Is it possible to create a bind mount to the parent namespace when creating a container?
I have code that does the following operations (error checking stripped):
```c
#include <errno.h>
#include <linux/sched.h>   /* struct clone_args and the CLONE_* flags */
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

struct clone_args cloneArguments;
memset(&cloneArguments, 0, sizeof(cloneArguments));
cloneArguments.flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWUSER;
pid_t child = syscall(SYS_clone3, &cloneArguments, sizeof(cloneArguments));
if (child) {
    // Go do parent things
    return;
}

// Child: build the new root on a tmpfs inside the fresh mount namespace
mkdir("container", S_IRWXU);
mount(NULL, "container", "tmpfs", 0, NULL);
mkdir("container/bin", S_IRWXU);
// copyFile() is a helper from the question's own code (not shown); it copies the binary with the given mode
copyFile("busybox", "container/bin", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
mkdir("container/lib", S_IRWXU);
// Bind the host's /usr/lib into the container as /lib
mount("/usr/lib", "container/lib", NULL, MS_BIND, NULL);
mkdir("container/oldRoot", S_IRWXU);
// Swap roots, then detach and delete the old root
syscall(SYS_pivot_root, "container", "container/oldRoot");
chdir("/");
umount2("/oldRoot", MNT_DETACH);
remove("/oldRoot");
// Remount the new root read-only
mount(NULL, "/", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL);

child = fork();
if (child) {
    waitpid(child, NULL, 0);
} else {
    // Busybox checks arg0 to see what applet it uses, not passing the binary as the first arg is not a bug in this context.
    execl("/bin/busybox", "/bin/find", "/", NULL);
    exit(errno);
}
```
All of the error checking passes and busybox runs. It prints out all of the files in the container minus the ones from the host in /usr/lib. It prints `find: /lib: Value too large for defined data type` to stderr.
Is there a way to allow this to work with bind mounts? The old root still exists because of the parent namespace; otherwise my machine would crash pretty quickly. The error makes no sense to me.
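An added check (my own example, not the question's code) for confirming the result of a setup like the one above before handing control to busybox: it verifies from inside the namespace, with stat(2) and statvfs(3), that /lib is really a mount point and that / came out read-only. The paths are the question's; verify_container_layout() and its call site (the child, just before execl()) are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

/* 1 if the directory at path is the root of a mount, 0 if not, -1 on
 * error. A mount root sits on a different st_dev than its parent
 * directory; "/" is its own parent. Caveats: only directories are
 * examined, and a bind mount whose source lives on the same filesystem
 * as the target's parent is not detected (use /proc/self/mountinfo). */
int is_mount_point(const char *path)
{
    struct stat self, parent;
    char parent_path[4096];

    if (stat(path, &self) != 0)
        return -1;
    if (!S_ISDIR(self.st_mode))
        return 0;
    if (snprintf(parent_path, sizeof parent_path, "%s/..", path)
            >= (int)sizeof parent_path || stat(parent_path, &parent) != 0)
        return -1;
    if (self.st_dev == parent.st_dev && self.st_ino == parent.st_ino)
        return 1;                     /* "/" or the namespace root */
    return self.st_dev != parent.st_dev;
}

/* 1 if every flag in required (ST_RDONLY, ST_NOSUID, ...) is set on the
 * mount holding path, 0 if one is missing, -1 on error. */
int has_mount_flags(const char *path, unsigned long required)
{
    struct statvfs vfs;

    if (statvfs(path, &vfs) != 0)
        return -1;
    return (vfs.f_flag & required) == required;
}

/* Hypothetical post-setup check for the layout in the question: /lib
 * must be the bind mount and / must have come out read-only. */
int verify_container_layout(void)
{
    int ok = is_mount_point("/lib") == 1 && has_mount_flags("/", ST_RDONLY) == 1;
    if (!ok)
        fprintf(stderr, "container layout check failed\n");
    return ok;
}
```

Run as an ordinary process it simply inspects the caller's own mount table, which is what lets it be exercised outside the container.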