[iproute/f17] Don't propagate mounts outside of ip
Petr Šabata
psabata at fedoraproject.org
Wed Mar 6 14:03:37 UTC 2013
commit 010336687e7f18270f3829d37655e1b802738ac7
Author: Petr Šabata <contyk at redhat.com>
Date: Wed Mar 6 15:03:33 2013 +0100
Don't propagate mounts outside of ip
iproute.spec | 7 +++-
...e2-3.3.0-Don-t-propagate-mounts-out-of-ip.patch | 46 ++++++++++++++++++++
2 files changed, 52 insertions(+), 1 deletions(-)
---
diff --git a/iproute.spec b/iproute.spec
index e6f110d..b11ce3b 100644
--- a/iproute.spec
+++ b/iproute.spec
@@ -2,7 +2,7 @@
Summary: Advanced IP routing and network device configuration tools
Name: iproute
Version: 3.3.0
-Release: 5%{?dist}
+Release: 6%{?dist}
Group: Applications/System
URL: http://kernel.org/pub/linux/utils/net/%{name}2/
Source0: http://kernel.org/pub/linux/utils/net/%{name}2/%{name}2-%{version}.tar.gz
@@ -23,6 +23,7 @@ Patch11: iproute2-3.7.0-ss-change-default-filter-to-include-all-soc.p
Patch12: iproute2-3.7.0-ipv6-nexthop.patch
Patch13: iproute2-3.3.0-fq_codel.patch
Patch14: iproute2-3.3.0-fq_codel-headers.patch
+Patch15: iproute2-3.3.0-Don-t-propagate-mounts-out-of-ip.patch
License: GPLv2+ and Public Domain
BuildRequires: tex(latex) tex(dvips) linuxdoc-tools
BuildRequires: flex linux-atm-libs-devel psutils db4-devel bison
@@ -73,6 +74,7 @@ sed -i "s/_VERSION_/%{version}/" man/man8/ss.8
%patch12 -p1 -b .ipv6-nexthop
%patch13 -p1 -b .fq_codel
%patch14 -p1 -b .fq_codel-headers
+%patch15 -p1 -b .netns
%build
export LIBDIR=/%{_libdir}
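Review bot: the backup suffix `.netns` on the new `%patch15 -p1 -b .netns` line does not follow the pattern of the neighbouring entries, where the suffix mirrors the patch's descriptive name (`.fq_codel`, `.fq_codel-headers`, `.ipv6-nexthop`); a suffix such as `.dont-propagate-mounts` would make the `.orig`-style backups in the build tree self-explanatory when several netns-related patches accumulate later.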
@@ -183,6 +185,9 @@ done
%{_includedir}/libnetlink.h
%changelog
+* Wed Mar 06 2013 Petr Šabata <contyk at redhat.com> - 3.3.0-6
+- Don't propagate mounts outside of ip (#882047)
+
* Thu Dec 20 2012 Petr Šabata <contyk at redhat.com> - 3.3.0-5
- Add support for fq_codel (#886958)
diff --git a/iproute2-3.3.0-Don-t-propagate-mounts-out-of-ip.patch b/iproute2-3.3.0-Don-t-propagate-mounts-out-of-ip.patch
new file mode 100644
index 0000000..c2d4b3f
--- /dev/null
+++ b/iproute2-3.3.0-Don-t-propagate-mounts-out-of-ip.patch
@@ -0,0 +1,46 @@
+From 144e6ce1679a768e987230efb4afa402a5ab58ac Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Thu, 17 Jan 2013 14:45:33 +0000
+Subject: [PATCH] iproute2: Don't propogate mounts out of ip
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some systems are now following the advice in
+linux/Documentation/sharedsubtrees.txt and running with all mount
+points shared between all mount namespaces by default.
+
+After creating the mount namespace call mount on / with
+MS_SLAVE|MS_REC to modify all mounts in the new mount namespace to
+slave mounts if they are shared or private mounts otherwise.
+Guarnateeing that changes to the mount namespace created with
+"ip netns exec" don't propgate to other namespaces.
+
+Reported-by: Petr Šabata <contyk at redhat.com>
+Tested-by: Petr Šabata <contyk at redhat.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Petr Šabata <contyk at redhat.com>
+---
+ ip/ipnetns.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ip/ipnetns.c b/ip/ipnetns.c
+index e41a598..f2c42ba 100644
+--- a/ip/ipnetns.c
++++ b/ip/ipnetns.c
+@@ -152,6 +152,12 @@ static int netns_exec(int argc, char **argv)
+ fprintf(stderr, "unshare failed: %s\n", strerror(errno));
+ return -1;
+ }
++ /* Don't let any mounts propogate back to the parent */
++ if (mount("", "/", "none", MS_SLAVE | MS_REC, NULL)) {
++ fprintf(stderr, "mount --make-rslave / failed: %s\n",
++ strerror(errno));
++ return -1;
++ }
+ /* Mount a version of /sys that describes the network namespace */
+ if (umount2("/sys", MNT_DETACH) < 0) {
+ fprintf(stderr, "umount of /sys failed: %s\n", strerror(errno));
+--
+1.8.1
+
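Review bot: the new `mount("", "/", "none", MS_SLAVE | MS_REC, NULL)` call in the ipnetns.c hunk only blocks propagation in one direction, and the inline comment should say so: with MS_SLAVE the child's mounts (including the /sys replacement done right after) stay in the new mount namespace, but mount events from the parent still flow into the child. If the intent were full isolation, MS_PRIVATE | MS_REC would be the alternative; MS_SLAVE is the right default for `ip netns exec` because the child keeps seeing host mounts, but a one-line comment like "slave, not private: parent mounts still propagate in" avoids that being re-litigated. The source and fstype arguments are ignored by the kernel for a propagation-only flag change, so `""` and `"none"` are fine. The error path is consistent with the `unshare` failure just above (print, return -1) and the message "mount --make-rslave / failed" maps the flags to the equivalent mount(8) invocation, which helps triage. The misspellings in the carried upstream commit ("propogate" in the Subject and the comment, "Guarnateeing", "propgate") are best left untouched here since the file is being carried verbatim as upstream commit 144e6ce1679a768e987230efb4afa402a5ab58ac and rewording it downstream would make the backport harder to match against upstream.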