From: Florian Weimer
To: DJ Delorie
Cc: libc-alpha@sourceware.org
Subject: Re: [patch v1] Allow for unpriviledged nested containers
Date: Fri, 12 Nov 2021 14:31:53 +0100
In-Reply-To: (DJ Delorie's message of "Wed, 10 Nov 2021 13:30:39 -0500")
Message-ID: <87sfw1qz3q.fsf@oldenburg.str.redhat.com>

* DJ Delorie:

> Florian Weimer writes:
>> Have you tried a bind mount of the existing /proc into the chroot (from
>> the outside of that chroot)?
>
> That's an interesting idea, but the directory it (and /sys, /dev, etc,
> eventually, I suppose) needs to be mounted on doesn't exist until we're
> late into "make check" and rsync'ing the pristine test container to the
> working test container.  And we delete and rebuild that container as
> needed.  It would be a lot of messy logic to pre-mount that.

Huh.  We already do this for various parts of /dev.

I had something like this in mind (untested):

diff --git a/support/test-container.c b/support/test-container.c
index 94498d3901..ff91a12860 100644
--- a/support/test-container.c
+++ b/support/test-container.c
@@ -1094,6 +1094,13 @@ main (int argc, char **argv) trymount (support_srcdir_root, new_srcdir_path); trymount (support_objdir_root, new_objdir_path); + /* It may not be possible to mount /proc directly. */ + { + char *new_proc = concat (new_root_path, "/proc", NULL); + xmkdirp (new_proc); + trymount ("/proc", new_proc); + } + xmkdirp (concat (new_root_path, "/dev", NULL), 0755); devmount (new_root_path, "null"); devmount (new_root_path, "zero"); @@ -1163,11 +1170,6 @@ main (int argc, char **argv) maybe_xmkdir ("/tmp", 0755); - /* Now that we're pid 1 (effectively "root") we can mount /proc */ - maybe_xmkdir ("/proc", 0777); - if (mount ("proc", "/proc", "proc", 0, NULL) < 0) - FAIL_EXIT1 ("Unable to mount /proc: "); - /* We map our original UID to the same UID in the container so we can own our own files normally. */ UMAP = open ("/proc/self/uid_map", O_WRONLY); Thanks, Florian
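Review bot: in the first hunk, `xmkdirp (new_proc);` is missing the mode argument; the existing call two lines below is `xmkdirp (concat (new_root_path, "/dev", NULL), 0755);`, so the new block will not compile as posted. Use `xmkdirp (new_proc, 0755);` (the `maybe_xmkdir ("/proc", 0777)` being removed in the second hunk used 0777, but procfs presents 0555 once mounted, so 0755 is fine). The comment `/* It may not be possible to mount /proc directly. */` should also say what is done instead and why it works: this bind-mounts the parent's /proc, which is a view of the outer pid namespace rather than a private procfs instance, so a nested unprivileged container that is refused a fresh procfs mount still gets a usable `/proc/self`. Since /proc normally carries sub-mounts (binfmt_misc, runtime-masked paths), confirm that `trymount` binds recursively (MS_REC); if it does not, those subtrees will be absent inside the container.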
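Review bot: the second hunk removes the only explicit failure check for /proc, `FAIL_EXIT1 ("Unable to mount /proc: ")`, while the very next use is `UMAP = open ("/proc/self/uid_map", O_WRONLY);`. Unless `trymount` in the first hunk exits hard on error, a failed bind mount now surfaces as an obscure error opening uid_map on a bare directory; either confirm that behaviour or keep a check here, e.g. `if (access ("/proc/self/uid_map", W_OK) < 0) FAIL_EXIT1 ("/proc not available in container: ");`. The removed comment `/* Now that we're pid 1 (effectively "root") we can mount /proc */` also documented that /proc used to be mounted from inside the new pid namespace; with the bind mount, `/proc/self` still resolves to the calling task (it has a pid in the parent namespace too), so uid_map keeps working, but `/proc/<n>` entries now show parent-namespace pids and the container process is not pid 1 in that view. A one-line comment at this spot, and a check that no test reads its own pid out of /proc, would save the next reader the same puzzle.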
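The question behind the patch is why `mount ("proc", "/proc", "proc", 0, NULL)` fails inside a nested unprivileged container while a bind mount of the existing /proc works. The kernel refuses a fresh procfs (or sysfs) instance in a user namespace when the current mount namespace already has /proc with locked sub-mounts on top of it, as container runtimes leave behind when they mask paths such as /proc/kcore or parts of /proc/sys, because the new instance would expose what the parent had covered. The following is an added example, not code from glibc or from this thread. It counts such sub-mounts from text in /proc/self/mountinfo format (a constructed sample is embedded and labelled; the live file is read when present), and `mount_proc_with_fallback` shows the "fresh procfs first, bind mount of the parent's /proc second" order in one helper. The names `count_submounts_under`, `mountinfo_field`, `constructed_mountinfo` and `mount_proc_with_fallback` are all this example's own; the mount helper needs CAP_SYS_ADMIN in the relevant namespaces and only runs when a root directory is given on the command line.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>

/* Constructed sample in /proc/self/mountinfo format, not captured from a
   real system: a /proc with two things mounted on top of it (the shape a
   container runtime leaves behind) and a /sys with one sub-mount.  */
const char constructed_mountinfo[] =
  "22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
  "30 22 0:29 / /proc/sys/fs/binfmt_misc rw,relatime - autofs systemd-1 rw\n"
  "40 22 0:6 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw\n"
  "23 1 0:22 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw\n"
  "41 23 0:30 / /sys/fs/cgroup ro - cgroup2 cgroup rw\n";

/* Copy space-separated field INDEX (0-based) of the mountinfo line
   starting at LINE into OUT, stopping at the end of that line.  Field 4
   is the mount point.  Returns false if the line is too short.  */
static bool
mountinfo_field (const char *line, int index, char *out, size_t outlen)
{
  const char *p = line;
  for (int i = 0; i < index; i++)
    {
      p += strcspn (p, " \n");
      if (*p != ' ')
        return false;
      p++;
    }
  size_t len = strcspn (p, " \n");
  if (len == 0 || len >= outlen)
    return false;
  memcpy (out, p, len);
  out[len] = '\0';
  return true;
}

/* Number of mounts in MOUNTINFO whose mount point lies strictly below
   PREFIX ("/proc/kcore" counts for "/proc"; "/proc" and "/procfs" do
   not).  These are the sub-mounts that a fresh procfs instance in a
   child user namespace would hide, and therefore the reason the kernel
   rejects that mount and a bind mount of the parent's /proc is needed.  */
int
count_submounts_under (const char *mountinfo, const char *prefix)
{
  size_t plen = strlen (prefix);
  int count = 0;
  for (const char *line = mountinfo; *line != '\0';
       line += strcspn (line, "\n"), line += (*line == '\n'))
    {
      char mnt[512];
      if (mountinfo_field (line, 4, mnt, sizeof mnt)
          && strncmp (mnt, prefix, plen) == 0 && mnt[plen] == '/')
        count++;
    }
  return count;
}

/* Populate NEW_ROOT/proc: first a fresh procfs instance (needs
   CAP_SYS_ADMIN over the pid namespace and no locked sub-mounts on the
   existing /proc), then a recursive bind mount of the caller's /proc.
   Returns "proc", "bind", or NULL with errno set by the last failure.  */
const char *
mount_proc_with_fallback (const char *new_root)
{
  char target[4096];
  snprintf (target, sizeof target, "%s/proc", new_root);
  if (mkdir (target, 0755) < 0 && errno != EEXIST)
    return NULL;
  if (mount ("proc", target, "proc", 0, NULL) == 0)
    return "proc";
  if (mount ("/proc", target, NULL, MS_BIND | MS_REC, NULL) == 0)
    return "bind";
  return NULL;
}

int
main (int argc, char **argv)
{
  printf ("constructed sample: %d sub-mounts under /proc\n",
          count_submounts_under (constructed_mountinfo, "/proc"));
  FILE *f = fopen ("/proc/self/mountinfo", "r");
  if (f != NULL)
    {
      static char text[1 << 16]; /* demo-sized; truncates very large tables */
      text[fread (text, 1, sizeof text - 1, f)] = '\0';
      fclose (f);
      printf ("this system: %d sub-mounts under /proc\n",
              count_submounts_under (text, "/proc"));
    }
  if (argc > 1)
    {
      const char *how = mount_proc_with_fallback (argv[1]);
      if (how == NULL)
        perror ("mounting /proc failed");
      else
        printf ("mounted /proc under %s via %s\n", argv[1], how);
    }
  return 0;
}
```

Run without arguments to see how many things are stacked on this system's /proc; a non-zero count inside a container is the usual reason a nested `unshare`d test runner gets EPERM from a fresh procfs mount. Run as `./a.out /path/to/new_root` from inside the user and mount namespaces to exercise the fallback order itself.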