[Bug 2018271] Re: os-prober expects to run in a new private mount namespace, but new namespace is not private

Launchpad Bug Tracker 2018271 at bugs.launchpad.net
Fri May 5 15:01:24 UTC 2023


This bug was fixed in the package os-prober - 1.81ubuntu3

---------------
os-prober (1.81ubuntu3) mantic; urgency=medium

  * Replace newns by unshare --mount from util-linux [essential]. This makes
    os-prober run in a private mount namespace, as it was initially intended.
    (LP: #2018271)

 -- Olivier Gayot <olivier.gayot at canonical.com>  Tue, 02 May 2023 09:19:22 +0200

** Changed in: os-prober (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to os-prober in Ubuntu.
https://bugs.launchpad.net/bugs/2018271

Title:
  os-prober expects to run in a new private mount namespace, but new
  namespace is not private

Status in os-prober package in Ubuntu:
  Fix Released
Status in os-prober package in Debian:
  New

Bug description:
  During execution of os-prober, other processes on the system can see the
  temporary mounts to /var/lib/os-prober/mount even though os-prober runs
  in a separate mount namespace.

  In order to run os-prober in a more isolated mode, we introduced the
  newns.c source file a while ago. We build it to a binary and ship it in
  os-prober and os-prober-udeb.

  The original idea was to run os-prober in a private mount namespace.
  Sadly, calling the unshare(CLONE_NEWNS) system call is only enough to
  create a new mount namespace. But it is not enough to make the new
  namespace private.

  While we can patch newns.c to make the new mount namespace private,
  relying on unshare(1) from util-linux (which is an essential package)
  seems like a more viable option.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/os-prober/+bug/2018271/+subscriptions
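
Added example (not from the bug report, newns.c or os-prober): the step the bug description says is missing after unshare(CLONE_NEWNS), a recursive MS_PRIVATE remount of /, together with a check of /proc/self/mountinfo for mounts still tagged shared. The function names are this example's own; it assumes Linux and needs CAP_SYS_ADMIN to change namespaces.

```c
#include <linux/sched.h>   /* CLONE_NEWNS */
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* unshare(CLONE_NEWNS) copies the mount table but keeps each mount's
 * propagation type; the recursive MS_PRIVATE remount is the missing step. */
int enter_private_mount_ns(void)
{
    if (syscall(SYS_unshare, CLONE_NEWNS) != 0) return -1;  /* needs CAP_SYS_ADMIN */
    return mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL);
}

/* 1 if a /proc/<pid>/mountinfo line has a "shared:N" optional field
 * (field 7 up to the "-" separator), 0 if not, -1 if malformed. */
int mountinfo_line_is_shared(const char *line)
{
    int field = 1, shared = 0;
    for (const char *p = line; *p && *p != '\n'; field++) {
        size_t len = strcspn(p, " \n");
        if (field > 6 && len == 1 && *p == '-') return shared;
        if (field > 6 && strncmp(p, "shared:", 7) == 0)
            shared = 1;
        p += len + strspn(p + len, " ");
    }
    return -1;   /* separator never seen */
}

int count_shared_mounts(void)   /* -1 if mountinfo is unreadable */
{
    char line[4096];
    int n = 0;
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        n += mountinfo_line_is_shared(line) == 1;
    fclose(f);
    return n;
}

int main(void)
{
    int before = count_shared_mounts();
    if (enter_private_mount_ns() != 0) { perror("unshare/mount"); return 1; }
    printf("shared mounts: %d before, %d after\n", before, count_shared_mounts());
    return 0;
}
```

Without the mount() call in enter_private_mount_ns(), the "after" count stays equal to the "before" count on a system whose root mount is shared, which is the behaviour the bug describes.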



