diff --git a/src/bin/izoli.rs b/src/bin/izoli.rs index 9ea7b15..f4ad06f 100644 --- a/src/bin/izoli.rs +++ b/src/bin/izoli.rs @@ -5,7 +5,7 @@ use izolilib::{ cgroup::CGroup, cgroup_option::CGroupOption, cpu_limit::CpuLimit, limit_value::CGroupLimitValue, }, - izolibox::{IzoliBox, IzoliBoxOptions}, + izolibox::{IzoliBox, IzoliBoxOptions, Mount}, }; use nix::{sys::wait::waitpid, unistd::execvp}; use tracing::Level; @@ -35,6 +35,14 @@ fn main() { ..Default::default() }), new_net: false, + mounts: vec![ + Mount::new("/bin", "/bin", true, false), + Mount::new("/usr/bin", "/usr/bin", true, false), + Mount::new("/lib", "/lib", true, false), + Mount::new("/lib64", "/lib64", true, false), + Mount::new("/usr/lib", "/usr/lib", true, false), + Mount::new("/usr/lib64", "/usr/lib64", true, false), + ], }, ); diff --git a/src/izolibox.rs b/src/izolibox.rs index 77acb0d..24b3873 100644 --- a/src/izolibox.rs +++ b/src/izolibox.rs @@ -6,7 +6,7 @@ use nix::{ sched::{self, CloneCb, CloneFlags}, unistd::{sethostname, Pid}, }; -use tracing::info; +use tracing::{info, trace}; use crate::cgroup::{cgroup::CGroup, cgroup_option::CGroupOption}; @@ -21,6 +21,26 @@ pub struct IzoliBox { pub struct IzoliBoxOptions { pub cgroup_option: Option, pub new_net: bool, + pub mounts: Vec, +} + +#[derive(Debug, Clone, Default)] +pub struct Mount { + pub target: String, + pub source: String, + pub readonly: bool, + pub no_exec: bool, +} + +impl Mount { + pub fn new(target: &str, source: &str, readonly: bool, no_exec: bool) -> Self { + Self { + target: target.to_string(), + source: source.to_string(), + readonly, + no_exec, + } + } } impl IzoliBox { @@ -62,6 +82,7 @@ impl IzoliBox { fn prelude(&self) -> Result<(), Box> { info!("box prelude"); let root = self.get_root(); + let _ = fs::remove_dir(Path::new(&root)); fs::create_dir_all(Path::new(&root))?; self.prelude_mount()?; @@ -107,22 +128,34 @@ impl IzoliBox { )?; } - // readonly monut - let mounts = [ - ("bin", "/bin"), - ("usr/bin", "/usr/bin"), - ("usr/lib", "/usr/lib"), - ("lib", "/usr/lib"), - ("lib64", "/usr/lib64"), - ]; + for Mount { + target, + source, + readonly, + no_exec, + } in self.options.mounts.clone() + { + let target: &str = ⌖ + let source: &str = &source; + let flag_noexec = if no_exec { + MsFlags::MS_NOEXEC + } else { + MsFlags::empty() + }; + + let flag_rdonly = if readonly { + MsFlags::MS_RDONLY + } else { + MsFlags::empty() + }; + + let full_target: &str = &format!("{}/{}", root, target.trim_start_matches("/")); + info!("mounting {} to {}", source, full_target); + fs::create_dir_all(full_target)?; - for (target, source) in mounts.iter() { - let target: &str = &format!("{}/{}", root, target); - info!("mounting {} to {} readonly", source, target); - fs::create_dir_all(target)?; mount( - Some(*source), - target, + Some(source), + full_target, Some("none"), MsFlags::MS_BIND | MsFlags::MS_REC, None::<&str>, @@ -130,12 +163,25 @@ impl IzoliBox { mount( None::<&str>, - target, + full_target, None::<&str>, - MsFlags::MS_BIND | MsFlags::MS_REMOUNT | MsFlags::MS_RDONLY | MsFlags::MS_REC, + MsFlags::MS_BIND + | MsFlags::MS_REMOUNT + | MsFlags::MS_REC + | flag_rdonly + | flag_noexec, None::<&str>, )?; + trace!( + "{:?}", + MsFlags::MS_BIND + | MsFlags::MS_REMOUNT + | MsFlags::MS_REC + | flag_rdonly + | flag_noexec + ); } + Ok(()) }