Pablo, Florian, could you please provide comments on this?

On 09.04.2018 19:55, Kirill Tkhai wrote:
> In CRIU and LXC-restore we met the situation,
> when iptables in container can't be restored
> because of permission denied:
> 
> https://github.com/checkpoint-restore/criu/issues/469
> 
> Containers want to restore their own net ns,
> while they may have no their own mnt ns.
> This case they share host's /run/xtables.lock
> file, but they may not have permission to open
> it.
> 
> Patch makes /run/xtables.lock to be per-namespace,
> i.e., to refer to the caller task's net ns.
> 
> What you think?
> 
> Thanks,
> Kirill
> 
> Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com>
> ---
>  iptables/xshared.c |    7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/iptables/xshared.c b/iptables/xshared.c
> index 06db72d4..b6dbe4e7 100644
> --- a/iptables/xshared.c
> +++ b/iptables/xshared.c
> @@ -254,7 +254,12 @@ static int xtables_lock(int wait, struct timeval 
> *wait_interval)
>       time_left.tv_sec = wait;
>       time_left.tv_usec = 0;
>  
> -     fd = open(XT_LOCK_NAME, O_CREAT, 0600);
> +     if (symlink("/proc/self/ns/net", XT_LOCK_NAME) != 0 &&
> +         errno != EEXIST) {
> +             fprintf(stderr, "Fatal: can't create lock file\n");
> +             return XT_LOCK_FAILED;
> +     }
> +     fd = open(XT_LOCK_NAME, O_RDONLY);
>       if (fd < 0) {
>               fprintf(stderr, "Fatal: can't open lock file %s: %s\n",
>                       XT_LOCK_NAME, strerror(errno));
> 

Reply via email to