[Toybox] [PATCH] Skip mount.test if not running as root

Rob Landley rob at landley.net
Mon Feb 15 06:13:42 PST 2021


Still running through the messages gmail's spam filter false positived on...

On 2/1/21 7:02 AM, Yi-yo Chiang via Toybox wrote:
> mount, mount and their friends usually require root permission, so let's skip
> these when not running as root!

Longer term I want to run the mount test under the "make root" target (see
scripts/mkroot.sh) which builds a linux kernel targeted to QEMU and packages up
a defconfig toybox root filesystem with a simple init script.

Tests like mount, modprobe, and ifconfig need a defined system to work in: it's
not just running them as root, it's also what resources are available and where
can I do with them? (Do I have this dev node, module, or interface?) The QEMU
system can provide known layouts.

Long ago I wrote up an explanation of the 4 filesystem categories on my old
livejournal, and I copied it into the www/doc directory of toybox a while back:

  http://landley.net/toybox/doc/mount.txt

Except I wrote all that up _before_ containers happened, which added a while
scope and lifetime thing (mount namespaces). And it doesn't mention bind mounts,
mount --move, pivot_root (and the reason containers use pivot_root instead of
chroot)...

If you're wondering how I know all this stuff, the answer is I tried to do crazy
stuff that didn't woork, I asked Linus about it:

https://ipfs.io/ipfs/QmdA5WkDNALetBn4iFeSepHjdLGJdxPBwZyY47ir1bZGAK/comp/linux/pivot_root.html

And then other people poked me about more stuff over the years:

https://landley.net/notes-2011.html#02-06-2011

Rob

P.S. The reason containers pivot_root() is if you're root in a chroot you can
mkdir("sub"); chroot("sub"); chdir("../../../../../../../../.."); chroot(".")
and be out of the chroot. Except that the OTHER thing pivot_root does is iterate
through every process in the tree and change any "." and "/" that points into
the old directory to the new directory, yes including kernel threads, so you can
umount the old filesystem without it being pinned by active processes using it,
and that's kind of heavyweight for a container so they added some heuristic but
it's still really dangerous to do because if you haven't set up your new
namespace right when you do a pivot_root your entire system will freeze as every
process suddenly has its global filesystem context edited and gets Confused...
Did I mention I have a todo item to write a "contain" command that creates and
manipulates simple containers? Alas I've had that todo item for 11 years and
haven't done it yet, busy with other things...

tl;dr writing a proper mount.test is on the todo list.



More information about the Toybox mailing list