colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

bunpen: namespace: simplify

Browse Source
This commit is contained in:
Colin
2024-08-24 20:03:50 +00:00
parent f0efa0c255
commit 7d7abc9619
1 changed files with 6 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
pkgs/additional/bunpen/restrict/namespace.ha
View File

@@ -8,8 +8,6 @@ use rtext;
use unix; use unix;
export fn namespace_restrict(what: *resources) void = { export fn namespace_restrict(what: *resources) void = {
let proc_fd = rt::open("/proc", rt::O_PATH | rt::O_CLOEXEC, 0)!;
let proc_fs = os::dirfdopen(proc_fd);
// unshare as much as possible, by default: // unshare as much as possible, by default:
let what_to_unshare = let what_to_unshare =
rtext::CLONE_NEWCGROUP | rtext::CLONE_NEWCGROUP |
@@ -32,13 +30,13 @@ export fn namespace_restrict(what: *resources) void = {
// and `mkdir` will return EOVERFLOW. // and `mkdir` will return EOVERFLOW.
// all this does is make it so that namespace operations under uid 1000 are // all this does is make it so that namespace operations under uid 1000 are
// mapped to non-ns ops by the same user, and vice-versa // mapped to non-ns ops by the same user, and vice-versa
write_uid_map(proc_fs); write_uid_map();
rt::mount("tmpfs", "/tmp", &['t': u8, 'm', 'p', 'f', 's', 0]: *const u8, rtext::MS_NODEV | rtext::MS_NOSUID, null)!; rt::mount("tmpfs", "/tmp", &['t': u8, 'm', 'p', 'f', 's', 0]: *const u8, rtext::MS_NODEV | rtext::MS_NOSUID, null)!;
// chroot to `/tmp`, with the old root being placed at `/tmp/oldroot` (i.e. /oldroot) // chroot to `/tmp`, with the old root being placed at `/tmp/oldroot` (i.e. /oldroot)
check_error("cd /tmp", os::chdir("/tmp")); check_error("cd /tmp", os::chdir("/tmp"));
check_error("mkdir /tmp/oldroot", rt::mkdir(&['o': u8, 'l', 'd', 'r', 'o', 'o', 't', 0]: *const u8, 0o755)); check_error("mkdir /tmp/oldroot", rt::mkdir("oldroot", 0o755));
rtext::pivot_root("/tmp", "oldroot")!; rtext::pivot_root("/tmp", "oldroot")!;
check_error("cd /", os::chdir("/")); check_error("cd /", os::chdir("/"));
@@ -60,21 +58,13 @@ fn check_error(op: str, c: (void | fs::error | rt::errno)) void = {
}; };
}; };
// fn write_uid_map(proc_fd: int) void = { fn write_uid_map() void = {
// // let uid_fd = rt::open("/proc/self/uid_map", rt::O_RDWR | rt::O_CLOEXEC, 0)!; let uid_fd = rt::open("/proc/self/uid_map", rt::O_RDWR | rt::O_CLOEXEC, 0)!;
// let uid_fd = rt::openat2(proc_fd, "self/uid_map", rt::open_how {
// flags: rt::O_RDWR | rt::O_CLOEXEC, ...
// })!;
// io::write(uid_fd, &['1': u8, '0', '0', '0', ' ', '0', ' ', '1', 0])!;
// };
fn write_uid_map(proc_fs: *fs::fs) void = {
let uid_fd = fs::open(proc_fs, "self/uid_map", fs::flag::RDWR)!;
io::write(uid_fd, &['1': u8, '0', '0', '0', ' ', '1', '0', '0', '0', ' ', '1', '\n', 0])!; io::write(uid_fd, &['1': u8, '0', '0', '0', ' ', '1', '0', '0', '0', ' ', '1', '\n', 0])!;
let setgroups_fd = fs::open(proc_fs, "self/setgroups", fs::flag::RDWR)!; let setgroups_fd = rt::open("/proc/self/setgroups", rt::O_RDWR | rt::O_CLOEXEC, 0)!;
io::write(setgroups_fd, &['d': u8, 'e', 'n', 'y', '\n', 0])!; io::write(setgroups_fd, &['d': u8, 'e', 'n', 'y', '\n', 0])!;
let gid_fd = fs::open(proc_fs, "self/gid_map", fs::flag::RDWR)!; let gid_fd = rt::open("/proc/self/gid_map", rt::O_RDWR | rt::O_CLOEXEC, 0)!;
io::write(gid_fd, &['1': u8, '0', '0', ' ', '1', '0', '0', ' ', '1', '\n', 0])!; io::write(gid_fd, &['1': u8, '0', '0', ' ', '1', '0', '0', ' ', '1', '\n', 0])!;
}; };