-rw-r--r--src/jail.c14
-rw-r--r--src/pevent.c3
-rw-r--r--src/socket.c49
-rw-r--r--src/utils.c5
4 files changed, 52 insertions, 19 deletions
diff --git a/src/jail.c b/src/jail.c
index 3de4d85..6e14b7a 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -137,7 +137,7 @@ pid_t jail_daemonize(event_ctx **ev_ctx, jail_ctx *ctx[], size_t siz)
W_STRERR("%s", "Jail daemonize");
return -1;
case 0:
- N("%s", "Jail daemon mainloop");
+ N("Jail daemon child pid %d", getpid());
jail_mainloop(ev_ctx, (const jail_ctx **) ctx, siz);
}
D2("Jail daemon pid: %d", p);
@@ -236,6 +236,8 @@ static int jail_childfn(prisoner_process *ctx)
assert(ctx);
self_pid = getpid();
+ if (set_child_sighandler())
+ FATAL("Set sighandler for pid %d", self_pid);
if (setpgrp())
FATAL("Jail set process group for pid %d", self_pid);
if (prctl(PR_SET_PDEATHSIG, SIGKILL) != 0)
@@ -282,8 +284,6 @@ static int jail_childfn(prisoner_process *ctx)
S_IROTH|S_IXOTH);
if (s && errno != EEXIST)
FATAL("Create directory '%s'", path_proc);
- if (!dir_is_mountpoint(path_proc) && mount_proc(path_proc))
- FATAL("Mount devpts to '%s%s'", ctx->newroot, path_proc)
D2("Creating device files in '%s%s'", ctx->newroot, path_dev);
if (create_device_files(path_dev)) {
@@ -302,16 +302,20 @@ static int jail_childfn(prisoner_process *ctx)
self_pid);
break;
case 0:
+ if (mount_proc(path_proc))
+ exit(EXIT_FAILURE);
+ if (close_fds_except(0, 1, 2, -1))
+ exit(EXIT_FAILURE);
if (execl(path_shell, path_shell, (char *) NULL))
exit(EXIT_FAILURE);
default:
if (set_fd_nonblock(master_fd))
FATAL("Pty master fd nonblock for prisoner pid %d",
child_pid);
- N("Socket to tty I/O loop for prisoner pid %d",
+ N("Socket to tty I/O for prisoner pid %d",
child_pid);
if (jail_socket_tty(ctx, master_fd))
- FATAL("Socket to tty I/O loop for prisoner pid %d",
+ FATAL("Socket to tty I/O for prisoner pid %d",
child_pid);
waitpid(child_pid, &s, 0);
}
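Review bot: In the new `case 0:` lines, a `close_fds_except()` failure ends the child with `exit(EXIT_FAILURE)` and no log line, so the parent only sees a prisoner that disappeared. Logging first, e.g. `W_STRERR("%s", "Close inherited fds");`, would make it diagnosable. This branch appears to be a freshly forked child, so `_exit()` would be the safer call on both new paths, because `exit()` runs atexit handlers and flushes stdio buffers inherited from the parent. The `waitpid(child_pid, &s, 0)` at the end of the hunk never inspects `s`, so a failed proc mount or fd cleanup is not reported by the parent either. `jail_childfn()` starts and ends outside the hunk.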
diff --git a/src/pevent.c b/src/pevent.c
index f2fef01..70fb311 100644
--- a/src/pevent.c
+++ b/src/pevent.c
@@ -81,7 +81,10 @@ int event_loop(event_ctx *ctx, on_event_cb on_event, void *user_data)
ctx->active = 1;
while (ctx->active) {
+ errno = 0;
n = epoll_pwait(ctx->epoll_fd, ctx->events, POTD_MAXEVENTS, -1, &eset);
+ if (errno == EINTR)
+ continue;
if (n < 0)
break;
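Review bot: The new EINTR test after `epoll_pwait()` reads `errno` without first checking that the call failed. `errno` is only meaningful when `n < 0`; clearing it beforehand makes a stale value unlikely, but tying the retry to the failure is clearer and removes the need for `errno = 0;`: `if (n < 0 && errno == EINTR) continue;`. A one-line comment naming the signals expected to interrupt the wait would help, since the loop now silently retries on them. The loop body continues outside the hunk.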
diff --git a/src/socket.c b/src/socket.c
index e9b8584..2689c0f 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -10,6 +10,26 @@
#include "socket.h"
#include "utils.h"
+static int socket_setopts(int sockfd);
+
+
+static int socket_setopts(int sockfd)
+{
+ int s, enable = 1;
+
+ s = fcntl(sockfd, F_GETFL, 0);
+ if (s < 0)
+ return 1;
+ s |= O_CLOEXEC;
+ if (fcntl(sockfd, F_SETFL, s) == -1)
+ return 1;
+
+ s = setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &enable, sizeof(int));
+ if (s)
+ return 1;
+
+ return 0;
+}
int socket_nonblock(const psocket *psock)
{
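Review bot: `socket_setopts()` tries to set close-on-exec through `F_GETFL`/`F_SETFL` with `O_CLOEXEC`, but close-on-exec is a file descriptor flag, not a file status flag. On Linux `F_SETFL` ignores that bit, so the helper reports success while the socket stays inheritable across `exec`, which matters because the jail code in this commit execs a shell for each prisoner. Use the descriptor-flag commands instead: `s = fcntl(sockfd, F_GETFD, 0);`, `s |= FD_CLOEXEC;`, `if (fcntl(sockfd, F_SETFD, s) == -1)`. The forward declaration directly above the definition is redundant and can be dropped.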
@@ -40,7 +60,7 @@ int socket_init_in(const char *addr,
int socket_bind_in(psocket *psock, struct addrinfo **results)
{
- int s = 1, fd = -1, rv, reuse_enable = 1;
+ int s = 1, fd = -1, rv;
struct addrinfo *rp = NULL;
assert(psock && results && *results);
@@ -59,7 +79,10 @@ int socket_bind_in(psocket *psock, struct addrinfo **results)
if (!rp)
goto finalise;
- setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse_enable, sizeof(int));
+ s = socket_setopts(fd);
+ if (s)
+ goto finalise;
+
psock->fd = fd;
psock->addr_len = rp->ai_addrlen;
psock->addr = *rp->ai_addr;
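Review bot: The new `goto finalise` on `socket_setopts()` failure leaves `fd` open unless the `finalise` label closes it. That label is outside the hunk, so this needs checking, and the same applies to the matching change in `socket_connect_in()`. In both functions the helper runs after the `rp` loop, which presumably has already called `bind()` or `connect()` on `fd`. If so, `SO_REUSEADDR` is applied too late to affect that call, and the close-on-exec flag is set only after the socket is live. Calling the helper right after `socket()` would close both gaps.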
@@ -79,7 +102,7 @@ int socket_listen_in(psocket *psock)
{
assert(psock);
- return listen(psock->fd, POTD_BACKLOG);
+ return listen(psock->fd, POTD_BACKLOG) != 0;
}
int socket_accept_in(const psocket *psock, psocket *client_psock)
@@ -94,7 +117,8 @@ int socket_accept_in(const psocket *psock, psocket *client_psock)
&client_psock->addr_len);
if (fd < 0)
return 1;
- if (socket_nonblock(psock)) {
+ if (socket_nonblock(psock))
+ {
close(fd);
return 1;
}
@@ -105,7 +129,7 @@ int socket_accept_in(const psocket *psock, psocket *client_psock)
int socket_connect_in(psocket *psock, struct addrinfo **results)
{
- int s = 1, fd = -1, rv, reuse_enable = 1;
+ int s = 1, fd = -1, rv;
struct addrinfo *rp = NULL;
assert(psock && results && *results);
@@ -124,7 +148,9 @@ int socket_connect_in(psocket *psock, struct addrinfo **results)
if (!rp)
goto finalise;
- setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &reuse_enable, sizeof(int));
+ if (socket_setopts(fd))
+ goto finalise;
+
psock->fd = fd;
psock->addr_len = rp->ai_addrlen;
psock->addr = *(rp->ai_addr);
@@ -158,24 +184,23 @@ int socket_addrtostr_in(const psocket *psock,
int socket_reconnect_in(psocket *psock)
{
int rv;
- int reuse_enable = 1;
assert(psock);
if (psock->fd >= 0)
- return -1;
+ return 1;
psock->fd = socket(psock->family, psock->socktype, psock->protocol);
if (psock->fd < 0)
- return -2;
+ return 1;
rv = connect(psock->fd, &psock->addr, psock->addr_len);
if (rv) {
socket_close(psock);
- return -3;
+ return 1;
}
- if (setsockopt(psock->fd, SOL_SOCKET, SO_REUSEADDR, &reuse_enable, sizeof(int)) < 0) {
+ if (socket_setopts(psock->fd)) {
socket_close(psock);
- return -4;
+ return 1;
}
return socket_nonblock(psock);
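Review bot: `socket_reconnect_in()` now returns 1 for every failure where it used to return -1 to -4, and nothing documents the new contract. Any caller that tests the result with `< 0` would now treat a failed reconnect as success; the callers are not visible here and should be checked. A header comment such as `/* Returns 0 on success, non-zero on any failure. */` would pin the convention that the other `socket_*_in()` functions appear to follow. The function's closing brace is outside the hunk.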
diff --git a/src/utils.c b/src/utils.c
index 9f42fd8..bcca9c3 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -290,7 +290,7 @@ void mount_root(void)
{
int s;
- s = mount(NULL, "/", "auto", MS_SLAVE|MS_REC, NULL);
+ s = mount("none", "/", "none", MS_PRIVATE|MS_REC, NULL);
if (s)
chk_chroot();
}
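Review bot: The switch from `MS_SLAVE` to `MS_PRIVATE` in `mount_root()` carries no comment, although the propagation mode is the isolation-relevant part of this call. A line such as `/* make the whole tree private so mounts done for the jail neither propagate out nor arrive from other namespaces */` above the `mount()` would record the intent, assuming that is the intent. On failure the code only calls `chk_chroot()`, whose behaviour is not visible here; if it does not log or abort, a failed remount leaves shared propagation in place unnoticed.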
@@ -331,8 +331,9 @@ int mount_proc(const char *mount_path)
{
int s;
+ umount(mount_path);
s = mount("proc", mount_path, "proc",
- MS_RELATIME, "rw");
+ MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REC, NULL);
if (s) {
E_STRERR("Mount proc filesystem to %s", mount_path);
return 1;
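Review bot: The added `umount(mount_path);` discards its result, so a busy mount (`EBUSY`) cannot be told apart from "nothing was mounted", and the new proc instance is then stacked on top of the old one. If best-effort is intended, a short comment should say so; otherwise check it, e.g. `if (umount(mount_path) && errno != EINVAL) return 1;`. `MS_REC` is only meaningful for bind mounts and propagation changes, so it does nothing for a fresh `proc` mount and can be dropped from the flags. The function body continues past the hunk.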