[v2] Allow for unprivileged nested containers

Message ID xnlf1p3v6v.fsf@greed.delorie.com
State Superseded
Series [v2] Allow for unprivileged nested containers

Checks

Context Check Description
dj/TryBot-apply_patch success Patch applied to master at the time it was sent
dj/TryBot-32bit success Build for i686

Commit Message

DJ Delorie Nov. 15, 2021, 10:34 p.m. UTC
That got us part of the way; mounting /proc seems to be special because
it has stuff mounted under it.  Adding MS_REC (recursive?) got us the
rest of the way, and doesn't seem to interfere with the other
trymounts.

Patch

diff --git a/support/test-container.c b/support/test-container.c
index 94498d39019..9b34a32cee6 100644
--- a/support/test-container.c
+++ b/support/test-container.c
@@ -231,7 +231,7 @@  concat (const char *str, ...)
 static void
 trymount (const char *src, const char *dest)
 {
-  if (mount (src, dest, "", MS_BIND, NULL) < 0)
+  if (mount (src, dest, "", MS_BIND|MS_REC, NULL) < 0)
     FAIL_EXIT1 ("can't mount %s onto %s\n", src, dest);
 }
 
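Review bot: adding MS_REC inside trymount makes every bind mount recursive, not only the one for /proc, so anything mounted below support_srcdir_root or support_objdir_root on the host (a tmpfs or network mount under the build tree, say) is now pulled into the container as well. The commit message says this does not interfere with the other trymount calls, but only /proc needs it, so consider passing the flags as a parameter, e.g. `trymount (const char *src, const char *dest, unsigned long flags)`, and using `MS_BIND|MS_REC` only for the /proc call, so the source and object directory mounts stay as narrow as they were.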
@@ -1094,6 +1094,14 @@  main (int argc, char **argv)
   trymount (support_srcdir_root, new_srcdir_path);
   trymount (support_objdir_root, new_objdir_path);
 
+  /* It may not be possible to mount /proc directly.  */
+  {
+    char *new_proc = concat (new_root_path, "/proc", NULL);
+    xmkdirp (new_proc, 0755);
+    trymount ("/proc", new_proc);
+    free (new_proc);
+  }
+
   xmkdirp (concat (new_root_path, "/dev", NULL), 0755);
   devmount (new_root_path, "null");
   devmount (new_root_path, "zero");
@@ -1163,11 +1171,6 @@  main (int argc, char **argv)
 
   maybe_xmkdir ("/tmp", 0755);
 
-  /* Now that we're pid 1 (effectively "root") we can mount /proc  */
-  maybe_xmkdir ("/proc", 0777);
-  if (mount ("proc", "/proc", "proc", 0, NULL) < 0)
-    FAIL_EXIT1 ("Unable to mount /proc: ");
-
   /* We map our original UID to the same UID in the container so we
      can own our own files normally.  */
   UMAP = open ("/proc/self/uid_map", O_WRONLY);
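Review bot: removing `mount ("proc", "/proc", "proc", 0, NULL)` drops the procfs that was mounted from inside the container's own PID namespace; the deleted comment ("Now that we're pid 1 ... we can mount /proc") shows that ordering was deliberate. The `open ("/proc/self/uid_map", O_WRONLY)` that follows still resolves, because the process also has a pid in the outer namespace whose procfs is now bind-mounted at /proc, but that dependency is no longer visible in the code; a comment above the open, and a note in the commit message that the container's /proc is now the host's view, would make it explicit. Dropping `maybe_xmkdir ("/proc", 0777)` is a welcome side effect, since a world-writable mount point was never needed.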