[iproute/f18] Don't propogate mounts out of ip (#882047)

Petr Šabata psabata at fedoraproject.org
Fri Feb 8 13:43:58 UTC 2013


commit 9792a0fef6c64c1b75431dce6def65a67fa712ef
Author: Petr Šabata <contyk at redhat.com>
Date:   Fri Feb 8 14:43:53 2013 +0100

    Don't propogate mounts out of ip (#882047)

 iproute.spec                                       |    7 +++-
 ...e2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch |   46 ++++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletions(-)
---
diff --git a/iproute.spec b/iproute.spec
index 677faa3..1d2728a 100644
--- a/iproute.spec
+++ b/iproute.spec
@@ -2,7 +2,7 @@
 Summary:            Advanced IP routing and network device configuration tools
 Name:               iproute
 Version:            3.6.0
-Release:            5%{?dist}
+Release:            6%{?dist}
 Group:              Applications/System
 URL:                http://kernel.org/pub/linux/utils/net/%{name}2/
 Source0:            http://kernel.org/pub/linux/utils/net/%{name}2/%{name}2-%{version}.tar.gz
@@ -21,6 +21,7 @@ Patch9:             iproute2-2.6.39-lnstat-dump-to-stdout.patch
 Patch10:            iproute2-3.6.0-List-interfaces-without-net-address-by-default.patch
 Patch11:            iproute2-3.7.0-ss-change-default-filter-to-include-all-soc.patch
 Patch12:            iproute2-3.7.0-ipv6-nexthop.patch
+Patch13:            iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
 License:            GPLv2+ and Public Domain
 BuildRequires:      tex(latex) tex(dvips) tex(ecrm1000.tfm) tex(cm-super-t1.enc) linuxdoc-tools
 BuildRequires:      flex linux-atm-libs-devel psutils libdb-devel bison
@@ -68,6 +69,7 @@ sed -i "s/_VERSION_/%{version}/" man/man8/ss.8
 %patch10 -p1 -b .list-all
 %patch11 -p1 -b .ss-list-all
 %patch12 -p1 -b .ipv6-nexthop
+%patch13 -p1 -b .netns-mount
 
 %build
 export LIBDIR=/%{_libdir}
@@ -177,6 +179,9 @@ done
 %{_includedir}/libnetlink.h
 
 %changelog
+* Fri Feb 08 2013 Petr Šabata <contyk at redhat.com> - 3.6.0-6
+- Don't propogate mounts out of ip (#882047)
+
 * Thu Dec 20 2012 Petr Šabata <contyk at redhat.com> - 3.6.0-5
 - Support IPv6 addresses for route's nexthop
 
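Review bot: The new %changelog entry repeats the patch subject, misspelling included ("propogate"), and does not say which command changes behaviour. Someone reading the RPM changelog will not know this is about "ip netns exec" unless they open bug #882047. Suggest wording along the lines of "- ip netns exec: mark mounts as slave so they don't propagate to the parent namespace (#882047)".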
diff --git a/iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch b/iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
new file mode 100644
index 0000000..c2d4b3f
--- /dev/null
+++ b/iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
@@ -0,0 +1,46 @@
+From 144e6ce1679a768e987230efb4afa402a5ab58ac Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Thu, 17 Jan 2013 14:45:33 +0000
+Subject: [PATCH] iproute2: Don't propogate mounts out of ip
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some systems are now following the advice in
+linux/Documentation/sharedsubtrees.txt and running with all mount
+points shared between all mount namespaces by default.
+
+After creating the mount namespace call mount on / with
+MS_SLAVE|MS_REC to modify all mounts in the new mount namespace to
+slave mounts if they are shared or private mounts otherwise.
+Guarnateeing that changes to the mount namespace created with
+"ip netns exec" don't propgate to other namespaces.
+
+Reported-by: Petr Šabata <contyk at redhat.com>
+Tested-by: Petr Šabata <contyk at redhat.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Petr Šabata <contyk at redhat.com>
+---
+ ip/ipnetns.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ip/ipnetns.c b/ip/ipnetns.c
+index e41a598..f2c42ba 100644
+--- a/ip/ipnetns.c
++++ b/ip/ipnetns.c
+@@ -152,6 +152,12 @@ static int netns_exec(int argc, char **argv)
+ 		fprintf(stderr, "unshare failed: %s\n", strerror(errno));
+ 		return -1;
+ 	}
++	/* Don't let any mounts propogate back to the parent */
++	if (mount("", "/", "none", MS_SLAVE | MS_REC, NULL)) {
++		fprintf(stderr, "mount --make-rslave / failed: %s\n",
++			strerror(errno));
++		return -1;
++	}
+ 	/* Mount a version of /sys that describes the network namespace */
+ 	if (umount2("/sys", MNT_DETACH) < 0) {
+ 		fprintf(stderr, "umount of /sys failed: %s\n", strerror(errno));
+-- 
+1.8.1
+
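Review bot: The comment above the new mount() call in netns_exec() covers only one direction. MS_SLAVE | MS_REC stops mounts made inside the new namespace from reaching the parent, but mounts made later in the parent still propagate into the namespace used by "ip netns exec". The commit message ("slave mounts if they are shared or private mounts otherwise") suggests this is intended, so the comment should say so, for example "/* Don't let any mounts propagate back to the parent; mounts from the parent are still received */". Otherwise a later reader may take it for full isolation or swap in MS_PRIVATE without weighing the difference. The placement before umount2("/sys", MNT_DETACH) is right, since that detach is the first operation that would otherwise leak out on a system with shared mounts. The hunk adds no #include, so MS_SLAVE and MS_REC must come from a header ipnetns.c already pulls in; that is worth confirming with a build on the target release.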

