diff options
| author | Daniel Golle | 2020-04-25 08:48:46 +0000 |
|---|---|---|
| committer | Daniel Golle | 2020-04-25 09:15:18 +0000 |
| commit | e2ed964f963b782de74110efe13529d855e71ea4 (patch) | |
| tree | 0cd656051d54dd65dea9d40ee01f9d8edd8c5189 | |
| parent | d200b70e5d5b0b3b61e2573f1c2fa22b3fa9d63a (diff) | |
| download | procd-e2ed964f963b782de74110efe13529d855e71ea4.tar.gz | |
jail: don't fail unless requirejail is set
Pass requirejail attribute to ujail and only fail to start a service
which has seccomp policy defined on a system which doesn't have
procd-seccomp installed in case requirejail is set.
Fixes: bcb8655 ("instance: add 'requirejail' attribute")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
| -rw-r--r-- | jail/jail.c | 10 | ||||
| -rw-r--r-- | service/instance.c | 3 |
2 files changed, 11 insertions, 2 deletions
diff --git a/jail/jail.c b/jail/jail.c index 5a1c05b..cc310aa 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -40,7 +40,7 @@ #include <libubus.h> #define STACK_SIZE (1024 * 1024) -#define OPT_ARGS "S:C:n:h:r:w:d:psulocU:G:NR:fFO:T:" +#define OPT_ARGS "S:C:n:h:r:w:d:psulocU:G:NR:fFO:T:E" static struct { char *name; @@ -61,6 +61,7 @@ static struct { int pw_uid; int pw_gid; int gr_gid; + int require_jail; } opts; @@ -466,6 +467,7 @@ static void usage(void) fprintf(stderr, " -R <dir>\texternal jail rootfs (system container)\n"); fprintf(stderr, " -O <dir>\tdirectory for r/w overlayfs\n"); fprintf(stderr, " -T <size>\tuse tmpfs r/w overlayfs with <size>\n"); + fprintf(stderr, " -E\t\tfail if jail cannot be setup\n"); fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\ and he has the same powers as root outside the jail,\n\ thus he can escape the jail and/or break stuff.\n\ @@ -715,6 +717,9 @@ int main(int argc, char **argv) case 'T': opts.tmpoverlaysize = optarg; break; + case 'E': + opts.require_jail = 1; + break; } } @@ -754,7 +759,8 @@ int main(int argc, char **argv) if (opts.namespace && opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) { ERROR("failed to load libpreload-seccomp.so\n"); - return -1; + if (opts.require_jail) + return -1; } if (opts.name) diff --git a/service/instance.c b/service/instance.c index 47d563c..75fd91f 100644 --- a/service/instance.c +++ b/service/instance.c @@ -289,6 +289,9 @@ jail_run(struct service_instance *in, char **argv) argv[argc++] = in->tmpoverlaysize; } + if (in->require_jail) + argv[argc++] = "-E"; + blobmsg_list_for_each(&jail->mount, var) { const char *type = blobmsg_data(var->data); |