#include <libubus.h>
#define STACK_SIZE (1024 * 1024)
-#define OPT_ARGS "S:C:n:h:r:w:d:psulocU:G:N"
+#define OPT_ARGS "S:C:n:h:r:w:d:psulocU:G:NR:"
#define NAMESPACE_MOUNT (1U << 0)
#define NAMESPACE_IPC (1U << 1)
char *capabilities;
char *user;
char *group;
+ char *extroot;
int no_new_privs;
int namespace;
int procfs;
return -1;
}
- if (mount("tmpfs", jail_root, "tmpfs", MS_NOATIME, "mode=0755")) {
- ERROR("tmpfs mount failed %m\n");
- return -1;
+ if (opts.extroot) {
+ if (mount(opts.extroot, jail_root, NULL, MS_BIND | MS_REC, NULL)) {
+ ERROR("extroot mount failed %m\n");
+ return -1;
+ }
+ } else {
+ if (mount("tmpfs", jail_root, "tmpfs", MS_NOATIME, "mode=0755")) {
+ ERROR("tmpfs mount failed %m\n");
+ return -1;
+ }
}
if (chdir(jail_root)) {
static char preload_var[PATH_MAX];
static char seccomp_var[PATH_MAX];
static char debug_var[] = "LD_DEBUG=all";
+ static char container_var[] = "container=ujail";
const char *preload_lib = find_lib("libpreload-seccomp.so");
int count = 0;
snprintf(preload_var, sizeof(preload_var), "LD_PRELOAD=%s", preload_lib);
envp[count++] = preload_var;
}
+
+ if (is_extroot)
+ envp[count++] = container_var;
+
if (debug > 1)
envp[count++] = debug_var;
fprintf(stderr, " -U <name>\tuser to run jailed process\n");
fprintf(stderr, " -G <name>\tgroup to run jailed process\n");
fprintf(stderr, " -o\t\tremont jail root (/) read only\n");
+ fprintf(stderr, " -R <dir>\texternal jail rootfs (system container)\n");
fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\
and he has the same powers as root outside the jail,\n\
thus he can escape the jail and/or break stuff.\n\
opts.namespace |= NAMESPACE_MOUNT;
opts.ronly = 1;
break;
+ case 'R':
+ opts.namespace |= NAMESPACE_MOUNT | NAMESPACE_UTS;
+ opts.extroot = optarg;
+ break;
case 's':
opts.namespace |= NAMESPACE_MOUNT;
opts.sysfs = 1;
opts.jail_argv = &argv[optind];
- if (opts.namespace && add_path_and_deps(*opts.jail_argv, 1, -1, 0)) {
- ERROR("failed to load dependencies\n");
- return -1;
- }
+ if (!opts.extroot) {
+ if (opts.namespace && add_path_and_deps(*opts.jail_argv, 1, -1, 0)) {
+ ERROR("failed to load dependencies\n");
+ return -1;
+ }
- if (opts.namespace && opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) {
- ERROR("failed to load libpreload-seccomp.so\n");
- return -1;
+ if (opts.namespace && opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) {
+ ERROR("failed to load libpreload-seccomp.so\n");
+ return -1;
+ }
}
if (opts.name)
flags |= CLONE_NEWNS;
add_mount("/dev/full", 0, -1);
add_mount("/dev/null", 0, -1);
+ add_mount("/dev/random", 0, -1);
add_mount("/dev/urandom", 0, -1);
+ add_mount("/dev/tty", 0, -1);
add_mount("/dev/zero", 0, -1);
+ add_mount("/dev/console", 0, -1);
if (opts.user || opts.group) {
add_mount("/etc/passwd", 0, -1);
JAIL_ATTR_MOUNT,
JAIL_ATTR_NETNS,
JAIL_ATTR_REQUIREJAIL,
+ JAIL_ATTR_EXTROOT,
__JAIL_ATTR_MAX,
};
[JAIL_ATTR_MOUNT] = { "mount", BLOBMSG_TYPE_TABLE },
[JAIL_ATTR_NETNS] = { "netns", BLOBMSG_TYPE_BOOL },
[JAIL_ATTR_REQUIREJAIL] = { "requirejail", BLOBMSG_TYPE_BOOL },
+ [JAIL_ATTR_EXTROOT] = { "extroot", BLOBMSG_TYPE_STRING },
};
struct instance_netdev {
if (jail->netns)
argv[argc++] = "-N";
+ if (jail->extroot) {
+ argv[argc++] = "-R";
+ argv[argc++] = jail->extroot;
+ }
+
blobmsg_list_for_each(&jail->mount, var) {
const char *type = blobmsg_data(var->data);
jail->netns = blobmsg_get_bool(tb[JAIL_ATTR_NETNS]);
jail->argc++;
}
+ if (tb[JAIL_ATTR_EXTROOT]) {
+ jail->extroot = strdup(blobmsg_get_string(tb[JAIL_ATTR_EXTROOT]));
+ jail->argc += 2;
+ }
+
if (tb[JAIL_ATTR_MOUNT]) {
struct blob_attr *cur;
int rem;
free(in->config);
free(in->user);
free(in->group);
+ free(in->jail.extroot);
free(in->jail.name);
free(in->jail.hostname);
free(in->seccomp);
blobmsg_add_string(b, "name", in->jail.name);
if (in->jail.hostname)
blobmsg_add_string(b, "hostname", in->jail.hostname);
+ if (in->jail.extroot)
+ blobmsg_add_string(b, "extroot", in->jail.extroot);
blobmsg_add_u8(b, "procfs", in->jail.procfs);
blobmsg_add_u8(b, "sysfs", in->jail.sysfs);
blobmsg_add_u8(b, "ubus", in->jail.ubus);
projects / oweals / procd.git / commitdiff