From 84d5469a40bdc65aa5607d11a9060bb710bfd9b9 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Tue, 5 Oct 2021 16:21:09 +0200 Subject: simplify recursive remounting --- src/firejail/firejail.h | 2 +- src/firejail/fs.c | 38 +++++++++++++++++--------------------- src/firejail/mountinfo.c | 40 ++++++++++++---------------------------- 3 files changed, 30 insertions(+), 50 deletions(-) diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index 2a7d88575..e1ba8f48a 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -563,7 +563,7 @@ typedef struct { // mountinfo.c MountData *get_last_mount(void); -int get_mount_id(const char *path); +int get_mount_id(int fd); char **build_mount_array(const int mount_id, const char *path); // fs_var.c diff --git a/src/firejail/fs.c b/src/firejail/fs.c index 6d01b5e5d..3144156a3 100644 --- a/src/firejail/fs.c +++ b/src/firejail/fs.c @@ -633,34 +633,30 @@ out: } // remount recursively; requires a resolved path -static void fs_remount_rec(const char *dir, OPERATION op) { +static void fs_remount_rec(const char *path, OPERATION op) { EUID_ASSERT(); - assert(dir); + assert(op < OPERATION_MAX); + assert(path); - struct stat s; - if (stat(dir, &s) != 0) - return; - if (!S_ISDIR(s.st_mode)) { - // no need to search in /proc/self/mountinfo for submounts if not a directory - fs_remount_simple(dir, op); + // no need to search /proc/self/mountinfo for submounts if not a directory + int fd = open(path, O_PATH|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC); + if (fd < 0) { + fs_remount_simple(path, op); return; } - // get mount point of the directory - int mountid = get_mount_id(dir); - if (mountid == -1) - return; - if (mountid == -2) { - // falling back to a simple remount on old kernels - static int mount_warning = 0; - if (!mount_warning) { - fwarning("read-only, read-write and noexec options are not applied recursively\n"); - mount_warning = 1; - } - fs_remount_simple(dir, op); + + // get mount id of the directory + int mountid = get_mount_id(fd); + close(fd); + if (mountid < 0) { + // falling back to a simple remount + fwarning("%s %s not applied recursively\n", opstr[op], path); + fs_remount_simple(path, op); return; } + // build array with all mount points that need to get remounted - char **arr = build_mount_array(mountid, dir); + char **arr = build_mount_array(mountid, path); assert(arr); // remount char **tmp = arr; diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index 64a94bd84..f1eb9c924 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c @@ -151,47 +151,31 @@ MountData *get_last_mount(void) { return &mdata; } -// Extract the mount id from /proc/self/fdinfo and return it. -int get_mount_id(const char *path) { - EUID_ASSERT(); - assert(path); - - int fd = open(path, O_PATH|O_CLOEXEC); - if (fd == -1) - return -1; +// Needs kernel 3.15 or better +int get_mount_id(int fd) { + int rv = -1; - char *fdinfo; - if (asprintf(&fdinfo, "/proc/self/fdinfo/%d", fd) == -1) + char *proc; + if (asprintf(&proc, "/proc/self/fdinfo/%d", fd) == -1) errExit("asprintf"); EUID_ROOT(); - FILE *fp = fopen(fdinfo, "re"); + FILE *fp = fopen(proc, "re"); EUID_USER(); - free(fdinfo); if (!fp) goto errexit; - // read the file char buf[MAX_BUF]; - if (fgets(buf, MAX_BUF, fp) == NULL) - goto errexit; - do { + while (fgets(buf, MAX_BUF, fp)) { if (strncmp(buf, "mnt_id:", 7) == 0) { - char *ptr = buf + 7; - while (*ptr != '\0' && (*ptr == ' ' || *ptr == '\t')) { - ptr++; - } - if (*ptr == '\0') + if (sscanf(buf + 7, "%d", &rv) != 1) goto errexit; - fclose(fp); - close(fd); - return atoi(ptr); + break; } - } while (fgets(buf, MAX_BUF, fp)); + } - // fallback, kernels older than 3.15 don't expose the mount id in this place + free(proc); fclose(fp); - close(fd); - return -2; + return rv; errexit: fprintf(stderr, "Error: cannot read proc file\n"); -- cgit v1.2.3-54-g00ecf From a78d014660d8a1daaea95f11da399c2e2305cc63 Mon Sep 17 00:00:00 2001 From: smitsohu Date: Tue, 5 Oct 2021 18:11:50 +0200 Subject: mountinfo: get mount id from failed call to name_to_handle_at Enables recursive remounting on very old kernels, which has some relevance for SailfishOS community ports. --- src/firejail/mountinfo.c | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/src/firejail/mountinfo.c b/src/firejail/mountinfo.c index f1eb9c924..304f80eee 100644 --- a/src/firejail/mountinfo.c +++ b/src/firejail/mountinfo.c @@ -19,6 +19,7 @@ */ #include "firejail.h" +#include #include #ifndef O_PATH @@ -151,8 +152,35 @@ MountData *get_last_mount(void) { return &mdata; } -// Needs kernel 3.15 or better -int get_mount_id(int fd) { +// Returns mount id, or -1 if fd refers to a procfs or sysfs file +static int get_mount_id_from_handle(int fd) { + EUID_ASSERT(); + + char *proc; + if (asprintf(&proc, "/proc/self/fd/%d", fd) == -1) + errExit("asprintf"); + struct file_handle *fh = malloc(sizeof *fh); + if (!fh) + errExit("malloc"); + fh->handle_bytes = 0; + + int rv = -1; + int tmp; + if (name_to_handle_at(-1, proc, fh, &tmp, AT_SYMLINK_FOLLOW) != -1) { + fprintf(stderr, "Error: unexpected result from name_to_handle_at\n"); + exit(1); + } + if (errno == EOVERFLOW && fh->handle_bytes) + rv = tmp; + + free(proc); + free(fh); + return rv; +} + +// Returns mount id, or -1 on kernels < 3.15 +static int get_mount_id_from_fdinfo(int fd) { + EUID_ASSERT(); int rv = -1; char *proc; @@ -182,6 +210,13 @@ errexit: exit(1); } +int get_mount_id(int fd) { + int rv = get_mount_id_from_fdinfo(fd); + if (rv < 0) + rv = get_mount_id_from_handle(fd); + return rv; +} + // Check /proc/self/mountinfo if path contains any mounts points. // Returns an array that can be iterated over for recursive remounting. char **build_mount_array(const int mount_id, const char *path) { -- cgit v1.2.3-54-g00ecf