Merge branch 'master' of ssh://github.com/google/nsjail

Robert Swiecki 2017-10-20 14:44:07 +02:00
commit 86f444d00b
4 changed files with 21 additions and 20 deletions


@ -368,6 +368,7 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf)
.iface_vs_gw = "0.0.0.0", .iface_vs_gw = "0.0.0.0",
.kafel_file = NULL, .kafel_file = NULL,
.kafel_string = NULL, .kafel_string = NULL,
.orig_uid = getuid(),
.num_cpus = sysconf(_SC_NPROCESSORS_ONLN), .num_cpus = sysconf(_SC_NPROCESSORS_ONLN),
}; };
@ -651,9 +652,8 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf)
dst = dst ? dst : optarg; dst = dst ? dst : optarg;
if (!mountAddMountPtTail(nsjconf, /* src= */ optarg, dst, /* fs_type= */ "", if (!mountAddMountPtTail(nsjconf, /* src= */ optarg, dst, /* fs_type= */ "",
/* options= */ "", MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY, /* options= */ "", MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY,
/* isDir= */ /* isDir= */ NS_DIR_MAYBE, /* mandatory= */ true, NULL, NULL, NULL,
NS_DIR_MAYBE, /* mandatory= */ true, NULL, NULL, NULL, 0, 0, /* is_symlink= */ false)) {
/* is_symlink= */ false)) {
return false; return false;
} }
}; break; }; break;
@ -662,18 +662,15 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf)
dst = dst ? dst : optarg; dst = dst ? dst : optarg;
if (!mountAddMountPtTail(nsjconf, /* src= */ optarg, dst, /* fs_type= */ "", if (!mountAddMountPtTail(nsjconf, /* src= */ optarg, dst, /* fs_type= */ "",
/* options= */ "", MS_BIND | MS_REC | MS_PRIVATE, /* options= */ "", MS_BIND | MS_REC | MS_PRIVATE,
/* isDir= */ NS_DIR_MAYBE, /* isDir= */ NS_DIR_MAYBE, /* mandatory= */ true, NULL, NULL, NULL,
/* mandatory= */ true, NULL, NULL, NULL, 0, 0, /* is_symlink= */ false)) {
/* is_symlink= */
false)) {
return false; return false;
} }
}; break; }; break;
case 'T': { case 'T': {
if (!mountAddMountPtTail(nsjconf, /* src= */ NULL, optarg, "tmpfs", if (!mountAddMountPtTail(nsjconf, /* src= */ NULL, optarg, "tmpfs",
/* options= */ "", /* options= */ "", /* flags= */ 0, /* isDir= */ NS_DIR_YES,
/* flags= */ 0, /* isDir= */ true, /* mandatory= */ true, NULL, /* mandatory= */ true, NULL, NULL, NULL, 0,
NULL, NULL, 0,
/* is_symlink= */ false)) { /* is_symlink= */ false)) {
return false; return false;
} }
@ -752,7 +749,7 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf)
if (nsjconf->mount_proc) { if (nsjconf->mount_proc) {
if (!mountAddMountPtTail(nsjconf, /* src= */ NULL, nsjconf->proc_path, "proc", "", if (!mountAddMountPtTail(nsjconf, /* src= */ NULL, nsjconf->proc_path, "proc", "",
nsjconf->is_proc_rw ? 0 : MS_RDONLY, /* isDir= */ true, nsjconf->is_proc_rw ? 0 : MS_RDONLY, /* isDir= */ NS_DIR_YES,
/* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) { /* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) {
return false; return false;
} }
@ -762,13 +759,13 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf)
/* options= */ "", /* options= */ "",
nsjconf->is_root_rw ? (MS_BIND | MS_REC | MS_PRIVATE) nsjconf->is_root_rw ? (MS_BIND | MS_REC | MS_PRIVATE)
: (MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY), : (MS_BIND | MS_REC | MS_PRIVATE | MS_RDONLY),
/* isDir= */ true, /* mandatory= */ true, NULL, NULL, NULL, 0, /* isDir= */ NS_DIR_YES, /* mandatory= */ true, NULL, NULL, NULL, 0,
/* is_symlink= */ false)) { /* is_symlink= */ false)) {
return false; return false;
} }
} else { } else {
if (!mountAddMountPtHead(nsjconf, /* src= */ NULL, "/", "tmpfs", /* options= */ "", if (!mountAddMountPtHead(nsjconf, /* src= */ NULL, "/", "tmpfs", /* options= */ "",
nsjconf->is_root_rw ? 0 : MS_RDONLY, /* isDir= */ true, nsjconf->is_root_rw ? 0 : MS_RDONLY, /* isDir= */ NS_DIR_YES,
/* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) { /* mandatory= */ true, NULL, NULL, NULL, 0, /* is_symlink= */ false)) {
return false; return false;
} }

14
mount.c

@ -266,9 +266,9 @@ static bool mountMkdirAndTest(const char* dir)
return true; return true;
} }
static bool mountGetDir(char* dir, const char* name) static bool mountGetDir(struct nsjconf_t* nsjconf, char* dir, const char* name)
{ {
snprintf(dir, PATH_MAX, "/dev/shm/nsjail.%s", name); snprintf(dir, PATH_MAX, "/run/user/%u/nsjail.%s", nsjconf->orig_uid, name);
if (mountMkdirAndTest(dir)) { if (mountMkdirAndTest(dir)) {
return true; return true;
} }
@ -278,11 +278,15 @@ static bool mountGetDir(char* dir, const char* name)
} }
const char* tmp = getenv("TMPDIR"); const char* tmp = getenv("TMPDIR");
if (tmp) { if (tmp) {
snprintf(dir, PATH_MAX, "%s/nsjail.%s", name, tmp); snprintf(dir, PATH_MAX, "%s/nsjail.%s", tmp, name);
if (mountMkdirAndTest(dir)) { if (mountMkdirAndTest(dir)) {
return true; return true;
} }
} }
snprintf(dir, PATH_MAX, "/dev/shm/nsjail.%s", name);
if (mountMkdirAndTest(dir)) {
return true;
}
snprintf(dir, PATH_MAX, "/tmp/nsjail.%s.%" PRIx64, name, utilRnd64()); snprintf(dir, PATH_MAX, "/tmp/nsjail.%s.%" PRIx64, name, utilRnd64());
if (mountMkdirAndTest(dir)) { if (mountMkdirAndTest(dir)) {
return true; return true;
@ -321,7 +325,7 @@ static bool mountInitNsInternal(struct nsjconf_t* nsjconf)
} }
char destdir[PATH_MAX]; char destdir[PATH_MAX];
if (mountGetDir(destdir, "root") == false) { if (mountGetDir(nsjconf, destdir, "root") == false) {
LOG_E("Couldn't obtain root mount directories"); LOG_E("Couldn't obtain root mount directories");
return false; return false;
} }
@ -337,7 +341,7 @@ static bool mountInitNsInternal(struct nsjconf_t* nsjconf)
} }
char tmpdir[PATH_MAX]; char tmpdir[PATH_MAX];
if (mountGetDir(tmpdir, "tmp") == false) { if (mountGetDir(nsjconf, tmpdir, "tmp") == false) {
LOG_E("Couldn't obtain temporary mount directories"); LOG_E("Couldn't obtain temporary mount directories");
return false; return false;
} }
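Review bot: The `/dev/shm/nsjail.%s` fallback that mountGetDir now tries after TMPDIR still uses a fixed, predictable name in a world-writable directory, whereas the `/tmp` fallback right after it appends `utilRnd64()`. mountMkdirAndTest's body is outside these hunks, so it cannot be confirmed here that it refuses a directory or symlink another local user created in advance; if it does not, give this candidate the same random suffix, `snprintf(dir, PATH_MAX, "/dev/shm/nsjail.%s.%" PRIx64, name, utilRnd64());`. The snprintf return values are also never compared with PATH_MAX, so a long TMPDIR is silently truncated into a different path before mountMkdirAndTest sees it. mountGetDir is split across two hunks and the lines between them are not shown.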


@ -28,7 +28,7 @@
#include "nsjail.h" #include "nsjail.h"
typedef enum { typedef enum {
NS_DIR_NO = 0, NS_DIR_NO = 0x100,
NS_DIR_YES, NS_DIR_YES,
NS_DIR_MAYBE, NS_DIR_MAYBE,
} isDir_t; } isDir_t;
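Review bot: `NS_DIR_NO = 0x100` carries no comment explaining why the enum no longer starts at 0, and the reason matters to every caller. Presumably the offset is meant to make a stray `true`/`false` or a zero-initialised field match no enumerator (the cmdlineParse hunks on this page replace `/* isDir= */ true` with `NS_DIR_YES`); if so, state it, e.g. `/* Values start at 0x100 so a bool or zeroed field passed as isDir_t matches no enumerator */`. The code that consumes isDir_t is not on this page, so it is worth confirming that each consumer rejects an unknown value instead of treating it as NS_DIR_NO or NS_DIR_YES.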


@ -160,8 +160,8 @@ struct nsjconf_t {
size_t cgroup_pids_max; size_t cgroup_pids_max;
FILE* kafel_file; FILE* kafel_file;
char* kafel_string; char* kafel_string;
uid_t orig_euid;
long num_cpus; long num_cpus;
uid_t orig_uid;
TAILQ_HEAD(udmaplist, idmap_t) TAILQ_HEAD(udmaplist, idmap_t)
uids; uids;
TAILQ_HEAD(gdmaplist, idmap_t) TAILQ_HEAD(gdmaplist, idmap_t)