-rwxr-xr-x | rainbow/bin/rainbow-run | 7 | ||||
-rw-r--r-- | rainbow/rainbow/inject.py | 7 | ||||
-rw-r--r-- | rainbow/rainbow/permissions/permlist.py | 5 |
3 files changed, 13 insertions, 6 deletions
diff --git a/rainbow/bin/rainbow-run b/rainbow/bin/rainbow-run
index 3b6c2ba..99eb16f 100755
--- a/rainbow/bin/rainbow-run
+++ b/rainbow/bin/rainbow-run
@@ -35,7 +35,7 @@ def main():
     parser.add_option('-i', '--id', default=[], action='append',
                       help="ID of shared-data group.")
     parser.add_option('-o', '--option', default=[], action='append',
-                      help="Options: video, audio, serial, constant-uid, xephyr.")
+                      help="Options: video, audio, serial, constant-uid, xephyr, network.")
     parser.add_option('-p', '--permissions', default=None,
                       help="Location of a permissions.info file.")
     parser.add_option('-u', '--user', default=None,
@@ -90,6 +90,9 @@ def main():
     def check_serial(opts):
         return 'serial' in opts.option
 
+    def check_network(opts):
+        return 'network' in opts.option
+
     def check_resume_user(opts):
         uid = None
         if opts.resume_user:
@@ -117,7 +120,7 @@ def main():
     pset = PermissionSet(opts.permissions or [])
 
     # Dirty hack -- pass 'constant-uid' and 'strace' in as permissions. <MS>
-    for perm in ('constant-uid', 'audio', 'video', 'serial'):
+    for perm in ('constant-uid', 'audio', 'video', 'serial', 'network'):
         pset._permissions.setdefault(perm, locals()['check_'+perm.replace('-','_')](opts))
 
     data_ids = check_data_ids(opts)
diff --git a/rainbow/rainbow/inject.py b/rainbow/rainbow/inject.py
index 4480114..f5195e4 100644
--- a/rainbow/rainbow/inject.py
+++ b/rainbow/rainbow/inject.py
@@ -11,6 +11,7 @@ from pwd import getpwuid
 import resource
 
 from rainbow.util import Checker, mount, make_dirs, get_fds, read_envdir
+from rainbow.util import unshare, CLONE_NEWNET
 
 def reserve_elt(pool_dir, elt, max_elt, incr, elt_name):
     fd = None
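Review bot: The comment above the loop in the @@ -117 hunk still says `pass 'constant-uid' and 'strace' in as permissions`, but the tuple it describes now carries constant-uid, audio, video, serial and network and no 'strace', so it misdescribes the line being changed. Replace it with `# Dirty hack -- expose each -o flag as a permission, resolved via the check_<name> helpers defined above.` Because the values go in through `setdefault`, an entry already present in the set (presumably loaded from permissions.info by PermissionSet) wins over the command-line flag; if that precedence is intended, a short clause in the --option help text edited in the @@ -35 hunk would save users from wondering why `-o network` had no effect. The enclosing main() starts and ends outside these hunks.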
@@ -249,6 +250,11 @@ def configure_xephyr(_, spool, owner_gid, uid, env, safe_fds):
     newenv = {'DISPLAY' : ':%d' % display, 'XAUTHORITY' : auth_path}
     return newenv
 
+def configure_network(log, pset):
+    log(1, "networking shared with parent: %s", pset.has_permission("network"))
+    if not pset.has_permission("network"):
+        unshare(CLONE_NEWNET)
+
 def check_uid(_, spool, owner_uid, uid):
     assert 10000 <= uid and uid <= 65534
     assert getpwuid(owner_uid).pw_name in getgrgid(uid).gr_mem
@@ -290,5 +296,6 @@ def inject(log, spool, env, argv, cwd, pset, safe_fds, owner_uid, owner_gid,
         env.update(run_assistant(log, assistant, env, owner_uid, owner_gid, uid, groups, safe_fds))
     mount_fsen(log, home)
+    configure_network(log, pset)
     launch(log, home, uid, gid, groups, argv, env, cwd, pset, safe_fds)
diff --git a/rainbow/rainbow/permissions/permlist.py b/rainbow/rainbow/permissions/permlist.py
index 5f30218..897beca 100644
--- a/rainbow/rainbow/permissions/permlist.py
+++ b/rainbow/rainbow/permissions/permlist.py
@@ -59,10 +59,7 @@ class PermissionSet(object):
             these_values = these_values.split(',')
             if value in these_values:
                 return True
-        elif self._permissions[domain] == True:
-            return True
-        else:
-            return False
+        return self._permissions[domain] == True
 
     def permission_params(self, domain):
         if domain not in self._permissions:
|
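Review bot: `configure_network` calls `unshare(CLONE_NEWNET)` without looking at the outcome, so if the wrapper in rainbow.util reports failure through a return value rather than an exception (its definition is not visible here), a refused unshare would leave the child on the parent's network while the log line just above has already recorded it as isolated. Make the helper raise, or check its result and abort the launch, since a silently skipped unshare fails open. The permission is also queried twice; bind it once, `shared = pset.has_permission("network")`, and use it in both the log call and the condition. A docstring should also mention that a fresh network namespace scopes abstract-namespace UNIX sockets too, so local IPC that has no filesystem-socket fallback (X11 or D-Bus configured only with abstract addresses) is cut off along with the network.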
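Review bot: In the @@ -290 hunk `configure_network(log, pset)` is placed after `mount_fsen` and immediately before `launch`; unshare(CLONE_NEWNET) needs CAP_SYS_ADMIN, so this is only effective while rainbow still holds that capability, and the point where inject drops privileges is not visible in the hunk (the function starts outside it). If the drop happens inside launch, as the uid/gid/groups arguments suggest, the ordering is right but fragile; a one-line comment above the call, `# must precede the privilege drop in launch(): CLONE_NEWNET needs CAP_SYS_ADMIN`, would keep a later refactor from moving it.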
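Review bot: The collapsed return in permlist.py keeps the `== True` comparison, which linters flag (E712) and which grants the permission for an integer 1 while rejecting any other truthy value, so the grant semantics are neither strict nor plainly truthy. `return self._permissions[domain] is True` would make the check explicit and strict; confirm no permissions.info relies on a value of 1 before tightening it, since that is the one input whose result would change. The method's signature and the beginning of its body lie outside the hunk.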