From: Al Viro <viro@ZenIV.linux.org.uk>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Richard Weinberger <richard.weinberger@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>
Subject: Re: How do I make a clean mount namespace?
Date: Thu, 24 Apr 2014 03:24:57 +0100
Message-ID: <20140424022457.GV18016@ZenIV.linux.org.uk>
In-Reply-To: <CALCETrUOEFwnYqKNtB3XKqsM1HNnOR9x-MXV8mjdR6ErUL3jGg@mail.gmail.com>
On Wed, Apr 23, 2014 at 05:54:31PM -0700, Andy Lutomirski wrote:
> This requires CAP_SYS_ADMIN and it requires that the caller is not
> chrooted. path must be a mountpoint and flags must be zero.
>
> It lazy-unmounts everything outside path, and it moves path to /.
> When it's done, the current process's root is '/'. If you want to
> retain temporary access to outside things, you can keep an fd open.
> If the old root is shared, it is made private. It's okay for path to
> be shared (I think).
>
> If other things are already running in the current mount namespace,
> then their root directory stays the same, so they keep working, but
> they may be a little confused.
>
> I think this could replace pivot_root for most use cases, and it could
> simplify programs like switch_root.
>
> Thoughts?
chdir(new);                /* new: the mount that is to become the root */
pivot_root(".", old);      /* old: an existing directory under new; the old root lands there */
umount2(old, MNT_DETACH);  /* umount2(2), not umount(2): only the former takes flags */
chroot(".");