From f84c2298e9d7138be0998c289825128144234862 Mon Sep 17 00:00:00 2001
From: Chirantan Ekbote
Date: Fri, 21 Feb 2020 16:37:27 +0900
Subject: [PATCH] linux.rs: Don't pivot_root when using host's root directory

pivot_root(2) will fail with EBUSY if we try to pivot_root to "/". Check for this case and skip the pivot_root if necessary.
BUG=b:147258662
TEST=`tast run vm.Virtiofs`
Change-Id: I1d7645844e183222a561578677fc5f59c080d58c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2067823
Auto-Submit: Chirantan Ekbote
Tested-by: kokoro
Reviewed-by: Daniel Verkamp
Commit-Queue: Chirantan Ekbote
---
 src/linux.rs | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/linux.rs b/src/linux.rs
index 662dea50ee..ba1ccf0a58 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -335,9 +335,13 @@ fn create_base_minijail(
 if let Some(gid_map) = config.gid_map {
 j.gidmap(gid_map).map_err(Error::SettingGidMap)?;
 }
+ // Run in a new mount namespace.
+ j.namespace_vfs();
+
 // Run in an empty network namespace.
 j.namespace_net();
- // Apply the block device seccomp policy.
+
+ // Don't allow the device to gain new privileges.
 j.no_new_privs();

 // By default we'll prioritize using the pre-compiled .bpf over the .policy
@@ -367,9 +371,12 @@ fn create_base_minijail(
 j.run_as_init();
 }

- // Create a new mount namespace with an empty root FS.
- j.namespace_vfs();
- j.enter_pivot_root(root).map_err(Error::DevicePivotRoot)?;
+ // Only pivot_root if we are not re-using the current root directory.
+ if root != Path::new("/") {
+ // It's safe to call `namespace_vfs` multiple times.
+ j.namespace_vfs();
+ j.enter_pivot_root(root).map_err(Error::DevicePivotRoot)?;
+ }

 // Most devices don't need to open many fds.
 let limit = if let Some(r) = r_limit { r } else { 1024u64 };
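Review bot: In the second hunk, a `root` of "/" now skips `enter_pivot_root` entirely, so the jailed device keeps the host's whole filesystem tree in view and is confined only by the mount namespace and the other settings this function applies; the branch should say so. Suggested comment above the `if`: `// SECURITY: with root == "/" the device is not confined to a private root; it can reach any host path its credentials allow.` The `root != Path::new("/")` test is a lexical comparison, so a path that only resolves to "/" (a symlink, or `/x/..`) would presumably still reach `pivot_root` and fail with EBUSY; that fails closed, but the comment should mention it. The inner `j.namespace_vfs()` looks redundant now that the first hunk calls it unconditionally. `create_base_minijail` begins and ends outside both hunks.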