linux: attempt to make rootfs private too

commit 6682432 introduced the regression. After that change, crun does not attempt anymore to make the rootfs directory private but starts from its parent directory, causing pivot_root to fail when the rootfs itself is a mountpoint. Closes: #1514 Signed-off-by: Giuseppe Scrivano <[email protected]>
containers · Aug 13, 2024 · c6ecb3b · c6ecb3b
1 parent 109f1e9
commit c6ecb3b
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -2565,20 +2565,21 @@ make_parent_mount_private (const char *rootfs, libcrun_error_t *err)
     {
       int ret;
       errno = 0;
-      cleanup_close int parentfd = openat (rootfsfd, "..", O_PATH | O_CLOEXEC);
+      cleanup_close int parentfd = -1;
 
+      get_proc_self_fd_path (proc_path, rootfsfd);
+      ret = mount (NULL, proc_path, NULL, MS_PRIVATE, NULL);
+      if (ret == 0)
+        return 0;
+
+      parentfd = openat (rootfsfd, "..", O_PATH | O_CLOEXEC);
       if (parentfd < 0)
         {
           ret = faccessat (rootfsfd, "..", X_OK, AT_EACCESS);
           if (ret != 0)
             return crun_make_error (err, EACCES, "make `%s` private: a component is not accessible", rootfs);
         }
 
-      get_proc_self_fd_path (proc_path, parentfd);
-      ret = mount (NULL, proc_path, NULL, MS_PRIVATE, NULL);
-      if (ret == 0)
-        return 0;
-
       close_and_reset (&rootfsfd);
       rootfsfd = get_and_reset (&parentfd);
     }