]> git.ipfire.org Git - pakfire.git/commitdiff
projects / pakfire.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4f87b4c)
jail: Don't support loop devices any more
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 29 May 2026 15:41:54 +0000 (15:41 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 29 May 2026 15:41:54 +0000 (15:41 +0000)
loop devices are not namespaced and it is impossible to mount them
inside the jail without any severe security implications.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/pakfire/jail.c patch | blob | blame | history
src/pakfire/mount.c patch | blob | blame | history
src/pakfire/mount.h patch | blob | blame | history

diff --git a/src/pakfire/jail.c b/src/pakfire/jail.c
index 3c9c77ee4ae6ba3d1a7d8e7bf46a74c16f41afc9..8b624ab3776c6848ae9e3766b55a2135bf79f2f5 100644 (file)
--- a/src/pakfire/jail.c
+++ b/src/pakfire/jail.c
@@ -889,20 +889,15 @@ static int pakfire_jail_mount_networking(pakfire_jail* jail) {
 */
 static int pakfire_jail_mount(pakfire_jail* jail, pakfire_jail_exec* ctx) {
        pakfire_jail_mountpoint* mp = NULL;
-       int flags = 0;
        int r;
 
-       // Enable loop devices
-       if (pakfire_jail_exec_has_flag(ctx, PAKFIRE_JAIL_HAS_LOOP_DEVICES))
-               flags |= PAKFIRE_MOUNT_LOOP_DEVICES;
-
        // Mount all default stuff
-       r = pakfire_mount_all(jail->ctx, jail->root, PAKFIRE_MNTNS_OUTER, flags);
+       r = pakfire_mount_all(jail->ctx, jail->root, PAKFIRE_MNTNS_OUTER);
        if (r)
                return r;
 
        // Populate /dev
-       r = pakfire_populate_dev(jail->ctx, jail->root, flags);
+       r = pakfire_populate_dev(jail->ctx, jail->root);
        if (r)
                return r;
 
@@ -1535,7 +1530,7 @@ static int pakfire_jail_child(pakfire_jail* jail, pakfire_jail_exec* ctx) {
        }
 
        // Mount all default stuff
-       r = pakfire_mount_all(jail->ctx, jail->root, PAKFIRE_MNTNS_INNER, 0);
+       r = pakfire_mount_all(jail->ctx, jail->root, PAKFIRE_MNTNS_INNER);
        if (r)
                return 126;
 
diff --git a/src/pakfire/mount.c b/src/pakfire/mount.c
index 4d00b979d55e1cc6b710b586253c04303ae2a4b0..2c1b8990691de8514fc3b3e5c9314da75681a374 100644 (file)
--- a/src/pakfire/mount.c
+++ b/src/pakfire/mount.c
@@ -223,28 +223,15 @@ static const struct pakfire_devnode {
        int major;
        int minor;
        mode_t mode;
-       int flags;
 } devnodes[] = {
-       { "/dev/null",      1,  3, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, 0 },
-       { "/dev/zero",      1,  5, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, 0 },
-       { "/dev/full",      1,  7, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, 0 },
-       { "/dev/random",    1,  8, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH, 0 },
-       { "/dev/urandom",   1,  9, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH, 0 },
-       { "/dev/kmsg",      1, 11, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH, 0 },
-       { "/dev/tty",       5,  0, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH, 0 },
-       { "/dev/rtc0",    252,  0, S_IFCHR|S_IRUSR|S_IWUSR, 0 },
-
-       // Loop Devices
-       { "/dev/loop-control", 10, 237, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
-       { "/dev/loop0",         7,   0, S_IFBLK|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
-       { "/dev/loop1",         7,   1, S_IFBLK|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
-       { "/dev/loop2",         7,   2, S_IFBLK|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
-       { "/dev/loop3",         7,   3, S_IFBLK|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
-       { "/dev/loop4",         7,   4, S_IFBLK|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
-       { "/dev/loop5",         7,   5, S_IFBLK|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
-       { "/dev/loop6",         7,   6, S_IFBLK|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
-       { "/dev/loop7",         7,   7, S_IFBLK|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP, PAKFIRE_MOUNT_LOOP_DEVICES },
-
+       { "/dev/null",      1,  3, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH },
+       { "/dev/zero",      1,  5, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH },
+       { "/dev/full",      1,  7, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH },
+       { "/dev/random",    1,  8, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH },
+       { "/dev/urandom",   1,  9, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH },
+       { "/dev/kmsg",      1, 11, S_IFCHR|S_IRUSR|S_IRGRP|S_IROTH },
+       { "/dev/tty",       5,  0, S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH },
+       { "/dev/rtc0",    252,  0, S_IFCHR|S_IRUSR|S_IWUSR },
        { NULL },
 };
 
@@ -341,18 +328,15 @@ int pakfire_mount_list(pakfire_ctx* ctx) {
        return pakfire_parse_file("/proc/self/mounts", __pakfire_mount_list, ctx);
 }
 
-int pakfire_populate_dev(pakfire_ctx* ctx, pakfire_root* root, int flags) {
+int pakfire_populate_dev(pakfire_ctx* ctx, pakfire_root* root) {
        char path[PATH_MAX];
+       int r;
 
        // Create device nodes
        for (const struct pakfire_devnode* devnode = devnodes; devnode->path; devnode++) {
                DEBUG(ctx, "Creating device node %s\n", devnode->path);
 
-               // Check if flags match
-               if (devnode->flags && !(flags & devnode->flags))
-                       continue;
-
-               int r = pakfire_root_path(root, path, "%s", devnode->path);
+               r = pakfire_root_path(root, path, "%s", devnode->path);
                if (r)
                        return r;
 
@@ -392,7 +376,7 @@ MOUNT:
        for (const struct pakfire_symlink* s = symlinks; s->target; s++) {
                DEBUG(ctx, "Creating symlink %s -> %s\n", s->path, s->target);
 
-               int r = pakfire_root_path(root, path, "%s", s->path);
+               r = pakfire_root_path(root, path, "%s", s->path);
                if (r)
                        return r;
 
@@ -444,7 +428,7 @@ int pakfire_mount_interpreter(pakfire_ctx* ctx, pakfire_root* root) {
        return r;
 }
 
-int pakfire_mount_all(pakfire_ctx* ctx, pakfire_root* root, pakfire_mntns_t ns, int flags) {
+int pakfire_mount_all(pakfire_ctx* ctx, pakfire_root* root, pakfire_mntns_t ns) {
        char target[PATH_MAX];
        int r;
 
diff --git a/src/pakfire/mount.h b/src/pakfire/mount.h
index f60b468588fcb00d46c3a6128fdb09fb998b6739..8e5f5ae3f5facdfc35002c9b42b41cb41e812a78 100644 (file)
--- a/src/pakfire/mount.h
+++ b/src/pakfire/mount.h
@@ -38,15 +38,10 @@ int pakfire_bind(pakfire_ctx* ctx, pakfire_root* root,
 
 int pakfire_mount_list(pakfire_ctx* ctx);
 
-int pakfire_populate_dev(pakfire_ctx* ctx, pakfire_root* root, int flags);
+int pakfire_populate_dev(pakfire_ctx* ctx, pakfire_root* root);
 
 int pakfire_mount_interpreter(pakfire_ctx* ctx, pakfire_root* root);
 
-enum pakfire_mount_flags {
-       PAKFIRE_MOUNT_LOOP_DEVICES = (1 << 0),
-};
-
-int pakfire_mount_all(pakfire_ctx* ctx, pakfire_root* root,
-       pakfire_mntns_t ns, int flags);
+int pakfire_mount_all(pakfire_ctx* ctx, pakfire_root* root, pakfire_mntns_t ns);
 
 #endif /* PAKFIRE_MOUNT_H */
Pakfire is the package management and build system for IPFire 3.x.