From 8e9b8065b564235990655824c573483f66a3d30f Mon Sep 17 00:00:00 2001
From: obiwac
Date: Sat, 8 Jul 2023 22:22:09 +0200
Subject: [PATCH] opts: `aquarium_opts_add_ruleset` for choosing which devfs rulesets to use

- resolves #29
---
 src/aquarium.h | 6 ++++++
 src/lib/enter.c | 44 ++++++++++++++++----------------------------
 src/lib/opts.c | 46 ++++++++++++++++++++++++++++------------------
 3 files changed, 50 insertions(+), 46 deletions(-)

diff --git a/src/aquarium.h b/src/aquarium.h
index 6c742052..ef949a9d 100644
--- a/src/aquarium.h
+++ b/src/aquarium.h
@@ -66,6 +66,11 @@ typedef struct {
 char* hostname;
 bool persist;
 bool vnet_disable;
+
+ // devfs ruleset options
+
+ size_t ruleset_count;
+ uint32_t* rulesets;
 } aquarium_opts_t;
 
 typedef struct {
@@ -98,6 +103,7 @@ aquarium_opts_t* aquarium_opts_create(void);
 void aquarium_opts_free(aquarium_opts_t* opts);
 
 void aquarium_opts_set_base_path(aquarium_opts_t* opts, char const* base_path);
+void aquarium_opts_add_ruleset(aquarium_opts_t* opts, uint32_t ruleset);
 
 bool aquarium_db_next_ent(aquarium_opts_t* opts, aquarium_db_ent_t* ent, size_t buf_len, char buf[buf_len], FILE* fp, bool be_dramatic);
 char* aquarium_db_read_pointer_file(aquarium_opts_t* opts, char const* path);
diff --git a/src/lib/enter.c b/src/lib/enter.c
index 5f8b3b2b..80a1f1de 100644
--- a/src/lib/enter.c
+++ b/src/lib/enter.c
@@ -76,7 +76,7 @@ static int recursive_umount(char* path) {
 return 0;
 }
 
- // XXX is there a reason I shouldn't be using 'MNT_FORCE'?
+ // XXX is there a reason I *shouldn't* be using 'MNT_FORCE'?
 
 if (unmount(path, MNT_FORCE) < 0) {
 warnx("unmount(\"%s\"): %s", path, strerror(errno));
@@ -85,11 +85,9 @@ static int recursive_umount(char* path) {
 }
 }
 
-static int devfs_ruleset(void) {
+static int devfs_ruleset(aquarium_opts_t* opts) {
 int rv = -1;
 
- // we necessarily need to start by hiding everything for some reason
-
 int const devfs_fd = open("dev", O_RDONLY);
 
 if (devfs_fd < 0) {
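Review bot: The two new fields `ruleset_count` and `rulesets` go into the public `aquarium_opts_t` with no comment on what the numbers are, in which order they are consumed, or who owns the array, even though the opts.c hunk shows it is freed by `aquarium_opts_free` and the enter.c hunk shows it is walked in order after ruleset 1. I would annotate them inline: `size_t ruleset_count; // number of entries in rulesets` and `uint32_t* rulesets; // devfs ruleset numbers applied, in order, after devfsrules_hide_all; owned by opts and released in aquarium_opts_free`. The element type is also wider than the `devfs_rsnum` the kernel eventually receives (a 16-bit type on FreeBSD as far as I recall), so either store `devfs_rsnum` here or document the accepted range. The struct's opening line is outside the hunk.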
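Review bot: `aquarium_opts_add_ruleset` joins the public header without a doc comment, and its `void` return leaves callers no way to learn that the append did not happen (the opts.c implementation grows the array with a bare `realloc`). I would put `// append a devfs ruleset number to be applied, in order, after devfsrules_hide_all when the aquarium is entered; the ruleset presumably has to exist on the host already` above the prototype, and consider a `bool` return so a failed allocation can be surfaced instead of silently entering the jail with fewer rulesets than requested. Since these numbers decide what a jail can see under /dev, a caller that cannot detect a dropped entry is worth avoiding.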
@@ -97,32 +95,22 @@ static int devfs_ruleset(void) {
 goto open_err;
 }
 
- devfs_rsnum ruleset = 1; // devfsrules_hide_all
-
- if (ioctl(devfs_fd, DEVFSIO_SAPPLY, &ruleset) < 0) {
- warnx("DEVFSIO_SAPPLY: %s", strerror(errno));
- goto devfsio_err;
- }
-
- ruleset = 2; // devfsrules_unhide_basic
+ #define APPLY_RULESET(__ruleset) do { \
+ devfs_rsnum const _ruleset = (__ruleset); \
+ \
+ if (ioctl(devfs_fd, DEVFSIO_SAPPLY, &_ruleset) < 0) { \
+ warnx("DEVFSIO_SAPPLY(%d): %s", _ruleset, strerror(errno)); \
+ goto devfsio_err; \
+ } \
+ } while (0)
 
- if (ioctl(devfs_fd, DEVFSIO_SAPPLY, &ruleset) < 0) {
- warnx("DEVFSIO_SAPPLY: %s", strerror(errno));
- goto devfsio_err;
- }
-
- ruleset = 3; // devfsrules_unhide_login
- if (ioctl(devfs_fd, DEVFSIO_SAPPLY, &ruleset) < 0) {
- warnx("DEVFSIO_SAPPLY: %s", strerror(errno));
- goto devfsio_err;
- }
+ // we necessarily need to start by hiding everything
 
- ruleset = 5; // devfsrules_jail_vnet
+ APPLY_RULESET(1); // devfsrules_hide_all
 
- if (ioctl(devfs_fd, DEVFSIO_SAPPLY, &ruleset) < 0) {
- warnx("DEVFSIO_SAPPLY: %s", strerror(errno));
- goto devfsio_err;
+ for (size_t i = 0; i < opts->ruleset_count; i++) {
+ uint32_t const ruleset = opts->rulesets[i];
+ APPLY_RULESET(ruleset);
 }
 
 // success
@@ -418,7 +406,7 @@ int aquarium_enter(aquarium_opts_t* opts, char const* path, aquarium_enter_cb_t
 // set the correct ruleset for devfs
 // this comes last, so any setup scripts still have full access to the devfs filesystem
 
- if (devfs_ruleset() < 0) {
+ if (devfs_ruleset(opts) < 0) {
 goto devfs_ruleset_err;
 }
 
diff --git a/src/lib/opts.c b/src/lib/opts.c
index b39764e7..67c2fa17 100644
--- a/src/lib/opts.c
+++ b/src/lib/opts.c
@@ -29,10 +29,11 @@
 
 // useful macros
 
-#define TRY_FREE(str) \
+#define TRY_FREE(str) do { \
 if ((str)) { \
 free((str)); \
- }
+ } \
+} while (0)
 
 aquarium_opts_t* aquarium_opts_create(void) {
 aquarium_opts_t* const opts = calloc(1, sizeof *opts);
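Review bot: `APPLY_RULESET` narrows the caller-supplied `uint32_t` to `devfs_rsnum` when it initialises `_ruleset`, so a value that does not fit is silently applied as a different ruleset number rather than rejected, and since these numbers decide what the jail sees under /dev that is the wrong direction to be lenient in; the loop should refuse out-of-range input before applying: `if (ruleset > (devfs_rsnum) -1) { warnx("devfs ruleset %u out of range", ruleset); goto devfsio_err; }` (how wide `devfs_rsnum` is comes from the platform headers; I believe it is 16-bit on FreeBSD). Two points on the macro itself: `__ruleset` is a reserved identifier in C (any name starting with two underscores belongs to the implementation), so a name like `rs_` is safer, and the macro relies on `devfs_fd` and the `devfsio_err` label from the enclosing scope but is never `#undef`'d after its last use. The comment above `APPLY_RULESET(1)` should also say that rulesets 2, 3 and 5 are no longer applied unless the caller adds them, so an empty `opts->rulesets` now leaves the jail with hide_all only — fail-closed, but a behaviour change for existing callers unless `aquarium_opts_create` seeds them, which is not visible here. The `devfsio_err` cleanup this macro jumps to lies outside the hunk.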
@@ -93,38 +94,42 @@ aquarium_opts_t* aquarium_opts_create(void) {
 }
 
 void aquarium_opts_free(aquarium_opts_t* opts) {
- TRY_FREE(opts->base_path)
+ TRY_FREE(opts->base_path);
 
 // directory paths
 
- TRY_FREE(opts->templates_path)
- TRY_FREE(opts->kernels_path)
- TRY_FREE(opts->aquariums_path)
+ TRY_FREE(opts->templates_path);
+ TRY_FREE(opts->kernels_path);
+ TRY_FREE(opts->aquariums_path);
 
 // file paths
 
- TRY_FREE(opts->sanctioned_path)
- TRY_FREE(opts->db_path)
+ TRY_FREE(opts->sanctioned_path);
+ TRY_FREE(opts->db_path);
 
 // image output & filesystem creation options
 
- TRY_FREE(opts->rootfs_label)
- TRY_FREE(opts->esp_label)
- TRY_FREE(opts->esp_oem)
- TRY_FREE(opts->esp_vol_label)
+ TRY_FREE(opts->rootfs_label);
+ TRY_FREE(opts->esp_label);
+ TRY_FREE(opts->esp_oem);
+ TRY_FREE(opts->esp_vol_label);
+
+ // devfs ruleset options
+
+ TRY_FREE(opts->rulesets);
 
 free(opts);
 }
 
 void aquarium_opts_set_base_path(aquarium_opts_t* opts, char const* base_path) {
- TRY_FREE(opts->base_path)
+ TRY_FREE(opts->base_path);
 opts->base_path = strdup(base_path);
 
 // directory paths
 
- TRY_FREE(opts->templates_path)
- TRY_FREE(opts->kernels_path)
- TRY_FREE(opts->aquariums_path)
+ TRY_FREE(opts->templates_path);
+ TRY_FREE(opts->kernels_path);
+ TRY_FREE(opts->aquariums_path);
 
 if (asprintf(&opts->templates_path, "%s/" TEMPLATES_PATH, opts->base_path)) {}
 if (asprintf(&opts->kernels_path, "%s/" KERNELS_PATH, opts->base_path)) {}
@@ -132,9 +137,14 @@ void aquarium_opts_set_base_path(aquarium_opts_t* opts, char const* base_path) {
 
 // file paths
 
- TRY_FREE(opts->sanctioned_path)
- TRY_FREE(opts->db_path)
+ TRY_FREE(opts->sanctioned_path);
+ TRY_FREE(opts->db_path);
 
 if (asprintf(&opts->sanctioned_path, "%s/" SANCTIONED_PATH, opts->base_path)) {}
 if (asprintf(&opts->db_path, "%s/" DB_PATH, opts->base_path)) {}
 }
+
+void aquarium_opts_add_ruleset(aquarium_opts_t* opts, uint32_t ruleset) {
+ opts->rulesets = realloc(opts->rulesets, ++opts->ruleset_count * sizeof *opts->rulesets);
+ opts->rulesets[opts->ruleset_count - 1] = ruleset;
+}
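Review bot: `aquarium_opts_add_ruleset` stores the `realloc` result straight into `opts->rulesets` and increments `ruleset_count` before the allocation is known to have succeeded, so on failure the old array leaks, the count is one too high, and the next line writes through a NULL pointer. Grow into a temporary, check it, and only then publish both fields; because the function returns `void` the caller still cannot observe the failure, and the consequence is an aquarium entered with fewer rulesets than asked for (hide_all only in the worst case, which at least fails closed), so a `bool` return would be a reasonable follow-up. There is also no check that `ruleset` fits the kernel's `devfs_rsnum`, which is narrower than `uint32_t` on FreeBSD as far as I know; rejecting such values at this entry point would keep `devfs_ruleset` in enter.c from applying a truncated number.
```c
void aquarium_opts_add_ruleset(aquarium_opts_t* opts, uint32_t ruleset) {
	size_t const count = opts->ruleset_count + 1;
	uint32_t* const rulesets = realloc(opts->rulesets, count * sizeof *rulesets);

	if (rulesets == NULL) {
		// opts->rulesets and opts->ruleset_count are left untouched here; the
		// caller currently has no way to see this (consider returning bool)
		return;
	}

	rulesets[count - 1] = ruleset;

	opts->rulesets = rulesets;
	opts->ruleset_count = count;
}
```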