Merge pull request #8801 from NixOS/backport-8800-to-2.14-maintenance

[Backport 2.14-maintenance] restoreMountNamespace(): Restore the original root directory
2025-11-25 19:51:00 +01:00 · 2023-08-14 11:02:53 +02:00 · 2023-08-14 11:02:53 +02:00 · a5fa42c5ed
commit a5fa42c5ed
parent 4504ee2957 3065960f2a
1 changed files with 14 additions and 5 deletions
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@ -1782,6 +1782,7 @@ void setStackSize(size_t stackSize)

 #if __linux__
 static AutoCloseFD fdSavedMountNamespace;
+static AutoCloseFD fdSavedRoot;
 #endif

 void saveMountNamespace()
@ -1789,10 +1790,11 @@ void saveMountNamespace()
 #if __linux__
    static std::once_flag done;
    std::call_once(done, []() {
-        AutoCloseFD fd = open("/proc/self/ns/mnt", O_RDONLY);
-        if (!fd)
+        fdSavedMountNamespace = open("/proc/self/ns/mnt", O_RDONLY);
+        if (!fdSavedMountNamespace)
            throw SysError("saving parent mount namespace");
-        fdSavedMountNamespace = std::move(fd);
+
+        fdSavedRoot = open("/proc/self/root", O_RDONLY);
    });
 #endif
 }
@ -1805,9 +1807,16 @@ void restoreMountNamespace()

        if (fdSavedMountNamespace && setns(fdSavedMountNamespace.get(), CLONE_NEWNS) == -1)
            throw SysError("restoring parent mount namespace");
-        if (chdir(savedCwd.c_str()) == -1) {
-            throw SysError("restoring cwd");
+
+        if (fdSavedRoot) {
+            if (fchdir(fdSavedRoot.get()))
+                throw SysError("chdir into saved root");
+            if (chroot("."))
+                throw SysError("chroot into saved root");
        }
+
+        if (chdir(savedCwd.c_str()) == -1)
+            throw SysError("restoring cwd");
    } catch (Error & e) {
        debug(e.msg());
    }