Add --no-default-dirs

Allow custom specification of directory rules without worrying about new default rules being added in the future. By default, certain directories are bound from the root filesystem. This is undesirable if the isolated program should run in a custom OS installation. Currently, one needs to undo all undesired default rules with e.g. "--dir=lib64=" etc., otherwise the root filesystem files may leak into the sandbox. It's much safer to start from zero in this case.
pehrsoderman · Mar 24, 2018 · 2f5b70c · 2f5b70c
1 parent 3197c82
commit 2f5b70c
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 17 deletions.
diff --git a/isolate.1.txt b/isolate.1.txt
@@ -197,9 +197,14 @@ no setuid binaries). This behavior can be modified using the 'options':
 	Instead of binding a directory, mount a device-less filesystem called 'in'.
 	For example, this can be 'proc' or 'sysfs'.
 
-The default set of directory rules binds +/bin+, +/dev+ (with devices allowed), +/lib+,
-+/lib64+ (if it exists), and +/usr+. It also binds the working directory to +/box+ (read-write)
-and mounts the proc filesystem at +/proc+.
+Unless *--no-default-dirs* is specified, the default set of directory rules binds +/bin+,
++/dev+ (with devices allowed), +/lib+, +/lib64+ (if it exists), and +/usr+. It also binds
+the working directory to +/box+ (read-write) and mounts the proc filesystem at +/proc+.
+
+*-D, --no-default-dirs*::
+	Do not bind the default set of directories. Care has to be taken to specify
+	the correct set of rules (using *--dir*) for the executed program to run
+	correctly. In particular, +/box+ has to be bound.
 
 CONTROL GROUPS
 --------------

diff --git a/isolate.c b/isolate.c
@@ -80,6 +80,7 @@ static int redir_stderr_to_stdout;
 static char *set_cwd;
 static int share_net;
 static int inherit_fds;
+static int default_dirs = 1;
 
 int cg_enable;
 int cg_memory_limit;
@@ -544,7 +545,7 @@ setup_root(void)
   if (mount("none", "root", "tmpfs", 0, "mode=755") < 0)
     die("Cannot mount root ramdisk: %m");
 
-  apply_dir_rules();
+  apply_dir_rules(default_dirs);
 
   if (chroot("root") < 0)
     die("Chroot failed: %m");
@@ -864,6 +865,7 @@ Options:\n\
 \t\t\t\tmaybe\tSkip the rule if <out> does not exist\n\
 \t\t\t\tnoexec\tDo not allow execution of binaries\n\
 \t\t\t\trw\tAllow read-write access\n\
+-D, --no-default-dirs\tDo not add default directory rules\n\
 -f, --fsize=<size>\tMax size (in KB) of files that can be created\n\
 -E, --env=<var>\t\tInherit the environment variable <var> from the parent process\n\
 -E, --env=<var>=<val>\tSet the environment variable <var> to <val>; unset it if <var> is empty\n\
@@ -908,7 +910,7 @@ enum opt_code {
   OPT_STDERR_TO_STDOUT,
 };
 
-static const char short_opts[] = "b:c:d:eE:f:i:k:m:M:o:p::q:r:st:vw:x:";
+static const char short_opts[] = "b:c:d:DeE:f:i:k:m:M:o:p::q:r:st:vw:x:";
 
 static const struct option long_opts[] = {
   { "box-id",		1, NULL, 'b' },
@@ -918,6 +920,7 @@ static const struct option long_opts[] = {
   { "cg-timing",	0, NULL, OPT_CG_TIMING },
   { "cleanup",		0, NULL, OPT_CLEANUP },
   { "dir",		1, NULL, 'd' },
+  { "no-default-dirs",  0, NULL, 'D' },
   { "fsize",		1, NULL, 'f' },
   { "env",		1, NULL, 'E' },
   { "extra-time",	1, NULL, 'x' },
@@ -968,6 +971,9 @@ main(int argc, char **argv)
 	if (!set_dir_action(optarg))
 	  usage("Invalid directory specified: %s\n", optarg);
 	break;
+      case 'D':
+        default_dirs = 0;
+        break;
       case 'e':
 	pass_environ = 1;
 	break;

diff --git a/isolate.h b/isolate.h
@@ -52,7 +52,7 @@ char **setup_environment(void);
 
 void init_dir_rules(void);
 int set_dir_action(char *arg);
-void apply_dir_rules(void);
+void apply_dir_rules(int with_defaults);
 
 void set_quota(void);
 

diff --git a/rules.c b/rules.c
@@ -169,6 +169,7 @@ enum dir_rule_flags {
   DIR_FLAG_FS = 4,
   DIR_FLAG_MAYBE = 8,
   DIR_FLAG_DEV = 16,
+  DIR_FLAG_DEFAULT = 1U << 15,	// Used internally
   DIR_FLAG_DISABLED = 1U << 16,	// Used internally
 };
 
@@ -253,13 +254,13 @@ parse_dir_option(char *opt)
   die("Unknown directory option %s", opt);
 }
 
-int
-set_dir_action(char *arg)
+static int
+set_dir_action_ext(char *arg, unsigned int ext_flags)
 {
   arg = xstrdup(arg);
 
   char *colon = strchr(arg, ':');
-  unsigned int flags = 0;
+  unsigned int flags = ext_flags;
   while (colon)
     {
       *colon++ = 0;
@@ -284,16 +285,28 @@ set_dir_action(char *arg)
     }
 }
 
+int
+set_dir_action(char *arg)
+{
+  return set_dir_action_ext(arg, 0);
+}
+
+static int
+set_dir_action_default(char *arg)
+{
+  return set_dir_action_ext(arg, DIR_FLAG_DEFAULT);
+}
+
 void
 init_dir_rules(void)
 {
-  set_dir_action("box=./box:rw");
-  set_dir_action("bin");
-  set_dir_action("dev:dev");
-  set_dir_action("lib");
-  set_dir_action("lib64:maybe");
-  set_dir_action("proc=proc:fs");
-  set_dir_action("usr");
+  set_dir_action_default("box=./box:rw");
+  set_dir_action_default("bin");
+  set_dir_action_default("dev:dev");
+  set_dir_action_default("lib");
+  set_dir_action_default("lib64:maybe");
+  set_dir_action_default("proc=proc:fs");
+  set_dir_action_default("usr");
 }
 
 static void
@@ -314,7 +327,7 @@ set_cap_sys_admin(void)
 }
 
 void
-apply_dir_rules(void)
+apply_dir_rules(int with_defaults)
 {
   /*
    * Before mounting anything, we create all mount points inside the box.
@@ -323,6 +336,9 @@ apply_dir_rules(void)
    */
   for (struct dir_rule *r = first_dir_rule; r; r=r->next)
     {
+      if (!with_defaults && (r->flags & DIR_FLAG_DEFAULT))
+        continue;
+
       char *in = r->inside;
       char *out = r->outside;
 
@@ -349,6 +365,8 @@ apply_dir_rules(void)
     {
       if (r->flags & DIR_FLAG_DISABLED)
 	continue;
+      if (!with_defaults && (r->flags & DIR_FLAG_DEFAULT))
+        continue;
 
       char *in = r->inside;
       char *out = r->outside;