From b2ccb363190f4ba264dffb489f31ea7d624472f2 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 24 Nov 2023 15:29:41 +0000
Subject: [PATCH] jail: Mount some things in the outer namespace and some in the inner one

Signed-off-by: Michael Tremer
---
 src/libpakfire/include/pakfire/mount.h | 11 +-
 src/libpakfire/jail.c | 17 ++-
 src/libpakfire/mount.c | 201 +++++++++++++++++++------
 3 files changed, 182 insertions(+), 47 deletions(-)

diff --git a/src/libpakfire/include/pakfire/mount.h b/src/libpakfire/include/pakfire/mount.h
index 8e3bd854..5ba4517d 100644
--- a/src/libpakfire/include/pakfire/mount.h
+++ b/src/libpakfire/include/pakfire/mount.h
@@ -26,6 +26,11 @@
 #include
 #include
 
+typedef enum pakfire_mntns {
+ PAKFIRE_MNTNS_INNER = (1 << 0),
+ PAKFIRE_MNTNS_OUTER = (2 << 0),
+} pakfire_mntns_t;
+
 int pakfire_mount_change_propagation(struct pakfire_ctx* ctx, const char* path, int propagation);
 
 int pakfire_mount_make_mounpoint(struct pakfire* pakfire, const char* path);
@@ -36,11 +41,15 @@ int pakfire_bind(struct pakfire* pakfire, const char* src, const char* dst, int
 
 int pakfire_mount_list(struct pakfire_ctx* ctx);
 
+int pakfire_populate_dev(struct pakfire* pakfire, int flags);
+
+int pakfire_mount_interpreter(struct pakfire* pakfire);
+
 enum pakfire_mount_flags {
  PAKFIRE_MOUNT_LOOP_DEVICES = (1 << 0),
 };
 
-int pakfire_mount_all(struct pakfire* pakfire, int flags);
+int pakfire_mount_all(struct pakfire* pakfire, pakfire_mntns_t ns, int flags);
 
 #endif /* PAKFIRE_PRIVATE */
diff --git a/src/libpakfire/jail.c b/src/libpakfire/jail.c
index 595e269d..d67686cd 100644
--- a/src/libpakfire/jail.c
+++ b/src/libpakfire/jail.c
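Review bot: `PAKFIRE_MNTNS_OUTER = (2 << 0)` evaluates to 2 and so does not collide with `PAKFIRE_MNTNS_INNER`, but it reads as a typo for the bit-flag idiom this same header already uses (`PAKFIRE_MOUNT_LOOP_DEVICES = (1 << 0)`); write it as `PAKFIRE_MNTNS_OUTER = (1 << 1),` so the next value added is obviously `(1 << 2)`. The type is a bitmask rather than a plain choice (mount.c ORs both values on the proc entry and tests `mp->ns & ns`), which nothing in the header says. A comment above the typedef should state that and what the two values select, e.g. `// Bitmask: OUTER entries are mounted below pakfire_get_path() by pakfire_jail_mount(), INNER entries at "/" from inside the jail by pakfire_jail_child2()`.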
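Review bot: `pakfire_populate_dev()` and `pakfire_mount_interpreter()` become part of the module's interface here without any comment on when they may be called, and the ordering guarantee they used to get inside `pakfire_mount_all()` (the call sequence deleted by the mount.c hunk at -353) now lives only in the caller in the jail.c hunk at -1451. The header should record that contract, for instance `// Requires the PAKFIRE_MNTNS_OUTER pass of pakfire_mount_all() to have run first (creates the tmpfs on dev this populates)` above `pakfire_populate_dev`, with the same caveat on `pakfire_mount_interpreter` if it also writes below the root path; its body is outside view, so confirm before documenting it. The new `ns` parameter on `pakfire_mount_all` likewise deserves one line saying that OUTER resolves targets below pakfire's root path and INNER against "/".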
@@ -1451,7 +1451,17 @@ static int pakfire_jail_mount(struct pakfire_jail* jail, struct pakfire_jail_exe
  flags |= PAKFIRE_MOUNT_LOOP_DEVICES;
 
  // Mount all default stuff
- r = pakfire_mount_all(jail->pakfire, flags);
+ r = pakfire_mount_all(jail->pakfire, PAKFIRE_MNTNS_OUTER, flags);
+ if (r)
+ return r;
+
+ // Populate /dev
+ r = pakfire_populate_dev(jail->pakfire, flags);
+ if (r)
+ return r;
+
+ // Mount the interpreter (if needed)
+ r = pakfire_mount_interpreter(jail->pakfire);
  if (r)
  return r;
 
@@ -1809,6 +1819,11 @@ static int pakfire_jail_child2(struct pakfire_jail* jail,
  return 126;
  }
 
+ // Mount all default stuff
+ r = pakfire_mount_all(jail->pakfire, PAKFIRE_MNTNS_INNER, 0);
+ if (r)
+ return 126;
+
  const char* arch = pakfire_get_effective_arch(jail->pakfire);
 
  // Set personality
diff --git a/src/libpakfire/mount.c b/src/libpakfire/mount.c
index c8397253..3ee09aa7 100644
--- a/src/libpakfire/mount.c
+++ b/src/libpakfire/mount.c
@@ -36,6 +36,7 @@
 #include
 
 static const struct pakfire_mountpoint {
+ pakfire_mntns_t ns;
  const char* source;
  const char* target;
  const char* fstype;
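Review bot: The inner pass added with `r = pakfire_mount_all(jail->pakfire, PAKFIRE_MNTNS_INNER, 0);` resolves every target against "/" (mount.c keeps `root = "/"` unless ns is OUTER), so it is only correct once this process already sees the jail's root as "/"; whatever switches the root lies before this hunk, and nothing here records that dependency. A later reorder would apply the read-only binds for /proc/sys, /proc/sysrq-trigger, /proc/irq and /proc/bus to whichever /proc is visible at that point rather than the jail's, so add `// Must run after the root has been switched into the jail: INNER targets are resolved against "/"` above the call. The `0` passed as flags also drops PAKFIRE_MOUNT_LOOP_DEVICES for this pass; if `flags` is no longer consulted by pakfire_mount_all after this commit that is harmless, but a word in the comment would save the next reader the check. Returning 126 without a message matches the surrounding code, so the fail-closed behaviour is right. pakfire_jail_child2 begins outside the hunk.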
@@ -43,59 +44,173 @@ static const struct pakfire_mountpoint {
  const char* options;
 } mountpoints[] = {
  // Mount a new instance of /proc
- { "pakfire_proc", "proc", "proc",
- MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL, },
+ {
+ PAKFIRE_MNTNS_INNER|PAKFIRE_MNTNS_OUTER,
+ "pakfire_proc",
+ "proc",
+ "proc",
+ MS_NOSUID|MS_NOEXEC|MS_NODEV,
+ NULL,
+ },
 
  // Make /proc/sys read-only (except /proc/sys/net)
- { "/proc/sys", "proc/sys", "bind", MS_BIND|MS_REC, NULL, },
- { "/proc/sys/net", "proc/sys/net", "bind", MS_BIND|MS_REC, NULL, },
- { "/proc/sys", "proc/sys", "bind",
- MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, NULL, },
+ {
+ PAKFIRE_MNTNS_INNER,
+ "/proc/sys",
+ "proc/sys",
+ "bind",
+ MS_BIND|MS_REC,
+ NULL,
+ },
+ {
+ PAKFIRE_MNTNS_INNER,
+ "/proc/sys/net",
+ "proc/sys/net",
+ "bind",
+ MS_BIND|MS_REC,
+ NULL,
+ },
+ {
+ PAKFIRE_MNTNS_INNER,
+ "/proc/sys",
+ "proc/sys",
+ "bind",
+ MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
+ NULL,
+ },
 
  // Deny write access to /proc/sysrq-trigger (can be used to restart the host)
- { "/proc/sysrq-trigger", "proc/sysrq-trigger", "bind", MS_BIND|MS_REC, NULL, },
- { "/proc/sysrq-trigger", "proc/sysrq-trigger", "bind",
- MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, NULL, },
+ {
+ PAKFIRE_MNTNS_INNER,
+ "/proc/sysrq-trigger",
+ "proc/sysrq-trigger",
+ "bind",
+ MS_BIND|MS_REC,
+ NULL,
+ },
+ {
+ PAKFIRE_MNTNS_INNER,
+ "/proc/sysrq-trigger",
+ "proc/sysrq-trigger",
+ "bind",
+ MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
+ NULL,
+ },
 
  // Make /proc/irq read-only
- { "/proc/irq", "proc/irq", "bind", MS_BIND|MS_REC, NULL, },
- { "/proc/irq", "proc/irq", "bind",
- MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, NULL, },
+ {
+ PAKFIRE_MNTNS_INNER,
+ "/proc/irq",
+ "proc/irq",
+ "bind",
+ MS_BIND|MS_REC,
+ NULL,
+ },
+ {
+ PAKFIRE_MNTNS_INNER,
+ "/proc/irq",
+ "proc/irq",
+ "bind",
+ MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
+ NULL,
+ },
 
  // Make /proc/bus read-only
- { "/proc/bus", "proc/bus", "bind", MS_BIND|MS_REC, NULL, },
- { "/proc/bus", "proc/bus", "bind",
- MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, NULL, },
+ {
+ PAKFIRE_MNTNS_INNER,
+ "/proc/bus",
+ "proc/bus",
+ "bind",
+ MS_BIND|MS_REC,
+ NULL,
+ },
+ {
+ PAKFIRE_MNTNS_INNER,
+ "/proc/bus",
+ "proc/bus",
+ "bind",
+ MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
+ NULL,
+ },
 
  // Bind-Mount /sys ready-only
- { "/sys", "sys", "bind", MS_BIND|MS_REC, NULL, },
- { "/sys", "sys", "bind",
- MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, NULL, },
+ {
+ PAKFIRE_MNTNS_OUTER,
+ "/sys",
+ "sys",
+ "bind",
+ MS_BIND|MS_REC,
+ NULL,
+ },
+ {
+ PAKFIRE_MNTNS_OUTER,
+ "/sys",
+ "sys",
+ "bind",
+ MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
+ NULL,
+ },
 
  // Create a new /dev
- { "pakfire_dev", "dev", "tmpfs", MS_NOSUID|MS_NOEXEC,
- "mode=0755,size=4m,nr_inodes=64k", },
- { "pakfire_dev_pts", "dev/pts", "devpts", MS_NOSUID|MS_NOEXEC,
- "newinstance,ptmxmode=0666,mode=620", },
+ {
+ PAKFIRE_MNTNS_OUTER,
+ "pakfire_dev",
+ "dev",
+ "tmpfs",
+ MS_NOSUID|MS_NOEXEC,
+ "mode=0755,size=4m,nr_inodes=64k",
+ },
+ {
+ PAKFIRE_MNTNS_OUTER,
+ "pakfire_dev_pts",
+ "dev/pts",
+ "devpts",
+ MS_NOSUID|MS_NOEXEC,
+ "newinstance,ptmxmode=0666,mode=620",
+ },
 
  // Create a new /dev/shm
- { "pakfire_dev_shm", "dev/shm", "tmpfs",
- MS_NOSUID|MS_NODEV|MS_STRICTATIME, "mode=1777,size=1024m", },
+ {
+ PAKFIRE_MNTNS_OUTER,
+ "pakfire_dev_shm",
+ "dev/shm",
+ "tmpfs",
+ MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ "mode=1777,size=1024m",
+ },
 
  // Mount /dev/mqueue
- { "mqueue", "dev/mqueue", "mqueue",
- MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL },
+ {
+ PAKFIRE_MNTNS_INNER,
+ "mqueue",
+ "dev/mqueue",
+ "mqueue",
+ MS_NOSUID|MS_NOEXEC|MS_NODEV,
+ NULL,
+ },
 
  // Create a new /run
- { "pakfire_run", "run", "tmpfs", MS_NOSUID|MS_NOEXEC|MS_NODEV,
- "mode=755,size=256m,nr_inodes=1k", },
+ {
+ PAKFIRE_MNTNS_OUTER,
+ "pakfire_run",
+ "run",
+ "tmpfs",
+ MS_NOSUID|MS_NOEXEC|MS_NODEV,
+ "mode=755,size=256m,nr_inodes=1k",
+ },
 
  // Create a new /tmp
- { "pakfire_tmp", "tmp", "tmpfs",
- MS_NOSUID|MS_NODEV|MS_STRICTATIME, "mode=1777,size=4096m", },
+ {
+ PAKFIRE_MNTNS_OUTER,
+ "pakfire_tmp",
+ "tmp",
+ "tmpfs",
+ MS_NOSUID|MS_NODEV|MS_STRICTATIME,
+ "mode=1777,size=4096m",
+ },
 
  // The end
- { NULL },
+ {},
 };
 
 static const struct pakfire_devnode {
@@ -222,7 +337,7 @@ int pakfire_mount_list(struct pakfire_ctx* ctx) {
  return pakfire_parse_file("/proc/self/mounts", __pakfire_mount_list, ctx);
 }
 
-static int pakfire_populate_dev(struct pakfire* pakfire, int flags) {
+int pakfire_populate_dev(struct pakfire* pakfire, int flags) {
  char path[PATH_MAX];
 
  // Create device nodes
@@ -287,7 +402,7 @@ MOUNT:
  return 0;
 }
 
-static int pakfire_mount_interpreter(struct pakfire* pakfire) {
+int pakfire_mount_interpreter(struct pakfire* pakfire) {
  char target[PATH_MAX];
 
  // Fetch the target architecture
@@ -325,14 +440,20 @@ static int pakfire_mount_interpreter(struct pakfire* pakfire) {
  return r;
 }
 
-int pakfire_mount_all(struct pakfire* pakfire, int flags) {
+int pakfire_mount_all(struct pakfire* pakfire, pakfire_mntns_t ns, int flags) {
  char target[PATH_MAX];
  int r;
 
+ const char* root = "/";
+
  // Fetch Pakfire's root directory
- const char* root = pakfire_get_path(pakfire);
+ if (ns == PAKFIRE_MNTNS_OUTER)
+ root = pakfire_get_path(pakfire);
 
  for (const struct pakfire_mountpoint* mp = mountpoints; mp->source; mp++) {
+ if (!(mp->ns & ns))
+ continue;
+
  // Figure out where to mount
  r = pakfire_path_append(target, root, mp->target);
  if (r)
@@ -353,16 +474,6 @@ int pakfire_mount_all(struct pakfire* pakfire, int flags) {
  return r;
  }
 
- // Populate /dev
- r = pakfire_populate_dev(pakfire, flags);
- if (r)
- return r;
-
- // Mount the interpreter (if needed)
- r = pakfire_mount_interpreter(pakfire);
- if (r)
- return r;
-
  return 0;
 }
-- 
2.39.2