From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Thu 14 Aug 2003 - 11:46:28 BST
On Thu, 14 Aug 2003, Herbert Pötzl wrote:
> On Thu, Aug 14, 2003 at 01:38:36AM +0200, Bodo Eggert wrote:
> > Maybe you could change /proc/mounts into a symlink to /etc/mtab.
> would also be an option ... other suggestions?
`/proc/mounts' is actually already a symlink to `/proc/self/mounts' which is
the individual calling processes' namespace; this could probably be
hard-coded to `../etc/mtab' [BUT, see below]:
$ grep 'self/mounts' fs/proc/*.c
fs/proc/proc_misc.c: proc_symlink("mounts", NULL, "self/mounts");
The problem is that that would do it globally (it is done on bootup when
procfs is first mounted), whereas leaving `/proc/mounts' pointing at the
task's namespace will make it easier to do it per-task (really per-context).
I think the fiddling needs doing in `fs/name{space,i}.c', although I haven't
found where... There various things along the line of:
while (mnt->mnt_parent != mnt)
mnt = mnt->mnt_parent;
So if it is within the current chroot, it stops iterating upwards, otherwise
if it is outside. --We need to remove it if it is outside.
Also, have a quick skim (read) over:
http://www.paul.sladen.org/vserver/aspcomplete/2000-08-25/ve-0.4.2-for-2.4.0-test6.diff.gz
I just looked at it recently and noticed there are a couple of things in
there. -It seems that virtuozzo sys_reboot() is causing all the processes in
that context to be killed (something we could do with a function to cause).
Secondly, grepping the virtuozzo diff, there's some patching to:
follow_dotdot(), in fs/namei.c
+#ifdef CONFIG_VE
+ if (nd->dentry == current->envid->fs_root &&
+ nd->mnt == current->envid->fs_rootmnt) {
+ read_unlock(¤t->fs->lock);
+ break;
+ }
+#endif
[envid is equivalent to vserver's ctx]
which maybe related...? (Or that could be chroot() protection).
Happy investigating!
-Paul
-- War is inconsistent with Truth. Nottingham, GB