diff options
author | Chirantan Ekbote <chirantan@chromium.org> | 2020-02-21 16:37:27 +0900 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2020-02-22 06:20:21 +0000 |
commit | f84c2298e9d7138be0998c289825128144234862 (patch) | |
tree | fdf7ef6d9d72144c0a219213f2d945b1b874a385 /src/linux.rs | |
parent | d8144a56e26ca09e2c7ff97ed63c57e7e7965674 (diff) | |
download | crosvm-f84c2298e9d7138be0998c289825128144234862.tar crosvm-f84c2298e9d7138be0998c289825128144234862.tar.gz crosvm-f84c2298e9d7138be0998c289825128144234862.tar.bz2 crosvm-f84c2298e9d7138be0998c289825128144234862.tar.lz crosvm-f84c2298e9d7138be0998c289825128144234862.tar.xz crosvm-f84c2298e9d7138be0998c289825128144234862.tar.zst crosvm-f84c2298e9d7138be0998c289825128144234862.zip |
linux.rs: Don't pivot_root when using host's root directory
pivot_root(2) will fail with EBUSY if we try to pivot_root to "/". Check for this case and skip the pivot_root if necessary. BUG=b:147258662 TEST=`tast run <dut> vm.Virtiofs` Change-Id: I1d7645844e183222a561578677fc5f59c080d58c Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2067823 Auto-Submit: Chirantan Ekbote <chirantan@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Daniel Verkamp <dverkamp@chromium.org> Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Diffstat (limited to 'src/linux.rs')
-rw-r--r-- | src/linux.rs | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/src/linux.rs b/src/linux.rs index 662dea5..ba1ccf0 100644 --- a/src/linux.rs +++ b/src/linux.rs @@ -335,9 +335,13 @@ fn create_base_minijail( if let Some(gid_map) = config.gid_map { j.gidmap(gid_map).map_err(Error::SettingGidMap)?; } + // Run in a new mount namespace. + j.namespace_vfs(); + // Run in an empty network namespace. j.namespace_net(); - // Apply the block device seccomp policy. + + // Don't allow the device to gain new privileges. j.no_new_privs(); // By default we'll prioritize using the pre-compiled .bpf over the .policy @@ -367,9 +371,12 @@ fn create_base_minijail( j.run_as_init(); } - // Create a new mount namespace with an empty root FS. - j.namespace_vfs(); - j.enter_pivot_root(root).map_err(Error::DevicePivotRoot)?; + // Only pivot_root if we are not re-using the current root directory. + if root != Path::new("/") { + // It's safe to call `namespace_vfs` multiple times. + j.namespace_vfs(); + j.enter_pivot_root(root).map_err(Error::DevicePivotRoot)?; + } // Most devices don't need to open many fds. let limit = if let Some(r) = r_limit { r } else { 1024u64 }; |