Rework handling of /run and ${RUNUSER} in blacklist mode
This commit is contained in:
+51
-1
@@ -62,7 +62,6 @@ fn add_blacklist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
|
||||
cmd.args(["--proc", "/proc"]);
|
||||
cmd.args(["--bind", "/tmp", "/tmp"]);
|
||||
cmd.args(["--bind", "/var/tmp", "/var/tmp"]);
|
||||
cmd.args(["--bind", "/run", "/run"]);
|
||||
|
||||
let overlays = blacklist::resolve_overlays(&ctx)?;
|
||||
for dir in &overlays.tmpfs_dirs {
|
||||
@@ -72,6 +71,26 @@ fn add_blacklist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
|
||||
cmd.arg("--ro-bind").arg("/dev/null").arg(file);
|
||||
}
|
||||
|
||||
cmd.args(["--tmpfs", "/run"]);
|
||||
ro_bind_under_tmpfs(
|
||||
cmd,
|
||||
"/run",
|
||||
&[
|
||||
"/run/dbus/system_bus_socket",
|
||||
"/run/systemd/resolve",
|
||||
"/run/systemd/journal",
|
||||
"/run/log/journal",
|
||||
"/run/udev",
|
||||
"/run/NetworkManager/resolv.conf",
|
||||
"/run/media",
|
||||
],
|
||||
);
|
||||
|
||||
ensure_parent_dirs(cmd, "/run", &ctx.run_user);
|
||||
cmd.arg("--tmpfs").arg(&ctx.run_user);
|
||||
let run_user_bus = format!("{}/bus", ctx.run_user);
|
||||
ro_bind_under_tmpfs(cmd, &ctx.run_user, &[&run_user_bus]);
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@@ -127,6 +146,37 @@ fn add_whitelist_mode(cmd: &mut Command) -> Result<(), SandboxError> {
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn ensure_parent_dirs(cmd: &mut Command, base: &str, path: &str) {
|
||||
let base = Path::new(base);
|
||||
let ancestors: Vec<_> = Path::new(path)
|
||||
.ancestors()
|
||||
.skip(1)
|
||||
.take_while(|a| *a != base)
|
||||
.collect();
|
||||
for dir in ancestors.into_iter().rev() {
|
||||
cmd.arg("--dir").arg(dir);
|
||||
}
|
||||
}
|
||||
|
||||
fn ro_bind_under_tmpfs(cmd: &mut Command, base: &str, paths: &[&str]) {
|
||||
let base = Path::new(base);
|
||||
let mut dirs_created = std::collections::HashSet::new();
|
||||
|
||||
for path in paths {
|
||||
let ancestors: Vec<_> = Path::new(path)
|
||||
.ancestors()
|
||||
.skip(1) // skip the path itself
|
||||
.take_while(|a| *a != base)
|
||||
.filter(|a| dirs_created.insert(a.to_path_buf()))
|
||||
.collect();
|
||||
|
||||
for dir in ancestors.into_iter().rev() {
|
||||
cmd.arg("--dir").arg(dir);
|
||||
}
|
||||
cmd.args(["--ro-bind-try", path, path]);
|
||||
}
|
||||
}
|
||||
|
||||
fn add_rw_bind(cmd: &mut Command, path: &Path) -> Result<(), SandboxError> {
|
||||
if !path.exists() {
|
||||
return Err(SandboxError::RwPathMissing(path.to_path_buf()));
|
||||
|
||||
Reference in New Issue
Block a user