We use cookies to ensure you get the best experience on our website
Página inicial Explorar Ajuda
Registrar Entrar
0ct0pu5
/
moby
1
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Ver código fonte

daemon: move getUnprivilegedMountFlags to internal package

This code is currently only used in the daemon, but is also needed in other
places. We should consider moving this code to github.com/moby/sys, so that
BuildKit can also use the same implementation instead of maintaining a fork;
moving it to internal allows us to reuse this code inside the repository, but
does not allow external consumers to depend on it (which we don't want as
it's not a permanent location).

As our code only uses this in linux files, I did not add a stub for other
platforms (but we may decide to do that in the moby/sys repository).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7b414f5703f1e4755a9ee7765b87eac2a2f1e0da)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Sebastiaan van Stijn 1 ano atrás
pai
7ed7e6caf6
commit
4be97233cc
2 arquivos alterados com 41 adições e 34 exclusões
Visão dividida Mostrar estatísticas do Diff
  1. 2 34
      daemon/oci_linux.go
  2. 39 0
      internal/rootless/mountopts/mountopts_linux.go

+ 2 - 34
daemon/oci_linux.go
Ver arquivo 

@@ -19,6 +19,7 @@ import (
 
 	"github.com/docker/docker/container"
 
 	dconfig "github.com/docker/docker/daemon/config"
 
 	"github.com/docker/docker/errdefs"
 
+	"github.com/docker/docker/internal/rootless/mountopts"
 
 	"github.com/docker/docker/oci"
 
 	"github.com/docker/docker/oci/caps"
 
 	"github.com/docker/docker/pkg/idtools"
 
@@ -31,7 +32,6 @@ import (
 
 	"github.com/opencontainers/runc/libcontainer/cgroups"
 
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 
 	"github.com/pkg/errors"
 
-	"golang.org/x/sys/unix"
 
 )
 
 
 const inContainerInitPath = "/sbin/" + dconfig.DefaultInitBinary
 
@@ -468,38 +468,6 @@ func ensureSharedOrSlave(path string) error {
 
 	return nil
 
 }
 
 
-// Get the set of mount flags that are set on the mount that contains the given
 
-// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
 
-// bind-mounting "with options" will not fail with user namespaces, due to
 
-// kernel restrictions that require user namespace mounts to preserve
 
-// CL_UNPRIVILEGED locked flags.
 
-func getUnprivilegedMountFlags(path string) ([]string, error) {
 
-	var statfs unix.Statfs_t
 
-	if err := unix.Statfs(path, &statfs); err != nil {
 
-		return nil, err
 
-	}
 
-
 
-	// The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
 
-	unprivilegedFlags := map[uint64]string{
 
-		unix.MS_RDONLY:     "ro",
 
-		unix.MS_NODEV:      "nodev",
 
-		unix.MS_NOEXEC:     "noexec",
 
-		unix.MS_NOSUID:     "nosuid",
 
-		unix.MS_NOATIME:    "noatime",
 
-		unix.MS_RELATIME:   "relatime",
 
-		unix.MS_NODIRATIME: "nodiratime",
 
-	}
 
-
 
-	var flags []string
 
-	for mask, flag := range unprivilegedFlags {
 
-		if uint64(statfs.Flags)&mask == mask {
 
-			flags = append(flags, flag)
 
-		}
 
-	}
 
-
 
-	return flags, nil
 
-}
 
-
 
 var (
 
 	mountPropagationMap = map[string]int{
 
 		"private":  mount.PRIVATE,
 
@@ -723,7 +691,7 @@ func withMounts(daemon *Daemon, daemonCfg *configStore, c *container.Container)
 
 			// when runc sets up the root filesystem, it is already inside a user
 
 			// namespace, and thus cannot change any flags that are locked.
 
 			if daemonCfg.RemappedRoot != "" || userns.RunningInUserNS() {
 
-				unprivOpts, err := getUnprivilegedMountFlags(m.Source)
 
+				unprivOpts, err := mountopts.UnprivilegedMountFlags(m.Source)
 
 				if err != nil {
 
 					return err
 
 				}

+ 39 - 0
internal/rootless/mountopts/mountopts_linux.go
Ver arquivo 

@@ -0,0 +1,39 @@
 
+package mountopts
 
+
 
+import (
 
+	"golang.org/x/sys/unix"
 
+)
 
+
 
+// UnprivilegedMountFlags gets the set of mount flags that are set on the mount that contains the given
 
+// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
 
+// bind-mounting "with options" will not fail with user namespaces, due to
 
+// kernel restrictions that require user namespace mounts to preserve
 
+// CL_UNPRIVILEGED locked flags.
 
+//
 
+// TODO: Move to github.com/moby/sys/mount, and update BuildKit copy of this code as well (https://github.com/moby/buildkit/blob/v0.13.0/util/rootless/mountopts/mountopts_linux.go#L11-L18)
 
+func UnprivilegedMountFlags(path string) ([]string, error) {
 
+	var statfs unix.Statfs_t
 
+	if err := unix.Statfs(path, &statfs); err != nil {
 
+		return nil, err
 
+	}
 
+
 
+	// The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
 
+	unprivilegedFlags := map[uint64]string{
 
+		unix.MS_RDONLY:     "ro",
 
+		unix.MS_NODEV:      "nodev",
 
+		unix.MS_NOEXEC:     "noexec",
 
+		unix.MS_NOSUID:     "nosuid",
 
+		unix.MS_NOATIME:    "noatime",
 
+		unix.MS_RELATIME:   "relatime",
 
+		unix.MS_NODIRATIME: "nodiratime",
 
+	}
 
+
 
+	var flags []string
 
+	for mask, flag := range unprivilegedFlags {
 
+		if uint64(statfs.Flags)&mask == mask {
 
+			flags = append(flags, flag)
 
+		}
 
+	}
 
+
 
+	return flags, nil
 
+}

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5