jail: don't include capabilities config (-C) inside the jail
authorEtienne CHAMPETIER <champetier.etienne@gmail.com>
Sun, 29 May 2016 23:39:15 +0000 (23:39 +0000)
committerJohn Crispin <john@phrozen.org>
Wed, 1 Jun 2016 08:27:35 +0000 (10:27 +0200)
Removing capabilities from the capability bounding set doesn't change
the capability effective set, so we can "drop capabilities" (bounding
set only) before we build the jail fs, and the capabilities config file
therefore no longer needs to be mounted into the jail.

Signed-off-by: Etienne CHAMPETIER <champetier.etienne@gmail.com>
jail/jail.c

index e86ee14..03ff66c 100644 (file)
@@ -228,7 +228,7 @@ ujail will not use namespace/build a jail,\n\
 and will only drop capabilities/apply seccomp filter.\n\n");
 }
 
 and will only drop capabilities/apply seccomp filter.\n\n");
 }
 
-static int exec_jail(void)
+static int exec_jail(void *_notused)
 {
        if (opts.capabilities && drop_capabilities(opts.capabilities))
                exit(EXIT_FAILURE);
 {
        if (opts.capabilities && drop_capabilities(opts.capabilities))
                exit(EXIT_FAILURE);
@@ -238,6 +238,17 @@ static int exec_jail(void)
                exit(EXIT_FAILURE);
        }
 
                exit(EXIT_FAILURE);
        }
 
+       if (opts.namespace && opts.hostname
+                       && sethostname(opts.hostname, strlen(opts.hostname))) {
+               ERROR("sethostname(%s) failed: %s\n", opts.hostname, strerror(errno));
+               exit(EXIT_FAILURE);
+       }
+
+       if (opts.namespace && build_jail_fs()) {
+               ERROR("failed to build jail fs\n");
+               exit(EXIT_FAILURE);
+       }
+
        char **envp = build_envp(opts.seccomp);
        if (!envp)
                exit(EXIT_FAILURE);
        char **envp = build_envp(opts.seccomp);
        if (!envp)
                exit(EXIT_FAILURE);
@@ -249,20 +260,6 @@ static int exec_jail(void)
        exit(EXIT_FAILURE);
 }
 
        exit(EXIT_FAILURE);
 }
 
-static int spawn_jail(void *_notused)
-{
-       if (opts.hostname && sethostname(opts.hostname, strlen(opts.hostname))) {
-               ERROR("sethostname(%s) failed: %s\n", opts.hostname, strerror(errno));
-       }
-
-       if (build_jail_fs()) {
-               ERROR("failed to build jail fs");
-               exit(EXIT_FAILURE);
-       }
-
-       return exec_jail();
-}
-
 static int jail_running = 1;
 static int jail_return_code = 0;
 
 static int jail_running = 1;
 static int jail_return_code = 0;
 
@@ -322,7 +319,6 @@ int main(int argc, char **argv)
                        break;
                case 'C':
                        opts.capabilities = optarg;
                        break;
                case 'C':
                        opts.capabilities = optarg;
-                       add_mount(optarg, 1, -1);
                        break;
                case 'c':
                        opts.no_new_privs = 1;
                        break;
                case 'c':
                        opts.no_new_privs = 1;
@@ -384,7 +380,7 @@ int main(int argc, char **argv)
 
        uloop_init();
        if (opts.namespace) {
 
        uloop_init();
        if (opts.namespace) {
-               jail_process.pid = clone(spawn_jail,
+               jail_process.pid = clone(exec_jail,
                        child_stack + STACK_SIZE,
                        CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | SIGCHLD, NULL);
        } else {
                        child_stack + STACK_SIZE,
                        CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | SIGCHLD, NULL);
        } else {
@@ -404,7 +400,7 @@ int main(int argc, char **argv)
                return jail_return_code;
        } else if (jail_process.pid == 0) {
                /* fork child process */
                return jail_return_code;
        } else if (jail_process.pid == 0) {
                /* fork child process */
-               return exec_jail();
+               return exec_jail(NULL);
        } else {
                ERROR("failed to clone/fork: %s\n", strerror(errno));
                return EXIT_FAILURE;
        } else {
                ERROR("failed to clone/fork: %s\n", strerror(errno));
                return EXIT_FAILURE;
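Review bot: The hunk at @@ -238,6 +238,17 @@ now calls build_jail_fs() after drop_capabilities(), which is only safe while drop_capabilities() touches the bounding set alone (as the commit message states) and leaves CAP_SYS_ADMIN in the effective set for the mount work inside build_jail_fs(); the code records nothing about that ordering constraint, and drop_capabilities() is defined outside this page so I cannot confirm it. I would add above `if (opts.capabilities && drop_capabilities(opts.capabilities))` a comment such as `/* Only the bounding set is reduced here; the effective set must keep CAP_SYS_ADMIN until build_jail_fs() has finished mounting. The bounding set takes effect at execve(). */` so a later change to drop_capabilities() (e.g. a capset() that clears the effective set) does not silently break jail setup. Note also the behaviour change that a sethostname() failure now aborts the jail where the removed spawn_jail() only logged it — the stricter choice, but worth a line in the description. exec_jail() begins before this hunk and its body continues past it.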