mkbox

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs | README
commit 630b4147e0f06003d35f1ae352d888ce73daeb63
parent 8687d82d6aadb2b9b67cbfba8e52af66775847ba
Author: Brian Swetland <swetland@frotz.net>
Date:   Mon,  4 May 2015 22:05:51 -0700

add --with-tmp to get a tmpfs on /tmp

Diffstat:

Mmkbox.c | 30+++++++++++++++++++++---------


1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/mkbox.c b/mkbox.c
@@ -62,6 +62,7 @@ void usage(void) {
 "                         (otherwise only /dev/{null,zero,random})\n"
 "         --with-sys      mount /sys at sandbox's /sys\n"
 "         --with-proc     mount /proc at sandbox's /proc\n"
+"         --with-tmp      mount tmpfs at sandbox's /tmp\n"
 "         --data=<path>   mount <path> at sandbox's /data (rw)\n"
 "         --init=<path>   exec <path> in sandbox (default: /bin/sh)\n"
 "\n"
@@ -74,6 +75,7 @@ int main(int argc, char **argv) {
 	int with_sys = 0;
 	int with_proc = 0;
 	int with_dev = 0;
+	int with_tmp = 0;
 	char buf[1024];
 	int fd;
 	const char *sandbox = NULL;
@@ -93,6 +95,8 @@ int main(int argc, char **argv) {
 			with_proc = 1;
 		} else if (!strcmp(argv[0], "--with-dev")) {
 			with_dev = 1;
+		} else if (!strcmp(argv[0], "--with-tmp")) {
+			with_tmp = 1;
 		} else if (!strncmp(argv[0], "--init=", 7)) {
 			initbin = argv[0] + 7;
 		} else if (!strncmp(argv[0], "--data=", 7)) {
@@ -143,14 +147,14 @@ int main(int argc, char **argv) {
 	}
 
 	if (with_proc) {
-		rmdir("xproc");
+		rmdir(".oldproc");
 		rmdir("proc");
-		ok(mkdir, "xproc", 0755);
+		ok(mkdir, ".oldproc", 0755);
 		ok(mkdir, "proc", 0755);
 		/* we need to hang on to the old proc in order to mount our
 		 * new proc later on
 		 */
-		ok(mount, "/proc", "xproc", NULL, MS_BIND|MS_REC, NULL);
+		ok(mount, "/proc", ".oldproc", NULL, MS_BIND|MS_REC, NULL);
 	}
 	if (with_sys) {
 		rmdir("sys");
@@ -185,6 +189,13 @@ int main(int argc, char **argv) {
 			MS_NOSUID | MS_NODEV | MS_RDONLY,
 			NULL);
 	}
+	if (with_tmp) {
+		rmdir("tmp");
+		ok(mkdir, "tmp", 0770);
+		ok(mount, "sandbox-tmp", "tmp", "tmpfs",
+			MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_NOATIME,
+			"size=16m,nr_inodes=4k,mode=770");
+	}
 
 	/* map new UID/GID to outer UID/GID */
 	sprintf(buf, "%d %d 1\n", newuid, uid);
@@ -206,11 +217,6 @@ int main(int argc, char **argv) {
 	ok(umount2, ".oldroot", MNT_DETACH);
 	ok(rmdir, ".oldroot");
 
-	/* remount root to finalize permissions */
-	ok(mount, "/", "/", NULL,
-		MS_RDONLY|MS_BIND|MS_NOSUID|MS_REMOUNT,
-		NULL);
-
 	/* we must fork to become pid 1 in the new pid namespace */
 	cpid = ok(fork);
 
@@ -221,9 +227,15 @@ int main(int argc, char **argv) {
 		}
 		if (with_proc) {
 			ok(mount, "/proc", "/proc", "proc", MS_NOSUID, NULL);
-			ok(umount2, "/xproc", MNT_DETACH);
+			ok(umount2, "/.oldproc", MNT_DETACH);
+			rmdir("/.oldproc");
 		}
 
+		/* remount root to finalize permissions */
+		ok(mount, "/", "/", NULL,
+			MS_RDONLY|MS_BIND|MS_NOSUID|MS_REMOUNT,
+			NULL);
+
 		/* discard all capability bits */
 		ok(dropcaps);