Merge pull request #126 from snapcore/ns-sharing

Add support module for namespace sharing

docs/snap-confine.rst

@@ -85,6 +85,13 @@ quirks:
   the execution environment. This allows various snaps, while running in
   devmode, to access the LXD socket. LP: #1613845
 
+Sharing of the mount namespace
+------------------------------
+
+As of version 1.0.41 all the applications from the same snap will share the
+same mount namespace. Applications from different snaps continue to use
+separate mount namespaces.
+
 ENVIRONMENT
 ===========
 
@@ -126,6 +133,41 @@ FILES
 
 	Description of the seccomp profile.
 
+`/run/snapd/ns/`:
+
+    Directory used to keep shared mount namespaces.
+
+    `snap-confine` internally converts this directory to a private bind mount.
+    Semantically the behavior is identical to the following mount commands:
+
+    mount --bind /run/snapd/ns /run/snapd/ns
+    mount --make-private /run/snapd/ns
+
+`/run/snapd/ns/.lock`:
+
+    A `flock(2)`-based lock file acquired to create and convert
+    `/run/snapd/ns/` to a private bind mount.
+
+`/run/snapd/ns/$SNAP_NAME.lock`:
+
+    A `flock(2)`-based lock file acquired to create or join the mount namespace
+    represented as `/run/snaps/ns/$SNAP_NAME.mnt`.
+
+`/run/snapd/ns/$SNAP_NAME.mnt`:
+
+    This file can be either:
+
+    - An empty file that may be seen before the mount namespace is preserved or
+      when the mount namespace is unmounted.
+    - A file belonging to the `nsfs` file system, representing a fully
+      populated mount namespace of a given snap. The file is bind mounted from
+      `/proc/self/ns/mnt` from the first process in any snap.
+
+`/proc/self/mountinfo`:
+
+    This file is read to decide if `/run/snapd/ns/` needs to be created and
+    converted to a private bind mount, as described above.
+
 Note that the apparmor profile is external to `snap-confine` and is loaded
 directly into the kernel. The actual apparmor profile is managed by `snapd`.
 

src/Makefile.am

@@ -25,7 +25,9 @@ snap_confine_SOURCES = \
 	quirks.c \
 	quirks.h \
 	mountinfo.c \
-	mountinfo.h
+	mountinfo.h \
+	ns-support.c \
+	ns-support.h
 
 snap_confine_CFLAGS = -Wall -Werror $(AM_CFLAGS)
 snap_confine_LDFLAGS = $(AM_LDFLAGS)
@@ -66,7 +68,8 @@ snap_confine_unit_tests_SOURCES = \
 	cleanup-funcs-test.c \
 	mount-support-test.c \
 	verify-executable-name-test.c \
-	mountinfo-test.c
+	mountinfo-test.c \
+	ns-support-test.c
 snap_confine_unit_tests_CFLAGS = $(snap_confine_CFLAGS) $(GLIB_CFLAGS)
 snap_confine_unit_tests_LDADD = $(snap_confine_LDADD) $(GLIB_LIBS)
 snap_confine_unit_tests_LDFLAGS = $(snap_confine_LDFLAGS)

src/cleanup-funcs.c

@@ -18,6 +18,7 @@
 #include "cleanup-funcs.h"
 
 #include <mntent.h>
+#include <unistd.h>
 
 void sc_cleanup_string(char **ptr)
 {
@@ -49,3 +50,8 @@ void sc_cleanup_closedir(DIR ** ptr)
 		closedir(*ptr);
 	}
 }
+
+void sc_cleanup_close(int *ptr)
+{
+	close(*ptr);
+}

src/cleanup-funcs.h

@@ -72,4 +72,12 @@ void sc_cleanup_seccomp_release(scmp_filter_ctx * ptr);
  **/
 void sc_cleanup_closedir(DIR ** ptr);
 
+/**
+ * Close an open file descriptor with close(2)
+ *
+ * This function is designed to be used with
+ * __attribute__((cleanup(sc_cleanup_close))).
+ **/
+void sc_cleanup_close(int *ptr);
+
 #endif

src/mountinfo.c

@@ -236,6 +236,8 @@ static struct mountinfo_entry *parse_mountinfo_entry(const char *line)
 	if ((entry->mount_opts = parse_next_string_field()) == NULL)
 		goto fail;
 	entry->optional_fields = &entry->line_buf[0] + total_used++;
+	// NOTE: This ensures that optional_fields is never NULL. If this changes,
+	// must adjust all callers of parse_mountinfo_entry() accordingly.
 	strcpy(entry->optional_fields, "");
 	for (;;) {
 		char *opt_field = parse_next_string_field();