authorEtienne CHAMPETIER2016-05-29 23:39:15 +0000
committerJohn Crispin2016-06-01 08:27:35 +0000
commit4edf66c192583af866e5b8d4e8e9fcfcd68f1879 (patch)
treea2ab727b2056a654e71a624fd551a3e5d162788f
parent8f3df4a1747f8dc6097abfc827007830cb0fbf59 (diff)
downloadprocd-4edf66c192583af866e5b8d4e8e9fcfcd68f1879.tar.gz
jail: don't include capabilities config (-C) inside the jail
Removing capabilities from the capability bounding set doesn't change the capability effective set, so we can "drop capabilities" before we build the jail fs and therefore no longer need to include the capabilities config file in the jail. Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
-rw-r--r--jail/jail.c32
1 files changed, 14 insertions, 18 deletions
diff --git a/jail/jail.c b/jail/jail.c
index e86ee14..03ff66c 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -228,7 +228,7 @@ ujail will not use namespace/build a jail,\n\
and will only drop capabilities/apply seccomp filter.\n\n");
}
-static int exec_jail(void)
+static int exec_jail(void *_notused)
{
if (opts.capabilities && drop_capabilities(opts.capabilities))
exit(EXIT_FAILURE);
@@ -238,6 +238,17 @@ static int exec_jail(void)
exit(EXIT_FAILURE);
}
+ if (opts.namespace && opts.hostname
+ && sethostname(opts.hostname, strlen(opts.hostname))) {
+ ERROR("sethostname(%s) failed: %s\n", opts.hostname, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+ if (opts.namespace && build_jail_fs()) {
+ ERROR("failed to build jail fs\n");
+ exit(EXIT_FAILURE);
+ }
+
char **envp = build_envp(opts.seccomp);
if (!envp)
exit(EXIT_FAILURE);
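Review bot: The new sethostname() and build_jail_fs() calls are placed after drop_capabilities() (at the top of exec_jail in the previous hunk), so this ordering only works because, as the commit message states, drop_capabilities() trims the bounding set and leaves the effective set — where mount() and sethostname() take their CAP_SYS_ADMIN from — intact until exec. Nothing in the code records that dependency; a comment above the hostname check such as `/* drop_capabilities() only shrinks the bounding set; effective caps survive until exec, so sethostname()/mount() below still have CAP_SYS_ADMIN */` would keep a later reordering, or a stricter drop_capabilities(), from silently breaking jail setup. I cannot see drop_capabilities() from here, so this relies on the commit message being accurate; if it ever also clears the effective set, these two calls must move above it. exec_jail's body starts and ends outside this hunk.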
@@ -249,20 +260,6 @@ static int exec_jail(void)
exit(EXIT_FAILURE);
}
-static int spawn_jail(void *_notused)
-{
- if (opts.hostname && sethostname(opts.hostname, strlen(opts.hostname))) {
- ERROR("sethostname(%s) failed: %s\n", opts.hostname, strerror(errno));
- }
-
- if (build_jail_fs()) {
- ERROR("failed to build jail fs");
- exit(EXIT_FAILURE);
- }
-
- return exec_jail();
-}
-
static int jail_running = 1;
static int jail_return_code = 0;
@@ -322,7 +319,6 @@ int main(int argc, char **argv)
break;
case 'C':
opts.capabilities = optarg;
- add_mount(optarg, 1, -1);
break;
case 'c':
opts.no_new_privs = 1;
@@ -384,7 +380,7 @@ int main(int argc, char **argv)
uloop_init();
if (opts.namespace) {
- jail_process.pid = clone(spawn_jail,
+ jail_process.pid = clone(exec_jail,
child_stack + STACK_SIZE,
CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | SIGCHLD, NULL);
} else {
@@ -404,7 +400,7 @@ int main(int argc, char **argv)
return jail_return_code;
} else if (jail_process.pid == 0) {
/* fork child process */
- return exec_jail();
+ return exec_jail(NULL);
} else {
ERROR("failed to clone/fork: %s\n", strerror(errno));
return EXIT_FAILURE;