]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/namespace.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
basic/log: add concept of "synthethic errnos"
[thirdparty/systemd.git] / src / core / namespace.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
15ae422b
LP		 2
3#include <errno.h>
07630cea 4#include <sched.h>
15ae422b 5#include <stdio.h>
07630cea
LP		 6#include <string.h>
7#include <sys/mount.h>
15ae422b 8#include <sys/stat.h>
07630cea 9#include <unistd.h>
25e870b5 10#include <linux/fs.h>
15ae422b 11
b5efdb8a 12#include "alloc-util.h"
10404d52 13#include "base-filesystem.h"
7f112f50 14#include "dev-setup.h"
3ffd4af2 15#include "fd-util.h"
d944dc95 16#include "fs-util.h"
e908468b 17#include "label.h"
915e6d16 18#include "loop-util.h"
07630cea
LP		 19#include "loopback-setup.h"
20#include "missing.h"
21#include "mkdir.h"
4349cd7c 22#include "mount-util.h"
3ffd4af2 23#include "namespace.h"
07630cea 24#include "path-util.h"
d7b8eec7 25#include "selinux-util.h"
2583fbea 26#include "socket-util.h"
36ce7110 27#include "stat-util.h"
8b43440b 28#include "string-table.h"
07630cea
LP		 29#include "string-util.h"
30#include "strv.h"
affb60b1 31#include "umask-util.h"
ee104e11 32#include "user-util.h"
07630cea 33#include "util.h"
15ae422b 34
737ba3c8 35#define DEV_MOUNT_OPTIONS (MS_NOSUID|MS_STRICTATIME|MS_NOEXEC)
36
c17ec25e 37typedef enum MountMode {
15ae422b
LP		 38 /* This is ordered by priority! */
39 INACCESSIBLE,
d2d6c096
LP		 40 BIND_MOUNT,
41 BIND_MOUNT_RECURSIVE,
ac0930c8 42 PRIVATE_TMP,
7f112f50 43 PRIVATE_DEV,
5d997827 44 BIND_DEV,
6c47cd7d 45 EMPTY_DIR,
5d997827
LP		 46 SYSFS,
47 PROCFS,
48 READONLY,
59eeb84b 49 READWRITE,
2abd4e38 50 TMPFS,
c17ec25e 51} MountMode;
15ae422b 52
34de407a 53typedef struct MountEntry {
5327c910 54 const char *path_const; /* Memory allocated on stack or static */
cfbeb4ef 55 MountMode mode:5;
5327c910
LP		 56 bool ignore:1; /* Ignore if path does not exist? */
57 bool has_prefix:1; /* Already is prefixed by the root dir? */
cfbeb4ef 58 bool read_only:1; /* Shall this mount point be read-only? */
088696fe 59 bool applied:1; /* Already applied */
55fe7432 60 char *path_malloc; /* Use this instead of 'path_const' if we had to allocate memory */
d2d6c096
LP		 61 const char *source_const; /* The source path, for bind mounts */
62 char *source_malloc;
2abd4e38
YW		 63 const char *options_const;/* Mount options for tmpfs */
64 char *options_malloc;
65 unsigned long flags; /* Mount flags used by EMPTY_DIR and TMPFS. Do not include MS_RDONLY here, but please use read_only. */
088696fe 66 unsigned n_followed;
34de407a 67} MountEntry;
15ae422b 68
5d997827 69/* If MountAPIVFS= is used, let's mount /sys and /proc into the it, but only as a fallback if the user hasn't mounted
3fe91079 70 * something there already. These mounts are hence overridden by any other explicitly configured mounts. */
5d997827
LP		 71static const MountEntry apivfs_table[] = {
72 { "/proc", PROCFS, false },
73 { "/dev", BIND_DEV, false },
74 { "/sys", SYSFS, false },
75};
f471b2af 76
11a30cec 77/* ProtectKernelTunables= option and the related filesystem APIs */
34de407a 78static const MountEntry protect_kernel_tunables_table[] = {
c6232fb0 79 { "/proc/acpi", READONLY, true },
4e2c0a22 80 { "/proc/apm", READONLY, true }, /* Obsolete API, there's no point in permitting access to this, ever */
c6232fb0
LP		 81 { "/proc/asound", READONLY, true },
82 { "/proc/bus", READONLY, true },
83 { "/proc/fs", READONLY, true },
84 { "/proc/irq", READONLY, true },
4e2c0a22
LP		 85 { "/proc/kallsyms", INACCESSIBLE, true },
86 { "/proc/kcore", INACCESSIBLE, true },
87 { "/proc/latency_stats", READONLY, true },
88 { "/proc/mtrr", READONLY, true },
89 { "/proc/scsi", READONLY, true },
90 { "/proc/sys", READONLY, false },
91 { "/proc/sysrq-trigger", READONLY, true },
92 { "/proc/timer_stats", READONLY, true },
c6232fb0 93 { "/sys", READONLY, false },
13a141f0 94 { "/sys/fs/bpf", READONLY, true },
c6232fb0 95 { "/sys/fs/cgroup", READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */
3a0bf6d6 96 { "/sys/fs/selinux", READWRITE, true },
4e2c0a22
LP		 97 { "/sys/kernel/debug", READONLY, true },
98 { "/sys/kernel/tracing", READONLY, true },
11a30cec
DH		 99};
100
c575770b 101/* ProtectKernelModules= option */
34de407a 102static const MountEntry protect_kernel_modules_table[] = {
349cc4a5 103#if HAVE_SPLIT_USR
c6232fb0 104 { "/lib/modules", INACCESSIBLE, true },
c575770b 105#endif
c6232fb0 106 { "/usr/lib/modules", INACCESSIBLE, true },
c575770b
DH		 107};
108
b6c432ca
DH		 109/*
110 * ProtectHome=read-only table, protect $HOME and $XDG_RUNTIME_DIR and rest of
111 * system should be protected by ProtectSystem=
112 */
34de407a 113static const MountEntry protect_home_read_only_table[] = {
c6232fb0
LP		 114 { "/home", READONLY, true },
115 { "/run/user", READONLY, true },
116 { "/root", READONLY, true },
b6c432ca
DH		 117};
118
e4da7d8c
YW		 119/* ProtectHome=tmpfs table */
120static const MountEntry protect_home_tmpfs_table[] = {
121 { "/home", TMPFS, true, .read_only = true, .options_const = "mode=0755", .flags = MS_NODEV|MS_STRICTATIME },
122 { "/run/user", TMPFS, true, .read_only = true, .options_const = "mode=0755", .flags = MS_NODEV|MS_STRICTATIME },
123 { "/root", TMPFS, true, .read_only = true, .options_const = "mode=0700", .flags = MS_NODEV|MS_STRICTATIME },
124};
125
b6c432ca 126/* ProtectHome=yes table */
34de407a 127static const MountEntry protect_home_yes_table[] = {
c6232fb0
LP		 128 { "/home", INACCESSIBLE, true },
129 { "/run/user", INACCESSIBLE, true },
130 { "/root", INACCESSIBLE, true },
b6c432ca
DH		 131};
132
f471b2af 133/* ProtectSystem=yes table */
34de407a 134static const MountEntry protect_system_yes_table[] = {
c6232fb0
LP		 135 { "/usr", READONLY, false },
136 { "/boot", READONLY, true },
137 { "/efi", READONLY, true },
7486f305
AB		 138#if HAVE_SPLIT_USR
139 { "/lib", READONLY, true },
140 { "/lib64", READONLY, true },
141 { "/bin", READONLY, true },
671f0f8d 142# if HAVE_SPLIT_BIN
7486f305 143 { "/sbin", READONLY, true },
671f0f8d 144# endif
7486f305 145#endif
f471b2af
DH		 146};
147
148/* ProtectSystem=full includes ProtectSystem=yes */
34de407a 149static const MountEntry protect_system_full_table[] = {
c6232fb0
LP		 150 { "/usr", READONLY, false },
151 { "/boot", READONLY, true },
152 { "/efi", READONLY, true },
153 { "/etc", READONLY, false },
7486f305
AB		 154#if HAVE_SPLIT_USR
155 { "/lib", READONLY, true },
156 { "/lib64", READONLY, true },
157 { "/bin", READONLY, true },
671f0f8d 158# if HAVE_SPLIT_BIN
7486f305 159 { "/sbin", READONLY, true },
671f0f8d 160# endif
7486f305 161#endif
f471b2af
DH		 162};
163
164/*
165 * ProtectSystem=strict table. In this strict mode, we mount everything
166 * read-only, except for /proc, /dev, /sys which are the kernel API VFS,
167 * which are left writable, but PrivateDevices= + ProtectKernelTunables=
168 * protect those, and these options should be fully orthogonal.
169 * (And of course /home and friends are also left writable, as ProtectHome=
170 * shall manage those, orthogonally).
171 */
34de407a 172static const MountEntry protect_system_strict_table[] = {
ddbe0412
LP		 173 { "/", READONLY, false },
174 { "/proc", READWRITE, false }, /* ProtectKernelTunables= */
175 { "/sys", READWRITE, false }, /* ProtectKernelTunables= */
176 { "/dev", READWRITE, false }, /* PrivateDevices= */
177 { "/home", READWRITE, true }, /* ProtectHome= */
178 { "/run/user", READWRITE, true }, /* ProtectHome= */
179 { "/root", READWRITE, true }, /* ProtectHome= */
f471b2af
DH		 180};
181
34de407a 182static const char *mount_entry_path(const MountEntry *p) {
f0a4feb0
DH		 183 assert(p);
184
5327c910
LP		 185 /* Returns the path of this bind mount. If the malloc()-allocated ->path_buffer field is set we return that,
186 * otherwise the stack/static ->path field is returned. */
f0a4feb0 187
5327c910 188 return p->path_malloc ?: p->path_const;
f0a4feb0
DH		 189}
190
34de407a 191static bool mount_entry_read_only(const MountEntry *p) {
cfbeb4ef
LP		 192 assert(p);
193
194 return p->read_only || IN_SET(p->mode, READONLY, INACCESSIBLE);
195}
196
d2d6c096
LP		 197static const char *mount_entry_source(const MountEntry *p) {
198 assert(p);
199
200 return p->source_malloc ?: p->source_const;
201}
202
2abd4e38
YW		 203static const char *mount_entry_options(const MountEntry *p) {
204 assert(p);
205
206 return p->options_malloc ?: p->options_const;
207}
208
1eb7e08e
LP		 209static void mount_entry_done(MountEntry *p) {
210 assert(p);
211
212 p->path_malloc = mfree(p->path_malloc);
213 p->source_malloc = mfree(p->source_malloc);
2abd4e38 214 p->options_malloc = mfree(p->options_malloc);
1eb7e08e
LP		 215}
216
d18aff04 217static int append_access_mounts(MountEntry **p, char **strv, MountMode mode, bool forcibly_require_prefix) {
15ae422b
LP		 218 char **i;
219
613b411c
LP		 220 assert(p);
221
5327c910
LP		 222 /* Adds a list of user-supplied READWRITE/READONLY/INACCESSIBLE entries */
223
15ae422b 224 STRV_FOREACH(i, strv) {
5327c910
LP		 225 bool ignore = false, needs_prefix = false;
226 const char *e = *i;
15ae422b 227
5327c910
LP		 228 /* Look for any prefixes */
229 if (startswith(e, "-")) {
230 e++;
9c94d52e 231 ignore = true;
ea92ae33 232 }
5327c910
LP		 233 if (startswith(e, "+")) {
234 e++;
235 needs_prefix = true;
236 }
ea92ae33 237
763a260a
YW		 238 if (!path_is_absolute(e)) {
239 log_debug("Path is not absolute: %s", e);
15ae422b 240 return -EINVAL;
763a260a 241 }
15ae422b 242
34de407a 243 *((*p)++) = (MountEntry) {
5327c910
LP		 244 .path_const = e,
245 .mode = mode,
246 .ignore = ignore,
d18aff04 247 .has_prefix = !needs_prefix && !forcibly_require_prefix,
5327c910 248 };
15ae422b
LP		 249 }
250
251 return 0;
252}
253
6c47cd7d
LP		 254static int append_empty_dir_mounts(MountEntry **p, char **strv) {
255 char **i;
256
257 assert(p);
258
259 /* Adds tmpfs mounts to provide readable but empty directories. This is primarily used to implement the
260 * "/private/" boundary directories for DynamicUser=1. */
261
262 STRV_FOREACH(i, strv) {
263
264 *((*p)++) = (MountEntry) {
265 .path_const = *i,
266 .mode = EMPTY_DIR,
267 .ignore = false,
6c47cd7d 268 .read_only = true,
2abd4e38
YW		 269 .options_const = "mode=755",
270 .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
6c47cd7d
LP		 271 };
272 }
273
274 return 0;
275}
276
da6053d0
LP		 277static int append_bind_mounts(MountEntry **p, const BindMount *binds, size_t n) {
278 size_t i;
d2d6c096
LP		 279
280 assert(p);
281
282 for (i = 0; i < n; i++) {
283 const BindMount *b = binds + i;
284
285 *((*p)++) = (MountEntry) {
286 .path_const = b->destination,
287 .mode = b->recursive ? BIND_MOUNT_RECURSIVE : BIND_MOUNT,
288 .read_only = b->read_only,
289 .source_const = b->source,
4ca763a9 290 .ignore = b->ignore_enoent,
d2d6c096
LP		 291 };
292 }
293
294 return 0;
295}
296
da6053d0
LP		 297static int append_tmpfs_mounts(MountEntry **p, const TemporaryFileSystem *tmpfs, size_t n) {
298 size_t i;
2abd4e38
YW		 299 int r;
300
301 assert(p);
302
303 for (i = 0; i < n; i++) {
304 const TemporaryFileSystem *t = tmpfs + i;
305 _cleanup_free_ char *o = NULL, *str = NULL;
ad8e66dc 306 unsigned long flags;
2abd4e38
YW		 307 bool ro = false;
308
763a260a
YW		 309 if (!path_is_absolute(t->path)) {
310 log_debug("Path is not absolute: %s", t->path);
2abd4e38 311 return -EINVAL;
763a260a 312 }
2abd4e38 313
ad8e66dc
AJ		 314 str = strjoin("mode=0755,", t->options);
315 if (!str)
316 return -ENOMEM;
2abd4e38 317
ad8e66dc
AJ		 318 r = mount_option_mangle(str, MS_NODEV|MS_STRICTATIME, &flags, &o);
319 if (r < 0)
320 return log_debug_errno(r, "Failed to parse mount option '%s': %m", str);
2abd4e38 321
ad8e66dc
AJ		 322 ro = flags & MS_RDONLY;
323 if (ro)
324 flags ^= MS_RDONLY;
2abd4e38
YW		 325
326 *((*p)++) = (MountEntry) {
327 .path_const = t->path,
328 .mode = TMPFS,
329 .read_only = ro,
ad8e66dc 330 .options_malloc = TAKE_PTR(o),
2abd4e38
YW		 331 .flags = flags,
332 };
2abd4e38
YW		 333 }
334
335 return 0;
336}
337
da6053d0
LP		 338static int append_static_mounts(MountEntry **p, const MountEntry *mounts, size_t n, bool ignore_protect) {
339 size_t i;
11a30cec
DH		 340
341 assert(p);
f471b2af 342 assert(mounts);
11a30cec 343
5327c910 344 /* Adds a list of static pre-defined entries */
f471b2af 345
5327c910 346 for (i = 0; i < n; i++)
34de407a
LP		 347 *((*p)++) = (MountEntry) {
348 .path_const = mount_entry_path(mounts+i),
5327c910
LP		 349 .mode = mounts[i].mode,
350 .ignore = mounts[i].ignore || ignore_protect,
351 };
f471b2af
DH		 352
353 return 0;
354}
355
34de407a 356static int append_protect_home(MountEntry **p, ProtectHome protect_home, bool ignore_protect) {
c575770b
DH		 357 assert(p);
358
5327c910 359 switch (protect_home) {
b6c432ca 360
5327c910 361 case PROTECT_HOME_NO:
b6c432ca
DH		 362 return 0;
363
b6c432ca 364 case PROTECT_HOME_READ_ONLY:
5327c910
LP		 365 return append_static_mounts(p, protect_home_read_only_table, ELEMENTSOF(protect_home_read_only_table), ignore_protect);
366
e4da7d8c
YW		 367 case PROTECT_HOME_TMPFS:
368 return append_static_mounts(p, protect_home_tmpfs_table, ELEMENTSOF(protect_home_tmpfs_table), ignore_protect);
369
b6c432ca 370 case PROTECT_HOME_YES:
5327c910
LP		 371 return append_static_mounts(p, protect_home_yes_table, ELEMENTSOF(protect_home_yes_table), ignore_protect);
372
b6c432ca 373 default:
5327c910 374 assert_not_reached("Unexpected ProtectHome= value");
b6c432ca 375 }
b6c432ca
DH		 376}
377
34de407a 378static int append_protect_system(MountEntry **p, ProtectSystem protect_system, bool ignore_protect) {
f471b2af
DH		 379 assert(p);
380
5327c910
LP		 381 switch (protect_system) {
382
383 case PROTECT_SYSTEM_NO:
f471b2af
DH		 384 return 0;
385
f471b2af 386 case PROTECT_SYSTEM_STRICT:
5327c910
LP		 387 return append_static_mounts(p, protect_system_strict_table, ELEMENTSOF(protect_system_strict_table), ignore_protect);
388
f471b2af 389 case PROTECT_SYSTEM_YES:
5327c910
LP		 390 return append_static_mounts(p, protect_system_yes_table, ELEMENTSOF(protect_system_yes_table), ignore_protect);
391
f471b2af 392 case PROTECT_SYSTEM_FULL:
5327c910
LP		 393 return append_static_mounts(p, protect_system_full_table, ELEMENTSOF(protect_system_full_table), ignore_protect);
394
f471b2af 395 default:
5327c910 396 assert_not_reached("Unexpected ProtectSystem= value");
f471b2af 397 }
11a30cec
DH		 398}
399
93bab288 400static int mount_path_compare(const MountEntry *a, const MountEntry *b) {
a0827e2b 401 int d;
15ae422b 402
6ee1a919 403 /* If the paths are not equal, then order prefixes first */
93bab288 404 d = path_compare(mount_entry_path(a), mount_entry_path(b));
6ee1a919
LP		 405 if (d != 0)
406 return d;
15ae422b 407
6ee1a919 408 /* If the paths are equal, check the mode */
93bab288 409 return CMP((int) a->mode, (int) b->mode);
15ae422b
LP		 410}
411
da6053d0
LP		 412static int prefix_where_needed(MountEntry *m, size_t n, const char *root_directory) {
413 size_t i;
5327c910 414
4a756839 415 /* Prefixes all paths in the bind mount table with the root directory if the entry needs that. */
5327c910
LP		 416
417 for (i = 0; i < n; i++) {
418 char *s;
419
420 if (m[i].has_prefix)
421 continue;
422
34de407a 423 s = prefix_root(root_directory, mount_entry_path(m+i));
5327c910
LP		 424 if (!s)
425 return -ENOMEM;
426
e282f51f 427 free_and_replace(m[i].path_malloc, s);
5327c910
LP		 428 m[i].has_prefix = true;
429 }
430
431 return 0;
432}
433
da6053d0 434static void drop_duplicates(MountEntry *m, size_t *n) {
34de407a 435 MountEntry *f, *t, *previous;
15ae422b 436
c17ec25e 437 assert(m);
15ae422b 438 assert(n);
15ae422b 439
fe3c2583
LP		 440 /* Drops duplicate entries. Expects that the array is properly ordered already. */
441
1d54cd5d 442 for (f = m, t = m, previous = NULL; f < m + *n; f++) {
15ae422b 443
fe3c2583 444 /* The first one wins (which is the one with the more restrictive mode), see mount_path_compare()
088696fe
LP		 445 * above. Note that we only drop duplicates that haven't been mounted yet. */
446 if (previous &&
447 path_equal(mount_entry_path(f), mount_entry_path(previous)) &&
448 !f->applied && !previous->applied) {
34de407a
LP		 449 log_debug("%s is duplicate.", mount_entry_path(f));
450 previous->read_only = previous->read_only || mount_entry_read_only(f); /* Propagate the read-only flag to the remaining entry */
1eb7e08e 451 mount_entry_done(f);
15ae422b 452 continue;
fe3c2583 453 }
15ae422b 454
e2d7c1a0 455 *t = *f;
15ae422b 456 previous = t;
fe3c2583
LP		 457 t++;
458 }
459
460 *n = t - m;
461}
462
da6053d0 463static void drop_inaccessible(MountEntry *m, size_t *n) {
34de407a 464 MountEntry *f, *t;
fe3c2583
LP		 465 const char *clear = NULL;
466
467 assert(m);
468 assert(n);
469
470 /* Drops all entries obstructed by another entry further up the tree. Expects that the array is properly
471 * ordered already. */
472
1d54cd5d 473 for (f = m, t = m; f < m + *n; f++) {
fe3c2583
LP		 474
475 /* If we found a path set for INACCESSIBLE earlier, and this entry has it as prefix we should drop
476 * it, as inaccessible paths really should drop the entire subtree. */
34de407a
LP		 477 if (clear && path_startswith(mount_entry_path(f), clear)) {
478 log_debug("%s is masked by %s.", mount_entry_path(f), clear);
1eb7e08e 479 mount_entry_done(f);
fe3c2583
LP		 480 continue;
481 }
15ae422b 482
34de407a 483 clear = f->mode == INACCESSIBLE ? mount_entry_path(f) : NULL;
fe3c2583
LP		 484
485 *t = *f;
15ae422b
LP		 486 t++;
487 }
488
c17ec25e 489 *n = t - m;
15ae422b
LP		 490}
491
da6053d0 492static void drop_nop(MountEntry *m, size_t *n) {
34de407a 493 MountEntry *f, *t;
7648a565
LP		 494
495 assert(m);
496 assert(n);
497
498 /* Drops all entries which have an immediate parent that has the same type, as they are redundant. Assumes the
499 * list is ordered by prefixes. */
500
1d54cd5d 501 for (f = m, t = m; f < m + *n; f++) {
7648a565
LP		 502
503 /* Only suppress such subtrees for READONLY and READWRITE entries */
504 if (IN_SET(f->mode, READONLY, READWRITE)) {
34de407a 505 MountEntry *p;
7648a565
LP		 506 bool found = false;
507
508 /* Now let's find the first parent of the entry we are looking at. */
509 for (p = t-1; p >= m; p--) {
34de407a 510 if (path_startswith(mount_entry_path(f), mount_entry_path(p))) {
7648a565
LP		 511 found = true;
512 break;
513 }
514 }
515
516 /* We found it, let's see if it's the same mode, if so, we can drop this entry */
517 if (found && p->mode == f->mode) {
34de407a 518 log_debug("%s is redundant by %s", mount_entry_path(f), mount_entry_path(p));
1eb7e08e 519 mount_entry_done(f);
7648a565
LP		 520 continue;
521 }
522 }
523
524 *t = *f;
525 t++;
526 }
527
528 *n = t - m;
529}
530
da6053d0 531static void drop_outside_root(const char *root_directory, MountEntry *m, size_t *n) {
34de407a 532 MountEntry *f, *t;
cd2902c9
LP		 533
534 assert(m);
535 assert(n);
536
1d54cd5d 537 /* Nothing to do */
cd2902c9
LP		 538 if (!root_directory)
539 return;
540
541 /* Drops all mounts that are outside of the root directory. */
542
1d54cd5d 543 for (f = m, t = m; f < m + *n; f++) {
cd2902c9 544
34de407a
LP		 545 if (!path_startswith(mount_entry_path(f), root_directory)) {
546 log_debug("%s is outside of root directory.", mount_entry_path(f));
1eb7e08e 547 mount_entry_done(f);
cd2902c9
LP		 548 continue;
549 }
550
551 *t = *f;
552 t++;
553 }
554
555 *n = t - m;
556}
557
b2a60844
LP		 558static int clone_device_node(
559 const char *d,
560 const char *temporary_mount,
561 bool *make_devnode) {
562
563 _cleanup_free_ char *sl = NULL;
564 const char *dn, *bn, *t;
b5e99f23
ДГ		 565 struct stat st;
566 int r;
567
414b304b 568 if (stat(d, &st) < 0) {
b2a60844
LP		 569 if (errno == ENOENT) {
570 log_debug_errno(errno, "Device node '%s' to clone does not exist, ignoring.", d);
af984e13 571 return -ENXIO;
b2a60844
LP		 572 }
573
574 return log_debug_errno(errno, "Failed to stat() device node '%s' to clone, ignoring: %m", d);
b5e99f23
ДГ		 575 }
576
577 if (!S_ISBLK(st.st_mode) &&
b2a60844
LP		 578 !S_ISCHR(st.st_mode)) {
579 log_debug("Device node '%s' to clone is not a device node, ignoring.", d);
b5e99f23 580 return -EINVAL;
b2a60844 581 }
b5e99f23 582
6f7f3a33 583 dn = strjoina(temporary_mount, d);
b5e99f23 584
b2a60844 585 /* First, try to create device node properly */
16498617
CB		 586 if (*make_devnode) {
587 mac_selinux_create_file_prepare(d, st.st_mode);
588 r = mknod(dn, st.st_mode, st.st_rdev);
589 mac_selinux_create_file_clear();
b2a60844
LP		 590 if (r >= 0)
591 goto add_symlink;
16498617
CB		 592 if (errno != EPERM)
593 return log_debug_errno(errno, "mknod failed for %s: %m", d);
594
b2a60844 595 /* This didn't work, let's not try this again for the next iterations. */
16498617
CB		 596 *make_devnode = false;
597 }
598
599 /* We're about to fallback to bind-mounting the device
600 * node. So create a dummy bind-mount target. */
601 mac_selinux_create_file_prepare(d, 0);
602 r = mknod(dn, S_IFREG, 0);
b5e99f23 603 mac_selinux_create_file_clear();
16498617 604 if (r < 0 && errno != EEXIST)
b2a60844 605 return log_debug_errno(errno, "mknod() fallback failed for '%s': %m", d);
16498617
CB		 606
607 /* Fallback to bind-mounting:
608 * The assumption here is that all used device nodes carry standard
609 * properties. Specifically, the devices nodes we bind-mount should
610 * either be owned by root:root or root:tty (e.g. /dev/tty, /dev/ptmx)
611 * and should not carry ACLs. */
612 if (mount(d, dn, NULL, MS_BIND, NULL) < 0)
b2a60844
LP		 613 return log_debug_errno(errno, "Bind mounting failed for '%s': %m", d);
614
615add_symlink:
616 bn = path_startswith(d, "/dev/");
617 if (!bn)
618 return 0;
619
620 /* Create symlinks like /dev/char/1:9 → ../urandom */
621 if (asprintf(&sl, "%s/dev/%s/%u:%u", temporary_mount, S_ISCHR(st.st_mode) ? "char" : "block", major(st.st_rdev), minor(st.st_rdev)) < 0)
622 return log_oom();
623
624 (void) mkdir_parents(sl, 0755);
625
626 t = strjoina("../", bn);
627
628 if (symlink(t, sl) < 0)
2e4a4fae 629 log_debug_errno(errno, "Failed to symlink '%s' to '%s', ignoring: %m", t, sl);
b5e99f23 630
af984e13 631 return 0;
b5e99f23
ДГ		 632}
633
5d997827 634static int mount_private_dev(MountEntry *m) {
7f112f50
LP		 635 static const char devnodes[] =
636 "/dev/null\0"
637 "/dev/zero\0"
638 "/dev/full\0"
639 "/dev/random\0"
640 "/dev/urandom\0"
641 "/dev/tty\0";
642
2b85f4e1 643 char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
63cc4c31 644 const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
16498617 645 bool can_mknod = true;
7f112f50
LP		 646 _cleanup_umask_ mode_t u;
647 int r;
648
649 assert(m);
650
651 u = umask(0000);
652
2b85f4e1 653 if (!mkdtemp(temporary_mount))
2e4a4fae 654 return log_debug_errno(errno, "Failed to create temporary directory '%s': %m", temporary_mount);
2b85f4e1 655
63c372cb 656 dev = strjoina(temporary_mount, "/dev");
dc751688 657 (void) mkdir(dev, 0755);
737ba3c8 658 if (mount("tmpfs", dev, "tmpfs", DEV_MOUNT_OPTIONS, "mode=755") < 0) {
2e4a4fae 659 r = log_debug_errno(errno, "Failed to mount tmpfs on '%s': %m", dev);
2b85f4e1
LP		 660 goto fail;
661 }
662
63c372cb 663 devpts = strjoina(temporary_mount, "/dev/pts");
dc751688 664 (void) mkdir(devpts, 0755);
2b85f4e1 665 if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
2e4a4fae 666 r = log_debug_errno(errno, "Failed to bind mount /dev/pts on '%s': %m", devpts);
2b85f4e1
LP		 667 goto fail;
668 }
669
2e4a4fae
YW		 670 /* /dev/ptmx can either be a device node or a symlink to /dev/pts/ptmx.
671 * When /dev/ptmx a device node, /dev/pts/ptmx has 000 permissions making it inaccessible.
672 * Thus, in that case make a clone.
673 * In nspawn and other containers it will be a symlink, in that case make it a symlink. */
36ce7110 674 r = is_symlink("/dev/ptmx");
2e4a4fae
YW		 675 if (r < 0) {
676 log_debug_errno(r, "Failed to detect whether /dev/ptmx is a symlink or not: %m");
3164e3cb 677 goto fail;
2e4a4fae 678 } else if (r > 0) {
414b304b
ДГ		 679 devptmx = strjoina(temporary_mount, "/dev/ptmx");
680 if (symlink("pts/ptmx", devptmx) < 0) {
2e4a4fae 681 r = log_debug_errno(errno, "Failed to create a symlink '%s' to pts/ptmx: %m", devptmx);
414b304b
ДГ		 682 goto fail;
683 }
684 } else {
16498617 685 r = clone_device_node("/dev/ptmx", temporary_mount, &can_mknod);
152c475f
LP		 686 if (r < 0)
687 goto fail;
414b304b 688 }
e06b6479 689
63c372cb 690 devshm = strjoina(temporary_mount, "/dev/shm");
8d953682 691 (void) mkdir(devshm, 0755);
2b85f4e1
LP		 692 r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
693 if (r < 0) {
2e4a4fae 694 r = log_debug_errno(errno, "Failed to bind mount /dev/shm on '%s': %m", devshm);
2b85f4e1
LP		 695 goto fail;
696 }
697
63c372cb 698 devmqueue = strjoina(temporary_mount, "/dev/mqueue");
dc751688 699 (void) mkdir(devmqueue, 0755);
2e4a4fae
YW		 700 if (mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL) < 0)
701 log_debug_errno(errno, "Failed to bind mount /dev/mqueue on '%s', ignoring: %m", devmqueue);
2b85f4e1 702
63c372cb 703 devhugepages = strjoina(temporary_mount, "/dev/hugepages");
dc751688 704 (void) mkdir(devhugepages, 0755);
2e4a4fae
YW		 705 if (mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL) < 0)
706 log_debug_errno(errno, "Failed to bind mount /dev/hugepages on '%s', ignoring: %m", devhugepages);
2b85f4e1 707
63c372cb 708 devlog = strjoina(temporary_mount, "/dev/log");
2e4a4fae
YW		 709 if (symlink("/run/systemd/journal/dev-log", devlog) < 0)
710 log_debug_errno(errno, "Failed to create a symlink '%s' to /run/systemd/journal/dev-log, ignoring: %m", devlog);
82d25240 711
7f112f50 712 NULSTR_FOREACH(d, devnodes) {
16498617 713 r = clone_device_node(d, temporary_mount, &can_mknod);
af984e13
ZJS		 714 /* ENXIO means the the *source* is not a device file, skip creation in that case */
715 if (r < 0 && r != -ENXIO)
2b85f4e1 716 goto fail;
7f112f50
LP		 717 }
718
2e4a4fae
YW		 719 r = dev_setup(temporary_mount, UID_INVALID, GID_INVALID);
720 if (r < 0)
721 log_debug_errno(r, "Failed to setup basic device tree at '%s', ignoring: %m", temporary_mount);
7f112f50 722
ee818b89
AC		 723 /* Create the /dev directory if missing. It is more likely to be
724 * missing when the service is started with RootDirectory. This is
725 * consistent with mount units creating the mount points when missing.
726 */
34de407a 727 (void) mkdir_p_label(mount_entry_path(m), 0755);
ee818b89 728
9e5f8252 729 /* Unmount everything in old /dev */
2e4a4fae
YW		 730 r = umount_recursive(mount_entry_path(m), 0);
731 if (r < 0)
732 log_debug_errno(r, "Failed to unmount directories below '%s', ignoring: %m", mount_entry_path(m));
733
34de407a 734 if (mount(dev, mount_entry_path(m), NULL, MS_MOVE, NULL) < 0) {
2e4a4fae 735 r = log_debug_errno(errno, "Failed to move mount point '%s' to '%s': %m", dev, mount_entry_path(m));
2b85f4e1
LP		 736 goto fail;
737 }
7f112f50 738
2b85f4e1
LP		 739 rmdir(dev);
740 rmdir(temporary_mount);
7f112f50 741
2b85f4e1 742 return 0;
7f112f50 743
2b85f4e1
LP		 744fail:
745 if (devpts)
746 umount(devpts);
7f112f50 747
2b85f4e1
LP		 748 if (devshm)
749 umount(devshm);
7f112f50 750
2b85f4e1
LP		 751 if (devhugepages)
752 umount(devhugepages);
7f112f50 753
2b85f4e1
LP		 754 if (devmqueue)
755 umount(devmqueue);
7f112f50 756
d267c5aa
ZJS		 757 umount(dev);
758 rmdir(dev);
2b85f4e1 759 rmdir(temporary_mount);
7f112f50 760
2b85f4e1 761 return r;
7f112f50
LP		 762}
763
2a2969fd 764static int mount_bind_dev(const MountEntry *m) {
5d997827
LP		 765 int r;
766
767 assert(m);
768
769 /* Implements the little brother of mount_private_dev(): simply bind mounts the host's /dev into the service's
770 * /dev. This is only used when RootDirectory= is set. */
771
645767d6
LP		 772 (void) mkdir_p_label(mount_entry_path(m), 0755);
773
5d997827
LP		 774 r = path_is_mount_point(mount_entry_path(m), NULL, 0);
775 if (r < 0)
776 return log_debug_errno(r, "Unable to determine whether /dev is already mounted: %m");
777 if (r > 0) /* make this a NOP if /dev is already a mount point */
778 return 0;
779
780 if (mount("/dev", mount_entry_path(m), NULL, MS_BIND|MS_REC, NULL) < 0)
781 return log_debug_errno(errno, "Failed to bind mount %s: %m", mount_entry_path(m));
782
783 return 1;
784}
785
2a2969fd 786static int mount_sysfs(const MountEntry *m) {
5d997827
LP		 787 int r;
788
789 assert(m);
790
645767d6
LP		 791 (void) mkdir_p_label(mount_entry_path(m), 0755);
792
5d997827
LP		 793 r = path_is_mount_point(mount_entry_path(m), NULL, 0);
794 if (r < 0)
795 return log_debug_errno(r, "Unable to determine whether /sys is already mounted: %m");
796 if (r > 0) /* make this a NOP if /sys is already a mount point */
797 return 0;
798
799 /* Bind mount the host's version so that we get all child mounts of it, too. */
800 if (mount("/sys", mount_entry_path(m), NULL, MS_BIND|MS_REC, NULL) < 0)
801 return log_debug_errno(errno, "Failed to mount %s: %m", mount_entry_path(m));
802
803 return 1;
804}
805
2a2969fd 806static int mount_procfs(const MountEntry *m) {
5d997827
LP		 807 int r;
808
809 assert(m);
810
645767d6
LP		 811 (void) mkdir_p_label(mount_entry_path(m), 0755);
812
5d997827
LP		 813 r = path_is_mount_point(mount_entry_path(m), NULL, 0);
814 if (r < 0)
815 return log_debug_errno(r, "Unable to determine whether /proc is already mounted: %m");
816 if (r > 0) /* make this a NOP if /proc is already a mount point */
817 return 0;
818
819 /* Mount a new instance, so that we get the one that matches our user namespace, if we are running in one */
820 if (mount("proc", mount_entry_path(m), "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL) < 0)
821 return log_debug_errno(errno, "Failed to mount %s: %m", mount_entry_path(m));
822
823 return 1;
824}
825
2abd4e38 826static int mount_tmpfs(const MountEntry *m) {
6c47cd7d
LP		 827 assert(m);
828
2abd4e38 829 /* First, get rid of everything that is below if there is anything. Then, overmount with our new tmpfs */
6c47cd7d
LP		 830
831 (void) mkdir_p_label(mount_entry_path(m), 0755);
832 (void) umount_recursive(mount_entry_path(m), 0);
833
2abd4e38 834 if (mount("tmpfs", mount_entry_path(m), "tmpfs", m->flags, mount_entry_options(m)) < 0)
6c47cd7d
LP		 835 return log_debug_errno(errno, "Failed to mount %s: %m", mount_entry_path(m));
836
837 return 1;
838}
839
088696fe 840static int follow_symlink(
d2d6c096 841 const char *root_directory,
088696fe 842 MountEntry *m) {
d2d6c096 843
088696fe 844 _cleanup_free_ char *target = NULL;
8fceda93
LP		 845 int r;
846
088696fe
LP		 847 /* Let's chase symlinks, but only one step at a time. That's because depending where the symlink points we
848 * might need to change the order in which we mount stuff. Hence: let's normalize piecemeal, and do one step at
849 * a time by specifying CHASE_STEP. This function returns 0 if we resolved one step, and > 0 if we reached the
850 * end and already have a fully normalized name. */
8fceda93 851
088696fe
LP		 852 r = chase_symlinks(mount_entry_path(m), root_directory, CHASE_STEP|CHASE_NONEXISTENT, &target);
853 if (r < 0)
854 return log_debug_errno(r, "Failed to chase symlinks '%s': %m", mount_entry_path(m));
855 if (r > 0) /* Reached the end, nothing more to resolve */
856 return 1;
8fceda93 857
088696fe
LP		 858 if (m->n_followed >= CHASE_SYMLINKS_MAX) { /* put a boundary on things */
859 log_debug("Symlink loop on '%s'.", mount_entry_path(m));
860 return -ELOOP;
8fceda93 861 }
8fceda93 862
088696fe 863 log_debug("Followed mount entry path symlink %s → %s.", mount_entry_path(m), target);
8fceda93 864
088696fe
LP		 865 free_and_replace(m->path_malloc, target);
866 m->has_prefix = true;
8fceda93 867
088696fe
LP		 868 m->n_followed ++;
869
870 return 0;
8fceda93
LP		 871}
872
ac0930c8 873static int apply_mount(
8fceda93 874 const char *root_directory,
89bd586c 875 MountEntry *m) {
ac0930c8 876
a227a4be 877 bool rbind = true, make = false;
15ae422b 878 const char *what;
15ae422b 879 int r;
15ae422b 880
c17ec25e 881 assert(m);
15ae422b 882
34de407a 883 log_debug("Applying namespace mount on %s", mount_entry_path(m));
fe3c2583 884
c17ec25e 885 switch (m->mode) {
15ae422b 886
160cfdbe
LP		 887 case INACCESSIBLE: {
888 struct stat target;
6d313367
LP		 889
890 /* First, get rid of everything that is below if there
891 * is anything... Then, overmount it with an
c4b41707 892 * inaccessible path. */
34de407a 893 (void) umount_recursive(mount_entry_path(m), 0);
6d313367 894
088696fe
LP		 895 if (lstat(mount_entry_path(m), &target) < 0) {
896 if (errno == ENOENT && m->ignore)
897 return 0;
898
34de407a 899 return log_debug_errno(errno, "Failed to lstat() %s to determine what to mount over it: %m", mount_entry_path(m));
088696fe 900 }
15ae422b 901
c4b41707 902 what = mode_to_inaccessible_node(target.st_mode);
5fd7cf6f
LP		 903 if (!what) {
904 log_debug("File type not supported for inaccessible mounts. Note that symlinks are not allowed");
c4b41707
AP		 905 return -ELOOP;
906 }
907 break;
160cfdbe 908 }
fe3c2583 909
15ae422b 910 case READONLY:
15ae422b 911 case READWRITE:
8fceda93 912 r = path_is_mount_point(mount_entry_path(m), root_directory, 0);
088696fe
LP		 913 if (r == -ENOENT && m->ignore)
914 return 0;
d944dc95 915 if (r < 0)
34de407a 916 return log_debug_errno(r, "Failed to determine whether %s is already a mount point: %m", mount_entry_path(m));
6b7c9f8b
LP		 917 if (r > 0) /* Nothing to do here, it is already a mount. We just later toggle the MS_RDONLY bit for the mount point if needed. */
918 return 0;
6b7c9f8b 919 /* This isn't a mount point yet, let's make it one. */
34de407a 920 what = mount_entry_path(m);
6b7c9f8b 921 break;
15ae422b 922
d2d6c096
LP		 923 case BIND_MOUNT:
924 rbind = false;
d2d6c096 925
4831981d 926 _fallthrough_;
088696fe
LP		 927 case BIND_MOUNT_RECURSIVE: {
928 _cleanup_free_ char *chased = NULL;
5d997827 929
088696fe
LP		 930 /* Since mount() will always follow symlinks we chase the symlinks on our own first. Note that bind
931 * mount source paths are always relative to the host root, hence we pass NULL as root directory to
932 * chase_symlinks() here. */
933
934 r = chase_symlinks(mount_entry_source(m), NULL, CHASE_TRAIL_SLASH, &chased);
935 if (r == -ENOENT && m->ignore) {
936 log_debug_errno(r, "Path %s does not exist, ignoring.", mount_entry_source(m));
937 return 0;
938 }
939 if (r < 0)
940 return log_debug_errno(r, "Failed to follow symlinks on %s: %m", mount_entry_source(m));
941
942 log_debug("Followed source symlinks %s → %s.", mount_entry_source(m), chased);
943
944 free_and_replace(m->source_malloc, chased);
d2d6c096
LP		 945
946 what = mount_entry_source(m);
a227a4be 947 make = true;
d2d6c096 948 break;
088696fe 949 }
d2d6c096 950
6c47cd7d 951 case EMPTY_DIR:
2abd4e38
YW		 952 case TMPFS:
953 return mount_tmpfs(m);
6c47cd7d 954
ac0930c8 955 case PRIVATE_TMP:
89bd586c 956 what = mount_entry_source(m);
a227a4be 957 make = true;
15ae422b 958 break;
e364ad06 959
d6797c92 960 case PRIVATE_DEV:
5d997827
LP		 961 return mount_private_dev(m);
962
963 case BIND_DEV:
964 return mount_bind_dev(m);
965
966 case SYSFS:
967 return mount_sysfs(m);
968
969 case PROCFS:
970 return mount_procfs(m);
d6797c92 971
e364ad06
LP		 972 default:
973 assert_not_reached("Unknown mode");
15ae422b
LP		 974 }
975
ac0930c8 976 assert(what);
15ae422b 977
a227a4be
LP		 978 if (mount(what, mount_entry_path(m), NULL, MS_BIND|(rbind ? MS_REC : 0), NULL) < 0) {
979 bool try_again = false;
980 r = -errno;
981
982 if (r == -ENOENT && make) {
983 struct stat st;
984
985 /* Hmm, either the source or the destination are missing. Let's see if we can create the destination, then try again */
986
e8717862
LP		 987 if (stat(what, &st) < 0)
988 log_debug_errno(errno, "Mount point source '%s' is not accessible: %m", what);
989 else {
990 int q;
a227a4be
LP		 991
992 (void) mkdir_parents(mount_entry_path(m), 0755);
993
994 if (S_ISDIR(st.st_mode))
e8717862 995 q = mkdir(mount_entry_path(m), 0755) < 0 ? -errno : 0;
a227a4be 996 else
e8717862
LP		 997 q = touch(mount_entry_path(m));
998
999 if (q < 0)
1000 log_debug_errno(q, "Failed to create destination mount point node '%s': %m", mount_entry_path(m));
1001 else
1002 try_again = true;
a227a4be
LP		 1003 }
1004 }
1005
1006 if (try_again) {
1007 if (mount(what, mount_entry_path(m), NULL, MS_BIND|(rbind ? MS_REC : 0), NULL) < 0)
1008 r = -errno;
1009 else
1010 r = 0;
1011 }
1012
1013 if (r < 0)
1014 return log_debug_errno(r, "Failed to mount %s to %s: %m", what, mount_entry_path(m));
1015 }
6b7c9f8b 1016
34de407a 1017 log_debug("Successfully mounted %s to %s", what, mount_entry_path(m));
6b7c9f8b 1018 return 0;
ac0930c8 1019}
15ae422b 1020
69338c3d
AJ		 1021/* Change the per-mount readonly flag on an existing mount */
1022static int remount_bind_readonly(const char *path, unsigned long orig_flags) {
1023 int r;
1024
1025 r = mount(NULL, path, NULL, MS_REMOUNT | MS_BIND | MS_RDONLY | orig_flags, NULL);
1026
1027 return r < 0 ? -errno : 0;
1028}
1029
2a2969fd 1030static int make_read_only(const MountEntry *m, char **blacklist, FILE *proc_self_mountinfo) {
763a260a 1031 bool submounts = false;
6b7c9f8b 1032 int r = 0;
15ae422b 1033
c17ec25e 1034 assert(m);
ac9de0b3 1035 assert(proc_self_mountinfo);
ac0930c8 1036
2abd4e38
YW		 1037 if (mount_entry_read_only(m)) {
1038 if (IN_SET(m->mode, EMPTY_DIR, TMPFS)) {
69338c3d 1039 r = remount_bind_readonly(mount_entry_path(m), m->flags);
763a260a
YW		 1040 } else {
1041 submounts = true;
2abd4e38 1042 r = bind_remount_recursive_with_mountinfo(mount_entry_path(m), true, blacklist, proc_self_mountinfo);
763a260a 1043 }
2abd4e38 1044 } else if (m->mode == PRIVATE_DEV) {
69338c3d
AJ		 1045 /* Set /dev readonly, but not submounts like /dev/shm. Also, we only set the per-mount read-only flag.
1046 * We can't set it on the superblock, if we are inside a user namespace and running Linux <= 4.17. */
1047 r = remount_bind_readonly(mount_entry_path(m), DEV_MOUNT_OPTIONS);
737ba3c8 1048 } else
6b7c9f8b
LP		 1049 return 0;
1050
1051 /* Not that we only turn on the MS_RDONLY flag here, we never turn it off. Something that was marked read-only
1052 * already stays this way. This improves compatibility with container managers, where we won't attempt to undo
1053 * read-only mounts already applied. */
ac0930c8 1054
8fceda93
LP		 1055 if (r == -ENOENT && m->ignore)
1056 r = 0;
5327c910 1057
763a260a
YW		 1058 if (r < 0)
1059 return log_debug_errno(r, "Failed to re-mount '%s'%s read-only: %m", mount_entry_path(m),
1060 submounts ? " and its submounts" : "");
1061
1062 return 0;
d944dc95
LP		 1063}
1064
9b68367b 1065static bool namespace_info_mount_apivfs(const NamespaceInfo *ns_info) {
5d997827
LP		 1066 assert(ns_info);
1067
9c988f93
DH		 1068 /*
1069 * ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=,
1070 * since to protect the API VFS mounts, they need to be around in the
9b68367b 1071 * first place...
9c988f93 1072 */
5d997827 1073
9b68367b
YW		 1074 return ns_info->mount_apivfs ||
1075 ns_info->protect_control_groups ||
1076 ns_info->protect_kernel_tunables;
5d997827
LP		 1077}
1078
da6053d0 1079static size_t namespace_calculate_mounts(
bb0ff3fb 1080 const NamespaceInfo *ns_info,
2652c6c1
DH		 1081 char** read_write_paths,
1082 char** read_only_paths,
1083 char** inaccessible_paths,
6c47cd7d 1084 char** empty_directories,
da6053d0
LP		 1085 size_t n_bind_mounts,
1086 size_t n_temporary_filesystems,
2652c6c1
DH		 1087 const char* tmp_dir,
1088 const char* var_tmp_dir,
2652c6c1
DH		 1089 ProtectHome protect_home,
1090 ProtectSystem protect_system) {
1091
da6053d0
LP		 1092 size_t protect_home_cnt;
1093 size_t protect_system_cnt =
f471b2af
DH		 1094 (protect_system == PROTECT_SYSTEM_STRICT ?
1095 ELEMENTSOF(protect_system_strict_table) :
1096 ((protect_system == PROTECT_SYSTEM_FULL) ?
1097 ELEMENTSOF(protect_system_full_table) :
1098 ((protect_system == PROTECT_SYSTEM_YES) ?
1099 ELEMENTSOF(protect_system_yes_table) : 0)));
1100
b6c432ca
DH		 1101 protect_home_cnt =
1102 (protect_home == PROTECT_HOME_YES ?
1103 ELEMENTSOF(protect_home_yes_table) :
1104 ((protect_home == PROTECT_HOME_READ_ONLY) ?
e4da7d8c
YW		 1105 ELEMENTSOF(protect_home_read_only_table) :
1106 ((protect_home == PROTECT_HOME_TMPFS) ?
1107 ELEMENTSOF(protect_home_tmpfs_table) : 0)));
b6c432ca 1108
2652c6c1
DH		 1109 return !!tmp_dir + !!var_tmp_dir +
1110 strv_length(read_write_paths) +
1111 strv_length(read_only_paths) +
1112 strv_length(inaccessible_paths) +
6c47cd7d 1113 strv_length(empty_directories) +
d2d6c096 1114 n_bind_mounts +
2abd4e38 1115 n_temporary_filesystems +
c575770b
DH		 1116 ns_info->private_dev +
1117 (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
1118 (ns_info->protect_control_groups ? 1 : 0) +
1119 (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
5d997827 1120 protect_home_cnt + protect_system_cnt +
9b68367b 1121 (namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0);
2652c6c1
DH		 1122}
1123
da6053d0 1124static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) {
9b68367b 1125 assert(root_directory);
f8b64b57
LP		 1126 assert(n_mounts);
1127 assert(mounts || *n_mounts == 0);
1128
93bab288 1129 typesafe_qsort(mounts, *n_mounts, mount_path_compare);
f8b64b57
LP		 1130
1131 drop_duplicates(mounts, n_mounts);
1132 drop_outside_root(root_directory, mounts, n_mounts);
1133 drop_inaccessible(mounts, n_mounts);
1134 drop_nop(mounts, n_mounts);
1135}
1136
613b411c 1137int setup_namespace(
ee818b89 1138 const char* root_directory,
915e6d16 1139 const char* root_image,
bb0ff3fb 1140 const NamespaceInfo *ns_info,
2a624c36
AP		 1141 char** read_write_paths,
1142 char** read_only_paths,
1143 char** inaccessible_paths,
6c47cd7d 1144 char** empty_directories,
d2d6c096 1145 const BindMount *bind_mounts,
da6053d0 1146 size_t n_bind_mounts,
2abd4e38 1147 const TemporaryFileSystem *temporary_filesystems,
da6053d0 1148 size_t n_temporary_filesystems,
a004cb4c
LP		 1149 const char* tmp_dir,
1150 const char* var_tmp_dir,
1b8689f9
LP		 1151 ProtectHome protect_home,
1152 ProtectSystem protect_system,
915e6d16
LP		 1153 unsigned long mount_flags,
1154 DissectImageFlags dissect_image_flags) {
15ae422b 1155
915e6d16 1156 _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
78ebe980 1157 _cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
915e6d16 1158 _cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
78ebe980 1159 _cleanup_free_ void *root_hash = NULL;
34de407a 1160 MountEntry *m, *mounts = NULL;
9b68367b 1161 size_t n_mounts, root_hash_size = 0;
d18aff04 1162 bool require_prefix = false;
9b68367b 1163 const char *root;
c17ec25e 1164 int r = 0;
15ae422b 1165
915e6d16
LP		 1166 assert(ns_info);
1167
613b411c 1168 if (mount_flags == 0)
c17ec25e 1169 mount_flags = MS_SHARED;
ac0930c8 1170
915e6d16
LP		 1171 if (root_image) {
1172 dissect_image_flags |= DISSECT_IMAGE_REQUIRE_ROOT;
1173
c9ef8573
LP		 1174 if (protect_system == PROTECT_SYSTEM_STRICT &&
1175 protect_home != PROTECT_HOME_NO &&
1176 strv_isempty(read_write_paths))
915e6d16
LP		 1177 dissect_image_flags |= DISSECT_IMAGE_READ_ONLY;
1178
1179 r = loop_device_make_by_path(root_image,
1180 dissect_image_flags & DISSECT_IMAGE_READ_ONLY ? O_RDONLY : O_RDWR,
1181 &loop_device);
1182 if (r < 0)
763a260a 1183 return log_debug_errno(r, "Failed to create loop device for root image: %m");
915e6d16 1184
78ebe980
LP		 1185 r = root_hash_load(root_image, &root_hash, &root_hash_size);
1186 if (r < 0)
763a260a 1187 return log_debug_errno(r, "Failed to load root hash: %m");
78ebe980
LP		 1188
1189 r = dissect_image(loop_device->fd, root_hash, root_hash_size, dissect_image_flags, &dissected_image);
1190 if (r < 0)
763a260a 1191 return log_debug_errno(r, "Failed to dissect image: %m");
78ebe980
LP		 1192
1193 r = dissected_image_decrypt(dissected_image, NULL, root_hash, root_hash_size, dissect_image_flags, &decrypted_image);
915e6d16 1194 if (r < 0)
763a260a 1195 return log_debug_errno(r, "Failed to decrypt dissected image: %m");
915e6d16
LP		 1196 }
1197
e908468b
LP		 1198 if (root_directory)
1199 root = root_directory;
0722b359
JS		 1200 else {
1201 /* Always create the mount namespace in a temporary directory, instead of operating
1202 * directly in the root. The temporary directory prevents any mounts from being
1203 * potentially obscured my other mounts we already applied.
1204 * We use the same mount point for all images, which is safe, since they all live
1205 * in their own namespaces after all, and hence won't see each other. */
e908468b
LP		 1206
1207 root = "/run/systemd/unit-root";
1208 (void) mkdir_label(root, 0700);
d18aff04 1209 require_prefix = true;
0722b359 1210 }
e908468b 1211
cfbeb4ef
LP		 1212 n_mounts = namespace_calculate_mounts(
1213 ns_info,
1214 read_write_paths,
1215 read_only_paths,
1216 inaccessible_paths,
6c47cd7d 1217 empty_directories,
f5c52a77 1218 n_bind_mounts,
2abd4e38 1219 n_temporary_filesystems,
cfbeb4ef
LP		 1220 tmp_dir, var_tmp_dir,
1221 protect_home, protect_system);
613b411c 1222
f0a4feb0 1223 if (n_mounts > 0) {
34de407a 1224 m = mounts = (MountEntry *) alloca0(n_mounts * sizeof(MountEntry));
d18aff04 1225 r = append_access_mounts(&m, read_write_paths, READWRITE, require_prefix);
613b411c 1226 if (r < 0)
f0a4feb0 1227 goto finish;
613b411c 1228
d18aff04 1229 r = append_access_mounts(&m, read_only_paths, READONLY, require_prefix);
613b411c 1230 if (r < 0)
f0a4feb0 1231 goto finish;
613b411c 1232
d18aff04 1233 r = append_access_mounts(&m, inaccessible_paths, INACCESSIBLE, require_prefix);
613b411c 1234 if (r < 0)
f0a4feb0 1235 goto finish;
7ff7394d 1236
6c47cd7d
LP		 1237 r = append_empty_dir_mounts(&m, empty_directories);
1238 if (r < 0)
1239 goto finish;
1240
d2d6c096
LP		 1241 r = append_bind_mounts(&m, bind_mounts, n_bind_mounts);
1242 if (r < 0)
1243 goto finish;
1244
2abd4e38
YW		 1245 r = append_tmpfs_mounts(&m, temporary_filesystems, n_temporary_filesystems);
1246 if (r < 0)
1247 goto finish;
1248
613b411c 1249 if (tmp_dir) {
34de407a 1250 *(m++) = (MountEntry) {
5327c910
LP		 1251 .path_const = "/tmp",
1252 .mode = PRIVATE_TMP,
89bd586c 1253 .source_const = tmp_dir,
5327c910 1254 };
613b411c 1255 }
7ff7394d 1256
613b411c 1257 if (var_tmp_dir) {
34de407a 1258 *(m++) = (MountEntry) {
5327c910 1259 .path_const = "/var/tmp",
89bd586c
YW		 1260 .mode = PRIVATE_TMP,
1261 .source_const = var_tmp_dir,
5327c910 1262 };
7ff7394d 1263 }
ac0930c8 1264
c575770b 1265 if (ns_info->private_dev) {
34de407a 1266 *(m++) = (MountEntry) {
5327c910
LP		 1267 .path_const = "/dev",
1268 .mode = PRIVATE_DEV,
1269 };
7f112f50
LP		 1270 }
1271
c575770b 1272 if (ns_info->protect_kernel_tunables) {
5327c910 1273 r = append_static_mounts(&m, protect_kernel_tunables_table, ELEMENTSOF(protect_kernel_tunables_table), ns_info->ignore_protect_paths);
c575770b 1274 if (r < 0)
f0a4feb0 1275 goto finish;
c575770b
DH		 1276 }
1277
1278 if (ns_info->protect_kernel_modules) {
5327c910 1279 r = append_static_mounts(&m, protect_kernel_modules_table, ELEMENTSOF(protect_kernel_modules_table), ns_info->ignore_protect_paths);
c575770b 1280 if (r < 0)
f0a4feb0 1281 goto finish;
c575770b 1282 }
59eeb84b 1283
c575770b 1284 if (ns_info->protect_control_groups) {
34de407a 1285 *(m++) = (MountEntry) {
5327c910
LP		 1286 .path_const = "/sys/fs/cgroup",
1287 .mode = READONLY,
1288 };
59eeb84b
LP		 1289 }
1290
5327c910 1291 r = append_protect_home(&m, protect_home, ns_info->ignore_protect_paths);
b6c432ca 1292 if (r < 0)
f0a4feb0 1293 goto finish;
417116f2 1294
5327c910 1295 r = append_protect_system(&m, protect_system, false);
f471b2af 1296 if (r < 0)
f0a4feb0 1297 goto finish;
417116f2 1298
9b68367b 1299 if (namespace_info_mount_apivfs(ns_info)) {
5d997827
LP		 1300 r = append_static_mounts(&m, apivfs_table, ELEMENTSOF(apivfs_table), ns_info->ignore_protect_paths);
1301 if (r < 0)
1302 goto finish;
1303 }
1304
f0a4feb0 1305 assert(mounts + n_mounts == m);
ac0930c8 1306
5327c910 1307 /* Prepend the root directory where that's necessary */
e908468b 1308 r = prefix_where_needed(mounts, n_mounts, root);
5327c910
LP		 1309 if (r < 0)
1310 goto finish;
1311
839f1877 1312 normalize_mounts(root, mounts, &n_mounts);
15ae422b
LP		 1313 }
1314
1beab8b0
LP		 1315 /* All above is just preparation, figuring out what to do. Let's now actually start doing something. */
1316
d944dc95 1317 if (unshare(CLONE_NEWNS) < 0) {
763a260a 1318 r = log_debug_errno(errno, "Failed to unshare the mount namespace: %m");
1beab8b0
LP		 1319 if (IN_SET(r, -EACCES, -EPERM, -EOPNOTSUPP, -ENOSYS))
1320 /* If the kernel doesn't support namespaces, or when there's a MAC or seccomp filter in place
1321 * that doesn't allow us to create namespaces (or a missing cap), then propagate a recognizable
1322 * error back, which the caller can use to detect this case (and only this) and optionally
1323 * continue without namespacing applied. */
1324 r = -ENOANO;
1325
d944dc95
LP		 1326 goto finish;
1327 }
1e4e94c8 1328
9b68367b
YW		 1329 /* Remount / as SLAVE so that nothing now mounted in the namespace
1330 * shows up in the parent */
1331 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
763a260a 1332 r = log_debug_errno(errno, "Failed to remount '/' as SLAVE: %m");
9b68367b 1333 goto finish;
ee818b89
AC		 1334 }
1335
915e6d16 1336 if (root_image) {
e908468b 1337 /* A root image is specified, mount it to the right place */
2d3a5a73 1338 r = dissected_image_mount(dissected_image, root, UID_INVALID, dissect_image_flags);
763a260a
YW		 1339 if (r < 0) {
1340 log_debug_errno(r, "Failed to mount root image: %m");
915e6d16 1341 goto finish;
763a260a 1342 }
915e6d16 1343
07ce7407
TM		 1344 if (decrypted_image) {
1345 r = decrypted_image_relinquish(decrypted_image);
763a260a
YW		 1346 if (r < 0) {
1347 log_debug_errno(r, "Failed to relinquish decrypted image: %m");
07ce7407 1348 goto finish;
763a260a 1349 }
07ce7407 1350 }
78ebe980 1351
915e6d16
LP		 1352 loop_device_relinquish(loop_device);
1353
1354 } else if (root_directory) {
1355
e908468b
LP		 1356 /* A root directory is specified. Turn its directory into bind mount, if it isn't one yet. */
1357 r = path_is_mount_point(root, NULL, AT_SYMLINK_FOLLOW);
763a260a
YW		 1358 if (r < 0) {
1359 log_debug_errno(r, "Failed to detect that %s is a mount point or not: %m", root);
d944dc95 1360 goto finish;
763a260a 1361 }
8f1ad200 1362 if (r == 0) {
e908468b 1363 if (mount(root, root, NULL, MS_BIND|MS_REC, NULL) < 0) {
763a260a 1364 r = log_debug_errno(errno, "Failed to bind mount '%s': %m", root);
8f1ad200
LP		 1365 goto finish;
1366 }
d944dc95 1367 }
e908468b 1368
9b68367b 1369 } else {
e908468b
LP		 1370
1371 /* Let's mount the main root directory to the root directory to use */
1372 if (mount("/", root, NULL, MS_BIND|MS_REC, NULL) < 0) {
763a260a 1373 r = log_debug_errno(errno, "Failed to bind mount '/' on '%s': %m", root);
e908468b
LP		 1374 goto finish;
1375 }
ee818b89 1376 }
c2c13f2d 1377
4e0c20de
LP		 1378 /* Try to set up the new root directory before mounting anything else there. */
1379 if (root_image || root_directory)
1380 (void) base_filesystem_create(root, UID_INVALID, GID_INVALID);
1381
f0a4feb0 1382 if (n_mounts > 0) {
ac9de0b3 1383 _cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
6b7c9f8b 1384 char **blacklist;
da6053d0 1385 size_t j;
6b7c9f8b 1386
ac9de0b3
TR		 1387 /* Open /proc/self/mountinfo now as it may become unavailable if we mount anything on top of /proc.
1388 * For example, this is the case with the option: 'InaccessiblePaths=/proc' */
1389 proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
1390 if (!proc_self_mountinfo) {
763a260a 1391 r = log_debug_errno(errno, "Failed to open /proc/self/mountinfo: %m");
ac9de0b3
TR		 1392 goto finish;
1393 }
1394
088696fe
LP		 1395 /* First round, establish all mounts we need */
1396 for (;;) {
1397 bool again = false;
1398
1399 for (m = mounts; m < mounts + n_mounts; ++m) {
1400
1401 if (m->applied)
1402 continue;
1403
1404 r = follow_symlink(root, m);
1405 if (r < 0)
1406 goto finish;
1407 if (r == 0) {
1408 /* We hit a symlinked mount point. The entry got rewritten and might point to a
1409 * very different place now. Let's normalize the changed list, and start from
1410 * the beginning. After all to mount the entry at the new location we might
1411 * need some other mounts first */
1412 again = true;
1413 break;
1414 }
1415
1416 r = apply_mount(root, m);
1417 if (r < 0)
1418 goto finish;
1419
1420 m->applied = true;
1421 }
1422
1423 if (!again)
1424 break;
1425
839f1877 1426 normalize_mounts(root, mounts, &n_mounts);
c2c13f2d 1427 }
15ae422b 1428
6b7c9f8b 1429 /* Create a blacklist we can pass to bind_mount_recursive() */
f0a4feb0
DH		 1430 blacklist = newa(char*, n_mounts+1);
1431 for (j = 0; j < n_mounts; j++)
34de407a 1432 blacklist[j] = (char*) mount_entry_path(mounts+j);
6b7c9f8b
LP		 1433 blacklist[j] = NULL;
1434
1435 /* Second round, flip the ro bits if necessary. */
f0a4feb0 1436 for (m = mounts; m < mounts + n_mounts; ++m) {
ac9de0b3 1437 r = make_read_only(m, blacklist, proc_self_mountinfo);
c2c13f2d 1438 if (r < 0)
d944dc95 1439 goto finish;
c2c13f2d 1440 }
15ae422b
LP		 1441 }
1442
9b68367b
YW		 1443 /* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */
1444 r = mount_move_root(root);
763a260a
YW		 1445 if (r < 0) {
1446 log_debug_errno(r, "Failed to mount root with MS_MOVE: %m");
9b68367b 1447 goto finish;
763a260a 1448 }
ee818b89 1449
55fe7432 1450 /* Remount / as the desired mode. Note that this will not
c2c13f2d
LP		 1451 * reestablish propagation from our side to the host, since
1452 * what's disconnected is disconnected. */
d944dc95 1453 if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0) {
763a260a 1454 r = log_debug_errno(errno, "Failed to remount '/' with desired mount flags: %m");
d944dc95
LP		 1455 goto finish;
1456 }
15ae422b 1457
d944dc95 1458 r = 0;
15ae422b 1459
d944dc95 1460finish:
f0a4feb0 1461 for (m = mounts; m < mounts + n_mounts; m++)
1eb7e08e 1462 mount_entry_done(m);
613b411c
LP		 1463
1464 return r;
1465}
1466
da6053d0
LP		 1467void bind_mount_free_many(BindMount *b, size_t n) {
1468 size_t i;
d2d6c096
LP		 1469
1470 assert(b || n == 0);
1471
1472 for (i = 0; i < n; i++) {
1473 free(b[i].source);
1474 free(b[i].destination);
1475 }
1476
1477 free(b);
1478}
1479
da6053d0 1480int bind_mount_add(BindMount **b, size_t *n, const BindMount *item) {
d2d6c096
LP		 1481 _cleanup_free_ char *s = NULL, *d = NULL;
1482 BindMount *c;
1483
1484 assert(b);
1485 assert(n);
1486 assert(item);
1487
1488 s = strdup(item->source);
1489 if (!s)
1490 return -ENOMEM;
1491
1492 d = strdup(item->destination);
1493 if (!d)
1494 return -ENOMEM;
1495
aa484f35 1496 c = reallocarray(*b, *n + 1, sizeof(BindMount));
d2d6c096
LP		 1497 if (!c)
1498 return -ENOMEM;
1499
1500 *b = c;
1501
1502 c[(*n) ++] = (BindMount) {
1cc6c93a
YW		 1503 .source = TAKE_PTR(s),
1504 .destination = TAKE_PTR(d),
d2d6c096
LP		 1505 .read_only = item->read_only,
1506 .recursive = item->recursive,
1507 .ignore_enoent = item->ignore_enoent,
1508 };
1509
d2d6c096
LP		 1510 return 0;
1511}
1512
da6053d0
LP		 1513void temporary_filesystem_free_many(TemporaryFileSystem *t, size_t n) {
1514 size_t i;
2abd4e38
YW		 1515
1516 assert(t || n == 0);
1517
1518 for (i = 0; i < n; i++) {
1519 free(t[i].path);
1520 free(t[i].options);
1521 }
1522
1523 free(t);
1524}
1525
1526int temporary_filesystem_add(
1527 TemporaryFileSystem **t,
da6053d0 1528 size_t *n,
2abd4e38
YW		 1529 const char *path,
1530 const char *options) {
1531
1532 _cleanup_free_ char *p = NULL, *o = NULL;
1533 TemporaryFileSystem *c;
1534
1535 assert(t);
1536 assert(n);
1537 assert(path);
1538
1539 p = strdup(path);
1540 if (!p)
1541 return -ENOMEM;
1542
1543 if (!isempty(options)) {
1544 o = strdup(options);
1545 if (!o)
1546 return -ENOMEM;
1547 }
1548
aa484f35 1549 c = reallocarray(*t, *n + 1, sizeof(TemporaryFileSystem));
2abd4e38
YW		 1550 if (!c)
1551 return -ENOMEM;
1552
1553 *t = c;
1554
1555 c[(*n) ++] = (TemporaryFileSystem) {
1cc6c93a
YW		 1556 .path = TAKE_PTR(p),
1557 .options = TAKE_PTR(o),
2abd4e38
YW		 1558 };
1559
2abd4e38
YW		 1560 return 0;
1561}
1562
613b411c
LP		 1563static int setup_one_tmp_dir(const char *id, const char *prefix, char **path) {
1564 _cleanup_free_ char *x = NULL;
6b46ea73
LP		 1565 char bid[SD_ID128_STRING_MAX];
1566 sd_id128_t boot_id;
1567 int r;
613b411c
LP		 1568
1569 assert(id);
1570 assert(prefix);
1571 assert(path);
1572
6b46ea73
LP		 1573 /* We include the boot id in the directory so that after a
1574 * reboot we can easily identify obsolete directories. */
1575
1576 r = sd_id128_get_boot(&boot_id);
1577 if (r < 0)
1578 return r;
1579
605405c6 1580 x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX");
613b411c
LP		 1581 if (!x)
1582 return -ENOMEM;
1583
1584 RUN_WITH_UMASK(0077)
1585 if (!mkdtemp(x))
1586 return -errno;
1587
1588 RUN_WITH_UMASK(0000) {
1589 char *y;
1590
63c372cb 1591 y = strjoina(x, "/tmp");
613b411c
LP		 1592
1593 if (mkdir(y, 0777 | S_ISVTX) < 0)
1594 return -errno;
c17ec25e 1595 }
15ae422b 1596
1cc6c93a 1597 *path = TAKE_PTR(x);
613b411c
LP		 1598
1599 return 0;
1600}
1601
1602int setup_tmp_dirs(const char *id, char **tmp_dir, char **var_tmp_dir) {
1603 char *a, *b;
1604 int r;
1605
1606 assert(id);
1607 assert(tmp_dir);
1608 assert(var_tmp_dir);
1609
1610 r = setup_one_tmp_dir(id, "/tmp", &a);
1611 if (r < 0)
1612 return r;
1613
1614 r = setup_one_tmp_dir(id, "/var/tmp", &b);
1615 if (r < 0) {
1616 char *t;
1617
63c372cb 1618 t = strjoina(a, "/tmp");
613b411c
LP		 1619 rmdir(t);
1620 rmdir(a);
1621
1622 free(a);
1623 return r;
1624 }
1625
1626 *tmp_dir = a;
1627 *var_tmp_dir = b;
1628
1629 return 0;
1630}
1631
1632int setup_netns(int netns_storage_socket[2]) {
1633 _cleanup_close_ int netns = -1;
3ee897d6 1634 int r, q;
613b411c
LP		 1635
1636 assert(netns_storage_socket);
1637 assert(netns_storage_socket[0] >= 0);
1638 assert(netns_storage_socket[1] >= 0);
1639
1640 /* We use the passed socketpair as a storage buffer for our
76cd584b
LP		 1641 * namespace reference fd. Whatever process runs this first
1642 * shall create a new namespace, all others should just join
1643 * it. To serialize that we use a file lock on the socket
1644 * pair.
613b411c
LP		 1645 *
1646 * It's a bit crazy, but hey, works great! */
1647
1648 if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
1649 return -errno;
1650
3ee897d6
LP		 1651 netns = receive_one_fd(netns_storage_socket[0], MSG_DONTWAIT);
1652 if (netns == -EAGAIN) {
613b411c
LP		 1653 /* Nothing stored yet, so let's create a new namespace */
1654
1655 if (unshare(CLONE_NEWNET) < 0) {
1656 r = -errno;
1657 goto fail;
1658 }
1659
1660 loopback_setup();
1661
1662 netns = open("/proc/self/ns/net", O_RDONLY|O_CLOEXEC|O_NOCTTY);
1663 if (netns < 0) {
1664 r = -errno;
1665 goto fail;
1666 }
1667
1668 r = 1;
613b411c 1669
3ee897d6
LP		 1670 } else if (netns < 0) {
1671 r = netns;
1672 goto fail;
613b411c 1673
3ee897d6
LP		 1674 } else {
1675 /* Yay, found something, so let's join the namespace */
613b411c
LP		 1676 if (setns(netns, CLONE_NEWNET) < 0) {
1677 r = -errno;
1678 goto fail;
1679 }
1680
1681 r = 0;
1682 }
1683
3ee897d6
LP		 1684 q = send_one_fd(netns_storage_socket[1], netns, MSG_DONTWAIT);
1685 if (q < 0) {
1686 r = q;
613b411c
LP		 1687 goto fail;
1688 }
1689
1690fail:
fe048ce5 1691 (void) lockf(netns_storage_socket[0], F_ULOCK, 0);
15ae422b
LP		 1692 return r;
1693}
417116f2 1694
6e2d7c4f
MS		 1695bool ns_type_supported(NamespaceType type) {
1696 const char *t, *ns_proc;
1697
0fa5b831
LP		 1698 t = namespace_type_to_string(type);
1699 if (!t) /* Don't know how to translate this? Then it's not supported */
6e2d7c4f
MS		 1700 return false;
1701
6e2d7c4f 1702 ns_proc = strjoina("/proc/self/ns/", t);
6e2d7c4f
MS		 1703 return access(ns_proc, F_OK) == 0;
1704}
1705
1b8689f9
LP		 1706static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
1707 [PROTECT_HOME_NO] = "no",
1708 [PROTECT_HOME_YES] = "yes",
1709 [PROTECT_HOME_READ_ONLY] = "read-only",
e4da7d8c 1710 [PROTECT_HOME_TMPFS] = "tmpfs",
417116f2
LP		 1711};
1712
1e8c7bd5 1713DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(protect_home, ProtectHome, PROTECT_HOME_YES);
5e1c6154 1714
1b8689f9
LP		 1715static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
1716 [PROTECT_SYSTEM_NO] = "no",
1717 [PROTECT_SYSTEM_YES] = "yes",
1718 [PROTECT_SYSTEM_FULL] = "full",
3f815163 1719 [PROTECT_SYSTEM_STRICT] = "strict",
1b8689f9
LP		 1720};
1721
1e8c7bd5 1722DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(protect_system, ProtectSystem, PROTECT_SYSTEM_YES);
03c791aa 1723
6e2d7c4f
MS		 1724static const char* const namespace_type_table[] = {
1725 [NAMESPACE_MOUNT] = "mnt",
1726 [NAMESPACE_CGROUP] = "cgroup",
1727 [NAMESPACE_UTS] = "uts",
1728 [NAMESPACE_IPC] = "ipc",
1729 [NAMESPACE_USER] = "user",
1730 [NAMESPACE_PID] = "pid",
1731 [NAMESPACE_NET] = "net",
1732};
1733
1734DEFINE_STRING_TABLE_LOOKUP(namespace_type, NamespaceType);
Unnamed repository; edit this file 'description' to name the repository.