Properly bring back mount

[carllerche]

Bring back mount w/ tests for the various permutation of arguments

[redrampage]

+1

[carllerche]

I'm pretty busy at the moment, but I would be happy to accept a PR :)

[kamalmarhubi]

I'd be happy to submit a PR for this, as I only just found out it was missing! Could you briefly outline some test cases that would be necessary to bring this back? I'm thinking we'd want to verify at least:

• MS_NOEXEC
• MS_NOSUID
• MS_RDONLY

result in the expected properties holding on the mount, that MS_REMOUNT can change MS_RDONLY, and that MS_BIND works. Let me know if this makes sense?

[carllerche]

To be honest, I forgot the context around mount and why I left it commented out :) It looks like the NixPath stuff got a little involved and maybe there were bugs around it initially?

What you are suggesting seems fine.

[kamalmarhubi]

Yeah, the NixPath stuff changed a bit. I'm not sure what it's meant to do, but I have some WIP towards re-enabling it. I'm on vacation, but I'll figure out where that is at and send a PR hopefully by new year. :-)

[kamalmarhubi]

I realised that the test won't be able to actually mount anything without superuser privileges (or CAP_SYS_ADMIN on linux). Best I can think of is Linux only: create a new user and mount namespace, allowing the process to mount some things for test purposes. This is what I'm putting together.

This will exclude non-Linux, as well as Linux without unprivileged user namespaces. Unfortunately, Arch, and default settings for Debian-derived systems will be out, but I think it's better than nothing.

[kamalmarhubi]

This will exclude non-Linux

I realised that existing bindings are Linux-only to begin with. In BSDs, the flags are different, and the unmount call is called unmount not umount.

[kamalmarhubi]

More niggles: MS_REMOUNT is not permitted from within a user namespace. This limits the tests I'll submit to:

• verify that MS_RDONLY, MS_NOEXEC work as expected
• verify that MS_BIND works
• use MS_BIND to verify that MS_RDONLY mounts allow executing (since MS_REMOUNT is out)

I haven't done any tests of MS_BIND yet, so this is still subject to change. Still have some investigation to see if I can test MS_NOSUID from an unprivileged process.

[kamalmarhubi]

I think testing MS_NOSUID is possible using newuidmap, but the overall setup to test that would be a little convoluted. I'm going to skip it, and submit a PR soon with the other tests mentioned above.

[kamalmarhubi]

use MS_BIND to verify that MS_RDONLY mounts allow executing (since MS_REMOUNT is out)

Having trouble getting this to work. My bind mount seems to have the same flags even though my reading of the man page says I should be able to set flags.