From eb52ab9a2bcbf17f5196a1f68698526d12e1a271 Mon Sep 17 00:00:00 2001
From: Robert Swiecki
Date: Tue, 8 Mar 2016 15:57:09 +0100
Subject: [PATCH] Move contain fnctions into contain.c
---
 contain.c | 42 +++++++++++++++++++++++++++++++++++-------
 contain.h | 8 +------
 subproc.c | 32 ++++++-------------------------
 3 files changed, 42 insertions(+), 40 deletions(-)
diff --git a/contain.c b/contain.c
index afa14b7..dcb490c 100644
--- a/contain.c
+++ b/contain.c
@@ -48,17 +48,17 @@
 #include "util.h"
 #include "uts.h"
 
-bool containInitNetNs(struct nsjconf_t * nsjconf)
+static bool containInitNetNs(struct nsjconf_t *nsjconf)
 {
 	return netInitNsFromChild(nsjconf);
 }
 
-bool containInitUtsNs(struct nsjconf_t * nsjconf)
+static bool containInitUtsNs(struct nsjconf_t *nsjconf)
 {
 	return utsInitNs(nsjconf);
 }
 
-bool containDropPrivs(struct nsjconf_t * nsjconf)
+static bool containDropPrivs(struct nsjconf_t *nsjconf)
 {
 	/*
 	 * Best effort because of /proc/self/setgroups
@@ -114,7 +114,7 @@ bool containDropPrivs(struct nsjconf_t * nsjconf)
 	return true;
 }
 
-bool containPrepareEnv(struct nsjconf_t * nsjconf)
+static bool containPrepareEnv(struct nsjconf_t *nsjconf)
 {
 	if (prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0) == -1) {
 		PLOG_E("prctl(PR_SET_PDEATHSIG, SIGKILL)");
@@ -134,12 +134,12 @@ bool containPrepareEnv(struct nsjconf_t * nsjconf)
 	return true;
 }
 
-bool containInitMountNs(struct nsjconf_t * nsjconf)
+static bool containInitMountNs(struct nsjconf_t *nsjconf)
 {
 	return mountInitNs(nsjconf);
 }
 
-bool containSetLimits(struct nsjconf_t * nsjconf)
+static bool containSetLimits(struct nsjconf_t *nsjconf)
 {
 	struct rlimit64 rl;
 	rl.rlim_cur = rl.rlim_max = nsjconf->rl_as;
@@ -240,7 +240,7 @@ static bool containMakeFdsCOEProc(void)
 	return true;
 }
 
-bool containMakeFdsCOE(void)
+static bool containMakeFdsCOE(void)
 {
 	if (containMakeFdsCOEProc() == true) {
 		return true;
@@ -283,3 +283,31 @@ bool containSetupFD(struct nsjconf_t * nsjconf, int fd_in, int fd_out, int fd_er
 	}
 	return true;
 }
+
+bool containContain(struct nsjconf_t * nsjconf)
+{
+	if (containInitMountNs(nsjconf) == false) {
+		return false;
+	}
+	if (containInitNetNs(nsjconf) == false) {
+		return false;
+	}
+	if (containInitUtsNs(nsjconf) == false) {
+		return false;
+	}
+	if (containDropPrivs(nsjconf) == false) {
+		return false;
+	}
+	/* */
+	/* As non-root */
+	if (containSetLimits(nsjconf) == false) {
+		return false;
+	}
+	if (containPrepareEnv(nsjconf) == false) {
+		return false;
+	}
+	if (containMakeFdsCOE() == false) {
+		return false;
+	}
+	return true;
+}
diff --git a/contain.h b/contain.h
index 0f1ee11..4a57da9 100644
--- a/contain.h
+++ b/contain.h
@@ -26,13 +26,7 @@
 #include "common.h"
 
-bool containInitNetNs(struct nsjconf_t *nsjconf);
-bool containInitUtsNs(struct nsjconf_t *nsjconf);
-bool containDropPrivs(struct nsjconf_t *nsjconf);
-bool containPrepareEnv(struct nsjconf_t *nsjconf);
-bool containInitMountNs(struct nsjconf_t *nsjconf);
-bool containSetLimits(struct nsjconf_t *nsjconf);
-bool containMakeFdsCOE(void);
 bool containSetupFD(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_err, int fd_log);
+bool containContain(struct nsjconf_t *nsjconf);
 
 #endif /* _CONTAIN_H */
diff --git a/subproc.c b/subproc.c
index 3c9e5f5..ca7eff0 100644
--- a/subproc.c
+++ b/subproc.c
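Review bot: containContain is defined as `bool containContain(struct nsjconf_t * nsjconf)` while this same commit reformats every other definition in contain.c to `*nsjconf` and contain.h declares it as `bool containContain(struct nsjconf_t *nsjconf);`; the definition should read `bool containContain(struct nsjconf_t *nsjconf)`. The empty `/* */` line carried over from subproc.c says nothing and can be dropped. The ordering this function now owns is the security-relevant part — the `/* As non-root */` marker says every step after containDropPrivs runs without the credentials the namespace setup needed — so a header comment should state it explicitly: `/* Run the containment steps in their required order: namespaces first, then drop privileges; everything after containDropPrivs runs unprivileged, so any step that needs the original credentials must be placed before it. Returns false on the first failing step. */`.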
@@ -61,34 +61,9 @@ static int subprocNewProc(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int
 	if (doneChar != subprocDoneChar) {
 		exit(1);
 	}
-	if (containInitMountNs(nsjconf) == false) {
+	if (containContain(nsjconf) == false) {
 		exit(1);
 	}
-	if (containInitNetNs(nsjconf) == false) {
-		exit(1);
-	}
-	if (containInitUtsNs(nsjconf) == false) {
-		exit(1);
-	}
-	if (containDropPrivs(nsjconf) == false) {
-		exit(1);
-	}
-	/* */
-	/* As non-root */
-	if (containSetLimits(nsjconf) == false) {
-		exit(1);
-	}
-	if (containPrepareEnv(nsjconf) == false) {
-		exit(1);
-	}
-	if (containMakeFdsCOE() == false) {
-		exit(1);
-	}
-	/* Should be the last one in the sequence */
-	if (sandboxApply(nsjconf) == false) {
-		exit(1);
-	}
-
 	if (nsjconf->keep_env == false) {
 		clearenv();
 	}
@@ -101,6 +76,11 @@ static int subprocNewProc(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int
 	for (size_t i = 0; nsjconf->argv[i]; i++) {
 		LOG_D(" Arg[%zu]: '%s'", i, nsjconf->argv[i]);
 	}
+
+	/* Should be the last one in the sequence */
+	if (sandboxApply(nsjconf) == false) {
+		exit(1);
+	}
 	execv(nsjconf->argv[0], &nsjconf->argv[0]);
 	PLOG_E("execve('%s') failed", nsjconf->argv[0]);
-- 
2.34.1
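Review bot: The relocation of sandboxApply across these two hunks changes its position relative to `clearenv()` and the argv `LOG_D` loop — it used to run before them and now runs after, immediately before `execv` — and the commit message ("Move contain fnctions into contain.c") does not mention that. If sandboxApply is what installs the syscall policy (not visible here), that ordering is observable, since clearenv and the logging no longer execute under it; a sentence in the description should record the change. The moved comment says "last" but not why, so expand it where it lands in the second hunk: `/* Apply the sandbox policy last, immediately before execv: anything this process still does afterwards (execv, and PLOG_E on its failure) must be permitted by that policy. */`. Both hunks are inside subprocNewProc, whose start and end lie outside them.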