[apparmor] [patch] tests: work around systemd mounting / shared in pivot_root tests
Tyler Hicks
tyhicks at canonical.com
Tue Mar 24 22:22:01 UTC 2015
On 2015-03-24 14:48:22, Steve Beattie wrote:
> The systemd init daemon mounts the / filesystem as shared [1], which
> breaks pivot_root(2). The following patch adjusts the pivot_root
> test script to remount / as private if it detects that its shared,
> allowing the tests to run successfully, and then undoes it once the
> tests are complete.
>
> [1] http://cgit.freedesktop.org/systemd/systemd/commit/?id=b3ac5f8cb98757416d8660023d6564a7c411f0a0
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
> ---
> tests/regression/apparmor/pivot_root.sh | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
>
> Index: b/tests/regression/apparmor/pivot_root.sh
> ===================================================================
> --- a/tests/regression/apparmor/pivot_root.sh
> +++ b/tests/regression/apparmor/pivot_root.sh
> @@ -25,6 +25,7 @@ put_old=${new_root}put_old/
> bad=$tmpdir/BAD/
> proc=$new_root/proc
> fstype="ext2"
> +root_was_shared="no"
>
> pivot_root_cleanup() {
> mountpoint -q "$proc"
> @@ -36,9 +37,32 @@ pivot_root_cleanup() {
> if [ $? -eq 0 ] ; then
> umount "$new_root"
> fi
> +
> + if [ "${root_was_shared}" = "yes" ] ; then
> + [ -n "$VERBOSE" ] && echo 'notice: re-mounting / as shared'
> + mount -o remount --make-shared /
I don't think the '-o remount' is needed. I've never used it when
changing a mount's propagation status and the mount(8) man page doesn't
use it in its examples.
I strace'ed mount with and without '-o remount' to see if there's a
difference:
$ sudo strace mount --make-private / 2>&1 | tail
fstat(3, {st_mode=S_IFREG|0644, st_size=3165552, ...}) = 0
mmap(NULL, 3165552, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fed06565000
close(3) = 0
getuid() = 0
geteuid() = 0
mount("none", "/", NULL, MS_PRIVATE, NULL) = 0
close(1) = 0
close(2) = 0
exit_group(0) = ?
+++ exited with 0 +++
$ sudo strace mount -o remount --make-private / 2>&1 | tail
stat("/sbin/mount.ext3", 0x7ffdf0a11730) = -1 ENOENT (No such file or directory)
stat("/sbin/fs.d/mount.ext3", 0x7ffdf0a11730) = -1 ENOENT (No such file or directory)
stat("/sbin/fs/mount.ext3", 0x7ffdf0a11730) = -1 ENOENT (No such file or directory)
mount("none", "/", 0x18a1210, MS_MGC_VAL|MS_REMOUNT|MS_SILENT, NULL) = 0
mount("none", "/", NULL, MS_SILENT|MS_PRIVATE, NULL) = 0
access("/", W_OK) = 0
close(1) = 0
close(2) = 0
exit_group(0) = ?
+++ exited with 0 +++
The '-o remount' ends up being an entirely separate operation that
shouldn't be needed so I think it is best to drop it.
> + fi
> }
> do_onexit="pivot_root_cleanup"
>
> +# systemd mounts / and everything under it MS_SHARED. This breaks
> +# pivot_root entirely, so attempt to detect it, and remount /
> +# MS_PRIVATE temporarily.
> +FINDMNT=/bin/findmnt
> +if [ -x "${FINDMNT}" ] && ${FINDMNT} -no PROPAGATION / > /dev/null 2>&1 ; then
> + if [ "$(${FINDMNT} -no PROPAGATION /)" == "shared" ] ; then
> + root_was_shared="yes"
> + fi
> +elif [ "$(ps -hp1 -ocomm)" = "systemd" ] ; then
> + # no findmnt or findmnt doesn't know the PROPAGATION column,
> + # but init is systemd so assume rootfs is shared
> + root_was_shared="yes"
> +fi
> +if [ "${root_was_shared}" = "yes" ] ; then
> + [ -n "$VERBOSE" ] && echo 'notice: re-mounting / as private'
> + mount -o remount --make-private /
Here, too.
Everything else looks good. Feel free to put my ack on it if you agree
with my proposed changes.
Thanks!
Tyler
> +fi
> +
> # Create disk image since pivot_root doesn't allow old root and new root to be
> # on the same filesystem
> dd if=/dev/zero of="$disk_img" bs=1024 count=512 2> /dev/null
>
> --
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150324/8d38e2a0/attachment.pgp>
More information about the AppArmor
mailing list