sandbox-linux: call seccomp_release, remove unnecessary iteration
このコミットが含まれているのは:
コミット
116fe5aecc
@ -50,10 +50,11 @@ bool SandboxLinux::seccomp_blacklist(std::initializer_list<int> syscalls)
|
|||||||
Logger::error() << "Failed to load seccomp filter";
|
Logger::error() << "Failed to load seccomp filter";
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
seccomp_release(ctx);
|
||||||
return success;
|
return success;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list<std::string> paths)
|
bool SandboxLinux::bindMountPaths(std::string target_root, const std::vector<std::string> &paths)
|
||||||
{
|
{
|
||||||
for(const std::string &path : paths)
|
for(const std::string &path : paths)
|
||||||
{
|
{
|
||||||
@ -68,7 +69,8 @@ bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list
|
|||||||
f1.open(chroot_target_path, std::ios::out);
|
f1.open(chroot_target_path, std::ios::out);
|
||||||
f1.close();
|
f1.close();
|
||||||
}
|
}
|
||||||
else {
|
else
|
||||||
|
{
|
||||||
std::error_code ec;
|
std::error_code ec;
|
||||||
//TODO: fails if the stuff already exists, but it shouldn't according to doc?
|
//TODO: fails if the stuff already exists, but it shouldn't according to doc?
|
||||||
if(!std::filesystem::create_directories(chroot_target_path, ec))
|
if(!std::filesystem::create_directories(chroot_target_path, ec))
|
||||||
@ -79,7 +81,7 @@ bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list
|
|||||||
|
|
||||||
if(mount(path.c_str(), chroot_target_path.c_str(), NULL, MS_BIND, NULL) == -1)
|
if(mount(path.c_str(), chroot_target_path.c_str(), NULL, MS_BIND, NULL) == -1)
|
||||||
{
|
{
|
||||||
Logger::error() << "Bind mount failed! " << strerror(errno);
|
Logger::error() << "Bind mount for " << path << " -> " << chroot_target_path << " failed! " << strerror(errno);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -147,15 +149,13 @@ bool SandboxLinux::isolateNamespaces(std::vector<std::string> fsPaths)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
for(std::string &path : fsPaths)
|
if(!bindMountPaths(rootpath, fsPaths ))
|
||||||
{
|
{
|
||||||
if(!bindMountPaths(rootpath, { path }))
|
Logger::error() << "Bind mounting paths failed!";
|
||||||
{
|
|
||||||
Logger::error() << "Bind mount for " << path << " failed!";
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
if(chroot(rootpath.c_str()) == -1)
|
if(chroot(rootpath.c_str()) == -1)
|
||||||
{
|
{
|
||||||
|
@ -14,6 +14,6 @@ public:
|
|||||||
private :
|
private :
|
||||||
bool isolateNamespaces(std::vector<std::string> fsPaths);
|
bool isolateNamespaces(std::vector<std::string> fsPaths);
|
||||||
bool seccomp_blacklist(std::initializer_list<int> syscalls);
|
bool seccomp_blacklist(std::initializer_list<int> syscalls);
|
||||||
bool bindMountPaths(std::string target_root, std::initializer_list<std::string> paths);
|
bool bindMountPaths(std::string target_root, const std::vector<std::string> &paths);
|
||||||
};
|
};
|
||||||
#endif
|
#endif
|
||||||
|
読み込み中…
新しいイシューから参照
ユーザーをブロックする