On Sat, Oct 07, 2006 at 10:54:10AM +0100, Roger Leigh wrote:
> One concern I have is what will happen to bind mounted filesystems, or
> filesystems mounted multiple times? If there are open files, we don't
> want to kill anything /outside/ the chroot, which may also be using
> the filesystem.
Ah, yes. fuser isn't as smart as I was hoping. Here is a better patch,
which looks for processes that were run from the chroot base dir, which
will protect processes on mount points built with "bind". This will
also not kill processes that are using the chroot area but were run from
outside the chroot. (Causing the umounts to correctly fail.)
How does this look?
--
Kees Cook @outflux.net
Index: schroot/setup/10mount
===================================================================
--- schroot/setup/10mount (revision 1032)
+++ schroot/setup/10mount (working copy)
@@ -23,10 +23,26 @@
mount $VERBOSE $1 "$2" "$3"
}
+# Kill all processes that were run from within the chroot environment
+# $1: mount base location
+do_kill_all()
+{
+ if [ "$AUTH_VERBOSITY" = "verbose" ]; then
+ echo "Killing processes run inside $1"
+ fi
+ ls /proc | egrep '^[[:digit:]]+$' |
+ while read pid; do
+ if readlink /proc/"$pid"/exe | grep ^"$1"/ >/dev/null; then
+ kill "$pid"
+ fi
+ done
+}
+
# Unmount all filesystem under specified location
# $1: mount base location
do_umount_all()
{
+ do_kill_all "$1"
"$LIBEXEC_DIR/schroot-listmounts" -m "$1" |
while read mountloc; do
if [ "$AUTH_VERBOSITY" = "verbose" ]; then
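Review bot: the prefix test in do_kill_all, `readlink /proc/"$pid"/exe | grep ^"$1"/`, treats the chroot base path as a regular expression, so a `.` or `+` in the mount location can match more or fewer processes than intended; a literal prefix match in plain sh avoids that, e.g. `case "$(readlink /proc/"$pid"/exe)" in "$1"/*) kill "$pid" ;; esac`. Two further points on the same loop: /proc/<pid>/exe is the canonical path, so if $1 reaches the chroot through a symlink the prefix never matches and nothing is killed (resolving $1 with `readlink -f` before the comparison would fix this); and `kill` sends SIGTERM without waiting, so do_umount_all still races against processes that have not yet exited and the umount can fail exactly as before the patch. A short wait, with escalation to SIGKILL if a process is still present, before falling through to the unmount loop would make the new call in do_umount_all reliable.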