machined: refuse bind mounts on containers that have user namespaces applied

As the kernel won't map the UIDs this is simply not safe, and hence we should generate a clean error and refuse it. We can restore this feature later should a "shiftfs" become available in the kernel.
2017-02-16 13:59:13 +01:00 · 2017-02-16 13:59:13 +01:00 · 7f43928ba6
parent 3aca8326bd
commit 7f43928ba6
2 changed files with 15 additions and 13 deletions
--- a/man/machinectl.xml
+++ b/man/machinectl.xml
@ -518,19 +518,14 @@
      <varlistentry>
        <term><command>bind</command> <replaceable>NAME</replaceable> <replaceable>PATH</replaceable> [<replaceable>PATH</replaceable>]</term>

-        <listitem><para>Bind mounts a directory from the host into the
-        specified container. The first directory argument is the
-        source directory on the host, the second directory argument
-        is the destination directory in the container. When the
-        latter is omitted, the destination path in the container is
-        the same as the source path on the host. When combined with
-        the <option>--read-only</option> switch, a ready-only bind
-        mount is created. When combined with the
-        <option>--mkdir</option> switch, the destination path is first
-        created before the mount is applied. Note that this option is
-        currently only supported for
-        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
-        containers.</para></listitem>
+        <listitem><para>Bind mounts a directory from the host into the specified container. The first directory
+        argument is the source directory on the host, the second directory argument is the destination directory in the
+        container. When the latter is omitted, the destination path in the container is the same as the source path on
+        the host. When combined with the <option>--read-only</option> switch, a ready-only bind mount is created. When
+        combined with the <option>--mkdir</option> switch, the destination path is first created before the mount is
+        applied. Note that this option is currently only supported for
+        <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry> containers,
+        and only if user namespacing (<option>--private-users</option>) is not used.</para></listitem>
      </varlistentry>

      <varlistentry>
--- a/src/machine/machine-dbus.c
+++ b/src/machine/machine-dbus.c
@ -841,6 +841,7 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
        int read_only, make_directory;
        pid_t child;
        siginfo_t si;
+        uid_t uid;
        int r;

        assert(message);
@ -875,6 +876,12 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
        if (r == 0)
                return 1; /* Will call us back */

+        r = machine_get_uid_shift(m, &uid);
+        if (r < 0)
+                return r;
+        if (uid != 0)
+                return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Can't bind mount on container with user namespacing applied.");
+
        /* One day, when bind mounting /proc/self/fd/n works across
         * namespace boundaries we should rework this logic to make
         * use of it... */