From 7d7abc961946390efddab3fd0cdbba33c98ca7cb Mon Sep 17 00:00:00 2001
From: Colin
Date: Sat, 24 Aug 2024 20:03:50 +0000
Subject: [PATCH] bunpen: namespace: simplify
---
 pkgs/additional/bunpen/restrict/namespace.ha | 22 ++++++--------------
 1 file changed, 6 insertions(+), 16 deletions(-)
diff --git a/pkgs/additional/bunpen/restrict/namespace.ha b/pkgs/additional/bunpen/restrict/namespace.ha
index c0c8fd855..8d3747e62 100644
--- a/pkgs/additional/bunpen/restrict/namespace.ha
+++ b/pkgs/additional/bunpen/restrict/namespace.ha
@@ -8,8 +8,6 @@ use rtext;
 use unix;
 export fn namespace_restrict(what: *resources) void = {
- let proc_fd = rt::open("/proc", rt::O_PATH | rt::O_CLOEXEC, 0)!;
- let proc_fs = os::dirfdopen(proc_fd);
 // unshare as much as possible, by default:
 let what_to_unshare =
 rtext::CLONE_NEWCGROUP |
@@ -32,13 +30,13 @@ export fn namespace_restrict(what: *resources) void = {
 // and `mkdir` will return EOVERFLOW.
 // all this does is make it so that namespace operations under uid 1000 are
 // mapped to non-ns ops by the same user, and vice-versa
- write_uid_map(proc_fs);
+ write_uid_map();
 rt::mount("tmpfs", "/tmp", &['t': u8, 'm', 'p', 'f', 's', 0]: *const u8, rtext::MS_NODEV | rtext::MS_NOSUID, null)!;
 // chroot to `/tmp`, with the old root being placed at `/tmp/oldroot` (i.e. /oldroot)
 check_error("cd /tmp", os::chdir("/tmp"));
- check_error("mkdir /tmp/oldroot", rt::mkdir(&['o': u8, 'l', 'd', 'r', 'o', 'o', 't', 0]: *const u8, 0o755));
+ check_error("mkdir /tmp/oldroot", rt::mkdir("oldroot", 0o755));
 rtext::pivot_root("/tmp", "oldroot")!;
 check_error("cd /", os::chdir("/"));
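Review bot: The new `rt::mkdir("oldroot", 0o755)` in the second hunk resolves against the current directory, so it only creates `/tmp/oldroot` if the preceding `os::chdir("/tmp")` actually succeeded. check_error's body is outside this hunk; if it reports the error rather than aborting, a failed chdir would leave the directory created wherever the process happens to be, while the log label still reads `mkdir /tmp/oldroot`. Either keep the path absolute, `check_error("mkdir /tmp/oldroot", rt::mkdir("/tmp/oldroot", 0o755));`, or add a comment such as `// relative to cwd: requires the chdir("/tmp") above to have succeeded`. namespace_restrict begins and ends outside the hunk.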
@@ -60,21 +58,13 @@ fn check_error(op: str, c: (void | fs::error | rt::errno)) void = {
 };
 };
-// fn write_uid_map(proc_fd: int) void = {
-// // let uid_fd = rt::open("/proc/self/uid_map", rt::O_RDWR | rt::O_CLOEXEC, 0)!;
-// let uid_fd = rt::openat2(proc_fd, "self/uid_map", rt::open_how {
-// flags: rt::O_RDWR | rt::O_CLOEXEC, ...
-// })!;
-// io::write(uid_fd, &['1': u8, '0', '0', '0', ' ', '0', ' ', '1', 0])!;
-// };
-
-fn write_uid_map(proc_fs: *fs::fs) void = {
- let uid_fd = fs::open(proc_fs, "self/uid_map", fs::flag::RDWR)!;
+fn write_uid_map() void = {
+ let uid_fd = rt::open("/proc/self/uid_map", rt::O_RDWR | rt::O_CLOEXEC, 0)!;
 io::write(uid_fd, &['1': u8, '0', '0', '0', ' ', '1', '0', '0', '0', ' ', '1', '\n', 0])!;
- let setgroups_fd = fs::open(proc_fs, "self/setgroups", fs::flag::RDWR)!;
+ let setgroups_fd = rt::open("/proc/self/setgroups", rt::O_RDWR | rt::O_CLOEXEC, 0)!;
 io::write(setgroups_fd, &['d': u8, 'e', 'n', 'y', '\n', 0])!;
- let gid_fd = fs::open(proc_fs, "self/gid_map", fs::flag::RDWR)!;
+ let gid_fd = rt::open("/proc/self/gid_map", rt::O_RDWR | rt::O_CLOEXEC, 0)!;
 io::write(gid_fd, &['1': u8, '0', '0', ' ', '1', '0', '0', ' ', '1', '\n', 0])!;
 };
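Review bot: The three descriptors opened in write_uid_map (`uid_fd`, `setgroups_fd`, `gid_fd`) are never closed in the visible body; O_CLOEXEC covers the eventual exec, but until then the sandbox setup keeps read-write handles to its own id-map files open. Closing each one right after it is opened, e.g. `defer rt::close(uid_fd)!;`, limits the handle's lifetime to the single write. With the dirfd gone, the function also depends on `/proc` still being the original procfs at its absolute path, which appears to hold only because the call site runs before the tmpfs mount and `pivot_root`. A comment on the function such as `// must be called before pivot_root: opens /proc/self/* by absolute path` would record that ordering requirement.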