sandbox-linux: call seccomp_release, remove unnecessary iteration

このコミットが含まれているのは:
Albert S. 2019-08-21 20:14:44 +02:00
コミット 116fe5aecc
2個のファイルの変更12行の追加12行の削除

ファイルの表示

@ -50,10 +50,11 @@ bool SandboxLinux::seccomp_blacklist(std::initializer_list<int> syscalls)
Logger::error() << "Failed to load seccomp filter"; Logger::error() << "Failed to load seccomp filter";
return false; return false;
} }
seccomp_release(ctx);
return success; return success;
} }
bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list<std::string> paths) bool SandboxLinux::bindMountPaths(std::string target_root, const std::vector<std::string> &paths)
{ {
for(const std::string &path : paths) for(const std::string &path : paths)
{ {
@ -68,7 +69,8 @@ bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list
f1.open(chroot_target_path, std::ios::out); f1.open(chroot_target_path, std::ios::out);
f1.close(); f1.close();
} }
else { else
{
std::error_code ec; std::error_code ec;
//TODO: fails if the stuff already exists, but it shouldn't according to doc? //TODO: fails if the stuff already exists, but it shouldn't according to doc?
if(!std::filesystem::create_directories(chroot_target_path, ec)) if(!std::filesystem::create_directories(chroot_target_path, ec))
@ -79,7 +81,7 @@ bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list
if(mount(path.c_str(), chroot_target_path.c_str(), NULL, MS_BIND, NULL) == -1) if(mount(path.c_str(), chroot_target_path.c_str(), NULL, MS_BIND, NULL) == -1)
{ {
Logger::error() << "Bind mount failed! " << strerror(errno); Logger::error() << "Bind mount for " << path << " -> " << chroot_target_path << " failed! " << strerror(errno);
return false; return false;
} }
} }
@ -147,15 +149,13 @@ bool SandboxLinux::isolateNamespaces(std::vector<std::string> fsPaths)
} }
for(std::string &path : fsPaths) if(!bindMountPaths(rootpath, fsPaths ))
{ {
if(!bindMountPaths(rootpath, { path })) Logger::error() << "Bind mounting paths failed!";
{
Logger::error() << "Bind mount for " << path << " failed!";
return false; return false;
} }
}
if(chroot(rootpath.c_str()) == -1) if(chroot(rootpath.c_str()) == -1)
{ {

ファイルの表示

@ -14,6 +14,6 @@ public:
private : private :
bool isolateNamespaces(std::vector<std::string> fsPaths); bool isolateNamespaces(std::vector<std::string> fsPaths);
bool seccomp_blacklist(std::initializer_list<int> syscalls); bool seccomp_blacklist(std::initializer_list<int> syscalls);
bool bindMountPaths(std::string target_root, std::initializer_list<std::string> paths); bool bindMountPaths(std::string target_root, const std::vector<std::string> &paths);
}; };
#endif #endif