WIP: Handle SSL_CERT_DIR in chroot jail (!125) · Merge requests · GitLab.org / gitlab-pages

Jonathon Reinhart requested to merge JonathonReinhart/gitlab-pages:137-handle-SSL_CERT_DIR into master Jan 07, 2019

This adds support for SSL_CERT_DIR by bind-minding the directory into the jail (at /etc/ssl/certs/.

This required removing the single-bind-mount restriction. To do so, the following changes were made:

Jail.unmount() now checks to see if a bind mount was mounted and only tries to unmount ones that were
Jail.Build():
- Calls Jail.unmount() if jail.mount() fails
- Double-checks that nothing is left mounted before calling j.removeAll()

🔒 As an additional security feature, a readonly parameter was added to jail.Bind(), and all users now pass true. This causes an additional call to make the bind mount read-only (MS_REMOUNT | MS_BIND | MS_READONLY).

Closes #137 (closed)

WIP:

Needs docs and a test for SSL_CERT_DIR
internal/httptransport/transport.go loads SSL_CERT_FILE for macOS, needs SSL_CERT_DIR?
Test this on production box w/ custom CA

cc @nolith @nick.thomas

Edited Jan 07, 2019 by Jonathon Reinhart

WIP: Handle SSL_CERT_DIR in chroot jail

Merge request reports