Re: pivot_root(".", ".") and the fchdir() dance

All of lore.kernel.org
 help / color / mirror / Atom feed

From: ebiederm@xmission.com (Eric W. Biederman)
To: "Michael Kerrisk \(man-pages\)" <mtk.manpages@gmail.com>
Cc: Christian Brauner <christian.brauner@ubuntu.com>,
	linux-man <linux-man@vger.kernel.org>,
	Containers <containers@lists.linux-foundation.org>,
	lkml <linux-kernel@vger.kernel.org>,
	Andy Lutomirski <luto@amacapital.net>,
	Jordan Ogas <jogas@lanl.gov>,
	werner@almesberger.net, Al Viro <viro@ftp.linux.org.uk>
Subject: Re: pivot_root(".", ".") and the fchdir() dance
Date: Tue, 10 Sep 2019 18:06:48 -0500	[thread overview]
Message-ID: <871rwnda47.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <30545c5c-ff4c-8b87-e591-40cc0a631304@gmail.com> (Michael Kerrisk's message of "Tue, 10 Sep 2019 13:21:16 +0200")

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Hello Christian,
>
>>> All: I plan to add the following text to the manual page:
>>>
>>>        new_root and put_old may be the same  directory.   In  particular,
>>>        the following sequence allows a pivot-root operation without need‐
>>>        ing to create and remove a temporary directory:
>>>
>>>            chdir(new_root);
>>>            pivot_root(".", ".");
>>>            umount2(".", MNT_DETACH);
>> 
>> Hm, should we mention that MS_PRIVATE or MS_SLAVE is usually needed
>> before the umount2()? Especially for the container case... I think we
>> discussed this briefly yesterday in person.
> Thanks for noticing. That detail (more precisely: not MS_SHARED) is
> already covered in the numerous other changes that I have pending
> for this page:
>
>        The following restrictions apply:
>        ...
>        -  The propagation type of new_root and its parent mount must  not
>           be MS_SHARED; similarly, if put_old is an existing mount point,
>           its propagation type must not be MS_SHARED.

Ugh.  That is close but not quite correct.

A better explanation:

    The pivot_root system call will never propagate any changes it makes.
    The pivot_root system call ensures this is safe by verifying that
    none of put_old, the parent of new_root, and parent of the root directory
    have a propagation type of MS_SHARED.

>

The concern from our conversation at the container mini-summit was that
there is a pathology if in your initial mount namespace all of the
mounts are marked MS_SHARED like systemd does (and is almost necessary
if you are going to use mount propagation), that if new_root itself
is MS_SHARED then unmounting the old_root could propagate.

So I believe the desired sequence is:

>>>            chdir(new_root);
+++            mount("", ".", MS_SLAVE | MS_REC, NULL);
>>>            pivot_root(".", ".");
>>>            umount2(".", MNT_DETACH);

The change to new new_root could be either MS_SLAVE or MS_PRIVATE.  So
long as it is not MS_SHARED the mount won't propagate back to the
parent mount namespace.

Eric

next prev parent reply	other threads:[~2019-09-10 23:07 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-01 13:38 pivot_root(".", ".") and the fchdir() dance Michael Kerrisk (man-pages)
2019-08-05 10:36 ` Aleksa Sarai
2019-08-05 12:29   ` Michael Kerrisk (man-pages)
2019-08-05 13:37     ` Aleksa Sarai
2019-08-06 19:35       ` Michael Kerrisk (man-pages)
2019-08-06  8:12     ` Philipp Wendler
2019-08-06 12:03       ` Michael Kerrisk (man-pages)
2019-09-09 10:40         ` Eric W. Biederman
2019-09-09 14:48           ` Michael Kerrisk (man-pages)
2019-09-09 23:40             ` Eric W. Biederman
2019-09-10 10:27               ` Michael Kerrisk (man-pages)
2019-09-10 11:15                 ` Christian Brauner
2019-09-10 11:21                   ` Michael Kerrisk (man-pages)
2019-09-10 23:06                     ` Eric W. Biederman [this message]
2019-09-15  8:12                       ` Michael Kerrisk (man-pages)
2019-09-15 18:17                         ` Eric W. Biederman
2019-09-23 11:10                           ` Michael Kerrisk (man-pages)
2019-09-28 15:05                             ` Michael Kerrisk (man-pages)
2019-09-30 11:42                               ` Eric W. Biederman
2019-10-07 11:02                                 ` Michael Kerrisk (man-pages)
2019-10-07 15:46                                   ` Eric W. Biederman
2019-10-08 14:27                                     ` Michael Kerrisk (man-pages)
2019-10-08 19:40                                       ` Eric W. Biederman
2019-10-08 21:40                                         ` Michael Kerrisk (man-pages)
2019-10-08 22:16                                           ` Eric W. Biederman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=871rwnda47.fsf@x220.int.ebiederm.org \
    --to=ebiederm@xmission.com \
    --cc=christian.brauner@ubuntu.com \
    --cc=containers@lists.linux-foundation.org \
    --cc=jogas@lanl.gov \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-man@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mtk.manpages@gmail.com \
    --cc=viro@ftp.linux.org.uk \
    --cc=werner@almesberger.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.