authorChirantan Ekbote <chirantan@chromium.org>2020-02-21 16:37:27 +0900
committerCommit Bot <commit-bot@chromium.org>2020-02-22 06:20:21 +0000
commitf84c2298e9d7138be0998c289825128144234862 (patch)
treefdf7ef6d9d72144c0a219213f2d945b1b874a385 /src/linux.rs
parentd8144a56e26ca09e2c7ff97ed63c57e7e7965674 (diff)
linux.rs: Don't pivot_root when using host's root directory
pivot_root(2) will fail with EBUSY if we try to pivot_root to "/".
Check for this case and skip the pivot_root if necessary.

BUG=b:147258662
TEST=`tast run <dut> vm.Virtiofs`

Change-Id: I1d7645844e183222a561578677fc5f59c080d58c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2067823
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Diffstat (limited to 'src/linux.rs')
-rw-r--r--src/linux.rs15
1 files changed, 11 insertions, 4 deletions
diff --git a/src/linux.rs b/src/linux.rs
index 662dea5..ba1ccf0 100644
--- a/src/linux.rs
+++ b/src/linux.rs
@@ -335,9 +335,13 @@ fn create_base_minijail(
         if let Some(gid_map) = config.gid_map {
             j.gidmap(gid_map).map_err(Error::SettingGidMap)?;
         }
+        // Run in a new mount namespace.
+        j.namespace_vfs();
+
         // Run in an empty network namespace.
         j.namespace_net();
-        // Apply the block device seccomp policy.
+
+        // Don't allow the device to gain new privileges.
         j.no_new_privs();
 
         // By default we'll prioritize using the pre-compiled .bpf over the .policy
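Review bot: The added `j.namespace_vfs()` sits inside an indented block whose opening condition lies outside this hunk, and its comment does not say that this call is now the one that matters when `root` is "/". In the second hunk of this commit the other `namespace_vfs()` call is guarded by `root != Path::new("/")`, so on the host-root path this is the only place a mount namespace is requested. A comment such as `// Run in a new mount namespace; when root is "/" pivot_root is skipped and this is the only namespace_vfs() call.` would make that dependency visible. If the enclosing block can be skipped (its condition is not visible here), a jail with root "/" would get no mount namespace at all, which is worth confirming is intended.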
@@ -367,9 +371,12 @@ fn create_base_minijail(
         j.run_as_init();
     }
 
-    // Create a new mount namespace with an empty root FS.
-    j.namespace_vfs();
-    j.enter_pivot_root(root).map_err(Error::DevicePivotRoot)?;
+    // Only pivot_root if we are not re-using the current root directory.
+    if root != Path::new("/") {
+        // It's safe to call `namespace_vfs` multiple times.
+        j.namespace_vfs();
+        j.enter_pivot_root(root).map_err(Error::DevicePivotRoot)?;
+    }
 
     // Most devices don't need to open many fds.
     let limit = if let Some(r) = r_limit { r } else { 1024u64 };
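Review bot: The comment on `if root != Path::new("/")` does not record what skipping `enter_pivot_root` means for isolation: the device process keeps the host's root directory as its filesystem view, so confinement then rests on the other jail settings visible in this commit (mount namespace, gid map, `no_new_privs`) rather than on a separate root. I would extend it to something like `// Only pivot_root if we are not re-using the current root directory; with "/" the device sees the host filesystem, so callers must pass it deliberately.` The comparison is also lexical: a path that only resolves to "/" through a symlink or `..` does not compare equal and still reaches `enter_pivot_root`, where, going by the commit message, it would presumably fail with EBUSY. That outcome fails closed, but it deserves a line in the comment. The body of `create_base_minijail` starts before and continues after this hunk.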