hub / github.com/opencontainers/runc / rootfsParentMountPrivate

Function rootfsParentMountPrivate

libcontainer/rootfs_linux.go:1074–1096

rootfsParentMountPrivate ensures rootfs parent mount is private. This is needed for two reasons:

- pivot_root() will fail if parent mount is shared;
- when we bind mount rootfs, if its parent is not private, the new mount will propagate (leak!) to parent namespace and we don't want that.

(path string)

Source from the content-addressed store, hash-verified

//   - when we bind mount rootfs, if its parent is not private, the new mount
//     will propagate (leak!) to parent namespace and we don't want that.
func rootfsParentMountPrivate(path string) error {
	var err error
	// Assuming path is absolute and clean (this is checked in
	// libcontainer/validate). Any error other than EINVAL means we failed,
	// and EINVAL means this is not a mount point, so traverse up until we
	// find one.
	for {
		err = unix.Mount("", path, "", unix.MS_PRIVATE, "")
		if err == nil {
			return nil
		}
		if err != unix.EINVAL || path == "/" {
			break
		}
		path = filepath.Dir(path)
	}
	return &mountError{
		op:     "remount-private",
		target: path,
		flags:  unix.MS_PRIVATE,
		err:    err,
	}
}

func prepareRoot(config *configs.Config) error {
	flag := unix.MS_SLAVE | unix.MS_REC
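
An added example (not runc code) for auditing the condition this function corrects: it walks up from a rootfs path with filepath.Dir, as the loop above does, and reports the propagation type of the first mount point it reaches. It goes beyond the page by reading /proc/self/mountinfo-style text instead of calling mount(2); `nearestMount`, `propagationOf` and the sample data are hypothetical, and mount point paths are assumed to contain no octal escapes.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample in /proc/self/mountinfo format (not from a real host).
const sampleMountinfo = `22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:2 / /var/lib/containers rw,relatime - ext4 /dev/sda2 rw
41 22 8:3 / /srv rw,relatime master:1 - ext4 /dev/sda3 rw`

// propagationOf names the propagation type from the optional fields that sit
// between field 6 and the "-" separator of one mountinfo line.
func propagationOf(f []string) string {
	prop := "private"
	for _, o := range f[6:] {
		switch {
		case o == "-":
			return prop
		case strings.HasPrefix(o, "shared:"):
			return "shared" // member of a peer group: new mounts propagate out
		case strings.HasPrefix(o, "master:"):
			prop = "slave"
		}
	}
	return prop
}

// nearestMount returns the closest mount point at or above path and its
// propagation type (hypothetical helper, not part of runc).
func nearestMount(mountinfo, path string) (string, string, error) {
	mounts := map[string]string{}
	for _, line := range strings.Split(mountinfo, "\n") {
		if f := strings.Fields(line); len(f) >= 10 {
			mounts[f[4]] = propagationOf(f) // later (topmost) entry wins
		}
	}
	for p := filepath.Clean(path); ; p = filepath.Dir(p) {
		if prop, ok := mounts[p]; ok {
			return p, prop, nil
		}
		if p == "/" || p == "." {
			return "", "", fmt.Errorf("no mount point found above %q", path)
		}
	}
}

func main() {
	fmt.Println(nearestMount(sampleMountinfo, "/home/u/bundle/rootfs"))
}
```

A result of "shared" identifies a parent mount that would fail pivot_root() and leak the rootfs bind mount unless it is first remounted private.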

Callers 1

prepareRoot · Function · 0.85

Calls

no outgoing calls

Tested by

no test coverage detected
