open kafel file in each kafel subproc individually to avoid file pos sharing
This commit is contained in:
parent
6e63fd4115
commit
354c5ae47b
10
cmdline.c
10
cmdline.c
@ -368,7 +368,8 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) {
|
||||
.iface_vs_ip = "0.0.0.0",
|
||||
.iface_vs_nm = "255.255.255.0",
|
||||
.iface_vs_gw = "0.0.0.0",
|
||||
.kafel_file = NULL,
|
||||
.kafel_file_path = NULL,
|
||||
.kafel_file_ptr = NULL,
|
||||
.kafel_string = NULL,
|
||||
.orig_uid = getuid(),
|
||||
.num_cpus = sysconf(_SC_NPROCESSORS_ONLN),
|
||||
@ -740,8 +741,11 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) {
|
||||
nsjconf->cgroup_net_cls_parent = optarg;
|
||||
break;
|
||||
case 'P':
|
||||
if ((nsjconf->kafel_file = fopen(optarg, "r")) == NULL) {
|
||||
PLOG_F("Couldn't open '%s'", optarg);
|
||||
nsjconf->kafel_file_path = optarg;
|
||||
if (access(nsjconf->kafel_file_path, R_OK) == -1) {
|
||||
PLOG_E("kafel config file '%s' cannot be opened for reading",
|
||||
nsjconf->kafel_file_path);
|
||||
return false;
|
||||
}
|
||||
break;
|
||||
case 0x0901:
|
||||
|
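Review bot: The `access(nsjconf->kafel_file_path, R_OK)` check added in the `'P'` case is only an early usability check, not the authoritative one: `access()` tests against the real uid/gid and the file can change or be replaced between this call and the `fopen()` that now happens later in each child via `sandboxPrepare()`. That is fine as long as nobody later treats it as the security check, so I would make it explicit with `/* early feedback only; the file is (re)opened in every child by sandboxPrepare() */` above the `if`. The same pattern is used in the `configParseInternal` hunk below. The enclosing `switch` in `cmdlineParse` continues outside this hunk.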
@ -251,10 +251,10 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailC
|
||||
}
|
||||
|
||||
if (njc.has_seccomp_policy_file()) {
|
||||
if ((nsjconf->kafel_file = fopen(njc.seccomp_policy_file().c_str(), "rb")) ==
|
||||
NULL) {
|
||||
nsjconf->kafel_file_path = njc.seccomp_policy_file().c_str();
|
||||
if (access(nsjconf->kafel_file_path, R_OK) == -1) {
|
||||
PLOG_W("Couldn't open file with seccomp policy '%s'",
|
||||
njc.seccomp_policy_file().c_str());
|
||||
nsjconf->kafel_file_path);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
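Review bot: `nsjconf->kafel_file_path = njc.seccomp_policy_file().c_str();` stores a pointer into the protobuf message, but the path is now consumed much later, in each child by `sandboxPrepare()`, whereas before this commit it was only used for the immediate `fopen()`. If the `NsJailConfig` object `njc` refers to is a local of the caller (its lifetime is not visible in this hunk), the stored pointer dangles by the time the child opens the file and the jail would be started with a policy read from freed memory. Unless the message is guaranteed to outlive the jail, copy the path, e.g. `nsjconf->kafel_file_path = strdup(njc.seccomp_policy_file().c_str());` with a NULL check. The file header for this section is not shown and `configParseInternal` continues outside the hunk.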
5
nsjail.h
5
nsjail.h
@ -173,8 +173,9 @@ struct nsjconf_t {
|
||||
const char* cgroup_net_cls_mount;
|
||||
const char* cgroup_net_cls_parent;
|
||||
unsigned int cgroup_net_cls_classid;
|
||||
FILE* kafel_file;
|
||||
char* kafel_string;
|
||||
const char* kafel_file_path;
|
||||
FILE* kafel_file_ptr;
|
||||
const char* kafel_string;
|
||||
long num_cpus;
|
||||
uid_t orig_uid;
|
||||
TAILQ_HEAD(udmaplist, idmap_t)
|
||||
|
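Review bot: The two new `nsjconf_t` fields carry non-obvious lifetime and ownership rules that the header does not state: `kafel_file_path` is a borrowed pointer that must stay valid until every child has opened the file, and `kafel_file_ptr` is only ever set inside a child by `sandboxPrepare()` and stays NULL in the parent. I would document that inline, e.g. `const char* kafel_file_path; /* borrowed; must outlive the jail (argv or a copied string) */` and `FILE* kafel_file_ptr; /* opened per child in sandboxPrepare(); NULL in the parent */`, so that a future caller does not assign a short-lived string to the path or reuse the FILE* across processes.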
20
sandbox.c
20
sandbox.c
@ -34,18 +34,15 @@
|
||||
#endif /* PR_SET_NO_NEW_PRIVS */
|
||||
|
||||
static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) {
|
||||
if (nsjconf->kafel_file == NULL && nsjconf->kafel_string == NULL) {
|
||||
if (nsjconf->kafel_file_ptr == NULL && nsjconf->kafel_string == NULL) {
|
||||
return true;
|
||||
}
|
||||
struct sock_fprog seccomp_fprog;
|
||||
|
||||
kafel_ctxt_t ctxt = kafel_ctxt_create();
|
||||
|
||||
if (nsjconf->kafel_file != NULL) {
|
||||
if (fseek(nsjconf->kafel_file, 0L, SEEK_SET) == -1) {
|
||||
PLOG_W("fseek(kafel_file, 0, SEEK_SET)");
|
||||
}
|
||||
kafel_set_input_file(ctxt, nsjconf->kafel_file);
|
||||
if (nsjconf->kafel_file_ptr != NULL) {
|
||||
kafel_set_input_file(ctxt, nsjconf->kafel_file_ptr);
|
||||
} else {
|
||||
kafel_set_input_string(ctxt, nsjconf->kafel_string);
|
||||
}
|
||||
@ -69,3 +66,14 @@ static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) {
|
||||
}
|
||||
|
||||
bool sandboxApply(struct nsjconf_t* nsjconf) { return sandboxPrepareAndCommit(nsjconf); }
|
||||
|
||||
bool sandboxPrepare(struct nsjconf_t* nsjconf) {
|
||||
if (nsjconf->kafel_file_path == NULL) {
|
||||
return true;
|
||||
}
|
||||
if ((nsjconf->kafel_file_ptr = fopen(nsjconf->kafel_file_path, "r")) == NULL) {
|
||||
PLOG_W("Couldn't open kafel policy file '%s'", nsjconf->kafel_file_path);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
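Review bot: `sandboxPrepare()` opens the policy file in the child without close-on-exec and nothing in the visible hunks closes it, so unless `sandboxPrepareAndCommit()` (which continues outside the first hunk) calls `fclose()` after `kafel_compile()`, the jailed program inherits a readable descriptor to the host's policy file. Since this is Linux-only code, open it with the glibc `e` flag, `if ((nsjconf->kafel_file_ptr = fopen(nsjconf->kafel_file_path, "re")) == NULL) {`, and `fclose()` it once the policy has been compiled, setting `kafel_file_ptr` back to NULL. Opening per child also makes the removed `fseek()` unnecessary, which the first hunk already reflects.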
@ -27,5 +27,6 @@
|
||||
#include "nsjail.h"
|
||||
|
||||
bool sandboxApply(struct nsjconf_t* nsjconf);
|
||||
bool sandboxPrepare(struct nsjconf_t* nsjconf);
|
||||
|
||||
#endif /* NS_SANDBOX_H */
|
||||
|
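Review bot: The new `sandboxPrepare()` prototype has no comment, and its contract is the whole point of the commit: it must run in each child process before `sandboxApply()`, because a `FILE*` opened once in the parent would share its file position across all children. I would add above the declaration: `/* Opens the kafel policy file (if any) for this process; call in every child before sandboxApply(), never once in the parent, so children do not share a file position. Returns false if the file cannot be opened. */`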
@ -130,6 +130,9 @@ static bool subprocReset(void) {
|
||||
|
||||
static int subprocNewProc(
|
||||
struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err, int pipefd) {
|
||||
if (sandboxPrepare(nsjconf) == false) {
|
||||
_exit(0xff);
|
||||
}
|
||||
if (containSetupFD(nsjconf, fd_in, fd_out, fd_err) == false) {
|
||||
_exit(0xff);
|
||||
}
|
||||
|
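Review bot: `sandboxPrepare(nsjconf)` now runs before `containSetupFD()` in `subprocNewProc`, so the descriptor behind `kafel_file_ptr` is allocated before stdin/stdout/stderr are set up; if the parent was started with any of fds 0–2 closed, `fopen()` receives one of those numbers and the subsequent `dup2()` onto it in `containSetupFD()` (not visible here) would silently replace the policy file with `fd_in`/`fd_out`/`fd_err`, and the later read of the policy would fail. If that ordering is not required for another reason, calling `sandboxPrepare()` after `containSetupFD()` avoids the collision; otherwise a comment such as `/* NOTE: runs before FD setup; requires fds 0-2 to be open in the parent */` should record the assumption. `subprocNewProc` continues outside the hunk.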