runsc:gofer: don't mount a new proc instance

If the existing proc instance has over-mounted areas, it can be impossible to mount a new /proc instance (look at SB_I_USERNS_VISIBLE for more details). Actually, runsc-gofer needs /proc just to open /proc/self/fd and to read a few generic files, so it doesn't need a proc instance of the target pid namespace. Fixes google#8205
avagin · Feb 20, 2024 · 805fb9b · 805fb9b
1 parent 1e741ec
commit 805fb9b
Showing 1 changed file with 16 additions and 11 deletions.
diff --git a/runsc/cmd/gofer.go b/runsc/cmd/gofer.go
@@ -383,24 +383,29 @@ func (g *Gofer) setupRootFS(spec *specs.Spec, conf *config.Config) error {
 		// We need a directory to construct a new root and we know that
 		// runsc can't start without /proc, so we can use it for this.
 		flags := uintptr(unix.MS_NOSUID | unix.MS_NODEV | unix.MS_NOEXEC)
-		if err := specutils.SafeMount("runsc-root", "/proc", "tmpfs", flags, "", procPath); err != nil {
+		if err := specutils.SafeMount("runsc-root", "/proc/fs", "tmpfs", flags, "", procPath); err != nil {
 			util.Fatalf("error mounting tmpfs: %v", err)
 		}
-
+		if err := unix.Mount("", "/proc/fs", "", unix.MS_UNBINDABLE, ""); err != nil {
+			util.Fatalf("error setting MS_UNBINDABLE")
+		}
 		// Prepare tree structure for pivot_root(2).
-		if err := os.Mkdir("/proc/proc", 0755); err != nil {
-			util.Fatalf("error creating /proc/proc: %v", err)
+		if err := os.Mkdir("/proc/fs/proc", 0755); err != nil {
+			util.Fatalf("error creating /proc/fs/proc: %v", err)
 		}
-		if err := os.Mkdir("/proc/root", 0755); err != nil {
-			util.Fatalf("error creating /proc/root: %v", err)
+		if err := os.Mkdir("/proc/fs/root", 0755); err != nil {
+			util.Fatalf("error creating /proc/fs/root: %v", err)
 		}
-		if err := os.Mkdir("/proc/etc", 0755); err != nil {
-			util.Fatalf("error creating /proc/etc: %v", err)
+		if err := os.Mkdir("/proc/fs/etc", 0755); err != nil {
+			util.Fatalf("error creating /proc/fs/etc: %v", err)
 		}
 		// This cannot use SafeMount because there's no available procfs. But we
-		// know that /proc is an empty tmpfs mount, so this is safe.
-		if err := unix.Mount("runsc-proc", "/proc/proc", "proc", flags|unix.MS_RDONLY, ""); err != nil {
-			util.Fatalf("error mounting proc: %v", err)
+		// know that /proc/fs is an empty tmpfs mount, so this is safe.
+		if err := unix.Mount("/proc", "/proc/fs/proc", "", flags|unix.MS_RDONLY|unix.MS_BIND|unix.MS_REC, ""); err != nil {
+			util.Fatalf("error mounting /proc/fs/proc: %v", err)
+		}
+		if err := unix.Mount("/proc/fs", "/proc", "", unix.MS_MOVE, ""); err != nil {
+			util.Fatalf("error mounting /proc: %v", err)
 		}
 		// self/fd is bind-mounted, so that the FD return by
 		// OpenProcSelfFD() does not allow escapes with walking ".." .