Renaming use_switchroot option with no_pivotroot

cmdline.cc

@@ -76,7 +76,7 @@ struct custom_option custom_opts[] = {
     { { "exec_file", required_argument, NULL, 'x' }, "File to exec (default: argv[0])" },
     { { "execute_fd", no_argument, NULL, 0x0607 }, "Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing" },
     { { "chroot", required_argument, NULL, 'c' }, "Directory containing / of the jail (default: none)" },
-    { { "use_switchroot", no_argument, NULL, 0x600 }, "When creating a mount namespace, use switch_root rather then pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration" },
+    { { "no_pivotroot", no_argument, NULL, 0x600 }, "When creating a mount namespace, use mount(MS_MOVE) and chroot rather than pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration" },
     { { "rw", no_argument, NULL, 0x601 }, "Mount chroot dir (/) R/W (default: R/O)" },
     { { "user", required_argument, NULL, 'u' }, "Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times" },
     { { "group", required_argument, NULL, 'g' }, "Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times" },
@@ -432,7 +432,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 	nsjconf->clone_newnet = true;
 	nsjconf->clone_newuser = true;
 	nsjconf->clone_newns = true;
-	nsjconf->use_switchroot = false;
+	nsjconf->no_pivotroot = false;
 	nsjconf->clone_newpid = true;
 	nsjconf->clone_newipc = true;
 	nsjconf->clone_newuts = true;
@@ -651,7 +651,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 			nsjconf->caps.push_back(cap);
 		} break;
 		case 0x0600:
-			nsjconf->use_switchroot = true;
+			nsjconf->no_pivotroot = true;
 			break;
 		case 0x0601:
 			nsjconf->is_root_rw = true;

config.cc

@@ -185,7 +185,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
 	nsjconf->clone_newcgroup = njc.clone_newcgroup();
 	nsjconf->clone_newtime = njc.clone_newtime();
 	
-	nsjconf->use_switchroot = njc.use_switchroot();
+	nsjconf->no_pivotroot = njc.no_pivotroot();
 
 	for (ssize_t i = 0; i < njc.uidmap_size(); i++) {
 		if (!user::parseId(nsjconf, njc.uidmap(i).inside_id(), njc.uidmap(i).outside_id(),

config.proto

@@ -87,7 +87,7 @@ message NsJailConfig {
     optional string cwd = 9 [default = "/"];
 
     /* Defines whether to use switch_root or pivot_root */
-    optional bool use_switchroot = 88  [default = false];
+    optional bool no_pivotroot = 88  [default = false];
     
     /* TCP port to listen to. Valid with mode=LISTEN only */
     optional uint32 port = 10 [default = 0];

mnt.cc

@@ -399,7 +399,7 @@ static bool initCloneNs(nsjconf_t* nsjconf) {
 		return false;
 	}
 	
-    if (!nsjconf->use_switchroot) {
+    if (!nsjconf->no_pivotroot) {
         /*
         * This requires some explanation: It's actually possible to pivot_root('/', '/').
         * After this operation has been completed, the old root is mounted over the new
@@ -435,7 +435,7 @@ static bool initCloneNs(nsjconf_t* nsjconf) {
         * and using setns to re-enter the mount namespace.
         */
        	LOG_W(
-			    "Using switch_root is escapable when user posseses relevant capabilities, "
+			    "Using no_pivotroot is escapable when user posseses relevant capabilities, "
 			    "Use it with care!"
         );
 		

nsjail.h

@@ -120,7 +120,7 @@ struct nsjconf_t {
 	bool clone_newnet;
 	bool clone_newuser;
 	bool clone_newns;
-	bool use_switchroot;
+	bool no_pivotroot;
 	bool clone_newpid;
 	bool clone_newipc;
 	bool clone_newuts;