From d2bf8dbdbb744b06aeece064d43a5ea97dc7a73e Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 30 Aug 2024 11:37:45 +0000
Subject: [PATCH] bunpen: clone: place the clone flags behind an enum
---
 pkgs/additional/bunpen/restrict/namespace.ha | 20 ++++-----
 pkgs/additional/bunpen/rtext/unshare.ha | 46 +++++++++++---------
 2 files changed, 35 insertions(+), 31 deletions(-)
diff --git a/pkgs/additional/bunpen/restrict/namespace.ha b/pkgs/additional/bunpen/restrict/namespace.ha
index 956e43f09..394debfd9 100644
--- a/pkgs/additional/bunpen/restrict/namespace.ha
+++ b/pkgs/additional/bunpen/restrict/namespace.ha
@@ -19,24 +19,24 @@ export fn namespace_restrict(what: *resources) void = {
 // unshare as much as possible, by default:
 let what_to_unshare =
- rtext::CLONE_NEWCGROUP |
- rtext::CLONE_NEWIPC |
- rtext::CLONE_NEWNET |
- rtext::CLONE_NEWNS |
- rtext::CLONE_NEWPID |
- rtext::CLONE_NEWUSER |
- rtext::CLONE_NEWUTS
+ rtext::clone_flag::NEWCGROUP |
+ rtext::clone_flag::NEWIPC |
+ rtext::clone_flag::NEWNET |
+ rtext::clone_flag::NEWNS |
+ rtext::clone_flag::NEWPID |
+ rtext::clone_flag::NEWUSER |
+ rtext::clone_flag::NEWUTS
 ;
 if (what.net) {
 log::println("[namespace] keeping net namespace");
- what_to_unshare &= ~rtext::CLONE_NEWNET;
+ what_to_unshare &= ~rtext::clone_flag::NEWNET;
 };
 if (what.pid) {
 log::println("[namespace] keeping pid namespace");
- what_to_unshare &= ~rtext::CLONE_NEWPID;
+ what_to_unshare &= ~rtext::clone_flag::NEWPID;
 };
- log::printfln("[namespace] unshare {}", what_to_unshare);
+ log::printfln("[namespace] unshare {}", what_to_unshare: u64);
 rtext::unshare(what_to_unshare)!;
 // before mounting anything, set up the uids and gids in this namespace.
diff --git a/pkgs/additional/bunpen/rtext/unshare.ha b/pkgs/additional/bunpen/rtext/unshare.ha
index bbb67e203..d31b5aa70 100644
--- a/pkgs/additional/bunpen/rtext/unshare.ha
+++ b/pkgs/additional/bunpen/rtext/unshare.ha
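Review bot: In pkgs/additional/bunpen/restrict/namespace.ha the default mask is described as "unshare as much as possible", yet it leaves out `rtext::clone_flag::NEWTIME`, which the enum in rtext/unshare.ha defines, so a reader auditing the sandbox cannot tell whether the omission is deliberate. A one-line comment above the mask, such as `// NEWTIME is not unshared here: <reason>`, or adding the flag to the set, would settle it. Separately, the new log line prints the mask in decimal; `log::printfln("[namespace] unshare {:x}", what_to_unshare: u64);` would match the hex constants and make it easy to see from the log which namespaces were kept. The body of `namespace_restrict` starts and ends outside this hunk.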
@@ -1,39 +1,43 @@
 // vim: set shiftwidth=2 :
 use rt;
-//// for use with `setns`, `unshare`, `clone` syscalls
-// new time namespace. calling process is NOT moved into the namespace.
-export const CLONE_NEWTIME: u64 = 0x00000080;
+// for use with `setns`, `unshare`, `clone` syscalls
+export type clone_flag = enum u64 {
+ // new time namespace. calling process is NOT moved into the namespace.
+ NEWTIME = 0x00000080,
-// new mount namespace.
-// CLONE_NEWNS implies CLONE_FS.
-export const CLONE_NEWNS: u64 = 0x00020000;
+ // new mount namespace.
+ // NEWNS implies FS.
+ NEWNS = 0x00020000,
-export const CLONE_NEWCGROUP: u64 = 0x02000000;
+ NEWCGROUP = 0x02000000,
-// new utsname namespace
-export const CLONE_NEWUTS: u64 = 0x04000000;
+ // new utsname namespace
+ NEWUTS = 0x04000000,
-// CLONE_NEWIPC implies CLONE_SYSVSEM.
-export const CLONE_NEWIPC: u64 = 0x08000000;
+ // NEWIPC implies SYSVSEM.
+ NEWIPC = 0x08000000,
-// CLONE_NEWUSER implies CLONE_THREAD and CLONE_FS.
-// calling process must NOT be multi-threaded.
-export const CLONE_NEWUSER: u64 = 0x10000000;
+ // NEWUSER implies THREAD and FS.
+ // calling process must NOT be multi-threaded.
+ NEWUSER = 0x10000000,
-// new process ID namespace. calling process is NOT moved into the namespace.
-// the first new child spawned becomes pid 1 and has the role of init(1).
-// CLONE_NEWPID implies CLONE_THREAD.
-export const CLONE_NEWPID: u64 = 0x20000000;
+ // new process ID namespace. calling process is NOT moved into the namespace.
+ // the first new child spawned becomes pid 1 and has the role of init(1).
+ // NEWPID implies THREAD.
+ NEWPID = 0x20000000,
-export const CLONE_NEWNET: u64 = 0x40000000;
+ NEWNET = 0x40000000,
-// additional CLONE flags in kernel, omitted until i need them.
+ // additional CLONE flags in kernel, omitted until i need them.
+};
+// union of `clone_flag`
+export type clone_flags = u64;
 // export fn setns(ns_fd: i32, nstype: i32) (rt::errno | u64) = {
 // return syscall(rt::SYS_setns, ns_fd: u64, nstype: u64);
 // };
-export fn unshare(flags: u64) (rt::errno | u64) = {
+export fn unshare(flags: clone_flags) (rt::errno | u64) = {
 return syscall(rt::SYS_unshare, flags);
 };
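Review bot: The comments inside `clone_flag` were renamed along with the members, so `NEWNS implies FS`, `NEWIPC implies SYSVSEM`, `NEWUSER implies THREAD and FS` and `NEWPID implies THREAD` now point at names this enum does not define. They refer to kernel flags, and keeping the kernel spelling, e.g. `// NEWNS implies CLONE_FS.`, lets a reader look them up in the clone/unshare man pages. The comment "union of clone_flag" above `clone_flags` is also easy to misread as a union type; `// bitwise OR of zero or more clone_flag values` says what is meant. Because `clone_flags` is declared as plain `u64`, `unshare` presumably still accepts any integer, so the enum documents the valid bits rather than enforcing them, which is worth stating in a doc comment on `unshare`.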