I'm experimenting with the new namespace feature of Linux
and it's working nicely. Now I'm trying to add grsec into the mix,
but it won't work anymore, as grsec disallows umount and chroot
after pivot_root.
For reference, what I'm trying to do:
(rfork = clone(CLONE_NEWNS))
#! /bin/sh
skel=/opt/root      # skeleton tree to expose as the new root
dst=/var/empty      # mount point that becomes the new root

# Stage 0: re-exec this script inside a new mount namespace
# (rfork = clone(CLONE_NEWNS)).
if test "$1" = ""; then
    exec /opt/bin/rfork "$skel/bin/boot.sh" stage1
fi

# Stage 1: runs inside the new namespace.
if test "$1" = "stage1"; then
    mount -n -t ramfs ramfs "$dst"
    cd "$skel" || exit 1
    # Bind every top-level entry of the skeleton into the ramfs.
    for d in *; do
        mkdir "$dst/$d"
        mount -n --bind "$skel/$d" "$dst/$d"
    done
    cd "$dst" || exit 1
    mkdir oldroot
    pivot_root . oldroot
    umount -nl oldroot        # grsec refuses this after pivot_root ...
    rmdir oldroot
    exec chroot . /bin/bash   # ... and this
fi
As I understand it, grsec currently treats pivot_root == chroot, but
I want to do some additional setup after pivot_root, while still not
allowing mount/umount/chroot inside the chroot.
So, how could I tell grsec to allow me to do an umount / chroot after
pivot_root? Is an additional config option needed in the code?
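The same stage1 sequence in C, as an added example (not the poster's /opt/bin/rfork or script): it uses unshare(CLONE_NEWNS) for the new mount namespace in place of the poster's clone(CLONE_NEWNS), calls pivot_root through the raw syscall since glibc has no wrapper, and names each step on failure so the call grsec refuses can be read off the error message instead of guessed. It assumes the post's /opt/root and /var/empty as defaults and needs root (CAP_SYS_ADMIN) to get past the first mount.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
/* glibc has no pivot_root() wrapper, so use the raw syscall. Returns 0 or -errno. */
int pivot_root_errno(const char *new_root, const char *put_old)
{
    return syscall(SYS_pivot_root, new_root, put_old) == 0 ? 0 : -errno;
}
/* Name the failing step; a grsec denial shows up here as "<step>: Operation not permitted". */
static int fail(const char *step) { perror(step); return 1; }
/* Bind every top-level entry of skel under dst (the script's `for d in *` loop). */
static int bind_skeleton(const char *skel, const char *dst)
{
    char src[PATH_MAX], tgt[PATH_MAX]; struct dirent *e;
    DIR *d = opendir(skel);
    if (!d) return fail("opendir skel");
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.') continue;                /* like the shell glob: skip dotfiles */
        snprintf(src, sizeof src, "%s/%s", skel, e->d_name);
        snprintf(tgt, sizeof tgt, "%s/%s", dst, e->d_name);
        if (mkdir(tgt, 0755) && errno != EEXIST) return fail("mkdir bind target");
        if (mount(src, tgt, NULL, MS_BIND, NULL)) return fail("bind mount");
    }
    closedir(d);
    return 0;
}

int main(int argc, char **argv)
{
    const char *skel = argc > 1 ? argv[1] : "/opt/root";   /* defaults taken from the post */
    const char *dst  = argc > 2 ? argv[2] : "/var/empty";
    if (unshare(CLONE_NEWNS))                  return fail("unshare(CLONE_NEWNS)");
    if (mount("ramfs", dst, "ramfs", 0, NULL)) return fail("mount ramfs");
    if (bind_skeleton(skel, dst))              return 1;
    if (chdir(dst))                            return fail("chdir dst");
    if (mkdir("oldroot", 0755))                return fail("mkdir oldroot");
    if (pivot_root_errno(".", "oldroot"))      return fail("pivot_root");
    if (umount2("oldroot", MNT_DETACH))        return fail("umount oldroot");  /* denied by grsec per the post */
    if (rmdir("oldroot"))                      return fail("rmdir oldroot");
    if (chroot("."))                           return fail("chroot");          /* likewise */
    execl("/bin/bash", "bash", (char *)NULL);
    return fail("exec /bin/bash");
}
```

Running it unprivileged stops at unshare or mount with EPERM, which is the expected baseline before any grsec policy is involved.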