1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
#include "HsFFI.h"
#if defined(__GLASGOW_HASKELL__)
#include "Main_stub.h"
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>
/*
* The unshare call with CLONE_NEWUSER needs to happen before starting
* additional threads, which means before initializing the Haskell RTS.
* To achieve that, replace Haskell main with a custom one here that does
* the unshare work and then executes the Haskell code.
*/
static bool writeProcSelfFile( const char * file, const char * data, size_t size )
{
char path[ 256 ];
if( snprintf( path, sizeof( path ), "/proc/self/%s", file )
>= sizeof( path ) ){
fprintf( stderr, "buffer too small\n" );
return false;
}
int fd = open( path, O_WRONLY );
if( fd < 0 ){
fprintf( stderr, "failed to open %s: %s", path, strerror( errno ));
return false;
}
ssize_t written = write( fd, data, size );
if( written < 0 )
fprintf( stderr, "failed to write to %s: %s\n", path, strerror( errno ));
close( fd );
return written == size;
}
int main( int argc, char * argv[] )
{
uid_t uid = geteuid();
gid_t gid = getegid();
unshare( CLONE_NEWUSER | CLONE_NEWNET | CLONE_NEWNS );
char buf[ 256 ];
int len;
len = snprintf( buf, sizeof( buf ), "%d %d %d\n", 0, uid, 1 );
if( len >= sizeof( buf ) ){
fprintf( stderr, "buffer too small\n" );
return 1;
}
if ( ! writeProcSelfFile( "uid_map", buf, len ) )
return 1;
if ( ! writeProcSelfFile( "setgroups", "deny\n", 5 ) )
return 1;
len = snprintf( buf, sizeof( buf ), "%d %d %d\n", 0, gid, 1 );
if( len >= sizeof( buf ) ){
fprintf( stderr, "buffer too small\n" );
return 1;
}
if ( ! writeProcSelfFile( "gid_map", buf, len ) )
return 1;
mount( "tmpfs", "/run", "tmpfs", 0, "size=4m" );
hs_init( &argc, &argv );
testerMain();
hs_exit();
return 0;
}
|