jailer: the chroot base dir is now a parameter

Jails no longer have to be somewhere in "/srv/jail", which is now just a
default. Instead, a different base directory can be specified using the
--chroot-base-dir command line parameter.

Signed-off-by: Alexandru Agache <[email protected]>

Author: alexandruag

jailer/src/env.rs

@@ -9,8 +9,6 @@ use libc;
 use super::cgroup::Cgroup;
 use super::{Error, JailerArgs, Result};
 
-const CHROOT_DIR_BASE: &str = "/srv/jailer";
-
 pub struct Env {
     cgroup: Cgroup,
     chroot_dir: PathBuf,
@@ -24,7 +22,8 @@ impl Env {
         let exec_file_name = args.exec_file_name()?;
         let cgroup = Cgroup::new(args.id, exec_file_name)?;
 
-        let mut chroot_dir = PathBuf::from(CHROOT_DIR_BASE);
+        let mut chroot_dir = PathBuf::from(&args.chroot_base_dir);
+
         chroot_dir.push(exec_file_name);
         chroot_dir.push(args.id);
         chroot_dir.push("root");

jailer/src/lib.rs

@@ -37,6 +37,7 @@ pub enum Error {
     Gid(String),
     Metadata(PathBuf, io::Error),
     NotAFile(PathBuf),
+    NotAFolder(PathBuf),
     OpenDevKvm(sys_util::Error),
     OpenDevNetTun(sys_util::Error),
     ReadLine(PathBuf, io::Error),
@@ -55,12 +56,19 @@ pub type Result<T> = result::Result<T, Error>;
 pub struct JailerArgs<'a> {
     id: &'a str,
     exec_file_path: PathBuf,
+    chroot_base_dir: PathBuf,
     uid: u32,
     gid: u32,
 }
 
 impl<'a> JailerArgs<'a> {
-    pub fn new(id: &'a str, exec_file: &'a str, uid: &str, gid: &str) -> Result<Self> {
+    pub fn new(
+        id: &'a str,
+        exec_file: &str,
+        chroot_base: &str,
+        uid: &str,
+        gid: &str,
+    ) -> Result<Self> {
         let exec_file_path =
             canonicalize(exec_file).map_err(|e| Error::Canonicalize(PathBuf::from(exec_file), e))?;
 
@@ -71,6 +79,16 @@ impl<'a> JailerArgs<'a> {
             return Err(Error::NotAFile(exec_file_path));
         }
 
+        let chroot_base_dir = canonicalize(chroot_base)
+            .map_err(|e| Error::Canonicalize(PathBuf::from(chroot_base), e))?;
+
+        if !metadata(&chroot_base_dir)
+            .map_err(|e| Error::Metadata(exec_file_path.clone(), e))?
+            .is_dir()
+        {
+            return Err(Error::NotAFolder(chroot_base_dir));
+        }
+
         let uid = uid.parse::<u32>()
             .map_err(|_| Error::Uid(String::from(uid)))?;
         let gid = gid.parse::<u32>()
@@ -79,6 +97,7 @@ impl<'a> JailerArgs<'a> {
         Ok(JailerArgs {
             id,
             exec_file_path,
+            chroot_base_dir,
             uid,
             gid,
         })
@@ -93,15 +112,14 @@ impl<'a> JailerArgs<'a> {
 
 pub fn run(args: JailerArgs) -> Result<()> {
     // We open /dev/kvm, /dev/tun, and create the listening socket. These file descriptors will be
-    // passed on to Firecracker post exec, and used as file descriptors 3, 4, and 5, respectively.
+    // passed on to Firecracker post exec, and used via knowing their values in advance.
 
     // TODO: use dup2 to make sure we're actually getting 3, 4, and 5?
 
     // TODO: can a malicious guest that takes over firecracker use its access to the KVM fd to
-    // starve  the host of resources? (cgroups should take care of that, but do they currently?)
+    // starve the host of resources? (cgroups should take care of that, but do they currently?)
 
-    // Safe because we use a constant nul-terminated string and verify the result. We should
-    // get our fd = 3 here.
+    // Safe because we use a constant null-terminated string and verify the result.
     let ret = unsafe { libc::open("/dev/kvm\0".as_ptr() as *const libc::c_char, libc::O_RDWR) };
     if ret < 0 {
         return Err(Error::OpenDevKvm(sys_util::Error::last()));
@@ -111,8 +129,7 @@ pub fn run(args: JailerArgs) -> Result<()> {
     }
 
     // TODO: is RDWR required for /dev/tun (most likely)?
-    // Safe because we use a constant nul-terminated string and verify the result. We should
-    // get our fd = 4 here.
+    // Safe because we use a constant null-terminated string and verify the result.
     let ret = unsafe {
         libc::open(
             "/dev/net/tun\0".as_ptr() as *const libc::c_char,
@@ -128,7 +145,6 @@ pub fn run(args: JailerArgs) -> Result<()> {
 
     let env = Env::new(args)?;
 
-    // We should get our fd = 5 here.
     let listener = UnixListener::bind(env.chroot_dir().join(SOCKET_FILE_NAME))
         .map_err(|e| Error::UnixListener(e))?;
 

src/bin/jailer.rs

@@ -34,7 +34,7 @@ fn main() -> jailer::Result<()> {
         .arg(
             Arg::with_name("exec_file")
                 .long("exec-file")
-                .help("File path to exec into")
+                .help("File path to exec into.")
                 .required(true)
                 .takes_value(true),
         )
@@ -52,12 +52,21 @@ fn main() -> jailer::Result<()> {
                 .required(true)
                 .takes_value(true),
         )
+        .arg(
+            Arg::with_name("chroot_base")
+                .long("chroot-base-dir")
+                .help("The base folder where chroot jails are located.")
+                .required(false)
+                .default_value("/srv/jailer")
+                .takes_value(true),
+        )
         .get_matches();
 
     // All arguments are either mandatory, or have default values, so the unwraps should not fail.
     let args = JailerArgs::new(
         cmd_arguments.value_of("id").unwrap(),
         cmd_arguments.value_of("exec_file").unwrap(),
+        cmd_arguments.value_of("chroot_base").unwrap(),
         cmd_arguments.value_of("uid").unwrap(),
         cmd_arguments.value_of("gid").unwrap(),
     )?;