From b83d6f7421e3788bb8e7bf127075641a01e7cef5 Mon Sep 17 00:00:00 2001
From: Eli Zrihen <ezrihen@gmail.com>
Date: Tue, 20 Jul 2021 15:45:58 +0300
Subject: [PATCH] Renaming use_switchroot option with no_pivotroot

---
 cmdline.cc   | 6 +++---
 config.cc    | 2 +-
 config.proto | 2 +-
 mnt.cc       | 4 ++--
 nsjail.h     | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/cmdline.cc b/cmdline.cc
index 26626ba..2f96a85 100644
--- a/cmdline.cc
+++ b/cmdline.cc
@@ -76,7 +76,7 @@ struct custom_option custom_opts[] = {
     { { "exec_file", required_argument, NULL, 'x' }, "File to exec (default: argv[0])" },
     { { "execute_fd", no_argument, NULL, 0x0607 }, "Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing" },
     { { "chroot", required_argument, NULL, 'c' }, "Directory containing / of the jail (default: none)" },
-    { { "use_switchroot", no_argument, NULL, 0x600 }, "When creating a mount namespace, use switch_root rather then pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration" },
+    { { "no_pivotroot", no_argument, NULL, 0x600 }, "When creating a mount namespace, use mount(MS_MOVE) and chroot rather than pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration" },
     { { "rw", no_argument, NULL, 0x601 }, "Mount chroot dir (/) R/W (default: R/O)" },
     { { "user", required_argument, NULL, 'u' }, "Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times" },
     { { "group", required_argument, NULL, 'g' }, "Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times" },
@@ -432,7 +432,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 	nsjconf->clone_newnet = true;
 	nsjconf->clone_newuser = true;
 	nsjconf->clone_newns = true;
-	nsjconf->use_switchroot = false;
+	nsjconf->no_pivotroot = false;
 	nsjconf->clone_newpid = true;
 	nsjconf->clone_newipc = true;
 	nsjconf->clone_newuts = true;
@@ -651,7 +651,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 			nsjconf->caps.push_back(cap);
 		} break;
 		case 0x0600:
-			nsjconf->use_switchroot = true;
+			nsjconf->no_pivotroot = true;
 			break;
 		case 0x0601:
 			nsjconf->is_root_rw = true;
diff --git a/config.cc b/config.cc
index 9c4cf73..ae1370c 100644
--- a/config.cc
+++ b/config.cc
@@ -185,7 +185,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
 	nsjconf->clone_newcgroup = njc.clone_newcgroup();
 	nsjconf->clone_newtime = njc.clone_newtime();
 	
-	nsjconf->use_switchroot = njc.use_switchroot();
+	nsjconf->no_pivotroot = njc.no_pivotroot();
 
 	for (ssize_t i = 0; i < njc.uidmap_size(); i++) {
 		if (!user::parseId(nsjconf, njc.uidmap(i).inside_id(), njc.uidmap(i).outside_id(),
diff --git a/config.proto b/config.proto
index 31f8342..4f51174 100644
--- a/config.proto
+++ b/config.proto
@@ -87,7 +87,7 @@ message NsJailConfig {
     optional string cwd = 9 [default = "/"];
 
     /* Defines whether to use switch_root or pivot_root */
-    optional bool use_switchroot = 88  [default = false];
+    optional bool no_pivotroot = 88  [default = false];
     
     /* TCP port to listen to. Valid with mode=LISTEN only */
     optional uint32 port = 10 [default = 0];
diff --git a/mnt.cc b/mnt.cc
index 413c9c6..f7290e0 100644
--- a/mnt.cc
+++ b/mnt.cc
@@ -399,7 +399,7 @@ static bool initCloneNs(nsjconf_t* nsjconf) {
 		return false;
 	}
 	
-    if (!nsjconf->use_switchroot) {
+    if (!nsjconf->no_pivotroot) {
         /*
         * This requires some explanation: It's actually possible to pivot_root('/', '/').
         * After this operation has been completed, the old root is mounted over the new
@@ -435,7 +435,7 @@ static bool initCloneNs(nsjconf_t* nsjconf) {
         * and using setns to re-enter the mount namespace.
         */
        	LOG_W(
-			    "Using switch_root is escapable when user posseses relevant capabilities, "
+			    "Using no_pivotroot is escapable when user posseses relevant capabilities, "
 			    "Use it with care!"
         );
 		
diff --git a/nsjail.h b/nsjail.h
index 75acc1f..a808df4 100644
--- a/nsjail.h
+++ b/nsjail.h
@@ -120,7 +120,7 @@ struct nsjconf_t {
 	bool clone_newnet;
 	bool clone_newuser;
 	bool clone_newns;
-	bool use_switchroot;
+	bool no_pivotroot;
 	bool clone_newpid;
 	bool clone_newipc;
 	bool clone_newuts;