Don't propogate mounts out of ip (#882047)

2013-02-08 14:23:18 +01:00 · 2013-02-08 14:23:18 +01:00 · 39ececf662
commit 39ececf662
parent ddc0afbb45
2 changed files with 52 additions and 1 deletions
--- a/iproute.spec
+++ b/iproute.spec
@ -2,7 +2,7 @@
 Summary:            Advanced IP routing and network device configuration tools
 Name:               iproute
 Version:            3.7.0
-Release:            1%{?dist}
+Release:            2%{?dist}
 Group:              Applications/System
 URL:                http://kernel.org/pub/linux/utils/net/%{name}2/
 Source0:            http://kernel.org/pub/linux/utils/net/%{name}2/%{name}2-%{version}.tar.gz
@ -18,6 +18,7 @@ Patch6:             iproute2-example-cbq-service.patch
 Patch7:             iproute2-2.6.35-print-route.patch
 Patch8:             iproute2-2.6.39-create-peer-veth-without-a-name.patch
 Patch9:             iproute2-2.6.39-lnstat-dump-to-stdout.patch
 Patch10:            iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
 License:            GPLv2+ and Public Domain
 BuildRequires:      tex(latex) tex(dvips) tex(ecrm1000.tfm) tex(cm-super-t1.enc) linuxdoc-tools
 BuildRequires:      flex linux-atm-libs-devel psutils libdb-devel bison
@ -62,6 +63,7 @@ sed -i "s/_VERSION_/%{version}/" man/man8/ss.8
 %patch7 -p1 -b .print-route
 %patch8 -p1 -b .peer-veth-without-name
 %patch9 -p1 -b .lnstat-dump-to-stdout
 %patch10 -p1 -b .netns-mount
 %build
 export LIBDIR=/%{_libdir}
@ -171,6 +173,9 @@ done
 %{_includedir}/libnetlink.h
 %changelog
 * Fri Feb 08 2013 Petr Šabata <contyk@redhat.com> - 3.7.0-2
 - Don't propogate mounts out of ip (#882047)
 * Wed Dec 12 2012 Petr Šabata <contyk@redhat.com> - 3.7.0-1
 - 3.7.0 bump
--- a/iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
+++ b/iproute2-3.7.0-Don-t-propogate-mounts-out-of-ip.patch
@ -0,0 +1,46 @@
 From 144e6ce1679a768e987230efb4afa402a5ab58ac Mon Sep 17 00:00:00 2001
 From: "Eric W. Biederman" <ebiederm@xmission.com>
 Date: Thu, 17 Jan 2013 14:45:33 +0000
 Subject: [PATCH] iproute2: Don't propogate mounts out of ip
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Some systems are now following the advice in
 linux/Documentation/sharedsubtrees.txt and running with all mount
 points shared between all mount namespaces by default.
 After creating the mount namespace call mount on / with
 MS_SLAVE|MS_REC to modify all mounts in the new mount namespace to
 slave mounts if they are shared or private mounts otherwise.
 Guarnateeing that changes to the mount namespace created with
 "ip netns exec" don't propgate to other namespaces.
 Reported-by: Petr Šabata <contyk@redhat.com>
 Tested-by: Petr Šabata <contyk@redhat.com>
 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
 Signed-off-by: Petr Šabata <contyk@redhat.com>
 ---
 ip/ipnetns.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/ip/ipnetns.c b/ip/ipnetns.c
 index e41a598..f2c42ba 100644
 --- a/ip/ipnetns.c
 +++ b/ip/ipnetns.c
@@ -152,6 +152,12 @@ static int netns_exec(int argc, char **argv)
 		fprintf(stderr, "unshare failed: %s\n", strerror(errno));
 		return -1;
 	}
 +	/* Don't let any mounts propogate back to the parent */
 +	if (mount("", "/", "none", MS_SLAVE | MS_REC, NULL)) {
 +		fprintf(stderr, "mount --make-rslave / failed: %s\n",
 +			strerror(errno));
 +		return -1;
 +	}
 	/* Mount a version of /sys that describes the network namespace */
 	if (umount2("/sys", MNT_DETACH) < 0) {
 		fprintf(stderr, "umount of /sys failed: %s\n", strerror(errno));
 -- 
 1.8.1