Fix #2285: linux-sandbox-pid1.cc:398: remount: Operation not permitted

Seems like on Ubuntu 16.04 we have to ignore EPERM on failed remounts, too. -- PiperOrigin-RevId: 146354561 MOS_MIGRATED_REVID=146354561
author: Philipp Wollermann <philwo@google.com> 2017-02-02 13:40:50 +0000
committer: Yun Peng <pcloudy@google.com> 2017-02-02 17:00:28 +0000
commit: 5a181c08d6a25bf773bad67c06635593b79debab (patch)
tree: d58904c28903739c27f73bf0f571818a5e6d23e1 /src/main/tools
parent: b99907661b785b0423cb2474da73205595b91fdd (diff)
1 files changed, 13 insertions, 12 deletions
diff --git a/src/main/tools/linux-sandbox-pid1.cc b/src/main/tools/linux-sandbox-pid1.cc
index 68909842e9..a85d63ccb8 100644
--- a/src/main/tools/linux-sandbox-pid1.cc
+++ b/src/main/tools/linux-sandbox-pid1.cc
@@ -386,18 +386,19 @@ static void MakeFilesystemMostlyReadOnly() {
     PRINT_DEBUG("remount %s: %s", (mountFlags & MS_RDONLY) ? "ro" : "rw",
                 ent->mnt_dir);
     if (mount(NULL, ent->mnt_dir, NULL, mountFlags, NULL) < 0) {
-      // If we get EACCES, this might be a mount-point for which we don't have
-      // read access. Not much we can do about this, but it also won't do any
-      // harm, so let's go on. The same goes for EINVAL, which is fired in case
-      // a later mount overlaps an earlier mount, e.g. consider the case of
-      // /proc, /proc/sys/fs/binfmt_misc and /proc, with the latter /proc being
-      // the one that an outer sandbox has mounted on top of its parent /proc.
-      // In that case, we're not allowed to remount /proc/sys/fs/binfmt_misc,
-      // because it is hidden. If we get ESTALE, the mount is a broken NFS
-      // mount. In the ideal case, the user would either fix or remove that
-      // mount, but in cases where that's not possible, we should just ignore
-      // it.
-      if (errno != EACCES && errno != EINVAL && errno != ESTALE) {
+      // If we get EACCES or EPERM, this might be a mount-point for which we
+      // don't have read access. Not much we can do about this, but it also
+      // won't do any harm, so let's go on. The same goes for EINVAL, which is
+      // fired in case a later mount overlaps an earlier mount, e.g. consider
+      // the case of /proc, /proc/sys/fs/binfmt_misc and /proc, with the latter
+      // /proc being the one that an outer sandbox has mounted on top of its
+      // parent /proc. In that case, we're not allowed to remount
+      // /proc/sys/fs/binfmt_misc, because it is hidden. If we get ESTALE, the
+      // mount is a broken NFS mount. In the ideal case, the user would either
+      // fix or remove that mount, but in cases where that's not possible, we
+      // should just ignore it.
+      if (errno != EACCES && errno != EINVAL && errno != ESTALE &&
+          errno != EPERM) {
         DIE("remount(NULL, %s, NULL, %d, NULL)", ent->mnt_dir, mountFlags);
       }
     }
author	Philipp Wollermann <philwo@google.com>	2017-02-02 13:40:50 +0000
committer	Yun Peng <pcloudy@google.com>	2017-02-02 17:00:28 +0000
commit	5a181c08d6a25bf773bad67c06635593b79debab (patch)
tree	d58904c28903739c27f73bf0f571818a5e6d23e1 /src/main/tools
parent	b99907661b785b0423cb2474da73205595b91fdd (diff)