mount: more extensive search for suitable root dir

contain.c

@@ -357,9 +357,6 @@ bool containSetupFD(struct nsjconf_t * nsjconf, int fd_in, int fd_out, int fd_er
 
 bool containContain(struct nsjconf_t * nsjconf)
 {
-	if (containCPU(nsjconf) == false) {
-		return false;
-	}
 	if (containUserNs(nsjconf) == false) {
 		return false;
 	}
@@ -383,6 +380,9 @@ bool containContain(struct nsjconf_t * nsjconf)
 	}
 	/* */
 	/* As non-root */
+	if (containCPU(nsjconf) == false) {
+		return false;
+	}
 	if (containSetLimits(nsjconf) == false) {
 		return false;
 	}

mount.c

@@ -234,6 +234,49 @@ static bool mountRemountRO(struct mounts_t *mpt)
 	return true;
 }
 
+static bool mountMkdirAndTest(const char *dir)
+{
+	if (mkdir(dir, 0755) == -1 && errno != EEXIST) {
+		PLOG_W("Couldn't create '%s' directory", dir);
+		return false;
+	}
+	if (access(dir, R_OK) == -1) {
+		PLOG_W("access('%s', R_OK)", dir);
+		return false;
+	}
+	LOG_D("Created accessible directory in '%s'", dir);
+	return true;
+}
+
+static bool mountGetDirs(struct nsjconf_t *nsjconf, char *destdir, char *tmpdir)
+{
+	snprintf(destdir, PATH_MAX, "/tmp/nsjail.root.%d", (int)nsjconf->orig_euid);
+	if (!mountMkdirAndTest(destdir)) {
+		snprintf(destdir, PATH_MAX, "/tmp/nsjail.root");
+		if (!mountMkdirAndTest(destdir)) {
+			snprintf(destdir, PATH_MAX, "/tmp/nsjail.root.%" PRIx64, utilRnd64());
+			if (!mountMkdirAndTest(destdir)) {
+				LOG_E("Couldn't create directory for ROOT fs");
+				return false;
+			}
+		}
+	}
+
+	snprintf(tmpdir, PATH_MAX, "/tmp/nsjail.tmp.%d", (int)nsjconf->orig_euid);
+	if (!mountMkdirAndTest(tmpdir)) {
+		snprintf(tmpdir, PATH_MAX, "/tmp/nsjail.tmp");
+		if (!mountMkdirAndTest(tmpdir)) {
+			snprintf(tmpdir, PATH_MAX, "/tmp/nsjail.tmp.%" PRIx64, utilRnd64());
+			if (!mountMkdirAndTest(tmpdir)) {
+				LOG_E("Couldn't create a directory for TMP files");
+				return false;
+			}
+		}
+	}
+
+	return true;
+}
+
 static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
 {
 	if (nsjconf->clone_newns == false) {
@@ -255,22 +298,17 @@ static bool mountInitNsInternal(struct nsjconf_t *nsjconf)
 	}
 
 	char destdir[PATH_MAX];
-	snprintf(destdir, sizeof(destdir), "/tmp/nsjail.root.%d", (int)nsjconf->orig_euid);
-	if (mkdir(destdir, 0755) == -1 && errno != EEXIST) {
-		PLOG_E("Couldn't create '%s' directory. Maybe remove it?", destdir);
+	char tmpdir[PATH_MAX];
+	if (mountGetDirs(nsjconf, destdir, tmpdir) == false) {
+		LOG_E("Couldn't obtain temporary mount directories");
 		return false;
 	}
+
 	if (mount(NULL, destdir, "tmpfs", 0, "size=16777216") == -1) {
 		PLOG_E("mount('%s', 'tmpfs')", destdir);
 		return false;
 	}
 
-	char tmpdir[PATH_MAX];
-	snprintf(tmpdir, sizeof(tmpdir), "/tmp/nsjail.tmp.%d", (int)nsjconf->orig_euid);
-	if (mkdir(tmpdir, 0755) == -1 && errno != EEXIST) {
-		PLOG_E("Couldn't create '%s' directory. Maybe remove it?", tmpdir);
-		return false;
-	}
 	if (mount(NULL, tmpdir, "tmpfs", 0, "size=16777216") == -1) {
 		PLOG_E("mount('%s', 'tmpfs')", tmpdir);
 		return false;

util.c

@@ -32,6 +32,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <sys/stat.h>
+#include <sys/time.h>
 #include <sys/types.h>
 #include <time.h>
 
@@ -226,9 +227,18 @@ static const uint64_t c = 1442695040888963407ULL;
 
 static void utilRndInitThread(void)
 {
+#if defined(__NR_getrandom)
+	if (syscall(__NR_getrandom, &rndX, sizeof(rndX), 0) == sizeof(rndX)) {
+		return;
+	}
+#endif				/* defined(__NR_getrandom) */
 	int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
 	if (fd == -1) {
-		PLOG_F("Couldn't open /dev/urandom for reading");
+		PLOG_D("Couldn't open /dev/urandom for reading");
+		struct timeval tv;
+		gettimeofday(&tv, NULL);
+		rndX = tv.tv_usec + ((uint64_t) tv.tv_sec << 32);
+		return;
 	}
 	if (utilReadFromFd(fd, (uint8_t *) & rndX, sizeof(rndX)) != sizeof(rndX)) {
 		PLOG_F("Couldn't read '%zu' bytes from /dev/urandom", sizeof(rndX));