authorRichard Jones <rjones@redhat.com>2009-04-30 18:05:13 +0100
committerRichard Jones <rjones@redhat.com>2009-04-30 18:05:13 +0100
commit296b536c965820b8334150df0247a0657f6e35fd (patch)
tree58db118ca348b2d0532bddf63744994eea46b46f /daemon/command.c
parentf7e6ffa8a82f8a7a214a47ff32f46d9e893902d8 (diff)
Bind-mount /dev, /proc and /sys into chroot when running commands.
Diffstat (limited to 'daemon/command.c')
-rw-r--r--daemon/command.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/daemon/command.c b/daemon/command.c
index 03537f03..1daccf6e 100644
--- a/daemon/command.c
+++ b/daemon/command.c
@@ -31,6 +31,7 @@ do_command (char * const * const argv)
{
char *out, *err;
int r;
+ int proc_ok, dev_ok, sys_ok;
/* We need a root filesystem mounted to do this. */
NEED_ROOT (NULL);
@@ -44,10 +45,29 @@ do_command (char * const * const argv)
return NULL;
}
+ /* While running the command, bind-mount /dev, /proc, /sys
+ * into the chroot. However we must be careful to unmount them
+ * afterwards because otherwise they would interfere with
+ * future mount and unmount operations.
+ *
+ * We deliberately allow these commands to fail silently, BUT
+ * if a mount fails, don't unmount the corresponding mount.
+ */
+ r = command (NULL, NULL, "mount", "--bind", "/dev", "/sysroot/dev", NULL);
+ dev_ok = r != -1;
+ r = command (NULL, NULL, "mount", "--bind", "/proc", "/sysroot/proc", NULL);
+ proc_ok = r != -1;
+ r = command (NULL, NULL, "mount", "--bind", "/sys", "/sysroot/sys", NULL);
+ sys_ok = r != -1;
+
CHROOT_IN;
r = commandv (&out, &err, argv);
CHROOT_OUT;
+ if (sys_ok) command (NULL, NULL, "umount", "/sysroot/sys", NULL);
+ if (proc_ok) command (NULL, NULL, "umount", "/sysroot/proc", NULL);
+ if (dev_ok) command (NULL, NULL, "umount", "/sysroot/dev", NULL);
+
if (r == -1) {
reply_with_error ("%s", err);
free (out);
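Review bot: The three `umount` calls after `CHROOT_OUT` discard their return value, so a mount that is still busy (for example if the command left a process running under /sysroot/proc or /sysroot/dev) stays in place silently, which is exactly the interference with later mount and unmount operations that the new comment warns about. I would at least record the failure, e.g. `if (sys_ok && command (NULL, NULL, "umount", "/sysroot/sys", NULL) == -1) fprintf (stderr, "umount /sysroot/sys failed\n");`, and do the same for proc and dev. The comment should also state that the command, which presumably is a binary from the guest image, now sees the appliance's own /dev, /proc and /sys. The three mount targets are resolved before `CHROOT_IN`, so it is worth checking whether a guest in which /dev, /proc or /sys is a symlink could redirect a bind mount outside /sysroot. do_command starts and ends outside this hunk.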