From a035b52a0dfd88b0383e22edcfc9f0c42d8129b2 Mon Sep 17 00:00:00 2001
From: Steven Armstrong
Date: Sat, 14 Sep 2013 21:55:51 +0200
Subject: [PATCH] better mounting of virtual filesystems in chroot

Signed-off-by: Steven Armstrong
---
 cdist/conf/type/__chroot_mount/gencode-remote | 20 +++++++++++++++----
 .../conf/type/__chroot_umount/gencode-remote | 11 ++++++----
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/cdist/conf/type/__chroot_mount/gencode-remote b/cdist/conf/type/__chroot_mount/gencode-remote
index ec0b83ae..6d855f41 100755
--- a/cdist/conf/type/__chroot_mount/gencode-remote
+++ b/cdist/conf/type/__chroot_mount/gencode-remote
@@ -23,13 +23,25 @@ chroot="/$__object_id"
 cat << DONE
 # Prepare chroot
 [ -d "${chroot}/proc" ] || mkdir "${chroot}/proc"
-mount -t proc none "${chroot}/proc"
+mountpoint -q "${chroot}/proc" \
+ || mount -t proc -o nosuid,noexec,nodev proc "${chroot}/proc"
+
 [ -d "${chroot}/sys" ] || mkdir "${chroot}/sys"
-mount -t sysfs none "${chroot}/sys"
+mountpoint -q "${chroot}/sys" \
+ || mount -t sysfs -o nosuid,noexec,nodev sys "${chroot}/sys"
+
 [ -d "${chroot}/dev" ] || mkdir "${chroot}/dev"
-mount --rbind /dev "${chroot}/dev"
+mountpoint -q "${chroot}/dev" \
+ || mount -t devtmpfs -o mode=0755,nosuid udev "${chroot}/dev"
+
+[ -d "${chroot}/dev/pts" ] || mkdir "${chroot}/dev/pts"
+mountpoint -q "${chroot}/dev/pts" \
+ || mount -t devpts -o mode=0620,gid=5,nosuid,noexec devpts "${chroot}/dev/pts"
+
 [ -d "${chroot}/tmp" ] || mkdir -m 1777 "${chroot}/tmp"
-mount -t tmpfs none "${chroot}/tmp"
+mountpoint -q "${chroot}/tmp" \
+ || mount -t tmpfs -o mode=1777,strictatime,nodev,nosuid tmpfs "${chroot}/tmp"
+
 if [ ! -f "${chroot}/etc/resolv.conf" ]; then
 cp /etc/resolv.conf "${chroot}/etc/"
 fi
diff --git a/cdist/conf/type/__chroot_umount/gencode-remote b/cdist/conf/type/__chroot_umount/gencode-remote
index aad9ac76..caf2c40c 100755
--- a/cdist/conf/type/__chroot_umount/gencode-remote
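Review bot: The `mountpoint -q` guards make the generated script idempotent, but they also mean an already-mounted `${chroot}/dev` (for example a `--rbind /dev` left behind by the previous version of this type, or an operator's manual mount) is kept as-is, so the new `nosuid`/`noexec`/`nodev` options are only applied on a fresh run; that is worth stating in the heredoc, e.g. `# existing mounts are left untouched: run __chroot_umount first if the mount options must be re-applied`. The devpts line hard-codes `gid=5`, which presumably is meant to be the target chroot's `tty` group but is a distribution convention rather than a guarantee, so a one-line comment naming that assumption would help the next maintainer. Note also that inside the unquoted `cat << DONE` heredoc a trailing `\` acts as a line continuation, so each guard and its `mount` reach the remote side joined on one line; that works, but it is easy to misread when debugging the generated code.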
+++ b/cdist/conf/type/__chroot_umount/gencode-remote
@@ -22,12 +22,15 @@ chroot="/$__object_id"
 cat << DONE
 umount -l "${chroot}/tmp"
+umount -l "${chroot}/dev/pts"
 umount -l "${chroot}/dev"
 umount -l "${chroot}/sys"
 umount -l "${chroot}/proc"
 rm -f "${chroot}/etc/resolv.conf"
-# ensure /etc/resolvconf/resolv.conf.d/tail is not linked to \
-# e.g. /etc/resolvconf/resolv.conf.d/original
-rm -f "${chroot}/etc/resolvconf/resolv.conf.d/tail"
-touch "${chroot}/etc/resolvconf/resolv.conf.d/tail"
+if [ -d "${chroot}/etc/resolvconf/resolv.conf.d" ]; then
+ # ensure /etc/resolvconf/resolv.conf.d/tail is not linked to \
+ # e.g. /etc/resolvconf/resolv.conf.d/original
+ rm -f "${chroot}/etc/resolvconf/resolv.conf.d/tail"
+ touch "${chroot}/etc/resolvconf/resolv.conf.d/tail"
+fi
 DONE
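Review bot: The umount side is not guarded the way the new mount side is: `umount -l "${chroot}/dev/pts"` and the four `umount -l` lines around it run unconditionally, so a partially mounted or already unmounted chroot makes them fail, and whether that aborts the generated script depends on how cdist executes remote code, which is not visible in this hunk. Mirroring the mount type with `! mountpoint -q "${chroot}/dev/pts" || umount -l "${chroot}/dev/pts"` for each of the five entries keeps the script idempotent in both directions. Separately, `-l` (lazy) detaches a busy mount and still returns success, so host device nodes under `${chroot}/dev` can remain reachable by processes still running inside the chroot while the type reports the teardown as complete; trying a plain `umount` first and falling back to `-l` would surface that condition instead of hiding it.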