mrrl-containers

MRRL version of container scripts
git clone https://ccx.te2000.cz/git/mrrl-containers

commit b32bb14a1988b451ad586e0dfd13aac892aca62f
parent 6a8f5cda5c68fe0fcda7c440e8729b38c8c7a8b0
Author: ccx <ccx@te2000.cz>
Date:   Tue, 19 Mar 2024 16:27:48 +0000

Move xsession mounts into a namespace

Diffstat:
Mservice_scripts/xsession/finish | 5-----
Mservice_scripts/xsession/run | 18+++++++++++++-----
2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/service_scripts/xsession/finish b/service_scripts/xsession/finish
@@ -10,11 +10,6 @@ multisubstitute { define CONTAINER_TMPFS /run/containers/${CONTAINER_NAME}.${CONTAINER_USER} # define CONTAINER_DATA /mnt/volumes/containers/user/${CONTAINER_USER}/${CONTAINER_NAME} }
-foreground { umount ${CONTAINER_TMPFS}/home }
-foreground { umount ${CONTAINER_TMPFS}/inbox }
-foreground { umount ${CONTAINER_TMPFS}/run }
-foreground { umount ${CONTAINER_TMPFS}/tmp }
-foreground { umount --recursive data/root/ }
 foreground { if { test -f ${CONTAINER_TMPFS}/run/uncaught-logs/current } mv ${CONTAINER_TMPFS}/run/uncaught-logs/current data/lastlog
diff --git a/service_scripts/xsession/run b/service_scripts/xsession/run
@@ -29,11 +29,13 @@ if { rm -rf ${CONTAINER_TMPFS} } if { mkdir -p ${CONTAINER_TMPFS}/${tmpfs_dirs} ${CONTAINER_TMPFS}/mnt/${CONTAINER_MNT_DIRS} } if { chmod 1770 ${CONTAINER_TMPFS}/${tmpfs_dirs} } if { chown root:${CONTAINER_USER} ${CONTAINER_TMPFS}/${tmpfs_dirs} }
-if { mount -a -T data/fstab }
 # Put UID/GID/GIDLIST into environment for use by s6-applyuidgid below
 s6-envuidgid ${CONTAINER_USER}
+unshare -m -u -i # new mount, UTS and IPC namespaces
+if { mount -a -T data/fstab }
+ # Run user's script to populate /home /run and/or /tmp
 if { env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER} 
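Review bot: Moving `mount -a -T data/fstab` behind `unshare -m` makes the fstab mounts visible only inside the new mount namespace, but the finish script (context in the first hunk) still runs in the supervisor's namespace and reads `${CONTAINER_TMPFS}/run/uncaught-logs/current`; the old finish unmounted `${CONTAINER_TMPFS}/run`, so that path is an fstab mount target, and finish will now see only the empty underlying directory, so the lastlog copy silently never happens. Either keep the mount backing `${CONTAINER_TMPFS}/run` before the `unshare`, or have the container write uncaught-logs to a path that is not one of the namespaced mounts. The `unshare` line should also record what it relies on: util-linux `unshare -m` recursively makes mounts private by default, which is what stops these mounts propagating back to the host, so a comment like `# -m: mounts below are private to this namespace (unshare defaults to --propagation private) and vanish with the last process` — or an explicit `--propagation private` if a different unshare binary could be in PATH — would make that contract visible. The `if { env HOME=... }` block at the end of this hunk continues in the next hunk.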
@@ -41,16 +43,22 @@ if { ${CONTAINER_USER_HOME}/xsession-setup ${CONTAINER_TMPFS} ${vtN} }
-env
- NS_EXTRA="if { mount -o bind,ro /etc/passwd etc/passwd } if { mount -o bind,ro /etc/group etc/group }"
- unshare -n # make new network namespace
 if { ip addr add 127.0.0.1/8 dev lo } if { ip addr add ::1/128 dev lo } if { ip link set lo up } emptyenv -c
-ns_run data/root
+ns_run_unshared data/root {
+ # pre pivot-root commands
+ # /dev/shm -> /run/shm
+ if { mkdir ./run/shm }
+ if { chmod 1777 ./run/shm }
+
+ if { mount -o bind,ro /etc/passwd ./etc/passwd }
+ if { mount -o bind,ro /etc/group ./etc/group }
+}
+# This runs with changed / so use absolute paths before dropping privs
 /mnt/ns/current/command/applyuidgid-caps -U "" env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER} /run/init
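Review bot: The removed `unshare -n` has no replacement on the new side — `unshare -m -u -i` in the previous hunk creates no network namespace — yet `ip addr add 127.0.0.1/8 dev lo` still runs before `ns_run_unshared`, so unless something outside these hunks unshares the network first, that command runs against the host's loopback (where 127.0.0.1 already exists and the `if` fails), and if the `ip` lines were ever dropped the container would simply inherit host networking. Keep `unshare -n # make new network namespace` immediately before the `ip addr add` lines, or add `-n` to the earlier unshare if xsession-setup does not need the host network. Separately, the pre-pivot block runs as root with relative targets `./etc/passwd`, `./etc/group` and `./run/shm` under data/root; mount(8) follows symlinks on the target path, so if any part of data/root is writable by ${CONTAINER_USER} (I cannot tell from the hunk), a symlink planted there would redirect the read-only bind of the host's passwd file to an arbitrary host path — a `test ! -L ./etc/passwd` guard or a comment stating that data/root is root-owned would settle it. The `if {` block that opens this hunk begins before it.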