Skip to content

WIP: Handle SSL_CERT_DIR in chroot jail

Jonathon Reinhartrequested to merge
JonathonReinhart/gitlab-pages:137-handle-SSL_CERT_DIR into master

This adds support for SSL_CERT_DIR by bind-minding the directory into the jail (at /etc/ssl/certs/.

This required removing the single-bind-mount restriction. To do so, the following changes were made:

  • Jail.unmount() now checks to see if a bind mount was mounted and only tries to unmount ones that were
  • Jail.Build():
    • Calls Jail.unmount() if jail.mount() fails
    • Double-checks that nothing is left mounted before calling j.removeAll()

🔒 As an additional security feature, a readonly parameter was added to jail.Bind(), and all users now pass true. This causes an additional call to make the bind mount read-only (MS_REMOUNT | MS_BIND | MS_READONLY).

Closes #137 (closed)

WIP:

  • Needs docs and a test for SSL_CERT_DIR
  • internal/httptransport/transport.go loads SSL_CERT_FILE for macOS, needs SSL_CERT_DIR?
  • Test this on production box w/ custom CA

cc @nolith @nick.thomas

Edited by Jonathon Reinhart

Merge request reports