woj/nsjail
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Separate mount.c module

Browse Source
This commit is contained in:
Robert Swiecki 2016-03-03 15:37:04 +01:00
parent 2f137dde4b
commit e02d4e4edf
8 changed files with 260 additions and 183 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Makefile
View File

@ -25,7 +25,7 @@ CFLAGS += -O2 -g -ggdb -c -std=c11 \
LDFLAGS += -Wl,-z,now -Wl,-z,relro -pie
SRCS = nsjail.c cmdline.c contain.c log.c net.c subproc.c sandbox.c util.c seccomp/bpf-helper.c
SRCS = nsjail.c cmdline.c contain.c log.c net.c mount.c subproc.c sandbox.c util.c seccomp/bpf-helper.c
OBJS = $(SRCS:.c=.o)
BIN = nsjail
@ -53,12 +53,13 @@ indent:
# DO NOT DELETE THIS LINE -- make depend depends on it.
nsjail.o: nsjail.h cmdline.h common.h log.h net.h subproc.h
nsjail.o: nsjail.h common.h cmdline.h log.h net.h subproc.h
cmdline.o: cmdline.h common.h log.h util.h
contain.o: contain.h common.h log.h net.h util.h
contain.o: contain.h common.h log.h mount.h net.h util.h
log.o: log.h common.h
net.o: net.h common.h log.h
mount.o: mount.h common.h log.h
subproc.o: subproc.h common.h contain.h log.h net.h sandbox.h util.h
sandbox.o: sandbox.h common.h log.h seccomp/bpf-helper.h
util.o: util.h log.h common.h
util.o: util.h common.h log.h
seccomp/bpf-helper.o: seccomp/bpf-helper.h

176
contain.c
View File

@ -45,23 +45,13 @@
#include <unistd.h>
#include "log.h"
#include "mount.h"
#include "net.h"
#include "util.h"
bool containInitNetNs(struct nsjconf_t * nsjconf)
{
if (nsjconf->iface_no_lo == false) {
if (netIfaceUp("lo") == false) {
return false;
}
}
if (nsjconf->iface) {
if (netConfigureVs(nsjconf) == false) {
return false;
}
}
return true;
return netInitNs(nsjconf);
}
static bool containSetGroups(pid_t pid)
@ -198,167 +188,9 @@ bool containPrepareEnv(struct nsjconf_t * nsjconf)
return true;
}
static bool containIsDir(const char *path)
bool containInitMountNs(struct nsjconf_t * nsjconf)
{
if (path == NULL || strcmp(path, "none") == 0) {
return false;
}
struct stat st;
if (stat(path, &st) == -1) {
PLOG_E("stat('%s')", path);
return false;
}
if (S_ISDIR(st.st_mode)) {
return true;
}
return false;
}
// It's a not a simple reversal of containIsDir() as it returns also 'false' upon
// stat() failure
static bool containNotIsDir(const char *path)
{
if (path == NULL || strcmp(path, "none") == 0) {
return false;
}
struct stat st;
if (stat(path, &st) == -1) {
PLOG_E("stat('%s')", path);
return false;
}
if (S_ISDIR(st.st_mode)) {
return false;
}
return true;
}
static bool containMount(struct nsjconf_t *nsjconf, struct mounts_t *mpt, const char *dst)
{
LOG_D("Mounting '%s' on '%s' (type:'%s', flags:0x%tx)", mpt->src, dst, mpt->fs_type,
mpt->flags);
if (containIsDir(mpt->src) == true) {
if (mkdir(dst, 0711) == -1 && errno != EEXIST) {
PLOG_W("mkdir('%s')", dst);
}
}
if (containNotIsDir(mpt->src) == true) {
int fd = open(dst, O_CREAT | O_RDONLY, 0644);
if (fd >= 0) {
close(fd);
} else {
PLOG_W("open('%s', O_CREAT|O_RDONLY, 0700)", dst);
}
}
if (mount(mpt->src, dst, mpt->fs_type, mpt->flags, mpt->options) == -1) {
if (errno == EACCES) {
PLOG_E
("mount('%s', '%s', type='%s') failed. Try fixing this problem by applying 'chmod o+x' to the '%s' directory and its ancestors",
mpt->src, dst, mpt->fs_type, nsjconf->chroot);
} else {
PLOG_E("mount('%s', '%s', type='%s') failed", mpt->src, dst, mpt->fs_type);
}
return false;
}
return true;
}
static bool containRemountRO(struct mounts_t *mpt)
{
struct statvfs vfs;
if (statvfs(mpt->dst, &vfs) == -1) {
PLOG_E("statvfs('%s')", mpt->dst);
return false;
}
if (mpt->flags & MS_RDONLY) {
LOG_D("Re-mounting RO '%s'", mpt->dst);
/*
* It's fine to use 'flags | vfs.f_flag' here as per
* /usr/include/x86_64-linux-gnu/bits/statvfs.h: 'Definitions for
* the flag in `f_flag'. These definitions should be
* kept in sync with the definitions in <sys/mount.h>'
*/
if (mount
(mpt->dst, mpt->dst, NULL,
MS_BIND | MS_REMOUNT | MS_RDONLY | vfs.f_flag, 0) == -1) {
PLOG_E("mount('%s', MS_REC|MS_BIND|MS_REMOUNT|MS_RDONLY)", mpt->dst);
return false;
}
}
return true;
}
bool containMountFS(struct nsjconf_t * nsjconf)
{
if (nsjconf->clone_newns == false) {
if (chroot(nsjconf->chroot) == -1) {
PLOG_E("chroot('%s')", nsjconf->chroot) {
return false;
}
}
if (chdir("/") == -1) {
PLOG_E("chdir('/')");
return false;
}
return true;
}
const char *const destdir = "/tmp";
if (mount("none", destdir, "tmpfs", 0, NULL) == -1) {
PLOG_E("mount('%s', 'tmpfs'", destdir);
return false;
}
char newrootdir[PATH_MAX];
snprintf(newrootdir, sizeof(newrootdir), "%s/%s", destdir, "new_root");
if (mkdir(newrootdir, 0755) == -1) {
PLOG_E("mkdir('%s')", newrootdir);
return false;
}
struct mounts_t *p;
TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
char dst[PATH_MAX];
snprintf(dst, sizeof(dst), "%s/%s", newrootdir, p->dst);
if (containMount(nsjconf, p, dst) == false) {
return false;
}
}
char pivotrootdir[PATH_MAX];
snprintf(pivotrootdir, sizeof(pivotrootdir), "%s/%s", destdir, "pivot_root");
if (mkdir(pivotrootdir, 0755) == -1) {
PLOG_E("mkdir('%s')", pivotrootdir);
return false;
}
if (syscall(__NR_pivot_root, destdir, pivotrootdir) == -1) {
PLOG_E("pivot_root('%s', '%s')", destdir, pivotrootdir);
return false;
}
if (umount2("/pivot_root", MNT_DETACH) == -1) {
PLOG_E("umount2('/pivot_root', MNT_DETACH)");
return false;
}
if (chroot("/new_root") == -1) {
PLOG_E("CHROOT('/new_root')");
return false;
}
if (chdir(nsjconf->cwd) == -1) {
PLOG_E("chdir('%s')", nsjconf->cwd);
return false;
}
TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
if (containRemountRO(p) == false) {
return false;
}
}
return true;
return mountInitNs(nsjconf);
}
bool containSetLimits(struct nsjconf_t * nsjconf)

2
contain.h
View File

@ -30,7 +30,7 @@ bool containInitUserNs(struct nsjconf_t *nsjconf, pid_t pid);
bool containInitNetNs(struct nsjconf_t *nsjconf);
bool containDropPrivs(struct nsjconf_t *nsjconf);
bool containPrepareEnv(struct nsjconf_t *nsjconf);
bool containMountFS(struct nsjconf_t *nsjconf);
bool containInitMountNs(struct nsjconf_t *nsjconf);
bool containSetLimits(struct nsjconf_t *nsjconf);
bool containMakeFdsCOE(void);
bool containSetupFD(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_err, int fd_log);

199
mount.c Normal file
View File

@ -0,0 +1,199 @@
/*
nsjail - CLONE_NEWNS routines
-----------------------------------------
Copyright 2014 Google Inc. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#include "mount.h"
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include "log.h"
static bool mountIsDir(const char *path)
{
if (path == NULL || strcmp(path, "none") == 0) {
return false;
}
struct stat st;
if (stat(path, &st) == -1) {
PLOG_E("stat('%s')", path);
return false;
}
if (S_ISDIR(st.st_mode)) {
return true;
}
return false;
}
// It's a not a simple reversal of containIsDir() as it returns also 'false' upon
// stat() failure
static bool mountNotIsDir(const char *path)
{
if (path == NULL || strcmp(path, "none") == 0) {
return false;
}
struct stat st;
if (stat(path, &st) == -1) {
PLOG_E("stat('%s')", path);
return false;
}
if (S_ISDIR(st.st_mode)) {
return false;
}
return true;
}
static bool mountMount(struct nsjconf_t *nsjconf, struct mounts_t *mpt, const char *dst)
{
LOG_D("Mounting '%s' on '%s' (type:'%s', flags:0x%tx)", mpt->src, dst, mpt->fs_type,
mpt->flags);
if (mountIsDir(mpt->src) == true) {
if (mkdir(dst, 0711) == -1 && errno != EEXIST) {
PLOG_W("mkdir('%s')", dst);
}
}
if (mountNotIsDir(mpt->src) == true) {
int fd = open(dst, O_CREAT | O_RDONLY, 0644);
if (fd >= 0) {
close(fd);
} else {
PLOG_W("open('%s', O_CREAT|O_RDONLY, 0700)", dst);
}
}
if (mount(mpt->src, dst, mpt->fs_type, mpt->flags, mpt->options) == -1) {
if (errno == EACCES) {
PLOG_E
("mount('%s', '%s', type='%s') failed. Try fixing this problem by applying 'chmod o+x' to the '%s' directory and its ancestors",
mpt->src, dst, mpt->fs_type, nsjconf->chroot);
} else {
PLOG_E("mount('%s', '%s', type='%s') failed", mpt->src, dst, mpt->fs_type);
}
return false;
}
return true;
}
static bool mountRemountRO(struct mounts_t *mpt)
{
struct statvfs vfs;
if (statvfs(mpt->dst, &vfs) == -1) {
PLOG_E("statvfs('%s')", mpt->dst);
return false;
}
if (mpt->flags & MS_RDONLY) {
LOG_D("Re-mounting RO '%s'", mpt->dst);
/*
* It's fine to use 'flags | vfs.f_flag' here as per
* /usr/include/x86_64-linux-gnu/bits/statvfs.h: 'Definitions for
* the flag in `f_flag'. These definitions should be
* kept in sync with the definitions in <sys/mount.h>'
*/
if (mount
(mpt->dst, mpt->dst, NULL,
MS_BIND | MS_REMOUNT | MS_RDONLY | vfs.f_flag, 0) == -1) {
PLOG_E("mount('%s', MS_REC|MS_BIND|MS_REMOUNT|MS_RDONLY)", mpt->dst);
return false;
}
}
return true;
}
bool mountInitNs(struct nsjconf_t * nsjconf)
{
if (nsjconf->clone_newns == false) {
if (chroot(nsjconf->chroot) == -1) {
PLOG_E("chroot('%s')", nsjconf->chroot) {
return false;
}
}
if (chdir("/") == -1) {
PLOG_E("chdir('/')");
return false;
}
return true;
}
const char *const destdir = "/tmp";
if (mount("none", destdir, "tmpfs", 0, NULL) == -1) {
PLOG_E("mount('%s', 'tmpfs'", destdir);
return false;
}
char newrootdir[PATH_MAX];
snprintf(newrootdir, sizeof(newrootdir), "%s/%s", destdir, "new_root");
if (mkdir(newrootdir, 0755) == -1) {
PLOG_E("mkdir('%s')", newrootdir);
return false;
}
struct mounts_t *p;
TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
char dst[PATH_MAX];
snprintf(dst, sizeof(dst), "%s/%s", newrootdir, p->dst);
if (mountMount(nsjconf, p, dst) == false) {
return false;
}
}
char pivotrootdir[PATH_MAX];
snprintf(pivotrootdir, sizeof(pivotrootdir), "%s/%s", destdir, "pivot_root");
if (mkdir(pivotrootdir, 0755) == -1) {
PLOG_E("mkdir('%s')", pivotrootdir);
return false;
}
if (syscall(__NR_pivot_root, destdir, pivotrootdir) == -1) {
PLOG_E("pivot_root('%s', '%s')", destdir, pivotrootdir);
return false;
}
if (umount2("/pivot_root", MNT_DETACH) == -1) {
PLOG_E("umount2('/pivot_root', MNT_DETACH)");
return false;
}
if (chroot("/new_root") == -1) {
PLOG_E("CHROOT('/new_root')");
return false;
}
if (chdir(nsjconf->cwd) == -1) {
PLOG_E("chdir('%s')", nsjconf->cwd);
return false;
}
TAILQ_FOREACH(p, &nsjconf->mountpts, pointers) {
if (mountRemountRO(p) == false) {
return false;
}
}
return true;
}

31
mount.h Normal file
View File

@ -0,0 +1,31 @@
/*
nsjail - CLONE_NEWNS routines
-----------------------------------------
Copyright 2014 Google Inc. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
#ifndef _MOUNT_H
#define _MOUNT_H
#include <stdbool.h>
#include "common.h"
bool mountInitNs(struct nsjconf_t *nsjconf);
#endif /* _MOUNT_H */

21
net.c
View File

@ -48,7 +48,7 @@
#if defined(NSJAIL_NL3_WITH_MACVLAN)
#include <netlink/route/link.h>
#include <netlink/route/link/macvlan.h>
bool netCloneMacVtapAndNS(struct nsjconf_t *nsjconf, int pid)
bool netCloneMacVtapAndNS(struct nsjconf_t * nsjconf, int pid)
{
if (nsjconf->iface == NULL) {
return true;
@ -314,7 +314,7 @@ void netConnToText(int fd, bool remote, char *buf, size_t s, struct sockaddr_in6
return;
}
bool netIfaceUp(const char *ifacename)
static bool netIfaceUp(const char *ifacename)
{
int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
if (sock == -1) {
@ -344,7 +344,7 @@ bool netIfaceUp(const char *ifacename)
return true;
}
bool netConfigureVs(struct nsjconf_t * nsjconf)
static bool netConfigureVs(struct nsjconf_t *nsjconf)
{
struct ifreq ifr;
memset(&ifr, '\0', sizeof(ifr));
@ -428,3 +428,18 @@ bool netConfigureVs(struct nsjconf_t * nsjconf)
close(sock);
return true;
}
bool netInitNs(struct nsjconf_t * nsjconf)
{
if (nsjconf->iface_no_lo == false) {
if (netIfaceUp("lo") == false) {
return false;
}
}
if (nsjconf->iface) {
if (netConfigureVs(nsjconf) == false) {
return false;
}
}
return true;
}

3
net.h
View File

@ -32,7 +32,6 @@ bool netLimitConns(struct nsjconf_t *nsjconf, int connsock);
int netGetRecvSocket(const char *bindhost, int port);
int netAcceptConn(int listenfd);
void netConnToText(int fd, bool remote, char *buf, size_t s, struct sockaddr_in6 *addr_or_null);
bool netIfaceUp(const char *ifacename);
bool netConfigureVs(struct nsjconf_t *nsjconf);
bool netInitNs(struct nsjconf_t *nsjconf);
#endif /* _NET_H */

2
subproc.c
View File

@ -63,7 +63,7 @@ static int subprocNewProc(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int
if (containPrepareEnv(nsjconf) == false) {
exit(1);
}
if (containMountFS(nsjconf) == false) {
if (containInitMountNs(nsjconf) == false) {
exit(1);
}
if (containInitNetNs(nsjconf) == false) {