Don't use unshare(CLONE_FS) when not multithreaded

See coreos/coreos-assembler#3428 (comment) In `--sandbox none` scenarios, the calling process is already in an isolated container, and we may not be capable of invoking `unshare` again. Signed-off-by: Colin Walters <[email protected]>
arighi · May 2, 2023 · 6f6319a · 6f6319a
1 parent ca1d808
commit 6f6319a
Showing 1 changed file with 11 additions and 11 deletions.
diff --git a/src/main.rs b/src/main.rs
@@ -125,18 +125,18 @@ impl<F: FileSystem + Send + Sync + 'static> Clone for VhostUserFsThread<F> {
 
 impl<F: FileSystem + Send + Sync + 'static> VhostUserFsThread<F> {
     fn new(fs: F, thread_pool_size: usize) -> Result<Self> {
-        // Test that unshare(CLONE_FS) works, it will be called for each thread.
-        // It's an unprivileged system call but some Docker/Moby versions are
-        // known to reject it via seccomp when CAP_SYS_ADMIN is not given.
-        //
-        // Note that the program is single-threaded here so this syscall has no
-        // visible effect and is safe to make.
-        let ret = unsafe { libc::unshare(libc::CLONE_FS) };
-        if ret == -1 {
-            return Err(Error::UnshareCloneFs(std::io::Error::last_os_error()));
-        }
-
         let pool = if thread_pool_size > 0 {
+            // Test that unshare(CLONE_FS) works, it will be called for each thread.
+            // It's an unprivileged system call but some Docker/Moby versions are
+            // known to reject it via seccomp when CAP_SYS_ADMIN is not given.
+            //
+            // Note that the program is single-threaded here so this syscall has no
+            // visible effect and is safe to make.
+            let ret = unsafe { libc::unshare(libc::CLONE_FS) };
+            if ret == -1 {
+                return Err(Error::UnshareCloneFs(std::io::Error::last_os_error()));
+            }
+
             Some(
                 ThreadPoolBuilder::new()
                     .after_start(|_| {