From 5a68595a5b5ca8656df8bf2d2622a5275aaeaaeb Mon Sep 17 00:00:00 2001
From: Robert Swiecki
Date: Sun, 2 Jul 2017 03:39:56 +0200
Subject: [PATCH] mount: allow for non-mandatory symlinks mount: allow for non-mandatory symlinks
---
 configs/bash-with-fake-geteuid.cfg | 19 +++++++++-----
 mount.c | 41 ++++++++++++------------------
 util.c | 6 ++---
 3 files changed, 32 insertions(+), 34 deletions(-)
diff --git a/configs/bash-with-fake-geteuid.cfg b/configs/bash-with-fake-geteuid.cfg
index 59dfb03..a8d5ed5 100644
--- a/configs/bash-with-fake-geteuid.cfg
+++ b/configs/bash-with-fake-geteuid.cfg
@@ -129,12 +129,6 @@ mount {
 is_bind: false
 }
-mount {
- src: "/proc/self/fd"
- dst: "/dev/fd"
- is_symlink: true
-}
-
 mount {
 src: "/dev/null"
 dst: "/dev/null"
@@ -160,6 +154,19 @@ mount {
 mandatory: false
 }
+mount {
+ src: "/proc/self/fd"
+ dst: "/dev/fd"
+ is_symlink: true
+}
+
+mount {
+ src: "/some/uninmportant/target"
+ dst: "/proc/no/symlinks/can/be/created/in/proc"
+ is_symlink: true
+ mandatory: false
+}
+
 seccomp_string: " POLICY example { KILL { syslog },
diff --git a/mount.c b/mount.c
index cfc0f25..612bab3 100644
--- a/mount.c
+++ b/mount.c
@@ -160,8 +160,13 @@ static bool mountMount(struct mounts_t *mpt, const char *newroot, const char *tm
 if (mpt->isSymlink == true) {
 LOG_D("symlink('%s', '%s')", srcpath, dst);
 if (symlink(srcpath, dst) == -1) {
- PLOG_W("symlink('%s', '%s')", srcpath, dst);
- return false;
+ if (mpt->mandatory) {
+ PLOG_W("symlink('%s', '%s')", srcpath, dst);
+ return false;
+ } else {
+ PLOG_W("symlink('%s', '%s'), but it's not mandatory, continuing",
+ srcpath, dst);
+ }
 }
 return true;
 }
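Review bot: In the symlink branch of mountMount (the @@ -160 hunk of mount.c) the non-mandatory case logs the failure and then reaches `return true`, so the function reports success for a symlink that was not created. The rest of this commit moves the mandatory decision to the caller (`mountMount(p, destdir, tmpdir) == false && p->mandatory` in mountInitNsInternal) and makes mountRemountRO return false unconditionally, so this branch keeps a second copy of the policy that can drift from the call site. Consider reducing the failure path to `PLOG_W("symlink('%s', '%s')", srcpath, dst); return false;` and letting the call site decide. mountMount starts and ends outside the hunk.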
@@ -188,20 +193,14 @@ static bool mountMount(struct mounts_t *mpt, const char *newroot, const char *tm
 */
 unsigned long flags = mpt->flags & ~(MS_RDONLY);
 if (mount(srcpath, dst, mpt->fs_type, flags, mpt->options) == -1) {
- if (mpt->mandatory == false) {
- PLOG_D("mount('%s') src:'%s' dst:'%s' failed", mountDescribeMountPt(mpt),
- srcpath, dst);
- } else if (errno == EACCES) {
- PLOG_E("mount('%s') src:'%s' dst:'%s' failed. "
+ if (errno == EACCES) {
+ PLOG_W("mount('%s') src:'%s' dst:'%s' failed. "
 "Try fixing this problem by applying 'chmod o+x' to the '%s' directory and " "its ancestors", mountDescribeMountPt(mpt), srcpath, dst, srcpath);
 } else {
- PLOG_E("mount('%s') src:'%s' dst:'%s' failed", mountDescribeMountPt(mpt),
+ PLOG_W("mount('%s') src:'%s' dst:'%s' failed", mountDescribeMountPt(mpt),
 srcpath, dst);
 }
- if (mpt->mandatory) {
- return false;
- }
 }
 if (mpt->src_content && unlink(srcpath) == -1) {
@@ -221,13 +220,8 @@ static bool mountRemountRO(struct mounts_t *mpt)
 struct statvfs vfs;
 if (TEMP_FAILURE_RETRY(statvfs(mpt->dst, &vfs)) == -1) {
- if (mpt->mandatory) {
- PLOG_E("statvfs('%s')", mpt->dst);
- return false;
- } else {
- PLOG_D("statvfs('%s')", mpt->dst);
- return true;
- }
+ PLOG_W("statvfs('%s')", mpt->dst);
+ return false;
 }
 /*
 * It's fine to use 'flags | vfs.f_flag' here as per
@@ -241,11 +235,8 @@ static bool mountRemountRO(struct mounts_t *mpt)
 mountFlagsToStr(vfs.f_flag), mountFlagsToStr(new_flags));
 if (mount(mpt->dst, mpt->dst, NULL, new_flags, 0) == -1) {
- if (mpt->mandatory) {
- PLOG_W("mount('%s', flags:%s)", mpt->dst, mountFlagsToStr(new_flags));
- return false;
- }
- PLOG_D("mount('%s', flags:%s)", mpt->dst, mountFlagsToStr(new_flags));
+ PLOG_W("mount('%s', flags:%s)", mpt->dst, mountFlagsToStr(new_flags));
+ return false;
 }
 return true;
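Review bot: A failed mount() no longer makes mountMount fail in the @@ -188 hunk: both branches of the new if/else only log with PLOG_W, and control then falls through to the `mpt->src_content` check, because the removed `if (mpt->mandatory) { return false; }` has no replacement. The `&& p->mandatory` test added at the mountInitNsInternal call site (the @@ -334 hunk) only has an effect when this path returns false, so unless a later line outside the hunk returns false, a mandatory mount that fails would leave the jail running without it. Add `return false;` after the if/else, before the closing brace of the `mount(...) == -1` block, matching what this commit does in mountRemountRO. The end of mountMount is outside the hunk.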
@@ -334,7 +325,7 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
 struct mounts_t *p;
 TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
- if (mountMount(p, destdir, tmpdir) == false) {
+ if (mountMount(p, destdir, tmpdir) == false && p->mandatory) {
 return false;
 }
 }
@@ -358,7 +349,7 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
 }
 TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
- if (mountRemountRO(p) == false) {
+ if (mountRemountRO(p) == false && p->mandatory) {
 return false;
 }
 }
diff --git a/util.c b/util.c
index 3eef893..f856288 100644
--- a/util.c
+++ b/util.c
@@ -157,7 +157,7 @@ bool utilCreateDirRecursively(const char *dir)
 int prev_dir_fd = open("/", O_RDONLY | O_CLOEXEC);
 if (prev_dir_fd == -1) {
- PLOG_E("open('/', O_RDONLY | O_CLOEXEC)");
+ PLOG_W("open('/', O_RDONLY | O_CLOEXEC)");
 return false;
 }
@@ -177,14 +177,14 @@ bool utilCreateDirRecursively(const char *dir)
 *next = '\0';
 if (mkdirat(prev_dir_fd, curr, 0755) == -1 && errno != EEXIST) {
- PLOG_E("mkdir('%s', 0755)", curr);
+ PLOG_W("mkdir('%s', 0755)", curr);
 close(prev_dir_fd);
 return false;
 }
 int dir_fd = TEMP_FAILURE_RETRY(openat(prev_dir_fd, curr, O_DIRECTORY | O_CLOEXEC));
 if (dir_fd == -1) {
- PLOG_E("openat('%d', '%s', O_DIRECTORY | O_CLOEXEC)", prev_dir_fd, curr);
+ PLOG_W("openat('%d', '%s', O_DIRECTORY | O_CLOEXEC)", prev_dir_fd, curr);
 close(prev_dir_fd);
 return false;
 }
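Review bot: With `mountRemountRO(p) == false && p->mandatory` in the second loop (the @@ -358 hunk), a non-mandatory entry whose read-only remount fails is kept with only a warning. The initial mount is made with `mpt->flags & ~(MS_RDONLY)` (context of the @@ -188 hunk), so such an entry presumably stays writable inside the jail even though the configuration asked for read-only. If that is intended, say so at the loop, e.g. `/* non-mandatory: a failed read-only remount leaves the mount point as first mounted, possibly writable */`; otherwise a failed remount of a mount that did succeed should stay fatal. mountInitNsInternal continues outside the hunk.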