Issue 808710 link

Starred by 5 users

Issue metadata

Status:	Fixed
Owner:	chirantan@chromium.org
Closed:	Jun 2018
Cc:	chirantan@chromium.org smbar...@chromium.org dgreid@chromium.org
Components:	OS>Systems>Containers
EstimatedDays:	----
NextAction:	----
OS:	Chrome
Pri:	2
Type:	Bug
Proj-Containers Hotlist-Crostini-Platform

concierge: re-enable pivot root

Project Member Reported by smbar...@chromium.org, Feb 3 2018

Issue description

imageloader needs to be set up such that mounts can propagate in but not out (MS_SLAVE), while also not exposing the rest of /run.

/home access will be more difficult to do cleanly.

Comment 1 by smbar...@chromium.org, Feb 6 2018

Summary: concierge: re-enable pivot root (was: concierge: re-enable mount namespacing)

Original title isn't quite accurate since pid namespacing implies mount namespaces for minijail0. The thing that needs to be added back is the pivot root into a new empty root directory.

Comment 2 by tbuck...@chromium.org, Feb 13 2018

Components: OS>Systems>Containers

Comment 3 by tbuck...@chromium.org, May 9 2018

Labels: -Pri-3 Hotlist-Crostini-Platform Pri-2
Owner: chirantan@chromium.org
Status: Assigned (was: Untriaged)

Comment 4 by chirantan@chromium.org, Jun 12 2018

Status: Fixed (was: Assigned)

I'm not sure we ever stopped putting concierge into a pivot_root but in any case, the MS_SLAVE problem was handled in https://chromium-review.googlesource.com/c/chromiumos/platform2/+/986620

►

Issue 808710 link

Issue metadata

concierge: re-enable pivot root

Issue description

Comment 1 by smbar...@chromium.org, Feb 6 2018

Comment 1 Deleted

Comment 2 by tbuck...@chromium.org, Feb 13 2018

Comment 2 Deleted

Comment 3 by tbuck...@chromium.org, May 9 2018

Comment 3 Deleted

Comment 4 by chirantan@chromium.org, Jun 12 2018

Comment 4 Deleted

Sign in to add a comment