Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add fakeroot - combined mount and chroot to create a docker-like view on the filesystem #36

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Add fakeroot - combined mount and chroot to create a docker-like view on the filesystem #36

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b8b21a1
Add fakeroot - combined mount and chroot.
Mar 1, 2025
2b13c29
Add tmpfs support to fakeroot
Mar 1, 2025
8fe8800
Add files/devices and subdirectories to fakeroot
Mar 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions examples/fakeroot.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
extern crate unshare;

use std::process::exit;


fn main() {
let mut cmd = unshare::Command::new("/usr/bin/ls");
cmd.arg("-l");
cmd.arg("/");

cmd.fakeroot_enable("/dev/shm/sandbox_root");
cmd.fakeroot_mount("/bin", "/bin", true);
cmd.fakeroot_mount_file("/dev/urandom", "/dev/urandom", false);
cmd.fakeroot_mount("/etc", "/etc", true);
cmd.fakeroot_mount("/lib", "/lib", true);
cmd.fakeroot_mount("/lib64", "/lib64", true);
cmd.fakeroot_filesystem("proc", "/proc");
cmd.fakeroot_filesystem("tmpfs", "/tmp");
cmd.fakeroot_mount("/usr", "/usr", true);
cmd.current_dir("/");

match cmd.status().unwrap() {
// propagate signal
unshare::ExitStatus::Exited(x) => exit(x as i32),
unshare::ExitStatus::Signaled(x, _) => exit((128+x as i32) as i32),
}
}
10 changes: 10 additions & 0 deletions src/child.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ use libc::{SIG_DFL, SIG_SETMASK};

use crate::run::{ChildInfo, MAX_PID_LEN};
use crate::error::ErrorCode as Err;
use crate::fakeroot::build_fakeroot;

// And at this point we've reached a special time in the life of the
// child. The child must now be considered hamstrung and unable to
Expand Down Expand Up @@ -143,6 +144,15 @@ pub unsafe fn child_after_clone(child: &ChildInfo) -> ! {
}
});

child.cfg.fake_root_base.as_ref().map(|base| {
if !build_fakeroot(base,
child.cfg.fake_root_mkdirs.as_ref(),
child.cfg.fake_root_touchs.as_ref(),
child.cfg.fake_root_mounts.as_ref()) {
fail(Err::ChangeRoot, epipe);
}
});

child.keep_caps.as_ref().map(|caps| {
let header = ffi::CapsHeader {
version: ffi::CAPS_V3,
Expand Down
9 changes: 9 additions & 0 deletions src/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ use nix::sys::signal::{Signal, SIGKILL};
use nix::sched::CloneFlags;
use libc::{uid_t, gid_t};

use crate::fakeroot::{FakeRootMount};
use crate::idmap::{UidMap, GidMap};
use crate::namespace::Namespace;
use crate::stdio::Closing;
Expand All @@ -23,6 +24,10 @@ pub struct Config {
pub restore_sigmask: bool,
pub make_group_leader: bool,
// TODO(tailhook) session leader
pub fake_root_base: Option<CString>,
pub fake_root_mounts: Vec<FakeRootMount>,
pub fake_root_mkdirs: Vec<CString>,
pub fake_root_touchs: Vec<CString>,
}

impl Default for Config {
Expand All @@ -38,6 +43,10 @@ impl Default for Config {
setns_namespaces: HashMap::new(),
restore_sigmask: true,
make_group_leader: false,
fake_root_base: None,
fake_root_mounts: Vec::new(),
fake_root_mkdirs: Vec::new(),
fake_root_touchs: Vec::new(),
}
}
}
219 changes: 219 additions & 0 deletions src/fakeroot.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,219 @@
use crate::ffi_util::ToCString;
use crate::{Command, Namespace};
use libc::{
MNT_DETACH, MS_BIND, MS_PRIVATE, MS_RDONLY, MS_REC, MS_REMOUNT, O_CLOEXEC, O_CREAT, O_RDONLY,
};
use std::ffi::{c_char, c_void, CString};
use std::path::Path;

pub struct FakeRootMount {
mountpoint: CString,
mountpoint_outer: CString,
src: CString,
readonly: bool,
is_special_fs: bool, // "src" is a filesystem type like "proc" or "tmpfs"
}

impl Command {
/// Enable "fakeroot" - the command will be rooted in a custom root directory.
///
/// By default, the root directory is empty, share necessary directories with fakeroot_mount().
/// This will automatically unshare the mount namespace.
/// It might be necessary to also unshare the user namespace.
///
/// The "base" directory must be an empty directory, preferably on a tmpfs.
/// The directory will be created if missing.
/// "/dev/shm/unshare_root" should work fine, or "/run/user/<uid>/unshare_root".
///
/// Do NOT combine with manual pivot_root/chroot, fakeroot will take care of it.
pub fn fakeroot_enable(&mut self, base: &str) {
self.unshare(&[Namespace::Mount]);
self.config.fake_root_base = Some(base.to_cstring());
}

fn fakeroot_mkdir(&mut self, base: &str, dir: &Path) {
dir.parent().map(|parent_dir| {
if dir != parent_dir {
self.fakeroot_mkdir(base, parent_dir);
let outer_dir = format!("{}/{}", base, dir.to_str().unwrap());
self.config.fake_root_mkdirs.push(outer_dir.to_cstring());
}
});
}

/// Add an existing directory to the fakeroot.
///
/// fakeroot_enable() must be called first, otherwise this function will panic.
///
/// Example usage:
/// cmd.fakeroot_mount("/bin", "/bin", true);
/// cmd.fakeroot_mount("/etc", "/etc", true);
/// cmd.fakeroot_mount("/lib", "/lib", true);
/// cmd.fakeroot_mount("/lib64", "/lib64", true);
/// cmd.fakeroot_mount("/usr", "/usr", true);
pub fn fakeroot_mount<P: AsRef<Path>>(&mut self, src: P, dst: &str, readonly: bool) {
let base = self
.config
.fake_root_base
.as_ref()
.expect("call fakeroot_enable() first!")
.to_str()
.unwrap()
.to_owned();
self.fakeroot_mkdir(base.as_ref(), Path::new(dst));
self.config.fake_root_mounts.push(FakeRootMount {
mountpoint: dst.to_cstring(),
mountpoint_outer: format!("{}/{}", base, dst).to_cstring(),
src: src.as_ref().to_cstring(),
readonly,
is_special_fs: false,
});
}

/// Add an existing file or device to the fakeroot.
///
/// fakeroot_enable() must be called first, otherwise this function will panic.
///
/// Example usage:
/// cmd.fakeroot_mount_file("/dev/urandom", "/dev/urandom", false);
pub fn fakeroot_mount_file<P: AsRef<Path>>(&mut self, src: P, dst: &str, readonly: bool) {
let base = self
.config
.fake_root_base
.as_ref()
.expect("call fakeroot_enable() first!")
.to_str()
.unwrap()
.to_owned();
Path::new(dst).parent().map(|parent_dir| {
self.fakeroot_mkdir(base.as_ref(), parent_dir);
});
self.config
.fake_root_touchs
.push(format!("{}/{}", base, dst).to_cstring());
self.config.fake_root_mounts.push(FakeRootMount {
mountpoint: dst.to_cstring(),
mountpoint_outer: format!("{}/{}", base, dst).to_cstring(),
src: src.as_ref().to_cstring(),
readonly,
is_special_fs: false,
});
}

/// Add a new filesystem to the fakeroot.
///
/// fakeroot_enable() must be called first, otherwise this function will panic.
///
/// Example usage:
/// cmd.fakeroot_filesystem("tmpfs", "/tmp");
pub fn fakeroot_filesystem(&mut self, fstype: &str, dst: &str) {
let base = self
.config
.fake_root_base
.as_ref()
.expect("call fakeroot_enable() first!")
.to_str()
.unwrap()
.to_owned();
self.fakeroot_mkdir(base.as_ref(), Path::new(dst));
self.config.fake_root_mounts.push(FakeRootMount {
mountpoint: dst.to_cstring(),
mountpoint_outer: format!("{}/{}", base, dst).to_cstring(),
src: fstype.to_cstring(),
readonly: false,
is_special_fs: true,
});
}
}

/// This syscall sequence is more or less taken from nsjail (https://github.com/google/nsjail).
pub(crate) unsafe fn build_fakeroot(
base: &CString,
mkdirs: &[CString],
touchs: &[CString],
mountpoints: &[FakeRootMount],
) -> bool {
// define some libc constants
let null_char = 0 as *const c_char;
let null_void = 0 as *const c_void;
let slash = b"/\0".as_ptr() as *const c_char;
let dot = b".\0".as_ptr() as *const c_char;
let tmpfs = b"tmpfs\0".as_ptr() as *const c_char;

// keep all mount changes private
libc::mkdir(base.as_ptr(), 0o777);
if libc::mount(slash, slash, null_char, MS_PRIVATE | MS_REC, null_void) < 0 {
return false;
}

// create fakeroot filesystem
if libc::mount(null_char, base.as_ptr(), tmpfs, 0, null_void) < 0 {
return false;
}

// create mount points
for dir in mkdirs {
libc::mkdir(dir.as_ptr(), 0o777);
}
for file in touchs {
let fd = libc::open(file.as_ptr(), O_RDONLY | O_CREAT | O_CLOEXEC);
if fd >= 0 {
libc::close(fd);
}
}

// mount directories - still read-write (because MS_BIND + MS_RDONLY are not supported)
for mount in mountpoints {
let (src, fstype, flags) = if mount.is_special_fs {
(null_char, mount.src.as_ptr(), 0)
} else {
(mount.src.as_ptr(), null_char, MS_PRIVATE | MS_REC | MS_BIND)
};
if libc::mount(
src,
mount.mountpoint_outer.as_ptr(),
fstype,
flags,
null_void,
) < 0
{
return false;
}
}

// chroot jail (try pivot_root first, use classic chroot if not available)
if libc::syscall(libc::SYS_pivot_root, base.as_ptr(), base.as_ptr()) >= 0 {
libc::umount2(slash, MNT_DETACH);
} else {
libc::chdir(base.as_ptr());
libc::mount(dot, slash, null_char, 0, null_void);
if libc::chroot(dot) < 0 {
return false;
}
}

// make directories actually read-only
libc::mount(
slash,
slash,
null_char,
MS_REMOUNT | MS_BIND | MS_RDONLY,
null_void,
);
for mount in mountpoints {
if mount.readonly {
if libc::mount(
mount.mountpoint.as_ptr(),
mount.mountpoint.as_ptr(),
null_char,
MS_REMOUNT | MS_BIND | MS_RDONLY,
null_void,
) < 0
{
return false;
}
}
}

true
}
1 change: 1 addition & 0 deletions src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,7 @@ mod wait;
mod stdio;
mod debug;
mod zombies;
mod fakeroot;

pub use crate::error::Error;
pub use crate::status::ExitStatus;
Expand Down