nsenter: un-split clone(cloneflags) for RHEL

cyphar · cyphar · commit e3cd191acc5e · 2016-10-18T18:26:27.000+11:00
Without this patch applied, RHEL's SELinux policies cause container creation to not really work. Unfortunately this might be an issue for rootless containers (#774) but we'll cross that bridge when we come to it. Signed-off-by: Aleksa Sarai <asarai@suse.de>
diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
@@ -621,16 +621,25 @@ void nsexec(void)
 			if (config.namespaces)
 				join_namespaces(config.namespaces);
 
+			/*
+			 * Unshare all of the namespaces. Now, it should be noted that this
+			 * ordering might break in the future (especially with rootless
+			 * containers). But for now, it's not possible to split this into
+			 * CLONE_NEWUSER + [the rest] because of some RHEL SELinux issues.
+			 *
+			 * We also  can't be sure if the current kernel supports
+			 * clone(CLONE_PARENT | CLONE_NEWPID), so we'll just do it the long
+			 * way anyway.
+			 */
+			if (unshare(config.cloneflags) < 0)
+				bail("failed to unshare namespaces");
+
 			/*
 			 * Deal with user namespaces first. They are quite special, as they
 			 * affect our ability to unshare other namespaces and are used as
 			 * context for privilege checks.
 			 */
 			if (config.cloneflags & CLONE_NEWUSER) {
-				/* Create a new user namespace. */
-				if (unshare(CLONE_NEWUSER) < 0)
-					bail("failed to unshare user namespace");
-
 				/*
 				 * We don't have the privileges to do any mapping here (see the
 				 * clone_parent rant). So signal our parent to hook us up.
@@ -646,18 +655,8 @@ void nsexec(void)
 					bail("failed to sync with parent: read(SYNC_USERMAP_ACK)");
 				if (s != SYNC_USERMAP_ACK)
 					bail("failed to sync with parent: SYNC_USERMAP_ACK: got %u", s);
-
-				config.cloneflags &= ~CLONE_NEWUSER;
 			}
 
-			/*
-			 * Now we can unshare the rest of the namespaces. We can't be sure if the
-			 * current kernel supports clone(CLONE_PARENT | CLONE_NEWPID), so we'll
-			 * just do it the long way anyway.
-			 */
-			if (unshare(config.cloneflags) < 0)
-				bail("failed to unshare namespaces");
-
 			/* TODO: What about non-namespace clone flags that we're dropping here? */
 			child = clone_parent(&env, JUMP_INIT);
 			if (child < 0)
