mkbox


commit 630b4147e0f06003d35f1ae352d888ce73daeb63
parent 8687d82d6aadb2b9b67cbfba8e52af66775847ba
Author: Brian Swetland <swetland@frotz.net>
Date:   Mon,  4 May 2015 22:05:51 -0700

add --with-tmp to get a tmpfs on /tmp

Diffstat:
Mmkbox.c | 30+++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/mkbox.c b/mkbox.c @@ -62,6 +62,7 @@ void usage(void) { " (otherwise only /dev/{null,zero,random})\n" " --with-sys mount /sys at sandbox's /sys\n" " --with-proc mount /proc at sandbox's /proc\n" +" --with-tmp mount tmpfs at sandbox's /tmp\n" " --data=<path> mount <path> at sandbox's /data (rw)\n" " --init=<path> exec <path> in sandbox (default: /bin/sh)\n" "\n" @@ -74,6 +75,7 @@ int main(int argc, char **argv) { int with_sys = 0; int with_proc = 0; int with_dev = 0; + int with_tmp = 0; char buf[1024]; int fd; const char *sandbox = NULL; @@ -93,6 +95,8 @@ int main(int argc, char **argv) { with_proc = 1; } else if (!strcmp(argv[0], "--with-dev")) { with_dev = 1; + } else if (!strcmp(argv[0], "--with-tmp")) { + with_tmp = 1; } else if (!strncmp(argv[0], "--init=", 7)) { initbin = argv[0] + 7; } else if (!strncmp(argv[0], "--data=", 7)) { @@ -143,14 +147,14 @@ int main(int argc, char **argv) { } if (with_proc) { - rmdir("xproc"); + rmdir(".oldproc"); rmdir("proc"); - ok(mkdir, "xproc", 0755); + ok(mkdir, ".oldproc", 0755); ok(mkdir, "proc", 0755); /* we need to hang on to the old proc in order to mount our * new proc later on */ - ok(mount, "/proc", "xproc", NULL, MS_BIND|MS_REC, NULL); + ok(mount, "/proc", ".oldproc", NULL, MS_BIND|MS_REC, NULL); } if (with_sys) { rmdir("sys"); @@ -185,6 +189,13 @@ int main(int argc, char **argv) { MS_NOSUID | MS_NODEV | MS_RDONLY, NULL); } + if (with_tmp) { + rmdir("tmp"); + ok(mkdir, "tmp", 0770); + ok(mount, "sandbox-tmp", "tmp", "tmpfs", + MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_NOATIME, + "size=16m,nr_inodes=4k,mode=770"); + } /* map new UID/GID to outer UID/GID */ sprintf(buf, "%d %d 1\n", newuid, uid); @@ -206,11 +217,6 @@ int main(int argc, char **argv) { ok(umount2, ".oldroot", MNT_DETACH); ok(rmdir, ".oldroot"); - /* remount root to finalize permissions */ - ok(mount, "/", "/", NULL, - MS_RDONLY|MS_BIND|MS_NOSUID|MS_REMOUNT, - NULL); - /* we must fork to become pid 1 in the new pid namespace */ cpid = ok(fork); 
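Review bot: In the new `with_tmp` block the result of `rmdir("tmp")` is discarded, so a non-empty `tmp` or a non-directory entry of that name in the sandbox directory shows up only as `ok(mkdir, "tmp", 0770)` failing with EEXIST (assuming `ok` reports and exits on error, which is not visible here). This matches the existing `proc` and `sys` handling, so a one-line comment is enough: `/* remove an empty leftover mountpoint; anything else makes the mkdir below fail */`. The mount options also deserve a why-comment, for example `/* scratch space that stays writable after / is remounted read-only; noexec and the 16m / 4k-inode cap are intentional */`, if that is indeed the intent. The `--with-tmp` usage line in the first hunk could mention the noexec flag and the size limit, since both affect what can run from /tmp. main() starts and ends outside these hunks.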
@@ -221,9 +227,15 @@ int main(int argc, char **argv) { } if (with_proc) { ok(mount, "/proc", "/proc", "proc", MS_NOSUID, NULL); - ok(umount2, "/xproc", MNT_DETACH); + ok(umount2, "/.oldproc", MNT_DETACH); + rmdir("/.oldproc"); } + /* remount root to finalize permissions */ + ok(mount, "/", "/", NULL, + MS_RDONLY|MS_BIND|MS_NOSUID|MS_REMOUNT, + NULL); + /* discard all capability bits */ ok(dropcaps);
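Review bot: The added `rmdir("/.oldproc");` ignores its return value, whereas the matching cleanup of `.oldroot` just before the fork is checked; `ok(rmdir, "/.oldproc");` would make a leftover mountpoint fail loudly instead of silently staying in the sandbox root. The read-only remount appears to have moved here because that rmdir needs a writable root, and because the remount needs privileges that `dropcaps` removes. That ordering should be stated in the comment, for example `/* remount root read-only to finalize permissions; must follow the .oldproc cleanup and precede dropcaps */`. Since the remount now runs only on the post-fork path, it is worth confirming that no earlier exit on that path can leave the sandbox running with a writable root. The enclosing function begins and ends outside the hunk.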