From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id E716A138359 for ; Sat, 14 Nov 2020 16:37:33 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id CDE27E041F; Sat, 14 Nov 2020 16:37:32 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id B504AE041F for ; Sat, 14 Nov 2020 16:37:32 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 531453410AE for ; Sat, 14 Nov 2020 16:37:31 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 947902CA for ; Sat, 14 Nov 2020 16:37:29 +0000 (UTC) From: "Matt Turner" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Matt Turner" Message-ID: <1605371697.dccfafea4e8b4622a7527a764d581ac0123b107e.mattst88@gentoo> Subject: [gentoo-commits] proj/catalyst:master commit in: catalyst/ X-VCS-Repository: proj/catalyst X-VCS-Files: catalyst/context.py X-VCS-Directories: catalyst/ X-VCS-Committer: mattst88 X-VCS-Committer-Name: Matt Turner X-VCS-Revision: dccfafea4e8b4622a7527a764d581ac0123b107e X-VCS-Branch: master Date: Sat, 14 Nov 2020 16:37:29 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 5a24ba74-df8d-4c2e-99e4-3f76cacee4ab X-Archives-Hash: 4685fe8fb80a9febbc0e24d60488f103 commit: dccfafea4e8b4622a7527a764d581ac0123b107e Author: Felix Bier rohde-schwarz com> AuthorDate: Mon Nov 9 19:36:33 2020 +0000 Commit: Matt Turner gentoo org> CommitDate: Sat Nov 14 16:34:57 2020 +0000 URL: https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=dccfafea catalyst: Restore root and cwd after exiting mount namespace This commit saves the file descriptor of /proc/self/{root,cwd} before entering into the new mount namespace. When restoring the previous mount namespace, it restores /proc/self/{root,cwd} based on the saved file descriptors. Without this change, catalyst cannot be run in a chroot when using the recent changes regarding mount namespaces: After the mount namespace has been exited, /proc/self/root points to the "/" of the host system, not the "/" of the chroot. Therefore, the cleanup phase of catalyst runs outside of the chroot. The code is similar to how nsenter(1) sets root and cwd: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/tree/sys-utils/nsenter.c#n452 Tested in a Gentoo chroot and in Gentoo VM (non-chroot). Signed-off-by: Felix Bier rohde-schwarz.com> Signed-off-by: Matt Turner gentoo.org> catalyst/context.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/catalyst/context.py b/catalyst/context.py index 8a58f33d..01a6d930 100644 --- a/catalyst/context.py +++ b/catalyst/context.py @@ -16,11 +16,21 @@ def namespace(mount=False, uts=False, ipc=False, net=False, pid=False, (user, "user"): None, } + dirs = { + "root": None, + "cwd": None, + } + # Save fds of current namespaces for ns in [ns for ns in namespaces if ns[0]]: fp = open(f"/proc/self/ns/{ns[1]}") namespaces[ns] = fp + # Save fds of current directories + if mount: + for d in dirs: + dirs[d] = os.open(f"/proc/self/{d}", os.O_RDONLY) + simple_unshare(mount=mount, uts=uts, ipc=ipc, net=net, pid=pid, user=user, hostname=hostname) try: @@ -30,3 +40,15 @@ def namespace(mount=False, uts=False, ipc=False, net=False, pid=False, fp = namespaces[ns] setns(fp.fileno(), 0) fp.close() + + if mount: + # Restore original root and cwd. Since we cannot directly chroot to + # a fd, first change the current directory to the fd of the + # original root, then chroot to "." + + os.fchdir(dirs["root"]) + os.chroot(".") + os.fchdir(dirs["cwd"]) + + for fd in dirs.values(): + os.close(fd) From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id DB73D13835B for ; Sat, 19 Dec 2020 19:56:07 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id ADE5D2BC013; Sat, 19 Dec 2020 19:56:06 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 7E9D32BC01C for ; Sat, 19 Dec 2020 19:56:06 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 0F8AE341035 for ; Sat, 19 Dec 2020 19:56:05 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 588753A2 for ; Sat, 19 Dec 2020 19:56:02 +0000 (UTC) From: "Matt Turner" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Matt Turner" Message-ID: <1605371697.dccfafea4e8b4622a7527a764d581ac0123b107e.mattst88@gentoo> Subject: [gentoo-commits] proj/catalyst:wip/mattst88 commit in: catalyst/ X-VCS-Repository: proj/catalyst X-VCS-Files: catalyst/context.py X-VCS-Directories: catalyst/ X-VCS-Committer: mattst88 X-VCS-Committer-Name: Matt Turner X-VCS-Revision: dccfafea4e8b4622a7527a764d581ac0123b107e X-VCS-Branch: wip/mattst88 Date: Sat, 19 Dec 2020 19:56:02 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: dc8896f3-9e8f-4600-ab39-e37952496c68 X-Archives-Hash: 82895a2b4bff399d047da2c96fa230ea Message-ID: <20201219195602.wVSiJzpEWmiWghfKQ5JAUsUt7YUGKLwejvgQ5sd0AGY@z> commit: dccfafea4e8b4622a7527a764d581ac0123b107e Author: Felix Bier rohde-schwarz com> AuthorDate: Mon Nov 9 19:36:33 2020 +0000 Commit: Matt Turner gentoo org> CommitDate: Sat Nov 14 16:34:57 2020 +0000 URL: https://gitweb.gentoo.org/proj/catalyst.git/commit/?id=dccfafea catalyst: Restore root and cwd after exiting mount namespace This commit saves the file descriptor of /proc/self/{root,cwd} before entering into the new mount namespace. When restoring the previous mount namespace, it restores /proc/self/{root,cwd} based on the saved file descriptors. Without this change, catalyst cannot be run in a chroot when using the recent changes regarding mount namespaces: After the mount namespace has been exited, /proc/self/root points to the "/" of the host system, not the "/" of the chroot. Therefore, the cleanup phase of catalyst runs outside of the chroot. The code is similar to how nsenter(1) sets root and cwd: https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/tree/sys-utils/nsenter.c#n452 Tested in a Gentoo chroot and in Gentoo VM (non-chroot). Signed-off-by: Felix Bier rohde-schwarz.com> Signed-off-by: Matt Turner gentoo.org> catalyst/context.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/catalyst/context.py b/catalyst/context.py index 8a58f33d..01a6d930 100644 --- a/catalyst/context.py +++ b/catalyst/context.py @@ -16,11 +16,21 @@ def namespace(mount=False, uts=False, ipc=False, net=False, pid=False, (user, "user"): None, } + dirs = { + "root": None, + "cwd": None, + } + # Save fds of current namespaces for ns in [ns for ns in namespaces if ns[0]]: fp = open(f"/proc/self/ns/{ns[1]}") namespaces[ns] = fp + # Save fds of current directories + if mount: + for d in dirs: + dirs[d] = os.open(f"/proc/self/{d}", os.O_RDONLY) + simple_unshare(mount=mount, uts=uts, ipc=ipc, net=net, pid=pid, user=user, hostname=hostname) try: @@ -30,3 +40,15 @@ def namespace(mount=False, uts=False, ipc=False, net=False, pid=False, fp = namespaces[ns] setns(fp.fileno(), 0) fp.close() + + if mount: + # Restore original root and cwd. Since we cannot directly chroot to + # a fd, first change the current directory to the fd of the + # original root, then chroot to "." + + os.fchdir(dirs["root"]) + os.chroot(".") + os.fchdir(dirs["cwd"]) + + for fd in dirs.values(): + os.close(fd)