authorDaniel Golle <daniel@makrotopia.org>2021-07-17 14:06:38 +0100
committerDaniel Golle <daniel@makrotopia.org>2021-07-17 18:10:02 +0100
commit05459054fb6b5f49c76fd5de2d02ff6c891f1dcd (patch)
tree7c5de1c2abd2a4e600e54254f1e99753f5f4ce54 /jail
parented96eda0a2a15c8ee801c4c26e8fe5bd241f83e9 (diff)
jail: make use of realpath() for rootfs and overlaydir
Use realpath() to resolve rootfs and read/write-overlay as they are potentially (and likely, as we are going to use blockd with autofs) symlinks. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Diffstat (limited to 'jail')
-rw-r--r--jail/jail.c44
1 files changed, 20 insertions, 24 deletions
diff --git a/jail/jail.c b/jail/jail.c
index 4cc16c8..e6c9081 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -621,6 +621,7 @@ static void enter_jail_fs(void);
static int build_jail_fs(void)
{
char *overlaydir = NULL;
+ int ret;
old_umask = umask(0);
@@ -641,7 +642,7 @@ static int build_jail_fs(void)
}
if (opts.extroot) {
- /* use stat to trigger autofs mount */
+ /* use open() to trigger autofs mount */
DEBUG("mounting extroot from %s\n", opts.extroot);
int rootdirfd = open(opts.extroot, O_RDONLY | O_DIRECTORY);
if (rootdirfd == -1) {
@@ -674,14 +675,23 @@ static int build_jail_fs(void)
ERROR("failed to mount tmpfs for overlay (size=%s)\n", opts.tmpoverlaysize);
return -1;
}
- overlaydir = tmpovdir;
+ overlaydir = strdup(tmpovdir);
+ if (!overlaydir)
+ return -1;
}
- if (opts.overlaydir)
- overlaydir = opts.overlaydir;
+ if (opts.overlaydir) {
+ overlaydir = realpath(opts.overlaydir, NULL);
+ if (!overlaydir)
+ return errno;
+ }
- if (overlaydir)
- mount_overlay(jail_root, overlaydir);
+ if (overlaydir) {
+ ret = mount_overlay(jail_root, overlaydir);
+ free(overlaydir);
+ if (ret)
+ return ret;
+ }
if (chdir(jail_root)) {
ERROR("chdir(%s) (jail_root) failed: %m\n", jail_root);
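Review bot: The realpath() failure path at `return errno;` is silent and returns a positive errno, while the two failure paths just above it in this hunk return -1, one of them after an ERROR() message; if a caller tests only for a negative result, it would treat this failure as success and carry on without the requested overlay. I would write it as `ERROR("realpath(%s) (overlaydir) failed: %m\n", opts.overlaydir);` followed by `return -1;`. Separately, if the tmpfs branch ran and opts.overlaydir is also set, the strdup() copy is overwritten by the realpath() result and never freed, so a `free(overlaydir);` before the reassignment would close that. build_jail_fs starts and continues outside the hunk, so the caller's check is not visible here.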
@@ -1332,9 +1342,7 @@ static const struct blobmsg_policy oci_root_policy[] = {
static int parseOCIroot(const char *jsonfile, struct blob_attr *msg)
{
- static char extroot[PATH_MAX] = { 0 };
- char buf[PATH_MAX];
- ssize_t len;
+ char extroot[PATH_MAX] = { 0 };
struct blob_attr *tb[__OCI_ROOT_MAX];
char *cur;
char *root_path;
@@ -1360,21 +1368,9 @@ static int parseOCIroot(const char *jsonfile, struct blob_attr *msg)
strncat(extroot, root_path, PATH_MAX - (strlen(extroot) + 1));
/* follow symbolic link(s) */
- while ((len = readlink(extroot, buf, sizeof(buf)-1)) != -1) {
- buf[len] = '\0';
- if (buf[0] != '/') {
- cur = strrchr(extroot, '/');
- if (!cur)
- return ENOTDIR;
-
- *(++cur) = '\0';
- strncat(extroot, buf, sizeof(extroot)-1);
- } else {
- strncpy(extroot, buf, sizeof(extroot)-1);
- }
- }
-
- opts.extroot = extroot;
+ opts.extroot = realpath(extroot, NULL);
+ if (!opts.extroot)
+ return errno;
if (tb[OCI_ROOT_READONLY])
opts.ronly = blobmsg_get_bool(tb[OCI_ROOT_READONLY]);
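Review bot: opts.extroot now owns a buffer allocated by realpath(), but nothing in the hunk frees it or records that ownership, and a second call to parseOCIroot would overwrite the pointer and leak the first result. A comment at the assignment such as `/* heap-allocated by realpath(); owned by opts, free() on teardown */` would make the contract explicit, and any other assignment to opts.extroot (not visible here) has to agree with it. Also worth stating in that comment: realpath() yields a canonical string, not a pinned directory, and build_jail_fs opens opts.extroot again by name, so if any path component can be changed by a less-privileged user between the two calls, the directory that is opened may differ from the one resolved here. The result is not compared against the bundle directory either, so canonicalization here is not a containment check. parseOCIroot's body starts and ends outside the hunk.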