From: Robert Swiecki <robert@swiecki.net>
Date: Wed, 28 Jun 2017 22:32:20 +0000 (+0200)
Subject: Allow to create symlinks
X-Git-Tag: 1.5~26
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e4aba733857a8b9bf8a93d8e09a1909fbd744ff4;p=platform%2Fupstream%2Fnsjail.git

Allow to create symlinks
---

diff --git a/cmdline.c b/cmdline.c
index ffdf4f2..7d297bd 100644
--- a/cmdline.c
+++ b/cmdline.c
@@ -624,6 +624,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 				p->options = "";
 				p->fs_type = "";
 				p->isDir = mountIsDir(optarg);
+				p->isSymlink = false;
 				p->mandatory = true;
 				TAILQ_INSERT_TAIL(&nsjconf->mountpts, p, pointers);
 			} break;
@@ -638,6 +639,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 				p->options = "";
 				p->fs_type = "";
 				p->isDir = mountIsDir(optarg);
+				p->isSymlink = false;
 				p->mandatory = true;
 				TAILQ_INSERT_TAIL(&nsjconf->mountpts, p, pointers);
 			} break;
@@ -651,6 +653,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 				p->options = cmdlineTmpfsSz;
 				p->fs_type = "tmpfs";
 				p->isDir = true;
+				p->isSymlink = false;
 				p->mandatory = true;
 				TAILQ_INSERT_TAIL(&nsjconf->mountpts, p, pointers);
 			} break;
@@ -739,6 +742,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 		p->options = "";
 		p->fs_type = "proc";
 		p->isDir = true;
+		p->isSymlink = false;
 		p->mandatory = true;
 		TAILQ_INSERT_HEAD(&nsjconf->mountpts, p, pointers);
 	}
@@ -755,6 +759,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 		p->options = "";
 		p->fs_type = "";
 		p->isDir = true;
+		p->isSymlink = false;
 		p->mandatory = true;
 		TAILQ_INSERT_HEAD(&nsjconf->mountpts, p, pointers);
 	} else {
@@ -770,6 +775,7 @@ bool cmdlineParse(int argc, char *argv[], struct nsjconf_t * nsjconf)
 		p->options = "";
 		p->fs_type = "tmpfs";
 		p->isDir = true;
+		p->isSymlink = false;
 		p->mandatory = true;
 		TAILQ_INSERT_HEAD(&nsjconf->mountpts, p, pointers);
 	}
diff --git a/common.h b/common.h
index 500d972..5638d6c 100644
--- a/common.h
+++ b/common.h
@@ -73,6 +73,7 @@ struct mounts_t {
 	const char *options;
 	uintptr_t flags;
 	bool isDir;
+	bool isSymlink;
 	bool mandatory;
 	 TAILQ_ENTRY(mounts_t) pointers;
 };
diff --git a/config.c b/config.c
index a1c9b41..4b1d5a5 100644
--- a/config.c
+++ b/config.c
@@ -202,7 +202,7 @@ static bool configParseInternal(struct nsjconf_t *nsjconf, Nsjail__NsJailConfig
 
 		if (mountAddMountPt
 		    (nsjconf, src, dst, fstype, options, flags, isDir, mandatory, src_env,
-		     dst_env, src_content, src_content_len) == false) {
+		     dst_env, src_content, src_content_len, njc->mount[i]->is_symlink) == false) {
 			LOG_E("Couldn't add mountpoint for src:'%s' dst:'%s'", src, dst);
 			return false;
 		}
diff --git a/config.proto b/config.proto
index cf9816d..9851036 100644
--- a/config.proto
+++ b/config.proto
@@ -51,6 +51,8 @@ message MountPt
     optional bool is_dir = 10;
     /* Should the sandboxing fail if we cannot mount this resource? */
     required bool mandatory = 11 [ default = true ];
+	/* Is it a symlink (instead of real mount point)? */
+	required bool is_symlink = 12 [ default = false ];
 }
 message Exe
 {
diff --git a/configs/bash-with-fake-geteuid.cfg b/configs/bash-with-fake-geteuid.cfg
index 5a4667b..59dfb03 100644
--- a/configs/bash-with-fake-geteuid.cfg
+++ b/configs/bash-with-fake-geteuid.cfg
@@ -129,6 +129,12 @@ mount {
 	is_bind: false
 }
 
+mount {
+	src: "/proc/self/fd"
+	dst: "/dev/fd"
+	is_symlink: true
+}
+
 mount {
 	src: "/dev/null"
 	dst: "/dev/null"
@@ -156,7 +162,6 @@ mount {
 
 seccomp_string: "
 	POLICY example {
-		ERRNO(1337) { geteuid },
 		KILL { syslog },
 		ERRNO(0) { ptrace }
 	}
diff --git a/mount.c b/mount.c
index 1f54d55..cfc0f25 100644
--- a/mount.c
+++ b/mount.c
@@ -122,7 +122,7 @@ static bool mountMount(struct mounts_t *mpt, const char *newroot, const char *tm
 	char dst[PATH_MAX];
 	snprintf(dst, sizeof(dst), "%s/%s", newroot, mpt->dst);
 
-	LOG_D("Mounting '%s'", mountDescribeMountPt(mpt));
+	LOG_D("mounting '%s'", mountDescribeMountPt(mpt));
 
 	char srcpath[PATH_MAX];
 	if (mpt->src != NULL && strlen(mpt->src) > 0) {
@@ -131,7 +131,12 @@ static bool mountMount(struct mounts_t *mpt, const char *newroot, const char *tm
 		snprintf(srcpath, sizeof(srcpath), "none");
 	}
 
-	if (mpt->isDir == true) {
+	if (mpt->isSymlink == true) {
+		if (utilCreateDirRecursively(dst) == false) {
+			LOG_W("Couldn't create upper directories for '%s'", dst);
+			return false;
+		}
+	} else if (mpt->isDir == true) {
 		if (utilCreateDirRecursively(dst) == false) {
 			LOG_W("Couldn't create upper directories for '%s'", dst);
 			return false;
@@ -152,6 +157,15 @@ static bool mountMount(struct mounts_t *mpt, const char *newroot, const char *tm
 		}
 	}
 
+	if (mpt->isSymlink == true) {
+		LOG_D("symlink('%s', '%s')", srcpath, dst);
+		if (symlink(srcpath, dst) == -1) {
+			PLOG_W("symlink('%s', '%s')", srcpath, dst);
+			return false;
+		}
+		return true;
+	}
+
 	if (mpt->src_content) {
 		snprintf(srcpath, sizeof(srcpath), "%s/file.XXXXXX", tmpdir);
 		int fd = mkostemp(srcpath, O_CLOEXEC);
@@ -198,6 +212,9 @@ static bool mountMount(struct mounts_t *mpt, const char *newroot, const char *tm
 
 static bool mountRemountRO(struct mounts_t *mpt)
 {
+	if (mpt->isSymlink == true) {
+		return true;
+	}
 	if (!(mpt->flags & MS_RDONLY)) {
 		return true;
 	}
@@ -379,7 +396,7 @@ bool mountInitNs(struct nsjconf_t * nsjconf)
 bool mountAddMountPt(struct nsjconf_t * nsjconf, const char *src, const char *dst,
 		     const char *fstype, const char *options, uintptr_t flags, const bool * isDir,
 		     bool mandatory, const char *src_env, const char *dst_env,
-		     const uint8_t * src_content, size_t src_content_len)
+		     const uint8_t * src_content, size_t src_content_len, bool is_symlink)
 {
 	struct mounts_t *p = utilCalloc(sizeof(struct mounts_t));
 
@@ -430,6 +447,7 @@ bool mountAddMountPt(struct nsjconf_t * nsjconf, const char *src, const char *ds
 	p->options = utilStrDup(options);
 	p->flags = flags;
 	p->isDir = true;
+	p->isSymlink = is_symlink;
 	p->mandatory = mandatory;
 
 	if (isDir) {
@@ -471,6 +489,9 @@ const char *mountDescribeMountPt(struct mounts_t *mpt)
 		utilSSnPrintf(mount_pt_descr, sizeof(mount_pt_descr), " src_content_len:%zu",
 			      mpt->src_content_len);
 	}
+	if (mpt->isSymlink) {
+		utilSSnPrintf(mount_pt_descr, sizeof(mount_pt_descr), " symlink:true");
+	}
 
 	return mount_pt_descr;
 }
diff --git a/mount.h b/mount.h
index fa4f424..a7fd948 100644
--- a/mount.h
+++ b/mount.h
@@ -32,7 +32,7 @@ bool mountInitNs(struct nsjconf_t *nsjconf);
 bool mountAddMountPt(struct nsjconf_t *nsjconf, const char *src, const char *dst,
 		     const char *fstype, const char *options, uintptr_t flags, const bool * isDir,
 		     bool mandatory, const char *src_env, const char *dst_env,
-		     const uint8_t * src_content, size_t src_content_len);
+		     const uint8_t * src_content, size_t src_content_len, bool is_symlink);
 const char *mountDescribeMountPt(struct mounts_t *mpt);
 
 #endif				/* NS_MOUNT_H */