policycoreutils: sandbox: do not propogate inside mounts outside
Fix the handling of namespaces in seunshare/sandbox. Currently mounting of directories within sandbox is propogating to the parent namesspace. This fix will basically isolate any mounting that happens after the unshare from the parent namespace. Signed-off-by: Eric Paris <eparis@redhat.com Acked-by: Dan Walsh <dwalsh@redhat.com>
This commit is contained in:
Dan Walsh
Eric Paris
parent
09c783c9a3
commit
70c582f4e0
|
|
@ -43,8 +43,8 @@
|
|||
#define MS_REC 1<<14
|
||||
#endif
|
||||
|
||||
#ifndef MS_PRIVATE
|
||||
#define MS_PRIVATE 1<<18
|
||||
#ifndef MS_SLAVE
|
||||
#define MS_SLAVE 1<<19
|
||||
#endif
|
||||
|
||||
#ifndef PACKAGE
|
||||
|
|
@ -255,7 +255,7 @@ static int verify_shell(const char *shell_name)
|
|||
*/
|
||||
static int seunshare_mount(const char *src, const char *dst, struct stat *src_st)
|
||||
{
|
||||
int flags = MS_REC;
|
||||
int flags = 0;
|
||||
int is_tmp = 0;
|
||||
|
||||
if (verbose)
|
||||
|
|
@ -267,14 +267,6 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
|
|||
}
|
||||
|
||||
/* mount directory */
|
||||
if (mount(dst, dst, NULL, MS_BIND | flags, NULL) < 0) {
|
||||
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
if (mount(dst, dst, NULL, MS_PRIVATE | flags, NULL) < 0) {
|
||||
fprintf(stderr, _("Failed to make %s private: %s\n"), dst, strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
|
||||
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
|
||||
return -1;
|
||||
|
|
@ -288,14 +280,6 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
|
|||
if (verbose)
|
||||
printf(_("Mounting /tmp on /var/tmp\n"));
|
||||
|
||||
if (mount("/var/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
|
||||
fprintf(stderr, _("Failed to mount /var/tmp on /var/tmp: %s\n"), strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
if (mount("/var/tmp", "/var/tmp", NULL, MS_PRIVATE | flags, NULL) < 0) {
|
||||
fprintf(stderr, _("Failed to make /var/tmp private: %s\n"), strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
if (mount("/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
|
||||
fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno));
|
||||
return -1;
|
||||
|
|
@ -967,6 +951,13 @@ int main(int argc, char **argv) {
|
|||
goto childerr;
|
||||
}
|
||||
|
||||
/* Remount / as SLAVE so that nothing mounted in the namespace
|
||||
shows up in the parent */
|
||||
if (mount("none", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) {
|
||||
perror(_("Failed to make / a SLAVE mountpoint\n"));
|
||||
goto childerr;
|
||||
}
|
||||
|
||||
/* assume fsuid==ruid after this point */
|
||||
setfsuid(uid);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue