jail: call build_envp() just before execve()

[project/procd.git] / jail / jail.c

diff --git a/jail/jail.c b/jail/jail.c
index 8157a8f..e86ee14 100644 (file)
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -139,16 +139,6 @@ static int build_jail_fs(void)
                return -1;
        }
 
-       if (add_path_and_deps(*opts.jail_argv, 1, -1, 0)) {
-               ERROR("failed to load dependencies\n");
-               return -1;
-       }
-
-       if (opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) {
-               ERROR("failed to load libpreload-seccomp.so\n");
-               return -1;
-       }
-
        if (mount_all(jail_root)) {
                ERROR("mount_all() failed\n");
                return -1;
@@ -240,10 +230,6 @@ and will only drop capabilities/apply seccomp filter.\n\n");
 
 static int exec_jail(void)
 {
-       char **envp = build_envp(opts.seccomp);
-       if (!envp)
-               exit(EXIT_FAILURE);
-
        if (opts.capabilities && drop_capabilities(opts.capabilities))
                exit(EXIT_FAILURE);
 
@@ -252,6 +238,10 @@ static int exec_jail(void)
                exit(EXIT_FAILURE);
        }
 
+       char **envp = build_envp(opts.seccomp);
+       if (!envp)
+               exit(EXIT_FAILURE);
+
        INFO("exec-ing %s\n", *opts.jail_argv);
        execve(*opts.jail_argv, opts.jail_argv, envp);
        /* we get there only if execve fails */
@@ -379,6 +369,16 @@ int main(int argc, char **argv)
 
        opts.jail_argv = &argv[optind];
 
+       if (opts.namespace && add_path_and_deps(*opts.jail_argv, 1, -1, 0)) {
+               ERROR("failed to load dependencies\n");
+               return -1;
+       }
+
+       if (opts.namespace && opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) {
+               ERROR("failed to load libpreload-seccomp.so\n");
+               return -1;
+       }
+
        if (opts.name)
                prctl(PR_SET_NAME, opts.name, NULL, NULL, NULL);