On Thu, Sep 05, 2013 at 02:47:25PM -0700, Eric W. Biederman wrote:
[..]
>> An important detail to look at is mount propagation, especially on
>> fedora. You need to make all of your mounts private to make certain
>> mounts don't propogate out and possibly take some defensive measures
>> to keep mounts or umounts from propogating in. Remount /proc
>> and /sys should be enough to defend against that but it is worth
>> thinking about.
>
> Hi Eric,
>
> I do make /sbin/kexec's mount namespace private recursively so that no
> mount events are propagated in/out.
>
> + * make root private so that no mount event from previous
> namespace
> + * are propogated
> + */
> + ret = mount("", "/", "", MS_REC | MS_PRIVATE,
"");
> + if (ret == -1) {
> + fprintf(stderr, "mount(MS_REC|MS_PRIVATE) failed:%s\n",
> + strerror(errno));
> + return -1;
> + }
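Review bot: the comment at the top of the hunk misspells "propagated" as "propogated" and would read better as "so that no mount events from the previous namespace are propagated"; the mount("", "/", "", MS_REC | MS_PRIVATE, "") call itself is fine, since mount(2) ignores the source, filesystemtype and data arguments for a propagation-type change, and the error path reports strerror(errno) before returning -1. It would help a later reader if the comment also said that MS_PRIVATE stops propagation in both directions (the mount no longer belongs to any peer group), which is the reason this single recursive call is sufficient rather than needing separate inbound and outbound handling.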
> That prevents transmission but my previous read of the code says you
> will still receive mount changes, for mount points the parent shares.
> Which are all of them in the world of systemd, last I heard.
Hi Eric,
I think I am not understanding something very basic. I am not sure what
you mean by "still receive mount changes for mount points the parent shares".
I tried the following.
- Open a terminal
- mkdir /tmp/kexec-proc
- mount -t proc none /tmp/kexec-proc
- Now open another terminal and launch a bash shell with separate mount
namespace
unshare -m bash
- In the new bash shell I can see that proc is mounted on /tmp/kexec-proc
- In the new bash shell, make / private recursively.
mount --make-rprivate /
- Now in original bash shell unmount /tmp/kexec-proc
- I go back to the new bash and there /tmp/kexec-proc is still mounted. So
changes to the original mount namespace did not reflect in this new one. I
am assuming the same will happen when systemd does some changes to the initial
mount namespace and they should not be visible in the /sbin/kexec mount
namespace.
Looks like I am entirely missing the point you are making. Can you please
elaborate a bit?
Thanks
Vivek
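The manual experiment above can be turned into a self-check that a program can run on itself after it has set up its namespace. The following C program is an added example and is not code from the kexec-tools patch or from either author: it enters a new mount namespace and makes every mount private with the same mount(2) call the quoted hunk uses, then reads /proc/self/mountinfo and counts mounts that still carry a peer-group tag (shared:, master:, propagate_from: or unbindable in the optional-fields column). The function and file names are assumptions made here; the namespace step needs CAP_SYS_ADMIN, while the mountinfo parser works on any input and is exercised on constructed sample lines.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Classify one /proc/self/mountinfo line by its propagation tags.
 * Layout: "id parent major:minor root mountpoint opts [optional...] - fstype src superopts".
 * Returns 1 if the mount is private (no optional propagation field),
 * 0 if it carries shared:/master:/propagate_from:/unbindable,
 * -1 if the line is malformed. */
int mountinfo_line_is_private(const char *line)
{
    const char *sep = strstr(line, " - ");
    if (!sep)
        return -1;

    /* Skip the six mandatory fields that precede the optional ones. */
    const char *p = line;
    for (int i = 0; i < 6; i++) {
        p = strchr(p, ' ');
        if (!p || p > sep)
            return -1;
        p++;
    }
    if (p > sep)            /* nothing between field 6 and " - ": no tags at all */
        return 1;

    char buf[256];
    size_t len = (size_t)(sep - p);
    if (len >= sizeof buf)
        return -1;
    memcpy(buf, p, len);
    buf[len] = '\0';

    if (strstr(buf, "shared:") || strstr(buf, "master:") ||
        strstr(buf, "propagate_from:") || strstr(buf, "unbindable"))
        return 0;
    return 1;
}

/* Enter a fresh mount namespace and make every mount in it private, using
 * the same call as the quoted patch. Needs CAP_SYS_ADMIN (assumption: caller
 * is root). Returns 0 on success, -1 with errno set on failure. */
int enter_private_mount_ns(void)
{
    if (unshare(CLONE_NEWNS) == -1)
        return -1;
    if (mount("", "/", "", MS_REC | MS_PRIVATE, "") == -1)
        return -1;
    return 0;
}

/* Count mounts in the caller's namespace that still belong to a peer group.
 * After enter_private_mount_ns() this should be 0. Returns -1 if
 * /proc/self/mountinfo cannot be read. */
int count_shared_mounts(void)
{
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f)
        return -1;
    char line[1024];
    int shared = 0;
    while (fgets(line, sizeof line, f))
        if (mountinfo_line_is_private(line) == 0)
            shared++;
    fclose(f);
    return shared;
}

int main(void)
{
    int before = count_shared_mounts();
    if (enter_private_mount_ns() == -1) {
        fprintf(stderr, "enter_private_mount_ns: %s\n", strerror(errno));
        return 1;
    }
    int after = count_shared_mounts();
    printf("shared/slave mounts before: %d, after MS_REC|MS_PRIVATE: %d\n",
           before, after);
    return after == 0 ? 0 : 1;
}
```

Run as root: on a systemd host the "before" count is normally nonzero because systemd makes / shared at boot, and the "after" count should be 0, which is the condition that makes the unmount in the original shell invisible to the unshared one.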