From 46183cf8737d2b478923e16b545dce483c9b3d03 Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Thu, 10 Dec 2020 11:43:59 -0500
Subject: [PATCH] Ignore containers.conf sysctls when sharing namespaces

The existing code prevents containers.conf default sysctls from
being added if the container uses a host namespace. This patch
expands that to not just host namespaces, but also *shared*
namespaces - so we never modify another container's (or a pod's)
namespaces without being explicitly directed to do so by the
user.

Signed-off-by: Matthew Heon <mheon@redhat.com>
---
 pkg/specgen/generate/security.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/pkg/specgen/generate/security.go b/pkg/specgen/generate/security.go
index dee1402826..b69bd9091a 100644
--- a/pkg/specgen/generate/security.go
+++ b/pkg/specgen/generate/security.go
@@ -178,6 +178,10 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 
 	g.SetRootReadonly(s.ReadOnlyFilesystem)
 
+	noUseIPC := s.IpcNS.NSMode == specgen.FromContainer || s.IpcNS.NSMode == specgen.FromPod || s.IpcNS.NSMode == specgen.Host
+	noUseNet := s.NetNS.NSMode == specgen.FromContainer || s.NetNS.NSMode == specgen.FromPod || s.NetNS.NSMode == specgen.Host
+	noUseUTS := s.UtsNS.NSMode == specgen.FromContainer || s.UtsNS.NSMode == specgen.FromPod || s.UtsNS.NSMode == specgen.Host
+
 	// Add default sysctls
 	defaultSysctls, err := util.ValidateSysctls(rtc.Sysctls())
 	if err != nil {
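Review bot: The three `noUse*` expressions on the added lines enumerate the sharing modes by hand, so any other `NSMode` that joins a namespace this container does not own is silently treated as private and still receives the containers.conf sysctls; if `specgen` also has a join-by-path mode (something like `Path`, not visible in this hunk), it shares a foreign namespace just as `FromContainer` does and belongs in the same list. Hand-copying the same disjunction three times also invites the lists drifting apart when a mode is added later, so I would fold them into one helper over whatever type `s.IpcNS` has (presumably `specgen.Namespace`) and call it as `noUseIPC := sharesNamespace(s.IpcNS)` for all three. The name `noUse` says little; `sharedIPC`/`sharedNet`/`sharedUTS` would say what is actually being tested. `securityConfigureGenerator` starts before this hunk and continues past it.
```go
// sharesNamespace reports whether ns joins a namespace owned by the host,
// another container, or the pod - i.e. one whose sysctls this container
// must not touch unless the user asked for them explicitly.
func sharesNamespace(ns specgen.Namespace) bool {
	switch ns.NSMode {
	case specgen.FromContainer, specgen.FromPod, specgen.Host:
		return true
	}
	return false
}
```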
@@ -186,20 +190,20 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 	for sysctlKey, sysctlVal := range defaultSysctls {
 
 		// Ignore mqueue sysctls if --ipc=host
-		if s.IpcNS.IsHost() && strings.HasPrefix(sysctlKey, "fs.mqueue.") {
+		if noUseIPC && strings.HasPrefix(sysctlKey, "fs.mqueue.") {
 			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since IPC Namespace set to host", sysctlKey, sysctlVal)
 
 			continue
 		}
 
 		// Ignore net sysctls if --net=host
-		if s.NetNS.IsHost() && strings.HasPrefix(sysctlKey, "net.") {
+		if noUseNet && strings.HasPrefix(sysctlKey, "net.") {
 			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since Network Namespace set to host", sysctlKey, sysctlVal)
 			continue
 		}
 
 		// Ignore uts sysctls if --uts=host
-		if s.UtsNS.IsHost() && (strings.HasPrefix(sysctlKey, "kernel.domainname") || strings.HasPrefix(sysctlKey, "kernel.hostname")) {
+		if noUseUTS && (strings.HasPrefix(sysctlKey, "kernel.domainname") || strings.HasPrefix(sysctlKey, "kernel.hostname")) {
 			logrus.Infof("Sysctl %s=%s ignored in containers.conf, since UTS Namespace set to host", sysctlKey, sysctlVal)
 			continue
 		}
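Review bot: The comments and log messages around the three changed conditions still say the namespace is "set to host" (lines 36, 39, 44, 47, 51, 54), but the new `noUse*` guards also fire for `FromContainer` and `FromPod`, so a user running with `--ipc=container:foo` or inside a pod is told their IPC namespace is host when it is not - which is exactly the kind of message someone debugging a missing `fs.mqueue.*` setting will act on. I would make the messages report the actual mode, e.g. `logrus.Infof("Sysctl %s=%s ignored in containers.conf, since IPC Namespace is shared (mode %s)", sysctlKey, sysctlVal, s.IpcNS.NSMode)`, and likewise for the net and UTS branches, and reword the comments to `// Ignore mqueue sysctls if the IPC namespace is shared with the host, another container, or the pod`. Whether `NSMode` prints usefully with `%s` depends on its underlying type, which this hunk does not show. The `for sysctlKey, sysctlVal := range defaultSysctls` loop continues past the end of the hunk.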