opts: aquarium_opts_add_ruleset for choosing which devfs rulesets t…

…o use - resolves #29
inobulles · Jul 8, 2023 · 8e9b806 · 8e9b806
1 parent 2630ccf
commit 8e9b806
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 46 deletions.
diff --git a/src/aquarium.h b/src/aquarium.h
@@ -66,6 +66,11 @@ typedef struct {
 	char* hostname;
 	bool persist;
 	bool vnet_disable;
+
+	// devfs ruleset options
+
+	size_t ruleset_count;
+	uint32_t* rulesets;
 } aquarium_opts_t;
 
 typedef struct {
@@ -98,6 +103,7 @@ aquarium_opts_t* aquarium_opts_create(void);
 void aquarium_opts_free(aquarium_opts_t* opts);
 
 void aquarium_opts_set_base_path(aquarium_opts_t* opts, char const* base_path);
+void aquarium_opts_add_ruleset(aquarium_opts_t* opts, uint32_t ruleset);
 
 bool aquarium_db_next_ent(aquarium_opts_t* opts, aquarium_db_ent_t* ent, size_t buf_len, char buf[buf_len], FILE* fp, bool be_dramatic);
 char* aquarium_db_read_pointer_file(aquarium_opts_t* opts, char const* path);

diff --git a/src/lib/enter.c b/src/lib/enter.c
@@ -76,7 +76,7 @@ static int recursive_umount(char* path) {
 			return 0;
 		}
 
-		// XXX is there a reason I shouldn't be using 'MNT_FORCE'?
+		// XXX is there a reason I *shouldn't* be using 'MNT_FORCE'?
 
 		if (unmount(path, MNT_FORCE) < 0) {
 			warnx("unmount(\"%s\"): %s", path, strerror(errno));
@@ -85,44 +85,32 @@ static int recursive_umount(char* path) {
 	}
 }
 
-static int devfs_ruleset(void) {
+static int devfs_ruleset(aquarium_opts_t* opts) {
 	int rv = -1;
 
-	// we necessarily need to start by hiding everything for some reason
-
 	int const devfs_fd = open("dev", O_RDONLY);
 
 	if (devfs_fd < 0) {
 		warnx("open(\"dev\"): %s", strerror(errno));
 		goto open_err;
 	}
 
-	devfs_rsnum ruleset = 1; // devfsrules_hide_all
-
-	if (ioctl(devfs_fd, DEVFSIO_SAPPLY, &ruleset) < 0) {
-		warnx("DEVFSIO_SAPPLY: %s", strerror(errno));
-		goto devfsio_err;
-	}
-
-	ruleset = 2; // devfsrules_unhide_basic
+	#define APPLY_RULESET(__ruleset) do { \
+		devfs_rsnum const _ruleset = (__ruleset); \
+		\
+		if (ioctl(devfs_fd, DEVFSIO_SAPPLY, &_ruleset) < 0) { \
+			warnx("DEVFSIO_SAPPLY(%d): %s", _ruleset, strerror(errno)); \
+			goto devfsio_err; \
+		} \
+	} while (0)
 
-	if (ioctl(devfs_fd, DEVFSIO_SAPPLY, &ruleset) < 0) {
-		warnx("DEVFSIO_SAPPLY: %s", strerror(errno));
-		goto devfsio_err;
-	}
-
-	ruleset = 3; // devfsrules_unhide_login
-
-	if (ioctl(devfs_fd, DEVFSIO_SAPPLY, &ruleset) < 0) {
-		warnx("DEVFSIO_SAPPLY: %s", strerror(errno));
-		goto devfsio_err;
-	}
+	// we necessarily need to start by hiding everything
 
-	ruleset = 5; // devfsrules_jail_vnet
+	APPLY_RULESET(1); // devfsrules_hide_all
 
-	if (ioctl(devfs_fd, DEVFSIO_SAPPLY, &ruleset) < 0) {
-		warnx("DEVFSIO_SAPPLY: %s", strerror(errno));
-		goto devfsio_err;
+	for (size_t i = 0; i < opts->ruleset_count; i++) {
+		uint32_t const ruleset = opts->rulesets[i];
+		APPLY_RULESET(ruleset);
 	}
 
 	// success
@@ -418,7 +406,7 @@ int aquarium_enter(aquarium_opts_t* opts, char const* path, aquarium_enter_cb_t
 	// set the correct ruleset for devfs
 	// this comes last, so any setup scripts still have full access to the devfs filesystem
 
-	if (devfs_ruleset() < 0) {
+	if (devfs_ruleset(opts) < 0) {
 		goto devfs_ruleset_err;
 	}
 

diff --git a/src/lib/opts.c b/src/lib/opts.c
@@ -29,10 +29,11 @@
 
 // useful macros
 
-#define TRY_FREE(str) \
+#define TRY_FREE(str) do { \
 	if ((str)) { \
 		free((str)); \
-	}
+	} \
+} while (0)
 
 aquarium_opts_t* aquarium_opts_create(void) {
 	aquarium_opts_t* const opts = calloc(1, sizeof *opts);
@@ -93,48 +94,57 @@ aquarium_opts_t* aquarium_opts_create(void) {
 }
 
 void aquarium_opts_free(aquarium_opts_t* opts) {
-	TRY_FREE(opts->base_path)
+	TRY_FREE(opts->base_path);
 
 	// directory paths
 
-	TRY_FREE(opts->templates_path)
-	TRY_FREE(opts->kernels_path)
-	TRY_FREE(opts->aquariums_path)
+	TRY_FREE(opts->templates_path);
+	TRY_FREE(opts->kernels_path);
+	TRY_FREE(opts->aquariums_path);
 
 	// file paths
 
-	TRY_FREE(opts->sanctioned_path)
-	TRY_FREE(opts->db_path)
+	TRY_FREE(opts->sanctioned_path);
+	TRY_FREE(opts->db_path);
 
 	// image output & filesystem creation options
 
-	TRY_FREE(opts->rootfs_label)
-	TRY_FREE(opts->esp_label)
-	TRY_FREE(opts->esp_oem)
-	TRY_FREE(opts->esp_vol_label)
+	TRY_FREE(opts->rootfs_label);
+	TRY_FREE(opts->esp_label);
+	TRY_FREE(opts->esp_oem);
+	TRY_FREE(opts->esp_vol_label);
+
+	// devfs ruleset options
+
+	TRY_FREE(opts->rulesets);
 
 	free(opts);
 }
 
 void aquarium_opts_set_base_path(aquarium_opts_t* opts, char const* base_path) {
-	TRY_FREE(opts->base_path)
+	TRY_FREE(opts->base_path);
 	opts->base_path = strdup(base_path);
 
 	// directory paths
 
-	TRY_FREE(opts->templates_path)
-	TRY_FREE(opts->kernels_path)
-	TRY_FREE(opts->aquariums_path)
+	TRY_FREE(opts->templates_path);
+	TRY_FREE(opts->kernels_path);
+	TRY_FREE(opts->aquariums_path);
 
 	if (asprintf(&opts->templates_path, "%s/" TEMPLATES_PATH, opts->base_path)) {}
 	if (asprintf(&opts->kernels_path,   "%s/" KERNELS_PATH,   opts->base_path)) {}
 	if (asprintf(&opts->aquariums_path, "%s/" AQUARIUMS_PATH, opts->base_path)) {}
 
 	// file paths
 
-	TRY_FREE(opts->sanctioned_path)
-	TRY_FREE(opts->db_path)
+	TRY_FREE(opts->sanctioned_path);
+	TRY_FREE(opts->db_path);
 
 	if (asprintf(&opts->sanctioned_path, "%s/" SANCTIONED_PATH, opts->base_path)) {}
 	if (asprintf(&opts->db_path,         "%s/" DB_PATH,         opts->base_path)) {}
 }
+
+void aquarium_opts_add_ruleset(aquarium_opts_t* opts, uint32_t ruleset) {
+	opts->rulesets = realloc(opts->rulesets, ++opts->ruleset_count * sizeof *opts->rulesets);
+	opts->rulesets[opts->ruleset_count - 1] = ruleset;
+}