The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3597
This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.
=== Description (from pull-request) ===
From 958779e4bfd5f2cdbaf66232afd8d0d865eb827b Mon Sep 17 00:00:00 2001
From: zhenr667 <44516803+zhenr...@users.noreply.github.com>
Date: Fri, 11 Dec 2020 19:12:11 -0600
Subject: [PATCH 1/2] unmount /proc/sys/net if dropping CAP_NET_ADMIN
---
src/lxc/conf.c | 39 ++++++++++++++++++++++-----------------
1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 84d16d7749..9fcedb9298 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -616,6 +616,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int
flags, struct lxc_ha
const char *fstype;
unsigned long flags;
const char *options;
+ int net_cap_dropped;
} default_mounts[] = {
/* Read-only bind-mounting... In older kernels, doing that
* required to do one MS_BIND mount and then
@@ -629,24 +630,24 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf,
int flags, struct lxc_ha
* it's busy... MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for
* kernels as low as 2.6.32...
*/
- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",
"%r/proc", "proc",
MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",
"%r/proc", "proc",
MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 },
/* proc/tty is used as a temporary placeholder for proc/sys/net
which we'll move back in a few steps */
- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net",
"%r/proc/tty", NULL, MS_BIND,
NULL },
- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",
"%r/proc/sys", NULL, MS_BIND,
NULL },
- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,
"%r/proc/sys", NULL,
MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty",
"%r/proc/sys/net", NULL, MS_MOVE,
NULL },
- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED,
"%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger",
NULL, MS_BIND, NULL },
- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,
"%r/proc/sysrq-trigger", NULL,
MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
- { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc",
"%r/proc", "proc",
MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs",
"%r/sys", "sysfs", 0,
NULL },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs",
"%r/sys", "sysfs", MS_RDONLY,
NULL },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs",
"%r/sys", "sysfs",
MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys",
"%r/sys", NULL, MS_BIND,
NULL },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL,
"%r/sys", NULL,
MS_REMOUNT|MS_BIND|MS_RDONLY, NULL },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs",
"%r/sys/devices/virtual/net", "sysfs", 0,
NULL },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED,
"%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net",
NULL, MS_BIND, NULL },
- { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL,
"%r/sys/devices/virtual/net", NULL,
MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL },
- { 0, 0, NULL,
NULL, NULL, 0,
NULL }
+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net",
"%r/proc/tty", NULL, MS_BIND,
NULL, 1 },
+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",
"%r/proc/sys", NULL, MS_BIND,
NULL, 0 },
+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,
"%r/proc/sys", NULL,
MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 },
+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty",
"%r/proc/sys/net", NULL, MS_MOVE,
NULL, 1 },
+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED,
"%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger",
NULL, MS_BIND, NULL, 0 },
+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,
"%r/proc/sysrq-trigger", NULL,
MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 },
+ { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc",
"%r/proc", "proc",
MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs",
"%r/sys", "sysfs", 0,
NULL, 0 },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs",
"%r/sys", "sysfs", MS_RDONLY,
NULL, 0 },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs",
"%r/sys", "sysfs",
MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL, 0 },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys",
"%r/sys", NULL, MS_BIND,
NULL, 0 },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL,
"%r/sys", NULL,
MS_REMOUNT|MS_BIND|MS_RDONLY, NULL, 0 },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs",
"%r/sys/devices/virtual/net", "sysfs", 0,
NULL, 0 },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED,
"%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net",
NULL, MS_BIND, NULL, 0 },
+ { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL,
"%r/sys/devices/virtual/net", NULL,
MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL, 0 },
+ { 0, 0, NULL,
NULL, NULL, 0,
NULL, 0 }
};
for (i = 0; default_mounts[i].match_mask; i++) {
@@ -666,6 +667,10 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf,
int flags, struct lxc_ha
if (!default_mounts[i].destination)
return log_error(-1, "BUG: auto mounts destination %d
was NULL", i);
+ if(in_caplist(CAP_NET_ADMIN, &conf->caps))
+ if(default_mounts[i].net_cap_dropped)
+ continue;
+
/* will act like strdup if %r is not present */
destination = lxc_string_replace("%r", conf->rootfs.path ?
conf->rootfs.mount : "", default_mounts[i].destination);
if (!destination)
From 1858df34cce322b0974c5999bf97a466d4090a1f Mon Sep 17 00:00:00 2001
From: zhenr667 <44516803+zhenr...@users.noreply.github.com>
Date: Fri, 11 Dec 2020 19:27:25 -0600
Subject: [PATCH 2/2] unmount /proc/sys/net if dropping CAP_NET_ADMIN >> >>
Signed-off-by: Henry Zhang <henryzhan...@gmail.com>
---
src/lxc/conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 9fcedb9298..40528a1afa 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -667,7 +667,7 @@ static int lxc_mount_auto_mounts(struct lxc_conf *conf, int
flags, struct lxc_ha
if (!default_mounts[i].destination)
return log_error(-1, "BUG: auto mounts destination %d
was NULL", i);
- if(in_caplist(CAP_NET_ADMIN, &conf->caps))
+ if(!in_caplist(CAP_NET_ADMIN, &conf->caps))
if(default_mounts[i].net_cap_dropped)
continue;
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
