From 97a36d1696982949722c6d6da1e5031d79e90b48 Mon Sep 17 00:00:00 2001
From: Andrei Vagin <avagin@google.com>
Date: Wed, 10 Feb 2021 16:30:22 -0800
Subject: Don't allow to umount the namespace root mount

Linux does the same thing.

Reported-by: syzbot+6c79385c930c929d1d9e@syzkaller.appspotmail.com
PiperOrigin-RevId: 356854562
---
 pkg/sentry/vfs/mount.go | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'pkg')

diff --git a/pkg/sentry/vfs/mount.go b/pkg/sentry/vfs/mount.go
index d865fd603..7063066ff 100644
--- a/pkg/sentry/vfs/mount.go
+++ b/pkg/sentry/vfs/mount.go
@@ -309,6 +309,11 @@ func (vfs *VirtualFilesystem) UmountAt(ctx context.Context, creds *auth.Credenti
 			vfs.mountMu.Unlock()
 			return syserror.EINVAL
 		}
+
+		if vd.mount == vd.mount.ns.root {
+			vfs.mountMu.Unlock()
+			return syserror.EINVAL
+		}
 	}
 
 	// TODO(gvisor.dev/issue/1035): Linux special-cases umount of the caller's
-- 
cgit v1.2.3