user: more comments

This commit is contained in:
Robert Swiecki 2017-10-01 15:54:04 +02:00
parent 293a683b14
commit be25a24b5b
3 changed files with 21 additions and 4 deletions


@ -26,7 +26,7 @@
#include "common.h"
bool containSetupFD(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_err);
bool containSetupFD(struct nsjconf_t * nsjconf, int fd_in, int fd_out, int fd_err);
bool containContain(struct nsjconf_t *nsjconf);
#endif /* NS_CONTAIN_H */

12
mount.c

@ -290,6 +290,10 @@ static bool mountGetDir(char *dir, const char *name)
static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
{
/*
* If CLONE_NEWNS is not used, we would be changing the global mount namespace, so simply
* use --chroot in this case
*/
if (nsjconf->clone_newns == false) {
if (nsjconf->chroot == NULL) {
PLOG_E
@ -318,6 +322,7 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
return false;
}
/* Make changes to / (recursively) private, to avoid changing the global mount ns */
if (mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
PLOG_E("mount('/', '/', NULL, MS_REC|MS_PRIVATE, NULL)");
return false;
@ -348,6 +353,13 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
PLOG_E("umount2('%s', MNT_DETACH)", tmpdir);
return false;
}
/*
* This requires some explanation: It's actually possible to pivot_root('/', '/'). After this
* operation has been completed, the old root is mounted over the new root, and it's OK to
* simply umount('/') now, and to have new_root as '/'. This allows us not care about
* providing any special directory for old_root, which is sometimes not easy, given that e.g.
* /tmp might not always be present inside new_root
*/
if (syscall(__NR_pivot_root, destdir, destdir) == -1) {
PLOG_E("pivot_root('%s', '%s')", destdir, destdir);
return false;
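Review bot: The new comment above the pivot_root call explains pivot_root('/', '/'), but the call on the next line is `syscall(__NR_pivot_root, destdir, destdir)`; unless destdir is always "/" at this point (not visible in the hunk), the comment should describe the idiom actually used, roughly `/* pivot_root(new_root, new_root): the old root ends up stacked on top of the new one and is detached right after, so no put_old directory (e.g. /tmp) has to exist inside new_root. */`. The unmount of the old root that the comment relies on is outside this hunk, so whether it is done with MNT_DETACH cannot be checked from here; since that step is what keeps the host root out of the jail, the comment could state that the detach is required rather than merely "OK". Also "This allows us not care about" reads as a typo for "not to care about". mountInitNsInternal starts before this hunk and continues after it.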

11
user.c

@ -241,12 +241,12 @@ static bool userUidGidMap(struct nsjconf_t *nsjconf, pid_t pid)
bool userInitNsFromParent(struct nsjconf_t * nsjconf, pid_t pid)
{
if (nsjconf->clone_newuser == false) {
return true;
}
if (userSetGroups(pid) == false) {
return false;
}
if (nsjconf->clone_newuser == false) {
return true;
}
if (userUidGidMap(nsjconf, pid) == false) {
return false;
}
@ -264,6 +264,11 @@ bool userInitNsFromChild(struct nsjconf_t * nsjconf)
PLOG_D("setgroups(NULL) failed");
}
/*
* If we don't use CLONE_NEWUSER, then presumably this binary has been run with euid==0, in
* which case we need to avoid calling setuid/setgid, in order to avoid loosing capabilities
* which will be needed for uname/mount/etc.-like syscalls
*/
if (nsjconf->clone_newuser == false) {
return true;
}