Handle pivot_root in image and split chroot hooks

Bubblewrap uses pivot_root to provide a clean enviroment for its sandbox. Unfortunately, pivot_root requires that current root mount and its parent mount are not shared mounts, which they are by default when making new mounts. To accomplish that, make the chroot root mount private and then bind mount the chroot on top of itself. This will guarantee that both conditions are satisfied. See containers/bubblewrap#135 for details and the workaround suggested in https://gist.github.com/jlebon/fb6e7c6dcc3ce17d3e2a86f5938ec033. https://phabricator.endlessm.com/T14860
endlessm · Jan 5, 2017 · 809e221 · 809e221
1 parent 2887877
commit 809e221
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/helpers/split-image b/helpers/split-image
@@ -184,6 +184,23 @@ split_image() {
   # mount as a slave.
   eib_mount --bind "${OSTREE_DEPLOYMENT}" "${OSTREE_DEPLOYMENT}"
 
+  # Mark the hook root mount private. This has 2 benefits:
+  #
+  # 1. Any mounts placed under it will not leak out to the parent mount.
+  #    That keeps aliased mounts from showing up elsewhere in the
+  #    system.
+  #
+  # 2. Bubblewrap uses pivot_root, which requires that the old root is
+  #    not a shared mount.
+  mount --make-private "${OSTREE_DEPLOYMENT}"
+
+  # Finally, pivot_root also requires that the parent of the old root is
+  # not a shared mount. Bind mount the hook root over itself again so
+  # the parent is the above private mount.
+  #
+  # See https://github.com/projectatomic/bubblewrap/issues/135.
+  eib_mount --bind "${OSTREE_DEPLOYMENT}" "${OSTREE_DEPLOYMENT}"
+
   # Bind mount the ostree /var into the current deployment so it
   # resembles the booted system.
   eib_mount --bind "${OSTREE_VAR}" "${OSTREE_DEPLOYMENT}"/var

diff --git a/stages/eib_image b/stages/eib_image
@@ -454,6 +454,22 @@ echo "Create image for personality ${EIB_PERSONALITY}"
 # as a slave.
 eib_mount --bind "${OSTREE_DEPLOYMENT}" "${OSTREE_DEPLOYMENT}"
 
+# Mark the hook root mount private. This has 2 benefits:
+#
+# 1. Any mounts placed under it will not leak out to the parent mount.
+#    That keeps aliased mounts from showing up elsewhere in the system.
+#
+# 2. Bubblewrap uses pivot_root, which requires that the old root is not
+#    a shared mount.
+mount --make-private "${OSTREE_DEPLOYMENT}"
+
+# Finally, pivot_root also requires that the parent of the old root is
+# not a shared mount. Bind mount the hook root over itself again so the
+# parent is the above private mount.
+#
+# See https://github.com/projectatomic/bubblewrap/issues/135.
+eib_mount --bind "${OSTREE_DEPLOYMENT}" "${OSTREE_DEPLOYMENT}"
+
 # Mount kernel filesystems into deployment for image hooks
 eib_mount -t sysfs sysfs "${OSTREE_DEPLOYMENT}"/sys
 eib_mount -t proc proc "${OSTREE_DEPLOYMENT}"/proc