summary refs log tree commit diff
path: root/src/plugin/mod.rs
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugin/mod.rs')
-rw-r--r--src/plugin/mod.rs28
1 files changed, 22 insertions, 6 deletions
diff --git a/src/plugin/mod.rs b/src/plugin/mod.rs
index 6a22494..750f22b 100644
--- a/src/plugin/mod.rs
+++ b/src/plugin/mod.rs
@@ -60,7 +60,7 @@ pub enum Error {
     MountPlugin(io_jail::Error),
     MountPluginLib(io_jail::Error),
     MountRoot(io_jail::Error),
-    NoVarEmpty,
+    NoRootDir,
     ParsePivotRoot(io_jail::Error),
     ParseSeccomp(io_jail::Error),
     PluginFailed(i32),
@@ -76,6 +76,8 @@ pub enum Error {
     PluginWait(SysError),
     Poll(SysError),
     PollContextAdd(SysError),
+    RootNotAbsolute,
+    RootNotDir,
     SetGidMap(io_jail::Error),
     SetUidMap(io_jail::Error),
     SigChild {
@@ -121,7 +123,7 @@ impl fmt::Display for Error {
             Error::MountPlugin(ref e) => write!(f, "failed to mount: {}", e),
             Error::MountPluginLib(ref e) => write!(f, "failed to mount: {}", e),
             Error::MountRoot(ref e) => write!(f, "failed to mount: {}", e),
-            Error::NoVarEmpty => write!(f, "no /var/empty for jailed process to pivot root into"),
+            Error::NoRootDir => write!(f, "no root directory for jailed process to pivot root into"),
             Error::ParsePivotRoot(ref e) => write!(f, "failed to set jail pivot root: {}", e),
             Error::ParseSeccomp(ref e) => write!(f, "failed to parse jail seccomp filter: {}", e),
             Error::PluginFailed(ref e) => write!(f, "plugin exited with error: {}", e),
@@ -143,6 +145,8 @@ impl fmt::Display for Error {
             Error::PluginWait(ref e) => write!(f, "error waiting for plugin to exit: {:?}", e),
             Error::Poll(ref e) => write!(f, "failed to poll all FDs: {:?}", e),
             Error::PollContextAdd(ref e) => write!(f, "failed to add fd to poll context: {:?}", e),
+            Error::RootNotAbsolute => write!(f, "path to the root directory must be absolute"),
+            Error::RootNotDir => write!(f, "specified root directory is not a directory"),
             Error::SetGidMap(ref e) => write!(f, "failed to set gidmap for jail: {}", e),
             Error::SetUidMap(ref e) => write!(f, "failed to set uidmap for jail: {}", e),
             Error::SigChild {
@@ -423,13 +427,25 @@ pub fn run_config(cfg: Config) -> Result<()> {
 
     let jail = if cfg.multiprocess {
         // An empty directory for jailed plugin pivot root.
-        let empty_root_path = Path::new("/var/empty");
-        if !empty_root_path.exists() {
-            return Err(Error::NoVarEmpty);
+        let root_path = match cfg.plugin_root {
+            Some(ref dir) => Path::new(dir),
+            None => Path::new("/var/empty"),
+        };
+
+        if root_path.is_relative() {
+            return Err(Error::RootNotAbsolute);
+        }
+
+        if !root_path.exists() {
+            return Err(Error::NoRootDir);
+        }
+
+        if !root_path.is_dir() {
+            return Err(Error::RootNotDir);
         }
 
         let policy_path = cfg.seccomp_policy_dir.join("plugin.policy");
-        let jail = create_plugin_jail(empty_root_path, &policy_path)?;
+        let jail = create_plugin_jail(root_path, &policy_path)?;
         Some(jail)
     } else {
         None
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-23 21:21:21 +0000