mount: apply superblock flags from the userns daemon

Superblock flags can be changed only an owner of the global CAP_SYS_ADMIN. But it is posible to mount tmpfs with any flags. travis-ci: success for Fix a few issues to dump/restore Docker containers with userns Signed-off-by: Andrei Vagin <avagin@virtuozzo.com> Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>
2025-08-30 05:48:05 +00:00 · 2016-10-26 23:55:23 +03:00 · 2016-10-26 23:55:23 +03:00 · c64ebbcc44
commit c64ebbcc44
parent 5cb1ce94fe
1 changed files with 38 additions and 3 deletions
--- a/criu/mount.c
+++ b/criu/mount.c
@ -1686,6 +1686,27 @@ static char *mnt_fsname(struct mount_info *mi)
 	return mi->fstype->name;
 }

+static int apply_sb_flags(void *args, int fd, pid_t pid)
+{
+	int rst = -1, err = -1;
+	long flags = *(int *) args;
+	char path[PSFDS];
+
+	snprintf(path, sizeof(path), "/proc/self/fd/%d", fd);
+
+	if (pid != getpid() && switch_ns(pid, &mnt_ns_desc, &rst))
+		return -1;
+
+	err = mount(NULL, path, NULL, MS_REMOUNT | flags, NULL);
+	if (err)
+		pr_perror("Unable to remount %s", path);
+
+	if (rst >= 0 &&	restore_ns(rst, &mnt_ns_desc))
+		return -1;
+
+	return err;
+}
+
 static int do_new_mount(struct mount_info *mi)
 {
 	unsigned long sflags = mi->sb_flags;
@ -1726,9 +1747,23 @@ static int do_new_mount(struct mount_info *mi)
 	}

 	if (!mi->is_ns_root && !mi->external && remount_ro) {
-				     MS_REMOUNT | MS_RDONLY, NULL)) {
-		pr_perror("Unable to apply mount options");
-		return -1;
+		int fd;
+
+		fd = open(mi->mountpoint, O_PATH);
+		if (fd < 0) {
+			pr_perror("Unable to open %s\n", mi->mountpoint);
+			return -1;
+		}
+
+		sflags |= MS_RDONLY;
+		if (userns_call(apply_sb_flags, 0,
+				&sflags, sizeof(int), fd)) {
+			pr_perror("Unable to apply mount falgs %d for %s",
+						mi->sb_flags, mi->mountpoint);
+			close(fd);
+			return -1;
+		}
+		close(fd);
 	}

 	if (mflags && mount(NULL, mi->mountpoint, NULL,