fixed missing dev null

This commit is contained in:
Jake Hillion 2022-05-21 16:05:00 +01:00 committed by Gitea
parent d365508cba
commit 8244e4ebf7
2 changed files with 28 additions and 4 deletions


@ -326,6 +326,8 @@ impl<'a> Spawner<'a> {
self.mount_entrypoint(builder, self.binary)?; self.mount_entrypoint(builder, self.binary)?;
self.forward_mounts(builder, environment, args); self.forward_mounts(builder, environment, args);
self.forward_files(builder, args); self.forward_files(builder, args);
builder.mount("/dev/null", "/dev/null");
builder.mount("/proc", "/proc").remount_proc(); builder.mount("/proc", "/proc").remount_proc();
builder.keep_fd(&1); builder.keep_fd(&1);
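Review bot: The explicit `builder.mount("/dev/null", "/dev/null");` added after `forward_files` needs a comment stating why it exists, because the companion `VoidBuilder` change in this commit already bind-mounts a temporary `/dev/null` whenever `self.mounts` lacks one and detaches it again in the file-descriptor voiding step, so a later reader will see this line as redundant; something like `// keep /dev/null in the void permanently: without this entry VoidBuilder only mounts it temporarily` records the intent. This reading assumes `mount` inserts the pair into the same `mounts` map that `VoidBuilder` consults, which the hunk does not show. The return value of this `mount` call is also discarded while the next line chains `.remount_proc()` on the same method, which is only clean if that return type is not `#[must_use]`. The enclosing `Spawner` method starts before and ends after this hunk.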


@ -106,7 +106,9 @@ impl VoidBuilder {
debug!("voiding user namespace..."); debug!("voiding user namespace...");
self.void_user_namespace(parent_uid, parent_gid)?; // first to regain full capabilities self.void_user_namespace(parent_uid, parent_gid)?; // first to regain full capabilities
debug!("voiding file descriptors..."); debug!("voiding mount namespace...");
self.void_mount_namespace()?;
debug!("voiding file descriptors..."); // occur after mount to unmount /dev/null
self.void_file_descriptors()?; self.void_file_descriptors()?;
debug!("voiding ipc namespace..."); debug!("voiding ipc namespace...");
@ -117,8 +119,6 @@ impl VoidBuilder {
self.void_network_namespace()?; self.void_network_namespace()?;
debug!("voiding pid namespace..."); debug!("voiding pid namespace...");
self.void_pid_namespace()?; self.void_pid_namespace()?;
debug!("voiding mount namespace...");
self.void_mount_namespace()?;
debug!("voiding cgroup namespace..."); debug!("voiding cgroup namespace...");
self.void_cgroup_namespace()?; self.void_cgroup_namespace()?;
@ -255,7 +255,18 @@ impl VoidBuilder {
std::env::set_current_dir(&new_root)?; std::env::set_current_dir(&new_root)?;
trace!("creating bind mounts before unmounting"); trace!("creating bind mounts before unmounting");
for (src, dst) in &self.mounts {
let standard_dev_null = if self.mounts.contains_key(&PathBuf::from("/dev/null")) {
None
} else {
Some((PathBuf::from("/dev/null"), PathBuf::from("/dev/null")))
};
for (src, dst) in self
.mounts
.iter()
.chain(standard_dev_null.as_ref().map(|(x, y)| (x, y)))
{
let mut src = old_root.join(src.strip_prefix("/").unwrap_or(src)); let mut src = old_root.join(src.strip_prefix("/").unwrap_or(src));
let dst = new_root.join(dst.strip_prefix("/").unwrap_or(dst)); let dst = new_root.join(dst.strip_prefix("/").unwrap_or(dst));
@ -397,6 +408,8 @@ impl VoidBuilder {
let mut nullfd: Option<File> = None; let mut nullfd: Option<File> = None;
for stdfd in &[0, 1, 2] { for stdfd in &[0, 1, 2] {
if !keep.contains(stdfd) { if !keep.contains(stdfd) {
trace!("voiding stdfd {}", stdfd);
let fd = nullfd let fd = nullfd
.take() .take()
.map(Ok) .map(Ok)
@ -412,6 +425,15 @@ impl VoidBuilder {
} }
} }
if !self.mounts.contains_key(&PathBuf::from("/dev/null")) {
debug!("unmount /dev/null after voiding file descriptors");
umount2("/dev/null", MntFlags::MNT_DETACH).map_err(|e| Error::Nix {
msg: "umount2",
src: e,
})?;
}
for fd in keep.as_ref() { for fd in keep.as_ref() {
let mut flags = FdFlag::from_bits_truncate( let mut flags = FdFlag::from_bits_truncate(
nix::fcntl::fcntl(*fd, FcntlArg::F_GETFD).map_err(|e| Error::Nix { nix::fcntl::fcntl(*fd, FcntlArg::F_GETFD).map_err(|e| Error::Nix {