linux: add 'at_symlink_nofollow' bind mount option

giuseppe · giuseppe · commit 8315cafa962d · 2025-05-26T11:57:42.000+02:00
This option enables bind-mounting a source symbolic link itself (not its target) onto a destination path. If the destination path is also a symbolic link, it is replaced by the mount rather than being dereferenced. This is useful for precisely controlling symlink handling during mounts, such as when needing to overlay a container's symlink with a mount of a host's symlink. The implementation ensures that if the source is a symlink and this option is active, the symlink's nature is preserved in the mount. Closes: containers#1761 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
diff --git a/crun.1 b/crun.1
@@ -661,6 +661,17 @@ destination instead of attempting a mount that would resolve the
 symlink itself.  If the destination already exists and it is not a
 symlink with the expected content, crun will return an error.
 
+.SH at_symlink_nofollow
+When this option is specified for a bind mount, and the source of the
+bind mount is a symbolic link, \fBcrun\fR will mount the symbolic link
+itself at the target destination, rather than the file or directory
+the symbolic link points to.  This is achieved by using the
+\fBAT_SYMLINK_NOFOLLOW\fR flag during the mount operation, specifically
+with the \fBopen_tree(2)\fR system call in conjunction with
+\fBOPEN_TREE_CLONE\fR\&.  If the source of the bind mount is not a symbolic
+link, this option has no practical effect on the mount's target but
+will still be passed to \fBopen_tree(2)\fR\&.
+
 .SH r$FLAG mount options
 If a \fBr$FLAG\fR mount option is specified then the flag \fB$FLAG\fR is set
 recursively for each children mount.
diff --git a/crun.1.md b/crun.1.md
@@ -571,6 +571,17 @@ destination instead of attempting a mount that would resolve the
 symlink itself.  If the destination already exists and it is not a
 symlink with the expected content, crun will return an error.
 
+## at_symlink_nofollow
+When this option is specified for a bind mount, and the source of the
+bind mount is a symbolic link, `crun` will mount the symbolic link
+itself at the target destination, rather than the file or directory
+the symbolic link points to.  This is achieved by using the
+`AT_SYMLINK_NOFOLLOW` flag during the mount operation, specifically
+with the `open_tree(2)` system call in conjunction with
+`OPEN_TREE_CLONE`.  If the source of the bind mount is not a symbolic
+link, this option has no practical effect on the mount's target but
+will still be passed to `open_tree(2)`.
+
 ## r$FLAG mount options
 
 If a `r$FLAG` mount option is specified then the flag `$FLAG` is set
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -2116,7 +2116,7 @@ do_mounts (libcrun_container_t *container, int rootfsfd, const char *rootfs, lib
               path = proc_buf;
             }
 
-          ret = get_file_type (&src_mode, (extra_flags & OPTION_COPY_SYMLINK) ? true : false, path);
+          ret = get_file_type (&src_mode, (extra_flags & (OPTION_AT_SYMLINK_NOFOLLOW | OPTION_COPY_SYMLINK)) ? true : false, path);
           if (UNLIKELY (ret < 0))
             return crun_make_error (err, errno, "cannot stat `%s`", path);
 
@@ -2125,20 +2125,45 @@ do_mounts (libcrun_container_t *container, int rootfsfd, const char *rootfs, lib
 
       if (S_ISLNK (src_mode))
         {
-          cleanup_free char *target = NULL;
-          ssize_t len;
+          if (extra_flags & OPTION_COPY_SYMLINK)
+            {
+              cleanup_free char *target = NULL;
+              ssize_t len;
 
-          /* If we got here, it means the OPTION_COPY_SYMLINK was provided, so we need to copy the origin
-             symlink instead of performing the mount operation.  */
-          len = safe_readlinkat (AT_FDCWD, def->mounts[i]->source, &target, 0, err);
-          if (UNLIKELY (len < 0))
-            return len;
+              /* If we got here, it means the OPTION_COPY_SYMLINK was provided, so we need to copy the origin
+                 symlink instead of performing the mount operation.  */
+              len = safe_readlinkat (AT_FDCWD, def->mounts[i]->source, &target, 0, err);
+              if (UNLIKELY (len < 0))
+                return len;
 
-          ret = safe_create_symlink (rootfsfd, rootfs, target, def->mounts[i]->destination, err);
-          if (UNLIKELY (ret < 0))
-            return ret;
+              ret = safe_create_symlink (rootfsfd, rootfs, target, def->mounts[i]->destination, err);
+              if (UNLIKELY (ret < 0))
+                return ret;
+
+              mounted = true;
+            }
+          else if (extra_flags & OPTION_AT_SYMLINK_NOFOLLOW)
+            {
+              cleanup_close int srcfd = -1;
 
-          mounted = true;
+              ret = get_bind_mount (AT_FDCWD, def->mounts[i]->source, true, true, true, err);
+              if (UNLIKELY (ret < 0))
+                return ret;
+
+              srcfd = ret;
+
+              ret = safe_openat (rootfsfd, rootfs, target, O_PATH | O_NOFOLLOW | O_CLOEXEC, 0, err);
+              if (UNLIKELY (ret < 0))
+                return ret;
+
+              targetfd = ret;
+
+              ret = fs_move_mount_to (srcfd, targetfd, NULL);
+              if (UNLIKELY (ret < 0))
+                return crun_make_error (err, errno, "move mount to `%s`", def->mounts[i]->destination);
+
+              mounted = true;
+            }
         }
       else if (is_sysfs_or_proc)
         {
diff --git a/tests/test_mounts.py b/tests/test_mounts.py
@@ -124,20 +124,20 @@ def test_ro_cgroup():
                 add_all_namespaces(conf, cgroupns=cgroupns, netns=netns)
                 mounts = [
                     {
-	                "destination": "/sys",
-	                "type": "sysfs",
-	                "source": "sysfs",
-	                "options": [
-		            "nosuid",
-		            "noexec",
-		            "nodev",
-		            "ro"
-	                ]
-	            },
+                        "destination": "/sys",
+                        "type": "sysfs",
+                        "source": "sysfs",
+                        "options": [
+                            "nosuid",
+                            "noexec",
+                            "nodev",
+                            "ro"
+                        ]
+                    },
                     {
-	                "destination": "/proc",
-	                "type": "proc"
-	            }
+                        "destination": "/proc",
+                        "type": "proc"
+                    }
                 ]
 
                 if has_cgroup_mount:
@@ -556,28 +556,28 @@ def test_cgroup_mount_without_netns():
         add_all_namespaces(conf, cgroupns=cgroupns, netns=False)
         mounts = [
             {
-	        "destination": "/proc",
-	        "type": "proc"
-	    },
+                "destination": "/proc",
+                "type": "proc"
+            },
             {
-	        "destination": "/sys",
-	        "type": "bind",
-	        "source": "/sys",
-	        "options": [
+                "destination": "/sys",
+                "type": "bind",
+                "source": "/sys",
+                "options": [
                     "rprivate",
                     "nosuid",
                     "noexec",
                     "nodev",
                     "ro",
                     "rbind"
-	        ]
-	    },
+                ]
+            },
             {
                 "destination": "/sys/fs/cgroup",
                 "type": "cgroup",
                 "source": "cgroup",
                 "options": [
-	            "rprivate",
+                    "rprivate",
                     "nosuid",
                     "noexec",
                     "nodev",
@@ -676,6 +676,33 @@ def test_mount_help():
     
     return 0
 
+def test_bind_mount_symlink_nofollow():
+    root = get_tests_root()
+    symlink = os.path.join(root, "a-symlink")
+    target_content = "content-of-symlink"
+
+    os.symlink(target_content, symlink)
+
+    def prepare_rootfs(rootfs):
+        path = os.path.join(rootfs, "symlink")
+        os.symlink("point-to-nowhere", path)
+
+    conf = base_config()
+    conf['process']['args'] = ['/init', 'readlink', '/symlink']
+    add_all_namespaces(conf)
+    mount_opt = {"destination": "/symlink", "type": "bind", "source": symlink, "options": ["bind", "at_symlink_nofollow"]}
+    conf['mounts'].append(mount_opt)
+
+    try:
+        out, _ = run_and_get_output(conf, hide_stderr=True,callback_prepare_rootfs=prepare_rootfs)
+        sys.stderr.write("got output %s\n" % out)
+        if target_content in out:
+            return 0
+    except Exception as e:
+        sys.stderr.write("error %s\n" % e)
+        pass
+    return -1
+
 all_tests = {
     "mount-ro" : test_mount_ro,
     "mount-rro" : test_mount_rro,
@@ -703,6 +730,7 @@ def test_mount_help():
     "mount-ro-cgroup": test_ro_cgroup,
     "mount-cgroup-without-netns": test_cgroup_mount_without_netns,
     "mount-copy-symlink": test_copy_symlink,
+    "mount-bind-mount-symlink-nofollow": test_bind_mount_symlink_nofollow,
     "mount-tmpfs-permissions": test_mount_tmpfs_permissions,
     "mount-add-remove-mounts": test_add_remove_mounts,
     "mount-help": test_mount_help,
