jail: don't fail unless requirejail is set

Pass requirejail attribute to ujail and only fail to start a service
which has seccomp policy defined on a system which doesn't have
procd-seccomp installed in case requirejail is set.

Fixes: bcb8655 ("instance: add 'requirejail' attribute")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

diff --git a/jail/jail.c b/jail/jail.c
index 5a1c05b939729b42ea00213bfb17ae6f0842ce61..cc310aab0c9cc34691c5e8c76413e14babd01524 100644 (file)
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -40,7 +40,7 @@
 #include <libubus.h>
 
 #define STACK_SIZE     (1024 * 1024)
-#define OPT_ARGS       "S:C:n:h:r:w:d:psulocU:G:NR:fFO:T:"
+#define OPT_ARGS       "S:C:n:h:r:w:d:psulocU:G:NR:fFO:T:E"
 
 static struct {
        char *name;
@@ -61,6 +61,7 @@ static struct {
        int pw_uid;
        int pw_gid;
        int gr_gid;
+       int require_jail;
 } opts;
 
 
@@ -466,6 +467,7 @@ static void usage(void)
        fprintf(stderr, "  -R <dir>\texternal jail rootfs (system container)\n");
        fprintf(stderr, "  -O <dir>\tdirectory for r/w overlayfs\n");
        fprintf(stderr, "  -T <size>\tuse tmpfs r/w overlayfs with <size>\n");
+       fprintf(stderr, "  -E\t\tfail if jail cannot be setup\n");
        fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\
 and he has the same powers as root outside the jail,\n\
 thus he can escape the jail and/or break stuff.\n\
@@ -715,6 +717,9 @@ int main(int argc, char **argv)
                case 'T':
                        opts.tmpoverlaysize = optarg;
                        break;
+               case 'E':
+                       opts.require_jail = 1;
+                       break;
                }
        }
 
@@ -754,7 +759,8 @@ int main(int argc, char **argv)
 
        if (opts.namespace && opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) {
                ERROR("failed to load libpreload-seccomp.so\n");
-               return -1;
+               if (opts.require_jail)
+                       return -1;
        }
 
        if (opts.name)

diff --git a/service/instance.c b/service/instance.c
index 47d563cf9c0ebf27fc36a9ae2c1953d296ace9d8..75fd91ff079076928b85fae1665b79bef3c60a3f 100644 (file)
--- a/service/instance.c
+++ b/service/instance.c
@@ -289,6 +289,9 @@ jail_run(struct service_instance *in, char **argv)
                argv[argc++] = in->tmpoverlaysize;
        }
 
+       if (in->require_jail)
+               argv[argc++] = "-E";
+
        blobmsg_list_for_each(&jail->mount, var) {
                const char *type = blobmsg_data(var->data);