yo/gocage
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

create dynamic devfs ruleset from configured or default

Browse Source
This commit is contained in:
yo 2022-06-18 20:08:12 +02:00
parent c585678be9
commit e1410bf209
1 changed files with 41 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
cmd/start.go
View File

@ -448,8 +448,7 @@ func genNatIpv4(jail *Jail) ([]string, error) {
return ippair, nil return ippair, nil
} }
// WIP 06/06/2022 func buildDevfsRuleSet(jail *Jail) (error, int) {
func getDevfsRuleSet(jail *Jail) (error, int) {
rulesets := []int{} rulesets := []int{}
// TODO : Could be replaced by "add include $devfsrules_unhide_login" (see /etc/devfs.rules) // TODO : Could be replaced by "add include $devfsrules_unhide_login" (see /etc/devfs.rules)
/*default_devs := [47]string {"hide", "null", "zero", "crypto", "random", "urandom", "ptyp*", /*default_devs := [47]string {"hide", "null", "zero", "crypto", "random", "urandom", "ptyp*",
@ -481,38 +480,47 @@ func getDevfsRuleSet(jail *Jail) (error, int) {
} }
} }
// User configured devfs_ruleset. Clone it to a dynamic ruleset (TODO : why cant we use the ruleset as it?) // Get default devfs_ruleset for the datastore
if jail.Config.Devfs_ruleset != string(DEVFS_DEFAULT_RULESET) { ds, err := getDatastoreFromArray(jail.Datastore, gDatastores)
if false == isStringInArray(srs, jail.Config.Devfs_ruleset) { if err != nil {
return errors.New(fmt.Sprintf("Unknown ruleset: %s", jail.Config.Devfs_ruleset)), 0 return errors.New(fmt.Sprintf("Error getting datastore %s for jail %s", jail.Datastore, jail.Name)), 0
} }
defaultrs, err := strconv.ParseInt(ds.DefaultJailConfig.Devfs_ruleset, 10, 64)
cmd := fmt.Sprintf("devfs rule -s %d show", jail.Config.Devfs_ruleset) if err != nil {
out, err := executeCommand(cmd) return errors.New(fmt.Sprintf("Error parsing default devfs_ruleset for datastore %s", jail.Datastore)), 0
if err != nil {
return errors.New(fmt.Sprintf("Error executing command \"%s\": %v; command returned: %s\n", cmd, err, out)), 0
}
for _, r := range strings.Split(out, "\n") {
rt := strings.Split(r, " ")
cmd = fmt.Sprintf("devfs rule -s %d add %s %s %s", ruleset, rt[1], rt[2], rt[3])
out, err := executeCommand(cmd)
if err != nil {
return errors.New(fmt.Sprintf("Error executing command \"%s\": %v; command returned: %s\n", cmd, err, out)), 0
}
}
return nil, ruleset
} }
// WIP // Clone configured devfs_rulesetto a dynamic ruleset
// Create a default dynamic ruleset from if false == isStringInArray(srs, jail.Config.Devfs_ruleset) {
return errors.New(fmt.Sprintf("Unknown ruleset: %s", jail.Config.Devfs_ruleset)), 0
}
rs, _ := strconv.Atoi(jail.Config.Devfs_ruleset)
err := copyDevfsRuleset(ruleset, rs)
if err != nil {
return err, 0
}
// TODO: Get default devfs_ruleset from gDefaultConfig[datastore] // Add rules for enabled options
if jail.Config.Allow_mount_fusefs > 0 {
//def_devfs_inc := []string{"devfsrules_hide_all", "devfsrules_unhide_basic", "devfsrules_unhide_login"} err := addDevfsRuleToRuleset("path fuse unhide", ruleset)
if err != nil {
// TODO : update ruleset return value return err, 0
return nil, 0 }
}
if jail.Config.Bpf > 0 {
err := addDevfsRuleToRuleset("path bpf* unhide", ruleset)
if err != nil {
return err, 0
}
}
if jail.Config.Allow_tun > 0 {
err := addDevfsRuleToRuleset("path tun* unhide", ruleset)
if err != nil {
return err, 0
}
}
return nil, ruleset
} }
/* /*
@ -749,13 +757,12 @@ func StartJail(args []string) {
net = append(net, strings.Split(cj.Config.Vnet_interfaces, " ")...) net = append(net, strings.Split(cj.Config.Vnet_interfaces, " ")...)
} }
// WIP 06/06/2022 err, rs := buildDevfsRuleSet(cj)
err, rs := getDevfsRuleSet(cj)
if err != nil { if err != nil {
fmt.Printf("%s\n", err.Error()) fmt.Printf("%s\n", err.Error())
return return
} }
// CONTINUE HERE // CONTINUE HERE, around https://github.com/iocage/iocage/blob/master/iocage_lib/ioc_start.py:516
fmt.Printf("Built ruleset: %d\n", rs) fmt.Printf("Built ruleset: %d\n", rs)