open kafel file in each kafel subproc individually to avoid file pos sharing
authorRobert Swiecki <robert@swiecki.net>
Wed, 31 Jan 2018 15:04:39 +0000 (16:04 +0100)
committerRobert Swiecki <robert@swiecki.net>
Wed, 31 Jan 2018 15:04:39 +0000 (16:04 +0100)
cmdline.c
config.cc
nsjail.h
sandbox.c
sandbox.h
subproc.c

index e7fe2ad24d9935c359f152b3f393e9db5d8a4c3a..e3fe0ce14d816972572b0449ffb4aef07c680bd9 100644 (file)
--- a/cmdline.c
+++ b/cmdline.c
@@ -368,7 +368,8 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) {
            .iface_vs_ip = "0.0.0.0",
            .iface_vs_nm = "255.255.255.0",
            .iface_vs_gw = "0.0.0.0",
-           .kafel_file = NULL,
+           .kafel_file_path = NULL,
+           .kafel_file_ptr = NULL,
            .kafel_string = NULL,
            .orig_uid = getuid(),
            .num_cpus = sysconf(_SC_NPROCESSORS_ONLN),
@@ -740,8 +741,11 @@ bool cmdlineParse(int argc, char* argv[], struct nsjconf_t* nsjconf) {
                        nsjconf->cgroup_net_cls_parent = optarg;
                        break;
                case 'P':
-                       if ((nsjconf->kafel_file = fopen(optarg, "r")) == NULL) {
-                               PLOG_F("Couldn't open '%s'", optarg);
+                       nsjconf->kafel_file_path = optarg;
+                       if (access(nsjconf->kafel_file_path, R_OK) == -1) {
+                               PLOG_E("kafel config file '%s' cannot be opened for reading",
+                                   nsjconf->kafel_file_path);
+                               return false;
                        }
                        break;
                case 0x0901:
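Review bot: The `access(R_OK)` probe that replaces the parse-time fopen() checks the real UID, whereas the fopen() that sandboxPrepare() performs later uses the effective UID, so under a setuid or capability-bearing nsjail the two can disagree and the early rejection may be spurious or missing (access(2)'s man page warns against using it this way); it is also a check-then-use on a path that is only opened afterwards. An exact probe is to perform the same operation and discard the result: `int fd = open(optarg, O_RDONLY | O_CLOEXEC);` / `if (fd == -1) { PLOG_E("kafel config file '%s' cannot be opened for reading", optarg); return false; }` / `close(fd);`. That keeps the intended fail-fast at startup while testing what the subprocess will actually do. cmdlineParse's body continues outside the hunk.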
index 0b2a54cc6986fa2eb8e9e78b6f8b43e3072f4ba7..5a68c33c698d5f99ad29e0896386770371cb1a02 100644 (file)
--- a/config.cc
+++ b/config.cc
@@ -251,10 +251,10 @@ static bool configParseInternal(struct nsjconf_t* nsjconf, const nsjail::NsJailC
        }
 
        if (njc.has_seccomp_policy_file()) {
-               if ((nsjconf->kafel_file = fopen(njc.seccomp_policy_file().c_str(), "rb")) ==
-                   NULL) {
+               nsjconf->kafel_file_path = njc.seccomp_policy_file().c_str();
+               if (access(nsjconf->kafel_file_path, R_OK) == -1) {
                        PLOG_W("Couldn't open file with seccomp policy '%s'",
-                           njc.seccomp_policy_file().c_str());
+                           nsjconf->kafel_file_path);
                        return false;
                }
        }
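Review bot: Storing `njc.seccomp_policy_file().c_str()` in `nsjconf->kafel_file_path` keeps a pointer into the protobuf message's string storage, and unlike the old code, which handed it straight to fopen(), that pointer is now dereferenced much later, by sandboxPrepare() at every subprocess start. This is only safe if `njc` outlives every spawn; if it is a local of the caller (not visible here) the path dangles and each spawn resolves the policy file from freed memory. Copying it (e.g. `strdup()`, or whatever the other `c_str()` fields stored here rely on) or documenting the lifetime requirement next to `kafel_file_path` would settle it. The `access(R_OK)` check also tests the real UID while the later fopen() uses the effective one, and the log level here (PLOG_W) differs from cmdline.c's PLOG_E for what is a fatal `return false` in both places.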
index 1b2ba9f7236ebf69e0d9c0aa0d5a29681c1d9f9a..bee2ae13ad75d1732890c391c07cd7432f169878 100644 (file)
--- a/nsjail.h
+++ b/nsjail.h
@@ -173,8 +173,9 @@ struct nsjconf_t {
        const char* cgroup_net_cls_mount;
        const char* cgroup_net_cls_parent;
        unsigned int cgroup_net_cls_classid;
-       FILE* kafel_file;
-       char* kafel_string;
+       const char* kafel_file_path;
+       FILE* kafel_file_ptr;
+       const char* kafel_string;
        long num_cpus;
        uid_t orig_uid;
        TAILQ_HEAD(udmaplist, idmap_t)
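Review bot: The two new fields share a prefix but have different lifetimes, and nothing in the struct says which one a caller may use or when it is valid; a short comment on each would stop the next reader from opening or closing the FILE* in the parent. Suggested: `const char* kafel_file_path; /* set at option/config parse time; must stay valid for the whole run */` and `FILE* kafel_file_ptr; /* opened by sandboxPrepare() in each subprocess; NULL until then */`. The definition of struct nsjconf_t starts outside the hunk.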
index 1a636dcfde39438f25c66bfadd56d915bf384906..96b2549758e7d0f6c9903bac538e6d1a54120adc 100644 (file)
--- a/sandbox.c
+++ b/sandbox.c
 #endif /* PR_SET_NO_NEW_PRIVS */
 
 static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) {
-       if (nsjconf->kafel_file == NULL && nsjconf->kafel_string == NULL) {
+       if (nsjconf->kafel_file_ptr == NULL && nsjconf->kafel_string == NULL) {
                return true;
        }
        struct sock_fprog seccomp_fprog;
 
        kafel_ctxt_t ctxt = kafel_ctxt_create();
 
-       if (nsjconf->kafel_file != NULL) {
-               if (fseek(nsjconf->kafel_file, 0L, SEEK_SET) == -1) {
-                       PLOG_W("fseek(kafel_file, 0, SEEK_SET)");
-               }
-               kafel_set_input_file(ctxt, nsjconf->kafel_file);
+       if (nsjconf->kafel_file_ptr != NULL) {
+               kafel_set_input_file(ctxt, nsjconf->kafel_file_ptr);
        } else {
                kafel_set_input_string(ctxt, nsjconf->kafel_string);
        }
@@ -69,3 +66,14 @@ static bool sandboxPrepareAndCommit(struct nsjconf_t* nsjconf) {
 }
 
 bool sandboxApply(struct nsjconf_t* nsjconf) { return sandboxPrepareAndCommit(nsjconf); }
+
+bool sandboxPrepare(struct nsjconf_t* nsjconf) {
+       if (nsjconf->kafel_file_path == NULL) {
+               return true;
+       }
+       if ((nsjconf->kafel_file_ptr = fopen(nsjconf->kafel_file_path, "r")) == NULL) {
+               PLOG_W("Couldn't open kafel policy file '%s'", nsjconf->kafel_file_path);
+               return false;
+       }
+       return true;
+}
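Review bot: With the policy now opened lazily, sandboxApply() fails open: sandboxPrepareAndCommit() returns true as soon as `kafel_file_ptr` is NULL, so any caller that applies the sandbox without first calling sandboxPrepare() silently runs the jailed program with no seccomp filter even though `-P` was given. A cheap guard is to key the gate on the path and open on demand, e.g. in sandboxPrepareAndCommit before its existing early return: `if (nsjconf->kafel_file_ptr == NULL && nsjconf->kafel_file_path != NULL && !sandboxPrepare(nsjconf)) return false;`. Separately, `fopen(..., "r")` leaves the descriptor without FD_CLOEXEC, so unless something later marks it (not visible here) the policy file is inherited by the exec'd program; glibc's `"re"` mode makes the intent explicit. The FILE* is also never fclose()d once the policy has been compiled.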
index ebaf83bc84a3afe831c5187ce24ed3b66c3a4d50..18aa26decfbd5f452e0be56661ff05bcc3b07d31 100644 (file)
--- a/sandbox.h
+++ b/sandbox.h
@@ -27,5 +27,6 @@
 #include "nsjail.h"
 
 bool sandboxApply(struct nsjconf_t* nsjconf);
+bool sandboxPrepare(struct nsjconf_t* nsjconf);
 
 #endif /* NS_SANDBOX_H */
index b61bc85f132bc2fe872e94dbfb0509c8c42e8a4e..0484e8a0033c3de00de4559cc65bdd153c7ec828 100644 (file)
--- a/subproc.c
+++ b/subproc.c
@@ -130,6 +130,9 @@ static bool subprocReset(void) {
 
 static int subprocNewProc(
     struct nsjconf_t* nsjconf, int fd_in, int fd_out, int fd_err, int pipefd) {
+       if (sandboxPrepare(nsjconf) == false) {
+               _exit(0xff);
+       }
        if (containSetupFD(nsjconf, fd_in, fd_out, fd_err) == false) {
                _exit(0xff);
        }