Google Git
Sign in
android / platform / external / minijail / refs/tags/android-n-preview-4^! / .
commitdf7fab1a0e0ca2c02ec366ba1f530bc8db7c8688[log] [tgz]
authorJorge Lucangeli Obes <jorgelo@google.com>Wed Jun 01 17:15:31 2016 -0700
committerJorge Lucangeli Obes <jorgelo@google.com>Wed Jun 01 17:16:00 2016 -0700
tree345ba177aa62bdcde91beb845dfa93b3780c6cb5
parent477f2e32a7e4a6ce96baf960ad9f915f52f920a6 [diff]
Add logging message when using user namespaces and mount namespaces.

Also fix a comment that was > 80 cols.

Bug: 28714771
Change-Id: I6c9f2f409bbbd499b9a6efb12b50a57861d6c871

diff --git a/libminijail.c b/libminijail.c
index 06f8e1a..2c57d4d 100644
--- a/libminijail.c
+++ b/libminijail.c

@@ -1136,13 +1136,13 @@
 		pdie("failed to fchdir to old /");
 
 	/*
-	 * If j->flags.skip_remount_private was enabled for minijail_enter(), there
-	 * could be a shared mount point under |oldroot|. In that case, mounts
-	 * under this shared mount point will be unmounted below, and this
-	 * unmounting will propagate to the original mount namespace (because the
-	 * mount point is shared). To prevent this unexpected unmounting, remove
-	 * these mounts from their peer groups by recursively remounting them as
-	 * MS_PRIVATE.
+	 * If j->flags.skip_remount_private was enabled for minijail_enter(),
+	 * there could be a shared mount point under |oldroot|. In that case,
+	 * mounts under this shared mount point will be unmounted below, and
+	 * this unmounting will propagate to the original mount namespace
+	 * (because the mount point is shared). To prevent this unexpected
+	 * unmounting, remove these mounts from their peer groups by recursively
+	 * remounting them as MS_PRIVATE.
 	 */
 	if (mount(NULL, ".", NULL, MS_REC | MS_PRIVATE, NULL))
 		pdie("failed to mount(/, private) before umount(/)");
@@ -1178,12 +1178,21 @@
 	 * Right now, we're holding a reference to our parent's old mount of
 	 * /proc in our namespace, which means using MS_REMOUNT here would
 	 * mutate our parent's mount as well, even though we're in a VFS
-	 * namespace (!). Instead, remove their mount from our namespace
-	 * and make our own. However, if we are in a new user namespace, /proc
-	 * is not seen as mounted, so don't return error if umount() fails.
+	 * namespace (!). Instead, remove their mount from our namespace lazily
+	 * (MNT_DETACH) and make our own.
 	 */
-	if (umount2(kProcPath, MNT_DETACH) && !j->flags.userns)
-		return -errno;
+	if (umount2(kProcPath, MNT_DETACH)) {
+		/*
+		 * If we are in a new user namespace, umount(2) will fail.
+		 * See http://man7.org/linux/man-pages/man7/user_namespaces.7.html
+		 */
+		if (j->flags.userns) {
+			info("umount(/proc, MNT_DETACH) failed, "
+			     "this is expected when using user namespaces");
+		} else {
+			return -errno;
+		}
+	}
 	if (mount("", kProcPath, "proc", kSafeFlags | MS_RDONLY, ""))
 		return -errno;
 	return 0;