That is one possible approach to allow remounting in a ve (CT) user ns for docker and, at the same time, prohibit remounting the sb of mounts initially created outside of that namespace (proposed by @avagin).

The other possible way: we can save on the superblock the mntns from which the mount was initially created.

On 10/22/2015 06:31 PM, Pavel Tikhomirov wrote:
Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
---
  fs/namespace.c | 8 +++++++-
  1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 8909c13..2ed3f02 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1994,7 +1994,13 @@ static int do_remount(struct path *path, int flags, int 
mnt_flags,
        down_write(&sb->s_umount);
        if (flags & MS_BIND)
                err = change_mount_flags(path->mnt, flags);
-       else if (!ve_capable(CAP_SYS_ADMIN))
+       else if (!(capable(CAP_SYS_ADMIN)
+                || (ve_capable(CAP_SYS_ADMIN) && 
IS_ROOT(path->mnt->mnt_root))))
+               /*
+                * Allow CT remount sb if the root of the mount is available
+                * that will prohibit remounting sb for bindmount from host
+                * if in-ct root is not equal to hosts mount root
+                */
                err = -EPERM;
        else
                err = do_check_and_remount_sb(sb, flags, data);
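Review bot: IS_ROOT(path->mnt->mnt_root) only rejects bind mounts whose root is a subdirectory of the host filesystem; a bind mount of the whole filesystem root from the host still passes, so a CT with ve_capable(CAP_SYS_ADMIN) can remount that host superblock (your own comment already limits the guarantee to the case where the in-CT root is not equal to the host mount root). Please state that limitation explicitly in the commit message, or wire this together with the mntns-on-superblock idea from the cover text. Two smaller points: the block comment sits between the `else if (...)` condition and its `err = -EPERM;` statement, which is hard to read without braces, so move it above the `else if` and put braces around the statement; and the comment text "if the root of the mount is available" does not say what is checked, so rephrase to something like "Allow CT to remount the sb only if the mount's root dentry is the superblock root".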


--
Best regards, Tikhomirov Pavel
Software Developer, Odin.
_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
