summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLuke Shumaker <LukeShu@sbcglobal.net>2013-10-25 16:12:03 -0400
committerLuke Shumaker <LukeShu@sbcglobal.net>2013-10-26 17:17:58 -0400
commit385bcfb56e1b4a358ede978c4fc9f5133b3041a9 (patch)
tree8f7005957d5600aa2f37a9386e2ca4402248863d
parent112e29d6823993a116d9399a3493250d6cb21c2b (diff)
librechroot: check that copydir isn't mounted nosuid/noexec
-rwxr-xr-xsrc/chroot-tools/librechroot12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/chroot-tools/librechroot b/src/chroot-tools/librechroot
index 7c1c5a0..ccd8273 100755
--- a/src/chroot-tools/librechroot
+++ b/src/chroot-tools/librechroot
@@ -174,6 +174,13 @@ calculate_directories() {
declare -p copydir
}
+check_mountpoint() {
+ local file=$1
+ local mountpoint="$(df -P "$file"|sed '1d;s/.*\s//')"
+ local mountopts=($(LANG=C mount|awk "{ if (\$3==\"$mountpoint\") { gsub(/[(,)]/, \" \", \$6); print \$6 } }"))
+ ! in_array nosuid "${mountopts[@]}" && ! in_array noexec "${mountopts[@]}"
+}
+
arch_nspawn_flags=()
sysd_nspawn_flags=()
arch-nspawn() {
@@ -271,6 +278,11 @@ main() {
lock 9 "$copydir.lock" \
"Waiting for existing lock on chroot copy to be released: [%s]" "$COPY"
+ if ! check_mountpoint "$copydir.lock"; then
+ error "Chroot copy is mounted with nosuid or noexec options: [%s]" "$COPY"
+ return 1
+ fi
+
if [[ ! -d $rootdir ]]; then
msg "Creating 'root' copy for chroot [%s]" "$CHROOT"
set +u # if an array is empty, it counts as unbound