-rw-r--r--bind-mount.c7
-rw-r--r--bubblewrap.c21
-rw-r--r--bwrap.xml4
-rw-r--r--completions/bash/bwrap1
4 files changed, 31 insertions, 2 deletions
diff --git a/bind-mount.c b/bind-mount.c
index 72fd3c5..d5c45b8 100644
--- a/bind-mount.c
+++ b/bind-mount.c
@@ -244,8 +244,11 @@ bind_mount (int proc_fd,
unsigned long current_flags, new_flags;
int i;
- if (mount (src, dest, NULL, MS_MGC_VAL | MS_BIND | (recursive ? MS_REC : 0), NULL) != 0)
- return 1;
+ if (src)
+ {
+ if (mount (src, dest, NULL, MS_MGC_VAL | MS_BIND | (recursive ? MS_REC : 0), NULL) != 0)
+ return 1;
+ }
current_flags = get_mountflags (proc_fd, dest);
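Review bot: The new `if (src)` guard gives `bind_mount` a second mode — remount-only of whatever is already mounted at `dest` when `src` is NULL — but nothing documents it, and that mode silently depends on `dest` being a mount point: if it is not, the flags read by `get_mountflags (proc_fd, dest)` presumably describe the enclosing mount and the flag change that follows would apply to that mount rather than the requested path, so the caller should verify it or the function should reject it. I would add above the function definition a comment such as `/* src == NULL: create no bind mount, only re-apply flags to the mount already at dest; dest must itself be a mount point. */`. The body of bind_mount begins and ends outside this hunk.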
diff --git a/bubblewrap.c b/bubblewrap.c
index 6c4fa76..980cb80 100644
--- a/bubblewrap.c
+++ b/bubblewrap.c
@@ -63,6 +63,7 @@ typedef enum {
SETUP_MAKE_FILE,
SETUP_MAKE_BIND_FILE,
SETUP_MAKE_SYMLINK,
+ SETUP_REMOUNT_RO_NO_RECURSIVE,
} SetupOpType;
typedef struct _SetupOp SetupOp;
@@ -96,6 +97,7 @@ enum {
PRIV_SEP_OP_TMPFS_MOUNT,
PRIV_SEP_OP_DEVPTS_MOUNT,
PRIV_SEP_OP_MQUEUE_MOUNT,
+ PRIV_SEP_OP_REMOUNT_RO_NO_RECURSIVE,
};
typedef struct
@@ -165,6 +167,7 @@ usage (int ecode, FILE *out)
" --bind SRC DEST Bind mount the host path SRC on DEST\n"
" --dev-bind SRC DEST Bind mount the host path SRC on DEST, allowing device access\n"
" --ro-bind SRC DEST Bind mount the host path SRC readonly on DEST\n"
+ " --remount-ro DEST Remount DEST as readonly, it doesn't recursively remount\n"
" --exec-label LABEL Exec Label for the sandbox\n"
" --file-label LABEL File label for temporary sandbox content\n"
" --proc DEST Mount procfs on DEST\n"
@@ -541,6 +544,11 @@ privileged_op (int privileged_op_socket,
case PRIV_SEP_OP_DONE:
break;
+ case PRIV_SEP_OP_REMOUNT_RO_NO_RECURSIVE:
+ if (bind_mount (proc_fd, arg1, arg2, flags) != 0)
+ die_with_error ("Can't bind mount %s on %s", arg1, arg2);
+ break;
+
case PRIV_SEP_OP_BIND_MOUNT:
/* We always bind directories recursively, otherwise this would let us
access files that are otherwise covered on the host */
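Review bot: In the new `PRIV_SEP_OP_REMOUNT_RO_NO_RECURSIVE` case, `arg1` is the `src` that setup_newroot passes as NULL for this op, so on failure `die_with_error ("Can't bind mount %s on %s", arg1, arg2)` hands a null pointer to `%s`, which is undefined behaviour in the error path (glibc prints "(null)", other libcs may fault) and the message misdescribes the operation anyway. Use `die_with_error ("Can't remount %s readonly", arg2);` instead. If the privileged-helper transport serialises `arg1` as a string, it must also carry the NULL through for this op; that code is not visible here. privileged_op's body continues outside the hunk.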
@@ -626,6 +634,11 @@ setup_newroot (bool unshare_pid,
source, dest);
break;
+ case SETUP_REMOUNT_RO_NO_RECURSIVE:
+ privileged_op (privileged_op_socket,
+ PRIV_SEP_OP_REMOUNT_RO_NO_RECURSIVE, BIND_READONLY, NULL, dest);
+ break;
+
case SETUP_MOUNT_PROC:
if (mkdir (dest, 0755) != 0 && errno != EEXIST)
die_with_error ("Can't mkdir %s", op->dest);
@@ -1002,6 +1015,14 @@ parse_args_recurse (int *argcp,
argv++;
argc--;
}
+ else if (strcmp (arg, "--remount-ro") == 0)
+ {
+ SetupOp *op = setup_op_new (SETUP_REMOUNT_RO_NO_RECURSIVE);
+ op->dest = argv[1];
+
+ argv++;
+ argc--;
+ }
else if (strcmp (arg, "--bind") == 0)
{
if (argc < 3)
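Review bot: The new `--remount-ro` branch reads `argv[1]` without checking that the argument exists, whereas the neighbouring `--bind` branch starts with `if (argc < 3)`; a trailing `--remount-ro` with no DEST reads past the end of argv. Add `if (argc < 2) die ("--remount-ro takes one argument");` before `SetupOp *op = setup_op_new (SETUP_REMOUNT_RO_NO_RECURSIVE);`, matching the wording the other single-argument options use (those branches are outside this hunk). parse_args_recurse continues beyond the hunk on both sides.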
diff --git a/bwrap.xml b/bwrap.xml
index 0d5e236..4fa0333 100644
--- a/bwrap.xml
+++ b/bwrap.xml
@@ -179,6 +179,10 @@
<listitem><para>Bind mount the host path <arg choice="plain">SRC</arg> readonly on <arg choice="plain">DEST</arg></para></listitem>
</varlistentry>
<varlistentry>
+ <term><option>--remount-ro <arg choice="plain">DEST</arg></option></term>
+ <listitem><para>Remount the path <arg choice="plain">DEST</arg> as readonly. It works only on the specified mount point, without changing any other mount point under the specified path</para></listitem>
+ </varlistentry>
+ <varlistentry>
<term><option>--proc <arg choice="plain">DEST</arg></option></term>
<listitem><para>Mount procfs on <arg choice="plain">DEST</arg></para></listitem>
</varlistentry>
diff --git a/completions/bash/bwrap b/completions/bash/bwrap
index ba312fd..6dc5a19 100644
--- a/completions/bash/bwrap
+++ b/completions/bash/bwrap
@@ -33,6 +33,7 @@ _bwrap() {
--lock-file
--proc
--ro-bind
+ --remount-ro
--seccomp
--setenv
--symlink