Separate mount.c module
This commit is contained in:
parent
2f137dde4b
commit
e02d4e4edf
9
Makefile
9
Makefile
@ -25,7 +25,7 @@ CFLAGS += -O2 -g -ggdb -c -std=c11 \
LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie
SRCS = nsjail.c cmdline.c contain.c log.c net.c subproc.c sandbox.c util.c seccomp/bpf-helper.c
SRCS = nsjail.c cmdline.c contain.c log.c net.c mount.c subproc.c sandbox.c util.c seccomp/bpf-helper.c
OBJS = $(SRCS:.c=.o)
BIN = nsjail
@ -53,12 +53,13 @@ indent:
# DO NOT DELETE THIS LINE -- make depend depends on it.
nsjail.o: nsjail.h cmdline.h common.h log.h net.h subproc.h
nsjail.o: nsjail.h common.h cmdline.h log.h net.h subproc.h
cmdline.o: cmdline.h common.h log.h util.h
contain.o: contain.h common.h log.h net.h util.h
contain.o: contain.h common.h log.h mount.h net.h util.h
log.o: log.h common.h
net.o: net.h common.h log.h
mount.o: mount.h common.h log.h
subproc.o: subproc.h common.h contain.h log.h net.h sandbox.h util.h
sandbox.o: sandbox.h common.h log.h seccomp/bpf-helper.h
util.o: util.h log.h common.h
util.o: util.h common.h log.h
seccomp/bpf-helper.o: seccomp/bpf-helper.h
176
contain.c
176
contain.c
@ -45,23 +45,13 @@
#include <unistd.h>
#include "log.h"
#include "mount.h"
#include "net.h"
#include "util.h"
bool containInitNetNs(struct nsjconf_t * nsjconf)
{
if (nsjconf->iface_no_lo == false) {
if (netIfaceUp("lo") == false) {
return false;
}
}
if (nsjconf->iface) {
if (netConfigureVs(nsjconf) == false) {
return false;
}
}
return true;
return netInitNs(nsjconf);
}
static bool containSetGroups(pid_t pid)
@ -198,167 +188,9 @@ bool containPrepareEnv(struct nsjconf_t * nsjconf)
return true;
}
static bool containIsDir(const char *path)
bool containInitMountNs(struct nsjconf_t * nsjconf)
{
if (path == NULL || strcmp(path, "none") == 0) {
return false;
}
struct stat st;
if (stat(path, &st) == -1) {
PLOG_E("stat('%s')", path);
return false;
}
if (S_ISDIR(st.st_mode)) {
return true;
}
return false;
}
// It's a not a simple reversal of containIsDir() as it returns also 'false' upon
// stat() failure
static bool containNotIsDir(const char *path)
{
if (path == NULL || strcmp(path, "none") == 0) {
return false;
}
struct stat st;
if (stat(path, &st) == -1) {
PLOG_E("stat('%s')", path);
return false;
}
if (S_ISDIR(st.st_mode)) {
return false;
}
return true;
}
static bool containMount(struct nsjconf_t *nsjconf, struct mounts_t *mpt, const char *dst)
{
LOG_D("Mounting '%s' on '%s' (type:'%s', flags:0x%tx)", mpt->src, dst, mpt->fs_type,
mpt->flags);
if (containIsDir(mpt->src) == true) {
if (mkdir(dst, 0711) == -1 && errno != EEXIST) {
PLOG_W("mkdir('%s')", dst);
}
}
if (containNotIsDir(mpt->src) == true) {
int fd = open(dst, O_CREAT | O_RDONLY, 0644);
if (fd >= 0) {
close(fd);
} else {
PLOG_W("open('%s', O_CREAT|O_RDONLY, 0700)", dst);
}
}
if (mount(mpt->src, dst, mpt->fs_type, mpt->flags, mpt->options) == -1) {
if (errno == EACCES) {
PLOG_E
("mount('%s', '%s', type='%s') failed. Try fixing this problem by applying 'chmod o+x' to the '%s' directory and its ancestors",
mpt->src, dst, mpt->fs_type, nsjconf->chroot);
} else {
PLOG_E("mount('%s', '%s', type='%s') failed", mpt->src, dst, mpt->fs_type);
}
return false;
}
return true;
}
static bool containRemountRO(struct mounts_t *mpt)
{
struct statvfs vfs;
if (statvfs(mpt->dst, &vfs) == -1) {
PLOG_E("statvfs('%s')", mpt->dst);
return false;
}
if (mpt->flags & MS_RDONLY) {
LOG_D("Re-mounting RO '%s'", mpt->dst);
/*
* It's fine to use 'flags | vfs.f_flag' here as per
* /usr/include/x86_64-linux-gnu/bits/statvfs.h: 'Definitions for
* the flag in `f_flag'. These definitions should be
* kept in sync with the definitions in <sys/mount.h>'
*/
if (mount
(mpt->dst, mpt->dst, NULL,
MS_BIND | MS_REMOUNT | MS_RDONLY | vfs.f_flag, 0) == -1) {
PLOG_E("mount('%s', MS_REC|MS_BIND|MS_REMOUNT|MS_RDONLY)", mpt->dst);
return false;
}
}
return true;
}
bool containMountFS(struct nsjconf_t * nsjconf)
{
if (nsjconf->clone_newns == false) {
if (chroot(nsjconf->chroot) == -1) {
PLOG_E("chroot('%s')", nsjconf->chroot) {
return false;
}
}
if (chdir("/") == -1) {
PLOG_E("chdir('/')");
return false;
}
return true;
}
const char *const destdir = "/tmp";
if (mount("none", destdir, "tmpfs", 0, NULL) == -1) {
PLOG_E("mount('%s', 'tmpfs'", destdir);
return false;
}
char newrootdir[PATH_MAX];
snprintf(newrootdir, sizeof(newrootdir), "%s/%s", destdir, "new_root");
if (mkdir(newrootdir, 0755) == -1) {
PLOG_E("mkdir('%s')", newrootdir);
return false;
}
struct mounts_t *p;
TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
char dst[PATH_MAX];
snprintf(dst, sizeof(dst), "%s/%s", newrootdir, p->dst);
if (containMount(nsjconf, p, dst) == false) {
return false;
}
}
char pivotrootdir[PATH_MAX];
snprintf(pivotrootdir, sizeof(pivotrootdir), "%s/%s", destdir, "pivot_root");
if (mkdir(pivotrootdir, 0755) == -1) {
PLOG_E("mkdir('%s')", pivotrootdir);
return false;
}
if (syscall(__NR_pivot_root, destdir, pivotrootdir) == -1) {
PLOG_E("pivot_root('%s', '%s')", destdir, pivotrootdir);
return false;
}
if (umount2("/pivot_root", MNT_DETACH) == -1) {
PLOG_E("umount2('/pivot_root', MNT_DETACH)");
return false;
}
if (chroot("/new_root") == -1) {
PLOG_E("CHROOT('/new_root')");
return false;
}
if (chdir(nsjconf->cwd) == -1) {
PLOG_E("chdir('%s')", nsjconf->cwd);
return false;
}
TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
if (containRemountRO(p) == false) {
return false;
}
}
return true;
return mountInitNs(nsjconf);
}
bool containSetLimits(struct nsjconf_t * nsjconf)
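Review bot: containInitMountNs in the second hunk (and containInitNetNs in the first) now reduce to a single delegating `return mountInitNs(nsjconf);` / `return netInitNs(nsjconf);` with no comment saying why the wrappers survive the split, so the next reader is likely to inline them; a one-line comment on each, such as `/* Kept as contain's per-namespace entry point for subproc.c; the work lives in mount.c */`, would settle that. If contain.c still includes <sys/mount.h>, <sys/statvfs.h> or <fcntl.h> only for the mount code that moved out, those includes are now dead — the include block sits above the first hunk, so I cannot confirm from here. containSetLimits, which the second hunk ends on, continues outside the hunk.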
@ -30,7 +30,7 @@ bool containInitUserNs(struct nsjconf_t *nsjconf, pid_t pid);
bool containInitNetNs(struct nsjconf_t *nsjconf);
bool containDropPrivs(struct nsjconf_t *nsjconf);
bool containPrepareEnv(struct nsjconf_t *nsjconf);
bool containMountFS(struct nsjconf_t *nsjconf);
bool containInitMountNs(struct nsjconf_t *nsjconf);
bool containSetLimits(struct nsjconf_t *nsjconf);
bool containMakeFdsCOE(void);
bool containSetupFD(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_err, int fd_log);
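--- /dev/null
+++ b/mount.c
@@ -0,0 +1,199 @@
+/*
+
+nsjail - CLONE_NEWNS routines
+-----------------------------------------
+
+Copyright 2014 Google Inc. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#include "mount.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/statvfs.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "log.h"
+
+static bool mountIsDir(const char *path)
+{
+if (path == NULL || strcmp(path, "none") == 0) {
+return false;
+}
+struct stat st;
+if (stat(path, &st) == -1) {
+PLOG_E("stat('%s')", path);
+return false;
+}
+if (S_ISDIR(st.st_mode)) {
+return true;
+}
+return false;
+}
+
+// It's a not a simple reversal of containIsDir() as it returns also 'false' upon
+// stat() failure
+static bool mountNotIsDir(const char *path)
+{
+if (path == NULL || strcmp(path, "none") == 0) {
+return false;
+}
+struct stat st;
+if (stat(path, &st) == -1) {
+PLOG_E("stat('%s')", path);
+return false;
+}
+if (S_ISDIR(st.st_mode)) {
+return false;
+}
+return true;
+}
+
+static bool mountMount(struct nsjconf_t *nsjconf, struct mounts_t *mpt, const char *dst)
+{
+LOG_D("Mounting '%s' on '%s' (type:'%s', flags:0x%tx)", mpt->src, dst, mpt->fs_type,
+mpt->flags);
+
+if (mountIsDir(mpt->src) == true) {
+if (mkdir(dst, 0711) == -1 && errno != EEXIST) {
+PLOG_W("mkdir('%s')", dst);
+}
+}
+
+if (mountNotIsDir(mpt->src) == true) {
+int fd = open(dst, O_CREAT | O_RDONLY, 0644);
+if (fd >= 0) {
+close(fd);
+} else {
+PLOG_W("open('%s', O_CREAT|O_RDONLY, 0700)", dst);
+}
+}
+
+if (mount(mpt->src, dst, mpt->fs_type, mpt->flags, mpt->options) == -1) {
+if (errno == EACCES) {
+PLOG_E
+("mount('%s', '%s', type='%s') failed. Try fixing this problem by applying 'chmod o+x' to the '%s' directory and its ancestors",
+mpt->src, dst, mpt->fs_type, nsjconf->chroot);
+} else {
+PLOG_E("mount('%s', '%s', type='%s') failed", mpt->src, dst, mpt->fs_type);
+}
+return false;
+}
+return true;
+}
+
+static bool mountRemountRO(struct mounts_t *mpt)
+{
+struct statvfs vfs;
+if (statvfs(mpt->dst, &vfs) == -1) {
+PLOG_E("statvfs('%s')", mpt->dst);
+return false;
+}
+
+if (mpt->flags & MS_RDONLY) {
+LOG_D("Re-mounting RO '%s'", mpt->dst);
+/*
+* It's fine to use 'flags | vfs.f_flag' here as per
+* /usr/include/x86_64-linux-gnu/bits/statvfs.h: 'Definitions for
+* the flag in `f_flag'. These definitions should be
+* kept in sync with the definitions in <sys/mount.h>'
+*/
+if (mount
+(mpt->dst, mpt->dst, NULL,
+MS_BIND | MS_REMOUNT | MS_RDONLY | vfs.f_flag, 0) == -1) {
+PLOG_E("mount('%s', MS_REC|MS_BIND|MS_REMOUNT|MS_RDONLY)", mpt->dst);
+return false;
+}
+}
+return true;
+}
+
+bool mountInitNs(struct nsjconf_t * nsjconf)
+{
+if (nsjconf->clone_newns == false) {
+if (chroot(nsjconf->chroot) == -1) {
+PLOG_E("chroot('%s')", nsjconf->chroot) {
+return false;
+}
+}
+if (chdir("/") == -1) {
+PLOG_E("chdir('/')");
+return false;
+}
+return true;
+}
+
+const char *const destdir = "/tmp";
+if (mount("none", destdir, "tmpfs", 0, NULL) == -1) {
+PLOG_E("mount('%s', 'tmpfs'", destdir);
+return false;
+}
+char newrootdir[PATH_MAX];
+snprintf(newrootdir, sizeof(newrootdir), "%s/%s", destdir, "new_root");
+if (mkdir(newrootdir, 0755) == -1) {
+PLOG_E("mkdir('%s')", newrootdir);
+return false;
+}
+
+struct mounts_t *p;
+TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
+char dst[PATH_MAX];
+snprintf(dst, sizeof(dst), "%s/%s", newrootdir, p->dst);
+if (mountMount(nsjconf, p, dst) == false) {
+return false;
+}
+}
+
+char pivotrootdir[PATH_MAX];
+snprintf(pivotrootdir, sizeof(pivotrootdir), "%s/%s", destdir, "pivot_root");
+if (mkdir(pivotrootdir, 0755) == -1) {
+PLOG_E("mkdir('%s')", pivotrootdir);
+return false;
+}
+if (syscall(__NR_pivot_root, destdir, pivotrootdir) == -1) {
+PLOG_E("pivot_root('%s', '%s')", destdir, pivotrootdir);
+return false;
+}
+
+if (umount2("/pivot_root", MNT_DETACH) == -1) {
+PLOG_E("umount2('/pivot_root', MNT_DETACH)");
+return false;
+}
+if (chroot("/new_root") == -1) {
+PLOG_E("CHROOT('/new_root')");
+return false;
+}
+
+if (chdir(nsjconf->cwd) == -1) {
+PLOG_E("chdir('%s')", nsjconf->cwd);
+return false;
+}
+
+TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
+if (mountRemountRO(p) == false) {
+return false;
+}
+}
+
+return true;
+}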
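Review bot: In mountInitNs the per-mount destination is built with `snprintf(dst, sizeof(dst), "%s/%s", newrootdir, p->dst)` and the return value is never checked, so a configured destination longer than PATH_MAX is silently truncated and the mount is performed on a different path than the one requested; the newrootdir and pivotrootdir calls have the same shape, though their inputs are fixed strings. Failing closed is two lines: `int n = snprintf(dst, sizeof(dst), "%s/%s", newrootdir, p->dst);` followed by `if (n < 0 || (size_t)n >= sizeof(dst)) { LOG_E("Path too long: '%s/%s'", newrootdir, p->dst); return false; }`. In the clone_newns == false branch, `PLOG_E("chroot('%s')", nsjconf->chroot) {` opens a bare block around `return false;`; this presumably compiles only because the macro expansion ends the statement, and `PLOG_E("chroot('%s')", nsjconf->chroot); return false;` says the same thing plainly. Two log messages also disagree with the code they describe: the open() warning in mountMount prints `0700` while the mode passed is `0644`, and the remount error in mountRemountRO names `MS_REC` although the flags are `MS_BIND | MS_REMOUNT | MS_RDONLY | vfs.f_flag`. The comment above mountNotIsDir still refers to containIsDir(), which no longer exists in this file.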
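--- /dev/null
+++ b/mount.h
@@ -0,0 +1,31 @@
+/*
+
+nsjail - CLONE_NEWNS routines
+-----------------------------------------
+
+Copyright 2014 Google Inc. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+*/
+
+#ifndef _MOUNT_H
+#define _MOUNT_H
+
+#include <stdbool.h>
+
+#include "common.h"
+
+bool mountInitNs(struct nsjconf_t *nsjconf);
+
+#endif /* _MOUNT_H */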
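Review bot: The include guard `_MOUNT_H` (and the matching `#endif /* _MOUNT_H */`) is a reserved identifier — names beginning with an underscore followed by an uppercase letter belong to the implementation (C11 7.1.3) — and while it mirrors the `_NET_H` guard visible in net.h, a non-reserved spelling such as `MOUNT_H` or `NSJAIL_MOUNT_H` avoids a potential clash with system headers. The header also publishes mountInitNs without stating its contract; a one-line comment above the prototype, such as `/* Sets up the jail's mount tree (plain chroot when clone_newns is off, tmpfs + pivot_root otherwise); returns false on the first failure. */`, would tell contain.c callers what false means.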
21
net.c
21
net.c
@ -48,7 +48,7 @@
#if defined(NSJAIL_NL3_WITH_MACVLAN)
#include <netlink/route/link.h>
#include <netlink/route/link/macvlan.h>
bool netCloneMacVtapAndNS(struct nsjconf_t *nsjconf, int pid)
bool netCloneMacVtapAndNS(struct nsjconf_t * nsjconf, int pid)
{
if (nsjconf->iface == NULL) {
return true;
@ -314,7 +314,7 @@ void netConnToText(int fd, bool remote, char *buf, size_t s, struct sockaddr_in6
return;
}
bool netIfaceUp(const char *ifacename)
static bool netIfaceUp(const char *ifacename)
{
int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sock == -1) {
@ -344,7 +344,7 @@ bool netIfaceUp(const char *ifacename)
return true;
}
bool netConfigureVs(struct nsjconf_t * nsjconf)
static bool netConfigureVs(struct nsjconf_t *nsjconf)
{
struct ifreq ifr;
memset(&ifr, '\0', sizeof(ifr));
@ -428,3 +428,18 @@ bool netConfigureVs(struct nsjconf_t * nsjconf)
close(sock);
return true;
}
bool netInitNs(struct nsjconf_t * nsjconf)
{
if (nsjconf->iface_no_lo == false) {
if (netIfaceUp("lo") == false) {
return false;
}
}
if (nsjconf->iface) {
if (netConfigureVs(nsjconf) == false) {
return false;
}
}
return true;
}
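Review bot: The first hunk rewrites the definition of netCloneMacVtapAndNS as `struct nsjconf_t * nsjconf` (space after the asterisk) while the hunk at line 344 rewrites netConfigureVs to `struct nsjconf_t *nsjconf`, and the new netInitNs in the last hunk uses `* nsjconf` again; this looks like an indent-tool artifact rather than an intended change, and the file should settle on the `*nsjconf` form the header uses. netInitNs also lands with no comment; suggest `/* Brings up 'lo' unless iface_no_lo is set, then configures nsjconf->iface when one is given; returns false on the first failure. */` above it. Making netIfaceUp and netConfigureVs static is the right call for the split, and the two hunks doing it are fine as written.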
3
net.h
3
net.h
@ -32,7 +32,6 @@ bool netLimitConns(struct nsjconf_t *nsjconf, int connsock);
int netGetRecvSocket(const char *bindhost, int port);
int netAcceptConn(int listenfd);
void netConnToText(int fd, bool remote, char *buf, size_t s, struct sockaddr_in6 *addr_or_null);
bool netIfaceUp(const char *ifacename);
bool netConfigureVs(struct nsjconf_t *nsjconf);
bool netInitNs(struct nsjconf_t *nsjconf);
#endif /* _NET_H */
@ -63,7 +63,7 @@ static int subprocNewProc(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int
if (containPrepareEnv(nsjconf) == false) {
exit(1);
}
if (containMountFS(nsjconf) == false) {
if (containInitMountNs(nsjconf) == false) {
exit(1);
}
if (containInitNetNs(nsjconf) == false) {