From 0ee51d181249a33b6d3675bcf50496c63efe429a Mon Sep 17 00:00:00 2001 From: Colin Date: Mon, 2 Sep 2024 21:47:51 +0000 Subject: [PATCH] bunpen: peek through *all* symlinks, not just intermediary ones `mount` doesnt seem to mount over symlinks, hence why we have to follow even terminal symlinks --- pkgs/additional/bunpen/restrict/namespace.ha | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/pkgs/additional/bunpen/restrict/namespace.ha b/pkgs/additional/bunpen/restrict/namespace.ha index e583e7d5f..726da9434 100644 --- a/pkgs/additional/bunpen/restrict/namespace.ha +++ b/pkgs/additional/bunpen/restrict/namespace.ha @@ -131,7 +131,6 @@ fn isolate_paths(paths: []path::buffer) void = { "proc", "new/proc", "proc", rt::ext::mount_flag::NOSUID | rt::ext::mount_flag::NOEXEC | rt::ext::mount_flag::NODEV, null )); - // provide a new `/tmp` too. errors::ext::swallow("[namespace] mkdir new/tmp", rt::mkdir("new/tmp", 0o777)); errors::ext::swallow("[namespace] mount -t tmpfs tmpfs new/tmp", rt::ext::mount("tmpfs", "new/tmp", "tmpfs", 0, null)); @@ -228,18 +227,19 @@ fn bind_component(old_fs: *fs::fs, new_fs: *fs::fs, strpath: str, remaining: str let linktext = fs::readlink(old_fs, strpath)?; log::printfln("[namespace/bind] ln new/{} -> {}", strpath, linktext); fs::symlink(new_fs, linktext, strpath)?; - if (remaining != "") { - // bind the real path (or, the "more real" path, in case there are - // multiple layers of symlink). - let target_path: path::buffer = if (path::abs(linktext)) { - // foo/bar/baz/fnord with bar -> /target => `/target/baz/fnord` - yield path::init(linktext, remaining)?; - } else { - // foo/bar/baz/fnord with foo -> target => `foo/target/bar/baz` - yield path::init(strpath, "..", linktext, remaining)?; - }; - return bind_leaf(old_fs, new_fs, &target_path); + + // bind the real path (or, the "more real" path, in case there are + // multiple layers of symlink). + let target_path: path::buffer = if (path::abs(linktext)) { + // foo/bar/baz/fnord with (bar -> /target) => `/target/baz/fnord` + // foo/bar/baz/fnord with (fnord -> /target, remaining="") => `/target` + yield path::init(linktext, remaining)?; + } else { + // foo/bar/baz/fnord with (foo -> target) => `foo/target/bar/baz` + // foo/bar/baz/fnord with (fnord -> target, remaining="") => `foo/bar/baz/target` + yield path::init(strpath, "..", linktext, remaining)?; }; + return bind_leaf(old_fs, new_fs, &target_path); } else if (fs::isdir(st.mode)) { log::printfln("[namespace/bind] mkdir new/{}", strpath); fs::mkdir(new_fs, strpath, st.mode)?;