libnetwork/rootlessnetns: make mountns tree private
While this is normally a non-issue, because we run in an unprivileged
userns we cannot modify the host mounts in any way. However, in cases
where the rootless netns logic might be executed from a non-userns
context we might change the mount tree if the mounts are shared, which is
the systemd default. While this should never happen, let's make sure we
never mess up the system by accident in case there are more bugs, and
explicitly make our mount tree private.

Signed-off-by: Paul Holzinger <[email protected]>
Luap99 committed Apr 2, 2024
1 parent ae37276 commit 5bc4328
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion libnetwork/internal/rootlessnetns/netns_linux.go
Expand Up @@ -315,14 +315,21 @@ func (n *Netns) setupMounts() error {
return wrapError("create new mount namespace", err)
}

// Ensure we mount private in our mountns to prevent accidentally
// overwriting host mounts in case the default is shared.
err = unix.Mount("", "/", "", unix.MS_PRIVATE|unix.MS_REC, "")
if err != nil {
return wrapError("make tree private in new mount namespace", err)
}

xdgRuntimeDir, err := homedir.GetRuntimeDir()
if err != nil {
return fmt.Errorf("could not get runtime directory: %w", err)
}
newXDGRuntimeDir := n.getPath(xdgRuntimeDir)
// 1. Mount the netns into the new run to keep them accessible.
// Otherwise cni setup will fail because it cannot access the netns files.
err = mountAndMkdirDest(xdgRuntimeDir, newXDGRuntimeDir, none, unix.MS_BIND|unix.MS_SHARED|unix.MS_REC)
err = mountAndMkdirDest(xdgRuntimeDir, newXDGRuntimeDir, none, unix.MS_BIND|unix.MS_REC)
if err != nil {
return err
}
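Review bot: dropping MS_SHARED from the bind-mount flags on the `mountAndMkdirDest(xdgRuntimeDir, newXDGRuntimeDir, ...)` line is the right fix, since mount(2) treats a propagation-type change (MS_SHARED, MS_PRIVATE, MS_SLAVE, MS_UNBINDABLE) as a separate operation from MS_BIND and documents that only MS_REC and MS_SILENT may accompany it; combining the two in one call depends on which flag the kernel happens to dispatch on first rather than on any documented behaviour. With `unix.Mount("", "/", "", unix.MS_PRIVATE|unix.MS_REC, "")` applied right after the new mount namespace is created, the bind mount of the runtime dir now ends up private as well, which is what the commit message asks for; the comment at `// 1. Mount the netns into the new run to keep them accessible.` could say so explicitly so a later reader does not reintroduce MS_SHARED. A quick check for the effect is `findmnt -o TARGET,PROPAGATION` inside the new mount namespace, where every entry should now report private. Minor style point: the two mount errors go through `wrapError` while the `homedir.GetRuntimeDir()` failure still uses `fmt.Errorf`; harmonizing them would make the error prefixes from `setupMounts` consistent.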

0 comments on commit 5bc4328