Skip to content

Commit

Permalink
src: use mount API to self-clone
Browse files Browse the repository at this point in the history
if the new mount API is available, use it to grad a read-only
reference to the current executable.  The advantage is that there is
no need to leak a mount in the current mount namespace.

Closes: containers#1383
Closes: https://issues.redhat.com/browse/RHEL-67558

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
  • Loading branch information
giuseppe committed Nov 15, 2024
1 parent 01830cb commit e29348b
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 1 deletion.
19 changes: 19 additions & 0 deletions src/libcrun/cloned_binary.c
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@
#include <sys/syscall.h>

#include "utils.h"
#include "linux.h"

/* Use our own wrapper for memfd_create. */
#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
Expand Down Expand Up @@ -366,6 +367,17 @@ static int seal_execfd(int *fd, int fdtype)
return -1;
}

static int try_bindfd_mount_api(void)
{
libcrun_error_t err;
int mountfd = get_bind_mount (-1, "/proc/self/exe", false, true, &err);
if (mountfd < 0) {
crun_error_release (&err);
return -1;
}
return mountfd;
}

static int try_bindfd(void)
{
mode_t mask;
Expand Down Expand Up @@ -464,6 +476,13 @@ static int clone_binary(void)
* Before we resort to copying, let's try creating an ro-binfd in one shot
* by getting a handle for a read-only bind-mount of the execfd.
*/
execfd = try_bindfd_mount_api();
if (execfd >= 0) {
/* Transfer ownership to caller */
int ret_execfd = execfd;
execfd = -1;
return ret_execfd;
}
execfd = try_bindfd();
if (execfd >= 0) {
/* Transfer ownership to caller */
Expand Down
2 changes: 1 addition & 1 deletion src/libcrun/linux.c
Original file line number Diff line number Diff line change
Expand Up @@ -430,7 +430,7 @@ do_mount_setattr (const char *target, int targetfd, uint64_t clear, uint64_t set
return 0;
}

static int
int
get_bind_mount (int dirfd, const char *src, bool recursive, bool rdonly, libcrun_error_t *err)
{
cleanup_close int open_tree_fd = -1;
Expand Down
2 changes: 2 additions & 0 deletions src/libcrun/linux.h
Original file line number Diff line number Diff line change
Expand Up @@ -147,4 +147,6 @@ int libcrun_update_intel_rdt (const char *ctr_name, libcrun_container_t *contain

int libcrun_safe_chdir (const char *path, libcrun_error_t *err);

int get_bind_mount (int dirfd, const char *src, bool recursive, bool rdonly, libcrun_error_t *err);

#endif

0 comments on commit e29348b

Please sign in to comment.