From e1410bf209d0a2a16c59871ba68b5b968c0ef8d9 Mon Sep 17 00:00:00 2001
From: yo
Date: Sat, 18 Jun 2022 20:08:12 +0200
Subject: [PATCH] create dynamic devfs ruleset from configured or default

---
 cmd/start.go | 75 ++++++++++++++++++++++++++++------------------------
 1 file changed, 41 insertions(+), 34 deletions(-)

diff --git a/cmd/start.go b/cmd/start.go
index d569c6f..fafffe7 100644
--- a/cmd/start.go
+++ b/cmd/start.go
@@ -448,8 +448,7 @@ func genNatIpv4(jail *Jail) ([]string, error) {
 return ippair, nil
 }
 
-// WIP 06/06/2022
-func getDevfsRuleSet(jail *Jail) (error, int) {
+func buildDevfsRuleSet(jail *Jail) (error, int) {
 rulesets := []int{}
 // TODO : Could be replaced by "add include $devfsrules_unhide_login" (see /etc/devfs.rules)
 /*default_devs := [47]string {"hide", "null", "zero", "crypto", "random", "urandom", "ptyp*",
@@ -481,38 +480,47 @@ func getDevfsRuleSet(jail *Jail) (error, int) {
 }
 }
 
-// User configured devfs_ruleset. Clone it to a dynamic ruleset (TODO : why cant we use the ruleset as it?)
-if jail.Config.Devfs_ruleset != string(DEVFS_DEFAULT_RULESET) {
-if false == isStringInArray(srs, jail.Config.Devfs_ruleset) {
-return errors.New(fmt.Sprintf("Unknown ruleset: %s", jail.Config.Devfs_ruleset)), 0
-}
-
-cmd := fmt.Sprintf("devfs rule -s %d show", jail.Config.Devfs_ruleset)
-out, err := executeCommand(cmd)
-if err != nil {
-return errors.New(fmt.Sprintf("Error executing command \"%s\": %v; command returned: %s\n", cmd, err, out)), 0
-}
-
-for _, r := range strings.Split(out, "\n") {
-rt := strings.Split(r, " ")
-cmd = fmt.Sprintf("devfs rule -s %d add %s %s %s", ruleset, rt[1], rt[2], rt[3])
-out, err := executeCommand(cmd)
-if err != nil {
-return errors.New(fmt.Sprintf("Error executing command \"%s\": %v; command returned: %s\n", cmd, err, out)), 0
-}
-}
-return nil, ruleset
+// Get default devfs_ruleset for the datastore
+ds, err := getDatastoreFromArray(jail.Datastore, gDatastores)
+if err != nil {
+return errors.New(fmt.Sprintf("Error getting datastore %s for jail %s", jail.Datastore, jail.Name)), 0
+}
+defaultrs, err := strconv.ParseInt(ds.DefaultJailConfig.Devfs_ruleset, 10, 64)
+if err != nil {
+return errors.New(fmt.Sprintf("Error parsing default devfs_ruleset for datastore %s", jail.Datastore)), 0
 }
-// WIP
-// Create a default dynamic ruleset from
+// Clone configured devfs_rulesetto a dynamic ruleset
+if false == isStringInArray(srs, jail.Config.Devfs_ruleset) {
+return errors.New(fmt.Sprintf("Unknown ruleset: %s", jail.Config.Devfs_ruleset)), 0
+}
+rs, _ := strconv.Atoi(jail.Config.Devfs_ruleset)
+err := copyDevfsRuleset(ruleset, rs)
+if err != nil {
+return err, 0
+}
 
-// TODO: Get default devfs_ruleset from gDefaultConfig[datastore]
-
-//def_devfs_inc := []string{"devfsrules_hide_all", "devfsrules_unhide_basic", "devfsrules_unhide_login"}
-
-// TODO : update ruleset return value
-return nil, 0
+// Add rules for enabled options
+if jail.Config.Allow_mount_fusefs > 0 {
+err := addDevfsRuleToRuleset("path fuse unhide", ruleset)
+if err != nil {
+return err, 0
+}
+}
+if jail.Config.Bpf > 0 {
+err := addDevfsRuleToRuleset("path bpf* unhide", ruleset)
+if err != nil {
+return err, 0
+}
+}
+if jail.Config.Allow_tun > 0 {
+err := addDevfsRuleToRuleset("path tun* unhide", ruleset)
+if err != nil {
+return err, 0
+}
+}
+
+return nil, ruleset
 }
 
 /*
@@ -749,13 +757,12 @@ func StartJail(args []string) {
 net = append(net, strings.Split(cj.Config.Vnet_interfaces, " ")...)
 }
 
-// WIP 06/06/2022
-err, rs := getDevfsRuleSet(cj)
+err, rs := buildDevfsRuleSet(cj)
 if err != nil {
 fmt.Printf("%s\n", err.Error())
 return
 }
-// CONTINUE HERE
+// CONTINUE HERE, around https://github.com/iocage/iocage/blob/master/iocage_lib/ioc_start.py:516
 fmt.Printf("Built ruleset: %d\n", rs)