From 809e221d565d78c67be2fb3c78c0691a1cab1087 Mon Sep 17 00:00:00 2001
From: Dan Nicholson
Date: Wed, 4 Jan 2017 17:04:34 -0600
Subject: [PATCH] Handle pivot_root in image and split chroot hooks

Bubblewrap uses pivot_root to provide a clean enviroment for its sandbox. Unfortunately, pivot_root requires that current root mount and its parent mount are not shared mounts, which they are by default when making new mounts. To accomplish that, make the chroot root mount private and then bind mount the chroot on top of itself. This will guarantee that both conditions are satisfied. See https://github.com/projectatomic/bubblewrap/issues/135 for details and the workaround suggested in https://gist.github.com/jlebon/fb6e7c6dcc3ce17d3e2a86f5938ec033. https://phabricator.endlessm.com/T14860
---
 helpers/split-image | 17 +++++++++++++++++
 stages/eib_image | 16 ++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/helpers/split-image b/helpers/split-image
index 39f590d5..d1fdf3e4 100755
--- a/helpers/split-image
+++ b/helpers/split-image
@@ -184,6 +184,23 @@ split_image() {
 # mount as a slave.
 eib_mount --bind "${OSTREE_DEPLOYMENT}" "${OSTREE_DEPLOYMENT}"
 
+# Mark the hook root mount private. This has 2 benefits:
+#
+# 1. Any mounts placed under it will not leak out to the parent mount.
+# That keeps aliased mounts from showing up elsewhere in the
+# system.
+#
+# 2. Bubblewrap uses pivot_root, which requires that the old root is
+# not a shared mount.
+mount --make-private "${OSTREE_DEPLOYMENT}"
+
+# Finally, pivot_root also requires that the parent of the old root is
+# not a shared mount. Bind mount the hook root over itself again so
+# the parent is the above private mount.
+#
+# See https://github.com/projectatomic/bubblewrap/issues/135.
+eib_mount --bind "${OSTREE_DEPLOYMENT}" "${OSTREE_DEPLOYMENT}"
+
 # Bind mount the ostree /var into the current deployment so it
 # resembles the booted system.
 eib_mount --bind "${OSTREE_VAR}" "${OSTREE_DEPLOYMENT}"/var
diff --git a/stages/eib_image b/stages/eib_image
index 94aabda1..42bc2009 100755
--- a/stages/eib_image
+++ b/stages/eib_image
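Review bot: `mount --make-private "${OSTREE_DEPLOYMENT}"` is the one mount operation in this hunk that bypasses the `eib_mount` wrapper used for every other mount, so whatever eib_mount provides (error reporting, mount bookkeeping — not visible here) does not apply to it, and a silent failure would only surface later as an opaque pivot_root error from bwrap. Unless the script already runs under `set -e`, give it an explicit check, e.g. `mount --make-private "${OSTREE_DEPLOYMENT}" || { echo "failed to make ${OSTREE_DEPLOYMENT} private" >&2; exit 1; }`, and consider confirming the resulting state with a `findmnt -o PROPAGATION` query on the deployment path before any hook runs. The same block is duplicated verbatim in the stages/eib_image hunk; since the ordering (bind, make-private, bind again) is exactly what makes the non-shared guarantee hold, a shared helper alongside eib_mount would keep the two copies from drifting apart. split_image's body starts and ends outside this hunk.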
@@ -454,6 +454,22 @@ echo "Create image for personality ${EIB_PERSONALITY}"
 # as a slave.
 eib_mount --bind "${OSTREE_DEPLOYMENT}" "${OSTREE_DEPLOYMENT}"
 
+# Mark the hook root mount private. This has 2 benefits:
+#
+# 1. Any mounts placed under it will not leak out to the parent mount.
+# That keeps aliased mounts from showing up elsewhere in the system.
+#
+# 2. Bubblewrap uses pivot_root, which requires that the old root is not
+# a shared mount.
+mount --make-private "${OSTREE_DEPLOYMENT}"
+
+# Finally, pivot_root also requires that the parent of the old root is
+# not a shared mount. Bind mount the hook root over itself again so the
+# parent is the above private mount.
+#
+# See https://github.com/projectatomic/bubblewrap/issues/135.
+eib_mount --bind "${OSTREE_DEPLOYMENT}" "${OSTREE_DEPLOYMENT}"
+
 # Mount kernel filesystems into deployment for image hooks
 eib_mount -t sysfs sysfs "${OSTREE_DEPLOYMENT}"/sys
 eib_mount -t proc proc "${OSTREE_DEPLOYMENT}"/proc