Diffstat (limited to 'src')
-rw-r--r--src/jail.c35
-rw-r--r--src/utils.c47
-rw-r--r--src/utils.h6
3 files changed, 80 insertions, 8 deletions
diff --git a/src/jail.c b/src/jail.c
index d97d702..7f38804 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -5,6 +5,7 @@
#include <pty.h>
#include <sys/epoll.h>
#include <sys/prctl.h>
+#include <sys/stat.h>
#include <assert.h>
#include "jail.h"
@@ -250,7 +251,8 @@ static int jail_childfn(void *arg)
{
jail_prisoner_process *args;
const char *path_dev = "/dev";
- int term_fd;
+ const char *path_devpts = "/dev/pts";
+ int s, term_fd;
struct termios *term = NULL;
struct winsize *win = NULL;
pid_t child_pid;
@@ -273,12 +275,37 @@ static int jail_childfn(void *arg)
exit(EXIT_FAILURE);
}
- D2("Mounting %s to %s%s", path_dev, args->newroot, path_dev);
- if (dir_is_mountpoint(path_dev) > 0) {
+ D2("Mounting rootfs to %s", args->newroot);
+ mount_root();
+
+ D2("Mounting devtmpfs to %s%s", args->newroot, path_dev);
+ s = mkdir(path_dev, S_IRUSR|S_IWUSR|S_IXUSR|
+ S_IRGRP|S_IXGRP|
+ S_IROTH|S_IXOTH);
+ if (s && errno != EEXIST) {
+ E2("Could not create directory: %s", path_dev);
+ E_STRERR("mkdir");
+ exit(EXIT_FAILURE);
+ }
+ if (dir_is_mountpoint(path_dev)) {
W2("%s%s is already a mountpoint", args->newroot, path_dev);
}
if (mount_dev(path_dev)) {
- E2("Can not mount /dev to %s%s", args->newroot, path_dev);
+ E2("Can not mount devtmpfs to %s%s", args->newroot, path_dev);
+ exit(EXIT_FAILURE);
+ }
+
+ D2("Mounting devpts to %s%s", args->newroot, path_devpts);
+ s = mkdir(path_devpts, S_IRUSR|S_IWUSR|S_IXUSR|
+ S_IRGRP|S_IXGRP|
+ S_IROTH|S_IXOTH);
+ if (s && errno != EEXIST) {
+ E2("Could not create directory: %s", path_devpts);
+ E_STRERR("mkdir");
+ exit(EXIT_FAILURE);
+ }
+ if (!dir_is_mountpoint(path_devpts) && mount_pts(path_devpts)) {
+ E2("Can not mount devpts to %s%s", args->newroot, path_devpts);
exit(EXIT_FAILURE);
}
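Review bot: Both `dir_is_mountpoint()` calls now test plain truthiness where the removed line used `> 0`; if the function can return a negative value on error (the old comparison suggests it can), an error on `/dev/pts` makes `!dir_is_mountpoint(path_devpts)` false, so `mount_pts()` is skipped and the jail carries on without its own devpts instance and without any diagnostic. I would keep the sign explicit: `s = dir_is_mountpoint(path_devpts);`, then `if (s < 0) exit(EXIT_FAILURE);` and `if (s == 0 && mount_pts(path_devpts)) {`, and restore `> 0` on the `/dev` warning so an error is not reported as "already a mountpoint". `mount_root()` returns void, so this caller also cannot tell whether the propagation change took effect. jail_childfn's body starts and ends outside this hunk.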
diff --git a/src/utils.c b/src/utils.c
index 8b89b6a..b4820d0 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -251,15 +251,38 @@ error:
return -1;
}
+void chk_chroot(void)
+{
+ struct stat s = {0};
+
+ if (stat("/", &s) == 0) {
+ if (s.st_ino != 2)
+ return;
+ }
+
+ E("%s", "Can not mount filesystem as slave");
+ exit(EXIT_FAILURE);
+}
+
+void mount_root(void)
+{
+ int s;
+
+ s = mount(NULL, "/", "auto", MS_SLAVE|MS_REC, NULL);
+ if (s)
+ chk_chroot();
+}
+
int mount_dev(const char *mount_path)
{
int s;
- s = mount("dev", mount_path, "devtmpfs",
- 0,
- "rw,nosuid,relatime,size=4k,mode=755");
+ s = mount("tmpfs", mount_path, "tmpfs",
+ MS_NOSUID|MS_STRICTATIME|
+ MS_NOEXEC|MS_REC,
+ "size=4k,mode=755,gid=0");
if (s) {
- E_STRERR("Mount /dev");
+ E_STRERR("Mount devtmpfs filesystem");
return 1;
}
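Review bot: `chk_chroot()` treats `s.st_ino != 2` as proof of running inside a chroot, but inode 2 for `/` is a property of ext-family filesystems; on a host whose root filesystem numbers its root directory differently (btrfs, XFS) the test also passes outside a chroot, and `mount_root()` then returns silently after a failed `MS_SLAVE|MS_REC` call. Propagation is then left as it was, and if `/` is a shared mount the later tmpfs and devpts mounts may propagate back to the parent's mount tree. At minimum log errno before applying the heuristic, `if (s) { E_STRERR("Make / rslave"); chk_chroot(); }`, and consider having `mount_root()` return int so the caller decides. The messages in `mount_dev()` still say devtmpfs although the filesystem type is now `tmpfs`.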
@@ -268,5 +291,21 @@ int mount_dev(const char *mount_path)
int mount_pts(const char *mount_path)
{
+ int s;
+
+ s = mount("devpts", mount_path, "devpts",
+ MS_MGC_VAL,
+ "newinstance,gid=5,mode=620,ptmxmode=0666");
+
+ if (s) {
+ E_STRERR("Mount devpts filesystem");
+ return 1;
+ }
+
+ return 0;
+}
+
+int create_device_files(const char *mount_path)
+{
return 0;
}
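Review bot: The devpts mount in `mount_pts()` passes only `MS_MGC_VAL`, a legacy magic value that current kernels ignore, so the filesystem is mounted without `MS_NOSUID` or `MS_NOEXEC` while the tmpfs in `mount_dev()` gets both; I would pass `MS_NOSUID|MS_NOEXEC,` here. `gid=5` is a hard-coded group id, and a short comment saying which group it is meant to be inside the new root would help, since the jail's group file may not match the host's. `create_device_files()` is an empty stub that returns 0 and ignores `mount_path`; a `/* TODO: not implemented */` comment or a non-zero return would keep callers from taking success at face value.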
diff --git a/src/utils.h b/src/utils.h
index f9c9e8b..b9ed7ab 100644
--- a/src/utils.h
+++ b/src/utils.h
@@ -24,8 +24,14 @@ int safe_chroot(const char *newroot);
int dir_is_mountpoint(const char *path);
+void chk_chroot(void);
+
+void mount_root(void);
+
int mount_dev(const char *mount_path);
int mount_pts(const char *mount_path);
+int create_device_files(const char *mount_path);
+
#endif
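Review bot: `chk_chroot()` and `mount_root()` are exported here without any comment, yet in utils.c they can end the process through `exit(EXIT_FAILURE)` instead of returning a status like the `int` functions declared around them. A one-line comment on each declaration, for example `/* Makes / a recursive slave mount; may exit the process if that fails outside a chroot. */`, would make the contract visible to callers. If `chk_chroot()` has no caller other than `mount_root()`, it could be `static` in utils.c and dropped from this header.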