Don't mount over / if pivot_root_only is enabled
authorStephen Röttger <stephen.roettger@gmail.com>
Sun, 25 Sep 2016 13:48:58 +0000 (15:48 +0200)
committerStephen Röttger <sroettger@google.com>
Fri, 30 Sep 2016 14:30:59 +0000 (16:30 +0200)
The intention behind pivot_root_only is to support nested user
namespaces. However, if we bind mount over /, which happens by default,
the kernel will deny CLONE_NEWUSER.

mount.c

diff --git a/mount.c b/mount.c
index d719e6675b57e589b63948bdf56c32b5453c2ba6..2915332896f5082e43b6ae6d0441885b75f21a40 100644 (file)
--- a/mount.c
+++ b/mount.c
@@ -203,6 +203,12 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
 
        struct mounts_t *p;
        TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
+               // The intention behind pivot_root_only is to allow creating
+               // nested usernamespaces. If we bind mount over /, the kernel
+               // will see the process as chrooted and deny CLONE_NEWUSER.
+               if (nsjconf->pivot_root_only && strcmp(p->dst, "/") == 0) {
+                       continue;
+               }
                char dst[PATH_MAX];
                snprintf(dst, sizeof(dst), "%s/%s", newrootdir, p->dst);
                if (mountMount(nsjconf, p, "/old_root", dst) == false) {
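Review bot: The new `continue` at L24 drops a mount entry the operator explicitly configured without any trace, so a jail whose root was expected to be populated by that entry will silently run with whatever the original root is; a debug-level log line in the skipped branch, e.g. `LOG_D("Skipping mount over '%s' because pivot_root_only is set", p->dst);` (assuming the project's usual LOG_* macros are available in mount.c), would make that visible when auditing a misbehaving configuration. The `strcmp(p->dst, "/") == 0` test at L23 is also an exact match, so if a destination can reach this loop un-normalized (`//`, `/.`) it would still be mounted over the root and re-trigger the CLONE_NEWUSER denial the commit is trying to avoid; comparing against a normalized form of the destination, or rejecting such spellings at config-parse time, would close that gap. mountInitNsInternal begins and ends outside this hunk.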