1 // $Id: secure-mount.c 2833 2009-04-10 20:24:04Z dhozac $ --*- c++ -*--
3 // Copyright (C) 2003 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
5 // This program is free software; you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation; version 2 of the License.
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
14 // You should have received a copy of the GNU General Public License
15 // along with this program; if not, write to the Free Software
16 // Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19 // secure-mount <general mount(8) options> [--chroot]
20 // [--mtab <mtabfile>] [--fstab <fstabfile>]
22 // Executes mount-operations under the current directory: it assumes sources
23 // in the current root-dir while destinations are expected in the chroot
32 #include "pathconfig.h"
34 #include <lib/internal.h>
45 #include <sys/mount.h>
47 #include <sys/types.h>
57 #define ENSC_WRAPPERS_FCNTL 1
58 #define ENSC_WRAPPERS_UNISTD 1
61 #define MNTPOINT "/etc"
63 typedef enum { rfsYES, rfsNO, rfsONLY } RootFsOption;
88 #define OPTION_BIND 1024
89 #define OPTION_MOVE 1025
90 #define OPTION_MTAB 1026
91 #define OPTION_FSTAB 1027
92 #define OPTION_CHROOT 1028
93 #define OPTION_SECURE 1029
94 #define OPTION_RBIND 1030
95 #define OPTION_ROOTFS 1031
97 #define XFLAG_NOAUTO 0x01
99 static struct option const
100 CMDLINE_OPTIONS[] = {
101 { "help", no_argument, 0, 'h' },
102 { "version", no_argument, 0, 'v' },
103 { "bind", no_argument, 0, OPTION_BIND },
104 { "move", no_argument, 0, OPTION_MOVE },
105 { "mtab", required_argument, 0, OPTION_MTAB },
106 { "fstab", required_argument, 0, OPTION_FSTAB },
107 { "rootfs", required_argument, 0, OPTION_ROOTFS },
108 { "chroot", no_argument, 0, OPTION_CHROOT },
109 { "secure", no_argument, 0, OPTION_SECURE },
110 { "rbind", no_argument, 0, OPTION_RBIND },
115 # define MS_REC 0x4000
118 static struct FstabOption {
119 char const * const opt;
120 unsigned long const flag;
121 unsigned long const mask;
122 unsigned long const xflag;
124 } const FSTAB_OPTIONS[] = {
125 { "defaults", MS_NODEV, (MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|
126 MS_SYNCHRONOUS), 0, false },
127 { "rbind", MS_BIND|MS_REC, MS_BIND|MS_REC, 0, false },
128 { "bind", MS_BIND, MS_BIND, 0, false },
129 { "move", MS_MOVE, MS_MOVE, 0, false },
130 { "async", 0, MS_SYNCHRONOUS, 0, false },
131 { "sync", MS_SYNCHRONOUS, MS_SYNCHRONOUS, 0, false },
132 { "atime", 0, MS_NOATIME, 0, false },
133 { "noatime", MS_NOATIME, MS_NOATIME, 0, false },
134 { "dev", 0, MS_NODEV, 0, false },
135 { "nodev", MS_NODEV, MS_NODEV, 0, false },
136 { "exec", 0, MS_NOEXEC, 0, false },
137 { "noexec", MS_NOEXEC, MS_NOEXEC, 0, false },
138 { "suid", 0, MS_NOSUID, 0, false },
139 { "nosuid", MS_NOSUID, MS_NOSUID, 0, false },
140 { "ro", MS_RDONLY, MS_RDONLY, 0, false },
141 { "rw", 0, MS_RDONLY, 0, false },
143 { "remount", MS_REMOUNT, MS_REMOUNT, 0, false },
144 { "users", MS_NOEXEC|MS_NOSUID|MS_NODEV,
145 MS_NOEXEC|MS_NOSUID|MS_NODEV, 0, false },
146 { "mandlock", MS_MANDLOCK, MS_MANDLOCK, 0, false },
147 { "nodiratime", MS_NODIRATIME, MS_NODIRATIME, 0, false },
149 { "dirsync", MS_DIRSYNC, MS_DIRSYNC, 0, false },
151 { "_netdev", 0, 0, 0, false },
152 { "auto", 0, 0, 0, false },
153 { "noauto", 0, 0, XFLAG_NOAUTO, false },
154 { "user", 0, 0, 0, false },
155 { "nouser", 0, 0, 0, false },
156 { "rec", MS_REC, MS_REC, 0, false },
157 { "unbindable", MS_UNBINDABLE, MS_UNBINDABLE, 0, false },
158 { "private", MS_PRIVATE, MS_PRIVATE, 0, false },
159 { "slave", MS_SLAVE, MS_SLAVE, 0, false },
160 { "shared", MS_SHARED, MS_SHARED, 0, false },
163 int wrapper_exit_code = 1;
166 showHelp(int fd, char const *cmd, int res)
168 VSERVER_DECLARE_CMD(cmd);
170 WRITE_MSG(fd, "Usage: ");
173 " [--help] [--version] [--bind] [--move] [--rbind] [-t <type>] [--chroot]\n"
174 " [--mtab <filename>] [--fstab <filename>] [--rootfs yes|no|only]\n"
175 " [-n] -a|([-o <options>] [--] <src> <dst>)\n\n"
176 "Executes mount-operations under the current directory: it assumes sources in\n"
177 "the current root-dir while destinations are expected in the chroot environment.\n\n"
178 "For non-trivial mount-operations it uses the external 'mount' program which\n"
179 "can be overridden by the $MOUNT environment variable.\n\n"
181 " --bind|move|rbind ... set the correspond flags; with this options\n"
182 " the mount will be executed internally without\n"
183 " calling an external mount program.\n"
184 " -t <type> ... assume the given filesystem type\n"
185 " -o <options> ... set additional options; see mount(2) for details\n"
186 " -n ... do not update the mtab-file\n"
187 " --mtab <filename> ... use <filename> as an alternative mtab file\n"
188 " [default: /etc/mtab]\n"
189 " --chroot ... chroot into the current directory before\n"
190 " mounting the filesystem\n"
191 " --fstab <filename> ... use <filename> as an alternative fstab file;\n"
192 " this option has an effect only with the '-a'\n"
193 " option [default: /etc/fstab]\n"
194 " --rootfs yes|no|only ... specifies how to handle an entry for a rootfs\n"
195 " ('/') when processing an fstab file. 'yes' will\n"
196 " mount it among the other entries, 'only' will\n"
197 " mount only the rootfs entry, and 'no' will ignore\n"
198 " it and mount only the other entries [default: yes]\n"
199 " -a ... mount everything listed in the fstab-file\n\n"
200 " <src> ... the source-filesystem; this path is absolute\n"
201 " to the current root-filesystem. Only valid\n"
202 " without the '-a' option.\n"
203 " <dst> ... the destination mount-point; when used with\n"
204 " '--chroot', this path is relative to the current\n"
205 " directory. Only valid without the '-a' option\n\n"
206 "Please report bugs to " PACKAGE_BUGREPORT "\n");
215 "secure-mount " VERSION " -- secure mounting of directories\n"
216 "This program is part of " PACKAGE_STRING "\n\n"
217 "Copyright (C) 2003 Enrico Scholz\n"
218 VERSION_COPYRIGHT_DISCLAIMER);
223 isSameObject(struct stat const *lhs,
224 struct stat const *rhs)
226 return (lhs->st_dev==rhs->st_dev &&
227 lhs->st_ino==rhs->st_ino);
233 if (fchdir(fd)==-1 || chroot(".")==-1) return -1;
238 writeX(int fd, void const *buf, size_t len)
240 if ((size_t)(write(fd, buf, len))!=len) return -1;
245 writeStrX(int fd, char const *str)
247 return writeX(fd, str, strlen(str));
250 static inline char const *
251 getType(struct MountInfo const *mnt)
253 if (mnt->type==0) return "none";
254 else if (strncmp(mnt->type, "ext", 3)==0) return "ufs";
255 else return mnt->type;
259 restoreRoot(struct Options const *opt)
261 if (opt->do_chroot!=0 && fchroot(opt->cur_rootdir_fd)==-1) {
262 perror("secure-mount: fchdir(\"/\")");
263 WRITE_MSG(2, "Failed to restore root-directory; aborting\n");
269 updateMtab(struct MountInfo const *mnt, struct Options const *opt)
273 assert(opt->mtab!=0);
275 if (opt->do_chroot && fchroot(opt->cur_dir_fd)==-1) {
276 perror("secure-mount: fchroot(\".\")");
280 fd=open(opt->mtab, O_CREAT|O_APPEND|O_WRONLY, 0644);
283 perror("secure-mount: open(<mtab>)");
287 if (lockf(fd, F_LOCK, 0)==-1) {
288 perror("secure-mount: lockf()");
292 if (writeStrX(fd, mnt->src)==-1 ||
293 writeStrX(fd, " ")==-1 ||
294 writeStrX(fd, mnt->dst)==-1 ||
295 writeStrX(fd, " ")==-1 ||
296 writeStrX(fd, getType(mnt))==-1 ||
297 writeStrX(fd, " ")==-1 ||
298 writeStrX(fd, mnt->data ? mnt->data : "defaults")==-1 ||
299 writeStrX(fd, " 0 0\n")==-1) {
300 perror("secure-mount: write()");
313 callExternalMount(struct MountInfo const *mnt)
315 char const * argv[10];
319 char const * mount_prog = getenv("MOUNT");
321 if (mount_prog==0) mount_prog = MOUNT_PROG;
323 argv[idx++] = mount_prog;
325 if (mnt->flag & MS_BIND) argv[idx++] = "--bind";
326 else if (mnt->flag & MS_MOVE) argv[idx++] = "--move";
329 if (mnt->data && *mnt->data &&
330 strcmp(mnt->data, "defaults")!=0) {
331 if (mnt->mask & MS_NODEV)
332 argv[idx++] = mnt->data;
334 char * tmp = alloca(strlen(mnt->data) + sizeof("nodev,"));
335 strcpy(tmp, "nodev,");
336 strcat(tmp, mnt->data);
341 argv[idx++] = "nodev";
345 argv[idx++] = mnt->type;
348 argv[idx++] = mnt->src;
354 perror("secure-mount: fork()");
359 execv(mount_prog, const_cast(char **)(argv));
360 PERROR_Q("secure-mount: execv", mount_prog);
364 if (wait4(pid, &status, 0, 0)==-1) {
365 perror("secure-mount: wait4()");
369 return (WIFEXITED(status)) && (WEXITSTATUS(status)==0);
373 secureChdir(char const *dir, struct Options const *opt)
378 if (opt->do_chroot!=0 && fchroot(opt->cur_dir_fd)==-1) {
379 perror("secure-mount: fchroot(\".\")");
383 if (chdir(dir)==-1) {
384 PERROR_Q("secure-mount: chdir", dir);
388 dir_fd = open(".", O_RDONLY|O_DIRECTORY);
390 perror("secure-mount: open(\".\")");
395 if (fchdir(dir_fd)==-1)
396 PERROR_Q("secure-mount: fchdir", dir);
409 canHandleInternal(struct MountInfo const *mnt)
411 static char const * FS[] = {
412 "tmpfs", "sysfs", "proc", "sockfs", "pipefs", "futexfs",
413 "inotifyfs", "devpts", "ext3", "ext2", "ramfs",
414 "hugetlbfs", "usbfs", "binfmt_misc",
419 if (!mnt) return false;
420 else if ((mnt->flag & (MS_BIND|MS_MOVE))) return true;
421 else if ((mnt->flag & (MS_SHARED|MS_SLAVE|MS_PRIVATE|
422 MS_UNBINDABLE))) return true;
423 else if (mnt->type==0) return false;
425 for (i=FS+0; *i!=0; ++i)
426 if (strcmp(mnt->type, *i)==0) return true;
432 mountSingle(struct MountInfo const *mnt, struct Options const *opt)
436 if (!secureChdir(mnt->dst, opt))
439 if (canHandleInternal(mnt)) {
440 if (mount(mnt->src, ".",
441 mnt->type ? mnt->type : "",
442 mnt->flag, mnt->data_parsed)==-1) {
443 perror("secure-mount: mount()");
446 if ((mnt->flag & MS_BIND) &&
447 (mnt->flag & ~(MS_BIND|MS_REC))) {
448 /* This is needed to put us in the new mountpoint */
449 if (!secureChdir(mnt->dst, opt))
451 if (mount(mnt->src, ".",
452 mnt->type ? mnt->type : "",
453 (mnt->flag | MS_REMOUNT), NULL) == -1 &&
454 errno != EBUSY) { /* Returned on older kernels */
455 perror("secure-mount: mount()");
460 else if (!callExternalMount(mnt))
463 if (!opt->ignore_mtab &&
464 updateMtab(mnt, opt)==-1) {
465 WRITE_MSG(2, "Failed to update mtab-file\n");
472 static struct FstabOption const *
473 searchOption(char const *opt, size_t len)
475 struct FstabOption const * i;
476 for (i=FSTAB_OPTIONS+0; i<FSTAB_OPTIONS+DIM_OF(FSTAB_OPTIONS); ++i)
477 if (strncmp(i->opt, opt, len)==0) return i;
483 transformOptionList(struct MountInfo *info, size_t UNUSED *col)
485 char const * ptr = info->data;
486 char * data = malloc(strlen(info->data));
490 char const * pos = strchr(ptr, ',');
491 struct FstabOption const * opt;
493 if (pos==0) pos = ptr+strlen(ptr);
494 opt = searchOption(ptr, pos-ptr);
497 info->flag &= ~opt->mask;
498 info->flag |= opt->flag;
499 info->mask |= opt->mask;
500 info->xflag |= opt->xflag;
505 strncpy(dst, ptr, pos-ptr);
515 } while (*ptr!='\0');
517 info->data_parsed = data;
521 #define MOVE_TO_NEXT_FIELD(PTR,ALLOW_EOL) \
522 while (!isspace(*PTR) && *PTR!='\0') ++PTR; \
523 if (col) *col = buf-start_buf+1; \
524 if (!(ALLOW_EOL) && *PTR=='\0') return prFAIL; \
526 while (isspace(*PTR)) ++PTR
528 static enum {prDOIT, prFAIL, prIGNORE}
529 parseFstabLine(struct MountInfo *info, char *buf, size_t *col)
531 char const * const start_buf = buf;
534 while (isspace(*buf)) ++buf;
535 if (*buf=='#' || *buf=='\0') return prIGNORE;
538 MOVE_TO_NEXT_FIELD(buf, false);
540 MOVE_TO_NEXT_FIELD(buf, false);
542 MOVE_TO_NEXT_FIELD(buf, false);
543 err_col = buf-start_buf+1;
545 MOVE_TO_NEXT_FIELD(buf, true);
547 info->flag = MS_NODEV;
551 if (strcmp(info->type, "swap") ==0) return prIGNORE;
552 else if (strcmp(info->type, "none") ==0) info->type = 0;
553 else if (strcmp(info->type, "devpts")==0) {
554 info->mask |= MS_NODEV;
555 info->flag &= ~MS_NODEV;
558 if (col) *col = err_col;
559 if (!transformOptionList(info,col)) return prFAIL;
560 if (info->xflag & XFLAG_NOAUTO) return prIGNORE;
565 #undef MOVE_TO_NEXT_FIELD
568 showFstabPosition(int fd, char const *fname, size_t line_nr, size_t col_nr)
570 char buf[3*sizeof(line_nr)*2 + 4];
571 size_t len = utilvserver_fmt_uint(buf+1, line_nr)+1;
575 len += utilvserver_fmt_uint(buf+len, col_nr);
576 WRITE_STR(fd, fname);
577 Vwrite(fd, buf, len);
582 mountFstab(struct Options const *opt)
588 assert(opt->fstab!=0);
589 fd = open(opt->fstab, O_RDONLY);
591 perror("secure-mount: open(<fstab>)");
595 len = lseek(fd, 0, SEEK_END);
597 lseek(fd, 0, SEEK_SET)==-1) {
598 perror("secure-mount: lseek(<fstab>)");
605 size_t line_nr=0, col_nr;
607 if (read(fd, buf, len+1)!=len) {
608 perror("secure-mount: read()");
611 buf[len] = '#'; // workaround for broken dietlibc strtok_r()
616 while ((ptr=strsep(&ptrptr, "\n")) != 0) {
617 struct MountInfo mnt;
620 switch (parseFstabLine(&mnt, ptr, &col_nr)) {
622 showFstabPosition(2, opt->fstab, line_nr, col_nr);
623 WRITE_MSG(2, ": syntax error\n");
626 case prIGNORE : break;
628 bool is_rootfs = (strcmp(mnt.dst, "/")==0);
630 if (( is_rootfs && opt->rootfs==rfsNO) ||
631 (!is_rootfs && opt->rootfs==rfsONLY)) { /* ignore the entry */ }
632 else if (!mountSingle(&mnt, opt)) {
633 showFstabPosition(2, opt->fstab, line_nr, 1);
634 WRITE_MSG(2, ": failed to mount fstab-entry\n");
651 initFDs(struct Options *opt)
653 opt->cur_dir_fd = Eopen(".", O_RDONLY|O_DIRECTORY, 0);
654 opt->cur_rootdir_fd = Eopen("/", O_RDONLY|O_DIRECTORY, 0);
656 Efcntl(opt->cur_dir_fd, F_SETFD, FD_CLOEXEC);
657 Efcntl(opt->cur_rootdir_fd, F_SETFD, FD_CLOEXEC);
661 parseRootFS(char const *str)
663 if (strcasecmp(str, "yes")==0) return rfsYES;
664 else if (strcasecmp(str, "no")==0) return rfsNO;
665 else if (strcasecmp(str, "only")==0) return rfsONLY;
667 WRITE_MSG(2, "secure-mount: invalid option for '--rootfs': '");
670 exit(wrapper_exit_code);
674 int main(int argc, char *argv[])
676 struct MountInfo mnt = {
685 struct Options opt = {
687 .fstab = "/etc/fstab",
689 .ignore_mtab = false,
692 .cur_rootdir_fd = -1,
697 int c = getopt_long(argc, argv, "ht:nao:", CMDLINE_OPTIONS, 0);
701 case 'h' : showHelp(1, argv[0], 0);
702 case 'v' : showVersion();
703 case 't' : mnt.type = optarg; break;
704 case 'n' : opt.ignore_mtab = true; break;
705 case 'a' : opt.mount_all = true; break;
706 case 'o' : mnt.data = optarg; break;
707 case OPTION_RBIND : mnt.flag |= MS_REC; /*@fallthrough@*/
708 case OPTION_BIND : mnt.flag |= MS_BIND; break;
709 case OPTION_MOVE : mnt.flag |= MS_MOVE; break;
710 case OPTION_MTAB : opt.mtab = optarg; break;
711 case OPTION_FSTAB : opt.fstab = optarg; break;
712 case OPTION_CHROOT: opt.do_chroot = true; break;
713 case OPTION_ROOTFS: opt.rootfs = parseRootFS(optarg); break;
715 WRITE_MSG(2, "secure-mount: The '--secure' option is deprecated...\n");
718 WRITE_MSG(2, "Try '");
719 WRITE_STR(2, argv[0]);
720 WRITE_MSG(2, " --help' for more information.\n");
727 if (opt.mount_all && optind<argc) {
728 WRITE_MSG(2, "Can not specify <src> and '-a' at the same time\n");
733 signal(SIGCHLD, SIG_DFL);
736 if (!mountFstab(&opt)) return EXIT_FAILURE;
737 else return EXIT_SUCCESS;
740 if (optind+2!=argc) {
741 WRITE_MSG(2, "Invalid <src> <dst> pair specified\n");
746 mnt.data = strdup(mnt.data);
747 if (!transformOptionList(&mnt, 0)) {
748 WRITE_MSG(2, "Invalid options specified\n");
753 mnt.src = argv[optind++];
754 mnt.dst = argv[optind++];
756 if (!mountSingle(&mnt, &opt)) return EXIT_FAILURE;