author | Matthias Schiffer <mschiffer@universe-factory.net> | 2021-10-20 19:37:28 +0200 |
---|---|---|
committer | Matthias Schiffer <mschiffer@universe-factory.net> | 2021-10-20 22:39:21 +0200 |
commit | eacb142b31ebbe5d493b27a5305d8edddb5a8f51 (patch) | |
tree | c2e1d82c37420fe1bf199efe26e196283784dd39 | |
parent | 1abff00386b5d30f27899810799ace7eb4fb12c0 (diff) | |
container: bind mount rootfs onto itself
Required to pivot_root() into the rootfs. While we're at it, also make
it read-only to prevent accidental changes.
-rw-r--r-- | src/runner/container/init.rs | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/runner/container/init.rs b/src/runner/container/init.rs
index b489e73..68091b6 100644
--- a/src/runner/container/init.rs
+++ b/src/runner/container/init.rs
@@ -13,6 +13,9 @@ fn prepare_rootfs(rootfs: &str) -> Result<()> {
     tar::unpack(File::open(paths::ROOTFS_ARCHIVE)?, rootfs)
         .context("Unpacking build container rootfs failed")?;
 
+    mount::mount::<_, _, str, str>(Some(rootfs), rootfs, None, MsFlags::MS_BIND, None)
+        .context("Failed to bind mount container rootfs")?;
+
     for dir in IntoIterator::into_iter(["pts", "shm", "mqueue"]) {
         fs::mkdir(paths::join(&[rootfs, "dev", dir]))?;
     }
@@ -37,6 +40,15 @@ fn prepare_rootfs(rootfs: &str) -> Result<()> {
         .with_context(|| format!("Failed to bind mount {}", source))?;
     }
 
+    mount::mount::<str, _, str, str>(
+        None,
+        rootfs,
+        None,
+        MsFlags::MS_REMOUNT | MsFlags::MS_BIND | MsFlags::MS_RDONLY,
+        None,
+    )
+    .context("Failed to mount container rootfs read-only")?;
+
     Ok(())
 }
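Review bot: The self-bind mount is created with `MsFlags::MS_BIND` alone, which gives pivot_root() a mount point but does nothing about mount propagation; pivot_root(2) fails with EINVAL when the parent mount of the new root is MS_SHARED, which is the default propagation on systemd hosts. Unless the mount namespace has already been made private elsewhere in this file (not visible in the hunk), the bind should be followed by `mount::mount::<str, _, str, str>(None, rootfs, None, MsFlags::MS_PRIVATE, None)` or preceded by a recursive `MS_REC | MS_PRIVATE` on `/`. Either way a comment stating the pivot_root precondition this mount satisfies would help, e.g. `// pivot_root() requires the new root to be a mount point; bind the rootfs onto itself`. prepare_rootfs continues beyond this hunk.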
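Review bot: The read-only remount passes only `MS_RDONLY` as the per-mount flag set, and a `MS_REMOUNT | MS_BIND` remount replaces that set rather than adding to it — any nosuid/nodev/noexec the bind mount inherited from the filesystem the rootfs was unpacked on is silently cleared here (inside a user namespace the kernel would instead refuse with EPERM because those flags are locked). For a build container whose stated goal is integrity, consider `MsFlags::MS_REMOUNT | MsFlags::MS_BIND | MsFlags::MS_RDONLY | MsFlags::MS_NOSUID | MsFlags::MS_NODEV` if nothing in the rootfs needs setuid binaries or device nodes, or re-read the current flags before remounting. Also worth a comment that the remount is non-recursive, so the bind mounts set up in the loop above this hunk and the dev/pts, shm and mqueue submounts keep their own writable flags — presumably intended, but a reader of "make it read-only" may assume otherwise.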