[lxc-devel] [PATCH V1] Use pivot_root and umount2 instead of chroot

Michael H. Warfield mhw at WittsEnd.com
Mon Sep 1 03:50:49 UTC 2014


On Mon, 2014-09-01 at 03:24 +0000, Steven Stewart-Gallus wrote:
> chrooting leaves the old mount information in /proc/mounts and gives
> me anxiety. Explicitly switch root directories and unmount the old
> root directory.

> Signed-off-by: Steven Stewart-Gallus <sstewartgallus00 at mylangara.bc.ca>

(/me checks watch and checks calendar)...  Here there be dragons.

We have gone back and forth on this for years.  There were SERIOUS
reasons for the decisions that were made (maybe right, maybe wrong and
which maybe changed now).  Not just the pollution of the mount table
(which is a serious PITA) but the issues of security and mount (mount
remount) security in containers and the interaction with other
containers.  This subject has caused no end of problems of ro/rw remount
issues across templates.

Has this been tested against the security and operational cases we have
faced and evaluated in the past?  I'd like to hear from Stephane and
Serge on this but I'm extremely leery of this lacking a security
evaluation of this change.  This is at the heart of a security issue for
the whole project.

IF things have changed and IF this can be done securely and IF this can
be done where one container does NOT contaminate the state of another, I
am comfortable with it.  Without that assurance, I am not.

This needs some serious evaluation, IMNSO.

Regards,
Mike

> ---
> 
> Hello! In my own little sandbox program I use pivot_root and umount2
> instead of chroot.  It seems a lot more foolproof to me and also
> removes the old mount information from /proc/mounts.  I noticed that
> LXC didn't use this technique so I wanted to share it with LXC.
> Unfortunately, LXC's build system was mysteriously failing at building
> the documentation so I couldn't test this patch.  In any case, I
> wanted to discuss the general approach anyway, mostly.
> 
> Thank you,
> Steven Stewart-Gallus
> 
> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> index ee8f491..38e33f4 100644
> --- a/src/lxc/lxccontainer.c
> +++ b/src/lxc/lxccontainer.c
> @@ -3397,10 +3397,17 @@ static bool do_add_remove_node(pid_t init_pid, const
> char *path, bool add,
>  	if (ret < 0 || ret >= MAXPATHLEN)
>  		return false;
>  
> -	if (chroot(chrootpath) < 0)
> +	if (chdir(chrootpath) < 0)
>  		exit(1);
> -	if (chdir("/") < 0)
> +
> +	if (syscall(__NR_pivot_root, ".", ".") < 0) {
> +		exit(1);
> +	}
> +
> +	if (umount2(".", MNT_DETACH) < 0) {
>  		exit(1);
> +	}
> +
>  	/* remove path if it exists */
>  	if(faccessat(AT_FDCWD, path, F_OK, AT_SYMLINK_NOFOLLOW) == 0) {
>  		if (unlink(path) < 0) {
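Review bot: pivot_root(".", ".") in this hunk acts on the caller's entire mount namespace, not just on this child, and nothing in the hunk unshares or enters a mount namespace before the chdir(chrootpath); unless do_add_remove_node's child already sits in a private mount namespace, the call relocates the root directory of every process sharing that namespace, which is the cross-container contamination raised above. Suggest unsharing a mount namespace (and marking its mounts MS_PRIVATE) before the pivot, and checking that chrootpath is a mount point, since pivot_root fails with EINVAL where chroot(chrootpath) had no such requirement. The three exit(1) paths also discard errno; printing strerror(errno) first would make a failed pivot diagnosable. Finally, __NR_pivot_root and umount2()/MNT_DETACH need <sys/syscall.h> and <sys/mount.h>, and the hunk does not show those includes being added.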
> 

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
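The pivot_root/umount2 sequence Steven describes, written out here as an added example that is not LXC's code or the patch, with the two checks the review asks for: a private mount namespace so the host's root is untouched, and a mount point at the new root. The function names is_mount_point() and pivot_into() are my own; the caller needs CAP_SYS_ADMIN in its user namespace for pivot_into() to get past unshare.

```c
/* Added example, not LXC's code: the patch's pivot_root/umount2 sequence
 * with the checks a reviewer would ask for. Function names are my own. */
#include <errno.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000 /* new mount namespace, value from linux/sched.h */
#endif
/* 1 if path is a mount point ("/" counts), 0 if a plain directory, -1 on error.
 * Heuristic: a mount point sits on a different st_dev than its parent, and "/"
 * is its own parent (bind mounts of the same filesystem are missed, which only
 * costs pivot_into() a harmless extra bind). */
int is_mount_point(const char *path)
{
    struct stat here, up;
    char parent[4096];
    if (stat(path, &here) < 0)
        return -1;
    snprintf(parent, sizeof parent, "%s/..", path);
    if (stat(parent, &up) < 0)
        return -1;
    return (here.st_dev != up.st_dev || here.st_ino == up.st_ino) ? 1 : 0;
}
/* Make new_root the root of the calling process. Returns 0 or -errno; needs
 * CAP_SYS_ADMIN in the caller's user namespace. */
int pivot_into(const char *new_root)
{
    /* pivot_root rewrites the root of every process in the mount namespace,
     * so never run it in the host's: take a fresh namespace first... */
    if (syscall(SYS_unshare, CLONE_NEWNS) < 0)
        return -errno;
    /* ...and stop mount events propagating back to the parent namespace
     * (pivot_root also refuses shared parent mounts). */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -errno;
    /* pivot_root fails with EINVAL unless new_root is a mount point; a
     * recursive self bind-mount turns a plain directory into one. */
    if (is_mount_point(new_root) != 1 &&
        mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -errno;
    if (chdir(new_root) < 0)
        return -errno;
    /* new_root == put_old == ".": the old root ends up stacked on top of
     * the new one and is detached from "." with a single umount2. */
    if (syscall(__NR_pivot_root, ".", ".") < 0 || umount2(".", MNT_DETACH) < 0)
        return -errno;
    return chdir("/") < 0 ? -errno : 0;
}
```

After pivot_into() returns 0, /proc/self/mounts inside the new root no longer lists the old root, which is the /proc/mounts pollution the patch set out to remove.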
