Mount read-only directly if mounting rw fails

For new mounts, if MNT_LOCK_READONLY is locked on the visible mnt,
mount_too_revealing will fail and the whole mount will fail.
Those mounts need to be created with the readonly flag set.
Wiktor Garbacz 2023-05-16 14:01:45 +02:00
parent 5b48117a09
commit f920c9194e

16
mnt.cc

@ -128,6 +128,19 @@ static bool isDir(const char* path) {
return false;
}
static int mountRWIfPossible(mount_t* mpt, const char* src, const char* dst) {
int res =
mount(src, dst, mpt->fs_type.c_str(), mpt->flags & ~(MS_RDONLY), mpt->options.c_str());
if ((mpt->flags & MS_RDONLY) && res == -1 && errno == EPERM) {
LOG_W(
"mount('%s') src: '%s' dstpath: '%s' could not mount read-write, falling back "
"to mounting read-only directly",
describeMountPt(*mpt).c_str(), src, dst);
res = mount(src, dst, mpt->fs_type.c_str(), mpt->flags, mpt->options.c_str());
}
return res;
}
static bool mountPt(mount_t* mpt, const char* newroot, const char* tmpdir) {
LOG_D("Mounting %s", describeMountPt(*mpt).c_str());
@ -199,8 +212,7 @@ static bool mountPt(mount_t* mpt, const char* newroot, const char* tmpdir) {
/*
* Initially mount it as RW, it will be remounted later on if needed
*/
unsigned long flags = mpt->flags & ~(MS_RDONLY);
if (mount(srcpath, dstpath, mpt->fs_type.c_str(), flags, mpt->options.c_str()) == -1) {
if (mountRWIfPossible(mpt, srcpath, dstpath) == -1) {
if (errno == EACCES) {
PLOG_W(
"mount('%s') src:'%s' dstpath:'%s' failed. "
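Review bot: The comment kept above the new call in mountPt ("Initially mount it as RW, it will be remounted later on if needed") no longer matches what mountRWIfPossible does, because on EPERM with MS_RDONLY requested the mount is now created read-only from the start. I would reword it to `Try RW first (remounted RO later if needed); fall back to a direct RO mount when mount() returns EPERM`, and give mountRWIfPossible a one-line comment stating that the fallback runs only when MS_RDONLY was requested, so the result is never more permissive than the configured flags. The helper returns the same value for both outcomes, so any later step in mountPt that expects the fresh mount to be writable cannot tell the read-only case apart; that code is outside the hunk and should be checked. When both mount() calls fail, only the second errno reaches the `errno == EACCES` branch, which is probably intended but worth stating in the helper's comment.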