From: Michael Tremer
Date: Tue, 20 Jun 2023 14:43:10 +0000 (+0000)
Subject: jail: Allow accessing loop devices
X-Git-Tag: 0.9.29~111
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=282b732a6b2463529f90d72f3fc6e01d174d41cc;p=pakfire.git
jail: Allow accessing loop devices
This is not great, but the only way we can mount any images inside the jail as loop devices are not namespaced (yet). Jails of this style can access any loop devices set up by the system and for other jails.
Signed-off-by: Michael Tremer
---
diff --git a/src/libpakfire/include/pakfire/jail.h b/src/libpakfire/include/pakfire/jail.h
index 8cd45a02e..0fe26a98b 100644
--- a/src/libpakfire/include/pakfire/jail.h
+++ b/src/libpakfire/include/pakfire/jail.h
@@ -52,8 +52,9 @@ typedef int (*pakfire_jail_communicate_out) (struct pakfire* pakfire, void* data, int priority, const char* line, const size_t length);
 enum pakfire_jail_exec_flags {
- PAKFIRE_JAIL_HAS_NETWORKING = (1 << 0),
- PAKFIRE_JAIL_NOENT_OK = (1 << 1),
+ PAKFIRE_JAIL_HAS_NETWORKING = (1 << 0),
+ PAKFIRE_JAIL_NOENT_OK = (1 << 1),
+ PAKFIRE_JAIL_HAS_LOOP_DEVICES = (1 << 2),
 };
 int pakfire_jail_exec(
diff --git a/src/libpakfire/include/pakfire/mount.h b/src/libpakfire/include/pakfire/mount.h
index aee963c8f..39e8750b3 100644
--- a/src/libpakfire/include/pakfire/mount.h
+++ b/src/libpakfire/include/pakfire/mount.h
@@ -29,7 +29,11 @@ int pakfire_bind(struct pakfire* pakfire, const char* src, const char* dst, int
 int pakfire_mount_list(struct pakfire* pakfire);
-int pakfire_mount_all(struct pakfire* pakfire);
+enum pakfire_mount_flags {
+ PAKFIRE_MOUNT_LOOP_DEVICES = (1 << 0),
+};
+
+int pakfire_mount_all(struct pakfire* pakfire, int flags);
 #endif /* PAKFIRE_PRIVATE */
diff --git a/src/libpakfire/jail.c b/src/libpakfire/jail.c
index 9c74f7381..ed669d499 100644
--- a/src/libpakfire/jail.c
+++ b/src/libpakfire/jail.c
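Review bot: The new enumerator `PAKFIRE_JAIL_HAS_LOOP_DEVICES` lands in a public header without a comment, and the only statement that these loop devices are shared with the host and with other jails is the commit message, which a caller of pakfire_jail_exec() never sees. I would put that at the declaration: `// Expose the host's loop devices to the jail; they are not namespaced, so the jail shares them with the system and every other jail`. The mount.h hunk has the same gap: `PAKFIRE_MOUNT_LOOP_DEVICES` and the new `int flags` parameter of pakfire_mount_all() should say that `flags` is a bitmask of enum pakfire_mount_flags and, as far as this commit uses it in pakfire_populate_dev(), that bits the device table does not reference are ignored.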
@@ -1162,10 +1162,15 @@ static int pakfire_jail_mount_networking(struct pakfire_jail* jail) {
 */
 static int pakfire_jail_mount(struct pakfire_jail* jail, struct pakfire_jail_exec* ctx) {
 struct pakfire_jail_mountpoint* mp = NULL;
+ int flags = 0;
 int r;
+ // Enable loop devices
+ if (pakfire_jail_exec_has_flag(ctx, PAKFIRE_JAIL_HAS_LOOP_DEVICES))
+ flags |= PAKFIRE_MOUNT_LOOP_DEVICES;
+
 // Mount all default stuff
- r = pakfire_mount_all(jail->pakfire);
+ r = pakfire_mount_all(jail->pakfire, flags);
 if (r)
 return r;
diff --git a/src/libpakfire/mount.c b/src/libpakfire/mount.c
index c08a1214e..9dd4af17d 100644
--- a/src/libpakfire/mount.c
+++ b/src/libpakfire/mount.c
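Review bot: The new branch in pakfire_jail_mount() translates the per-exec flag into `PAKFIRE_MOUNT_LOOP_DEVICES` silently, although, as the commit message says, this hands the jail devices that are shared with the host and other jails rather than private to it. That widening of the jail's reach deserves a trace line at the point of decision so a misbehaving build can be correlated with it; if the DEBUG macro used in mount.c is available here, `DEBUG(jail->pakfire, "Exposing host loop devices to the jail\n");` inside the if-body (which then needs braces) would do. The rest of pakfire_jail_mount() lies outside the hunk.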
@@ -104,16 +104,29 @@ static const struct pakfire_devnode {
 int major;
 int minor;
 mode_t mode;
+ int flags;
 } devnodes[] = {
- { "/dev/null", 1, 3, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, },
- { "/dev/zero", 1, 5, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, },
- { "/dev/full", 1, 7, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, },
- { "/dev/random", 1, 8, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH, },
- { "/dev/urandom", 1, 9, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH, },
- { "/dev/kmsg", 1, 11, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH, },
- { "/dev/tty", 5, 0, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, },
- { "/dev/console", 5, 1, S_IFCHR|S_IRUSR|S_IWUSR, },
- { "/dev/rtc0", 252, 0, S_IFCHR|S_IRUSR|S_IWUSR, },
+ { "/dev/null", 1, 3, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, 0 },
+ { "/dev/zero", 1, 5, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, 0 },
+ { "/dev/full", 1, 7, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, 0 },
+ { "/dev/random", 1, 8, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH, 0 },
+ { "/dev/urandom", 1, 9, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH, 0 },
+ { "/dev/kmsg", 1, 11, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH, 0 },
+ { "/dev/tty", 5, 0, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, 0 },
+ { "/dev/console", 5, 1, S_IFCHR|S_IRUSR|S_IWUSR, 0 },
+ { "/dev/rtc0", 252, 0, S_IFCHR|S_IRUSR|S_IWUSR, 0 },
+
+ // Loop Devices
+ { "/dev/loop-control", 10, 237, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
+ { "/dev/loop0", 7, 0, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
+ { "/dev/loop1", 7, 1, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
+ { "/dev/loop2", 7, 2, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
+ { "/dev/loop3", 7, 3, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
+ { "/dev/loop4", 7, 4, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
+ { "/dev/loop5", 7, 5, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
+ { "/dev/loop6", 7, 6, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
+ { "/dev/loop7", 7, 7, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
+
 { NULL },
 };
@@ -235,13 +248,17 @@ int pakfire_mount_list(struct pakfire* pakfire) {
 __pakfire_mount_print, NULL);
 }
-static int pakfire_populate_dev(struct pakfire* pakfire) {
+static int pakfire_populate_dev(struct pakfire* pakfire, int flags) {
 char path[PATH_MAX];
 // Create device nodes
 for (const struct pakfire_devnode* devnode = devnodes; devnode->path; devnode++) {
 DEBUG(pakfire, "Creating device node %s\n", devnode->path);
+ // Check if flags match
+ if (devnode->flags && !(flags & devnode->flags))
+ continue;
+
 int r = pakfire_path(pakfire, path, "%s", devnode->path);
 if (r)
 return r;
@@ -334,7 +351,7 @@ static int pakfire_mount_interpreter(struct pakfire* pakfire) {
 return r;
 }
-int pakfire_mount_all(struct pakfire* pakfire) {
+int pakfire_mount_all(struct pakfire* pakfire, int flags) {
 char target[PATH_MAX];
 int r;
@@ -363,7 +380,7 @@ int pakfire_mount_all(struct pakfire* pakfire) {
 }
 // Populate /dev
- r = pakfire_populate_dev(pakfire);
+ r = pakfire_populate_dev(pakfire, flags);
 if (r)
 return r;