rootfs: make pivot_root(2) dance handle initramfs case

While pivot_root(2) normally refuses to pivot a mount if you are running
with / as initramfs (because initramfs doesn't have a parent mount), you
can create a bind-mount of / and make that your new root to work around
this problem. This does use chroot(2), but this is only done temporarily
to set current->fs->root to the new mount. Once pivot_root(2) finishes,
the chroot(2) and / are gone.

Variants of this hack are fairly well known and is used all over the
place (see [1,2]) but until now we have forced users to have a far less
secure configuration with --no-pivot. This is a slightly modified
version that uses the container rootfs as the temporary spot for the /
clone -- this allows runc to continue working with read-only image-based
OS images.

[1]: containers/bubblewrap#592 (comment)
[2]: https://aconz2.github.io/2024/07/29/container-from-initramfs.html

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

Author: cyphar

libcontainer/rootfs_linux.go

@@ -1068,19 +1068,58 @@ func pivotRoot(rootfs string) error {
 	}
 	defer unix.Close(oldroot) //nolint: errcheck
 
-	newroot, err := unix.Open(rootfs, unix.O_DIRECTORY|unix.O_RDONLY, 0)
-	if err != nil {
-		return &os.PathError{Op: "open", Path: rootfs, Err: err}
-	}
-	defer unix.Close(newroot) //nolint: errcheck
-
 	// Change to the new root so that the pivot_root actually acts on it.
-	if err := unix.Fchdir(newroot); err != nil {
-		return &os.PathError{Op: "fchdir", Path: "fd " + strconv.Itoa(newroot), Err: err}
+	if err := os.Chdir(rootfs); err != nil {
+		return err
 	}
 
-	if err := unix.PivotRoot(".", "."); err != nil {
-		return &os.PathError{Op: "pivot_root", Path: ".", Err: err}
+	pivotErr := unix.PivotRoot(".", ".")
+	if errors.Is(pivotErr, unix.EINVAL) {
+		// If pivot_root(2) failed with -EINVAL, one of the possible reasons is
+		// that we are in early boot and trying pivot_root on top of the
+		// initramfs (which isn't allowed because initramfs/rootfs doesn't have
+		// a parent mount).
+		//
+		// Traditionally, users were told to pass --no-pivot-root (which used a
+		// chroot instead) but this is very insecure (even with the hardenings
+		// we've put into our chroot() wrapper).
+		//
+		// A much better solution is to create a bind-mount clone of / (which
+		// would have a parent) and then chroot into that clone so that we are
+		// properly rooted within a mount that has a parent mount. Then we can
+		// retry the pivot_root().
+
+		// Clone / on top of . to create a version of / that has a parent and
+		// so can be pivot-rooted.
+		if err := unix.Mount("/", ".", "", unix.MS_BIND|unix.MS_REC, ""); err != nil {
+			err := &os.PathError{Op: "make clone of / mount", Path: rootfs, Err: err}
+			return fmt.Errorf("error during fallback for failed pivot_root (%w): %w", pivotErr, err)
+		}
+		// Switch to the cloned mount. We have to use the full path here
+		// because we need to get the kernel to move us into the new mount
+		// (chdir(".") will keep us in the old non-cloned / mount).
+		if err := os.Chdir(rootfs); err != nil {
+			return fmt.Errorf("error during fallback for failed pivot_root (%w): switch to cloned mount: %w", pivotErr, err)
+		}
+		// Move the cloned mount to /.
+		if err := unix.Mount(".", "/", "", unix.MS_MOVE, ""); err != nil {
+			err := &os.PathError{Op: "move / clone mount to /", Path: rootfs, Err: err}
+			return fmt.Errorf("error during fallback for failed pivot_root (%w): %w", pivotErr, err)
+		}
+		// Update current->fs->root to be the cloned / (to be pivot_root'd).
+		if err := unix.Chroot("."); err != nil {
+			err := &os.PathError{Op: "chroot into cloned /", Path: rootfs, Err: err}
+			return fmt.Errorf("error during fallback for failed pivot_root (%w): %w", pivotErr, err)
+		}
+
+		// Go back to the container rootfs and retry pivot_root.
+		if err := os.Chdir(rootfs); err != nil {
+			return fmt.Errorf("error during fallback for failed pivot_root (%w): %w", pivotErr, err)
+		}
+		pivotErr = unix.PivotRoot(".", ".")
+	}
+	if pivotErr != nil {
+		return &os.PathError{Op: "pivot_root", Path: rootfs, Err: pivotErr}
 	}
 
 	// Currently our "." is oldroot (according to the current kernel code).