[thirdparty/systemd.git] / src / core / namespace.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <sys/mount.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sched.h>
#include <sys/syscall.h>
#include <limits.h>
#include <linux/fs.h>
#include <sys/file.h>

#include "strv.h"
#include "util.h"
#include "path-util.h"
#include "namespace.h"
#include "missing.h"
#include "execute.h"
#include "loopback-setup.h"
#include "mkdir.h"
#include "dev-setup.h"
#include "def.h"
#include "label.h"

typedef enum MountMode {
        /* This is ordered by priority! */
        INACCESSIBLE,
        READONLY,
        PRIVATE_TMP,
        PRIVATE_VAR_TMP,
        PRIVATE_DEV,
        PRIVATE_BUS_ENDPOINT,
        READWRITE
} MountMode;

typedef struct BindMount {
        const char *path;
        MountMode mode;
        bool done;
        bool ignore;
} BindMount;

static int append_mounts(BindMount **p, char **strv, MountMode mode) {
        char **i;

        assert(p);

        STRV_FOREACH(i, strv) {

                (*p)->ignore = false;
                (*p)->done = false;

                if ((mode == INACCESSIBLE || mode == READONLY || mode == READWRITE) && (*i)[0] == '-') {
                        (*p)->ignore = true;
                        (*i)++;
                }

                if (!path_is_absolute(*i))
                        return -EINVAL;

                (*p)->path = *i;
                (*p)->mode = mode;
                (*p)++;
        }

        return 0;
}

static int mount_path_compare(const void *a, const void *b) {
        const BindMount *p = a, *q = b;

        if (path_equal(p->path, q->path)) {

                /* If the paths are equal, check the mode */
                if (p->mode < q->mode)
                        return -1;

                if (p->mode > q->mode)
                        return 1;

                return 0;
        }

        /* If the paths are not equal, then order prefixes first */
        if (path_startswith(p->path, q->path))
                return 1;

        if (path_startswith(q->path, p->path))
                return -1;

        return 0;
}

static void drop_duplicates(BindMount *m, unsigned *n) {
        BindMount *f, *t, *previous;

        assert(m);
        assert(n);

        for (f = m, t = m, previous = NULL; f < m+*n; f++) {

                /* The first one wins */
                if (previous && path_equal(f->path, previous->path))
                        continue;

                *t = *f;

                previous = t;

                t++;
        }

        *n = t - m;
}

static int mount_dev(BindMount *m) {
        static const char devnodes[] =
                "/dev/null\0"
                "/dev/zero\0"
                "/dev/full\0"
                "/dev/random\0"
                "/dev/urandom\0"
                "/dev/tty\0";

        char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
        const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devkdbus = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
        _cleanup_umask_ mode_t u;
        int r;

        assert(m);

        u = umask(0000);

        if (!mkdtemp(temporary_mount))
                return -errno;

        dev = strappenda(temporary_mount, "/dev");
        mkdir(dev, 0755);
        if (mount("tmpfs", dev, "tmpfs", MS_NOSUID|MS_STRICTATIME, "mode=755") < 0) {
                r = -errno;
                goto fail;
        }

        devpts = strappenda(temporary_mount, "/dev/pts");
        mkdir(devpts, 0755);
        if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        devptmx = strappenda(temporary_mount, "/dev/ptmx");
        symlink("pts/ptmx", devptmx);

        devshm = strappenda(temporary_mount, "/dev/shm");
        mkdir(devshm, 01777);
        r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
        if (r < 0) {
                r = -errno;
                goto fail;
        }

        devmqueue = strappenda(temporary_mount, "/dev/mqueue");
        mkdir(devmqueue, 0755);
        mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);

        devkdbus = strappenda(temporary_mount, "/dev/kdbus");
        mkdir(devkdbus, 0755);
        mount("/dev/kdbus", devkdbus, NULL, MS_BIND, NULL);

        devhugepages = strappenda(temporary_mount, "/dev/hugepages");
        mkdir(devhugepages, 0755);
        mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);

        devlog = strappenda(temporary_mount, "/dev/log");
        symlink("/run/systemd/journal/dev-log", devlog);

        NULSTR_FOREACH(d, devnodes) {
                _cleanup_free_ char *dn = NULL;
                struct stat st;

                r = stat(d, &st);
                if (r < 0) {

                        if (errno == ENOENT)
                                continue;

                        r = -errno;
                        goto fail;
                }

                if (!S_ISBLK(st.st_mode) &&
                    !S_ISCHR(st.st_mode)) {
                        r = -EINVAL;
                        goto fail;
                }

                if (st.st_rdev == 0)
                        continue;

                dn = strappend(temporary_mount, d);
                if (!dn) {
                        r = -ENOMEM;
                        goto fail;
                }

                label_context_set(d, st.st_mode);
                r = mknod(dn, st.st_mode, st.st_rdev);
                label_context_clear();

                if (r < 0) {
                        r = -errno;
                        goto fail;
                }
        }

        dev_setup(temporary_mount);

        if (mount(dev, "/dev/", NULL, MS_MOVE, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        rmdir(dev);
        rmdir(temporary_mount);

        return 0;

fail:
        if (devpts)
                umount(devpts);

        if (devshm)
                umount(devshm);

        if (devkdbus)
                umount(devkdbus);

        if (devhugepages)
                umount(devhugepages);

        if (devmqueue)
                umount(devmqueue);

        umount(dev);
        rmdir(dev);
        rmdir(temporary_mount);

        return r;
}

static int mount_kdbus(BindMount *m) {

        char temporary_mount[] = "/tmp/kdbus-dev-XXXXXX";
        _cleanup_free_ char *basepath = NULL;
        _cleanup_umask_ mode_t u;
        char *busnode = NULL, *root;
        struct stat st;
        int r;

        assert(m);

        u = umask(0000);

        if (!mkdtemp(temporary_mount)) {
                log_error("Failed create temp dir: %m");
                return -errno;
        }

        root = strappenda(temporary_mount, "/kdbus");
        mkdir(root, 0755);
        if (mount("tmpfs", root, "tmpfs", MS_NOSUID|MS_STRICTATIME, "mode=777") < 0) {
                r = -errno;
                goto fail;
        }

        /* create a new /dev/null dev node copy so we have some fodder to
         * bind-mount the custom endpoint over. */
        if (stat("/dev/null", &st) < 0) {
                log_error("Failed to stat /dev/null: %m");
                r = -errno;
                goto fail;
        }

        busnode = strappenda(root, "/bus");
        if (mknod(busnode, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
                log_error("mknod() for %s failed: %m", busnode);
                r = -errno;
                goto fail;
        }

        r = mount(m->path, busnode, "bind", MS_BIND, NULL);
        if (r < 0) {
                log_error("bind mount of %s failed: %m", m->path);
                r = -errno;
                goto fail;
        }

        basepath = dirname_malloc(m->path);
        if (!basepath) {
                r = -ENOMEM;
                goto fail;
        }

        if (mount(root, basepath, NULL, MS_MOVE, NULL) < 0) {
                log_error("bind mount of %s failed: %m", basepath);
                r = -errno;
                goto fail;
        }

        rmdir(temporary_mount);
        return 0;

fail:
        if (busnode) {
                umount(busnode);
                unlink(busnode);
        }

        umount(root);
        rmdir(root);
        rmdir(temporary_mount);

        return r;
}

static int apply_mount(
                BindMount *m,
                const char *tmp_dir,
                const char *var_tmp_dir) {

        const char *what;
        int r;

        assert(m);

        switch (m->mode) {

        case INACCESSIBLE:

                /* First, get rid of everything that is below if there
                 * is anything... Then, overmount it with an
                 * inaccessible directory. */
                umount_recursive(m->path, 0);

                what = "/run/systemd/inaccessible";
                break;

        case READONLY:
        case READWRITE:
                /* Nothing to mount here, we just later toggle the
                 * MS_RDONLY bit for the mount point */
                return 0;

        case PRIVATE_TMP:
                what = tmp_dir;
                break;

        case PRIVATE_VAR_TMP:
                what = var_tmp_dir;
                break;

        case PRIVATE_DEV:
                return mount_dev(m);

        case PRIVATE_BUS_ENDPOINT:
                return mount_kdbus(m);

        default:
                assert_not_reached("Unknown mode");
        }

        assert(what);

        r = mount(what, m->path, NULL, MS_BIND|MS_REC, NULL);
        if (r >= 0)
                log_debug("Successfully mounted %s to %s", what, m->path);
        else if (m->ignore && errno == ENOENT)
                return 0;

        return r;
}

static int make_read_only(BindMount *m) {
        int r;

        assert(m);

        if (IN_SET(m->mode, INACCESSIBLE, READONLY))
                r = bind_remount_recursive(m->path, true);
        else if (IN_SET(m->mode, READWRITE, PRIVATE_TMP, PRIVATE_VAR_TMP, PRIVATE_DEV))
                r = bind_remount_recursive(m->path, false);
        else
                r = 0;

        if (m->ignore && r == -ENOENT)
                return 0;

        return r;
}

int setup_namespace(
                char** read_write_dirs,
                char** read_only_dirs,
                char** inaccessible_dirs,
                char* tmp_dir,
                char* var_tmp_dir,
                char* bus_endpoint_path,
                bool private_dev,
                ProtectHome protect_home,
                ProtectSystem protect_system,
                unsigned mount_flags) {

        BindMount *m, *mounts = NULL;
        unsigned n;
        int r = 0;

        if (mount_flags == 0)
                mount_flags = MS_SHARED;

        if (unshare(CLONE_NEWNS) < 0)
                return -errno;

        n = !!tmp_dir + !!var_tmp_dir + !!bus_endpoint_path +
                strv_length(read_write_dirs) +
                strv_length(read_only_dirs) +
                strv_length(inaccessible_dirs) +
                private_dev +
                (protect_home != PROTECT_HOME_NO ? 3 : 0) +
                (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
                (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);

        if (n > 0) {
                m = mounts = (BindMount *) alloca0(n * sizeof(BindMount));
                r = append_mounts(&m, read_write_dirs, READWRITE);
                if (r < 0)
                        return r;

                r = append_mounts(&m, read_only_dirs, READONLY);
                if (r < 0)
                        return r;

                r = append_mounts(&m, inaccessible_dirs, INACCESSIBLE);
                if (r < 0)
                        return r;

                if (tmp_dir) {
                        m->path = "/tmp";
                        m->mode = PRIVATE_TMP;
                        m++;
                }

                if (var_tmp_dir) {
                        m->path = "/var/tmp";
                        m->mode = PRIVATE_VAR_TMP;
                        m++;
                }

                if (private_dev) {
                        m->path = "/dev";
                        m->mode = PRIVATE_DEV;
                        m++;
                }

                if (bus_endpoint_path) {
                        m->path = bus_endpoint_path;
                        m->mode = PRIVATE_BUS_ENDPOINT;
                        m++;
                }

                if (protect_home != PROTECT_HOME_NO) {
                        r = append_mounts(&m, STRV_MAKE("-/home", "-/run/user", "-/root"), protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
                        if (r < 0)
                                return r;
                }

                if (protect_system != PROTECT_SYSTEM_NO) {
                        r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "-/boot", "/etc") : STRV_MAKE("/usr", "-/boot"), READONLY);
                        if (r < 0)
                                return r;
                }

                assert(mounts + n == m);

                qsort(mounts, n, sizeof(BindMount), mount_path_compare);
                drop_duplicates(mounts, &n);
        }

        if (n > 0) {
                /* Remount / as SLAVE so that nothing now mounted in the namespace
                   shows up in the parent */
                if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0)
                        return -errno;

                for (m = mounts; m < mounts + n; ++m) {
                        r = apply_mount(m, tmp_dir, var_tmp_dir);
                        if (r < 0)
                                goto fail;
                }

                for (m = mounts; m < mounts + n; ++m) {
                        r = make_read_only(m);
                        if (r < 0)
                                goto fail;
                }
        }

        /* Remount / as the desired mode. Not that this will not
         * reestablish propagation from our side to the host, since
         * what's disconnected is disconnected. */
        if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        return 0;

fail:
        if (n > 0) {
                for (m = mounts; m < mounts + n; ++m)
                        if (m->done)
                                umount2(m->path, MNT_DETACH);
        }

        return r;
}

static int setup_one_tmp_dir(const char *id, const char *prefix, char **path) {
        _cleanup_free_ char *x = NULL;
        char bid[SD_ID128_STRING_MAX];
        sd_id128_t boot_id;
        int r;

        assert(id);
        assert(prefix);
        assert(path);

        /* We include the boot id in the directory so that after a
         * reboot we can easily identify obsolete directories. */

        r = sd_id128_get_boot(&boot_id);
        if (r < 0)
                return r;

        x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX", NULL);
        if (!x)
                return -ENOMEM;

        RUN_WITH_UMASK(0077)
                if (!mkdtemp(x))
                        return -errno;

        RUN_WITH_UMASK(0000) {
                char *y;

                y = strappenda(x, "/tmp");

                if (mkdir(y, 0777 | S_ISVTX) < 0)
                        return -errno;
        }

        *path = x;
        x = NULL;

        return 0;
}

int setup_tmp_dirs(const char *id, char **tmp_dir, char **var_tmp_dir) {
        char *a, *b;
        int r;

        assert(id);
        assert(tmp_dir);
        assert(var_tmp_dir);

        r = setup_one_tmp_dir(id, "/tmp", &a);
        if (r < 0)
                return r;

        r = setup_one_tmp_dir(id, "/var/tmp", &b);
        if (r < 0) {
                char *t;

                t = strappenda(a, "/tmp");
                rmdir(t);
                rmdir(a);

                free(a);
                return r;
        }

        *tmp_dir = a;
        *var_tmp_dir = b;

        return 0;
}

int setup_netns(int netns_storage_socket[2]) {
        _cleanup_close_ int netns = -1;
        union {
                struct cmsghdr cmsghdr;
                uint8_t buf[CMSG_SPACE(sizeof(int))];
        } control = {};
        struct msghdr mh = {
                .msg_control = &control,
                .msg_controllen = sizeof(control),
        };
        struct cmsghdr *cmsg;
        int r;

        assert(netns_storage_socket);
        assert(netns_storage_socket[0] >= 0);
        assert(netns_storage_socket[1] >= 0);

        /* We use the passed socketpair as a storage buffer for our
         * namespace reference fd. Whatever process runs this first
         * shall create a new namespace, all others should just join
         * it. To serialize that we use a file lock on the socket
         * pair.
         *
         * It's a bit crazy, but hey, works great! */

        if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
                return -errno;

        if (recvmsg(netns_storage_socket[0], &mh, MSG_DONTWAIT|MSG_CMSG_CLOEXEC) < 0) {
                if (errno != EAGAIN) {
                        r = -errno;
                        goto fail;
                }

                /* Nothing stored yet, so let's create a new namespace */

                if (unshare(CLONE_NEWNET) < 0) {
                        r = -errno;
                        goto fail;
                }

                loopback_setup();

                netns = open("/proc/self/ns/net", O_RDONLY|O_CLOEXEC|O_NOCTTY);
                if (netns < 0) {
                        r = -errno;
                        goto fail;
                }

                r = 1;
        } else {
                /* Yay, found something, so let's join the namespace */

                for (cmsg = CMSG_FIRSTHDR(&mh); cmsg; cmsg = CMSG_NXTHDR(&mh, cmsg)) {
                        if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
                                assert(cmsg->cmsg_len == CMSG_LEN(sizeof(int)));
                                netns = *(int*) CMSG_DATA(cmsg);
                        }
                }

                if (setns(netns, CLONE_NEWNET) < 0) {
                        r = -errno;
                        goto fail;
                }

                r = 0;
        }

        cmsg = CMSG_FIRSTHDR(&mh);
        cmsg->cmsg_level = SOL_SOCKET;
        cmsg->cmsg_type = SCM_RIGHTS;
        cmsg->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cmsg), &netns, sizeof(int));
        mh.msg_controllen = cmsg->cmsg_len;

        if (sendmsg(netns_storage_socket[1], &mh, MSG_DONTWAIT|MSG_NOSIGNAL) < 0) {
                r = -errno;
                goto fail;
        }

fail:
        lockf(netns_storage_socket[0], F_ULOCK, 0);

        return r;
}

static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
        [PROTECT_HOME_NO] = "no",
        [PROTECT_HOME_YES] = "yes",
        [PROTECT_HOME_READ_ONLY] = "read-only",
};

DEFINE_STRING_TABLE_LOOKUP(protect_home, ProtectHome);

static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
        [PROTECT_SYSTEM_NO] = "no",
        [PROTECT_SYSTEM_YES] = "yes",
        [PROTECT_SYSTEM_FULL] = "full",
};

DEFINE_STRING_TABLE_LOOKUP(protect_system, ProtectSystem);
Commit	Line	Data
d6c9574f	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
15ae422b LP	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
15ae422b LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
15ae422b	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
15ae422b LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <errno.h>
	23	#include <sys/mount.h>
	24	#include <string.h>
	25	#include <stdio.h>
	26	#include <unistd.h>
	27	#include <sys/stat.h>
	28	#include <sys/types.h>
	29	#include <sched.h>
	30	#include <sys/syscall.h>
	31	#include <limits.h>
25e870b5	32	#include <linux/fs.h>
613b411c	33	#include <sys/file.h>
15ae422b LP	34
	35	#include "strv.h"
	36	#include "util.h"
9eb977db	37	#include "path-util.h"
15ae422b LP	38	#include "namespace.h"
15ae422b LP	39	#include "missing.h"
c17ec25e	40	#include "execute.h"
613b411c	41	#include "loopback-setup.h"
7f112f50 LP	42	#include "mkdir.h"
	43	#include "dev-setup.h"
	44	#include "def.h"
dd078a1e	45	#include "label.h"
15ae422b	46
c17ec25e	47	typedef enum MountMode {
15ae422b LP	48	/* This is ordered by priority! */
	49	INACCESSIBLE,
	50	READONLY,
ac0930c8 LP	51	PRIVATE_TMP,
ac0930c8 LP	52	PRIVATE_VAR_TMP,
7f112f50	53	PRIVATE_DEV,
a610cc4f	54	PRIVATE_BUS_ENDPOINT,
15ae422b	55	READWRITE
c17ec25e	56	} MountMode;
15ae422b	57
c17ec25e	58	typedef struct BindMount {
15ae422b	59	const char *path;
c17ec25e	60	MountMode mode;
ac0930c8	61	bool done;
ea92ae33	62	bool ignore;
c17ec25e	63	} BindMount;
15ae422b	64
c17ec25e	65	static int append_mounts(BindMount p, char strv, MountMode mode) {
15ae422b LP	66	char **i;
15ae422b LP	67
613b411c LP	68	assert(p);
613b411c LP	69
15ae422b LP	70	STRV_FOREACH(i, strv) {
15ae422b LP	71
ea92ae33	72	(*p)->ignore = false;
002b2268	73	(*p)->done = false;
ea92ae33	74
94828d2d	75	if ((mode == INACCESSIBLE \|\| mode == READONLY \|\| mode == READWRITE) && (*i)[0] == '-') {
ea92ae33 MW	76	(*p)->ignore = true;
	77	(*i)++;
	78	}
	79
15ae422b LP	80	if (!path_is_absolute(*i))
	81	return -EINVAL;
	82
	83	(p)->path = i;
	84	(*p)->mode = mode;
	85	(*p)++;
	86	}
	87
	88	return 0;
	89	}
	90
c17ec25e MS	91	static int mount_path_compare(const void a, const void b) {
c17ec25e MS	92	const BindMount p = a, q = b;
15ae422b LP	93
	94	if (path_equal(p->path, q->path)) {
	95
	96	/* If the paths are equal, check the mode */
	97	if (p->mode < q->mode)
	98	return -1;
	99
	100	if (p->mode > q->mode)
	101	return 1;
	102
	103	return 0;
	104	}
	105
	106	/* If the paths are not equal, then order prefixes first */
	107	if (path_startswith(p->path, q->path))
	108	return 1;
	109
	110	if (path_startswith(q->path, p->path))
	111	return -1;
	112
	113	return 0;
	114	}
	115
c17ec25e MS	116	static void drop_duplicates(BindMount m, unsigned n) {
c17ec25e MS	117	BindMount f, t, *previous;
15ae422b	118
c17ec25e	119	assert(m);
15ae422b	120	assert(n);
15ae422b	121
c17ec25e	122	for (f = m, t = m, previous = NULL; f < m+*n; f++) {
15ae422b	123
ac0930c8	124	/* The first one wins */
15ae422b LP	125	if (previous && path_equal(f->path, previous->path))
	126	continue;
	127
e2d7c1a0	128	t = f;
15ae422b	129
15ae422b LP	130	previous = t;
	131
	132	t++;
	133	}
	134
c17ec25e	135	*n = t - m;
15ae422b LP	136	}
15ae422b LP	137
7f112f50 LP	138	static int mount_dev(BindMount *m) {
	139	static const char devnodes[] =
	140	"/dev/null\0"
	141	"/dev/zero\0"
	142	"/dev/full\0"
	143	"/dev/random\0"
	144	"/dev/urandom\0"
	145	"/dev/tty\0";
	146
2b85f4e1	147	char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
e06b6479	148	const char d, dev = NULL, devpts = NULL, devshm = NULL, devkdbus = NULL, devhugepages = NULL, devmqueue = NULL, devlog = NULL, *devptmx = NULL;
7f112f50 LP	149	_cleanup_umask_ mode_t u;
	150	int r;
	151
	152	assert(m);
	153
	154	u = umask(0000);
	155
2b85f4e1 LP	156	if (!mkdtemp(temporary_mount))
	157	return -errno;
	158
	159	dev = strappenda(temporary_mount, "/dev");
	160	mkdir(dev, 0755);
	161	if (mount("tmpfs", dev, "tmpfs", MS_NOSUID\|MS_STRICTATIME, "mode=755") < 0) {
	162	r = -errno;
	163	goto fail;
	164	}
	165
	166	devpts = strappenda(temporary_mount, "/dev/pts");
	167	mkdir(devpts, 0755);
	168	if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
	169	r = -errno;
	170	goto fail;
	171	}
	172
e06b6479 LP	173	devptmx = strappenda(temporary_mount, "/dev/ptmx");
	174	symlink("pts/ptmx", devptmx);
	175
2b85f4e1 LP	176	devshm = strappenda(temporary_mount, "/dev/shm");
	177	mkdir(devshm, 01777);
	178	r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
	179	if (r < 0) {
	180	r = -errno;
	181	goto fail;
	182	}
	183
	184	devmqueue = strappenda(temporary_mount, "/dev/mqueue");
	185	mkdir(devmqueue, 0755);
	186	mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);
	187
	188	devkdbus = strappenda(temporary_mount, "/dev/kdbus");
	189	mkdir(devkdbus, 0755);
	190	mount("/dev/kdbus", devkdbus, NULL, MS_BIND, NULL);
	191
	192	devhugepages = strappenda(temporary_mount, "/dev/hugepages");
	193	mkdir(devhugepages, 0755);
	194	mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);
	195
82d25240 LP	196	devlog = strappenda(temporary_mount, "/dev/log");
	197	symlink("/run/systemd/journal/dev-log", devlog);
	198
7f112f50	199	NULSTR_FOREACH(d, devnodes) {
2b85f4e1 LP	200	_cleanup_free_ char *dn = NULL;
	201	struct stat st;
	202
	203	r = stat(d, &st);
7f112f50	204	if (r < 0) {
2b85f4e1 LP	205
	206	if (errno == ENOENT)
	207	continue;
	208
	209	r = -errno;
	210	goto fail;
7f112f50 LP	211	}
7f112f50 LP	212
2b85f4e1 LP	213	if (!S_ISBLK(st.st_mode) &&
	214	!S_ISCHR(st.st_mode)) {
	215	r = -EINVAL;
	216	goto fail;
	217	}
	218
	219	if (st.st_rdev == 0)
	220	continue;
	221
	222	dn = strappend(temporary_mount, d);
	223	if (!dn) {
	224	r = -ENOMEM;
	225	goto fail;
	226	}
	227
dd078a1e	228	label_context_set(d, st.st_mode);
2b85f4e1	229	r = mknod(dn, st.st_mode, st.st_rdev);
dd078a1e LP	230	label_context_clear();
dd078a1e LP	231
2b85f4e1 LP	232	if (r < 0) {
	233	r = -errno;
	234	goto fail;
	235	}
7f112f50 LP	236	}
7f112f50 LP	237
2b85f4e1	238	dev_setup(temporary_mount);
7f112f50	239
2b85f4e1 LP	240	if (mount(dev, "/dev/", NULL, MS_MOVE, NULL) < 0) {
	241	r = -errno;
	242	goto fail;
	243	}
7f112f50	244
2b85f4e1 LP	245	rmdir(dev);
2b85f4e1 LP	246	rmdir(temporary_mount);
7f112f50	247
2b85f4e1	248	return 0;
7f112f50	249
2b85f4e1 LP	250	fail:
	251	if (devpts)
	252	umount(devpts);
7f112f50	253
2b85f4e1 LP	254	if (devshm)
2b85f4e1 LP	255	umount(devshm);
7f112f50	256
2b85f4e1 LP	257	if (devkdbus)
2b85f4e1 LP	258	umount(devkdbus);
7f112f50	259
2b85f4e1 LP	260	if (devhugepages)
2b85f4e1 LP	261	umount(devhugepages);
7f112f50	262
2b85f4e1 LP	263	if (devmqueue)
2b85f4e1 LP	264	umount(devmqueue);
7f112f50	265
d267c5aa ZJS	266	umount(dev);
d267c5aa ZJS	267	rmdir(dev);
2b85f4e1	268	rmdir(temporary_mount);
7f112f50	269
2b85f4e1	270	return r;
7f112f50 LP	271	}
7f112f50 LP	272
a610cc4f DM	273	static int mount_kdbus(BindMount *m) {
	274
	275	char temporary_mount[] = "/tmp/kdbus-dev-XXXXXX";
	276	_cleanup_free_ char *basepath = NULL;
	277	_cleanup_umask_ mode_t u;
120d578e	278	char busnode = NULL, root;
a610cc4f DM	279	struct stat st;
	280	int r;
	281
	282	assert(m);
	283
	284	u = umask(0000);
	285
	286	if (!mkdtemp(temporary_mount)) {
	287	log_error("Failed create temp dir: %m");
	288	return -errno;
	289	}
	290
	291	root = strappenda(temporary_mount, "/kdbus");
	292	mkdir(root, 0755);
	293	if (mount("tmpfs", root, "tmpfs", MS_NOSUID\|MS_STRICTATIME, "mode=777") < 0) {
	294	r = -errno;
	295	goto fail;
	296	}
	297
	298	/* create a new /dev/null dev node copy so we have some fodder to
	299	* bind-mount the custom endpoint over. */
	300	if (stat("/dev/null", &st) < 0) {
	301	log_error("Failed to stat /dev/null: %m");
	302	r = -errno;
	303	goto fail;
	304	}
	305
	306	busnode = strappenda(root, "/bus");
	307	if (mknod(busnode, (st.st_mode & ~07777) \| 0600, st.st_rdev) < 0) {
	308	log_error("mknod() for %s failed: %m", busnode);
	309	r = -errno;
	310	goto fail;
	311	}
	312
	313	r = mount(m->path, busnode, "bind", MS_BIND, NULL);
	314	if (r < 0) {
	315	log_error("bind mount of %s failed: %m", m->path);
	316	r = -errno;
	317	goto fail;
	318	}
	319
	320	basepath = dirname_malloc(m->path);
	321	if (!basepath) {
	322	r = -ENOMEM;
	323	goto fail;
	324	}
	325
	326	if (mount(root, basepath, NULL, MS_MOVE, NULL) < 0) {
	327	log_error("bind mount of %s failed: %m", basepath);
	328	r = -errno;
	329	goto fail;
	330	}
	331
	332	rmdir(temporary_mount);
	333	return 0;
	334
	335	fail:
	336	if (busnode) {
	337	umount(busnode);
	338	unlink(busnode);
	339	}
	340
1775f1eb ZJS	341	umount(root);
1775f1eb ZJS	342	rmdir(root);
a610cc4f DM	343	rmdir(temporary_mount);
	344
	345	return r;
	346	}
	347
ac0930c8	348	static int apply_mount(
c17ec25e	349	BindMount *m,
ac0930c8	350	const char *tmp_dir,
c17ec25e	351	const char *var_tmp_dir) {
ac0930c8	352
15ae422b	353	const char *what;
15ae422b	354	int r;
15ae422b	355
c17ec25e	356	assert(m);
15ae422b	357
c17ec25e	358	switch (m->mode) {
15ae422b LP	359
15ae422b LP	360	case INACCESSIBLE:
6d313367 LP	361
	362	/* First, get rid of everything that is below if there
	363	* is anything... Then, overmount it with an
	364	* inaccessible directory. */
	365	umount_recursive(m->path, 0);
	366
c17ec25e	367	what = "/run/systemd/inaccessible";
15ae422b LP	368	break;
	369
	370	case READONLY:
15ae422b	371	case READWRITE:
d6797c92 LP	372	/* Nothing to mount here, we just later toggle the
	373	* MS_RDONLY bit for the mount point */
	374	return 0;
15ae422b	375
ac0930c8 LP	376	case PRIVATE_TMP:
	377	what = tmp_dir;
	378	break;
	379
	380	case PRIVATE_VAR_TMP:
	381	what = var_tmp_dir;
15ae422b	382	break;
e364ad06	383
d6797c92 LP	384	case PRIVATE_DEV:
	385	return mount_dev(m);
	386
a610cc4f DM	387	case PRIVATE_BUS_ENDPOINT:
	388	return mount_kdbus(m);
	389
e364ad06 LP	390	default:
e364ad06 LP	391	assert_not_reached("Unknown mode");
15ae422b LP	392	}
15ae422b LP	393
ac0930c8	394	assert(what);
15ae422b	395
c17ec25e	396	r = mount(what, m->path, NULL, MS_BIND\|MS_REC, NULL);
ac0930c8	397	if (r >= 0)
c17ec25e	398	log_debug("Successfully mounted %s to %s", what, m->path);
ea92ae33	399	else if (m->ignore && errno == ENOENT)
d6797c92	400	return 0;
15ae422b	401
ac0930c8 LP	402	return r;
ac0930c8 LP	403	}
15ae422b	404
c17ec25e	405	static int make_read_only(BindMount *m) {
ac0930c8	406	int r;
15ae422b	407
c17ec25e	408	assert(m);
ac0930c8	409
d6797c92 LP	410	if (IN_SET(m->mode, INACCESSIBLE, READONLY))
d6797c92 LP	411	r = bind_remount_recursive(m->path, true);
664064d6	412	else if (IN_SET(m->mode, READWRITE, PRIVATE_TMP, PRIVATE_VAR_TMP, PRIVATE_DEV))
d6797c92 LP	413	r = bind_remount_recursive(m->path, false);
	414	else
	415	r = 0;
ac0930c8	416
d6797c92 LP	417	if (m->ignore && r == -ENOENT)
d6797c92 LP	418	return 0;
ac0930c8	419
d6797c92	420	return r;
15ae422b LP	421	}
15ae422b LP	422
613b411c LP	423	int setup_namespace(
	424	char** read_write_dirs,
	425	char** read_only_dirs,
	426	char** inaccessible_dirs,
	427	char* tmp_dir,
	428	char* var_tmp_dir,
a610cc4f	429	char* bus_endpoint_path,
7f112f50	430	bool private_dev,
1b8689f9 LP	431	ProtectHome protect_home,
1b8689f9 LP	432	ProtectSystem protect_system,
613b411c	433	unsigned mount_flags) {
15ae422b	434
7ff7394d	435	BindMount m, mounts = NULL;
613b411c	436	unsigned n;
c17ec25e	437	int r = 0;
15ae422b	438
613b411c	439	if (mount_flags == 0)
c17ec25e	440	mount_flags = MS_SHARED;
ac0930c8	441
d5a3f0ea ZJS	442	if (unshare(CLONE_NEWNS) < 0)
d5a3f0ea ZJS	443	return -errno;
15ae422b	444
a610cc4f	445	n = !!tmp_dir + !!var_tmp_dir + !!bus_endpoint_path +
613b411c LP	446	strv_length(read_write_dirs) +
613b411c LP	447	strv_length(read_only_dirs) +
7f112f50	448	strv_length(inaccessible_dirs) +
417116f2	449	private_dev +
c8835999	450	(protect_home != PROTECT_HOME_NO ? 3 : 0) +
051be1f7	451	(protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
1b8689f9	452	(protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
613b411c LP	453
613b411c LP	454	if (n > 0) {
002b2268	455	m = mounts = (BindMount ) alloca0(n sizeof(BindMount));
613b411c LP	456	r = append_mounts(&m, read_write_dirs, READWRITE);
	457	if (r < 0)
	458	return r;
	459
	460	r = append_mounts(&m, read_only_dirs, READONLY);
	461	if (r < 0)
	462	return r;
	463
	464	r = append_mounts(&m, inaccessible_dirs, INACCESSIBLE);
	465	if (r < 0)
7ff7394d ZJS	466	return r;
7ff7394d ZJS	467
613b411c	468	if (tmp_dir) {
7ff7394d ZJS	469	m->path = "/tmp";
	470	m->mode = PRIVATE_TMP;
	471	m++;
613b411c	472	}
7ff7394d	473
613b411c	474	if (var_tmp_dir) {
7ff7394d ZJS	475	m->path = "/var/tmp";
	476	m->mode = PRIVATE_VAR_TMP;
	477	m++;
	478	}
ac0930c8	479
7f112f50 LP	480	if (private_dev) {
	481	m->path = "/dev";
	482	m->mode = PRIVATE_DEV;
	483	m++;
	484	}
	485
a610cc4f DM	486	if (bus_endpoint_path) {
	487	m->path = bus_endpoint_path;
	488	m->mode = PRIVATE_BUS_ENDPOINT;
	489	m++;
	490	}
	491
1b8689f9	492	if (protect_home != PROTECT_HOME_NO) {
c8835999	493	r = append_mounts(&m, STRV_MAKE("-/home", "-/run/user", "-/root"), protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
417116f2 LP	494	if (r < 0)
	495	return r;
	496	}
	497
1b8689f9	498	if (protect_system != PROTECT_SYSTEM_NO) {
051be1f7	499	r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "-/boot", "/etc") : STRV_MAKE("/usr", "-/boot"), READONLY);
417116f2 LP	500	if (r < 0)
	501	return r;
	502	}
	503
7ff7394d	504	assert(mounts + n == m);
ac0930c8	505
7ff7394d ZJS	506	qsort(mounts, n, sizeof(BindMount), mount_path_compare);
7ff7394d ZJS	507	drop_duplicates(mounts, &n);
15ae422b LP	508	}
15ae422b LP	509
c2c13f2d LP	510	if (n > 0) {
	511	/* Remount / as SLAVE so that nothing now mounted in the namespace
	512	shows up in the parent */
	513	if (mount(NULL, "/", NULL, MS_SLAVE\|MS_REC, NULL) < 0)
	514	return -errno;
	515
	516	for (m = mounts; m < mounts + n; ++m) {
	517	r = apply_mount(m, tmp_dir, var_tmp_dir);
	518	if (r < 0)
	519	goto fail;
	520	}
15ae422b	521
c2c13f2d LP	522	for (m = mounts; m < mounts + n; ++m) {
	523	r = make_read_only(m);
	524	if (r < 0)
	525	goto fail;
	526	}
15ae422b LP	527	}
15ae422b LP	528
c2c13f2d LP	529	/* Remount / as the desired mode. Not that this will not
	530	* reestablish propagation from our side to the host, since
	531	* what's disconnected is disconnected. */
c17ec25e	532	if (mount(NULL, "/", NULL, mount_flags \| MS_REC, NULL) < 0) {
15ae422b	533	r = -errno;
613b411c	534	goto fail;
15ae422b LP	535	}
15ae422b LP	536
15ae422b LP	537	return 0;
15ae422b LP	538
613b411c	539	fail:
c2c13f2d LP	540	if (n > 0) {
	541	for (m = mounts; m < mounts + n; ++m)
	542	if (m->done)
	543	umount2(m->path, MNT_DETACH);
	544	}
613b411c LP	545
	546	return r;
	547	}
	548
	549	static int setup_one_tmp_dir(const char id, const char prefix, char **path) {
	550	_cleanup_free_ char *x = NULL;
6b46ea73 LP	551	char bid[SD_ID128_STRING_MAX];
	552	sd_id128_t boot_id;
	553	int r;
613b411c LP	554
	555	assert(id);
	556	assert(prefix);
	557	assert(path);
	558
6b46ea73 LP	559	/* We include the boot id in the directory so that after a
	560	* reboot we can easily identify obsolete directories. */
	561
	562	r = sd_id128_get_boot(&boot_id);
	563	if (r < 0)
	564	return r;
	565
	566	x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX", NULL);
613b411c LP	567	if (!x)
	568	return -ENOMEM;
	569
	570	RUN_WITH_UMASK(0077)
	571	if (!mkdtemp(x))
	572	return -errno;
	573
	574	RUN_WITH_UMASK(0000) {
	575	char *y;
	576
	577	y = strappenda(x, "/tmp");
	578
	579	if (mkdir(y, 0777 \| S_ISVTX) < 0)
	580	return -errno;
c17ec25e	581	}
15ae422b	582
613b411c LP	583	*path = x;
	584	x = NULL;
	585
	586	return 0;
	587	}
	588
	589	int setup_tmp_dirs(const char id, char tmp_dir, char *var_tmp_dir) {
	590	char a, b;
	591	int r;
	592
	593	assert(id);
	594	assert(tmp_dir);
	595	assert(var_tmp_dir);
	596
	597	r = setup_one_tmp_dir(id, "/tmp", &a);
	598	if (r < 0)
	599	return r;
	600
	601	r = setup_one_tmp_dir(id, "/var/tmp", &b);
	602	if (r < 0) {
	603	char *t;
	604
	605	t = strappenda(a, "/tmp");
	606	rmdir(t);
	607	rmdir(a);
	608
	609	free(a);
	610	return r;
	611	}
	612
	613	*tmp_dir = a;
	614	*var_tmp_dir = b;
	615
	616	return 0;
	617	}
	618
	619	int setup_netns(int netns_storage_socket[2]) {
	620	_cleanup_close_ int netns = -1;
	621	union {
	622	struct cmsghdr cmsghdr;
	623	uint8_t buf[CMSG_SPACE(sizeof(int))];
	624	} control = {};
	625	struct msghdr mh = {
	626	.msg_control = &control,
	627	.msg_controllen = sizeof(control),
	628	};
	629	struct cmsghdr *cmsg;
	630	int r;
	631
	632	assert(netns_storage_socket);
	633	assert(netns_storage_socket[0] >= 0);
	634	assert(netns_storage_socket[1] >= 0);
	635
	636	/* We use the passed socketpair as a storage buffer for our
76cd584b LP	637	* namespace reference fd. Whatever process runs this first
	638	* shall create a new namespace, all others should just join
	639	* it. To serialize that we use a file lock on the socket
	640	* pair.
613b411c LP	641	*
	642	* It's a bit crazy, but hey, works great! */
	643
	644	if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
	645	return -errno;
	646
	647	if (recvmsg(netns_storage_socket[0], &mh, MSG_DONTWAIT\|MSG_CMSG_CLOEXEC) < 0) {
	648	if (errno != EAGAIN) {
	649	r = -errno;
	650	goto fail;
	651	}
	652
	653	/* Nothing stored yet, so let's create a new namespace */
	654
	655	if (unshare(CLONE_NEWNET) < 0) {
	656	r = -errno;
	657	goto fail;
	658	}
	659
	660	loopback_setup();
	661
	662	netns = open("/proc/self/ns/net", O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
	663	if (netns < 0) {
	664	r = -errno;
	665	goto fail;
	666	}
	667
	668	r = 1;
	669	} else {
	670	/* Yay, found something, so let's join the namespace */
	671
	672	for (cmsg = CMSG_FIRSTHDR(&mh); cmsg; cmsg = CMSG_NXTHDR(&mh, cmsg)) {
	673	if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
	674	assert(cmsg->cmsg_len == CMSG_LEN(sizeof(int)));
	675	netns = (int) CMSG_DATA(cmsg);
	676	}
	677	}
	678
	679	if (setns(netns, CLONE_NEWNET) < 0) {
	680	r = -errno;
	681	goto fail;
	682	}
	683
	684	r = 0;
	685	}
	686
	687	cmsg = CMSG_FIRSTHDR(&mh);
	688	cmsg->cmsg_level = SOL_SOCKET;
	689	cmsg->cmsg_type = SCM_RIGHTS;
	690	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	691	memcpy(CMSG_DATA(cmsg), &netns, sizeof(int));
	692	mh.msg_controllen = cmsg->cmsg_len;
	693
	694	if (sendmsg(netns_storage_socket[1], &mh, MSG_DONTWAIT\|MSG_NOSIGNAL) < 0) {
	695	r = -errno;
	696	goto fail;
	697	}
	698
	699	fail:
	700	lockf(netns_storage_socket[0], F_ULOCK, 0);
	701
15ae422b LP	702	return r;
15ae422b LP	703	}
417116f2	704
1b8689f9 LP	705	static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
	706	[PROTECT_HOME_NO] = "no",
	707	[PROTECT_HOME_YES] = "yes",
	708	[PROTECT_HOME_READ_ONLY] = "read-only",
417116f2 LP	709	};
417116f2 LP	710
1b8689f9 LP	711	DEFINE_STRING_TABLE_LOOKUP(protect_home, ProtectHome);
	712
	713	static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
	714	[PROTECT_SYSTEM_NO] = "no",
	715	[PROTECT_SYSTEM_YES] = "yes",
	716	[PROTECT_SYSTEM_FULL] = "full",
	717	};
	718
	719	DEFINE_STRING_TABLE_LOOKUP(protect_system, ProtectSystem);