libmount: use fd_target in hook_idmap for move_mount()
authorKarel Zak <kzak@redhat.com>
Wed, 27 May 2026 10:21:02 +0000 (12:21 +0200)
committerKarel Zak <kzak@redhat.com>
Tue, 16 Jun 2026 09:15:37 +0000 (11:15 +0200)
Use the pinned fd_target with MOVE_MOUNT_T_EMPTY_PATH for restricted
users instead of string-based move_mount().  Re-open the target fd
after mount to point to the mounted filesystem root.

Signed-off-by: Karel Zak <kzak@redhat.com>
libmount/src/hook_idmap.c

index b620795271e24afe89a294c08a966f6357a2d47b..88c04e14c552eea375c8713c49c4226281433c2f 100644 (file)
@@ -352,10 +352,25 @@ static int hook_mount_post(
 
        /* Attach the idmapped mount. */
        if (is_private) {
+               unsigned int mmflags = MOVE_MOUNT_F_EMPTY_PATH;
+
                /* Unmount the old, non-idmapped mount we just cloned and idmapped. */
                umount2(target, MNT_DETACH);
 
-               rc = move_mount(fd_tree, "", -1, target, MOVE_MOUNT_F_EMPTY_PATH);
+               if (mnt_context_target_fd_required(cxt)) {
+                       int fd_tgt = mnt_context_get_target_fd(cxt);
+
+                       if (fd_tgt < 0) {
+                               rc = -errno;
+                               goto done;
+                       }
+                       mmflags |= MOVE_MOUNT_T_EMPTY_PATH;
+                       rc = move_mount(fd_tree, "", fd_tgt, "", mmflags);
+               } else
+                       rc = move_mount(fd_tree, "", AT_FDCWD, target, mmflags);
+
+               if (rc == 0)
+                       rc = mnt_context_reopen_target_fd(cxt);
                if (rc < 0) {
                        mnt_context_syscall_save_status(cxt, "move_mount", 0);
                        if (!mnt_context_read_mesgs(cxt, fd_tree)) {
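Review bot: In the `is_private` branch, `umount2(target, MNT_DETACH)` still resolves the target by path and runs before `mnt_context_get_target_fd()` is checked, so for restricted users the detach step remains string-based, and a failure to obtain the fd leaves the target with the old mount already detached. Fetching and validating `fd_tgt` before the `umount2()` call would make that failure non-destructive. `rc = -errno` is only correct if `mnt_context_get_target_fd()` sets errno, which the hunk does not show; if it returns a negative error code, `rc = fd_tgt;` is safer, because a stale errno of 0 would reach `done` as success. When `move_mount()` succeeds but `mnt_context_reopen_target_fd()` fails, the shared `rc < 0` path saves the status under "move_mount" and reads messages from `fd_tree`, so a separate check for the reopen step would keep the recorded failure accurate. The body of hook_mount_post starts and ends outside this hunk.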