From: Gao feng
Date: Wed, 11 Sep 2013 08:07:53 +0000 (+0800)
Subject: LXC: umount the temporary filesystem created by libvirt
X-Git-Tag: CVE-2013-4311~72
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4142bf46b85b0a61737f3d670f543d450ac1a5d8;p=thirdparty%2Flibvirt.git

LXC: umount the temporary filesystem created by libvirt

The devpts, dev and fuse filesystems are mounted temporarily. there is no need to export them to container if container shares the root directory with host.

Signed-off-by: Gao feng
---

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 9c04d06b66..0ab4ab72dd 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1486,6 +1486,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
 int ret = -1;
 char *sec_mount_options;
 char *stateDir = NULL;
+ char *tmp = NULL;
 
 VIR_DEBUG("Setup pivot root");
 
@@ -1522,6 +1523,26 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
 goto cleanup;
 #endif
 
+ /* These filesystems are created by libvirt temporarily, they
+ * shouldn't appear in container. */
+ if (STREQ(root->src, "/")) {
+ if (virAsprintf(&tmp, "%s/%s.dev", stateDir, vmDef->name) < 0 ||
+ lxcContainerUnmountSubtree(tmp, false) < 0)
+ goto cleanup;
+
+ VIR_FREE(tmp);
+ if (virAsprintf(&tmp, "%s/%s.devpts", stateDir, vmDef->name) < 0 ||
+ lxcContainerUnmountSubtree(tmp, false) < 0)
+ goto cleanup;
+
+#if WITH_FUSE
+ VIR_FREE(tmp);
+ if (virAsprintf(&tmp, "%s/%s.fuse", stateDir, vmDef->name) < 0 ||
+ lxcContainerUnmountSubtree(tmp, false) < 0)
+ goto cleanup;
+#endif
+ }
+
 /* If we have the root source being '/', then we need to
 * get rid of any existing stuff under /proc, /sys & /tmp.
 * We need new namespace aware versions of those. We must
@@ -1571,6 +1592,7 @@ cleanup:
 VIR_FREE(stateDir);
 virCgroupFree(&cgroup);
 VIR_FREE(sec_mount_options);
+ VIR_FREE(tmp);
 return ret;
 }
 
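Review bot: The three unmount steps in the second hunk are the same virAsprintf/lxcContainerUnmountSubtree pair repeated with a different suffix, each relying on a preceding `VIR_FREE(tmp)` before `tmp` is reassigned; a loop over a suffix table, with `"fuse"` inside the `#if WITH_FUSE` guard, keeps one copy of the pair and makes the free-before-reuse step unconditional. The comment would also read better if it named the mounts and the reason, e.g. `/* Unmount the per-container dev, devpts (and fuse) staging mounts under stateDir: when root->src is the host's "/", they would otherwise remain visible inside the container. */` — that these are staging mounts is inferred from the path pattern, so confirm against where they are created. Whether lxcContainerUnmountSubtree returns 0 when nothing is mounted under the prefix is not visible here; if it does not, the unconditional `goto cleanup` would abort container start for a configuration in which one of these mounts was never made. lxcContainerSetupPivotRoot begins before the first hunk and continues between and after the hunks.
```c
    if (STREQ(root->src, "/")) {
        static const char *const suffixes[] = {
            "dev", "devpts",
#if WITH_FUSE
            "fuse",
#endif
        };
        size_t i;

        for (i = 0; i < ARRAY_CARDINALITY(suffixes); i++) {
            VIR_FREE(tmp);
            if (virAsprintf(&tmp, "%s/%s.%s", stateDir, vmDef->name,
                            suffixes[i]) < 0 ||
                lxcContainerUnmountSubtree(tmp, false) < 0)
                goto cleanup;
        }
    }
    /* … unchanged: /proc, /sys & /tmp handling that follows … */
```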