From 1de11e6b16d34ecebde794d66711b5778c953621 Mon Sep 17 00:00:00 2001
From: Allison Karlitskaya
Date: Thu, 19 Dec 2024 14:39:08 +0100
Subject: [PATCH] cli: open root filesystem as `root`
Instead of opening "/" and using it for the `root` variable in the main CLI function, use `open_tree()` to create a non-recursive mountpoint to operate on instead. This lets us operate directly on the container image filesystem and not on the unified view with all the bind mounts set up by the container runtime. This impacts the following operations: - lint - internals systemd-generator - internals fixup-etc-fstab
Signed-off-by: Allison Karlitskaya
---
 lib/src/cli.rs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/src/cli.rs b/lib/src/cli.rs
index 0ce2660d4..aad8bce67 100644
--- a/lib/src/cli.rs
+++ b/lib/src/cli.rs
@@ -25,6 +25,7 @@ use serde::{Deserialize, Serialize};
 use crate::deploy::RequiredHostSpec;
 use crate::lints;
+use crate::mount::open_tree;
 use crate::progress_jsonl::{ProgressWriter, RawProgressFd};
 use crate::spec::Host;
 use crate::spec::ImageReference;
@@ -991,7 +992,9 @@ impl Opt {
 /// Internal (non-generic/monomorphized) primary CLI entrypoint
 async fn run_from_opt(opt: Opt) -> Result<()> {
- let root = &Dir::open_ambient_dir("/", cap_std::ambient_authority())?;
+ // We want to open *only* the root filesystem of the container image
+ // ie: without /sys, /proc, /etc/resolve.conf bind mounts, etc.
+ let root: Dir = open_tree("/".into(), false)?.into();
 match opt {
 Opt::Upgrade(opts) => upgrade(opts).await,
 Opt::Switch(opts) => switch(opts).await,
@@ -1006,7 +1009,7 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
 );
 }
- lints::lint(root)?;
+ lints::lint(&root)?;
 Ok(())
 }
 },
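Review bot: `let root: Dir = open_tree("/".into(), false)?.into();` sits at the top of `run_from_opt`, before `match opt`, so a failure to create the detached tree now aborts every subcommand, not only the three operations the commit message lists. Cloning a mount with open_tree(2) normally requires CAP_SYS_ADMIN and a kernel and seccomp policy that permit the syscall, whereas the removed `Dir::open_ambient_dir("/", …)` worked for any caller; `crate::mount::open_tree` is not visible here, so this should be confirmed against its implementation. Creating the tree only inside the arms that consume `root` (lint, the systemd generator and fixup-etc-fstab) would keep unprivileged or sandboxed invocations of the other subcommands working. The bare `false` would read better with a short comment naming the parameter, and the new comment misspells `/etc/resolv.conf` as `/etc/resolve.conf`. The body of `run_from_opt` continues outside this hunk.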
@@ -1071,7 +1074,7 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
 late_dir: _,
 } => {
 let unit_dir = &Dir::open_ambient_dir(normal_dir, cap_std::ambient_authority())?;
- crate::generator::generator(root, unit_dir)
+ crate::generator::generator(&root, unit_dir)
 }
 InternalsOpts::OstreeExt { args } => {
 ostree_ext::cli::run_from_iter(["ostree-ext".into()].into_iter().chain(args)).await
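Review bot: `crate::generator::generator(&root, unit_dir)` now receives a non-recursive view of `/`, so any path the generator resolves through `root` that lives on a separate mount will appear empty or missing. The generator presumably runs on a booted host rather than in a container build, where directories such as `/run` or `/var` are commonly their own mounts; its code is not shown in this hunk, so whether it reads such paths is an assumption to verify. If it does, it would silently take the "nothing to do" path instead of failing. A comment at this call site such as `// root is a detached, non-recursive tree: submounts are not visible through it` would document the constraint, along with a test that runs the generator against a root containing a submount. The enclosing match arm starts and ends outside the hunk.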