Hello,
I am not confused about how I can currently use pivot_root for
containers on my kernel (version 3.13). Currently a sequence like:
if (-1 == syscall(__NR_pivot_root, ".", ".")) {
perror("pivot_root");
return EXIT_FAILURE;
}
if (-1 == umount2(".", MNT_DETACH)) {
perror("umount");
return EXIT_FAILURE;
}
/* pivot_root() may or may not affect its current working
* directory. It is therefore recommended to call chdir("/")
* immediately after pivot_root().
*
* - http://man7.org/linux/man-pages/man2/pivot_root.2.html
*/
if (-1 == chdir("/")) {
perror("chdir");
return EXIT_FAILURE;
}
works. However, I am completely and totally confused about how the
pivot_root system call is intended to be used here and have absolutely
no idea if this will work in the future. This concerns me because I
don't want my program to potentially develop silent security bugs on
future versions of the Linux kernel.
Some information about the context. I am sandboxing a program just
after it has done a fork, unshared the mount namespace, setup a
sandbox directory and changed into it. If you just want to look at the
code, the actual code is avaliable at
https://gitorious.org/linted/linted/source/b25685ba4762bfb794c8f36ae74276d32d2b0ca8:src/spawn/spawn.c.
Thank you,
Steven Stewart-Gallus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
