restore: do mount proc in usernsd on certain conditions #2600
Conversation
ToolmanP
force-pushed
the
fix-mount-proc
branch
from
82068d3 to
cbe9e92
Compare
| int fd, ret; | ||
|
|
||
| if ((root_ns_mask & CLONE_NEWUSER) && !(root_ns_mask & CLONE_NEWNS)) | ||
| fd = ret = userns_call(userns_mount_proc, UNS_FDOUT, NULL, sizeof(NULL), -1); |
There was a problem hiding this comment.
will it be mounted in the target pid namespace?
There was a problem hiding this comment.
No i don't think it will be mounted and it's gonna be rejected. I fixed this now. The corner case is only when the user namespace is isolated while keeping both mount namespace and pid namespace be shared with host. If either of two namespaces are isolated, the proc fs will be mounted successfully.
There was a problem hiding this comment.
If a target workload is restored in just separate userns and pid namespaces, userns_mount_proc will fail, because the current process doesn't have CAP_SYS_ADMIN in the current mount namespace. The only way to workaround that is to mount proc from usernsd, and the userns mount callback has to enter the target pid namespace before mounting proc.
ToolmanP
force-pushed
the
fix-mount-proc
branch
from
cbe9e92 to
89d1e1c
Compare
ToolmanP
force-pushed
the
fix-mount-proc
branch
2 times, most recently
from
43dbd40 to
eda5ab0
Compare
|
Rebased to criu-dev |
When the user namespace is separate from both pid and mount namespace in the given task, cr-restore will fail to mount the procfs in the new user namespace because of the loss of privileges. Delegate usernsd to do the mount job if that corner case arises. Signed-off-by: Yiyang Wu <[email protected]>
|
A friendly reminder that this PR had no activity for 30 days. |
2 participants
When only the user namespace is isolated in the given task, cr-restore will fail to mount the procfs in the new user namespace because of the loss of privileges.
Delegate usernsd to do the mount job if that corner case arises.
Fixes: #2597