author | Luke Shumaker <LukeShu@sbcglobal.net> | 2013-10-25 16:12:03 -0400 |
---|---|---|
committer | Luke Shumaker <LukeShu@sbcglobal.net> | 2013-10-26 17:17:58 -0400 |
commit | 385bcfb56e1b4a358ede978c4fc9f5133b3041a9 (patch) | |
tree | 8f7005957d5600aa2f37a9386e2ca4402248863d | |
parent | 112e29d6823993a116d9399a3493250d6cb21c2b (diff) |
librechroot: check that copydir isn't mounted nosuid/noexec
-rwxr-xr-x | src/chroot-tools/librechroot | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/chroot-tools/librechroot b/src/chroot-tools/librechroot
index 7c1c5a0..ccd8273 100755
--- a/src/chroot-tools/librechroot
+++ b/src/chroot-tools/librechroot
@@ -174,6 +174,13 @@ calculate_directories() {
 declare -p copydir
 }
+check_mountpoint() {
+ local file=$1
+ local mountpoint="$(df -P "$file"|sed '1d;s/.*\s//')"
+ local mountopts=($(LANG=C mount|awk "{ if (\$3==\"$mountpoint\") { gsub(/[(,)]/, \" \", \$6); print \$6 } }"))
+ ! in_array nosuid "${mountopts[@]}" && ! in_array noexec "${mountopts[@]}"
+}
+
 arch_nspawn_flags=()
 sysd_nspawn_flags=()
 arch-nspawn() {
@@ -271,6 +278,11 @@ main() {
 lock 9 "$copydir.lock" \
 "Waiting for existing lock on chroot copy to be released: [%s]" "$COPY"
+ if ! check_mountpoint "$copydir.lock"; then
+ error "Chroot copy is mounted with nosuid or noexec options: [%s]" "$COPY"
+ return 1
+ fi
+
 if [[ ! -d $rootdir ]]; then
 msg "Creating 'root' copy for chroot [%s]" "$CHROOT"
 set +u # if an array is empty, it counts as unbound |
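Review bot: `check_mountpoint` fails open: whenever the `df | sed` and `mount | awk` text parsing finds no matching line, `mountopts` is empty and the function reports the mount as acceptable. A mount point containing whitespace is enough to cause this, because the `sed` expression keeps only the last whitespace-separated token and awk's `$3` holds only the first word of the path. `$mountpoint` is also spliced into the awk program text, so a path containing `"` or `\` changes the program rather than the comparison. Where util-linux `findmnt` is available, asking for the options directly and treating a lookup failure as an error avoids both problems: `local opts; opts=$(findmnt -nro OPTIONS -T "$file") || return 1` followed by `[[ ",$opts," != *,nosuid,* && ",$opts," != *,noexec,* ]]`. `in_array` is defined outside this hunk.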
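Review bot: The new check in `main` tests `"$copydir.lock"`, a sibling of the chroot copy, so it inspects the filesystem holding the lock file rather than the copy itself. If `$copydir` is its own mount point, a `nosuid` or `noexec` mount there would pass unnoticed while the error text claims the chroot copy was checked. The lock path was presumably chosen because `$copydir` may not exist yet at this point; that deserves a comment such as `# $copydir may not exist yet; test the filesystem that holds its lock file`. The copy can also be checked once it is present: `if ! check_mountpoint "$copydir.lock" || { [[ -d $copydir ]] && ! check_mountpoint "$copydir"; }; then`. `main` continues outside the hunk, so where the copy is created is not visible here.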