From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-vk0-f68.google.com ([209.85.213.68]:37445 "EHLO mail-vk0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725892AbeHQBSD (ORCPT ); Thu, 16 Aug 2018 21:18:03 -0400
Received: by mail-vk0-f68.google.com with SMTP id v72-v6so2239986vkd.4 for ; Thu, 16 Aug 2018 15:17:10 -0700 (PDT)
MIME-Version: 1.0
References: <20180816073407.12567-1-avagin@openvz.org>
In-Reply-To: <20180816073407.12567-1-avagin@openvz.org>
From: Andrei Vagin
Date: Thu, 16 Aug 2018 15:16:58 -0700
Message-ID:
Subject: Re: [PATCH dhowells/mount-api] proc: set a proper user namespace for fs_context
To: David Howells
Cc: linux-fsdevel
Content-Type: text/plain; charset="UTF-8"
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

Hi David,

I reported this problem about a month ago when patches were not in the linux-next. Now they are there and we can't run CRIU tests, because it is impossible to mount /proc in a container.

[root@fc24 ~]# strace unshare -Urnm --mount-proc true
unshare(CLONE_NEWNS|CLONE_NEWNET|CLONE_NEWUSER) = 0
openat(AT_FDCWD, "/proc/self/setgroups", O_WRONLY) = 3
write(3, "deny", 4) = 4
close(3) = 0
openat(AT_FDCWD, "/proc/self/uid_map", O_WRONLY) = 3
write(3, "0 0 1", 5) = 5
close(3) = 0
openat(AT_FDCWD, "/proc/self/gid_map", O_WRONLY) = 3
write(3, "0 0 1", 5) = 5
close(3) = 0
mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
mount("none", "/proc", NULL, MS_REC|MS_PRIVATE, NULL) = 0
mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EBUSY (Device or resource busy)

https://travis-ci.org/avagin/linux/jobs/416641093

Thanks,
Andrei

On Thu, Aug 16, 2018 at 12:34 AM Andrei Vagin wrote:
>
> A user namespace should be taken from a pidns for which a procfs is created.
>
> Signed-off-by: Andrei Vagin
> --- > fs/proc/root.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/fs/proc/root.c b/fs/proc/root.c > index 1d6e5bfa30cc..1419b48a89ab 100644 > --- a/fs/proc/root.c 
> +++ b/fs/proc/root.c > @@ -315,6 +315,11 @@ int pid_ns_prepare_proc(struct pid_namespace *ns) > if (IS_ERR(fc)) > return PTR_ERR(fc); > > + if (fc->user_ns != ns->user_ns) { > + put_user_ns(fc->user_ns); > + fc->user_ns = get_user_ns(ns->user_ns); > + } > + > ctx = fc->fs_private; > if (ctx->pid_ns != ns) { > put_pid_ns(ctx->pid_ns); > -- > 2.17.1 >
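
Review bot: The added block in pid_ns_prepare_proc() that replaces fc->user_ns with ns->user_ns carries no comment, and the one-line changelog does not record what fails without it. Please add a short comment above `if (fc->user_ns != ns->user_ns) {` saying that the context's user namespace has to be the one belonging to the pid namespace the procfs instance is created for, and move the failure shown in the reply (mount("proc", "/proc", "proc", ...) returning EBUSY after unshare -Urnm --mount-proc) into the commit message so the reason for the fix travels with it. The put_user_ns() before get_user_ns() order is fine here, since the guard ensures the two namespaces differ, and it follows the same guard-then-put shape as the ctx->pid_ns block just below.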