michael-dev@xxxxxxxxxxxxx writes:
> From: michael-dev <michael-dev@xxxxxxxxxxxxx>
>
> After unshare(...) is called, /proc/self/ns/pid does not change.
> Instead, only /proc/self/ns/pid_for_children is affected. So bind-mounting /proc/self/ns/pid results in the original namespace getting bind-mounted.
>
> Fix this by instead bind-mounting ns/pid_for_children.
Why all of the extra code motion and change?
Your description sounds like only the first hunk is necessary. Did
something else get mixed into this change? Or are all of the hunks
necessary?
Eric
> Signed-off-by: Michael Braun <michael-dev@xxxxxxxxxxxxx>
> ---
> sys-utils/unshare.c | 66 ++++++++++++++++++++++++++-------------------
> 1 file changed, 38 insertions(+), 28 deletions(-)
>
> diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
> index 8652ebdaf..c3ba18e32 100644
> --- a/sys-utils/unshare.c
> +++ b/sys-utils/unshare.c
> @@ -63,7 +63,7 @@ static struct namespace_file {
> { .type = CLONE_NEWIPC, .name = "ns/ipc" },
> { .type = CLONE_NEWUTS, .name = "ns/uts" },
> { .type = CLONE_NEWNET, .name = "ns/net" },
> - { .type = CLONE_NEWPID, .name = "ns/pid" },
> + { .type = CLONE_NEWPID, .name = "ns/pid_for_children" },
> { .type = CLONE_NEWNS, .name = "ns/mnt" },
> { .type = CLONE_NEWTIME, .name = "ns/time" },
> { .name = NULL }
> @@ -361,6 +361,7 @@ int main(int argc, char *argv[])
> const char *procmnt = NULL;
> const char *newroot = NULL;
> const char *newdir = NULL;
> + pid_t pid_bind = 0;
> pid_t pid = 0;
> int fds[2];
> int status;
> @@ -501,13 +502,37 @@ int main(int argc, char *argv[])
> "unsharing of a time namespace (-t)"));
>
> if (npersists && (unshare_flags & CLONE_NEWNS))
> - bind_ns_files_from_child(&pid, fds);
> + bind_ns_files_from_child(&pid_bind, fds);
>
> if (-1 == unshare(unshare_flags))
> err(EXIT_FAILURE, _("unshare failed"));
>
> - if (npersists) {
> - if (pid && (unshare_flags & CLONE_NEWNS)) {
> + if (force_boottime)
> + settime(boottime, CLOCK_BOOTTIME);
> +
> + if (force_monotonic)
> + settime(monotonic, CLOCK_MONOTONIC);
> +
> + if (forkit) {
> + // force child forking before mountspace binding
> + // so pid_for_children is populated
> + pid = fork();
> +
> + switch(pid) {
> + case -1:
> + err(EXIT_FAILURE, _("fork failed"));
> + case 0: /* child */
> + if (pid_bind && (unshare_flags & CLONE_NEWNS))
> + close(fds[1]);
> + break;
> + default: /* parent */
> + break;
> + }
> + }
> +
> + if (npersists && (pid || !forkit)) {
> + // run in parent
> + if (pid_bind && (unshare_flags & CLONE_NEWNS)) {
> int rc;
> char ch = PIPE_SYNC_BYTE;
>
> @@ -518,7 +543,7 @@ int main(int argc, char *argv[])
>
> /* wait for bind_ns_files_from_child() */
> do {
> - rc = waitpid(pid, &status, 0);
> + rc = waitpid(pid_bind, &status, 0);
> if (rc < 0) {
> if (errno == EINTR)
> continue;
> @@ -533,29 +558,14 @@ int main(int argc, char *argv[])
> bind_ns_files(getpid());
> }
>
> - if (force_boottime)
> - settime(boottime, CLOCK_BOOTTIME);
> -
> - if (force_monotonic)
> - settime(monotonic, CLOCK_MONOTONIC);
> -
> - if (forkit) {
> - pid = fork();
> -
> - switch(pid) {
> - case -1:
> - err(EXIT_FAILURE, _("fork failed"));
> - case 0: /* child */
> - break;
> - default: /* parent */
> - if (waitpid(pid, &status, 0) == -1)
> - err(EXIT_FAILURE, _("waitpid failed"));
> - if (WIFEXITED(status))
> - return WEXITSTATUS(status);
> - else if (WIFSIGNALED(status))
> - kill(getpid(), WTERMSIG(status));
> - err(EXIT_FAILURE, _("child exit failed"));
> - }
> + if (pid) {
> + if (waitpid(pid, &status, 0) == -1)
> + err(EXIT_FAILURE, _("waitpid failed"));
> + if (WIFEXITED(status))
> + return WEXITSTATUS(status);
> + else if (WIFSIGNALED(status))
> + kill(getpid(), WTERMSIG(status));
> + err(EXIT_FAILURE, _("child exit failed"));
> }
>
> if (kill_child_signo != 0 && prctl(PR_SET_PDEATHSIG, kill_child_signo) < 0)
