pid1: ignore whole /run/host hierarchy

Let's mark the whole /run/host hierarchy as something to ignore by PID 1 for generation of .mount units, i.e. consider it as "extrinsic". By unifying container mgr supplied resources in one dir it's also easy to exclude the whole lot from PID1's management inside the container. This is the right thing to do, since from the payload's PoV these mounts are just API and not manipulatable as they are established, managed and owned by the container manager, not the payload. (While we are it, also add the boot ID mount to the existing list, as nspawn and other container managers overmount that too, typically, and it is thus owned by the container manager and not the payload typically.)
2025-03-14 04:58:28 +03:00 · 2020-10-15 15:25:56 +02:00 · 2020-10-15 15:25:56 +02:00 · 6f997852c8
commit 6f997852c8
parent 69c0807432
1 changed files with 15 additions and 12 deletions
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@ -112,17 +112,6 @@ static const MountPoint mount_table[] = {
          NULL,          MNT_NONE,                  },
 };

-/* These are API file systems that might be mounted by other software,
- * we just list them here so that we know that we should ignore them */
-
-static const char ignore_paths[] =
-        /* SELinux file systems */
-        "/sys/fs/selinux\0"
-        /* Container bind mounts */
-        "/proc/sys\0"
-        "/dev/console\0"
-        "/proc/kmsg\0";
-
 bool mount_point_is_api(const char *path) {
        unsigned i;

@ -137,12 +126,26 @@ bool mount_point_is_api(const char *path) {
 }

 bool mount_point_ignore(const char *path) {
+
        const char *i;

-        NULSTR_FOREACH(i, ignore_paths)
+        /* These are API file systems that might be mounted by other software, we just list them here so that
+         * we know that we should ignore them. */
+        FOREACH_STRING(i,
+                       /* SELinux file systems */
+                       "/sys/fs/selinux",
+                       /* Container bind mounts */
+                       "/dev/console",
+                       "/proc/kmsg",
+                       "/proc/sys",
+                       "/proc/sys/kernel/random/boot_id")
                if (path_equal(path, i))
                        return true;

+        if (path_startswith(path, "/run/host")) /* All mounts passed in from the container manager are
+                                                 * something we better ignore. */
+                return true;
+
        return false;
 }