From 144e6ce1679a768e987230efb4afa402a5ab58ac Mon Sep 17 00:00:00 2001
|
|
From: "Eric W. Biederman" <ebiederm@xmission.com>
|
|
Date: Thu, 17 Jan 2013 14:45:33 +0000
|
|
Subject: [PATCH] iproute2: Don't propogate mounts out of ip
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Some systems are now following the advice in
|
|
linux/Documentation/sharedsubtrees.txt and running with all mount
|
|
points shared between all mount namespaces by default.
|
|
|
|
After creating the mount namespace call mount on / with
|
|
MS_SLAVE|MS_REC to modify all mounts in the new mount namespace to
|
|
slave mounts if they are shared or private mounts otherwise.
|
|
Guaranteeing that changes to the mount namespace created with
|
|
"ip netns exec" don't propagate to other namespaces.
|
|
|
|
Reported-by: Petr Šabata <contyk@redhat.com>
|
|
Tested-by: Petr Šabata <contyk@redhat.com>
|
|
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
|
Signed-off-by: Petr Šabata <contyk@redhat.com>
|
|
---
|
|
ip/ipnetns.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/ip/ipnetns.c b/ip/ipnetns.c
|
|
index e41a598..f2c42ba 100644
|
|
--- a/ip/ipnetns.c
|
|
+++ b/ip/ipnetns.c
|
|
@@ -152,6 +152,12 @@ static int netns_exec(int argc, char **argv)
|
|
fprintf(stderr, "unshare failed: %s\n", strerror(errno));
|
|
return -1;
|
|
}
|
|
+ /* Don't let any mounts propogate back to the parent */
|
|
+ if (mount("", "/", "none", MS_SLAVE | MS_REC, NULL)) {
|
|
+ fprintf(stderr, "mount --make-rslave / failed: %s\n",
|
|
+ strerror(errno));
|
|
+ return -1;
|
|
+ }
|
|
/* Mount a version of /sys that describes the network namespace */
|
|
if (umount2("/sys", MNT_DETACH) < 0) {
|
|
fprintf(stderr, "umount of /sys failed: %s\n", strerror(errno));
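Review bot: The comment on the added mount() call understates why its position matters: on a system running with shared propagation, the `umount2("/sys", MNT_DETACH)` that follows would presumably also reach the parent namespace, so the rslave step has to come before any /sys handling. I would reword it to `/* Make every mount rslave before touching /sys, so the umount/mount below cannot propagate to the parent namespace */`, which also fixes the "propogate" spelling. MS_SLAVE still lets mount events from the parent flow into this namespace; if that one-way propagation is intended rather than MS_PRIVATE, the comment should say so, because readers tend to assume full isolation. The test `if (mount(...))` also differs from the `< 0` form used by the umount2() check just below it. netns_exec's body starts and ends outside the hunk.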
|
|
--
|
|
1.8.1
|
|
|