Don't propogate mounts out of ip (#882047)

2013-02-08 14:23:18 +01:00 · 2013-02-08 14:23:18 +01:00 · 39ececf662
commit 39ececf662
parent ddc0afbb45
2 changed files with 52 additions and 1 deletions
--- a/iproute.spec
+++ b/iproute.spec
@ -2,7 +2,7 @@
 Summary:            Advanced IP routing and network device configuration tools
 Name:               iproute
 Version:            3.7.0
-Release:            1%{?dist}
+Release:            2%{?dist}
 Group:              Applications/System
 URL:                http://kernel.org/pub/linux/utils/net/%{name}2/
 Source0:            http://kernel.org/pub/linux/utils/net/%{name}2/%{name}2-%{version}.tar.gz
@ -18,6 +18,7 @@ Patch6:             iproute2-example-cbq-service.patch
 Patch7:             iproute2-2.6.35-print-route.patch
 Patch8:             iproute2-2.6.39-create-peer-veth-without-a-name.patch
 Patch9:             iproute2-2.6.39-lnstat-dump-to-stdout.patch
+Patch10:            iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
 License:            GPLv2+ and Public Domain
 BuildRequires:      tex(latex) tex(dvips) tex(ecrm1000.tfm) tex(cm-super-t1.enc) linuxdoc-tools
 BuildRequires:      flex linux-atm-libs-devel psutils libdb-devel bison
@ -62,6 +63,7 @@ sed -i "s/_VERSION_/%{version}/" man/man8/ss.8
 %patch7 -p1 -b .print-route
 %patch8 -p1 -b .peer-veth-without-name
 %patch9 -p1 -b .lnstat-dump-to-stdout
+%patch10 -p1 -b .netns-mount

 %build
 export LIBDIR=/%{_libdir}
@ -171,6 +173,9 @@ done
 %{_includedir}/libnetlink.h

 %changelog
+* Fri Feb 08 2013 Petr Šabata <contyk@redhat.com> - 3.7.0-2
+- Don't propogate mounts out of ip (#882047)
+
 * Wed Dec 12 2012 Petr Šabata <contyk@redhat.com> - 3.7.0-1
 - 3.7.0 bump

--- a/iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
+++ b/iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
@ -0,0 +1,46 @@
+From 144e6ce1679a768e987230efb4afa402a5ab58ac Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Thu, 17 Jan 2013 14:45:33 +0000
+Subject: [PATCH] iproute2: Don't propogate mounts out of ip
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some systems are now following the advice in
+linux/Documentation/sharedsubtrees.txt and running with all mount
+points shared between all mount namespaces by default.
+
+After creating the mount namespace call mount on / with
+MS_SLAVE|MS_REC to modify all mounts in the new mount namespace to
+slave mounts if they are shared or private mounts otherwise.
+Guarnateeing that changes to the mount namespace created with
+"ip netns exec" don't propgate to other namespaces.
+
+Reported-by: Petr Šabata <contyk@redhat.com>
+Tested-by: Petr Šabata <contyk@redhat.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Petr Šabata <contyk@redhat.com>
+---
+ ip/ipnetns.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ip/ipnetns.c b/ip/ipnetns.c
+index e41a598..f2c42ba 100644
+--- a/ip/ipnetns.c
+++ b/ip/ipnetns.c
+@@ -152,6 +152,12 @@ static int netns_exec(int argc, char **argv)
+ 		fprintf(stderr, "unshare failed: %s\n", strerror(errno));
+ 		return -1;
+ 	}
+	/* Don't let any mounts propogate back to the parent */
+	if (mount("", "/", "none", MS_SLAVE | MS_REC, NULL)) {
+		fprintf(stderr, "mount --make-rslave / failed: %s\n",
+			strerror(errno));
+		return -1;
+	}
+ 	/* Mount a version of /sys that describes the network namespace */
+ 	if (umount2("/sys", MNT_DETACH) < 0) {
+ 		fprintf(stderr, "umount of /sys failed: %s\n", strerror(errno));
+-- 
+1.8.1
+