free_library_search();
mount_free();
+ cgroups_free();
/* we need to keep argv, envp and seccomp filter in child */
if (parent) { /* parent-only */
free_oci_envp(opts.jail_argv);
free_oci_envp(opts.envp);
- } else { /* child-only */
- if (opts.ocibundle)
- cgroups_free();
}
free_rlimits();
fprintf(stderr, " -E\t\tfail if jail cannot be setup\n");
fprintf(stderr, " -y\t\tprovide jail console\n");
fprintf(stderr, " -J <dir>\tcreate container from OCI bundle\n");
- fprintf(stderr, " -j\t\tstart container immediately\n");
+ fprintf(stderr, " -i\t\tstart container immediately\n");
fprintf(stderr, " -P <pidfile>\tcreate <pidfile>\n");
fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\
and he has the same powers as root outside the jail,\n\
if (opts.namespace & CLONE_NEWCGROUP)
unshare(CLONE_NEWCGROUP);
+ setns_open(CLONE_NEWCGROUP);
+
if ((opts.namespace & CLONE_NEWUSER) || (opts.setns.user != -1)) {
if (setregid(0, 0) < 0) {
ERROR("setgid\n");
}
if (opts.sysfs || opts.ocibundle)
- add_mount("sysfs", "/sys", "sysfs", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, 0, NULL, -1);
+ add_mount("sysfs", "/sys", "sysfs", MS_RELATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, 0, NULL, -1);
if (opts.ocibundle)
add_mount("shm", "/dev/shm", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV, 0, "mode=1777", -1);
if (opts.setns.time != -1) {
timens_fd = ns_open_pid("time", getpid());
setns_open(CLONE_NEWTIME);
+ } else {
+ timens_fd = -1;
}
#endif