X-Patchwork-Submitter: Etienne Champetier
X-Patchwork-Id: 627552
From: Etienne CHAMPETIER
To: lede-dev@lists.infradead.org
Cc: Etienne CHAMPETIER
Date: Sun, 29 May 2016 23:39:15 +0000
Message-Id: <1464565158-18043-4-git-send-email-champetier.etienne@gmail.com>
In-Reply-To: <1464565158-18043-1-git-send-email-champetier.etienne@gmail.com>
Subject: [LEDE-DEV] [PATCH procd 4/7] jail: don't include capabilities config (-C) inside the jail

Removing capabilities from the capability bounding set doesn't change the capability effective set, so we can "drop capabilities" before we build the jail fs, so we don't need to include the capabilities config file into the jail.

Signed-off-by: Etienne CHAMPETIER --- jail/jail.c | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index e86ee14..03ff66c 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -228,7 +228,7 @@ ujail will not use namespace/build a jail,\n\ and will only drop capabilities/apply seccomp filter.\n\n"); } -static int exec_jail(void) +static int exec_jail(void *_notused) { if (opts.capabilities && drop_capabilities(opts.capabilities)) exit(EXIT_FAILURE); @@ -238,6 +238,17 @@ static int exec_jail(void) exit(EXIT_FAILURE); } + if (opts.namespace && opts.hostname + && sethostname(opts.hostname, strlen(opts.hostname))) { + ERROR("sethostname(%s) failed: %s\n", opts.hostname, strerror(errno)); + exit(EXIT_FAILURE); + } + + if (opts.namespace && build_jail_fs()) { + ERROR("failed to build jail fs\n"); + exit(EXIT_FAILURE); + } + char **envp = build_envp(opts.seccomp); if (!envp) exit(EXIT_FAILURE); @@ -249,20 +260,6 @@ static int exec_jail(void) exit(EXIT_FAILURE); } -static int spawn_jail(void *_notused) -{ - if (opts.hostname && sethostname(opts.hostname, strlen(opts.hostname))) { - ERROR("sethostname(%s) failed: %s\n", opts.hostname, strerror(errno)); - } - - if (build_jail_fs()) { - ERROR("failed to build jail fs"); - exit(EXIT_FAILURE); - } - - return exec_jail(); -} - static int jail_running = 1; static int jail_return_code = 0; @@ -322,7 +319,6 @@ int main(int argc, char **argv) break; case 'C': opts.capabilities = optarg; - add_mount(optarg, 1, -1); break; case 'c': opts.no_new_privs = 1; @@ -384,7 +380,7 @@ int main(int argc, char **argv) uloop_init(); if (opts.namespace) { - jail_process.pid = clone(spawn_jail, + jail_process.pid = clone(exec_jail, child_stack + STACK_SIZE, CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC | SIGCHLD, NULL); } else { 
@@ -404,7 +400,7 @@ int main(int argc, char **argv) return jail_return_code; } else if (jail_process.pid == 0) { /* fork child process */ - return exec_jail(); + return exec_jail(NULL); } else { ERROR("failed to clone/fork: %s\n", strerror(errno)); return EXIT_FAILURE;
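
Review bot: In the hunk at @@ -238,6 +238,17 @@, a sethostname() failure inside exec_jail() now ends in exit(EXIT_FAILURE), whereas the removed spawn_jail() only logged the error and went on to build the jail; the commit message does not mention this change. If making it fatal is intended, say so in the commit message, otherwise keep the old log-and-continue behaviour. The new `opts.namespace &&` guards are what keep the fork path (`exec_jail(NULL)`) from running sethostname() and build_jail_fs(), so a one-line comment saying these two steps are clone-path only would help the next reader.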
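
Review bot: In the 'C' case of main() (hunk at @@ -322,7 +319,6 @@), removing add_mount(optarg, 1, -1) makes correctness depend on drop_capabilities() running before build_jail_fs() in exec_jail(), and nothing in the code records that ordering requirement. Once the jail fs is built the capabilities file is no longer reachable, so a later reordering of exec_jail() would break -C. Suggest a short comment, either here or above the drop_capabilities() call, stating that the file is deliberately read from the host before the jail fs exists and that the drop only affects the bounding set, which is why sethostname() and the mounts in build_jail_fs() still work afterwards.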