Don't mount over / if pivot_root_only is enabled

The intention behind pivot_root_only is to support nested user
namespaces. However, if we bind mount over /, which happens by default,
the kernel will deny CLONE_NEWUSER.
Stephen Röttger 2016-09-25 15:48:58 +02:00 committed by Stephen Röttger
parent c647ebb74f
commit cf4f197684


@ -203,6 +203,12 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
struct mounts_t *p;
TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
// The intention behind pivot_root_only is to allow creating
// nested usernamespaces. If we bind mount over /, the kernel
// will see the process as chrooted and deny CLONE_NEWUSER.
if (nsjconf->pivot_root_only && strcmp(p->dst, "/") == 0) {
continue;
}
char dst[PATH_MAX];
snprintf(dst, sizeof(dst), "%s/%s", newrootdir, p->dst);
if (mountMount(nsjconf, p, "/old_root", dst) == false) {
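Review bot: The new guard `strcmp(p->dst, "/") == 0` matches only the literal string, so a destination spelled `//`, `/.` or `/./` still resolves to the new root and would be bind-mounted over /, which the comment above says makes the kernel deny CLONE_NEWUSER. Unless `p->dst` is normalised where mount points are parsed (not visible in this hunk), compare a canonicalised form of the path instead. The skip is also silent: with pivot_root_only set, a configured mount on / is dropped without any trace, so the jail can end up with a different root filesystem than the operator asked for. A warning before the `continue` would make that visible, e.g. `LOG_W("pivot_root_only: skipping mount over '/'");` if the project's logging macros are in scope here. The body of mountInitNsInternal starts and ends outside the hunk.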