From e2ed964f963b782de74110efe13529d855e71ea4 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Sat, 25 Apr 2020 09:48:46 +0100
Subject: [PATCH] jail: don't fail unless requirejail is set

Pass requirejail attribute to ujail and only fail to start a service which has seccomp policy defined on a system which doesn't have procd-seccomp installed in case requirejail is set.

Fixes: bcb8655 ("instance: add 'requirejail' attribute")
Signed-off-by: Daniel Golle
---
 jail/jail.c | 10 ++++++++--
 service/instance.c | 3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/jail/jail.c b/jail/jail.c
index 5a1c05b..cc310aa 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -40,7 +40,7 @@
 #include
 
 #define STACK_SIZE (1024 * 1024)
 
-#define OPT_ARGS "S:C:n:h:r:w:d:psulocU:G:NR:fFO:T:"
+#define OPT_ARGS "S:C:n:h:r:w:d:psulocU:G:NR:fFO:T:E"
 
 static struct {
 	char *name;
@@ -61,6 +61,7 @@ static struct {
 	int pw_uid;
 	int pw_gid;
 	int gr_gid;
+	int require_jail;
 } opts;
 
 
@@ -466,6 +467,7 @@ static void usage(void)
 	fprintf(stderr, " -R \texternal jail rootfs (system container)\n");
 	fprintf(stderr, " -O \tdirectory for r/w overlayfs\n");
 	fprintf(stderr, " -T \tuse tmpfs r/w overlayfs with \n");
+	fprintf(stderr, " -E\t\tfail if jail cannot be setup\n");
 	fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\
 and he has the same powers as root outside the jail,\n\
 thus he can escape the jail and/or break stuff.\n\
@@ -715,6 +717,9 @@ int main(int argc, char **argv)
 		case 'T':
 			opts.tmpoverlaysize = optarg;
 			break;
+		case 'E':
+			opts.require_jail = 1;
+			break;
 		}
 	}
 
@@ -754,7 +759,8 @@ int main(int argc, char **argv)
 	if (opts.namespace && opts.seccomp &&
 	    add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) {
 		ERROR("failed to load libpreload-seccomp.so\n");
-		return -1;
+		if (opts.require_jail)
+			return -1;
 	}
 
 	if (opts.name)
diff --git a/service/instance.c b/service/instance.c
index 47d563c..75fd91f 100644
--- a/service/instance.c
+++ b/service/instance.c
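Review bot: The new help line in usage() promises more than this patch implements: in the hunks below, `require_jail` only decides whether the failed libpreload-seccomp.so lookup in main() is fatal, so "fail if jail cannot be setup" reads as if every jail setup error were now soft unless -E is given, which I cannot confirm from the hunks. Narrowing the text keeps operators from assuming a guarantee that is not there, e.g. `fprintf(stderr, " -E\t\tfail if seccomp support (libpreload-seccomp.so) is missing\n");`. If other setup failures elsewhere in main() already abort unconditionally, a short comment next to the `require_jail` field saying which failures it gates would serve the same purpose.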
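Review bot: In the last jail.c hunk the non-fatal path leaves `opts.seccomp` set after the preload library was reported missing, so the remainder of main() (outside this hunk) will presumably still wire the seccomp filter into the child's environment; the practical outcome is a service that starts with its configured seccomp policy silently not enforced, with the single ERROR line as the only trace. Since the operator explicitly opted out of -E, the downgrade should be made deliberate rather than accidental: clear the option on that path and say so in the log, e.g. `if (opts.require_jail) return -1;` followed by `ERROR("continuing without seccomp filter\n");` and `opts.seccomp = NULL;` (assuming seccomp is the filter path string taken from -S). That way later setup and the log both reflect the unconfined state, and the message gives a monitor something to alert on. main() continues past the end of the hunk.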
@@ -289,6 +289,9 @@ jail_run(struct service_instance *in, char **argv)
 		argv[argc++] = in->tmpoverlaysize;
 	}
 
+	if (in->require_jail)
+		argv[argc++] = "-E";
+
 	blobmsg_list_for_each(&jail->mount, var) {
 		const char *type = blobmsg_data(var->data);
 
-- 
2.25.1
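Review bot: The added `argv[argc++] = "-E";` grows the argument vector by one slot, and nothing in the hunk shows how `argv` is sized; if the caller allocates it from a fixed count rather than deriving it from the instance's options, this is one more entry that count has to cover, and the mount loop that follows appends still more. Worth a comment at the allocation site (outside this hunk) or an `assert`-style bound check before each append so a future option cannot quietly write past the array. jail_run() begins and ends outside the hunk.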