Fix read-only /dev, /proc, /tmp, /var/tmp, /run in blacklist mode
This commit is contained in:
@@ -22,9 +22,11 @@ pub fn build_command(config: &SandboxConfig) -> Result<Command, SandboxError> {
|
|||||||
SandboxMode::Whitelist => add_whitelist_mode(&mut cmd)?,
|
SandboxMode::Whitelist => add_whitelist_mode(&mut cmd)?,
|
||||||
}
|
}
|
||||||
|
|
||||||
if hardened {
|
if matches!(config.mode, SandboxMode::Whitelist) {
|
||||||
cmd.args(["--tmpfs", "/tmp"]);
|
cmd.args(["--tmpfs", "/tmp"]);
|
||||||
|
cmd.args(["--tmpfs", "/var/tmp"]);
|
||||||
cmd.args(["--dev", "/dev"]);
|
cmd.args(["--dev", "/dev"]);
|
||||||
|
cmd.args(["--tmpfs", "/dev/shm"]);
|
||||||
cmd.args(["--tmpfs", "/run"]);
|
cmd.args(["--tmpfs", "/run"]);
|
||||||
cmd.args(["--proc", "/proc"]);
|
cmd.args(["--proc", "/proc"]);
|
||||||
}
|
}
|
||||||
@@ -62,6 +64,13 @@ fn add_blacklist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
|
|||||||
for file in &overlays.null_bind_files {
|
for file in &overlays.null_bind_files {
|
||||||
cmd.arg("--ro-bind").arg("/dev/null").arg(file);
|
cmd.arg("--ro-bind").arg("/dev/null").arg(file);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cmd.args(["--dev-bind", "/dev", "/dev"]);
|
||||||
|
cmd.args(["--proc", "/proc"]);
|
||||||
|
cmd.args(["--bind", "/tmp", "/tmp"]);
|
||||||
|
cmd.args(["--bind", "/var/tmp", "/var/tmp"]);
|
||||||
|
cmd.args(["--bind", "/run", "/run"]);
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user