jail: don't always CLONE_NEWUTS

[project/procd.git] / jail / jail.c

diff --git a/jail/jail.c b/jail/jail.c
index b3f27d3..c442847 100644 (file)
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -129,6 +129,12 @@ static int build_jail_fs(void)
                return -1;
        }
 
+       /* oldroot can't be MS_SHARED else pivot_root() fails */
+       if (mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL)) {
+               ERROR("private mount failed %s\n", strerror(errno));
+               return -1;
+       }
+
        if (mount("tmpfs", jail_root, "tmpfs", MS_NOATIME, "mode=0755")) {
                ERROR("tmpfs mount failed %s\n", strerror(errno));
                return -1;
@@ -238,7 +244,7 @@ static int exec_jail(void *_notused)
                exit(EXIT_FAILURE);
        }
 
-       if (opts.namespace && opts.hostname
+       if (opts.namespace && opts.hostname && strlen(opts.hostname) > 0
                        && sethostname(opts.hostname, strlen(opts.hostname))) {
                ERROR("sethostname(%s) failed: %s\n", opts.hostname, strerror(errno));
                exit(EXIT_FAILURE);
@@ -380,9 +386,10 @@ int main(int argc, char **argv)
 
        uloop_init();
        if (opts.namespace) {
-               jail_process.pid = clone(exec_jail,
-                       child_stack + STACK_SIZE,
-                       CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | SIGCHLD, NULL);
+               int flags = CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | SIGCHLD;
+               if (opts.hostname)
+                       flags |= CLONE_NEWUTS;
+               jail_process.pid = clone(exec_jail, child_stack + STACK_SIZE, flags, NULL);
        } else {
                jail_process.pid = fork();
        }