diff --git a/sandbox/sandbox-linux.cpp b/sandbox/sandbox-linux.cpp index 2add804..09d34b0 100644 --- a/sandbox/sandbox-linux.cpp +++ b/sandbox/sandbox-linux.cpp @@ -50,10 +50,11 @@ bool SandboxLinux::seccomp_blacklist(std::initializer_list syscalls) Logger::error() << "Failed to load seccomp filter"; return false; } + seccomp_release(ctx); return success; } -bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list paths) +bool SandboxLinux::bindMountPaths(std::string target_root, const std::vector &paths) { for(const std::string &path : paths) { @@ -81,7 +82,8 @@ bool SandboxLinux::bindMountPaths(std::string target_root, std::initializer_list if(mount(path.c_str(), chroot_target_path.c_str(), NULL, MS_BIND, NULL) == -1) { - Logger::error() << "Bind mount failed! " << strerror(errno); + Logger::error() << "Bind mount for " << path << " -> " << chroot_target_path << " failed! " + << strerror(errno); return false; } } @@ -147,13 +149,10 @@ bool SandboxLinux::isolateNamespaces(std::vector fsPaths) return false; } - for(std::string &path : fsPaths) + if(!bindMountPaths(rootpath, fsPaths)) { - if(!bindMountPaths(rootpath, {path})) - { - Logger::error() << "Bind mount for " << path << " failed!"; - return false; - } + Logger::error() << "Bind mounting paths failed!"; + return false; } if(chroot(rootpath.c_str()) == -1) diff --git a/sandbox/sandbox-linux.h b/sandbox/sandbox-linux.h index 3f92913..b97657e 100644 --- a/sandbox/sandbox-linux.h +++ b/sandbox/sandbox-linux.h @@ -15,6 +15,6 @@ class SandboxLinux : public Sandbox private: bool isolateNamespaces(std::vector fsPaths); bool seccomp_blacklist(std::initializer_list syscalls); - bool bindMountPaths(std::string target_root, std::initializer_list paths); + bool bindMountPaths(std::string target_root, const std::vector &paths); }; #endif