crtxcr/qswiki
1
0
Fork 0
Code Issues 21 Pull Requests 1 Releases Activity

sandbox-linux: call seccomp_release, remove unnecessary iteration

Browse Source
This commit is contained in:
Albert S. 2019-08-21 20:14:44 +02:00
parent efd7aff613
commit 116fe5aecc
2 changed files with 12 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
sandbox/sandbox-linux.cpp
View File

@ -50,10 +50,11 @@ bool SandboxLinux::seccomp_blacklist(std::initializer_list<int> syscalls)
Logger::error() << "Failed to load seccomp filter"; Logger::error() << "Failed to load seccomp filter";
return false; return false;
} }
seccomp_release(ctx);
return success; return success;
} }
bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list<std::string> paths) bool SandboxLinux::bindMountPaths(std::string target_root, const std::vector<std::string> &paths)
{ {
for(const std::string &path : paths) for(const std::string &path : paths)
{ {
@ -68,7 +69,8 @@ bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list
f1.open(chroot_target_path, std::ios::out); f1.open(chroot_target_path, std::ios::out);
f1.close(); f1.close();
} }
else { else
{
std::error_code ec; std::error_code ec;
//TODO: fails if the stuff already exists, but it shouldn't according to doc? //TODO: fails if the stuff already exists, but it shouldn't according to doc?
if(!std::filesystem::create_directories(chroot_target_path, ec)) if(!std::filesystem::create_directories(chroot_target_path, ec))
@ -79,8 +81,8 @@ bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list
if(mount(path.c_str(), chroot_target_path.c_str(), NULL, MS_BIND, NULL) == -1) if(mount(path.c_str(), chroot_target_path.c_str(), NULL, MS_BIND, NULL) == -1)
{ {
Logger::error() << "Bind mount failed! " << strerror(errno); Logger::error() << "Bind mount for " << path << " -> " << chroot_target_path << " failed! " << strerror(errno);
return false; return false;
} }
} }
@ -147,16 +149,14 @@ bool SandboxLinux::isolateNamespaces(std::vector<std::string> fsPaths)
} }
for(std::string &path : fsPaths) if(!bindMountPaths(rootpath, fsPaths ))
{ {
if(!bindMountPaths(rootpath, { path })) Logger::error() << "Bind mounting paths failed!";
{ return false;
Logger::error() << "Bind mount for " << path << " failed!";
return false;
}
} }
if(chroot(rootpath.c_str()) == -1) if(chroot(rootpath.c_str()) == -1)
{ {
Logger::error() << "chroot to sandbox failed!"; Logger::error() << "chroot to sandbox failed!";

2
sandbox/sandbox-linux.h
View File

@ -14,6 +14,6 @@ public:
private : private :
bool isolateNamespaces(std::vector<std::string> fsPaths); bool isolateNamespaces(std::vector<std::string> fsPaths);
bool seccomp_blacklist(std::initializer_list<int> syscalls); bool seccomp_blacklist(std::initializer_list<int> syscalls);
bool bindMountPaths(std::string target_root, std::initializer_list<std::string> paths); bool bindMountPaths(std::string target_root, const std::vector<std::string> &paths);
}; };
#endif #endif