[thirdparty/systemd.git] / src / core / namespace.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <sys/mount.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sched.h>
#include <sys/syscall.h>
#include <limits.h>
#include <linux/fs.h>
#include <sys/file.h>

#include "strv.h"
#include "util.h"
#include "path-util.h"
#include "namespace.h"
#include "missing.h"
#include "execute.h"
#include "loopback-setup.h"
#include "mkdir.h"
#include "dev-setup.h"
#include "def.h"

typedef enum MountMode {
        /* This is ordered by priority! */
        INACCESSIBLE,
        READONLY,
        PRIVATE_TMP,
        PRIVATE_VAR_TMP,
        PRIVATE_DEV,
        READWRITE
} MountMode;

typedef struct BindMount {
        const char *path;
        MountMode mode;
        bool done;
        bool ignore;
} BindMount;

static int append_mounts(BindMount **p, char **strv, MountMode mode) {
        char **i;

        assert(p);

        STRV_FOREACH(i, strv) {

                (*p)->ignore = false;

                if ((mode == INACCESSIBLE || mode == READONLY || mode == READWRITE) && (*i)[0] == '-') {
                        (*p)->ignore = true;
                        (*i)++;
                }

                if (!path_is_absolute(*i))
                        return -EINVAL;

                (*p)->path = *i;
                (*p)->mode = mode;
                (*p)++;
        }

        return 0;
}

static int mount_path_compare(const void *a, const void *b) {
        const BindMount *p = a, *q = b;

        if (path_equal(p->path, q->path)) {

                /* If the paths are equal, check the mode */
                if (p->mode < q->mode)
                        return -1;

                if (p->mode > q->mode)
                        return 1;

                return 0;
        }

        /* If the paths are not equal, then order prefixes first */
        if (path_startswith(p->path, q->path))
                return 1;

        if (path_startswith(q->path, p->path))
                return -1;

        return 0;
}

static void drop_duplicates(BindMount *m, unsigned *n) {
        BindMount *f, *t, *previous;

        assert(m);
        assert(n);

        for (f = m, t = m, previous = NULL; f < m+*n; f++) {

                /* The first one wins */
                if (previous && path_equal(f->path, previous->path))
                        continue;

                t->path = f->path;
                t->mode = f->mode;

                previous = t;

                t++;
        }

        *n = t - m;
}

static int mount_dev(BindMount *m) {
        static const char devnodes[] =
                "/dev/null\0"
                "/dev/zero\0"
                "/dev/full\0"
                "/dev/random\0"
                "/dev/urandom\0"
                "/dev/tty\0";

        char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
        const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devkdbus = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL;
        _cleanup_umask_ mode_t u;
        int r;

        assert(m);

        u = umask(0000);

        if (!mkdtemp(temporary_mount))
                return -errno;

        dev = strappenda(temporary_mount, "/dev");
        mkdir(dev, 0755);
        if (mount("tmpfs", dev, "tmpfs", MS_NOSUID|MS_STRICTATIME, "mode=755") < 0) {
                r = -errno;
                goto fail;
        }

        devpts = strappenda(temporary_mount, "/dev/pts");
        mkdir(devpts, 0755);
        if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        devshm = strappenda(temporary_mount, "/dev/shm");
        mkdir(devshm, 01777);
        r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
        if (r < 0) {
                r = -errno;
                goto fail;
        }

        devmqueue = strappenda(temporary_mount, "/dev/mqueue");
        mkdir(devmqueue, 0755);
        mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);

        devkdbus = strappenda(temporary_mount, "/dev/kdbus");
        mkdir(devkdbus, 0755);
        mount("/dev/kdbus", devkdbus, NULL, MS_BIND, NULL);

        devhugepages = strappenda(temporary_mount, "/dev/hugepages");
        mkdir(devhugepages, 0755);
        mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);

        devlog = strappenda(temporary_mount, "/dev/log");
        symlink("/run/systemd/journal/dev-log", devlog);

        NULSTR_FOREACH(d, devnodes) {
                _cleanup_free_ char *dn = NULL;
                struct stat st;

                r = stat(d, &st);
                if (r < 0) {

                        if (errno == ENOENT)
                                continue;

                        r = -errno;
                        goto fail;
                }

                if (!S_ISBLK(st.st_mode) &&
                    !S_ISCHR(st.st_mode)) {
                        r = -EINVAL;
                        goto fail;
                }

                if (st.st_rdev == 0)
                        continue;

                dn = strappend(temporary_mount, d);
                if (!dn) {
                        r = -ENOMEM;
                        goto fail;
                }

                r = mknod(dn, st.st_mode, st.st_rdev);
                if (r < 0) {
                        r = -errno;
                        goto fail;
                }
        }

        dev_setup(temporary_mount);

        if (mount(dev, "/dev/", NULL, MS_MOVE, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        rmdir(dev);
        rmdir(temporary_mount);

        return 0;

fail:
        if (devpts)
                umount(devpts);

        if (devshm)
                umount(devshm);

        if (devkdbus)
                umount(devkdbus);

        if (devhugepages)
                umount(devhugepages);

        if (devmqueue)
                umount(devmqueue);

        if (dev) {
                umount(dev);
                rmdir(dev);
        }

        rmdir(temporary_mount);

        return r;
}

static int apply_mount(
                BindMount *m,
                const char *tmp_dir,
                const char *var_tmp_dir) {

        const char *what;
        int r;

        assert(m);

        switch (m->mode) {

        case PRIVATE_DEV:
                return mount_dev(m);

        case INACCESSIBLE:
                what = "/run/systemd/inaccessible";
                break;

        case READONLY:
        case READWRITE:
                what = m->path;
                break;

        case PRIVATE_TMP:
                what = tmp_dir;
                break;

        case PRIVATE_VAR_TMP:
                what = var_tmp_dir;
                break;

        default:
                assert_not_reached("Unknown mode");
        }

        assert(what);

        r = mount(what, m->path, NULL, MS_BIND|MS_REC, NULL);
        if (r >= 0)
                log_debug("Successfully mounted %s to %s", what, m->path);
        else if (m->ignore && errno == ENOENT)
                r = 0;

        return r;
}

static int make_read_only(BindMount *m) {
        int r;

        assert(m);

        if (m->mode != INACCESSIBLE && m->mode != READONLY)
                return 0;

        r = mount(NULL, m->path, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL);
        if (r < 0 && !(m->ignore && errno == ENOENT))
                return -errno;

        return 0;
}

int setup_namespace(
                char** read_write_dirs,
                char** read_only_dirs,
                char** inaccessible_dirs,
                char* tmp_dir,
                char* var_tmp_dir,
                bool private_dev,
                ProtectedHome protected_home,
                bool read_only_system,
                unsigned mount_flags) {

        BindMount *m, *mounts = NULL;
        unsigned n;
        int r = 0;

        if (mount_flags == 0)
                mount_flags = MS_SHARED;

        if (unshare(CLONE_NEWNS) < 0)
                return -errno;

        n = !!tmp_dir + !!var_tmp_dir +
                strv_length(read_write_dirs) +
                strv_length(read_only_dirs) +
                strv_length(inaccessible_dirs) +
                private_dev +
                (protected_home != PROTECTED_HOME_NO ? 2 : 0) +
                (read_only_system ? 2 : 0);

        if (n > 0) {
                m = mounts = (BindMount *) alloca(n * sizeof(BindMount));
                r = append_mounts(&m, read_write_dirs, READWRITE);
                if (r < 0)
                        return r;

                r = append_mounts(&m, read_only_dirs, READONLY);
                if (r < 0)
                        return r;

                r = append_mounts(&m, inaccessible_dirs, INACCESSIBLE);
                if (r < 0)
                        return r;

                if (tmp_dir) {
                        m->path = "/tmp";
                        m->mode = PRIVATE_TMP;
                        m++;
                }

                if (var_tmp_dir) {
                        m->path = "/var/tmp";
                        m->mode = PRIVATE_VAR_TMP;
                        m++;
                }

                if (private_dev) {
                        m->path = "/dev";
                        m->mode = PRIVATE_DEV;
                        m++;
                }

                if (protected_home != PROTECTED_HOME_NO) {
                        r = append_mounts(&m, STRV_MAKE("-/home", "-/run/user"), protected_home == PROTECTED_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
                        if (r < 0)
                                return r;
                }

                if (read_only_system) {
                        r = append_mounts(&m, STRV_MAKE("/usr", "-/boot"), READONLY);
                        if (r < 0)
                                return r;
                }

                assert(mounts + n == m);

                qsort(mounts, n, sizeof(BindMount), mount_path_compare);
                drop_duplicates(mounts, &n);
        }

        if (n > 0) {
                /* Remount / as SLAVE so that nothing now mounted in the namespace
                   shows up in the parent */
                if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0)
                        return -errno;

                for (m = mounts; m < mounts + n; ++m) {
                        r = apply_mount(m, tmp_dir, var_tmp_dir);
                        if (r < 0)
                                goto fail;
                }

                for (m = mounts; m < mounts + n; ++m) {
                        r = make_read_only(m);
                        if (r < 0)
                                goto fail;
                }
        }

        /* Remount / as the desired mode. Not that this will not
         * reestablish propagation from our side to the host, since
         * what's disconnected is disconnected. */
        if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        return 0;

fail:
        if (n > 0) {
                for (m = mounts; m < mounts + n; ++m)
                        if (m->done)
                                umount2(m->path, MNT_DETACH);
        }

        return r;
}

static int setup_one_tmp_dir(const char *id, const char *prefix, char **path) {
        _cleanup_free_ char *x = NULL;
        char bid[SD_ID128_STRING_MAX];
        sd_id128_t boot_id;
        int r;

        assert(id);
        assert(prefix);
        assert(path);

        /* We include the boot id in the directory so that after a
         * reboot we can easily identify obsolete directories. */

        r = sd_id128_get_boot(&boot_id);
        if (r < 0)
                return r;

        x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX", NULL);
        if (!x)
                return -ENOMEM;

        RUN_WITH_UMASK(0077)
                if (!mkdtemp(x))
                        return -errno;

        RUN_WITH_UMASK(0000) {
                char *y;

                y = strappenda(x, "/tmp");

                if (mkdir(y, 0777 | S_ISVTX) < 0)
                        return -errno;
        }

        *path = x;
        x = NULL;

        return 0;
}

int setup_tmp_dirs(const char *id, char **tmp_dir, char **var_tmp_dir) {
        char *a, *b;
        int r;

        assert(id);
        assert(tmp_dir);
        assert(var_tmp_dir);

        r = setup_one_tmp_dir(id, "/tmp", &a);
        if (r < 0)
                return r;

        r = setup_one_tmp_dir(id, "/var/tmp", &b);
        if (r < 0) {
                char *t;

                t = strappenda(a, "/tmp");
                rmdir(t);
                rmdir(a);

                free(a);
                return r;
        }

        *tmp_dir = a;
        *var_tmp_dir = b;

        return 0;
}

int setup_netns(int netns_storage_socket[2]) {
        _cleanup_close_ int netns = -1;
        union {
                struct cmsghdr cmsghdr;
                uint8_t buf[CMSG_SPACE(sizeof(int))];
        } control = {};
        struct msghdr mh = {
                .msg_control = &control,
                .msg_controllen = sizeof(control),
        };
        struct cmsghdr *cmsg;
        int r;

        assert(netns_storage_socket);
        assert(netns_storage_socket[0] >= 0);
        assert(netns_storage_socket[1] >= 0);

        /* We use the passed socketpair as a storage buffer for our
         * namespace reference fd. Whatever process runs this first
         * shall create a new namespace, all others should just join
         * it. To serialize that we use a file lock on the socket
         * pair.
         *
         * It's a bit crazy, but hey, works great! */

        if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
                return -errno;

        if (recvmsg(netns_storage_socket[0], &mh, MSG_DONTWAIT|MSG_CMSG_CLOEXEC) < 0) {
                if (errno != EAGAIN) {
                        r = -errno;
                        goto fail;
                }

                /* Nothing stored yet, so let's create a new namespace */

                if (unshare(CLONE_NEWNET) < 0) {
                        r = -errno;
                        goto fail;
                }

                loopback_setup();

                netns = open("/proc/self/ns/net", O_RDONLY|O_CLOEXEC|O_NOCTTY);
                if (netns < 0) {
                        r = -errno;
                        goto fail;
                }

                r = 1;
        } else {
                /* Yay, found something, so let's join the namespace */

                for (cmsg = CMSG_FIRSTHDR(&mh); cmsg; cmsg = CMSG_NXTHDR(&mh, cmsg)) {
                        if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
                                assert(cmsg->cmsg_len == CMSG_LEN(sizeof(int)));
                                netns = *(int*) CMSG_DATA(cmsg);
                        }
                }

                if (setns(netns, CLONE_NEWNET) < 0) {
                        r = -errno;
                        goto fail;
                }

                r = 0;
        }

        cmsg = CMSG_FIRSTHDR(&mh);
        cmsg->cmsg_level = SOL_SOCKET;
        cmsg->cmsg_type = SCM_RIGHTS;
        cmsg->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cmsg), &netns, sizeof(int));
        mh.msg_controllen = cmsg->cmsg_len;

        if (sendmsg(netns_storage_socket[1], &mh, MSG_DONTWAIT|MSG_NOSIGNAL) < 0) {
                r = -errno;
                goto fail;
        }

fail:
        lockf(netns_storage_socket[0], F_ULOCK, 0);

        return r;
}

static const char *const protected_home_table[_PROTECTED_HOME_MAX] = {
        [PROTECTED_HOME_NO] = "no",
        [PROTECTED_HOME_YES] = "yes",
        [PROTECTED_HOME_READ_ONLY] = "read-only",
};

DEFINE_STRING_TABLE_LOOKUP(protected_home, ProtectedHome);
Commit	Line	Data
d6c9574f	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
15ae422b LP	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
15ae422b LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
15ae422b	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
15ae422b LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <errno.h>
	23	#include <sys/mount.h>
	24	#include <string.h>
	25	#include <stdio.h>
	26	#include <unistd.h>
	27	#include <sys/stat.h>
	28	#include <sys/types.h>
	29	#include <sched.h>
	30	#include <sys/syscall.h>
	31	#include <limits.h>
25e870b5	32	#include <linux/fs.h>
613b411c	33	#include <sys/file.h>
15ae422b LP	34
	35	#include "strv.h"
	36	#include "util.h"
9eb977db	37	#include "path-util.h"
15ae422b LP	38	#include "namespace.h"
15ae422b LP	39	#include "missing.h"
c17ec25e	40	#include "execute.h"
613b411c	41	#include "loopback-setup.h"
7f112f50 LP	42	#include "mkdir.h"
	43	#include "dev-setup.h"
	44	#include "def.h"
15ae422b	45
c17ec25e	46	typedef enum MountMode {
15ae422b LP	47	/* This is ordered by priority! */
	48	INACCESSIBLE,
	49	READONLY,
ac0930c8 LP	50	PRIVATE_TMP,
ac0930c8 LP	51	PRIVATE_VAR_TMP,
7f112f50	52	PRIVATE_DEV,
15ae422b	53	READWRITE
c17ec25e	54	} MountMode;
15ae422b	55
c17ec25e	56	typedef struct BindMount {
15ae422b	57	const char *path;
c17ec25e	58	MountMode mode;
ac0930c8	59	bool done;
ea92ae33	60	bool ignore;
c17ec25e	61	} BindMount;
15ae422b	62
c17ec25e	63	static int append_mounts(BindMount p, char strv, MountMode mode) {
15ae422b LP	64	char **i;
15ae422b LP	65
613b411c LP	66	assert(p);
613b411c LP	67
15ae422b LP	68	STRV_FOREACH(i, strv) {
15ae422b LP	69
ea92ae33 MW	70	(*p)->ignore = false;
ea92ae33 MW	71
94828d2d	72	if ((mode == INACCESSIBLE \|\| mode == READONLY \|\| mode == READWRITE) && (*i)[0] == '-') {
ea92ae33 MW	73	(*p)->ignore = true;
	74	(*i)++;
	75	}
	76
15ae422b LP	77	if (!path_is_absolute(*i))
	78	return -EINVAL;
	79
	80	(p)->path = i;
	81	(*p)->mode = mode;
	82	(*p)++;
	83	}
	84
	85	return 0;
	86	}
	87
c17ec25e MS	88	static int mount_path_compare(const void a, const void b) {
c17ec25e MS	89	const BindMount p = a, q = b;
15ae422b LP	90
	91	if (path_equal(p->path, q->path)) {
	92
	93	/* If the paths are equal, check the mode */
	94	if (p->mode < q->mode)
	95	return -1;
	96
	97	if (p->mode > q->mode)
	98	return 1;
	99
	100	return 0;
	101	}
	102
	103	/* If the paths are not equal, then order prefixes first */
	104	if (path_startswith(p->path, q->path))
	105	return 1;
	106
	107	if (path_startswith(q->path, p->path))
	108	return -1;
	109
	110	return 0;
	111	}
	112
c17ec25e MS	113	static void drop_duplicates(BindMount m, unsigned n) {
c17ec25e MS	114	BindMount f, t, *previous;
15ae422b	115
c17ec25e	116	assert(m);
15ae422b	117	assert(n);
15ae422b	118
c17ec25e	119	for (f = m, t = m, previous = NULL; f < m+*n; f++) {
15ae422b	120
ac0930c8	121	/* The first one wins */
15ae422b LP	122	if (previous && path_equal(f->path, previous->path))
	123	continue;
	124
	125	t->path = f->path;
	126	t->mode = f->mode;
	127
15ae422b LP	128	previous = t;
	129
	130	t++;
	131	}
	132
c17ec25e	133	*n = t - m;
15ae422b LP	134	}
15ae422b LP	135
7f112f50 LP	136	static int mount_dev(BindMount *m) {
	137	static const char devnodes[] =
	138	"/dev/null\0"
	139	"/dev/zero\0"
	140	"/dev/full\0"
	141	"/dev/random\0"
	142	"/dev/urandom\0"
	143	"/dev/tty\0";
	144
2b85f4e1	145	char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
82d25240	146	const char d, dev = NULL, devpts = NULL, devshm = NULL, devkdbus = NULL, devhugepages = NULL, devmqueue = NULL, devlog = NULL;
7f112f50 LP	147	_cleanup_umask_ mode_t u;
	148	int r;
	149
	150	assert(m);
	151
	152	u = umask(0000);
	153
2b85f4e1 LP	154	if (!mkdtemp(temporary_mount))
	155	return -errno;
	156
	157	dev = strappenda(temporary_mount, "/dev");
	158	mkdir(dev, 0755);
	159	if (mount("tmpfs", dev, "tmpfs", MS_NOSUID\|MS_STRICTATIME, "mode=755") < 0) {
	160	r = -errno;
	161	goto fail;
	162	}
	163
	164	devpts = strappenda(temporary_mount, "/dev/pts");
	165	mkdir(devpts, 0755);
	166	if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
	167	r = -errno;
	168	goto fail;
	169	}
	170
	171	devshm = strappenda(temporary_mount, "/dev/shm");
	172	mkdir(devshm, 01777);
	173	r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
	174	if (r < 0) {
	175	r = -errno;
	176	goto fail;
	177	}
	178
	179	devmqueue = strappenda(temporary_mount, "/dev/mqueue");
	180	mkdir(devmqueue, 0755);
	181	mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);
	182
	183	devkdbus = strappenda(temporary_mount, "/dev/kdbus");
	184	mkdir(devkdbus, 0755);
	185	mount("/dev/kdbus", devkdbus, NULL, MS_BIND, NULL);
	186
	187	devhugepages = strappenda(temporary_mount, "/dev/hugepages");
	188	mkdir(devhugepages, 0755);
	189	mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);
	190
82d25240 LP	191	devlog = strappenda(temporary_mount, "/dev/log");
	192	symlink("/run/systemd/journal/dev-log", devlog);
	193
7f112f50	194	NULSTR_FOREACH(d, devnodes) {
2b85f4e1 LP	195	_cleanup_free_ char *dn = NULL;
	196	struct stat st;
	197
	198	r = stat(d, &st);
7f112f50	199	if (r < 0) {
2b85f4e1 LP	200
	201	if (errno == ENOENT)
	202	continue;
	203
	204	r = -errno;
	205	goto fail;
7f112f50 LP	206	}
7f112f50 LP	207
2b85f4e1 LP	208	if (!S_ISBLK(st.st_mode) &&
	209	!S_ISCHR(st.st_mode)) {
	210	r = -EINVAL;
	211	goto fail;
	212	}
	213
	214	if (st.st_rdev == 0)
	215	continue;
	216
	217	dn = strappend(temporary_mount, d);
	218	if (!dn) {
	219	r = -ENOMEM;
	220	goto fail;
	221	}
	222
	223	r = mknod(dn, st.st_mode, st.st_rdev);
	224	if (r < 0) {
	225	r = -errno;
	226	goto fail;
	227	}
7f112f50 LP	228	}
7f112f50 LP	229
2b85f4e1	230	dev_setup(temporary_mount);
7f112f50	231
2b85f4e1 LP	232	if (mount(dev, "/dev/", NULL, MS_MOVE, NULL) < 0) {
	233	r = -errno;
	234	goto fail;
	235	}
7f112f50	236
2b85f4e1 LP	237	rmdir(dev);
2b85f4e1 LP	238	rmdir(temporary_mount);
7f112f50	239
2b85f4e1	240	return 0;
7f112f50	241
2b85f4e1 LP	242	fail:
	243	if (devpts)
	244	umount(devpts);
7f112f50	245
2b85f4e1 LP	246	if (devshm)
2b85f4e1 LP	247	umount(devshm);
7f112f50	248
2b85f4e1 LP	249	if (devkdbus)
2b85f4e1 LP	250	umount(devkdbus);
7f112f50	251
2b85f4e1 LP	252	if (devhugepages)
2b85f4e1 LP	253	umount(devhugepages);
7f112f50	254
2b85f4e1 LP	255	if (devmqueue)
2b85f4e1 LP	256	umount(devmqueue);
7f112f50	257
2b85f4e1 LP	258	if (dev) {
	259	umount(dev);
	260	rmdir(dev);
7f112f50 LP	261	}
7f112f50 LP	262
2b85f4e1	263	rmdir(temporary_mount);
7f112f50	264
2b85f4e1	265	return r;
7f112f50 LP	266	}
7f112f50 LP	267
ac0930c8	268	static int apply_mount(
c17ec25e	269	BindMount *m,
ac0930c8	270	const char *tmp_dir,
c17ec25e	271	const char *var_tmp_dir) {
ac0930c8	272
15ae422b	273	const char *what;
15ae422b	274	int r;
15ae422b	275
c17ec25e	276	assert(m);
15ae422b	277
c17ec25e	278	switch (m->mode) {
15ae422b	279
7f112f50 LP	280	case PRIVATE_DEV:
	281	return mount_dev(m);
	282
15ae422b	283	case INACCESSIBLE:
c17ec25e	284	what = "/run/systemd/inaccessible";
15ae422b LP	285	break;
	286
	287	case READONLY:
15ae422b	288	case READWRITE:
c17ec25e	289	what = m->path;
15ae422b LP	290	break;
15ae422b LP	291
ac0930c8 LP	292	case PRIVATE_TMP:
	293	what = tmp_dir;
	294	break;
	295
	296	case PRIVATE_VAR_TMP:
	297	what = var_tmp_dir;
15ae422b	298	break;
e364ad06 LP	299
	300	default:
	301	assert_not_reached("Unknown mode");
15ae422b LP	302	}
15ae422b LP	303
ac0930c8	304	assert(what);
15ae422b	305
c17ec25e	306	r = mount(what, m->path, NULL, MS_BIND\|MS_REC, NULL);
ac0930c8	307	if (r >= 0)
c17ec25e	308	log_debug("Successfully mounted %s to %s", what, m->path);
ea92ae33 MW	309	else if (m->ignore && errno == ENOENT)
ea92ae33 MW	310	r = 0;
15ae422b	311
ac0930c8 LP	312	return r;
ac0930c8 LP	313	}
15ae422b	314
c17ec25e	315	static int make_read_only(BindMount *m) {
ac0930c8	316	int r;
15ae422b	317
c17ec25e	318	assert(m);
ac0930c8	319
c17ec25e	320	if (m->mode != INACCESSIBLE && m->mode != READONLY)
ac0930c8 LP	321	return 0;
ac0930c8 LP	322
c17ec25e	323	r = mount(NULL, m->path, NULL, MS_BIND\|MS_REMOUNT\|MS_RDONLY\|MS_REC, NULL);
ea92ae33	324	if (r < 0 && !(m->ignore && errno == ENOENT))
ac0930c8 LP	325	return -errno;
	326
	327	return 0;
15ae422b LP	328	}
15ae422b LP	329
613b411c LP	330	int setup_namespace(
	331	char** read_write_dirs,
	332	char** read_only_dirs,
	333	char** inaccessible_dirs,
	334	char* tmp_dir,
	335	char* var_tmp_dir,
7f112f50	336	bool private_dev,
417116f2 LP	337	ProtectedHome protected_home,
417116f2 LP	338	bool read_only_system,
613b411c	339	unsigned mount_flags) {
15ae422b	340
7ff7394d	341	BindMount m, mounts = NULL;
613b411c	342	unsigned n;
c17ec25e	343	int r = 0;
15ae422b	344
613b411c	345	if (mount_flags == 0)
c17ec25e	346	mount_flags = MS_SHARED;
ac0930c8	347
d5a3f0ea ZJS	348	if (unshare(CLONE_NEWNS) < 0)
d5a3f0ea ZJS	349	return -errno;
15ae422b	350
613b411c LP	351	n = !!tmp_dir + !!var_tmp_dir +
	352	strv_length(read_write_dirs) +
	353	strv_length(read_only_dirs) +
7f112f50	354	strv_length(inaccessible_dirs) +
417116f2 LP	355	private_dev +
	356	(protected_home != PROTECTED_HOME_NO ? 2 : 0) +
	357	(read_only_system ? 2 : 0);
613b411c LP	358
613b411c LP	359	if (n > 0) {
7ff7394d	360	m = mounts = (BindMount ) alloca(n sizeof(BindMount));
613b411c LP	361	r = append_mounts(&m, read_write_dirs, READWRITE);
	362	if (r < 0)
	363	return r;
	364
	365	r = append_mounts(&m, read_only_dirs, READONLY);
	366	if (r < 0)
	367	return r;
	368
	369	r = append_mounts(&m, inaccessible_dirs, INACCESSIBLE);
	370	if (r < 0)
7ff7394d ZJS	371	return r;
7ff7394d ZJS	372
613b411c	373	if (tmp_dir) {
7ff7394d ZJS	374	m->path = "/tmp";
	375	m->mode = PRIVATE_TMP;
	376	m++;
613b411c	377	}
7ff7394d	378
613b411c	379	if (var_tmp_dir) {
7ff7394d ZJS	380	m->path = "/var/tmp";
	381	m->mode = PRIVATE_VAR_TMP;
	382	m++;
	383	}
ac0930c8	384
7f112f50 LP	385	if (private_dev) {
	386	m->path = "/dev";
	387	m->mode = PRIVATE_DEV;
	388	m++;
	389	}
	390
417116f2 LP	391	if (protected_home != PROTECTED_HOME_NO) {
	392	r = append_mounts(&m, STRV_MAKE("-/home", "-/run/user"), protected_home == PROTECTED_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
	393	if (r < 0)
	394	return r;
	395	}
	396
	397	if (read_only_system) {
	398	r = append_mounts(&m, STRV_MAKE("/usr", "-/boot"), READONLY);
	399	if (r < 0)
	400	return r;
	401	}
	402
7ff7394d	403	assert(mounts + n == m);
ac0930c8	404
7ff7394d ZJS	405	qsort(mounts, n, sizeof(BindMount), mount_path_compare);
7ff7394d ZJS	406	drop_duplicates(mounts, &n);
15ae422b LP	407	}
15ae422b LP	408
c2c13f2d LP	409	if (n > 0) {
	410	/* Remount / as SLAVE so that nothing now mounted in the namespace
	411	shows up in the parent */
	412	if (mount(NULL, "/", NULL, MS_SLAVE\|MS_REC, NULL) < 0)
	413	return -errno;
	414
	415	for (m = mounts; m < mounts + n; ++m) {
	416	r = apply_mount(m, tmp_dir, var_tmp_dir);
	417	if (r < 0)
	418	goto fail;
	419	}
15ae422b	420
c2c13f2d LP	421	for (m = mounts; m < mounts + n; ++m) {
	422	r = make_read_only(m);
	423	if (r < 0)
	424	goto fail;
	425	}
15ae422b LP	426	}
15ae422b LP	427
c2c13f2d LP	428	/* Remount / as the desired mode. Not that this will not
	429	* reestablish propagation from our side to the host, since
	430	* what's disconnected is disconnected. */
c17ec25e	431	if (mount(NULL, "/", NULL, mount_flags \| MS_REC, NULL) < 0) {
15ae422b	432	r = -errno;
613b411c	433	goto fail;
15ae422b LP	434	}
15ae422b LP	435
15ae422b LP	436	return 0;
15ae422b LP	437
613b411c	438	fail:
c2c13f2d LP	439	if (n > 0) {
	440	for (m = mounts; m < mounts + n; ++m)
	441	if (m->done)
	442	umount2(m->path, MNT_DETACH);
	443	}
613b411c LP	444
	445	return r;
	446	}
	447
	448	static int setup_one_tmp_dir(const char id, const char prefix, char **path) {
	449	_cleanup_free_ char *x = NULL;
6b46ea73 LP	450	char bid[SD_ID128_STRING_MAX];
	451	sd_id128_t boot_id;
	452	int r;
613b411c LP	453
	454	assert(id);
	455	assert(prefix);
	456	assert(path);
	457
6b46ea73 LP	458	/* We include the boot id in the directory so that after a
	459	* reboot we can easily identify obsolete directories. */
	460
	461	r = sd_id128_get_boot(&boot_id);
	462	if (r < 0)
	463	return r;
	464
	465	x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX", NULL);
613b411c LP	466	if (!x)
	467	return -ENOMEM;
	468
	469	RUN_WITH_UMASK(0077)
	470	if (!mkdtemp(x))
	471	return -errno;
	472
	473	RUN_WITH_UMASK(0000) {
	474	char *y;
	475
	476	y = strappenda(x, "/tmp");
	477
	478	if (mkdir(y, 0777 \| S_ISVTX) < 0)
	479	return -errno;
c17ec25e	480	}
15ae422b	481
613b411c LP	482	*path = x;
	483	x = NULL;
	484
	485	return 0;
	486	}
	487
	488	int setup_tmp_dirs(const char id, char tmp_dir, char *var_tmp_dir) {
	489	char a, b;
	490	int r;
	491
	492	assert(id);
	493	assert(tmp_dir);
	494	assert(var_tmp_dir);
	495
	496	r = setup_one_tmp_dir(id, "/tmp", &a);
	497	if (r < 0)
	498	return r;
	499
	500	r = setup_one_tmp_dir(id, "/var/tmp", &b);
	501	if (r < 0) {
	502	char *t;
	503
	504	t = strappenda(a, "/tmp");
	505	rmdir(t);
	506	rmdir(a);
	507
	508	free(a);
	509	return r;
	510	}
	511
	512	*tmp_dir = a;
	513	*var_tmp_dir = b;
	514
	515	return 0;
	516	}
	517
	518	int setup_netns(int netns_storage_socket[2]) {
	519	_cleanup_close_ int netns = -1;
	520	union {
	521	struct cmsghdr cmsghdr;
	522	uint8_t buf[CMSG_SPACE(sizeof(int))];
	523	} control = {};
	524	struct msghdr mh = {
	525	.msg_control = &control,
	526	.msg_controllen = sizeof(control),
	527	};
	528	struct cmsghdr *cmsg;
	529	int r;
	530
	531	assert(netns_storage_socket);
	532	assert(netns_storage_socket[0] >= 0);
	533	assert(netns_storage_socket[1] >= 0);
	534
	535	/* We use the passed socketpair as a storage buffer for our
76cd584b LP	536	* namespace reference fd. Whatever process runs this first
	537	* shall create a new namespace, all others should just join
	538	* it. To serialize that we use a file lock on the socket
	539	* pair.
613b411c LP	540	*
	541	* It's a bit crazy, but hey, works great! */
	542
	543	if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
	544	return -errno;
	545
	546	if (recvmsg(netns_storage_socket[0], &mh, MSG_DONTWAIT\|MSG_CMSG_CLOEXEC) < 0) {
	547	if (errno != EAGAIN) {
	548	r = -errno;
	549	goto fail;
	550	}
	551
	552	/* Nothing stored yet, so let's create a new namespace */
	553
	554	if (unshare(CLONE_NEWNET) < 0) {
	555	r = -errno;
	556	goto fail;
	557	}
	558
	559	loopback_setup();
	560
	561	netns = open("/proc/self/ns/net", O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
	562	if (netns < 0) {
	563	r = -errno;
	564	goto fail;
	565	}
	566
	567	r = 1;
	568	} else {
	569	/* Yay, found something, so let's join the namespace */
	570
	571	for (cmsg = CMSG_FIRSTHDR(&mh); cmsg; cmsg = CMSG_NXTHDR(&mh, cmsg)) {
	572	if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
	573	assert(cmsg->cmsg_len == CMSG_LEN(sizeof(int)));
	574	netns = (int) CMSG_DATA(cmsg);
	575	}
	576	}
	577
	578	if (setns(netns, CLONE_NEWNET) < 0) {
	579	r = -errno;
	580	goto fail;
	581	}
	582
	583	r = 0;
	584	}
	585
	586	cmsg = CMSG_FIRSTHDR(&mh);
	587	cmsg->cmsg_level = SOL_SOCKET;
	588	cmsg->cmsg_type = SCM_RIGHTS;
	589	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	590	memcpy(CMSG_DATA(cmsg), &netns, sizeof(int));
	591	mh.msg_controllen = cmsg->cmsg_len;
	592
	593	if (sendmsg(netns_storage_socket[1], &mh, MSG_DONTWAIT\|MSG_NOSIGNAL) < 0) {
	594	r = -errno;
	595	goto fail;
	596	}
	597
	598	fail:
	599	lockf(netns_storage_socket[0], F_ULOCK, 0);
	600
15ae422b LP	601	return r;
15ae422b LP	602	}
417116f2 LP	603
	604	static const char *const protected_home_table[_PROTECTED_HOME_MAX] = {
	605	[PROTECTED_HOME_NO] = "no",
	606	[PROTECTED_HOME_YES] = "yes",
	607	[PROTECTED_HOME_READ_ONLY] = "read-only",
	608	};
	609
	610	DEFINE_STRING_TABLE_LOOKUP(protected_home, ProtectedHome);