
jail: more strict mount options for /tmp/resolv.conf.d/

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Daniel Golle 4 years ago
parent
commit
81b88b1c63
1 changed files with 15 additions and 6 deletions
  1. 15 6
      jail/jail.c

+ 15 - 6
jail/jail.c

@@ -96,11 +96,12 @@ static int mkdir_p(char *dir, mode_t mask)
 	return ret;
 }
 
-static int _mount_bind(const char *root, const char *path, const char *target, int readonly, int error)
+static int _mount_bind(const char *root, const char *path, const char *target, int readonly, int strict, int error)
 {
 	struct stat s;
 	char new[PATH_MAX];
 	int fd;
+	int remount_flags = MS_BIND | MS_REMOUNT;
 
 	if (stat(path, &s)) {
 		ERROR("stat(%s) failed: %m\n", path);
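Review bot: The new `strict` argument sits between two other bare `int` parameters, so a call such as `_mount_bind(..., 1, 1, -1)` gives no hint which value is which, and a transposed flag would compile silently. A short comment above the signature would help, for example `/* readonly: remount MS_RDONLY; strict: additionally MS_NOEXEC | MS_NOSUID | MS_NODEV */`. The body of `_mount_bind` continues outside this hunk.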
@@ -127,18 +128,26 @@ static int _mount_bind(const char *root, const char *path, const char *target, i
 		return -1;
 	}
 
-	if (readonly && mount(NULL, new, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL)) {
-		ERROR("failed to remount ro %s: %m\n", new);
+	if (readonly)
+		remount_flags |= MS_RDONLY;
+
+	if (strict)
+		remount_flags |= MS_NOEXEC | MS_NOSUID | MS_NODEV;
+
+	if ((strict || readonly) && mount(NULL, new, NULL, remount_flags, NULL)) {
+		ERROR("failed to remount (%s%s%s) %s: %m\n", readonly?"ro":"rw",
+		      (readonly && strict)?", ":"", strict?"strict":"", new);
 		return -1;
 	}
 
-	DEBUG("mount -B %s %s (%s)\n", path, new, readonly?"ro":"rw");
+	DEBUG("mount -B %s %s (%s%s%s)\n", path, new,
+	      readonly?"ro":"rw", (readonly && strict)?", ":"", strict?"strict":"");
 
 	return 0;
 }
 
 int mount_bind(const char *root, const char *path, int readonly, int error) {
-	return _mount_bind(root, path, NULL, readonly, error);
+	return _mount_bind(root, path, NULL, readonly, 0, error);
 }
 
 static int build_jail_fs(void)
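Review bot: The separator in the new ERROR and DEBUG arguments is keyed on `(readonly && strict)`, so a read-write strict mount is logged as `rwstrict`. Since `readonly?"ro":"rw"` always prints something, the middle argument should be `strict?", ":""` in both calls. Separately, a bind remount replaces the mount's ro/nosuid/nodev/noexec set instead of adding to it. The non-strict path taken by `mount_bind()` (which passes `0`) will therefore likely clear any nosuid/nodev/noexec inherited from the source mount; that is worth a comment, or a follow-up that makes the restrictive flags the default. The start of `_mount_bind` is outside this hunk.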
@@ -175,7 +184,7 @@ static int build_jail_fs(void)
 
 		snprintf(hostdir, PATH_MAX, "/tmp/resolv.conf-%s.d", opts.name);
 		mkdir_p(hostdir, 0755);
-		_mount_bind(jail_root, hostdir, "/tmp/resolv.conf.d", 1, -1);
+		_mount_bind(jail_root, hostdir, "/tmp/resolv.conf.d", 1, 1, -1);
 		snprintf(jailetc, PATH_MAX, "%s/etc", jail_root);
 		mkdir_p(jailetc, 0755);
 		snprintf(jaillink, PATH_MAX, "%s/etc/resolv.conf", jail_root);
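Review bot: The return value of the strict `_mount_bind` call is discarded, so a failed remount does not stop jail setup. In that case `_mount_bind` returns -1, but `/tmp/resolv.conf.d` appears to stay bind-mounted without ro/noexec/nosuid/nodev; the initial bind mount is outside the visible hunks, so this is inferred from the "failed to remount" path. Checking the result, e.g. `if (_mount_bind(jail_root, hostdir, "/tmp/resolv.conf.d", 1, 1, -1)) return -1;`, would make the hardening fail closed. The result of the preceding `mkdir_p(hostdir, 0755)` is ignored as well. `build_jail_fs` starts and ends outside this hunk, so the correct error path there needs confirming.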