissected_image) { if (dissected_image) {
/* Now we know the uid shift, let's now mount everything else that might be in the image. */ /* Now we know the uid shift, let's now mount everything else that might be in the image. */
r = dissected_image_mount(dissected_image, directory, arg_uid_shift, r = dissected_image_mount(dissected_image, directory, arg_uid_shift,
@ -3401,7 +3413,12 @@ static int outer_child(
* inside the container that create a new mount namespace. * inside the container that create a new mount namespace.
* See https://github.com/systemd/systemd/issues/3860 * See https://github.com/systemd/systemd/issues/3860
* Further submounts (such as /dev) done after this will inherit the * Further submounts (such as /dev) done after this will inherit the
* shared propagation mode. */ * shared propagation mode.
*
* IMPORTANT: Do not overmount the root directory anymore from now on to
* enable moving the root directory mount to root later on.
* https://github.com/systemd/systemd/issues/3847#issuecomment-562735251
*/
r = mount_verbose(LOG_ERR, NULL, directory, NULL, MS_SHARED|MS_REC, NULL); r = mount_verbose(LOG_ERR, NULL, directory, NULL, MS_SHARED|MS_REC, NULL);
if (r < 0) if (r < 0)
return r; return r;
@ -3474,7 +3491,7 @@ static int outer_child(
arg_uid_shift, arg_uid_shift,
arg_uid_range, arg_uid_range,
arg_selinux_apifs_context, arg_selinux_apifs_context,
false); MOUNT_NON_ROOT_ONLY);
if (r < 0) if (r < 0)
return r; return r;