linux: Update rootfsfd when rootfs is replaced

giuseppe · giuseppe · commit 64a2e0e1c643 · 2025-05-20T21:43:20.000+02:00
When a mount operation replaces the container's root filesystem ("/"), the existing `rootfsfd` becomes stale. This file descriptor would still point to the old, now overmounted root, potentially causing subsequent filesystem operations within the container setup to fail or target the incorrect filesystem. Closes: #1752 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -1227,6 +1227,17 @@ do_mount (libcrun_container_t *container, const char *source, int targetfd,
           if (UNLIKELY (fd < 0))
             return fd;
 
+          /* We are replacing the rootfs, reopen it.  */
+          if (is_empty_string (target))
+            {
+              int tmp = dup (fd);
+              if (UNLIKELY (tmp < 0))
+                return crun_make_error (err, errno, "dup");
+
+              TEMP_FAILURE_RETRY (close (get_private_data (container)->rootfsfd));
+              get_private_data (container)->rootfsfd = tmp;
+            }
+
 #ifdef HAVE_FGETXATTR
           if (label_how == LABEL_XATTR)
             {
diff --git a/tests/test_mounts.py b/tests/test_mounts.py
@@ -115,6 +115,33 @@ def prepare_rootfs(rootfs):
         return 0
     return -1
 
+def test_mount_bind_to_rootfs():
+    conf = base_config()
+    conf['process']['args'] = ['/init', 'true']
+    add_all_namespaces(conf)
+    tmpdir = tempfile.mkdtemp()
+    shutil.copy(get_init_path(), tmpdir)
+
+    mounts = [
+        {"destination": "/", "type": "bind", "source": tmpdir, "options": ["bind"]},
+    ]
+    conf['mounts'] = mounts + conf['mounts']
+    _, _ = run_and_get_output(conf, hide_stderr=True)
+    return 0
+
+def test_mount_tmpfs_to_rootfs():
+    conf = base_config()
+    conf['process']['args'] = ['/init', 'true']
+    add_all_namespaces(conf)
+    tmpdir = tempfile.mkdtemp()
+
+    mounts = [
+        {"destination": "/", "type": "tmpfs", "source": "tmpfs", "options": ["tmpcopyup"]},
+    ]
+    conf['mounts'] = mounts + conf['mounts']
+    _, _ = run_and_get_output(conf, hide_stderr=True)
+    return 0
+
 def test_ro_cgroup():
     for cgroupns in [True, False]:
         for netns in [True, False]:
@@ -693,6 +720,8 @@ def test_mount_help():
     "mount-unix-socket" : test_mount_unix_socket,
     "mount-symlink-not-existing" : test_mount_symlink_not_existing,
     "mount-dev" : test_mount_dev,
+    "mount-bind-to-rootfs": test_mount_bind_to_rootfs,
+    "mount-tmpfs-to-rootfs": test_mount_tmpfs_to_rootfs,
     "mount-nodev" : test_mount_nodev,
     "mount-path-with-multiple-slashes" : test_mount_path_with_multiple_slashes,
     "mount-userns-bind-mount" : test_userns_bind_mount,
