crun: drop --no-pivot

drop completely support for --no-pivot. It is just a workaround for running on ramdisk but it introduces security problems. For instance it is possible to create a new user namespace. mount a new proc file system and gain access to all the files that were previously masked. Signed-off-by: Giuseppe Scrivano <giuseppe@scrivano.org>
containers · Jan 11, 2019 · 31d1cf1 · 31d1cf1
1 parent a327fbb
commit 31d1cf1
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 54 deletions.
diff --git a/src/create.c b/src/create.c
@@ -34,8 +34,7 @@ enum
     OPTION_PID_FILE,
     OPTION_NO_SUBREAPER,
     OPTION_NO_NEW_KEYRING,
-    OPTION_PRESERVE_FDS,
-    OPTION_NO_PIVOT
+    OPTION_PRESERVE_FDS
   };
 
 static const char *bundle = NULL;
@@ -47,7 +46,6 @@ static struct argp_option options[] =
     {"bundle", 'b', 0, 0, "container bundle (default \".\")" },
     {"console-socket", OPTION_CONSOLE_SOCKET, "SOCKET", 0, "path to a socket that will receive the master end of the tty" },
     {"preserve-fds", OPTION_PRESERVE_FDS, 0, 0, "pass additional FDs to the container"},
-    {"no-pivot", OPTION_NO_PIVOT, 0, 0, "do not use pivot_root"},
     {"pid-file", OPTION_PID_FILE, "FILE", 0, "where to write the PID of the container"},
     {"no-subreaper", OPTION_NO_SUBREAPER, 0, 0, "do not create a subreaper process"},
     {"no-new-keyring", OPTION_NO_NEW_KEYRING, 0, 0, "keep the same session key"},
@@ -79,10 +77,6 @@ parse_opt (int key, char *arg, struct argp_state *state)
       crun_context.no_subreaper = true;
       break;
 
-    case OPTION_NO_PIVOT:
-      crun_context.no_pivot = true;
-      break;
-
     case OPTION_NO_NEW_KEYRING:
       crun_context.no_new_keyring = true;
       break;

diff --git a/src/libcrun/container.c b/src/libcrun/container.c
@@ -527,7 +527,7 @@ container_entrypoint_init (void *args, const char *notify_socket,
   if (UNLIKELY (ret < 0))
     return ret;
 
-  ret = libcrun_do_pivot_root (container, entrypoint_args->context->no_pivot, rootfs, err);
+  ret = libcrun_do_pivot_root (container, rootfs, err);
   if (UNLIKELY (ret < 0))
     return ret;
 

diff --git a/src/libcrun/container.h b/src/libcrun/container.h
@@ -40,7 +40,6 @@ struct libcrun_context_s
   bool detach;
   bool no_subreaper;
   bool no_new_keyring;
-  bool no_pivot;
 };
 
 enum

diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -936,48 +936,15 @@ libcrun_set_mounts (libcrun_container *container, const char *rootfs, libcrun_er
   return 0;
 }
 
-static int
-move_root (libcrun_container *container, const char *rootfs, libcrun_error_t *err)
-{
-  int ret;
-
-  ret = chdir (rootfs);
-  if (UNLIKELY (ret < 0))
-    return crun_make_error (err, errno, "chdir to '%s'", rootfs);
-
-  ret = mount (rootfs, "/", "", MS_MOVE, "");
-  if (UNLIKELY (ret < 0))
-    return crun_make_error (err, errno, "mount MS_MOVE to '/'");
-
-  ret = chroot (".");
-  if (UNLIKELY (ret < 0))
-    return crun_make_error (err, errno, "chroot to '%s'", rootfs);
-
-  ret = chdir ("/");
-  if (UNLIKELY (ret < 0))
-    return crun_make_error (err, errno, "chdir to '%s'", rootfs);
-
-  return 0;
-}
-
 int
-libcrun_do_pivot_root (libcrun_container *container, bool no_pivot, const char *rootfs, libcrun_error_t *err)
+libcrun_do_pivot_root (libcrun_container *container, const char *rootfs, libcrun_error_t *err)
 {
   int ret;
   if (get_private_data (container)->unshare_flags & CLONE_NEWNS)
     {
-      if (no_pivot)
-        {
-          ret = move_root (container, rootfs, err);
-          if (UNLIKELY (ret < 0))
-            return ret;
-        }
-      else
-        {
-          ret = do_pivot (container, rootfs, err);
-          if (UNLIKELY (ret < 0))
-            return ret;
-        }
+      ret = do_pivot (container, rootfs, err);
+      if (UNLIKELY (ret < 0))
+        return ret;
 
       ret = do_mount (container, "", "/", "", get_private_data (container)->rootfs_propagation, "", 0, err);
       if (UNLIKELY (ret < 0))

diff --git a/src/libcrun/linux.h b/src/libcrun/linux.h
@@ -39,7 +39,7 @@ pid_t libcrun_run_linux_container (libcrun_container *container,
                                    int *sync_socket_out,
                                    libcrun_error_t *err);
 int libcrun_set_mounts (libcrun_container *container, const char *rootfs, libcrun_error_t *err);
-int libcrun_do_pivot_root (libcrun_container *container, bool no_pivot, const char *rootfs, libcrun_error_t *err);
+int libcrun_do_pivot_root (libcrun_container *container, const char *rootfs, libcrun_error_t *err);
 int libcrun_set_usernamespace (libcrun_container *container, pid_t pid, libcrun_error_t *err);
 int libcrun_set_caps (oci_container_process_capabilities *capabilities, uid_t uid, gid_t gid, int no_new_privileges, libcrun_error_t *err);
 int libcrun_set_rlimits (oci_container_process_rlimits_element **rlimits, size_t len, libcrun_error_t *err);

diff --git a/src/run.c b/src/run.c
@@ -36,8 +36,7 @@ enum
     OPTION_PID_FILE,
     OPTION_NO_SUBREAPER,
     OPTION_NO_NEW_KEYRING,
-    OPTION_PRESERVE_FDS,
-    OPTION_NO_PIVOT
+    OPTION_PRESERVE_FDS
   };
 
 static const char *bundle = NULL;
@@ -53,7 +52,6 @@ static struct argp_option options[] =
     {"pid-file", OPTION_PID_FILE, "FILE", 0, "where to write the PID of the container"},
     {"no-subreaper", OPTION_NO_SUBREAPER, 0, 0, "do not create a subreaper process"},
     {"no-new-keyring", OPTION_NO_NEW_KEYRING, 0, 0, "keep the same session key"},
-    {"no-pivot", OPTION_NO_PIVOT, 0, 0, "do not use pivot_root"},
     { 0 }
   };
 
@@ -92,10 +90,6 @@ parse_opt (int key, char *arg, struct argp_state *state)
       crun_context.pid_file = argp_mandatory_argument (arg, state);
       break;
 
-    case OPTION_NO_PIVOT:
-      crun_context.no_pivot = true;
-      break;
-
     case ARGP_KEY_NO_ARGS:
       libcrun_fail_with_error (0, "please specify a ID for the container");