User Tools

Site Tools


enhancements_to_bind_mounts

enhanced_bind is a modification primarily aimed at making chroot jails easier to set up, more secure, and less wasteful of storage.

The first enhancement comes from the Linux vserver project. This adds the ability to make bind mounts nosuid, read-only, nodev, and noexec.

On top of that is 'hardening' to prevent a chrooted root process from simply remounting a bind mount to read-write. This is accomplished by basing even a fully privileged root process's permission to remount a binding on it's ability to reach the source of the bind mount.

This allows root inside a chroot to make use of bind internally without compromising the system outside the jail.

On an unenhanced kernel, a bind mount sourced from the actual root of a filesystem behaves distinctly different (in astonishing ways) from a bind sourced from a non-root directory.

Most notably, a remount will actually change the mount options on the superblock and so, the sourc of the binding. In contrast, attempting remount on a bind mount sourced from a non-root directory simply fails.

In support of the principle of least astonishment, the bind enhancements add MNT_BIND flag and set it on any bind-mount. This explicitly prevents 'bleed through' to the superblock and source when remount is called (assuming the remount would otherwise be permissable). Thus, the listing from /proc/mounts will clearly identify bind mounts in the option flags field.

For most uses of bind, this small change in behaviour is either harmless or beneficial. One notable exception is the initrd startup in Fedora core (and possibly others). When running with this patch, it is necessary to modify the mkinitrd package. First, support for the –move mount option must be added to nash, then the mkinitrd script is modified so the init script in the initrd will use –move rather than –bind for the /dev tmpfs, as in:

mount --move /dev /sysroot/dev

If this is not done, rc.sysinit can get confused and end up mounting a new tmpfs over /dev. This, in turn wipes out the LVM device links and so causes the fsck of root to fail and so you get the emergency root login prompt rather than a successful boot.

enhancements_to_bind_mounts.txt · Last modified: 2010/04/15 21:18 (external edit)