Merge pull request #1606 from cyphar/rootfs-propagation-no-pivot

hqhq · web-flow · commit 3409d5c5554b · 2017-10-18T09:52:04.000+08:00
specconv: emit an error when using MS_PRIVATE with --no-pivot
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
@@ -203,6 +203,9 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
 		if config.RootPropagation, exists = mountPropagationMapping[spec.Linux.RootfsPropagation]; !exists {
 			return nil, fmt.Errorf("rootfsPropagation=%v is not supported", spec.Linux.RootfsPropagation)
 		}
+		if config.NoPivotRoot && (config.RootPropagation&unix.MS_PRIVATE != 0) {
+			return nil, fmt.Errorf("rootfsPropagation of [r]private is not safe without pivot_root")
+		}
 
 		for _, ns := range spec.Linux.Namespaces {
 			t, exists := namespaceMapping[ns.Type]

Original file line number	Diff line number	Diff line change
`@@ -203,6 +203,9 @@ func CreateLibcontainerConfig(opts CreateOpts) (configs.Config, error) {`
`203`	`203`	`if config.RootPropagation, exists = mountPropagationMapping[spec.Linux.RootfsPropagation]; !exists {`
`204`	`204`	`return nil, fmt.Errorf("rootfsPropagation=%v is not supported", spec.Linux.RootfsPropagation)`
`205`	`205`	`}`
	`206`	`+ if config.NoPivotRoot && (config.RootPropagation&unix.MS_PRIVATE != 0) {`
	`207`	`+ return nil, fmt.Errorf("rootfsPropagation of [r]private is not safe without pivot_root")`
	`208`	`+ }`
`206`	`209`
`207`	`210`	`for _, ns := range spec.Linux.Namespaces {`
`208`	`211`	`t, exists := namespaceMapping[ns.Type]`