Refuse to start in isolated mount namespace

Summary:
When `core:require-root-mount-namespace` is enabled (default false),
EdenFS refuses to start if either the daemon or privhelper is not in
the root mount namespace. Prevents the scenario from S626335 where
agents restarted EdenFS inside private mount namespaces, making all
mounts invisible to users.

Also adds namespace detection logging at startup and renames the
`DaemonStart` telemetry fields from `mount_namespace`/`pid_namespace`/
`is_root_mount_namespace` to `daemon_mount_namespace`/
`daemon_pid_namespace`/`is_daemon_in_root_mount_namespace`, and adds
`is_privhelper_in_root_mount_namespace`.

Reviewed By: muirdm, quark-zju

Differential Revision: D94545183

fbshipit-source-id: 0b306af539a20ebfeb82f5f4d34303c4942e0666

Author: MichaelCuevas

eden/fs/config/EdenConfig.h

@@ -288,6 +288,15 @@ class EdenConfig : private ConfigSettingManager {
       std::nullopt,
       this};
 
+  /**
+   * If true, EdenFS refuses to start when running in a non-root mount
+   * namespace.
+   */
+  ConfigSetting<bool> requireRootMountNamespace{
+      "core:require-root-mount-namespace",
+      false,
+      this};
+
   /**
    * Timeout value for a clean shutdown on SIGTERM. If the timeout elapses, we
    * exit immediately. Set to zero to revert to the old behavior where we

eden/fs/service/BUCK

@@ -14,6 +14,7 @@ cpp_library(
         "EdenMain.cpp",
     ],
     deps = [
+        "fbsource//third-party/fmt:fmt",
         ":init",
         ":startup_logger",
         ":startup_status_subscriber",

eden/fs/service/EdenMain.cpp

@@ -12,6 +12,7 @@
 
 #include <fb303/FollyLoggingHandler.h>
 #include <fb303/TFunctionStatHandler.h>
+#include <fmt/format.h>
 #include <folly/Conv.h>
 #include <folly/MapUtil.h>
 #include <folly/executors/FunctionScheduler.h>
@@ -102,6 +103,10 @@ std::optional<bool> checkIsRootMountNamespace() {
   return std::nullopt;
 }
 
+// Helper macro to convert optional to string for logging
+#define OPT_TO_STRING(opt) \
+  ((opt).has_value() ? folly::to<std::string>(*(opt)) : "nullopt")
+
 std::optional<std::string> readCgroup() {
   std::string contents;
   if (folly::readFile("/proc/self/cgroup", contents)) {
@@ -398,17 +403,14 @@ int runEdenMain(EdenMain&& main, int argc, char** argv) {
     daemonPidNamespace = getNamespaceInode("/proc/self/ns/pid");
     isDaemonInRootMountNamespace = checkIsRootMountNamespace();
   }
-  (void)isPrivhelperInRootMountNamespace;
-  (void)privhelperPidNamespace;
 #else
   std::optional<uint64_t> daemonMountNamespace;
   std::optional<uint64_t> daemonPidNamespace;
   std::optional<std::string> cgroupInfo;
   std::optional<bool> isDaemonInRootMountNamespace;
   std::optional<bool> isPrivhelperInRootMountNamespace;
+  std::optional<uint64_t> privhelperMountNamespace;
   std::optional<uint64_t> privhelperPidNamespace;
-  (void)isPrivhelperInRootMountNamespace;
-  (void)privhelperPidNamespace;
 #endif
 
   std::vector<std::string> originalCommandLine{argv, argv + argc};
@@ -511,6 +513,39 @@ int runEdenMain(EdenMain&& main, int argc, char** argv) {
           daemonPid, daemonMemoryPriority.value());
     }
 
+#ifdef __linux__
+    XLOGF(
+        DBG2,
+        "Namespace detection: daemon(mnt={}, pid={}), privhelper(mnt={}, pid={}), "
+        "rootMountNsInode={}, isDaemonInRootMountNamespace={}, "
+        "isPrivhelperInRootMountNamespace={}",
+        OPT_TO_STRING(daemonMountNamespace),
+        OPT_TO_STRING(daemonPidNamespace),
+        OPT_TO_STRING(privhelperMountNamespace),
+        OPT_TO_STRING(privhelperPidNamespace),
+        OPT_TO_STRING(rootMountNsInode),
+        OPT_TO_STRING(isDaemonInRootMountNamespace),
+        OPT_TO_STRING(isPrivhelperInRootMountNamespace));
+
+    if (edenConfig->requireRootMountNamespace.getValue()) {
+      // To avoid disruption, we assume that the daemon and privhelper are in
+      // the root mount namespace unless we can prove otherwise.
+      bool daemonInRootNs = isDaemonInRootMountNamespace.value_or(true);
+      bool privhelperInRootNs = isPrivhelperInRootMountNamespace.value_or(true);
+
+      if (!daemonInRootNs || !privhelperInRootNs) {
+        auto errorMsg = fmt::format(
+            "EdenFS cannot start: daemon in root mount namespace = {}, "
+            "privhelper in root mount namespace = {}.\n To allow this "
+            "behavior, set core.require-root-mount-namespace config to false",
+            daemonInRootNs,
+            privhelperInRootNs);
+        XLOG(ERR, errorMsg);
+        startupLogger->exitUnsuccessfully(kExitCodeError, errorMsg);
+      }
+    }
+#endif // __linux__
+
     server.emplace(
         std::move(originalCommandLine),
         std::move(identity),
@@ -538,7 +573,10 @@ int runEdenMain(EdenMain&& main, int argc, char** argv) {
               false /*success*/,
               daemonMountNamespace,
               daemonPidNamespace,
+              privhelperMountNamespace,
+              privhelperPidNamespace,
               isDaemonInRootMountNamespace,
+              isPrivhelperInRootMountNamespace,
               cgroupInfo});
     }
     startupLogger->exitUnsuccessfully(
@@ -573,7 +611,10 @@ int runEdenMain(EdenMain&& main, int argc, char** argv) {
            takeover = FLAGS_takeover,
            daemonMountNamespace,
            daemonPidNamespace,
+           privhelperMountNamespace,
+           privhelperPidNamespace,
            isDaemonInRootMountNamespace,
+           isPrivhelperInRootMountNamespace,
            cgroupInfo,
            &server] {
             // This value is slightly different from `startTimeInSeconds`
@@ -592,7 +633,10 @@ int runEdenMain(EdenMain&& main, int argc, char** argv) {
                     true /*success*/,
                     daemonMountNamespace,
                     daemonPidNamespace,
+                    privhelperMountNamespace,
+                    privhelperPidNamespace,
                     isDaemonInRootMountNamespace,
+                    isPrivhelperInRootMountNamespace,
                     cgroupInfo});
 
 #ifndef _WIN32

eden/fs/telemetry/LogEvent.h

@@ -185,39 +185,69 @@ struct DaemonStart : public EdenFSEvent {
   double duration = 0.0;
   bool is_takeover = false;
   bool success = false;
-  std::optional<uint64_t> mount_namespace;
-  std::optional<uint64_t> pid_namespace;
-  std::optional<bool> is_root_mount_namespace;
+  std::optional<uint64_t> daemon_mount_namespace;
+  std::optional<uint64_t> daemon_pid_namespace;
+  std::optional<uint64_t> privhelper_mount_namespace;
+  std::optional<uint64_t> privhelper_pid_namespace;
+  std::optional<bool> is_daemon_in_root_mount_namespace;
+  std::optional<bool> is_privhelper_in_root_mount_namespace;
   std::optional<std::string> cgroup;
 
   DaemonStart(
       double duration,
       bool is_takeover,
       bool success,
-      std::optional<uint64_t> mount_namespace = std::nullopt,
-      std::optional<uint64_t> pid_namespace = std::nullopt,
-      std::optional<bool> is_root_mount_namespace = std::nullopt,
+      std::optional<uint64_t> daemon_mount_namespace = std::nullopt,
+      std::optional<uint64_t> daemon_pid_namespace = std::nullopt,
+      std::optional<uint64_t> privhelper_mount_namespace = std::nullopt,
+      std::optional<uint64_t> privhelper_pid_namespace = std::nullopt,
+      std::optional<bool> is_daemon_in_root_mount_namespace = std::nullopt,
+      std::optional<bool> is_privhelper_in_root_mount_namespace = std::nullopt,
       std::optional<std::string> cgroup = std::nullopt)
       : duration(duration),
         is_takeover(is_takeover),
         success(success),
-        mount_namespace(mount_namespace),
-        pid_namespace(pid_namespace),
-        is_root_mount_namespace(is_root_mount_namespace),
+        daemon_mount_namespace(daemon_mount_namespace),
+        daemon_pid_namespace(daemon_pid_namespace),
+        privhelper_mount_namespace(privhelper_mount_namespace),
+        privhelper_pid_namespace(privhelper_pid_namespace),
+        is_daemon_in_root_mount_namespace(is_daemon_in_root_mount_namespace),
+        is_privhelper_in_root_mount_namespace(
+            is_privhelper_in_root_mount_namespace),
         cgroup(std::move(cgroup)) {}
 
   void populate(DynamicEvent& event) const override {
     event.addDouble("duration", duration);
     event.addBool("is_takeover", is_takeover);
     event.addBool("success", success);
-    if (mount_namespace.has_value()) {
-      event.addInt("mount_namespace", static_cast<int64_t>(*mount_namespace));
+    if (daemon_mount_namespace.has_value()) {
+      event.addInt(
+          "daemon_mount_namespace",
+          static_cast<int64_t>(*daemon_mount_namespace));
+    }
+    if (daemon_pid_namespace.has_value()) {
+      event.addInt(
+          "daemon_pid_namespace", static_cast<int64_t>(*daemon_pid_namespace));
+    }
+    if (privhelper_mount_namespace.has_value()) {
+      event.addInt(
+          "privhelper_mount_namespace",
+          static_cast<int64_t>(*privhelper_mount_namespace));
+    }
+    if (privhelper_pid_namespace.has_value()) {
+      event.addInt(
+          "privhelper_pid_namespace",
+          static_cast<int64_t>(*privhelper_pid_namespace));
     }
-    if (pid_namespace.has_value()) {
-      event.addInt("pid_namespace", static_cast<int64_t>(*pid_namespace));
+    if (is_daemon_in_root_mount_namespace.has_value()) {
+      event.addBool(
+          "is_daemon_in_root_mount_namespace",
+          *is_daemon_in_root_mount_namespace);
     }
-    if (is_root_mount_namespace.has_value()) {
-      event.addBool("is_root_mount_namespace", *is_root_mount_namespace);
+    if (is_privhelper_in_root_mount_namespace.has_value()) {
+      event.addBool(
+          "is_privhelper_in_root_mount_namespace",
+          *is_privhelper_in_root_mount_namespace);
     }
     if (cgroup.has_value()) {
       event.addString("cgroup", *cgroup);