linux: attempt to make rootfs private too

commit 6682432 introduced the regression. After that change, crun does not attempt anymore to make the rootfs directory private but starts from its parent directory, causing pivot_root to fail when the rootfs itself is a mountpoint. Closes: containers#1514 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
giuseppe · Aug 12, 2024 · 26539c6 · 26539c6
1 parent 4346558
commit 26539c6
Showing 1 changed file with 7 additions and 6 deletions.
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -2565,20 +2565,21 @@ make_parent_mount_private (const char *rootfs, libcrun_error_t *err)
     {
       int ret;
       errno = 0;
-      cleanup_close int parentfd = openat (rootfsfd, "..", O_PATH | O_CLOEXEC);
+      cleanup_close int parentfd = -1;
 
+      get_proc_self_fd_path (proc_path, rootfsfd);
+      ret = mount (NULL, proc_path, NULL, MS_PRIVATE, NULL);
+      if (ret == 0)
+        return 0;
+
+      parentfd = openat (rootfsfd, "..", O_PATH | O_CLOEXEC);
       if (parentfd < 0)
         {
           ret = faccessat (rootfsfd, "..", X_OK, AT_EACCESS);
           if (ret != 0)
             return crun_make_error (err, EACCES, "make `%s` private: a component is not accessible", rootfs);
         }
 
-      get_proc_self_fd_path (proc_path, parentfd);
-      ret = mount (NULL, proc_path, NULL, MS_PRIVATE, NULL);
-      if (ret == 0)
-        return 0;
-
       close_and_reset (&rootfsfd);
       rootfsfd = get_and_reset (&parentfd);
     }