fix by ignoring EINVAL on remount of proc
cherry-pick from: 0b7633309620df26f57673682eca33806b3826e7
parent
a41a63be62
commit
a157a9ab24
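--- /dev/null
+++ b/backport-fix-by-ignoring-EINVAL-on-remount-of-proc.patch
@@ -0,0 +1,40 @@
+From 1961dccea09176a401bc8fc5e1769ab426308314 Mon Sep 17 00:00:00 2001
+From: benaryorg <binary@benary.org>
+Date: Fri, 4 Jun 2021 12:34:52 +0000
+Subject: [PATCH] fix #648 by ignoring EINVAL on-remount of proc
+
+When using --mount-proc=/some/path then unshare fails if the path provided is not already mounted due to the mount(2) call to change the propagation of the mount.
+In such a case mount(2) returns EINVAL, which however is used for a variety of other errors.
+If this error is ignored mistakenly the effects however should be neglible since:
+
+1. the mount of proc afterwards happens regardless, errors of which are not ignored
+2. the propagation change of root uses MS_REC, which shold already change the propagation of all mounts recursively
+
+Furthermore /proc is not touched if --mount-proc specifies a different mount point.
+This should not cause too much unexpected behaviour due to point 2 from above in any case.
+Specifying --mount-proc with a different path also means that unshare(3) is not instructed to touch /proc, thus /proc not being touched should not be unexpected.
+As a side note, if unshare is called with /proc as an (implicit) parameter to --mount-proc then /proc is a stacked mount, meaning if /proc is unmounted it in the namespace the host /proc is visible again, thus not touching /proc with a different parameter does not constitute more information leakage than the alternative, quite contary it may even be the desired behaviour.
+
+Signed-off-by: benaryorg <binary@benary.org>
+---
+sys-utils/unshare.c | 7 +++++--
+1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
+index e5627d3c64..820691ba35 100644
+--- a/sys-utils/unshare.c
++++ b/sys-utils/unshare.c
+@@ -650,8 +650,11 @@ int main(int argc, char *argv[])
+err(EXIT_FAILURE, _("cannot chdir to '%s'"), newdir);
+
+if (procmnt) {
+- if (!newroot && mount("none", procmnt, NULL, MS_PRIVATE|MS_REC, NULL) != 0)
+- err(EXIT_FAILURE, _("cannot change %s filesystem propagation"), procmnt);
++ if (!newroot && mount("none", procmnt, NULL, MS_PRIVATE|MS_REC, NULL))
++ /* custom procmnt means that proc is very likely not mounted, causing EINVAL
++ ignoring the error in this specific instance is safe */
++ if(errno != EINVAL)
++ err(EXIT_FAILURE, _("cannot change %s filesystem propagation"), procmnt);
+if (mount("proc", procmnt, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL) != 0)
+err(EXIT_FAILURE, _("mount %s failed"), procmnt);
+}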
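Review bot: The EINVAL exemption at `if(errno != EINVAL)` applies to every procmnt value, including the default /proc where the target is expected to be a mount point already, so a MS_PRIVATE|MS_REC change that fails with EINVAL for any other reason is now silent and the proc mount proceeds on whatever propagation the target already has. The patch message relies on the earlier recursive propagation change of root to cover that case; that code is outside the hunk, so it should be confirmed that it runs on every path that reaches this block. Emitting a `warn()` before continuing on EINVAL would keep the skipped propagation change visible to the operator instead of dropping it without trace. As a matter of style, the nested unbraced `if` with a comment between the two conditions is fragile; folding it into one test, `if (!newroot && mount("none", procmnt, NULL, MS_PRIVATE|MS_REC, NULL) != 0 && errno != EINVAL)`, keeps the short-circuit order so errno is read only after mount() has failed. main() begins before and continues after the hunk.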
@ -24,16 +24,18 @@ Patch6002: backport-CVE-2021-3996.patch
|
||||
Patch6003: realloc-buffer-when-header-size-changed.patch
|
||||
Patch6004: fix-size-use-for-stdin.patch
|
||||
Patch6005: segmentation-fault-on-invalid-unicode-input-passed-to-s-option.patch
|
||||
Patch6006: backport-su-bash-completion-offer-usernames-rather-than-files.patch
|
||||
Patch6007: backport-Fix-memory-leaks-in-the-chcpu.patch
|
||||
Patch6008: backport-logger-fix-prio-prefix-doesn-t-use-priority-default.patch
|
||||
Patch6009: backport-vipw-flush-stdout-before-getting-answer.patch
|
||||
Patch6010: backport-login-Restore-tty-size-after-calling-vhangup.patch
|
||||
Patch6011: backport-Forward-value-of-sector_size-instead-of-its-address.patch
|
||||
Patch6012: backport-libfdisk-dereference-of-possibly-NULL-gcc-analyzer.patch
|
||||
Patch6013: backport-libfdisk-check-calloc-return-gcc-analyzer.patch
|
||||
Patch6014: backport-mcookie-fix-infinite-loop-when-use-f.patch
|
||||
Patch6015: backport-sfdisk-write-empty-label-also-when-only-ignored-part.patch
|
||||
Patch6006: backport-fix-by-ignoring-EINVAL-on-remount-of-proc.patch
|
||||
Patch6007: backport-su-bash-completion-offer-usernames-rather-than-files.patch
|
||||
Patch6008: backport-Fix-memory-leaks-in-the-chcpu.patch
|
||||
Patch6009: backport-logger-fix-prio-prefix-doesn-t-use-priority-default.patch
|
||||
Patch6010: backport-vipw-flush-stdout-before-getting-answer.patch
|
||||
Patch6011: backport-login-Restore-tty-size-after-calling-vhangup.patch
|
||||
Patch6012: backport-Forward-value-of-sector_size-instead-of-its-address.patch
|
||||
Patch6013: backport-libfdisk-dereference-of-possibly-NULL-gcc-analyzer.patch
|
||||
Patch6014: backport-libfdisk-check-calloc-return-gcc-analyzer.patch
|
||||
Patch6015: backport-mcookie-fix-infinite-loop-when-use-f.patch
|
||||
Patch6016: backport-sfdisk-write-empty-label-also-when-only-ignored-part.patch
|
||||
|
||||
|
||||
Patch9000: Add-check-to-resolve-uname26-version-test-failed.patch
|
||||
Patch9001: SKIPPED-no-root-permissions-test.patch
|
||||
@ -411,7 +413,7 @@ fi
|
||||
- Type:bugfix
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:Sync community patches
|
||||
- DESC:fix by ignoring EINVAL on remount of proc
|
||||
|
||||
* Fri Feb 18 2022 shangyibin<shangyibin1@h-partners.com> - 2.37.2-4
|
||||
- Type:bugfix
|
||||
|
||||