authorToni Uhlig <matzeton@googlemail.com>2018-06-23 20:39:50 +0200
committerToni Uhlig <matzeton@googlemail.com>2018-06-23 20:39:50 +0200
commit2cb07736d36a8116d4fa390bc116f6b94d479ded (patch)
tree02bc600087a5f6e013aa7b0650dbafb59c60f90a /src
parent5c03f3f3e32a3c4d9b30e8765e1082dd9886020c (diff)
fixed blacklisting issues after safe_chroot, main jail-client process does not chroot anymore
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'src')
-rw-r--r--src/filesystem.c6
-rw-r--r--src/jail.c81
2 files changed, 45 insertions, 42 deletions
diff --git a/src/filesystem.c b/src/filesystem.c
index 3fbb0d6..1edf260 100644
--- a/src/filesystem.c
+++ b/src/filesystem.c
@@ -185,10 +185,8 @@ static void disable_file_newroot(fs_oper op, const char *filename,
{
char path[PATH_MAX];
- snprintf(path, sizeof path, "%s/%s", newroot, filename);
+ snprintf(path, sizeof path, "%s%s", newroot, filename);
disable_file(op, path);
-// if (last_disable == SUCCESSFUL)
-// fs_rdonly(path, 1);
}
static int get_mount_flags(const char *path, unsigned long *flags)
@@ -416,7 +414,7 @@ void fs_disable_files(const char *newroot)
size_t i;
const char *blacklist_objects[] = {
"/sys/firmware", "/sys/hypervisor", "/sys/power", "/sys/kernel/debug",
- "/sys/kernel/vmcoreinfo", "/sys/kernel/uevent_helper",
+ "/sys/kernel/vmcoreinfo", "/sys/kernel/uevent_helper", "/proc/modules",
/* various /proc/sys files */
"/proc/sys/security", "/proc/sys/efi/vars", "/proc/sys/fs/binfmt_misc",
"/proc/sys/kernel/core_pattern", "/proc/sys/kernel/modprobe",
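Review bot: The rewritten `snprintf(path, sizeof path, "%s%s", newroot, filename);` in `disable_file_newroot` still discards its return value, so a `newroot` plus `filename` that does not fit in `PATH_MAX` is silently truncated and `disable_file` is then applied to a shorter, different path rather than the blacklisted object. For a deny-list that fails open: the intended entry stays reachable while some unrelated path may get disabled. Guard the length before acting, e.g. `int n = snprintf(path, sizeof path, "%s%s", newroot, filename);` followed by `if (n < 0 || (size_t)n >= sizeof path) return;` (the function is `void` per the hunk header; substitute whatever error reporting the file otherwise uses so the skipped entry is at least logged). The function's signature line lies outside the hunk.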
diff --git a/src/jail.c b/src/jail.c
index e302123..23d8d4d 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -4,6 +4,7 @@
#include <signal.h>
#include <pty.h>
#include <utmp.h>
+#include <limits.h>
#include <sys/signalfd.h>
#include <sys/wait.h>
#include <sys/prctl.h>
@@ -250,6 +251,7 @@ error:
static int jail_childfn(prisoner_process *ctx)
{
+ char path[PATH_MAX];
const char *path_dev = "/dev";
const char *path_devpts = "/dev/pts";
const char *path_proc = "/proc";
@@ -283,7 +285,7 @@ static int jail_childfn(prisoner_process *ctx)
FATAL("Setup network namespace for pid %d", self_pid);
caps_drop_dac_override(0);
- //caps_drop_all();
+ //caps_drop_all(); /* TODO: If seccomp not avail, drop all caps! */
D2("Unshare prisoner %d", self_pid);
if (unshare(unshare_flags))
@@ -291,48 +293,44 @@ static int jail_childfn(prisoner_process *ctx)
D2("Mounting rootfs to '%s'", ctx->newroot);
mount_root();
- fs_proc_sys(ctx->newroot);
- fs_disable_files(ctx->newroot);
- D2("Safe change root to: '%s'", ctx->newroot);
- if (safe_chroot(ctx->newroot))
- FATAL("Safe jail chroot to '%s' failed", ctx->newroot);
+ snprintf(path, sizeof path, "%s%s", ctx->newroot, path_shell);
+ D2("Checking Shell '%s'", path);
+ if (access(path, R_OK|X_OK))
+ FATAL("Shell '%s' is not accessible", path);
- fs_basic_fs();
-
- D2("Checking Shell '%s%s'", ctx->newroot, path_shell);
- if (access(path_shell, R_OK|X_OK))
- FATAL("Shell '%s%s' is not accessible", ctx->newroot, path_shell);
-
- D2("Mounting devtmpfs to '%s%s'", ctx->newroot, path_dev);
- s = mkdir(path_dev, S_IRUSR|S_IWUSR|S_IXUSR|
- S_IRGRP|S_IXGRP|
- S_IROTH|S_IXOTH);
+ snprintf(path, sizeof path, "%s%s", ctx->newroot, path_dev);
+ D2("Mounting devtmpfs to '%s'", path);
+ s = mkdir(path, S_IRUSR|S_IWUSR|S_IXUSR|
+ S_IRGRP|S_IXGRP|
+ S_IROTH|S_IXOTH);
if (s && errno != EEXIST)
- FATAL("Create directory '%s'", path_dev);
- if (!path_is_mountpoint(path_dev) && mount_dev(path_dev))
- FATAL("Mount devtmpfs to '%s%s'", ctx->newroot, path_dev);
-
- D2("Mounting devpts to '%s%s'", ctx->newroot, path_devpts);
- s = mkdir(path_devpts, S_IRUSR|S_IWUSR|S_IXUSR|
- S_IRGRP|S_IXGRP|
- S_IROTH|S_IXOTH);
+ FATAL("Create directory '%s'", path);
+ if (!path_is_mountpoint(path) && mount_dev(path))
+ FATAL("Mount devtmpfs to '%s'", path);
+
+ snprintf(path, sizeof path, "%s%s", ctx->newroot, path_devpts);
+ D2("Mounting devpts to '%s'", path);
+ s = mkdir(path, S_IRUSR|S_IWUSR|S_IXUSR|
+ S_IRGRP|S_IXGRP|
+ S_IROTH|S_IXOTH);
if (s && errno != EEXIST)
- FATAL("Create directory '%s'", path_devpts);
- if (!path_is_mountpoint(path_devpts) && mount_pts(path_devpts))
- FATAL("Mount devpts to '%s%s'", ctx->newroot, path_devpts);
-
- D2("Mounting proc to '%s%s'", ctx->newroot, path_proc);
- s = mkdir(path_proc, S_IRUSR|S_IWUSR|S_IXUSR|
- S_IRGRP|S_IXGRP|
- S_IROTH|S_IXOTH);
+ FATAL("Create directory '%s'", path);
+ if (!path_is_mountpoint(path) && mount_pts(path))
+ FATAL("Mount devpts to '%s'", path);
+
+ snprintf(path, sizeof path, "%s%s", ctx->newroot, path_proc);
+ D2("Mounting proc to '%s'", path);
+ s = mkdir(path, S_IRUSR|S_IWUSR|S_IXUSR|
+ S_IRGRP|S_IXGRP|
+ S_IROTH|S_IXOTH);
if (s && errno != EEXIST)
- FATAL("Create directory '%s'", path_proc);
+ FATAL("Create directory '%s'", path);
- D2("Creating device files in '%s%s'", ctx->newroot, path_dev);
- if (create_device_files(path_dev))
- FATAL("Device file creation failed for rootfs '%s%s'",
- ctx->newroot, path_dev);
+ snprintf(path, sizeof path, "%s%s", ctx->newroot, path_dev);
+ D2("Creating device files in '%s'", path);
+ if (create_device_files(path))
+ FATAL("Device file creation failed for rootfs '%s'", path);
if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL))
FATAL("%s", "openpty");
@@ -347,7 +345,14 @@ static int jail_childfn(prisoner_process *ctx)
self_pid);
break;
case 0:
- fs_proc_sys("");
+ fs_proc_sys(ctx->newroot);
+ fs_disable_files(ctx->newroot);
+
+ D2("Safe change root to: '%s'", ctx->newroot);
+ if (safe_chroot(ctx->newroot))
+ FATAL("Safe jail chroot to '%s' failed", ctx->newroot);
+
+ fs_basic_fs();
socket_set_ifaddr(&ctx->client_psock, "lo", "127.0.0.1", "255.0.0.0");
/*
if (update_setgroups_self(0))
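Review bot: Each of the five `snprintf(path, sizeof path, "%s%s", ctx->newroot, …)` calls added in the `@@ -291,48 +293,44 @@` hunk (for `path_shell`, `path_dev`, `path_devpts`, `path_proc`, and `path_dev` again before `create_device_files`) ignores the return value, so a long `ctx->newroot` yields a truncated `path` and the following `access`/`mkdir`/`mount_dev`/`mount_pts`/`create_device_files` operate on a wrong location — possibly a prefix of `ctx->newroot` itself, which is a host path outside the jail, in a process that per the commit message no longer chroots. A small checked helper makes the five sites uniform and fails loudly instead, as sketched below; `jail_childfn` begins and ends outside the hunk. The `/dev` path is also formatted twice (before the devtmpfs mount and again before `create_device_files`); that is harmless but the second call is redundant if `path` is not clobbered in between, which the hunk suggests it is.
```c
/* Build "<newroot><sub>" into buf. A truncated result would name a
 * location outside the jail, so abort rather than mkdir/mount there. */
static void newroot_path(char *buf, size_t cap, const char *newroot, const char *sub)
{
    int n = snprintf(buf, cap, "%s%s", newroot, sub);
    if (n < 0 || (size_t)n >= cap)
        FATAL("Path '%s%s' does not fit in %zu bytes", newroot, sub, cap);
}

    /* … unchanged: mount_root() … */
    newroot_path(path, sizeof path, ctx->newroot, path_shell);
    D2("Checking Shell '%s'", path);
    /* … unchanged: access() check; same replacement at the path_dev, path_devpts and path_proc sites … */
```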