From: Christian Brauner Date: Wed, 3 Feb 2021 19:55:01 +0000 (+0100) Subject: conf: make lxc_create_tmp_proc_mount() static X-Git-Tag: lxc-5.0.0~302^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1b9d6af00b924b9f386da9dce99159163a84b0a;p=thirdparty%2Flxc.git conf: make lxc_create_tmp_proc_mount() static Signed-off-by: Christian Brauner --- diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 5846bb0fa..220a06453 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -2952,6 +2952,77 @@ again: return freeid; } +/* + * Mount a proc under @rootfs if proc self points to a pid other than + * my own. This is needed to have a known-good proc mount for setting + * up LSMs both at container startup and attach. + * + * @rootfs : the rootfs where proc should be mounted + * + * Returns < 0 on failure, 0 if the correct proc was already mounted + * and 1 if a new proc was mounted. + * + * NOTE: not to be called from inside the container namespace! + */ +static int lxc_mount_proc_if_needed(const char *rootfs) +{ + char path[PATH_MAX] = {0}; + int link_to_pid, linklen, mypid, ret; + char link[INTTYPE_TO_STRLEN(pid_t)] = {0}; + + ret = snprintf(path, PATH_MAX, "%s/proc/self", rootfs); + if (ret < 0 || ret >= PATH_MAX) { + SYSERROR("The name of proc path is too long"); + return -1; + } + + linklen = readlink(path, link, sizeof(link)); + + ret = snprintf(path, PATH_MAX, "%s/proc", rootfs); + if (ret < 0 || ret >= PATH_MAX) { + SYSERROR("The name of proc path is too long"); + return -1; + } + + /* /proc not mounted */ + if (linklen < 0) { + if (mkdir(path, 0755) && errno != EEXIST) + return -1; + + goto domount; + } else if (linklen >= sizeof(link)) { + link[linklen - 1] = '\0'; + ERROR("Readlink returned truncated content: \"%s\"", link); + return -1; + } + + mypid = lxc_raw_getpid(); + INFO("I am %d, /proc/self points to \"%s\"", mypid, link); + + if (lxc_safe_int(link, &link_to_pid) < 0) + return -1; + + /* correct procfs is already mounted */ + if (link_to_pid == mypid) + return 0; + + ret = umount2(path, MNT_DETACH); + if (ret < 0) + SYSWARN("Failed to umount \"%s\" with MNT_DETACH", path); + +domount: + /* rootfs is NULL */ + if (!strcmp(rootfs, "")) + ret = mount("proc", path, "proc", 0, NULL); + else + ret = safe_mount("proc", path, "proc", 0, NULL, rootfs); + if (ret < 0) + return -1; + + INFO("Mounted /proc in container for security transition"); + return 1; +} + /* NOTE: Must not be called from inside the container namespace! */ static int lxc_create_tmp_proc_mount(struct lxc_conf *conf) { diff --git a/src/lxc/utils.c b/src/lxc/utils.c index 588049d14..12735f589 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -1208,77 +1208,6 @@ int safe_mount(const char *src, const char *dest, const char *fstype, return 0; } -/* - * Mount a proc under @rootfs if proc self points to a pid other than - * my own. This is needed to have a known-good proc mount for setting - * up LSMs both at container startup and attach. - * - * @rootfs : the rootfs where proc should be mounted - * - * Returns < 0 on failure, 0 if the correct proc was already mounted - * and 1 if a new proc was mounted. - * - * NOTE: not to be called from inside the container namespace! - */ -int lxc_mount_proc_if_needed(const char *rootfs) -{ - char path[PATH_MAX] = {0}; - int link_to_pid, linklen, mypid, ret; - char link[INTTYPE_TO_STRLEN(pid_t)] = {0}; - - ret = snprintf(path, PATH_MAX, "%s/proc/self", rootfs); - if (ret < 0 || ret >= PATH_MAX) { - SYSERROR("The name of proc path is too long"); - return -1; - } - - linklen = readlink(path, link, sizeof(link)); - - ret = snprintf(path, PATH_MAX, "%s/proc", rootfs); - if (ret < 0 || ret >= PATH_MAX) { - SYSERROR("The name of proc path is too long"); - return -1; - } - - /* /proc not mounted */ - if (linklen < 0) { - if (mkdir(path, 0755) && errno != EEXIST) - return -1; - - goto domount; - } else if (linklen >= sizeof(link)) { - link[linklen - 1] = '\0'; - ERROR("Readlink returned truncated content: \"%s\"", link); - return -1; - } - - mypid = lxc_raw_getpid(); - INFO("I am %d, /proc/self points to \"%s\"", mypid, link); - - if (lxc_safe_int(link, &link_to_pid) < 0) - return -1; - - /* correct procfs is already mounted */ - if (link_to_pid == mypid) - return 0; - - ret = umount2(path, MNT_DETACH); - if (ret < 0) - SYSWARN("Failed to umount \"%s\" with MNT_DETACH", path); - -domount: - /* rootfs is NULL */ - if (!strcmp(rootfs, "")) - ret = mount("proc", path, "proc", 0, NULL); - else - ret = safe_mount("proc", path, "proc", 0, NULL, rootfs); - if (ret < 0) - return -1; - - INFO("Mounted /proc in container for security transition"); - return 1; -} - int open_devnull(void) { int fd = open("/dev/null", O_RDWR); diff --git a/src/lxc/utils.h b/src/lxc/utils.h index c3dc5cfb9..790ea4ad0 100644 --- a/src/lxc/utils.h +++ b/src/lxc/utils.h @@ -144,7 +144,6 @@ __hidden extern bool switch_to_ns(pid_t pid, const char *ns); __hidden extern char *get_template_path(const char *t); __hidden extern int safe_mount(const char *src, const char *dest, const char *fstype, unsigned long flags, const void *data, const char *rootfs); -__hidden extern int lxc_mount_proc_if_needed(const char *rootfs); __hidden extern int open_devnull(void); __hidden extern int set_stdfds(int fd); __hidden extern int null_stdfds(void);