--- /dev/null
+From dc54e85c015bf6f2b67b6abcc3fac82e9d927412 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Wed, 18 Nov 2015 14:05:00 +0100
+Subject: [PATCH] added lxc.start.unshare
+
+---
+ config/apparmor/abstractions/start-container | 1 +
+ doc/lxc.container.conf.sgml.in | 12 ++++++++++++
+ src/lxc/conf.h | 1 +
+ src/lxc/confile.c | 7 +++++++
+ src/lxc/lxccontainer.c | 12 ++++++++++++
+ 5 files changed, 33 insertions(+)
+
+diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
+index b06a84d..eee0c2f 100644
+--- a/config/apparmor/abstractions/start-container
++++ b/config/apparmor/abstractions/start-container
+@@ -15,6 +15,7 @@
+ mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+ mount options=bind /dev/pts/** -> /dev/**,
+ mount options=(rw, make-slave) -> **,
++ mount options=(rw, make-rslave) -> **,
+ mount fstype=debugfs,
+ # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
+ mount -> /var/lib/lxc/{**,},
+diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
+index 90ffefa..7592d5c 100644
+--- a/doc/lxc.container.conf.sgml.in
++++ b/doc/lxc.container.conf.sgml.in
+@@ -1661,6 +1661,18 @@ mknod errno 0
+ </varlistentry>
+ <varlistentry>
+ <term>
++ <option>lxc.start.unshare</option>
++ </term>
++ <listitem>
++ <para>
++ If not zero (which is the default) the mount namespace will
++ be unshared from the host before initializing the container
++ (before running any pre-start hooks).
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
+ <option>lxc.group</option>
+ </term>
+ <listitem>
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index 1374d4a..3a83ba3 100644
+--- a/src/lxc/conf.h
++++ b/src/lxc/conf.h
+@@ -344,6 +344,7 @@ struct lxc_conf {
+ int start_auto;
+ int start_delay;
+ int start_order;
++ int start_unshare;
+ struct lxc_list groups;
+ int nbd_idx;
+
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index c2eaaa6..b6ed195 100644
+--- a/src/lxc/confile.c
++++ b/src/lxc/confile.c
+@@ -173,6 +173,7 @@ static struct lxc_config_t config[] = {
+ { "lxc.start.auto", config_start },
+ { "lxc.start.delay", config_start },
+ { "lxc.start.order", config_start },
++ { "lxc.start.unshare", config_start },
+ { "lxc.group", config_group },
+ { "lxc.environment", config_environment },
+ { "lxc.init_cmd", config_init_cmd },
+@@ -1137,6 +1138,10 @@ static int config_start(const char *key, const char *value,
+ lxc_conf->start_order = atoi(value);
+ return 0;
+ }
++ else if (strcmp(key, "lxc.start.unshare") == 0) {
++ lxc_conf->start_unshare = atoi(value);
++ return 0;
++ }
+ SYSERROR("Unknown key: %s", key);
+ return -1;
+ }
+@@ -2483,6 +2488,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv,
+ return lxc_get_conf_int(c, retv, inlen, c->start_delay);
+ else if (strcmp(key, "lxc.start.order") == 0)
+ return lxc_get_conf_int(c, retv, inlen, c->start_order);
++ else if (strcmp(key, "lxc.start.unshare") == 0)
++ return lxc_get_conf_int(c, retv, inlen, c->start_unshare);
+ else if (strcmp(key, "lxc.group") == 0)
+ return lxc_get_item_groups(c, retv, inlen);
+ else if (strcmp(key, "lxc.seccomp") == 0)
+diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
+index 5207255..074fa57 100644
+--- a/src/lxc/lxccontainer.c
++++ b/src/lxc/lxccontainer.c
+@@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
+
+ conf->reboot = 0;
+
++ /* Unshare the mount namespace if requested */
++ if (conf->start_unshare) {
++ if (unshare(CLONE_NEWNS)) {
++ SYSERROR("failed to unshare mount namespace");
++ return false;
++ }
++ if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) {
++ SYSERROR("Failed to make / rslave at startup");
++ return false;
++ }
++ }
++
+ reboot:
+ if (lxc_check_inherited(conf, daemonize, -1)) {
+ ERROR("Inherited fds found");
+--
+2.1.4
+
projects / lxc.git / commitdiff