On Mon, May 22, 2023 at 01:41:57AM +0200, Stefano Brivio wrote: > If we want /proc contents to be consistent after pasta spawns a child > process in a new PID namespace (only for operation without a > pre-existing namespace), we need to mount /proc after the clone(2) > call with CLONE_NEWPID, and we enable the child to do that by > passing, in the same call, the CLONE_NEWNS flag, as described by > pid_namespaces(7). > > This is not really a remount: in fact, passing MS_REMOUNT to mount(2) > would make the call fail. We're in another mount namespace now, so > it's a fresh mount that has the effect of hiding the existing one. > > Signed-off-by: Stefano Brivio Reviewed-by: David Gibson > --- > pasta.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/pasta.c b/pasta.c > index 3a4d704..b30ce70 100644 > --- a/pasta.c > +++ b/pasta.c > @@ -29,6 +29,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -172,6 +173,10 @@ static int pasta_spawn_cmd(void *arg) > const struct pasta_spawn_cmd_arg *a; > sigset_t set; > > + /* We run in a detached PID and mount namespace: mount /proc over */ > + if (mount("", "/proc", "proc", 0, NULL)) > + warn("Couldn't mount /proc: %s", strerror(errno)); > + > if (write_file("/proc/sys/net/ipv4/ping_group_range", "0 0")) > warn("Cannot set ping_group_range, ICMP requests might fail"); > > @@ -243,7 +248,7 @@ void pasta_start_ns(struct ctx *c, uid_t uid, gid_t gid, > pasta_child_pid = do_clone(pasta_spawn_cmd, ns_fn_stack, > sizeof(ns_fn_stack), > CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET | > - CLONE_NEWUTS | SIGCHLD, > + CLONE_NEWUTS | CLONE_NEWNS | SIGCHLD, > (void *)&arg); > > if (pasta_child_pid == -1) { -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
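Review bot: in the pasta_spawn_cmd() hunk, the new mount("", "/proc", "proc", 0, NULL) passes 0 for mountflags; since this procfs is what the spawned command will see, consider MS_NOSUID | MS_NODEV | MS_NOEXEC, the flags normally applied to a fresh /proc, as the hunk otherwise leaves them at the kernel defaults. The warn-and-continue on failure is fine for the following write_file("/proc/sys/net/ipv4/ping_group_range", ...), which still reaches the child's own net namespace through whichever /proc view is left, but the warning text could say that the old PID view of /proc stays in place so the stale /proc contents the commit message describes are not silently accepted.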
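Review bot: in the pasta_start_ns() hunk, adding CLONE_NEWNS next to CLONE_NEWPID matches pid_namespaces(7), but the flag set shown carries no CLONE_NEWUSER and nothing in the patch changes mount propagation. When the new mount namespace is owned by a less privileged user namespace the kernel reduces shared mounts to slave mounts, so the child's /proc mount cannot propagate back; when pasta runs with real privileges in a mount namespace whose mounts are shared (the default on most distributions), the mount over /proc would propagate to the parent's /proc as well. Worth confirming that path is covered, for example with mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) in the child before the /proc mount, or documenting that this mode is only reached from an unprivileged user namespace.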