From 385bcfb56e1b4a358ede978c4fc9f5133b3041a9 Mon Sep 17 00:00:00 2001
From: Luke Shumaker <LukeShu@sbcglobal.net>
Date: Fri, 25 Oct 2013 16:12:03 -0400
Subject: librechroot: check that copydir isn't mounted nosuid/noexec

---
 src/chroot-tools/librechroot | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'src/chroot-tools/librechroot')

diff --git a/src/chroot-tools/librechroot b/src/chroot-tools/librechroot
index 7c1c5a0..ccd8273 100755
--- a/src/chroot-tools/librechroot
+++ b/src/chroot-tools/librechroot
@@ -174,6 +174,13 @@ calculate_directories() {
 	declare -p copydir
 }
 
+check_mountpoint() {
+	local file=$1
+	local mountpoint="$(df -P "$file"|sed '1d;s/.*\s//')"
+	local mountopts=($(LANG=C mount|awk "{ if (\$3==\"$mountpoint\") { gsub(/[(,)]/, \" \", \$6); print \$6 } }"))
+	! in_array nosuid "${mountopts[@]}" && ! in_array noexec "${mountopts[@]}"
+}
+
 arch_nspawn_flags=()
 sysd_nspawn_flags=()
 arch-nspawn() {
@@ -271,6 +278,11 @@ main() {
 	lock 9 "$copydir.lock" \
 		"Waiting for existing lock on chroot copy to be released: [%s]" "$COPY"
 
+	if ! check_mountpoint "$copydir.lock"; then
+		error "Chroot copy is mounted with nosuid or noexec options: [%s]" "$COPY"
+		return 1
+	fi
+
 	if [[ ! -d $rootdir ]]; then
 		msg "Creating 'root' copy for chroot [%s]" "$CHROOT"
 		set +u # if an array is empty, it counts as unbound
-- 
cgit v1.2.2