diff options
| author | Toni Uhlig <matzeton@googlemail.com> | 2018-05-06 14:40:52 +0200 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2018-05-06 14:40:52 +0200 |
| commit | 9653d78388348ebd47b820a0d9d95bbd885973a0 (patch) | |
| tree | df3d51baa08075f44b6c18596730ac21714e5139 /src/jail.c | |
| parent | 4f66937b2bfadfa54aa099ea9bbb9f2f0dc2416f (diff) | |
POTD skeleton #42.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src/jail.c')
| -rw-r--r-- | src/jail.c | 85 |
1 files changed, 55 insertions, 30 deletions
@@ -12,7 +12,6 @@ #include "jail.h" #include "socket.h" #include "server.h" -#include "pterm.h" #include "utils.h" #include "log.h" @@ -26,8 +25,9 @@ static int jail_mainloop_epoll(int epoll_fd, jail_ctx *ctx[], size_t siz) __attribute__((noreturn)); static int jail_accept_client(jail_ctx *ctx[], size_t siz, struct epoll_event *event); -static int jail_childfn(void *arg) +static int jail_childfn(jail_prisoner_process *ctx) __attribute__((noreturn)); +static int jail_socket_tty_epoll(jail_prisoner_process *ctx, int tty_fd); void jail_init_ctx(jail_ctx **ctx, size_t stacksize) @@ -259,85 +259,78 @@ error: return rc; } -static int jail_childfn(void *arg) +static int jail_childfn(jail_prisoner_process *ctx) { - jail_prisoner_process *args; const char *path_dev = "/dev"; const char *path_devpts = "/dev/pts"; const char *path_proc = "/proc"; const char *path_shell = "/bin/sh"; - char tty_name[TTYSZ+sizeof(long)]; - int s, pty_fd, tty_fd; + int s, master_fd; int unshare_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC| CLONE_NEWNS|CLONE_NEWNET; pid_t self_pid, child_pid; - assert(arg); - args = (jail_prisoner_process *) arg; + assert(ctx); self_pid = getpid(); if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0) FATAL("Jail child prctl for pid %d", self_pid); - if (!args->newroot) + if (!ctx->newroot) FATAL("New root set for pid %d", self_pid); D2("Unshare prisoner %d", self_pid); if (unshare(unshare_flags)) FATAL("Unshare prisoner %d", self_pid); - D2("Safe change root to: '%s'", args->newroot); - if (safe_chroot(args->newroot)) - FATAL("Safe jail chroot to '%s' failed", args->newroot); + D2("Safe change root to: '%s'", ctx->newroot); + if (safe_chroot(ctx->newroot)) + FATAL("Safe jail chroot to '%s' failed", ctx->newroot); - D2("Mounting rootfs to '%s'", args->newroot); + D2("Mounting rootfs to '%s'", ctx->newroot); mount_root(); - D2("Mounting devtmpfs to '%s%s'", args->newroot, path_dev); + D2("Mounting devtmpfs to '%s%s'", ctx->newroot, path_dev); s = mkdir(path_dev, S_IRUSR|S_IWUSR|S_IXUSR| S_IRGRP|S_IXGRP| S_IROTH|S_IXOTH); if (s && errno != EEXIST) FATAL("Create directory '%s'", path_dev); if (!dir_is_mountpoint(path_dev) && mount_dev(path_dev)) - FATAL("Mount devtmpfs to '%s%s'", args->newroot, path_dev); + FATAL("Mount devtmpfs to '%s%s'", ctx->newroot, path_dev); - D2("Mounting devpts to '%s%s'", args->newroot, path_devpts); + D2("Mounting devpts to '%s%s'", ctx->newroot, path_devpts); s = mkdir(path_devpts, S_IRUSR|S_IWUSR|S_IXUSR| S_IRGRP|S_IXGRP| S_IROTH|S_IXOTH); if (s && errno != EEXIST) FATAL("Create directory '%s'", path_devpts); if (!dir_is_mountpoint(path_devpts) && mount_pts(path_devpts)) - FATAL("Mount devpts to '%s%s'", args->newroot, path_devpts); + FATAL("Mount devpts to '%s%s'", ctx->newroot, path_devpts); - D2("Mounting proc to '%s%s'", args->newroot, path_proc); + D2("Mounting proc to '%s%s'", ctx->newroot, path_proc); s = mkdir(path_proc, S_IRUSR|S_IWUSR|S_IXUSR| S_IRGRP|S_IXGRP| S_IROTH|S_IXOTH); if (s && errno != EEXIST) FATAL("Create directory '%s'", path_proc); if (!dir_is_mountpoint(path_proc) && mount_proc(path_proc)) - FATAL("Mount devpts to '%s%s'", args->newroot, path_proc) + FATAL("Mount devpts to '%s%s'", ctx->newroot, path_proc) - D2("Creating device files in '%s%s'", args->newroot, path_dev); + D2("Creating device files in '%s%s'", ctx->newroot, path_dev); if (create_device_files(path_dev)) { E2("Device file creation failed for rootfs '%s%s'", - args->newroot, path_dev); + ctx->newroot, path_dev); exit(EXIT_FAILURE); } - if (pty_allocate(&pty_fd, &tty_fd, tty_name, TTYSZ)) - FATAL("%s", "TTY allocation"); - - D2("Forking a new process for the slave tty from " - "parent pty with pid %d", - self_pid); - child_pid = fork(); + D2("Forking a new pty process for " + "parent %d", self_pid); + child_pid = forkpty(&master_fd, NULL, NULL, NULL); switch (child_pid) { case -1: FATAL("Forking a new process for the slave tty from " - "parent pty with pid %d", - self_pid); + "parent pty with pid %d", + self_pid); break; case 0: D2("Executing '%s'", path_shell); @@ -345,8 +338,40 @@ static int jail_childfn(void *arg) FATAL("Execute a shell for pid %d", self_pid); break; default: + if (set_fd_nonblock(master_fd)) + FATAL("Pty master fd nonblock for prisoner pid %d", + child_pid); + N("Socket to tty I/O loop for prisoner pid %d", + child_pid); + if (jail_socket_tty_epoll(ctx, master_fd)) + FATAL("Socket to tty I/O loop for prisoner pid %d", + child_pid); waitpid(child_pid, &s, 0); } exit(EXIT_FAILURE); } + +static int jail_socket_tty_epoll(jail_prisoner_process *ctx, int tty_fd) +{ + int s, fd = epoll_create1(0); + struct epoll_event event = {0,{0}}; + + assert(ctx); + if (fd < 0) + return -1; + + event.events = EPOLLIN | EPOLLET; + event.data.fd = ctx->client_psock.fd; + s = epoll_ctl(fd, EPOLL_CTL_ADD, ctx->client_psock.fd, &event); + if (s) + FATAL("Jail Socket Epoll for client %s:%s", + ctx->host_buf, ctx->service_buf); + event.data.fd = tty_fd; + s = epoll_ctl(fd, EPOLL_CTL_ADD, tty_fd, &event); + if (s) + FATAL("Jail TTY Epoll for client %s:%s", + ctx->host_buf, ctx->service_buf); + + return 0; +} |