add chroot
Signed-off-by: Jess Frazelle <acidburn@google.com>
diff --git a/README.md b/README.md
index 0d072d3..86070a5 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,7 @@
Range -> 65536
Capabilities:
BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap
+Chroot/PivotRoot: true
$ docker run --rm -it --pid host r.j3ss.co/amicontained
Container Runtime: docker
@@ -59,6 +60,7 @@
User Namespace: false
Capabilities:
BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap
+Chroot/PivotRoot: true
$ docker run --rm -it --security-opt "apparmor=unconfined" r.j3ss.co/amicontained
Container Runtime: docker
@@ -67,6 +69,34 @@
User Namespace: false
Capabilities:
BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap
+Chroot/PivotRoot: true
+```
+
+**lxc**
+
+```console
+$ lxc-attach -n xenial
+root@xenial:/# amicontained
+Container Runtime: lxc
+Host PID Namespace: false
+AppArmor Profile: none
+User Namespace: true
+User Namespace Mappings:
+ Container -> 0 Host -> 100000 Range -> 65536
+Capabilities:
+ BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_tty_config mknod lease audit_write audit_control setfcap syslog wake_alarm block_suspend audit_read
+Chroot/PivotRoot: true
+
+$ lxc-execute -n xenial -- /bin/amicontained
+Container Runtime: lxc
+Host PID Namespace: false
+AppArmor Profile: none
+User Namespace: true
+User Namespace Mappings:
+ Container -> 0 Host -> 100000 Range -> 65536
+Capabilities:
+ BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_tty_config mknod lease audit_write audit_control setfcap syslog wake_alarm block_suspend audit_read
+Chroot/PivotRoot: true
```
**unshare**
@@ -84,4 +114,5 @@
Range -> 1
Capabilities:
BOUNDING -> chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+Chroot/PivotRoot: false
```
diff --git a/container/container.go b/container/container.go
index 4b1e7b8..8694399 100644
--- a/container/container.go
+++ b/container/container.go
@@ -186,7 +186,8 @@
return allowedCaps, nil
}
-// Chroot detects if we are running in a chroot.
+// Chroot detects if we are running in a chroot or a pivot_root.
+// Currently, we can not distinguish between the two.
func Chroot() (bool, error) {
var a, b syscall.Stat_t
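Review bot: The reworded doc comment says chroot and pivot_root cannot be told apart, but it still does not say what the returned bool actually reports or when it is false, which is the information a caller of a security probe needs. Chroot's body continues outside the hunk, so the detection method is not visible here; presumably the two `syscall.Stat_t` values declared on the next line are compared, in which case a sentence along the lines of `// The result is inferred from inode/device comparison, so false means "not detected", not "no chroot occurred"; err is returned when the stat calls themselves fail.` (adjusted to what the body does) would make the contract explicit. The same hedge belongs in the README where the new "Chroot/PivotRoot" line is documented.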
diff --git a/main.go b/main.go
index a1a4792..0589088 100644
--- a/main.go
+++ b/main.go
@@ -110,6 +110,13 @@
}
}
}
+
+ // Chroot
+ chroot, err := container.Chroot()
+ if err != nil {
+ logrus.Debugf("chroot check error: %v", err)
+ }
+ fmt.Printf("Chroot/PivotRoot: %t\n", chroot)
}
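Review bot: When container.Chroot() returns an error, `chroot` is the zero value and the next line prints `Chroot/PivotRoot: false`, so a failed check is reported as a confident negative while the only trace of the failure is a Debugf line that is hidden at the default log level. Since the tool's output is read as a security assessment, an undetermined result should not look like a clean one; print the verdict only on success and print `Chroot/PivotRoot: unknown` in the error branch, i.e. move `fmt.Printf("Chroot/PivotRoot: %t\n", chroot)` into an `else` after the `if err != nil` block and add `fmt.Println("Chroot/PivotRoot: unknown")` next to the Debugf. The enclosing function starts outside the hunk, so check that `chroot, err :=` does not shadow an `err` whose later use expects this assignment.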
func usageAndExit(message string, exitCode int) {