passt: Accurate error reporting for sandbox()
It's actually quite easy to make it fail depending on the environment, accurately report errors here. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
parent
33fc2dece2
commit
052424d7f5
1 changed files with 28 additions and 12 deletions
40
passt.c
40
passt.c
|
@ -241,8 +241,6 @@ static int sandbox(struct ctx *c)
|
||||||
{
|
{
|
||||||
int flags = CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWUTS;
|
int flags = CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWUTS;
|
||||||
|
|
||||||
errno = 0;
|
|
||||||
|
|
||||||
if (!c->netns_only) {
|
if (!c->netns_only) {
|
||||||
if (c->pasta_userns_fd == -1)
|
if (c->pasta_userns_fd == -1)
|
||||||
flags |= CLONE_NEWUSER;
|
flags |= CLONE_NEWUSER;
|
||||||
|
@ -259,19 +257,37 @@ static int sandbox(struct ctx *c)
|
||||||
if (!c->foreground || c->mode == MODE_PASST)
|
if (!c->foreground || c->mode == MODE_PASST)
|
||||||
flags |= CLONE_NEWPID;
|
flags |= CLONE_NEWPID;
|
||||||
|
|
||||||
unshare(flags);
|
if (unshare(flags)) {
|
||||||
|
perror("unshare");
|
||||||
mount("", "/", "", MS_UNBINDABLE | MS_REC, NULL);
|
|
||||||
mount("", TMPDIR, "tmpfs", MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY,
|
|
||||||
"nr_inodes=2,nr_blocks=0");
|
|
||||||
if (chdir(TMPDIR))
|
|
||||||
return -errno;
|
return -errno;
|
||||||
|
}
|
||||||
|
|
||||||
syscall(SYS_pivot_root, ".", ".");
|
if (mount("", "/", "", MS_UNBINDABLE | MS_REC, NULL)) {
|
||||||
umount2(".", MNT_DETACH | UMOUNT_NOFOLLOW);
|
perror("mount /");
|
||||||
|
|
||||||
if (errno)
|
|
||||||
return -errno;
|
return -errno;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (mount("", TMPDIR, "tmpfs",
|
||||||
|
MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY,
|
||||||
|
"nr_inodes=2,nr_blocks=0")) {
|
||||||
|
perror("mount tmpfs");
|
||||||
|
return -errno;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (chdir(TMPDIR)) {
|
||||||
|
perror("chdir");
|
||||||
|
return -errno;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (syscall(SYS_pivot_root, ".", ".")) {
|
||||||
|
perror("pivot_root");
|
||||||
|
return -errno;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (umount2(".", MNT_DETACH | UMOUNT_NOFOLLOW)) {
|
||||||
|
perror("umount2");
|
||||||
|
return -errno;
|
||||||
|
}
|
||||||
|
|
||||||
drop_caps(); /* Relative to the new user namespace this time. */
|
drop_caps(); /* Relative to the new user namespace this time. */
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue