[systemd-devel] [PATCH] nspawn: allow bind-mounting char and block files

Thu Jan 22 07:32:26 PST 2015

On 22 January 2015 at 13:51, Lennart Poettering <lennart at poettering.net> wrote:
> On Thu, 22.01.15 13:25, Alban Crequy (muadda at gmail.com) wrote:
>
>> From: Alban Crequy <alban at endocode.com>
>
> Hmm, I wonder if we can actually simplify this. IIRC the rules for
> over-mounting are simpler than I thought initially:
>
> a) dirs can only over-mount dirs
>
> b) everything else can over-mount everything else
>
> With that in mind I think we can collapse this code to only have two
> branches: one branch for the S_ISDIR() case, and another one that uses
> touch() for everything else.
>
> Anychance you can simplify the patch like this? The benefit would be
> that we can do without CAP_SYS_MKNOD for all of this. Also, your patch
> woud then shorten the code, while adding a feature, not make it
> longer!

The patch will be a bit longer because the file type checks in
mount_binds() need to be updated. Otherwise, the second attempt of
running nspawn would fail.

I will send the patch v2 shortly.

>> ---
>>  src/nspawn/nspawn.c | 7 +++++--
>>  1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
>> index 3fce3ad..db57b24 100644
>> --- a/src/nspawn/nspawn.c
>> +++ b/src/nspawn/nspawn.c
>> @@ -911,8 +911,7 @@ static int mount_binds(const char *dest, char **l, bool ro) {
>>                          return -errno;
>>                  }
>>
>> -                /* Create the mount point, but be conservative -- refuse to create block
>> -                 * and char devices. */
>> +                /* Create the mount point */
>>                  if (S_ISDIR(source_st.st_mode)) {
>>                          r = mkdir_label(where, 0755);
>>                          if (r < 0 && errno != EEXIST)
>> @@ -929,6 +928,10 @@ static int mount_binds(const char *dest, char **l, bool ro) {
>>                          r = touch(where);
>>                          if (r < 0)
>>                                  return log_error_errno(r, "Failed to create mount point %s: %m", where);
>> +                } else if (S_ISCHR(source_st.st_mode) || !S_ISBLK(source_st.st_mode)) {
>> +                        r = mknod(where, source_st.st_mode, source_st.st_rdev) < 0;
>> +                        if (r < 0 && errno != EEXIST)
>> +                                return log_error_errno(errno, "Failed to create mount point %s: %m", where);
>>                  } else {
>>                          log_error("Refusing to create mountpoint for file: %s", *x);
>>                          return -ENOTSUP;
>> --
>> 2.1.4
>>
>> _______________________________________________
>> systemd-devel mailing list
>> systemd-devel at lists.freedesktop.org
>> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
>
> Lennart
>
> --
> Lennart Poettering, Red Hat