示例#1
0
        def jail():
            os.environ.clear()
            os.environ.update(PATH="/usr/bin", HOME="/")

            if self.hostname:
                sethostname(self.hostname)

            pivot_root(tmp, old_root)
            os.chdir("/")

            mount_proc()
            umount_all(ignore_mounts)
            os.rmdir("/" + put_old)

            os.symlink("/usr/lib", "/lib")
            os.symlink("/usr/lib", "/lib64")

            mount_tmpfs(self.fs_size, "/", const.MS_REMOUNT | const.MS_RDONLY)

            self.setup_workers()
示例#2
0
        def jail():
            os.environ.clear()
            os.environ.update(
                PATH = '/usr/bin',
                HOME = '/',
            )

            if self.hostname:
                sethostname(self.hostname)

            pivot_root(tmp, old_root)
            os.chdir('/')

            mount_proc()
            umount_all(ignore_mounts)
            os.rmdir('/' + put_old)
            
            os.symlink('/usr/lib', '/lib')
            os.symlink('/usr/lib', '/lib64')

            mount_tmpfs(self.fs_size, '/', const.MS_REMOUNT | const.MS_RDONLY)

            self.setup_workers()
示例#3
0
        def jail():
            os.environ.clear()
            os.environ.update(
                PATH='/usr/bin',
                HOME='/',
            )

            if self.hostname:
                sethostname(self.hostname)

            pivot_root(tmp, old_root)
            os.chdir('/')

            mount_proc()
            umount_all(ignore_mounts)
            os.rmdir('/' + put_old)

            os.symlink('/usr/lib', '/lib')
            os.symlink('/usr/lib', '/lib64')

            mount_tmpfs(self.fs_size, '/', const.MS_REMOUNT | const.MS_RDONLY)

            self.setup_workers()
示例#4
0
    def run(self):
        '''
        Set ups jail and runs prisoner
        '''

        # Get desired gid and uid
        gid = None
        uid = None
        if self.gname:
            gid = grp.getgrnam(self.gname).gr_gid
        if self.uname:
            uid = pwd.getpwnam(self.uname).pw_uid

        # Create temporary mountpoint for tmpfs
        tmp = tempfile.mkdtemp()

        # Mount tmpfs for our use
        mount_tmpfs(self.fs_size, tmp)

        # Create directory for old root
        put_old = 'root'
        old_root = os.path.join(tmp, put_old)
        os.mkdir(old_root)

        # Copy stuff to tmpfs
        self.setup_fs(tmp)

        # Clone and create new namespaces. Note CLONE_NEWUSER is not used (yet?)
        pid = clone(const.CLONE_NEWNS | const.CLONE_NEWPID | const.CLONE_NEWUTS
                    | const.CLONE_NEWNET | const.CLONE_NEWIPC)
        assert pid is not None
        if pid:
            try:
                while True:
                    try:
                        pid2, status = os.waitpid(pid, const.WALL)
                    except KeyboardInterrupt:
                        try:
                            os.kill(pid, signal.SIGTERM)
                        except OSError as exc:
                            if exc.errno == errno.ESRCH:
                                break
                            raise
                    except OSError as exc:
                        if exc.errno == errno.ECHILD:
                            break
                        raise
                    else:
                        if pid2 == pid:
                            break
            finally:
                self.teardown_fs(tmp)

                # Umount tmpfs and remove mountpoint
                umount(tmp)
                os.rmdir(tmp)

            #print('Child {} exited with status {}'.format(pid, status))
            sys.exit(status)
        else:
            # We check if new PID namespace worked
            # Note we use syscall getpid instead of stdlib getpid
            assert getpid() == 1

            # Set desired hostname
            if self.hostname:
                sethostname(self.hostname)

            # Move new root to tmpfs, and old to subdir
            pivot_root(tmp, old_root)
            os.chdir('/')

            # Which mountoints to ignore
            ignore_mounts = ['/', '/proc']
            if self.ignore_mounts:
                ignore_mounts.extend(self.ignore_mounts)

            # Mount /proc, /cgroup and /dev
            mount_proc()
            if self.mount_cgroup:
                mount_cgroup()
                ignore_mounts.append('/cgroup')
            if self.mount_dev:
                mount_simple_dev()
                ignore_mounts.append('/dev')

            # Umount all filesystems but those we set up by ourselves
            umount_all(ignore_mounts)
            # Remove evidence of old root ;)
            os.rmdir('/' + put_old)

            os.environ.clear()

            # Remount tmpfs r/o
            if self.remount_ro:
                mount_tmpfs(self.fs_size, '/',
                            const.MS_REMOUNT | const.MS_RDONLY)

            # Set to desired gid/uid
            if gid:
                os.setgid(gid)
            if uid:
                os.setuid(uid)

            # We're ready to go!
            status = self.prisoner()
            status = int(status) if status else 0
            os._exit(status)
示例#5
0
文件: jail.py 项目: fluxid/sandboxed
    def run(self):
        '''
        Set ups jail and runs prisoner
        '''

        # Get desired gid and uid
        gid = None
        uid = None
        if self.gname:
            gid = grp.getgrnam(self.gname).gr_gid
        if self.uname:
            uid = pwd.getpwnam(self.uname).pw_uid

        # Create temporary mountpoint for tmpfs
        tmp = tempfile.mkdtemp()

        # Mount tmpfs for our use
        mount_tmpfs(self.fs_size, tmp)

        # Create directory for old root
        put_old = 'root'
        old_root = os.path.join(tmp, put_old)
        os.mkdir(old_root)

        # Copy stuff to tmpfs
        self.setup_fs(tmp)

        # Clone and create new namespaces. Note CLONE_NEWUSER is not used (yet?)
        pid = clone(
            const.CLONE_NEWNS |
            const.CLONE_NEWPID |
            const.CLONE_NEWUTS |
            const.CLONE_NEWNET |
            const.CLONE_NEWIPC
        )
        assert pid is not None
        if pid:
            try:
                while True:
                    try:
                        pid2, status = os.waitpid(pid, const.WALL)
                    except KeyboardInterrupt:
                        try:
                            os.kill(pid, signal.SIGTERM)
                        except OSError as exc:
                            if exc.errno == errno.ESRCH:
                                break
                            raise
                    except OSError as exc:
                        if exc.errno == errno.ECHILD:
                            break
                        raise
                    else:
                        if pid2 == pid:
                            break
            finally:
                self.teardown_fs(tmp)

                # Umount tmpfs and remove mountpoint
                umount(tmp)
                os.rmdir(tmp)
            
            #print('Child {} exited with status {}'.format(pid, status))
            sys.exit(status)
        else:
            # We check if new PID namespace worked
            # Note we use syscall getpid instead of stdlib getpid
            assert getpid() == 1

            # Set desired hostname
            if self.hostname:
                sethostname(self.hostname)

            # Move new root to tmpfs, and old to subdir
            pivot_root(tmp, old_root)
            os.chdir('/')

            # Which mountoints to ignore
            ignore_mounts = ['/', '/proc']
            if self.ignore_mounts:
                ignore_mounts.extend(self.ignore_mounts)

            # Mount /proc, /cgroup and /dev
            mount_proc()
            if self.mount_cgroup:
                mount_cgroup()
                ignore_mounts.append('/cgroup')
            if self.mount_dev:
                mount_simple_dev()
                ignore_mounts.append('/dev')
            
            # Umount all filesystems but those we set up by ourselves
            umount_all(ignore_mounts)
            # Remove evidence of old root ;)
            os.rmdir('/' + put_old)

            os.environ.clear()

            # Remount tmpfs r/o
            if self.remount_ro:
                mount_tmpfs(self.fs_size, '/', const.MS_REMOUNT | const.MS_RDONLY)

            # Set to desired gid/uid
            if gid:
                os.setgid(gid)
            if uid:
                os.setuid(uid)
            
            # We're ready to go!
            status = self.prisoner()
            status = int(status) if status else 0
            os._exit(status)