packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ostbuild: Add --unshare-ipc flag for user-chroot 

This optionally closes down more paths to the host, which is
a good thing.
This commit is contained in:
Colin Walters 2011-12-07 09:48:38 -05:00
parent d70950e891
commit fbb09d71a6
1 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/ostbuild/ostbuild-user-chroot.c
View File

@ -106,6 +106,8 @@ main (int argc,
char **program_argv; char **program_argv;
BindMount *bind_mounts = NULL; BindMount *bind_mounts = NULL;
BindMount *bind_mount_iter; BindMount *bind_mount_iter;
int unshare_ipc = 0;
int unshare_flags = 0;
if (argc <= 0) if (argc <= 0)
return 1; return 1;
@ -157,6 +159,11 @@ main (int argc,
bind_mounts = mount; bind_mounts = mount;
after_mount_arg_index += 2; after_mount_arg_index += 2;
} }
else if (strcmp (arg, "--unshare-ipc") == 0)
{
unshare_ipc = 1;
after_mount_arg_index += 1;
}
else else
break; break;
} }
@ -164,7 +171,7 @@ main (int argc,
bind_mounts = reverse_bind_mount_list (bind_mounts); bind_mounts = reverse_bind_mount_list (bind_mounts);
if ((argc - after_mount_arg_index) < 2) if ((argc - after_mount_arg_index) < 2)
fatal ("usage: %s [--mount-readonly DIR] [--mount-bind SOURCE DEST] ROOTDIR PROGRAM ARGS...", argv0); fatal ("usage: %s [--unshare-ipc] [--unshare-pid] [--mount-readonly DIR] [--mount-bind SOURCE DEST] ROOTDIR PROGRAM ARGS...", argv0);
chroot_dir = argv[after_mount_arg_index]; chroot_dir = argv[after_mount_arg_index];
program = argv[after_mount_arg_index+1]; program = argv[after_mount_arg_index+1];
program_argv = argv + after_mount_arg_index + 1; program_argv = argv + after_mount_arg_index + 1;
@ -196,8 +203,11 @@ main (int argc,
* affecting our children, not the entire system. This way it's * affecting our children, not the entire system. This way it's
* harmless to bind mount e.g. /proc over an arbitrary directory. * harmless to bind mount e.g. /proc over an arbitrary directory.
*/ */
if (unshare (CLONE_NEWNS) < 0) unshare_flags = CLONE_NEWNS;
fatal_errno ("unshare (CLONE_NEWNS)"); if (unshare_ipc)
unshare_flags |= CLONE_NEWIPC | CLONE_NEWUTS;
if (unshare (unshare_flags) < 0)
fatal_errno ("unshare");
/* This is necessary to undo the damage "sandbox" creates on Fedora /* This is necessary to undo the damage "sandbox" creates on Fedora
* by making / a shared mount instead of private. This isn't * by making / a shared mount instead of private. This isn't