diff options
| author | lns <matzeton@googlemail.com> | 2018-04-27 13:12:22 +0200 |
|---|---|---|
| committer | lns <matzeton@googlemail.com> | 2018-04-27 13:12:22 +0200 |
| commit | 533f9b6dea8365fe911955cc93f5c6d59daebfec (patch) | |
| tree | 81d854783a7063bf826e072f57f010c86c47698c | |
| parent | 2c18582245f9b68369a4bb25e602dd449ccf6410 (diff) | |
POTD skeleton #34.
Signed-off-by: lns <matzeton@googlemail.com>
| -rw-r--r-- | src/jail.c | 13 | ||||
| -rw-r--r-- | src/jail.h | 1 | ||||
| -rw-r--r-- | src/main.c | 1 | ||||
| -rw-r--r-- | src/utils.c | 25 | ||||
| -rw-r--r-- | src/utils.h | 2 |
5 files changed, 42 insertions, 0 deletions
@@ -16,6 +16,7 @@ typedef struct jail_prisoner_process { pid_t prisoner_pid; psocket client_psock; char host_buf[NI_MAXHOST], service_buf[NI_MAXSERV]; + char *newroot; } jail_prisoner_process; static int jail_mainloop_epoll(int epoll_fd, jail_ctx *ctx[], size_t siz); @@ -212,6 +213,7 @@ static int jail_accept_client(jail_ctx *ctx[], if (ctx[i]->sock.fd == event->data.fd) { args = (jail_prisoner_process *) calloc(1, sizeof(*args)); assert(args); + args->newroot = ctx[i]->newroot; if (socket_accept_in(&ctx[i]->sock, &args->client_psock)) { E_STRERR("Could not accept client connection"); @@ -254,6 +256,17 @@ static int jail_childfn(void *arg) E_STRERR("Jail child prctl"); exit(EXIT_FAILURE); } + + if (!args->newroot) { + E2("%s", "No new root set"); + exit(EXIT_FAILURE); + } + N2("Safe change root to: '%s'", args->newroot); + if (safe_chroot(args->newroot)) { + E2("Safe jail chroot to '%s' failed", args->newroot); + exit(EXIT_FAILURE); + } + printf("----> CHILD FN: %d <----\n", args->client_psock.fd); sleep(10); @@ -15,6 +15,7 @@ typedef struct jail_ctx { size_t stacksize; void *stack_ptr; void *stack_beg; + char *newroot; } jail_ctx; @@ -52,6 +52,7 @@ int main(int argc, char *argv[]) for (size_t i = 0; i < jail_siz; ++i) { jail_init_ctx(&jail[i], MAX_STACKSIZE); + jail[i]->newroot = strdup("/home/lns/git/busybox/sysroot"); ABORT_ON_FATAL( jail_setup(jail[i], "127.0.0.1", jail_ports[i]), "Jail daemon setup" ); ABORT_ON_FATAL( jail_validate_ctx(jail[i]), diff --git a/src/utils.c b/src/utils.c index 3b44331..7671ac5 100644 --- a/src/utils.c +++ b/src/utils.c @@ -201,3 +201,28 @@ int change_user_group(const char *user, const char *group) return 0; } + +int safe_chroot(const char *newroot) +{ + int s; + + s = chdir(newroot); + if (s) { + E_STRERR("Change directory"); + return 1; + } + + s = chroot("."); + if (s) { + E_STRERR("Change root directory"); + return 1; + } + + s = chdir("/"); + if (s) { + E_STRERR("Change directory inside new root"); + return 1; + } + + return 0; +} diff --git a/src/utils.h b/src/utils.h index 22a2b07..2cabfd0 100644 --- a/src/utils.h +++ b/src/utils.h @@ -20,4 +20,6 @@ int redirect_devnull_to(int fds, ...); int change_user_group(const char *user, const char *group); +int safe_chroot(const char *newroot); + #endif |