rootfs: always pivot_root(2) and treat --no-pivot as a fallback

Despite the hardenings we've added to the MS_MOVE+chroot dance over the years like commit 28a697c ("rootfs: umount all procfs and sysfs with --no-pivot"), --no-pivot is fundamentally insecure and the primary reason why people use it (to run containers from initramfs) can now be done safely with pivot_root(2). So we should always try to pivot_root(2) and give a warning to the user that their configuration is insecure if we have to use the --no-pivot fallback (users should not see this message in practice, because the primary users that couldn't use pivot_root(2) now can and will transparently use it if possible). Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
opencontainers · Oct 10, 2024 · 948a7d9 · 948a7d9
1 parent 16b45c8
commit 948a7d9
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -202,10 +202,19 @@ func prepareRootfs(pipe *syncSocket, iConfig *initConfig) (err error) {
 		return err
 	}
 
-	if config.NoPivotRoot {
-		err = msMoveRoot(config.Rootfs)
-	} else if config.Namespaces.Contains(configs.NEWNS) {
+	if config.Namespaces.Contains(configs.NEWNS) {
 		err = pivotRoot(config.Rootfs)
+		if config.NoPivotRoot {
+			logrus.Warnf("--no-pivot is deprecated and may be removed or silently ignored in a future version of runc -- see <TODO> for more details")
+			if err != nil {
+				// Always try to do pivot_root(2) because it's safe, and only fallback
+				// to the unsafe MS_MOVE+chroot(2) dance if pivot_root(2) fails.
+				logrus.Warnf("your container failed to start with pivot_root(2) (%v) -- please open a bug report to let us know about your usecase", err)
+				err = msMoveRoot(config.Rootfs)
+			} else {
+				logrus.Warnf("despite setting --no-pivot, this container successfully started using pivot_root(2) -- consider removing the --no-pivot flag")
+			}
+		}
 	} else {
 		err = chroot()
 	}