diff --git a/cmdline.cc b/cmdline.cc index b24a549..17ed5d7 100644 --- a/cmdline.cc +++ b/cmdline.cc @@ -242,7 +242,7 @@ void logParams(nsjconf_t* nsjconf) { logYesNo(nsjconf->disable_no_new_privs), nsjconf->max_cpus); for (const auto& p : nsjconf->mountpts) { - LOG_I("%s: %s", p.isSymlink ? "Symlink" : "Mount point", + LOG_I("%s: %s", p.is_symlink ? "Symlink" : "Mount point", mnt::describeMountPt(p).c_str()); } for (const auto& uid : nsjconf->uids) { @@ -603,11 +603,11 @@ std::unique_ptr parseArgs(int argc, char* argv[]) { if (dst.empty()) { dst = src; } - if (!mnt::addMountPtTail(nsjconf.get(), src.c_str(), dst.c_str(), - /* fs_type= */ "", /* options= */ "", - MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY, - /* isDir= */ mnt::NS_DIR_MAYBE, /* mandatory= */ true, NULL, NULL, - NULL, 0, /* is_symlink= */ false)) { + if (!mnt::addMountPtTail(nsjconf.get(), src, dst, /* fs_type= */ "", + /* options= */ "", MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY, + /* is_dir= */ mnt::NS_DIR_MAYBE, /* is_mandatory= */ true, + /* src_env= */ "", /* dst_env= */ "", /* src_content= */ "", + /* is_symlink= */ false)) { return nullptr; } }; break; @@ -617,18 +617,19 @@ std::unique_ptr parseArgs(int argc, char* argv[]) { if (dst.empty()) { dst = src; } - if (!mnt::addMountPtTail(nsjconf.get(), src.c_str(), dst.c_str(), - /* fs_type= */ "", /* options= */ "", MS_BIND | MS_REC | MS_PRIVATE, - /* isDir= */ mnt::NS_DIR_MAYBE, /* mandatory= */ true, NULL, NULL, - NULL, 0, /* is_symlink= */ false)) { + if (!mnt::addMountPtTail(nsjconf.get(), src, dst, /* fs_type= */ "", + /* options= */ "", MS_BIND | MS_REC | MS_PRIVATE, + /* is_dir= */ mnt::NS_DIR_MAYBE, /* is_mandatory= */ true, + /* src_env= */ "", /* dst_env= */ "", /* src_content= */ "", + /* is_symlink= */ false)) { return nullptr; } }; break; case 'T': { - if (!mnt::addMountPtTail(nsjconf.get(), /* src= */ NULL, optarg, "tmpfs", + if (!mnt::addMountPtTail(nsjconf.get(), /* src= */ "", optarg, "tmpfs", /* options= */ cmdlineTmpfsSz, /* flags= */ 0, - /* isDir= */ mnt::NS_DIR_YES, - /* mandatory= */ true, NULL, NULL, NULL, 0, + /* is_dir= */ mnt::NS_DIR_YES, /* is_mandatory= */ true, + /* src_env= */ "", /* dst_env= */ "", /* src_content= */ "", /* is_symlink= */ false)) { return nullptr; } @@ -641,11 +642,11 @@ std::unique_ptr parseArgs(int argc, char* argv[]) { } std::string fs_type = argByColon(optarg, 2); std::string options = argByColon(optarg, 3); - if (!mnt::addMountPtTail(nsjconf.get(), src.c_str(), dst.c_str(), - /* fs_type= */ fs_type.c_str(), /* options= */ options.c_str(), - /* flags= */ 0, - /* isDir= */ mnt::NS_DIR_MAYBE, /* mandatory= */ true, NULL, NULL, - NULL, 0, /* is_symlink= */ false)) { + if (!mnt::addMountPtTail(nsjconf.get(), src, dst, /* fs_type= */ fs_type, + /* options= */ options, /* flags= */ 0, + /* is_dir= */ mnt::NS_DIR_MAYBE, /* is_mandatory= */ true, + /* src_env= */ "", /* dst_env= */ "", /* src_content= */ "", + /* is_symlink= */ false)) { return nullptr; } }; break; @@ -745,28 +746,28 @@ std::unique_ptr parseArgs(int argc, char* argv[]) { } if (!nsjconf->proc_path.empty()) { - if (!mnt::addMountPtTail(nsjconf.get(), /* src= */ NULL, nsjconf->proc_path.c_str(), - "proc", "", nsjconf->is_proc_rw ? 0 : MS_RDONLY, - /* isDir= */ mnt::NS_DIR_YES, - /* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) { + if (!mnt::addMountPtTail(nsjconf.get(), /* src= */ "", nsjconf->proc_path, "proc", + /* options= */ "", nsjconf->is_proc_rw ? 0 : MS_RDONLY, + /* is_dir= */ mnt::NS_DIR_YES, /* is_mandatory= */ true, /* src_env= */ "", + /* dst_env= */ "", /* src_content= */ "", /* is_symlink= */ false)) { return nullptr; } } if (!(nsjconf->chroot.empty())) { - if (!mnt::addMountPtHead(nsjconf.get(), nsjconf->chroot.c_str(), "/", - /* fs_type= */ "", + if (!mnt::addMountPtHead(nsjconf.get(), nsjconf->chroot, "/", /* fs_type= */ "", /* options= */ "", nsjconf->is_root_rw ? (MS_BIND | MS_REC | MS_PRIVATE) : (MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY), - /* isDir= */ mnt::NS_DIR_YES, /* mandatory= */ true, NULL, NULL, NULL, 0, - /* is_symlink= */ false)) { + /* is_dir= */ mnt::NS_DIR_YES, /* is_mandatory= */ true, /* src_env= */ "", + /* dst_env= */ "", /* src_content= */ "", /* is_symlink= */ false)) { return nullptr; } } else { - if (!mnt::addMountPtHead(nsjconf.get(), /* src= */ NULL, "/", "tmpfs", + if (!mnt::addMountPtHead(nsjconf.get(), /* src= */ "", "/", "tmpfs", /* options= */ "", nsjconf->is_root_rw ? 0 : MS_RDONLY, - /* isDir= */ mnt::NS_DIR_YES, - /* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) { + /* is_dir= */ mnt::NS_DIR_YES, + /* is_mandatory= */ true, /* src_env= */ "", /* dst_env= */ "", + /* src_content= */ "", /* is_symlink= */ false)) { return nullptr; } } diff --git a/config.cc b/config.cc index 5abb1b0..d60686f 100644 --- a/config.cc +++ b/config.cc @@ -200,39 +200,28 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig& nsjconf->proc_path.clear(); } for (ssize_t i = 0; i < njc.mount_size(); i++) { - const char* src = (njc.mount(i).has_src()) ? njc.mount(i).src().c_str() : NULL; - const char* src_env = (njc.mount(i).has_prefix_src_env()) - ? njc.mount(i).prefix_src_env().c_str() - : NULL; - const char* dst = (njc.mount(i).has_dst()) ? njc.mount(i).dst().c_str() : NULL; - const char* dst_env = (njc.mount(i).has_prefix_dst_env()) - ? njc.mount(i).prefix_dst_env().c_str() - : NULL; - const char* fstype = - (njc.mount(i).has_fstype()) ? njc.mount(i).fstype().c_str() : NULL; - const char* options = - (njc.mount(i).has_options()) ? njc.mount(i).options().c_str() : NULL; + std::string src = njc.mount(i).src(); + std::string src_env = njc.mount(i).prefix_src_env(); + std::string dst = njc.mount(i).dst(); + std::string dst_env = njc.mount(i).prefix_dst_env(); + std::string fstype = njc.mount(i).fstype(); + std::string options = njc.mount(i).options(); uintptr_t flags = (njc.mount(i).rw() == false) ? MS_RDONLY : 0; flags |= njc.mount(i).is_bind() ? (MS_BIND | MS_REC | MS_PRIVATE) : 0; - bool mandatory = njc.mount(i).mandatory(); + bool is_mandatory = njc.mount(i).mandatory(); + bool is_symlink = njc.mount(i).is_symlink(); + std::string src_content = njc.mount(i).src_content(); - mnt::isDir_t isDir = mnt::NS_DIR_MAYBE; + mnt::isDir_t is_dir = mnt::NS_DIR_MAYBE; if (njc.mount(i).has_is_dir()) { - isDir = njc.mount(i).is_dir() ? mnt::NS_DIR_YES : mnt::NS_DIR_NO; + is_dir = njc.mount(i).is_dir() ? mnt::NS_DIR_YES : mnt::NS_DIR_NO; } - const char* src_content = NULL; - size_t src_content_len = 0; - if (njc.mount(i).has_src_content()) { - src_content = njc.mount(i).src_content().data(); - src_content_len = njc.mount(i).src_content().size(); - } - - if (mnt::addMountPtTail(nsjconf, src, dst, fstype, options, flags, isDir, mandatory, - src_env, dst_env, src_content, src_content_len, - njc.mount(i).is_symlink()) == false) { - LOG_E("Couldn't add mountpoint for src:'%s' dst:'%s'", src, dst); + if (!mnt::addMountPtTail(nsjconf, src, dst, fstype, options, flags, is_dir, + is_mandatory, src_env, dst_env, src_content, is_symlink)) { + LOG_E("Couldn't add mountpoint for src:'%s' dst:'%s'", src.c_str(), + dst.c_str()); return false; } } diff --git a/config.proto b/config.proto index 4a97674..eb5f709 100644 --- a/config.proto +++ b/config.proto @@ -27,15 +27,15 @@ message IdMap { } message MountPt { /* Can be skipped for filesystems like 'proc' */ - optional string src = 1; + optional string src = 1 [default = ""]; /* Should 'src' path be prefixed with this envvar? */ - optional string prefix_src_env = 2; + optional string prefix_src_env = 2 [default = ""]; /* If specified, contains buffer that will be written to the dst file */ - optional bytes src_content = 3; + optional bytes src_content = 3 [default = ""]; /* Mount point inside jail */ - required string dst = 4; + required string dst = 4 [default = ""]; /* Should 'dst' path be prefixed with this envvar? */ - optional string prefix_dst_env = 5; + optional string prefix_dst_env = 5 [default = ""]; /* Can be empty for mount --bind mounts */ optional string fstype = 6 [default = ""]; /* E.g. size=5000000 for 'tmpfs' */ diff --git a/mnt.cc b/mnt.cc index 9f175ad..d6ec47c 100644 --- a/mnt.cc +++ b/mnt.cc @@ -133,12 +133,12 @@ static bool mountPt(mount_t* mpt, const char* newroot, const char* tmpdir) { snprintf(srcpath, sizeof(srcpath), "none"); } - if (mpt->isSymlink) { + if (mpt->is_symlink) { if (!util::createDirRecursively(dst)) { LOG_W("Couldn't create upper directories for '%s'", dst); return false; } - } else if (mpt->isDir) { + } else if (mpt->is_dir) { if (!util::createDirRecursively(dst)) { LOG_W("Couldn't create upper directories for '%s'", dst); return false; @@ -159,10 +159,10 @@ static bool mountPt(mount_t* mpt, const char* newroot, const char* tmpdir) { } } - if (mpt->isSymlink) { + if (mpt->is_symlink) { LOG_D("symlink('%s', '%s')", srcpath, dst); if (symlink(srcpath, dst) == -1) { - if (mpt->mandatory) { + if (mpt->is_mandatory) { PLOG_W("symlink('%s', '%s')", srcpath, dst); return false; } else { @@ -230,7 +230,7 @@ static bool remountRO(const mount_t& mpt) { if (!mpt.mounted) { return true; } - if (mpt.isSymlink) { + if (mpt.is_symlink) { return true; } if ((mpt.flags & MS_RDONLY) == 0) { @@ -371,7 +371,7 @@ static bool initNsInternal(nsjconf_t* nsjconf) { } for (auto& p : nsjconf->mountpts) { - if (!mountPt(&p, destdir, tmpdir) && p.mandatory) { + if (!mountPt(&p, destdir, tmpdir) && p.is_mandatory) { return false; } } @@ -402,7 +402,7 @@ static bool initNsInternal(nsjconf_t* nsjconf) { } for (const auto& p : nsjconf->mountpts) { - if (!remountRO(p) && p.mandatory) { + if (!remountRO(p) && p.is_mandatory) { return false; } } @@ -437,92 +437,84 @@ bool initNs(nsjconf_t* nsjconf) { return false; } -static bool addMountPt(mount_t* mnt, const char* src, const char* dst, const char* fstype, - const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env, - const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) { - if (src_env) { - const char* e = getenv(src_env); +static bool addMountPt(mount_t* mnt, const std::string& src, const std::string& dst, + const std::string& fstype, const std::string& options, uintptr_t flags, isDir_t is_dir, + bool is_mandatory, const std::string& src_env, const std::string& dst_env, + const std::string& src_content, bool is_symlink) { + if (!src_env.empty()) { + const char* e = getenv(src_env.c_str()); if (e == NULL) { - LOG_W("No such envvar:'%s'", src_env); + LOG_W("No such envvar:'%s'", src_env.c_str()); return false; } mnt->src = e; } - if (src) { - mnt->src.append(src); - } + mnt->src.append(src); - if (dst_env) { - const char* e = getenv(dst_env); + if (!dst_env.empty()) { + const char* e = getenv(dst_env.c_str()); if (e == NULL) { - LOG_W("No such envvar:'%s'", dst_env); + LOG_W("No such envvar:'%s'", dst_env.c_str()); return false; } mnt->dst = e; } - if (dst) { - mnt->dst.append(dst); - } + mnt->dst.append(dst); - if (fstype) { - mnt->fs_type = fstype; - } - if (options) { - mnt->options = options; - } - if (src_content) { - mnt->src_content.assign(src_content, src_content_len); - } + mnt->fs_type = fstype; + mnt->options = options; mnt->flags = flags; - mnt->isDir = true; - mnt->isSymlink = is_symlink; - mnt->mandatory = mandatory; + mnt->is_symlink = is_symlink; + mnt->is_mandatory = is_mandatory; mnt->mounted = false; + mnt->src_content = src_content; - switch (isDir) { + switch (is_dir) { case NS_DIR_YES: - mnt->isDir = true; + mnt->is_dir = true; break; case NS_DIR_NO: - mnt->isDir = false; + mnt->is_dir = false; break; case NS_DIR_MAYBE: { - if (src_content) { - mnt->isDir = false; + if (!src_content.empty()) { + mnt->is_dir = false; } else if (mnt->src.empty()) { - mnt->isDir = true; + mnt->is_dir = true; } else if (mnt->flags & MS_BIND) { - mnt->isDir = mnt::isDir(mnt->src.c_str()); + mnt->is_dir = mnt::isDir(mnt->src.c_str()); } else { - mnt->isDir = true; + mnt->is_dir = true; } } break; default: - LOG_F("Unknown isDir value: %d", isDir); - break; + LOG_E("Unknown is_dir value: %d", is_dir); + return false; } return true; } -bool addMountPtHead(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype, - const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env, - const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) { +bool addMountPtHead(nsjconf_t* nsjconf, const std::string& src, const std::string& dst, + const std::string& fstype, const std::string& options, uintptr_t flags, isDir_t is_dir, + bool is_mandatory, const std::string& src_env, const std::string& dst_env, + const std::string& src_content, bool is_symlink) { mount_t mnt; - if (!addMountPt(&mnt, src, dst, fstype, options, flags, isDir, mandatory, src_env, dst_env, - src_content, src_content_len, is_symlink)) { + if (!addMountPt(&mnt, src, dst, fstype, options, flags, is_dir, is_mandatory, src_env, + dst_env, src_content, is_symlink)) { return false; } nsjconf->mountpts.insert(nsjconf->mountpts.begin(), mnt); return true; } -bool addMountPtTail(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype, - const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env, - const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink) { +bool addMountPtTail(nsjconf_t* nsjconf, const std::string& src, const std::string& dst, + const std::string& fstype, const std::string& options, uintptr_t flags, isDir_t is_dir, + bool is_mandatory, const std::string& src_env, const std::string& dst_env, + const std::string& src_content, bool is_symlink) { mount_t mnt; - if (!addMountPt(&mnt, src, dst, fstype, options, flags, isDir, mandatory, src_env, dst_env, - src_content, src_content_len, is_symlink)) { + if (!addMountPt(&mnt, src, dst, fstype, options, flags, is_dir, is_mandatory, src_env, + dst_env, src_content, is_symlink)) { return false; } nsjconf->mountpts.push_back(mnt); @@ -535,16 +527,16 @@ const std::string describeMountPt(const mount_t& mpt) { snprintf(mount_pt_descr, sizeof(mount_pt_descr), "src:'%s' dst:'%s' type:'%s' flags:%s options:'%s' isDir:%s", mpt.src.c_str(), mpt.dst.c_str(), mpt.fs_type.c_str(), flagsToStr(mpt.flags).c_str(), - mpt.options.c_str(), mpt.isDir ? "true" : "false"); + mpt.options.c_str(), mpt.is_dir ? "true" : "false"); - if (!mpt.mandatory) { + if (!mpt.is_mandatory) { util::sSnPrintf(mount_pt_descr, sizeof(mount_pt_descr), " mandatory:false"); } if (!mpt.src_content.empty()) { util::sSnPrintf(mount_pt_descr, sizeof(mount_pt_descr), " src_content_len:%zu", mpt.src_content.length()); } - if (mpt.isSymlink) { + if (mpt.is_symlink) { util::sSnPrintf(mount_pt_descr, sizeof(mount_pt_descr), " symlink:true"); } diff --git a/mnt.h b/mnt.h index 4237853..9b177f9 100644 --- a/mnt.h +++ b/mnt.h @@ -38,12 +38,14 @@ typedef enum { } isDir_t; bool initNs(nsjconf_t* nsjconf); -bool addMountPtHead(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype, - const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env, - const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink); -bool addMountPtTail(nsjconf_t* nsjconf, const char* src, const char* dst, const char* fstype, - const char* options, uintptr_t flags, isDir_t isDir, bool mandatory, const char* src_env, - const char* dst_env, const char* src_content, size_t src_content_len, bool is_symlink); +bool addMountPtHead(nsjconf_t* nsjconf, const std::string& src, const std::string& dst, + const std::string& fstype, const std::string& options, uintptr_t flags, isDir_t is_dir, + bool is_mandatory, const std::string& src_env, const std::string& dst_env, + const std::string& src_content, bool is_symlink); +bool addMountPtTail(nsjconf_t* nsjconf, const std::string& src, const std::string& dst, + const std::string& fstype, const std::string& options, uintptr_t flags, isDir_t is_dir, + bool is_mandatory, const std::string& src_env, const std::string& dst_env, + const std::string& src_content, bool is_symlink); const std::string describeMountPt(const mount_t& mpt); } // namespace mnt diff --git a/nsjail.h b/nsjail.h index b7bd1e6..238f5c2 100644 --- a/nsjail.h +++ b/nsjail.h @@ -61,9 +61,9 @@ struct mount_t { std::string fs_type; std::string options; uintptr_t flags; - bool isDir; - bool isSymlink; - bool mandatory; + bool is_dir; + bool is_symlink; + bool is_mandatory; bool mounted; };