From 81b88b1c63770542985f8cb0665eff37e27eb412 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Fri, 3 Jan 2020 15:54:57 +0200
Subject: [PATCH] jail: more strict mount options for /tmp/resolv.conf.d/
Signed-off-by: Daniel Golle
---
 jail/jail.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/jail/jail.c b/jail/jail.c
index 9b8d1a9..eb976cb 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -96,11 +96,12 @@ static int mkdir_p(char *dir, mode_t mask)
 return ret;
 }
-static int _mount_bind(const char *root, const char *path, const char *target, int readonly, int error)
+static int _mount_bind(const char *root, const char *path, const char *target, int readonly, int strict, int error)
 {
 struct stat s;
 char new[PATH_MAX];
 int fd;
+ int remount_flags = MS_BIND | MS_REMOUNT;
 if (stat(path, &s)) {
 ERROR("stat(%s) failed: %m\n", path);
@@ -127,18 +128,26 @@ static int _mount_bind(const char *root, const char *path, const char *target, i
 return -1;
 }
- if (readonly && mount(NULL, new, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL)) {
- ERROR("failed to remount ro %s: %m\n", new);
+ if (readonly)
+ remount_flags |= MS_RDONLY;
+
+ if (strict)
+ remount_flags |= MS_NOEXEC | MS_NOSUID | MS_NODEV;
+
+ if ((strict || readonly) && mount(NULL, new, NULL, remount_flags, NULL)) {
+ ERROR("failed to remount (%s%s%s) %s: %m\n", readonly?"ro":"rw",
+ (readonly && strict)?", ":"", strict?"strict":"", new);
 return -1;
 }
- DEBUG("mount -B %s %s (%s)\n", path, new, readonly?"ro":"rw");
+ DEBUG("mount -B %s %s (%s%s%s)\n", path, new,
+ readonly?"ro":"rw", (readonly && strict)?", ":"", strict?"strict":"");
 return 0;
 }
 int mount_bind(const char *root, const char *path, int readonly, int error) {
- return _mount_bind(root, path, NULL, readonly, error);
+ return _mount_bind(root, path, NULL, readonly, 0, error);
 }
 static int build_jail_fs(void)
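Review bot: The new `strict` parameter in the `_mount_bind` signature is a second bare `int` flag placed directly next to `readonly`, and nothing at the definition says what it enables, so positional call sites such as `1, 1, -1` are easy to transpose or misread. A short comment above the function would make the contract explicit, for example `/* readonly: add MS_RDONLY to the remount; strict: also add MS_NOEXEC | MS_NOSUID | MS_NODEV */`. The body of `_mount_bind` continues past the end of this hunk.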
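Review bot: In the rewritten `ERROR` and `DEBUG` calls of `_mount_bind`, the separator is printed only when `(readonly && strict)` holds, so a strict read-write mount would be logged as `rwstrict`. Because `readonly?"ro":"rw"` always prints something, the separator should depend on `strict` alone, i.e. `strict?", ":""` in both calls. No caller in this patch passes strict without readonly, so the problem is latent, but these messages are what an operator reads to confirm which hardening flags were applied to a jail mount. The start of the function lies outside this hunk.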
@@ -175,7 +184,7 @@ static int build_jail_fs(void)
 snprintf(hostdir, PATH_MAX, "/tmp/resolv.conf-%s.d", opts.name);
 mkdir_p(hostdir, 0755);
- _mount_bind(jail_root, hostdir, "/tmp/resolv.conf.d", 1, -1);
+ _mount_bind(jail_root, hostdir, "/tmp/resolv.conf.d", 1, 1, -1);
 snprintf(jailetc, PATH_MAX, "%s/etc", jail_root);
 mkdir_p(jailetc, 0755);
 snprintf(jaillink, PATH_MAX, "%s/etc/resolv.conf", jail_root);
-- 
2.25.1
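Review bot: The return value of the changed call `_mount_bind(jail_root, hostdir, "/tmp/resolv.conf.d", 1, 1, -1)` is discarded, so a failed strict remount is only logged and `build_jail_fs` carries on. The bind mount itself is made in a part of `_mount_bind` that this patch does not show; if it stays attached when the remount fails, the jail would see the directory without the ro/noexec/nosuid/nodev restrictions this commit is meant to add. For a hardening change it would be safer to fail closed, e.g. `if (_mount_bind(jail_root, hostdir, "/tmp/resolv.conf.d", 1, 1, -1)) return -1;`, assuming `build_jail_fs` reports errors that way. Its body starts and ends outside this hunk.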