| author | Daniel Golle | 2020-01-03 13:54:57 +0000 |
|---|---|---|
| committer | Daniel Golle | 2020-01-21 10:45:26 +0000 |
| commit | 81b88b1c63770542985f8cb0665eff37e27eb412 (patch) | |
| tree | 109bb5213259a393371f1df396eaf14d19e6dbfa | |
| parent | ba69639872a02e8930943b82185ca90eb721568d (diff) | |
| download | procd-81b88b1c63770542985f8cb0665eff37e27eb412.tar.gz | |
jail: more strict mount options for /tmp/resolv.conf.d/
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
| -rw-r--r-- | jail/jail.c | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/jail/jail.c b/jail/jail.c
index 9b8d1a9..eb976cb 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -96,11 +96,12 @@ static int mkdir_p(char *dir, mode_t mask)
 	return ret;
 }
 
-static int _mount_bind(const char *root, const char *path, const char *target, int readonly, int error)
+static int _mount_bind(const char *root, const char *path, const char *target, int readonly, int strict, int error)
 {
 	struct stat s;
 	char new[PATH_MAX];
 	int fd;
+	int remount_flags = MS_BIND | MS_REMOUNT;
 
 	if (stat(path, &s)) {
 		ERROR("stat(%s) failed: %m\n", path);
@@ -127,18 +128,26 @@ static int _mount_bind(const char *root, const char *path, const char *target, i
 		return -1;
 	}
 
-	if (readonly && mount(NULL, new, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL)) {
-		ERROR("failed to remount ro %s: %m\n", new);
+	if (readonly)
+		remount_flags |= MS_RDONLY;
+
+	if (strict)
+		remount_flags |= MS_NOEXEC | MS_NOSUID | MS_NODEV;
+
+	if ((strict || readonly) && mount(NULL, new, NULL, remount_flags, NULL)) {
+		ERROR("failed to remount (%s%s%s) %s: %m\n", readonly?"ro":"rw", (readonly && strict)?", ":"", strict?"strict":"", new);
 		return -1;
 	}
 
-	DEBUG("mount -B %s %s (%s)\n", path, new, readonly?"ro":"rw");
+	DEBUG("mount -B %s %s (%s%s%s)\n", path, new, readonly?"ro":"rw", (readonly && strict)?", ":"", strict?"strict":"");
 	return 0;
 }
 
 int mount_bind(const char *root, const char *path, int readonly, int error)
 {
-	return _mount_bind(root, path, NULL, readonly, error);
+	return _mount_bind(root, path, NULL, readonly, 0, error);
 }
 
 static int build_jail_fs(void)
@@ -175,7 +184,7 @@ static int build_jail_fs(void)
 	snprintf(hostdir, PATH_MAX, "/tmp/resolv.conf-%s.d", opts.name);
 	mkdir_p(hostdir, 0755);
-	_mount_bind(jail_root, hostdir, "/tmp/resolv.conf.d", 1, -1);
+	_mount_bind(jail_root, hostdir, "/tmp/resolv.conf.d", 1, 1, -1);
 	snprintf(jailetc, PATH_MAX, "%s/etc", jail_root);
 	mkdir_p(jailetc, 0755);
 	snprintf(jaillink, PATH_MAX, "%s/etc/resolv.conf", jail_root);
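Review bot: The `MS_BIND | MS_REMOUNT` call in _mount_bind replaces the bind mount's per-mountpoint flags with exactly `remount_flags`, so the readonly-only case that `mount_bind` now always passes (readonly=1, strict=0) ends up with MS_RDONLY alone even when the initial bind inherited nosuid/nodev/noexec from the source mount — the read-only remount can silently drop restrictions the source already had. Before OR-ing in the requested flags, reading back what the bind actually received with `statvfs(new, &sv)` and mapping `ST_RDONLY`/`ST_NOSUID`/`ST_NODEV`/`ST_NOEXEC` onto the matching `MS_*` bits keeps the remount monotonic; this needs `<sys/statvfs.h>`, and on glibc `ST_NODEV`/`ST_NOEXEC` are only visible with _GNU_SOURCE, so confirm the build defines it (musl exposes them unconditionally). The new `strict` parameter also deserves a line on the function, e.g. `/* strict: additionally remount with MS_NOEXEC | MS_NOSUID | MS_NODEV */`. _mount_bind's body starts in the previous hunk, and a failed remount still leaves the bind mount in place on the error path, which predates this change.

```c
	/* … unchanged: stat(path) and the initial MS_BIND mount of path onto new (outside this hunk) … */
	struct statvfs sv;
	if (statvfs(new, &sv) == 0) {
		/* keep whatever restrictions the bind inherited from the source mount */
		if (sv.f_flag & ST_RDONLY)
			remount_flags |= MS_RDONLY;
		if (sv.f_flag & ST_NOSUID)
			remount_flags |= MS_NOSUID;
		if (sv.f_flag & ST_NODEV)
			remount_flags |= MS_NODEV;
		if (sv.f_flag & ST_NOEXEC)
			remount_flags |= MS_NOEXEC;
	}

	if (readonly)
		remount_flags |= MS_RDONLY;
	/* … unchanged: strict flags, remount call, DEBUG … */
```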