From 39ececf66238ab3a02576a4af30b4f724ca011a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0abata?=
Date: Fri, 8 Feb 2013 14:23:18 +0100
Subject: [PATCH] Don't propogate mounts out of ip (#882047)
---
 iproute.spec | 7 ++-
 ...7.0-Don-t-propogate-mounts-out-of-ip.patch | 46 +++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
diff --git a/iproute.spec b/iproute.spec
index 832be2f..6d64599 100644
--- a/iproute.spec
+++ b/iproute.spec
@@ -2,7 +2,7 @@
 Summary: Advanced IP routing and network device configuration tools
 Name: iproute
 Version: 3.7.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 URL: http://kernel.org/pub/linux/utils/net/%{name}2/
 Source0: http://kernel.org/pub/linux/utils/net/%{name}2/%{name}2-%{version}.tar.gz
@@ -18,6 +18,7 @@ Patch6: iproute2-example-cbq-service.patch
 Patch7: iproute2-2.6.35-print-route.patch
 Patch8: iproute2-2.6.39-create-peer-veth-without-a-name.patch
 Patch9: iproute2-2.6.39-lnstat-dump-to-stdout.patch
+Patch10: iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
 License: GPLv2+ and Public Domain
 BuildRequires: tex(latex) tex(dvips) tex(ecrm1000.tfm) tex(cm-super-t1.enc) linuxdoc-tools
 BuildRequires: flex linux-atm-libs-devel psutils libdb-devel bison
@@ -62,6 +63,7 @@ sed -i "s/_VERSION_/%{version}/" man/man8/ss.8
 %patch7 -p1 -b .print-route
 %patch8 -p1 -b .peer-veth-without-name
 %patch9 -p1 -b .lnstat-dump-to-stdout
+%patch10 -p1 -b .netns-mount
 
 %build
 export LIBDIR=/%{_libdir}
@@ -171,6 +173,9 @@ done
 %{_includedir}/libnetlink.h
 
 %changelog
+* Fri Feb 08 2013 Petr Šabata - 3.7.0-2
+- Don't propogate mounts out of ip (#882047)
+
 * Wed Dec 12 2012 Petr Šabata - 3.7.0-1
 - 3.7.0 bump
 
diff --git a/iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch b/iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
new file mode 100644
index 0000000..c2d4b3f
--- /dev/null
+++ b/iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
@@ -0,0 +1,46 @@
+From 144e6ce1679a768e987230efb4afa402a5ab58ac Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Thu, 17 Jan 2013 14:45:33 +0000
+Subject: [PATCH] iproute2: Don't propogate mounts out of ip
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some systems are now following the advice in
+linux/Documentation/sharedsubtrees.txt and running with all mount
+points shared between all mount namespaces by default.
+
+After creating the mount namespace call mount on / with
+MS_SLAVE|MS_REC to modify all mounts in the new mount namespace to
+slave mounts if they are shared or private mounts otherwise.
+Guarnateeing that changes to the mount namespace created with
+"ip netns exec" don't propgate to other namespaces.
+
+Reported-by: Petr Šabata
+Tested-by: Petr Šabata
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Petr Šabata
+---
+ ip/ipnetns.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ip/ipnetns.c b/ip/ipnetns.c
+index e41a598..f2c42ba 100644
+--- a/ip/ipnetns.c
++++ b/ip/ipnetns.c
+@@ -152,6 +152,12 @@ static int netns_exec(int argc, char **argv)
+ fprintf(stderr, "unshare failed: %s\n", strerror(errno));
+ return -1;
+ }
++ /* Don't let any mounts propogate back to the parent */
++ if (mount("", "/", "none", MS_SLAVE | MS_REC, NULL)) {
++ fprintf(stderr, "mount --make-rslave / failed: %s\n",
++ strerror(errno));
++ return -1;
++ }
+ /* Mount a version of /sys that describes the network namespace */
+ if (umount2("/sys", MNT_DETACH) < 0) {
+ fprintf(stderr, "umount of /sys failed: %s\n", strerror(errno));
+--
+1.8.1
+
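Review bot: The new mount() check in the embedded ip/ipnetns.c hunk tests the bare return value, while the adjacent `umount2("/sys", MNT_DETACH) < 0` check in the same function compares against zero explicitly; for consistency the added line should read `if (mount("", "/", "none", MS_SLAVE | MS_REC, NULL) < 0) {`. The comment on the preceding added line misspells its key word and should be `/* Don't let any mounts propagate back to the parent */`; the same misspelling is repeated in the embedded patch subject, the outer commit subject and the iproute.spec changelog entry, so it is worth correcting once before the patch file is committed. The comment would also be more useful if it said why the call is needed, which the patch description already explains: on a system whose mounts are shared by default, the /sys replacement done just below would otherwise propagate out of the namespace created by unshare(CLONE_NEWNS), so something like `/* Make every mount in the new namespace a slave so the /sys replacement below cannot propagate back to the parent */` carries that reasoning into the code. netns_exec begins and ends outside this hunk.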