From 609658bd2df28d17f5c7898145815aea874df87e Mon Sep 17 00:00:00 2001
From: Elliot Saba
Date: Mon, 1 Aug 2022 17:47:53 +0000
Subject: [PATCH] Allow for inaccessible mount points

When scanning all current mount points, we must be able to skip mountpoints that we cannot access, such as if `docker` is running and has internal mounts that are not visible to our current user.
---
 deps/userns_sandbox.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/deps/userns_sandbox.c b/deps/userns_sandbox.c
index 3e802c3..4274019 100644
--- a/deps/userns_sandbox.c
+++ b/deps/userns_sandbox.c
@@ -374,11 +374,20 @@ static void bind_mount(const char *src, const char *dest, char read_only) {
 check(mtab != NULL);
 while (mnt = getmntent(mtab)) {
 struct stat dev_stat;
- check(0 == stat(mnt->mnt_dir, &dev_stat));
- if (dev_stat.st_dev == src_stat.st_dev)
+ // It's possible that we try to stat() something that we're
+ // not allowed to look at; if that occurs, skip it, hoping
+ // that it's not the mount we're actually interested in.
+ if (stat(mnt->mnt_dir, &dev_stat) == 0 &&
+ dev_stat.st_dev == src_stat.st_dev)
 break;
+
+ // Don't let a non-matching `mnt` leak through, in the event
+ // that we never find the device the mount belongs to.
+ mnt = NULL;
 }
 endmntent(mtab);
+
+ // This will fail if we never found the matching `mnt`.
 check(mnt != NULL);
 int locked_flags = 0;
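Review bot: The new `stat()` guard in the `while` loop skips a mount entry on any failure, not only the permission error the commit message describes, so an unexpected errno (I/O error, stale mount) is silently ignored and only surfaces later as the generic `check(mnt != NULL)` abort. Consider narrowing the skip, e.g. `if (stat(mnt->mnt_dir, &dev_stat) != 0) { check(errno == EACCES); continue; }`, adjusted to whichever errno values were actually observed with docker's mounts. Because entries are matched on `st_dev` alone, skipping one also means a different entry on the same device can be picked instead; if the flags computed after `int locked_flags = 0;` are derived from `mnt` (that code is outside the hunk), this deserves a comment stating the assumption. The `mnt = NULL;` at the end of the loop body is redundant, since the loop condition reassigns `mnt` on every pass and the loop can only fall through when `getmntent()` returned NULL. `bind_mount` starts and ends outside this hunk.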