From: Gao feng <gaofeng@cn.fujitsu.com>
Date: Fri, 7 Jun 2013 07:12:19 +0000 (+0800)
Subject: LXC: enable user namespace only when user set the uidmap
X-Git-Tag: CVE-2013-2230~99
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b58336eecbebdf0318c3fb768afad4620a65f59;p=thirdparty%2Flibvirt.git

LXC: enable user namespace only when user set the uidmap

User namespace will be enabled only when the idmap exist
in configuration.

If you want disable user namespace,just remove these
elements from XML.

If kernel doesn't support user namespace and idmap exist
in configuration file, libvirt lxc will start failed and
return "Kernel doesn't support user namespace" message.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index f288c533a0..a5fc0fdcb1 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -2018,14 +2018,12 @@ cleanup:
 
 static int userns_supported(void)
 {
-#if 1
-    /*
-     * put off using userns until uid mapping is implemented
-     */
-    return 0;
-#else
     return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
-#endif
+}
+
+static int userns_required(virDomainDefPtr def)
+{
+    return def->idmap.uidmap && def->idmap.gidmap;
 }
 
 virArch lxcContainerGetAlt32bitArch(virArch arch)
@@ -2105,9 +2103,15 @@ int lxcContainerStart(virDomainDefPtr def,
 
     cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
 
-    if (userns_supported()) {
-        VIR_DEBUG("Enable user namespaces");
-        cflags |= CLONE_NEWUSER;
+    if (userns_required(def)) {
+        if (userns_supported()) {
+            VIR_DEBUG("Enable user namespace");
+            cflags |= CLONE_NEWUSER;
+        } else {
+            virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                                 _("Kernel doesn't support user namespace"));
+            return -1;
+        }
     }
 
     if (lxcNeedNetworkNamespace(def)) {