From d72a1e7bb96b461eb47d921436f7fe344e7b268a Mon Sep 17 00:00:00 2001 From: David Gibson Date: Mon, 12 Sep 2022 22:24:03 +1000 Subject: Move self-isolation code into a separate file passt/pasta contains a number of routines designed to isolate passt from the rest of the system for security. These are spread through util.c and passt.c. Move them together into a new isolation.c file. Signed-off-by: David Gibson --- passt.c | 113 +--------------------------------------------------------------- 1 file changed, 1 insertion(+), 112 deletions(-) (limited to 'passt.c') diff --git a/passt.c b/passt.c index bbf53d9..2a8314c 100644 --- a/passt.c +++ b/passt.c @@ -19,51 +19,25 @@ * created in a separate network namespace). */ -#include -#include #include -#include -#include -#include -#include #include #include #include -#include -#include -#include -#include -#include -#include -#include #include #include -#include #include #include #include #include #include -#include #include -#include -#include -#include #include -#include -#include -#include -#include - #include "util.h" -#include "seccomp.h" #include "passt.h" #include "dhcp.h" #include "dhcpv6.h" -#include "icmp.h" -#include "tcp.h" -#include "udp.h" +#include "isolation.h" #include "pcap.h" #include "tap.h" #include "conf.h" 
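Review bot: The only line this file gains is `#include "isolation.h"`, so the remaining callers of sandbox() and seccomp() in passt.c (outside both hunks) now depend on that header declaring, with unchanged signatures, the two functions that hunk 2 removes as `static`; their docblocks moved with them, so the header is where the call-order contract (presumably sandbox() before seccomp(), since the filter would otherwise have to admit the mount and pivot_root calls) should be stated if it is not already. The moved sandbox() also carries an unchecked `setns(c->pasta_userns_fd, CLONE_NEWUSER);` — on failure the process silently stays in its original user namespace and the descriptor is then discarded by `c->pasta_userns_fd = -1;`; in isolation.c it would be worth `if (setns(c->pasta_userns_fd, CLONE_NEWUSER)) { perror("setns"); return -errno; }` to match the function's other error paths. Whether isolation.c already adds that check cannot be seen from this diff, which is limited to passt.c.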
@@ -166,91 +140,6 @@ void proto_update_l2_buf(const unsigned char *eth_d, const unsigned char *eth_s,
 udp_update_l2_buf(eth_d, eth_s, ip_da);
 }
 
-/**
- * seccomp() - Set up seccomp filters depending on mode, won't return on failure
- * @c: Execution context
- */
-static void seccomp(const struct ctx *c)
-{
- struct sock_fprog prog;
-
- if (c->mode == MODE_PASST) {
- prog.len = (unsigned short)ARRAY_SIZE(filter_passt);
- prog.filter = filter_passt;
- } else {
- prog.len = (unsigned short)ARRAY_SIZE(filter_pasta);
- prog.filter = filter_pasta;
- }
-
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
- prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
- perror("prctl");
- exit(EXIT_FAILURE);
- }
-}
-
-/**
- * sandbox() - Unshare IPC, mount, PID, UTS, and user namespaces, "unmount" root
- *
- * Return: negative error code on failure, zero on success
- */
-static int sandbox(struct ctx *c)
-{
- int flags = CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWUTS;
-
- if (!c->netns_only) {
- if (c->pasta_userns_fd == -1)
- flags |= CLONE_NEWUSER;
- else
- setns(c->pasta_userns_fd, CLONE_NEWUSER);
- }
-
- c->pasta_userns_fd = -1;
-
- /* If we run in foreground, we have no chance to actually move to a new
- * PID namespace. For passt, use CLONE_NEWPID anyway, in case somebody
- * ever gets around seccomp profiles -- there's no harm in passing it.
- */
- if (!c->foreground || c->mode == MODE_PASST)
- flags |= CLONE_NEWPID;
-
- if (unshare(flags)) {
- perror("unshare");
- return -errno;
- }
-
- if (mount("", "/", "", MS_UNBINDABLE | MS_REC, NULL)) {
- perror("mount /");
- return -errno;
- }
-
- if (mount("", TMPDIR, "tmpfs",
- MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY,
- "nr_inodes=2,nr_blocks=0")) {
- perror("mount tmpfs");
- return -errno;
- }
-
- if (chdir(TMPDIR)) {
- perror("chdir");
- return -errno;
- }
-
- if (syscall(SYS_pivot_root, ".", ".")) {
- perror("pivot_root");
- return -errno;
- }
-
- if (umount2(".", MNT_DETACH | UMOUNT_NOFOLLOW)) {
- perror("umount2");
- return -errno;
- }
-
- drop_caps(); /* Relative to the new user namespace this time. */
-
- return 0;
-}
-
 /**
 * exit_handler() - Signal handler for SIGQUIT and SIGTERM
 * @unused: Unused, handler deals with SIGQUIT and SIGTERM only
-- cgit v1.2.3