Don't mount over / if pivot_root_only is enabled
The intention behind pivot_root_only is to support nested user namespaces. However, if we bind mount over /, which happens by default, the kernel will deny CLONE_NEWUSER.
This commit is contained in:
parent
c647ebb74f
commit
cf4f197684
6
mount.c
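--- a/mount.c
+++ b/mount.c
@@ -203,6 +203,12 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
 
 struct mounts_t *p;
 TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
+// The intention behind pivot_root_only is to allow creating
+// nested usernamespaces. If we bind mount over /, the kernel
+// will see the process as chrooted and deny CLONE_NEWUSER.
+if (nsjconf->pivot_root_only && strcmp(p->dst, "/") == 0) {
+continue;
+}
 char dst[PATH_MAX];
 snprintf(dst, sizeof(dst), "%s/%s", newrootdir, p->dst);
 if (mountMount(nsjconf, p, "/old_root", dst) == false) {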
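Review bot: The new `continue` after the `strcmp(p->dst, "/") == 0` check drops a mount entry the user explicitly configured without leaving any trace, so a config that relied on bind-mounting something onto `/` will silently run on the pivoted root instead; emit a log line before skipping, e.g. `LOG_W("pivot_root_only is set, not mounting over '/'");` (or whichever log macro this file uses), so the resulting sandbox layout is visible to the operator. The check is also an exact string match, so a destination written as `//` or `/.` would presumably still be mounted over the new root and trip the same CLONE_NEWUSER denial described in the comment — worth confirming whether `p->dst` is normalized at config-parse time, and if not, comparing against the path the `snprintf` below produces. mountInitNsInternal starts and ends outside the hunk.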