From mboxrd@z Thu Jan 1 00:00:00 1970
Received: by passt.top (Postfix, from userid 1000) id 898C05A0270; Mon, 22 May 2023 01:41:58 +0200 (CEST)
From: Stefano Brivio
To: passt-dev@passt.top
Subject: [PATCH 2/3] pasta: Detach mount namespace, (re)mount procfs before spawning command
Date: Mon, 22 May 2023 01:41:57 +0200
Message-Id: <20230521234158.2769867-3-sbrivio@redhat.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230521234158.2769867-1-sbrivio@redhat.com>
References: <20230521234158.2769867-1-sbrivio@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 4ZW3HOSXJ2BLNLICEH3TE5THQIUDE775
X-Message-ID-Hash: 4ZW3HOSXJ2BLNLICEH3TE5THQIUDE775
X-MailFrom: sbrivio@passt.top
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: David Gibson
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: Development discussion and patches for passt

If we want /proc contents to be consistent after pasta spawns a child process in a new PID namespace (only for operation without a pre-existing namespace), we need to mount /proc after the clone(2) call with CLONE_NEWPID, and we enable the child to do that by passing, in the same call, the CLONE_NEWNS flag, as described by pid_namespaces(7).

This is not really a remount: in fact, passing MS_REMOUNT to mount(2) would make the call fail. We're in another mount namespace now, so it's a fresh mount that has the effect of hiding the existing one.

Signed-off-by: Stefano Brivio
---
 pasta.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pasta.c b/pasta.c
index 3a4d704..b30ce70 100644
--- a/pasta.c
+++ b/pasta.c
@@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -172,6 +173,10 @@ static int pasta_spawn_cmd(void *arg) const struct pasta_spawn_cmd_arg *a; sigset_t set; + /* We run in a detached PID and mount namespace: mount /proc over */ + if (mount("", "/proc", "proc", 0, NULL)) + warn("Couldn't mount /proc: %s", strerror(errno)); + if (write_file("/proc/sys/net/ipv4/ping_group_range", "0 0")) warn("Cannot set ping_group_range, ICMP requests might fail"); @@ -243,7 +248,7 @@ void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid, pasta_child_pid = do_clone(pasta_spawn_cmd, ns_fn_stack, sizeof(ns_fn_stack), CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET | - CLONE_NEWUTS | SIGCHLD, + CLONE_NEWUTS | CLONE_NEWNS | SIGCHLD, (void *)&arg); if (pasta_child_pid == -1) { -- 2.39.2
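Review bot: in the pasta_spawn_cmd() hunk, the new /proc mount is done with no propagation change first. A mount namespace created with CLONE_NEWNS starts with copies of the parent's mounts that keep their propagation type, so if the caller's mounts are shared (the default on systemd-based hosts) and the child is not in a less privileged user namespace, the mount event propagates back to the peers in the original namespace. Consider a `mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)` (or at least on /proc) before `mount("", "/proc", "proc", 0, NULL)` so the fresh procfs only hides the existing one inside the child, as the commit message describes. Two smaller points on the same lines: `/proc` is conventionally mounted with `MS_NOSUID | MS_NOEXEC | MS_NODEV`, which is worth passing instead of `0`; and since a failure only produces `warn()`, the following `write_file("/proc/sys/net/ipv4/ping_group_range", "0 0")` then operates on whatever /proc was inherited, so a comment saying that degraded mode is acceptable would help the next reader.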