Renaming use_switchroot option with no_pivotroot
This commit is contained in:
parent
b6576fcde7
commit
b83d6f7421
@ -76,7 +76,7 @@ struct custom_option custom_opts[] = {
|
||||
{ { "exec_file", required_argument, NULL, 'x' }, "File to exec (default: argv[0])" },
|
||||
{ { "execute_fd", no_argument, NULL, 0x0607 }, "Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing" },
|
||||
{ { "chroot", required_argument, NULL, 'c' }, "Directory containing / of the jail (default: none)" },
|
||||
{ { "use_switchroot", no_argument, NULL, 0x600 }, "When creating a mount namespace, use switch_root rather then pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration" },
|
||||
{ { "no_pivotroot", no_argument, NULL, 0x600 }, "When creating a mount namespace, use mount(MS_MOVE) and chroot rather than pivot_root. Usefull when pivot_root is disallowed (e.g. initramfs). Note: escapable is some configuration" },
|
||||
{ { "rw", no_argument, NULL, 0x601 }, "Mount chroot dir (/) R/W (default: R/O)" },
|
||||
{ { "user", required_argument, NULL, 'u' }, "Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times" },
|
||||
{ { "group", required_argument, NULL, 'g' }, "Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times" },
|
||||
@ -432,7 +432,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
|
||||
nsjconf->clone_newnet = true;
|
||||
nsjconf->clone_newuser = true;
|
||||
nsjconf->clone_newns = true;
|
||||
nsjconf->use_switchroot = false;
|
||||
nsjconf->no_pivotroot = false;
|
||||
nsjconf->clone_newpid = true;
|
||||
nsjconf->clone_newipc = true;
|
||||
nsjconf->clone_newuts = true;
|
||||
@ -651,7 +651,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
|
||||
nsjconf->caps.push_back(cap);
|
||||
} break;
|
||||
case 0x0600:
|
||||
nsjconf->use_switchroot = true;
|
||||
nsjconf->no_pivotroot = true;
|
||||
break;
|
||||
case 0x0601:
|
||||
nsjconf->is_root_rw = true;
|
||||
|
@ -185,7 +185,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
|
||||
nsjconf->clone_newcgroup = njc.clone_newcgroup();
|
||||
nsjconf->clone_newtime = njc.clone_newtime();
|
||||
|
||||
nsjconf->use_switchroot = njc.use_switchroot();
|
||||
nsjconf->no_pivotroot = njc.no_pivotroot();
|
||||
|
||||
for (ssize_t i = 0; i < njc.uidmap_size(); i++) {
|
||||
if (!user::parseId(nsjconf, njc.uidmap(i).inside_id(), njc.uidmap(i).outside_id(),
|
||||
|
@ -87,7 +87,7 @@ message NsJailConfig {
|
||||
optional string cwd = 9 [default = "/"];
|
||||
|
||||
/* Defines whether to use switch_root or pivot_root */
|
||||
optional bool use_switchroot = 88 [default = false];
|
||||
optional bool no_pivotroot = 88 [default = false];
|
||||
|
||||
/* TCP port to listen to. Valid with mode=LISTEN only */
|
||||
optional uint32 port = 10 [default = 0];
|
||||
|
4
mnt.cc
4
mnt.cc
@ -399,7 +399,7 @@ static bool initCloneNs(nsjconf_t* nsjconf) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!nsjconf->use_switchroot) {
|
||||
if (!nsjconf->no_pivotroot) {
|
||||
/*
|
||||
* This requires some explanation: It's actually possible to pivot_root('/', '/').
|
||||
* After this operation has been completed, the old root is mounted over the new
|
||||
@ -435,7 +435,7 @@ static bool initCloneNs(nsjconf_t* nsjconf) {
|
||||
* and using setns to re-enter the mount namespace.
|
||||
*/
|
||||
LOG_W(
|
||||
"Using switch_root is escapable when user posseses relevant capabilities, "
|
||||
"Using no_pivotroot is escapable when user posseses relevant capabilities, "
|
||||
"Use it with care!"
|
||||
);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user