[PATCH] nspawn: just a quick patch to test overlayfs uid shift
From fc07e715ec5c20b461f4fda4014f755a53a39d5a Mon Sep 17 00:00:00 2001 | |
From: Djalal Harouni <djalal@endocode.com> | |
Date: Thu, 21 Jan 2016 12:49:41 +0100 | |
Subject: [PATCH] nspawn: just a quick patch to test overlayfs uid shift | |
Signed-off-by: Djalal Harouni <djalal@endocode.com> | |
--- | |
src/nspawn/nspawn-mount.c | 25 ++++++++++++++++++------- | |
src/nspawn/nspawn-mount.h | 1 + | |
src/nspawn/nspawn.c | 1 + | |
3 files changed, 20 insertions(+), 7 deletions(-) | |
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c | |
index c8e627a..38ab028 100644 | |
--- a/src/nspawn/nspawn-mount.c | |
+++ b/src/nspawn/nspawn-mount.c | |
@@ -514,14 +514,19 @@ static char *joined_and_escaped_lower_dirs(char * const *lower) { | |
static int mount_overlay(const char *dest, CustomMount *m) { | |
_cleanup_free_ char *lower = NULL; | |
+ _cleanup_free_ char *escaped_source = NULL; | |
+ _cleanup_free_ char *escaped_work_dir = NULL; | |
const char *where, *options; | |
- int r; | |
+ int r, shift = 0; | |
assert(dest); | |
assert(m); | |
where = prefix_roota(dest, m->destination); | |
+ if (m->arg_uid_shift != UID_INVALID) | |
+ shift = 1; | |
+ | |
r = mkdir_label(where, 0755); | |
if (r < 0 && r != -EEXIST) | |
return log_error_errno(r, "Creating mount point for overlay %s failed: %m", where); | |
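Review bot: `shift` is a boolean flag spelled as `int r, shift = 0;` plus a two-line `if`, which is more ceremony than the file's declare-at-first-use style needs; `bool shift = m->arg_uid_shift != UID_INVALID;` at the declaration says the same thing in one line. Hoisting `escaped_source` and `escaped_work_dir` to function scope is only needed so the later `lchown` block can see them, so a one-line comment above those declarations (`/* kept at function scope: reused after the mount for the uid-shift chown */`) would tell the next reader why they moved out of the branches. mount_overlay continues past this hunk.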
@@ -533,16 +538,13 @@ static int mount_overlay(const char *dest, CustomMount *m) { | |
return log_oom(); | |
if (m->read_only) { | |
- _cleanup_free_ char *escaped_source = NULL; | |
- | |
escaped_source = shell_escape(m->source, ",:"); | |
if (!escaped_source) | |
return log_oom(); | |
- options = strjoina("lowerdir=", escaped_source, ":", lower); | |
+ options = strjoina(shift ? "shift_uids,shift_gids," : "", | |
+ "lowerdir=", escaped_source, ":", lower); | |
} else { | |
- _cleanup_free_ char *escaped_source = NULL, *escaped_work_dir = NULL; | |
- | |
assert(m->work_dir); | |
(void) mkdir_label(m->work_dir, 0700); | |
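Review bot: The `shift_uids,shift_gids` tokens added to `options` on both branches are not standard overlayfs mount options, so on a kernel without the matching overlayfs support `mount()` will presumably reject the whole string with EINVAL and the existing "overlay mount to %s failed" message gives no hint that the shift options were the cause. A comment above the first `strjoina` should say so, e.g. `/* shift_uids/shift_gids need a kernel with overlayfs uid-shift support; mount() fails with EINVAL otherwise */`, and logging `options` at debug level before the mount would make that failure diagnosable. The placement is also inconsistent: the read-only branch puts the options as a prefix while the read-write branch appends them as a suffix; either works, but picking one form makes the two strings easier to compare. mount_overlay starts and ends outside this hunk.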
@@ -553,12 +555,21 @@ static int mount_overlay(const char *dest, CustomMount *m) { | |
if (!escaped_work_dir) | |
return log_oom(); | |
- options = strjoina("lowerdir=", lower, ",upperdir=", escaped_source, ",workdir=", escaped_work_dir); | |
+ options = strjoina("lowerdir=", lower, ",upperdir=", escaped_source, ",workdir=", escaped_work_dir, | |
+ shift ? ",shift_uids,shift_gids" : ""); | |
} | |
if (mount("overlay", where, "overlay", m->read_only ? MS_RDONLY : 0, options) < 0) | |
return log_error_errno(errno, "overlay mount to %s failed: %m", where); | |
+ /* Just a hack to test overlayfs UID shifts */ | |
+ if (shift && escaped_source && escaped_work_dir) { | |
+ lchown(escaped_source, 0 + m->arg_uid_shift, | |
+ 0 + m->arg_uid_shift); | |
+ lchown(escaped_work_dir, 0 + m->arg_uid_shift, | |
+ 0 + m->arg_uid_shift); | |
+ } | |
+ | |
return 0; | |
} | |
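Review bot: The new `lchown` calls pass `escaped_source` and `escaped_work_dir`, which are the `shell_escape(..., ",:")` forms built for the mount option string, not filesystem paths; for any upper or work directory whose path contains `,` or `:` the chown targets a non-existent name, so the calls should use `m->source` and `m->work_dir` instead. Their return values are also discarded, which hides exactly the failure this test patch is meant to surface, and the `0 + m->arg_uid_shift` arithmetic is noise. Since `escaped_work_dir` is only assigned on the read-write branch, the condition reduces to `shift && !m->read_only`; the rewrite below keeps that behaviour and logs a failed chown. The start of mount_overlay is in the earlier hunks of this file.
```c
        /* Just a hack to test overlayfs UID shifts: the chown is on the real
         * paths, the escaped copies only exist for the mount option string */
        if (shift && !m->read_only) {
                if (lchown(m->source, m->arg_uid_shift, m->arg_uid_shift) < 0)
                        log_warning_errno(errno, "Failed to chown upper dir %s: %m", m->source);
                if (lchown(m->work_dir, m->arg_uid_shift, m->arg_uid_shift) < 0)
                        log_warning_errno(errno, "Failed to chown work dir %s: %m", m->work_dir);
        }

        return 0;
```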
diff --git a/src/nspawn/nspawn-mount.h b/src/nspawn/nspawn-mount.h | |
index bdab23b..235f530 100644 | |
--- a/src/nspawn/nspawn-mount.h | |
+++ b/src/nspawn/nspawn-mount.h | |
@@ -47,6 +47,7 @@ typedef struct CustomMount { | |
char *options; | |
char *work_dir; | |
char **lower; | |
+ unsigned int arg_uid_shift; | |
} CustomMount; | |
CustomMount* custom_mount_add(CustomMount **l, unsigned *n, CustomMountType t); | |
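Review bot: The new field is declared `unsigned int arg_uid_shift;` but nspawn-mount.c compares it against `UID_INVALID` and passes it to `lchown()`, both of which are `uid_t`; declaring it as `uid_t arg_uid_shift;` keeps the type consistent with its uses and avoids relying on `uid_t` happening to be `unsigned int`. A short comment such as `/* UID_INVALID when no uid shift is requested */` would also document the sentinel the mount code depends on.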
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c | |
index d619206..779b28a 100644 | |
--- a/src/nspawn/nspawn.c | |
+++ b/src/nspawn/nspawn.c | |
@@ -681,6 +681,7 @@ static int parse_argv(int argc, char *argv[]) { | |
m->source = upper; | |
m->lower = lower; | |
m->read_only = c == ARG_OVERLAY_RO; | |
+ m->arg_uid_shift = arg_uid_shift; | |
upper = destination = NULL; | |
lower = NULL; | |
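Review bot: `m->arg_uid_shift = arg_uid_shift;` snapshots the global at the moment `--overlay`/`--overlay-ro` is parsed, so if the option that sets `arg_uid_shift` appears later on the command line than the overlay option, the mount keeps the earlier (presumably `UID_INVALID`) value and no shift is applied; the result depends on argument order. Reading `arg_uid_shift` when the mounts are actually performed, or passing it into `mount_overlay` from the caller, would remove that dependency and make the per-mount copy unnecessary. If the copy is kept, a comment here noting the ordering assumption (`/* assumes --private-users was parsed before this option */`) would at least make it visible.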
-- | |
2.4.5 |