From 28d2e4747af079c73af08708fa78522a9142de7d Mon Sep 17 00:00:00 2001
From: Aleksa Sarai
Date: Thu, 10 Oct 2024 11:09:06 +1100
Subject: [PATCH] rootfs: always pivot_root(2) and treat --no-pivot as a fallback

Despite the hardenings we've added to the MS_MOVE+chroot dance over the years like commit 28a697cce3e4 ("rootfs: umount all procfs and sysfs with --no-pivot"), --no-pivot is fundamentally insecure and the primary reason why people use it (to run containers from initramfs) can now be done safely with pivot_root(2).

So we should always try to pivot_root(2) and give a warning to the user that their configuration is insecure if we have to use the --no-pivot fallback (users should not see this message in practice, because the primary users that couldn't use pivot_root(2) now can and will transparently use it if possible).

Signed-off-by: Aleksa Sarai
---
 libcontainer/rootfs_linux.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 2881c0cede7..135c7bec373 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -202,10 +202,19 @@ func prepareRootfs(pipe *syncSocket, iConfig *initConfig) (err error) {
 return err
 }
 
- if config.NoPivotRoot {
- err = msMoveRoot(config.Rootfs)
- } else if config.Namespaces.Contains(configs.NEWNS) {
+ if config.Namespaces.Contains(configs.NEWNS) {
 err = pivotRoot(config.Rootfs)
+ if config.NoPivotRoot {
+ logrus.Warnf("--no-pivot is deprecated and may be removed or silently ignored in a future version of runc -- see for more details")
+ if err != nil {
+ // Always try to do pivot_root(2) because it's safe, and only fallback
+ // to the unsafe MS_MOVE+chroot(2) dance if pivot_root(2) fails.
+ logrus.Warnf("your container failed to start with pivot_root(2) (%v) -- please open a bug report to let us know about your usecase", err)
+ err = msMoveRoot(config.Rootfs)
+ } else {
+ logrus.Warnf("despite setting --no-pivot, this container successfully started using pivot_root(2) -- consider removing the --no-pivot flag")
+ }
+ }
 } else {
 err = chroot()
 }
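Review bot: The fallback branch under `if err != nil` logs the pivot_root(2) failure but never tells the operator that the container is now being set up with the MS_MOVE+chroot(2) path that the comment above it calls unsafe, so logs cannot distinguish containers running on the weaker rootfs setup. I would say so in the message, e.g. `logrus.Warnf("pivot_root(2) failed (%v) -- falling back to the insecure MS_MOVE+chroot(2) setup requested by --no-pivot; please open a bug report to let us know about your usecase", err)`. pivotRoot's body is outside this hunk: if it can return an error after the pivot_root(2) call itself has succeeded (for example from a later unmount step), msMoveRoot would run against an already-switched root, so it is worth confirming that the fallback only triggers when the syscall itself fails. The pivot_root error is also overwritten by `err = msMoveRoot(config.Rootfs)`, so a double failure returns only the second cause to the caller. prepareRootfs starts and ends outside the hunk.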