
Merge pull request #10 from thaJeztah/17.06_backport_no_pivot_umount_…
…proc_sys

[17.06 backport] rootfs: umount all procfs and sysfs with --no-pivot
andrewhsu authored Mar 28, 2019
2 parents dbf862c + 04d40d6 commit 728371c
Showing 1 changed file with 39 additions and 0 deletions.
39 changes: 39 additions & 0 deletions libcontainer/rootfs_linux.go
@@ -707,9 +707,48 @@ func pivotRoot(rootfs string) error {
}

func msMoveRoot(rootfs string) error {
mountinfos, err := mount.GetMounts()
if err != nil {
return err
}

absRootfs, err := filepath.Abs(rootfs)
if err != nil {
return err
}

for _, info := range mountinfos {
p, err := filepath.Abs(info.Mountpoint)
if err != nil {
return err
}
// Umount every syfs and proc file systems, except those under the container rootfs
if (info.Fstype != "proc" && info.Fstype != "sysfs") || filepath.HasPrefix(p, absRootfs) {
continue
}
// Be sure umount events are not propagated to the host.
if err := syscall.Mount("", p, "", syscall.MS_SLAVE|syscall.MS_REC, ""); err != nil {
return err
}
if err := syscall.Unmount(p, syscall.MNT_DETACH); err != nil {
if err != syscall.EINVAL && err != syscall.EPERM {
return err
} else {
// If we have not privileges for umounting (e.g. rootless), then
// cover the path.
if err := syscall.Mount("tmpfs", p, "tmpfs", 0, ""); err != nil {
return err
}
}
}
}
if err := syscall.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {
return err
}
return chroot(rootfs)
}

func chroot(rootfs string) error {
if err := syscall.Chroot("."); err != nil {
return err
}
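Review bot: The skip test in msMoveRoot's loop uses `filepath.HasPrefix(p, absRootfs)`, which is a plain string-prefix match that ignores path boundaries, so a proc or sysfs mount at a sibling path such as `<rootfs>-old/proc` (constructed example) would be classed as inside the container rootfs and left mounted. Because this loop exists to leave no host procfs/sysfs instance in the mount namespace when `--no-pivot` is used, the comparison should be boundary-aware: `if (info.Fstype != "proc" && info.Fstype != "sysfs") || p == absRootfs || strings.HasPrefix(p, absRootfs+string(filepath.Separator)) {`. That requires the `strings` import, which is not visible in this hunk. Separately, `filepath.Abs` does not resolve symlinks, so if rootfs is given through a symlinked path the prefix may not match the mount points reported by `mount.GetMounts()`; a short comment stating the assumption that rootfs is already a resolved path would help.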