RE: CLONE_NEWNS and bind mounts to make "chroot" jail
From: Bodo Eggert
Date: Mon Mar 03 2008 - 10:54:31 EST
Leibowitz, Michael <michael.leibowitz@xxxxxxxxx> wrote:
> If I understand correctly, the following should accomplish what I'm
> looking for. However, pivot_root gives me EBUSY. I played around with
> moving the mount --bind /jail /jail to before the unshared, as well as
> making old_root a bind mount to itself. However, pivot_root always
> seems to fail. Is there something obvious that I'm doing wrong? The
> following is my test code (error checking has been removed for clarity,
> except for pivot_root).
>
> char *newargv[]= { "sh", NULL };
>
> chdir("/jail");
> unshare(CLONE_NEWNS));
> mount("/jail", "/jail", NULL, MS_BIND, NULL));
> mount("/bin", "bin", NULL, MS_BIND, NULL));
> mount("/usr", "usr", NULL, MS_BIND, NULL));
> mount("/lib", "lib", NULL, MS_BIND, NULL));
> if (pivot_root(".", "old_root")) perror("pivot_root . old_root");
> exec("./bash-static"); /* copied to /jail prior to running */
This works for me:
#include <sys/mount.h>
#include <unistd.h>
#define _GNU_SOURCE
#include <sched.h>
#define MNT_DETACH 2 /* Detach from tree only */
int main()
{
unshare(CLONE_NEWNS);
mount("jail", "jail", NULL, MS_BIND, NULL);
mount("/bin", "jail/bin", NULL, MS_BIND, NULL);
mount("/usr", "jail/usr", NULL, MS_BIND, NULL);
mount("/lib", "jail/lib", NULL, MS_BIND, NULL);
/* abuse bin as the temporary old root directory */
if (pivot_root("jail", "jail/bin"))
perror("pivot_root");
chdir("/");
umount2("bin", MNT_DETACH);
execl("./sash", NULL); /* copied to /jail prior to running */
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/