woj/nsjail
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

mount: allow for non-mandatory symlinks

Browse Source 
mount: allow for non-mandatory symlinks
This commit is contained in:
Robert Swiecki 2017-07-02 03:39:56 +02:00
parent e86598c544
commit 5a68595a5b
3 changed files with 32 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
configs/bash-with-fake-geteuid.cfg
View File

@ -129,12 +129,6 @@ mount {
is_bind: false is_bind: false
} }
mount {
src: "/proc/self/fd"
dst: "/dev/fd"
is_symlink: true
}
mount { mount {
src: "/dev/null" src: "/dev/null"
dst: "/dev/null" dst: "/dev/null"
@ -160,6 +154,19 @@ mount {
mandatory: false mandatory: false
} }
mount {
src: "/proc/self/fd"
dst: "/dev/fd"
is_symlink: true
}
mount {
src: "/some/uninmportant/target"
dst: "/proc/no/symlinks/can/be/created/in/proc"
is_symlink: true
mandatory: false
}
seccomp_string: " seccomp_string: "
POLICY example { POLICY example {
KILL { syslog }, KILL { syslog },

41
mount.c
View File

@ -160,8 +160,13 @@ static bool mountMount(struct mounts_t *mpt, const char *newroot, const char *tm
if (mpt->isSymlink == true) { if (mpt->isSymlink == true) {
LOG_D("symlink('%s', '%s')", srcpath, dst); LOG_D("symlink('%s', '%s')", srcpath, dst);
if (symlink(srcpath, dst) == -1) { if (symlink(srcpath, dst) == -1) {
PLOG_W("symlink('%s', '%s')", srcpath, dst); if (mpt->mandatory) {
return false; PLOG_W("symlink('%s', '%s')", srcpath, dst);
return false;
} else {
PLOG_W("symlink('%s', '%s'), but it's not mandatory, continuing",
srcpath, dst);
}
} }
return true; return true;
} }
@ -188,20 +193,14 @@ static bool mountMount(struct mounts_t *mpt, const char *newroot, const char *tm
*/ */
unsigned long flags = mpt->flags & ~(MS_RDONLY); unsigned long flags = mpt->flags & ~(MS_RDONLY);
if (mount(srcpath, dst, mpt->fs_type, flags, mpt->options) == -1) { if (mount(srcpath, dst, mpt->fs_type, flags, mpt->options) == -1) {
if (mpt->mandatory == false) { if (errno == EACCES) {
PLOG_D("mount('%s') src:'%s' dst:'%s' failed", mountDescribeMountPt(mpt), PLOG_W("mount('%s') src:'%s' dst:'%s' failed. "
srcpath, dst);
} else if (errno == EACCES) {
PLOG_E("mount('%s') src:'%s' dst:'%s' failed. "
"Try fixing this problem by applying 'chmod o+x' to the '%s' directory and " "Try fixing this problem by applying 'chmod o+x' to the '%s' directory and "
"its ancestors", mountDescribeMountPt(mpt), srcpath, dst, srcpath); "its ancestors", mountDescribeMountPt(mpt), srcpath, dst, srcpath);
} else { } else {
PLOG_E("mount('%s') src:'%s' dst:'%s' failed", mountDescribeMountPt(mpt), PLOG_W("mount('%s') src:'%s' dst:'%s' failed", mountDescribeMountPt(mpt),
srcpath, dst); srcpath, dst);
} }
if (mpt->mandatory) {
return false;
}
} }
if (mpt->src_content && unlink(srcpath) == -1) { if (mpt->src_content && unlink(srcpath) == -1) {
@ -221,13 +220,8 @@ static bool mountRemountRO(struct mounts_t *mpt)
struct statvfs vfs; struct statvfs vfs;
if (TEMP_FAILURE_RETRY(statvfs(mpt->dst, &vfs)) == -1) { if (TEMP_FAILURE_RETRY(statvfs(mpt->dst, &vfs)) == -1) {
if (mpt->mandatory) { PLOG_W("statvfs('%s')", mpt->dst);
PLOG_E("statvfs('%s')", mpt->dst); return false;
return false;
} else {
PLOG_D("statvfs('%s')", mpt->dst);
return true;
}
} }
/* /*
* It's fine to use 'flags | vfs.f_flag' here as per * It's fine to use 'flags | vfs.f_flag' here as per
@ -241,11 +235,8 @@ static bool mountRemountRO(struct mounts_t *mpt)
mountFlagsToStr(vfs.f_flag), mountFlagsToStr(new_flags)); mountFlagsToStr(vfs.f_flag), mountFlagsToStr(new_flags));
if (mount(mpt->dst, mpt->dst, NULL, new_flags, 0) == -1) { if (mount(mpt->dst, mpt->dst, NULL, new_flags, 0) == -1) {
if (mpt->mandatory) { PLOG_W("mount('%s', flags:%s)", mpt->dst, mountFlagsToStr(new_flags));
PLOG_W("mount('%s', flags:%s)", mpt->dst, mountFlagsToStr(new_flags)); return false;
return false;
}
PLOG_D("mount('%s', flags:%s)", mpt->dst, mountFlagsToStr(new_flags));
} }
return true; return true;
@ -334,7 +325,7 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
struct mounts_t *p; struct mounts_t *p;
TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) { TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
if (mountMount(p, destdir, tmpdir) == false) { if (mountMount(p, destdir, tmpdir) == false && p->mandatory) {
return false; return false;
} }
} }
@ -358,7 +349,7 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
} }
TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) { TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
if (mountRemountRO(p) == false) { if (mountRemountRO(p) == false && p->mandatory) {
return false; return false;
} }
} }

6
util.c
View File

@ -157,7 +157,7 @@ bool utilCreateDirRecursively(const char *dir)
int prev_dir_fd = open("/", O_RDONLY | O_CLOEXEC); int prev_dir_fd = open("/", O_RDONLY | O_CLOEXEC);
if (prev_dir_fd == -1) { if (prev_dir_fd == -1) {
PLOG_E("open('/', O_RDONLY | O_CLOEXEC)"); PLOG_W("open('/', O_RDONLY | O_CLOEXEC)");
return false; return false;
} }
@ -177,14 +177,14 @@ bool utilCreateDirRecursively(const char *dir)
*next = '\0'; *next = '\0';
if (mkdirat(prev_dir_fd, curr, 0755) == -1 && errno != EEXIST) { if (mkdirat(prev_dir_fd, curr, 0755) == -1 && errno != EEXIST) {
PLOG_E("mkdir('%s', 0755)", curr); PLOG_W("mkdir('%s', 0755)", curr);
close(prev_dir_fd); close(prev_dir_fd);
return false; return false;
} }
int dir_fd = TEMP_FAILURE_RETRY(openat(prev_dir_fd, curr, O_DIRECTORY | O_CLOEXEC)); int dir_fd = TEMP_FAILURE_RETRY(openat(prev_dir_fd, curr, O_DIRECTORY | O_CLOEXEC));
if (dir_fd == -1) { if (dir_fd == -1) {
PLOG_E("openat('%d', '%s', O_DIRECTORY | O_CLOEXEC)", prev_dir_fd, curr); PLOG_W("openat('%d', '%s', O_DIRECTORY | O_CLOEXEC)", prev_dir_fd, curr);
close(prev_dir_fd); close(prev_dir_fd);
return false; return false;
} }