Date: Mon, 22 May 2023 15:42:23 +1000
From: David Gibson
To: Stefano Brivio
Cc: passt-dev@passt.top
Subject: Re: [PATCH 2/3] pasta: Detach mount namespace, (re)mount procfs before spawning command
References: <20230521234158.2769867-1-sbrivio@redhat.com> <20230521234158.2769867-3-sbrivio@redhat.com>
In-Reply-To: <20230521234158.2769867-3-sbrivio@redhat.com>

On Mon, May 22, 2023 at 01:41:57AM +0200, Stefano Brivio wrote:
> If we want /proc contents to be consistent after pasta spawns a child
> process in a new PID namespace (only for operation without a
> pre-existing namespace), we need to mount /proc after the clone(2)
> call with CLONE_NEWPID, and we enable the child to do that by
> passing, in the same call, the CLONE_NEWNS flag, as described by
> pid_namespaces(7).
>
> This is not really a remount: in fact, passing MS_REMOUNT to mount(2)
> would make the call fail. We're in another mount namespace now, so
> it's a fresh mount that has the effect of hiding the existing one.
>
> Signed-off-by: Stefano Brivio

Reviewed-by: David Gibson

> ---
> pasta.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/pasta.c b/pasta.c
> index 3a4d704..b30ce70 100644
> --- a/pasta.c
> +++ b/pasta.c
> @@ -29,6 +29,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -172,6 +173,10 @@ static int pasta_spawn_cmd(void *arg) > const struct pasta_spawn_cmd_arg *a; > sigset_t set; > =20 > + /* We run in a detached PID and mount namespace: mount /proc over */ > + if (mount("", "/proc", "proc", 0, NULL)) > + warn("Couldn't mount /proc: %s", strerror(errno)); > + > if (write_file("/proc/sys/net/ipv4/ping_group_range", "0 0")) > warn("Cannot set ping_group_range, ICMP requests might fail"); > =20
> @@ -243,7 +248,7 @@ void pasta_start_ns(struct ctx *c, uid_t uid, gid_t g= id, > pasta_child_pid =3D do_clone(pasta_spawn_cmd, ns_fn_stack, > sizeof(ns_fn_stack), > CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWNET | > - CLONE_NEWUTS | SIGCHLD, > + CLONE_NEWUTS | CLONE_NEWNS | SIGCHLD, > (void *)&arg); > =20 > if (pasta_child_pid =3D=3D -1) {

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
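Review bot: the `@@ -29,6 +29,7 @@` hunk adds a single header for mount(2), but the new code in pasta_spawn_cmd() also calls strerror() and reads errno; unless `<string.h>` and `<errno.h>` are already among the existing includes, add them in the same hunk so the file builds without relying on transitive includes.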
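Review bot: in the `@@ -172,6 +173,10 @@` hunk, a failed `mount("", "/proc", "proc", 0, NULL)` only produces warn() and the function then carries on with `write_file("/proc/sys/net/ipv4/ping_group_range", "0 0")` and everything after it through the inherited /proc, so the inconsistent view the commit message sets out to avoid is silently kept; either fail the spawn here or say in the comment that continuing is intentional. The mount also passes 0 as flags; `MS_NOSUID | MS_NODEV | MS_NOEXEC` is what init systems use for procfs and costs nothing in this context.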
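Review bot: for the `@@ -243,7 +248,7 @@` hunk, adding CLONE_NEWNS to the do_clone() flags needs CAP_SYS_ADMIN in the user namespace that owns the caller, the same requirement as the existing CLONE_NEWPID and CLONE_NEWNET flags, so it introduces no new privilege as long as this path runs inside pasta's own user namespace; a sentence in the commit message stating that would help. The child's mount namespace starts as a copy of the parent's, so the fresh /proc mount stays local only if those copied mounts are private or slave (the kernel makes them slaves when a user namespace separates the two); please confirm that holds here, or set the propagation explicitly before the mount.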
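The mechanism the commit message describes, clone(2) with CLONE_NEWPID | CLONE_NEWNS followed by a fresh procfs mount rather than a remount, as an added stand-alone example that is not pasta's code: the child records what /proc/self resolves to before and after mounting, and shows that MS_REMOUNT is refused. It assumes the clone also creates a user namespace (CLONE_NEWUSER, which the hunk does not show) so it runs unprivileged, adds nosuid/nodev/noexec where pasta passes 0, and uses the hypothetical names child_fn() and proc_view_demo().

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* glibc exposes clone(2) and CLONE_* in <sched.h> only with this set */
#endif
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWNS /* fallback if a libc header was already included before _GNU_SOURCE */
#include <linux/sched.h>
int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);
#endif
#define STACK_SIZE (256 * 1024)

/* Child entry (hypothetical name): PID 1 of a new PID namespace, in a copy of the parent's mounts. */
static int child_fn(void *arg)
{
	char before[32] = "", after[32] = "";
	(void)arg;
	/* The inherited /proc belongs to the parent's PID namespace: /proc/self is our outer PID. */
	if (readlink("/proc/self", before, sizeof(before) - 1) < 0)
		return 13;
	/* As the commit message says, this is not a remount: MS_REMOUNT fails from here. */
	if (mount("", "/proc", "proc", MS_REMOUNT, NULL) == 0)
		return 10;
	/* A fresh procfs mount hides the inherited one (pasta passes 0 as flags; hardened here). */
	if (mount("", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL))
		return 11;
	if (readlink("/proc/self", after, sizeof(after) - 1) < 0)
		return 13;
	/* Consistent view: we are PID 1 of the new namespace, and were not before the mount. */
	return (!strcmp(after, "1") && strcmp(before, "1")) ? 0 : 12;
}

/* 0: consistent /proc seen; >0: a step behaved differently; <0: -errno, namespaces or mount(2) not permitted */
int proc_view_demo(void)
{
	static char stack[STACK_SIZE];
	int status;
	pid_t pid = clone(child_fn, stack + STACK_SIZE,
			  CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | SIGCHLD, NULL);
	if (pid == -1 || waitpid(pid, &status, 0) == -1)
		return -errno;
	if (!WIFEXITED(status))
		return -ECHILD;
	/* mount(2) refused inside the new user namespace (e.g. a container with masked /proc entries) */
	return WEXITSTATUS(status) == 11 ? -EPERM : WEXITSTATUS(status);
}
```

proc_view_demo() returns 0 on a host that allows unprivileged user namespaces; a negative errno means the environment refused the namespaces or the mount, not that the technique misbehaved.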