diff options
Diffstat (limited to 'internal/namespace/pinning.go')
| -rw-r--r-- | internal/namespace/pinning.go | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/internal/namespace/pinning.go b/internal/namespace/pinning.go index 07f15f8..9bf4fee 100644 --- a/internal/namespace/pinning.go +++ b/internal/namespace/pinning.go @@ -12,6 +12,24 @@ import ( "golang.org/x/sys/unix" ) +// blockPaths defines the host services that are bind-mounted over to block access +// from within the isolated namespace. +var blockPaths = []string{ + "/run/dbus/system_bus_socket", + "/run/systemd/resolve/io.systemd.Resolve", + "/run/systemd/resolve/io.systemd.Resolve.Monitor", + "/run/nscd/socket", + "/var/run/dbus/system_bus_socket", + "/var/run/systemd/resolve/io.systemd.Resolve", + "/var/run/systemd/resolve/io.systemd.Resolve.Monitor", + "/var/run/nscd/socket", +} + +// GetBlockPaths returns the list of paths blocked for namespace isolation. +func GetBlockPaths() []string { + return blockPaths +} + // PinNamespace binds the current network namespace to the profile's namespace path. // This prevents the kernel from destroying the namespace when all processes exit. func PinNamespace(pm *paths.PathManager, profile string) error { @@ -44,7 +62,6 @@ func UnpinNamespace(pm *paths.PathManager, profile string) error { } // 1. Unmount the namespace first. - // If this is the last reference to the namespace, the kernel will destroy it. if err := unix.Unmount(nsPath, 0); err != nil { return fmt.Errorf("failed to unmount namespace %s: %w", nsPath, err) } @@ -54,6 +71,16 @@ func UnpinNamespace(pm *paths.PathManager, profile string) error { return fmt.Errorf("failed to remove pin file %s: %w", nsPath, err) } + // 3. Unmount and clean up blocking services. + // Since the block files are located within the profile directory, + // we must unmount them before we can remove the directory. + for _, p := range GetBlockPaths() { + _ = unix.Unmount(p, unix.MNT_DETACH) + } + + blockDir := filepath.Join(pm.RuntimeBaseDir(), "profiles", profile, "block") + _ = os.RemoveAll(blockDir) + pidsDir := GetPidsDirPath(pm, profile) // Try to remove pids directory and empty parent directories |