]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
de40a303 | 2 | |
de40a303 | 3 | #include <linux/oom.h> |
de40a303 | 4 | |
309a747f LP |
5 | #include "sd-json.h" |
6 | ||
de40a303 LP |
7 | #include "bus-util.h" |
8 | #include "cap-list.h" | |
9 | #include "cpu-set-util.h" | |
ca822829 | 10 | #include "device-util.h" |
7176f06c | 11 | #include "devnum-util.h" |
de40a303 | 12 | #include "env-util.h" |
ca78ad1d | 13 | #include "format-util.h" |
de40a303 LP |
14 | #include "fs-util.h" |
15 | #include "hostname-util.h" | |
309a747f | 16 | #include "json-util.h" |
de40a303 LP |
17 | #include "missing_sched.h" |
18 | #include "nspawn-oci.h" | |
19 | #include "path-util.h" | |
20 | #include "rlimit-util.h" | |
21 | #include "seccomp-util.h" | |
de40a303 LP |
22 | #include "stdio-util.h" |
23 | #include "string-util.h" | |
24 | #include "strv.h" | |
25 | #include "user-util.h" | |
26 | ||
27 | /* TODO: | |
28 | * OCI runtime tool implementation | |
29 | * hooks | |
30 | * | |
31 | * Spec issues: | |
32 | * | |
33 | * How is RLIM_INFINITY supposed to be encoded? | |
34 | * configured effective caps is bullshit, as execv() corrupts it anyway | |
35 | * pipes bind mounted is *very* different from pipes newly created, comments regarding bind mount or not are bogus | |
36 | * annotation values structured? or string? | |
37 | * configurable file system namespace path, but then also root path? wtf? | |
38 | * apply sysctl inside of the container? or outside? | |
39 | * how is unlimited pids tasks limit to be encoded? | |
40 | * what are the defaults for caps if not specified? | |
41 | * what are the default uid/gid mappings if one is missing but the other set, or when user ns is on but no namespace configured | |
42 | * the source field of "mounts" is really weird, as it cannot realistically be relative to the bundle, since we never know if that's what the fs wants | |
43 | * spec contradicts itself on the mount "type" field, as the example uses "bind" as type, but it's not listed in /proc/filesystem, and is something made up by /bin/mount | |
44 | * if type of mount is left out, what shall be assumed? "bind"? | |
45 | * readonly mounts is entirely redundant? | |
46 | * should escaping be applied when joining mount options with ","? | |
47 | * devices cgroup support is bogus, "allow" and "deny" on the kernel level is about adding/removing entries, not about access | |
48 | * spec needs to say that "rwm" devices cgroup combination can't be the empty string | |
ba669952 | 49 | * cgrouspv1 crap: kernel, kernelTCP, swappiness, disableOOMKiller, swap, devices, leafWeight |
de40a303 LP |
50 | * general: it shouldn't leak lower level abstractions this obviously |
51 | * unmanagable cgroups stuff: realtimeRuntime/realtimePeriod | |
86b52a39 | 52 | * needs to say what happense when some option is not specified, i.e. which defaults apply |
de40a303 LP |
53 | * no architecture? no personality? |
54 | * seccomp example and logic is simply broken: there's no constant "SCMP_ACT_ERRNO". | |
55 | * spec should say what to do with unknown props | |
56 | * /bin/mount regarding NFS and FUSE required? | |
57 | * what does terminal=false mean? | |
6b000af4 | 58 | * sysctl inside or outside? allow-listing? |
5238e957 | 59 | * swapiness typo -> swappiness |
de40a303 LP |
60 | * |
61 | * Unsupported: | |
62 | * | |
63 | * apparmorProfile | |
64 | * selinuxLabel + mountLabel | |
65 | * hugepageLimits | |
66 | * network | |
67 | * rdma | |
68 | * intelRdt | |
69 | * swappiness, disableOOMKiller, kernel, kernelTCP, leafWeight (because it's dead, cgroupsv2 can't do it and hence systemd neither) | |
70 | * | |
71 | * Non-slice cgroup paths | |
72 | * Propagation that is not slave + shared | |
73 | * more than one uid/gid mapping, mappings with a container base != 0, or non-matching uid/gid mappings | |
74 | * device cgroups access = false items that are not catchall | |
75 | * device cgroups matches where minor is specified, but major isn't. similar where major is specified but char/block is not. also, any match that only has a type set that has less than "rwm" set. also, any entry that has none of rwm set. | |
76 | * | |
77 | */ | |
78 | ||
309a747f | 79 | static int oci_unexpected(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
19130626 | 80 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), |
309a747f | 81 | "Unexpected OCI element '%s' of type '%s'.", name, sd_json_variant_type_to_string(sd_json_variant_type(v))); |
de40a303 LP |
82 | } |
83 | ||
309a747f LP |
84 | static int oci_dispatch(sd_json_variant *v, const sd_json_dispatch_field table[], sd_json_dispatch_flags_t flags, void *userdata) { |
85 | return sd_json_dispatch_full(v, table, oci_unexpected, flags, userdata, /* reterr_bad_field= */ NULL); | |
f1b622a0 LP |
86 | } |
87 | ||
309a747f | 88 | static int oci_unsupported(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
19130626 | 89 | return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), |
309a747f | 90 | "Unsupported OCI element '%s' of type '%s'.", name, sd_json_variant_type_to_string(sd_json_variant_type(v))); |
de40a303 LP |
91 | } |
92 | ||
309a747f | 93 | static int oci_terminal(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 | 94 | Settings *s = ASSERT_PTR(userdata); |
de40a303 LP |
95 | |
96 | /* If not specified, or set to true, we'll default to either an interactive or a read-only | |
6757a013 | 97 | * console. If specified as false, we'll forcibly move to "pipe" mode though. */ |
309a747f | 98 | s->console_mode = sd_json_variant_boolean(v) ? _CONSOLE_MODE_INVALID : CONSOLE_PIPE; |
de40a303 LP |
99 | return 0; |
100 | } | |
101 | ||
309a747f | 102 | static int oci_console_dimension(const char *name, sd_json_variant *variant, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 103 | unsigned *u = ASSERT_PTR(userdata); |
718ca772 | 104 | uint64_t k; |
de40a303 | 105 | |
309a747f | 106 | k = sd_json_variant_unsigned(variant); |
19130626 ZJS |
107 | if (k == 0) |
108 | return json_log(variant, flags, SYNTHETIC_ERRNO(ERANGE), | |
109 | "Console size field '%s' is too small.", strna(name)); | |
110 | if (k > USHRT_MAX) /* TIOCSWINSZ's struct winsize uses "unsigned short" for width and height */ | |
111 | return json_log(variant, flags, SYNTHETIC_ERRNO(ERANGE), | |
112 | "Console size field '%s' is too large.", strna(name)); | |
de40a303 LP |
113 | |
114 | *u = (unsigned) k; | |
115 | return 0; | |
116 | } | |
117 | ||
309a747f | 118 | static int oci_console_size(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 | 119 | Settings *s = ASSERT_PTR(userdata); |
de40a303 | 120 | |
309a747f LP |
121 | static const sd_json_dispatch_field table[] = { |
122 | { "height", SD_JSON_VARIANT_UNSIGNED, oci_console_dimension, offsetof(Settings, console_height), SD_JSON_MANDATORY }, | |
123 | { "width", SD_JSON_VARIANT_UNSIGNED, oci_console_dimension, offsetof(Settings, console_width), SD_JSON_MANDATORY }, | |
de40a303 LP |
124 | {} |
125 | }; | |
126 | ||
f1b622a0 | 127 | return oci_dispatch(v, table, flags, s); |
de40a303 LP |
128 | } |
129 | ||
309a747f | 130 | static int oci_env(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 131 | char ***l = ASSERT_PTR(userdata); |
309a747f | 132 | sd_json_variant *e; |
de40a303 LP |
133 | int r; |
134 | ||
de40a303 LP |
135 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
136 | const char *n; | |
137 | ||
309a747f | 138 | if (!sd_json_variant_is_string(e)) |
19130626 ZJS |
139 | return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL), |
140 | "Environment array contains non-string."); | |
de40a303 | 141 | |
309a747f | 142 | assert_se(n = sd_json_variant_string(e)); |
de40a303 | 143 | |
19130626 ZJS |
144 | if (!env_assignment_is_valid(n)) |
145 | return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL), | |
146 | "Environment assignment not valid: %s", n); | |
de40a303 LP |
147 | |
148 | r = strv_extend(l, n); | |
149 | if (r < 0) | |
150 | return log_oom(); | |
151 | } | |
152 | ||
153 | return 0; | |
154 | } | |
155 | ||
309a747f | 156 | static int oci_args(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 | 157 | _cleanup_strv_free_ char **l = NULL; |
99534007 | 158 | char ***value = ASSERT_PTR(userdata); |
de40a303 LP |
159 | int r; |
160 | ||
309a747f | 161 | r = sd_json_variant_strv(v, &l); |
a7f8c9ce LP |
162 | if (r < 0) |
163 | return json_log(v, flags, r, "Cannot parse arguments as list of strings: %m"); | |
de40a303 | 164 | |
19130626 ZJS |
165 | if (strv_isempty(l)) |
166 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
167 | "Argument list empty, refusing."); | |
de40a303 | 168 | |
19130626 ZJS |
169 | if (isempty(l[0])) |
170 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
171 | "Executable name is empty, refusing."); | |
de40a303 | 172 | |
6757a013 | 173 | return strv_free_and_replace(*value, l); |
de40a303 LP |
174 | } |
175 | ||
309a747f | 176 | static int oci_rlimit_type(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 | 177 | const char *z; |
79742424 FS |
178 | int *type = ASSERT_PTR(userdata); |
179 | int t; | |
de40a303 | 180 | |
309a747f | 181 | z = startswith(sd_json_variant_string(v), "RLIMIT_"); |
19130626 ZJS |
182 | if (!z) |
183 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
184 | "rlimit entry's name does not begin with 'RLIMIT_', refusing: %s", | |
309a747f | 185 | sd_json_variant_string(v)); |
de40a303 LP |
186 | |
187 | t = rlimit_from_string(z); | |
19130626 | 188 | if (t < 0) |
7211c853 | 189 | return json_log(v, flags, t, |
309a747f | 190 | "rlimit name unknown: %s", sd_json_variant_string(v)); |
de40a303 LP |
191 | |
192 | *type = t; | |
193 | return 0; | |
194 | } | |
195 | ||
309a747f | 196 | static int oci_rlimit_value(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 FS |
197 | rlim_t *value = ASSERT_PTR(userdata); |
198 | rlim_t z; | |
de40a303 | 199 | |
309a747f | 200 | if (sd_json_variant_is_negative(v)) |
de40a303 LP |
201 | z = RLIM_INFINITY; |
202 | else { | |
309a747f | 203 | if (!sd_json_variant_is_unsigned(v)) |
19130626 ZJS |
204 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), |
205 | "rlimits limit not unsigned, refusing."); | |
de40a303 | 206 | |
309a747f | 207 | z = (rlim_t) sd_json_variant_unsigned(v); |
de40a303 | 208 | |
309a747f | 209 | if ((uint64_t) z != sd_json_variant_unsigned(v)) |
19130626 ZJS |
210 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), |
211 | "rlimits limit out of range, refusing."); | |
de40a303 LP |
212 | } |
213 | ||
214 | *value = z; | |
215 | return 0; | |
216 | } | |
217 | ||
309a747f | 218 | static int oci_rlimits(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 219 | Settings *s = ASSERT_PTR(userdata); |
309a747f | 220 | sd_json_variant *e; |
de40a303 LP |
221 | int r; |
222 | ||
de40a303 LP |
223 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
224 | ||
225 | struct rlimit_data { | |
226 | int type; | |
227 | rlim_t soft; | |
228 | rlim_t hard; | |
229 | } data = { | |
230 | .type = -1, | |
231 | .soft = RLIM_INFINITY, | |
232 | .hard = RLIM_INFINITY, | |
233 | }; | |
234 | ||
309a747f LP |
235 | static const sd_json_dispatch_field table[] = { |
236 | { "soft", SD_JSON_VARIANT_NUMBER, oci_rlimit_value, offsetof(struct rlimit_data, soft), SD_JSON_MANDATORY }, | |
237 | { "hard", SD_JSON_VARIANT_NUMBER, oci_rlimit_value, offsetof(struct rlimit_data, hard), SD_JSON_MANDATORY }, | |
238 | { "type", SD_JSON_VARIANT_STRING, oci_rlimit_type, offsetof(struct rlimit_data, type), SD_JSON_MANDATORY }, | |
de40a303 LP |
239 | {} |
240 | }; | |
241 | ||
f1b622a0 | 242 | r = oci_dispatch(e, table, flags, &data); |
de40a303 LP |
243 | if (r < 0) |
244 | return r; | |
245 | ||
246 | assert(data.type >= 0); | |
247 | assert(data.type < _RLIMIT_MAX); | |
248 | ||
19130626 ZJS |
249 | if (s->rlimit[data.type]) |
250 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
251 | "rlimits array contains duplicate entry, refusing."); | |
de40a303 LP |
252 | |
253 | s->rlimit[data.type] = new(struct rlimit, 1); | |
254 | if (!s->rlimit[data.type]) | |
255 | return log_oom(); | |
256 | ||
257 | *s->rlimit[data.type] = (struct rlimit) { | |
258 | .rlim_cur = data.soft, | |
259 | .rlim_max = data.hard, | |
260 | }; | |
261 | ||
262 | } | |
263 | return 0; | |
264 | } | |
265 | ||
309a747f | 266 | static int oci_capability_array(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 FS |
267 | uint64_t *mask = ASSERT_PTR(userdata); |
268 | uint64_t m = 0; | |
309a747f | 269 | sd_json_variant *e; |
de40a303 LP |
270 | |
271 | JSON_VARIANT_ARRAY_FOREACH(e, v) { | |
272 | const char *n; | |
273 | int cap; | |
274 | ||
309a747f | 275 | if (!sd_json_variant_is_string(e)) |
19130626 ZJS |
276 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), |
277 | "Entry in capabilities array is not a string."); | |
de40a303 | 278 | |
309a747f | 279 | assert_se(n = sd_json_variant_string(e)); |
de40a303 LP |
280 | |
281 | cap = capability_from_name(n); | |
19130626 ZJS |
282 | if (cap < 0) |
283 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
284 | "Unknown capability: %s", n); | |
de40a303 LP |
285 | |
286 | m |= UINT64_C(1) << cap; | |
287 | } | |
288 | ||
f5fbe71d | 289 | if (*mask == UINT64_MAX) |
de40a303 LP |
290 | *mask = m; |
291 | else | |
292 | *mask |= m; | |
293 | ||
294 | return 0; | |
295 | } | |
296 | ||
309a747f | 297 | static int oci_capabilities(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 | 298 | |
309a747f LP |
299 | static const sd_json_dispatch_field table[] = { |
300 | { "effective", SD_JSON_VARIANT_ARRAY, oci_capability_array, offsetof(CapabilityQuintet, effective) }, | |
301 | { "bounding", SD_JSON_VARIANT_ARRAY, oci_capability_array, offsetof(CapabilityQuintet, bounding) }, | |
302 | { "inheritable", SD_JSON_VARIANT_ARRAY, oci_capability_array, offsetof(CapabilityQuintet, inheritable) }, | |
303 | { "permitted", SD_JSON_VARIANT_ARRAY, oci_capability_array, offsetof(CapabilityQuintet, permitted) }, | |
304 | { "ambient", SD_JSON_VARIANT_ARRAY, oci_capability_array, offsetof(CapabilityQuintet, ambient) }, | |
de40a303 LP |
305 | {} |
306 | }; | |
307 | ||
99534007 | 308 | Settings *s = ASSERT_PTR(userdata); |
de40a303 LP |
309 | int r; |
310 | ||
f1b622a0 | 311 | r = oci_dispatch(v, table, flags, &s->full_capabilities); |
de40a303 LP |
312 | if (r < 0) |
313 | return r; | |
314 | ||
f5fbe71d | 315 | if (s->full_capabilities.bounding != UINT64_MAX) { |
de40a303 LP |
316 | s->capability = s->full_capabilities.bounding; |
317 | s->drop_capability = ~s->full_capabilities.bounding; | |
318 | } | |
319 | ||
320 | return 0; | |
321 | } | |
322 | ||
309a747f | 323 | static int oci_oom_score_adj(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 324 | Settings *s = ASSERT_PTR(userdata); |
718ca772 | 325 | int64_t k; |
de40a303 | 326 | |
309a747f | 327 | k = sd_json_variant_integer(v); |
19130626 ZJS |
328 | if (k < OOM_SCORE_ADJ_MIN || k > OOM_SCORE_ADJ_MAX) |
329 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
c0f86d66 | 330 | "oomScoreAdj value out of range: %" PRIi64, k); |
de40a303 LP |
331 | |
332 | s->oom_score_adjust = (int) k; | |
333 | s->oom_score_adjust_set = true; | |
334 | ||
335 | return 0; | |
336 | } | |
337 | ||
309a747f | 338 | static int oci_supplementary_gids(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 339 | Settings *s = ASSERT_PTR(userdata); |
309a747f | 340 | sd_json_variant *e; |
de40a303 LP |
341 | int r; |
342 | ||
de40a303 LP |
343 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
344 | gid_t gid, *a; | |
345 | ||
309a747f | 346 | if (!sd_json_variant_is_unsigned(e)) |
19130626 ZJS |
347 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), |
348 | "Supplementary GID entry is not a UID."); | |
de40a303 | 349 | |
309a747f | 350 | r = sd_json_dispatch_uid_gid(name, e, flags, &gid); |
de40a303 LP |
351 | if (r < 0) |
352 | return r; | |
353 | ||
354 | a = reallocarray(s->supplementary_gids, s->n_supplementary_gids + 1, sizeof(gid_t)); | |
355 | if (!a) | |
356 | return log_oom(); | |
357 | ||
358 | s->supplementary_gids = a; | |
359 | s->supplementary_gids[s->n_supplementary_gids++] = gid; | |
360 | } | |
361 | ||
362 | return 0; | |
363 | } | |
364 | ||
309a747f | 365 | static int oci_user(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 | 366 | |
309a747f LP |
367 | static const sd_json_dispatch_field table[] = { |
368 | { "uid", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uid_gid, offsetof(Settings, uid), SD_JSON_MANDATORY }, | |
369 | { "gid", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uid_gid, offsetof(Settings, gid), SD_JSON_MANDATORY }, | |
370 | { "additionalGids", SD_JSON_VARIANT_ARRAY, oci_supplementary_gids, 0, 0 }, | |
de40a303 LP |
371 | {} |
372 | }; | |
373 | ||
f1b622a0 | 374 | return oci_dispatch(v, table, flags, userdata); |
de40a303 LP |
375 | } |
376 | ||
309a747f LP |
377 | static int oci_process(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
378 | ||
379 | static const sd_json_dispatch_field table[] = { | |
380 | { "terminal", SD_JSON_VARIANT_BOOLEAN, oci_terminal, 0, 0 }, | |
381 | { "consoleSize", SD_JSON_VARIANT_OBJECT, oci_console_size, 0, 0 }, | |
382 | { "cwd", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(Settings, working_directory), 0 }, | |
383 | { "env", SD_JSON_VARIANT_ARRAY, oci_env, offsetof(Settings, environment), 0 }, | |
384 | { "args", SD_JSON_VARIANT_ARRAY, oci_args, offsetof(Settings, parameters), 0 }, | |
385 | { "rlimits", SD_JSON_VARIANT_ARRAY, oci_rlimits, 0, 0 }, | |
386 | { "apparmorProfile", SD_JSON_VARIANT_STRING, oci_unsupported, 0, SD_JSON_PERMISSIVE }, | |
387 | { "capabilities", SD_JSON_VARIANT_OBJECT, oci_capabilities, 0, 0 }, | |
388 | { "noNewPrivileges", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate, offsetof(Settings, no_new_privileges), 0 }, | |
389 | { "oomScoreAdj", SD_JSON_VARIANT_INTEGER, oci_oom_score_adj, 0, 0 }, | |
390 | { "selinuxLabel", SD_JSON_VARIANT_STRING, oci_unsupported, 0, SD_JSON_PERMISSIVE }, | |
391 | { "user", SD_JSON_VARIANT_OBJECT, oci_user, 0, 0 }, | |
de40a303 LP |
392 | {} |
393 | }; | |
394 | ||
f1b622a0 | 395 | return oci_dispatch(v, table, flags, userdata); |
de40a303 LP |
396 | } |
397 | ||
309a747f | 398 | static int oci_root(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 | 399 | Settings *s = ASSERT_PTR(userdata); |
089cd8b3 | 400 | int r; |
de40a303 | 401 | |
309a747f LP |
402 | static const sd_json_dispatch_field table[] = { |
403 | { "path", SD_JSON_VARIANT_STRING, sd_json_dispatch_string, offsetof(Settings, root) }, | |
404 | { "readonly", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate, offsetof(Settings, read_only) }, | |
de40a303 LP |
405 | {} |
406 | }; | |
407 | ||
f1b622a0 | 408 | r = oci_dispatch(v, table, flags, s); |
089cd8b3 AP |
409 | if (r < 0) |
410 | return r; | |
411 | ||
412 | if (s->root && !path_is_absolute(s->root)) { | |
413 | char *joined; | |
414 | ||
415 | joined = path_join(s->bundle, s->root); | |
416 | if (!joined) | |
417 | return log_oom(); | |
418 | ||
419 | free_and_replace(s->root, joined); | |
420 | } | |
421 | ||
422 | return 0; | |
de40a303 LP |
423 | } |
424 | ||
309a747f | 425 | static int oci_hostname(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 426 | Settings *s = ASSERT_PTR(userdata); |
de40a303 LP |
427 | const char *n; |
428 | ||
309a747f | 429 | assert_se(n = sd_json_variant_string(v)); |
de40a303 | 430 | |
52ef5dd7 | 431 | if (!hostname_is_valid(n, 0)) |
19130626 ZJS |
432 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), |
433 | "Hostname string is not a valid hostname: %s", n); | |
de40a303 | 434 | |
f1531db5 | 435 | return free_and_strdup_warn(&s->hostname, n); |
de40a303 LP |
436 | } |
437 | ||
438 | static bool oci_exclude_mount(const char *path) { | |
439 | ||
440 | /* Returns "true" for all mounts we insist to mount on our own, and hence ignore the OCI data. */ | |
441 | ||
442 | if (PATH_IN_SET(path, | |
443 | "/dev", | |
444 | "/dev/mqueue", | |
445 | "/dev/pts", | |
446 | "/dev/shm", | |
447 | "/proc", | |
448 | "/proc/acpi", | |
449 | "/proc/apm", | |
450 | "/proc/asound", | |
451 | "/proc/bus", | |
452 | "/proc/fs", | |
453 | "/proc/irq", | |
454 | "/proc/kallsyms", | |
455 | "/proc/kcore", | |
456 | "/proc/keys", | |
457 | "/proc/scsi", | |
458 | "/proc/sys", | |
459 | "/proc/sys/net", | |
460 | "/proc/sysrq-trigger", | |
461 | "/proc/timer_list", | |
462 | "/run", | |
463 | "/sys", | |
464 | "/sys", | |
465 | "/sys/fs/selinux", | |
466 | "/tmp")) | |
467 | return true; | |
468 | ||
469 | /* Similar, skip the whole /sys/fs/cgroups subtree */ | |
470 | if (path_startswith(path, "/sys/fs/cgroup")) | |
471 | return true; | |
472 | ||
473 | return false; | |
474 | } | |
475 | ||
b2e07b1a ZJS |
476 | typedef struct oci_mount_data { |
477 | char *destination; | |
478 | char *source; | |
479 | char *type; | |
480 | char **options; | |
481 | } oci_mount_data; | |
482 | ||
7244c6db | 483 | static void oci_mount_data_done(oci_mount_data *data) { |
f95c9f46 ZJS |
484 | assert(data); |
485 | ||
b2e07b1a ZJS |
486 | free(data->destination); |
487 | free(data->source); | |
b2e07b1a | 488 | free(data->type); |
7244c6db | 489 | strv_free(data->options); |
b2e07b1a ZJS |
490 | } |
491 | ||
309a747f | 492 | static int oci_mounts(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 493 | Settings *s = ASSERT_PTR(userdata); |
309a747f | 494 | sd_json_variant *e; |
de40a303 LP |
495 | int r; |
496 | ||
de40a303 | 497 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
309a747f LP |
498 | static const sd_json_dispatch_field table[] = { |
499 | { "destination", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(oci_mount_data, destination), SD_JSON_MANDATORY }, | |
500 | { "source", SD_JSON_VARIANT_STRING, sd_json_dispatch_string, offsetof(oci_mount_data, source), 0 }, | |
501 | { "options", SD_JSON_VARIANT_ARRAY, sd_json_dispatch_strv, offsetof(oci_mount_data, options), 0, }, | |
502 | { "type", SD_JSON_VARIANT_STRING, sd_json_dispatch_string, offsetof(oci_mount_data, type), 0 }, | |
de40a303 LP |
503 | {} |
504 | }; | |
505 | ||
506 | _cleanup_free_ char *joined_options = NULL; | |
f95c9f46 | 507 | _cleanup_(oci_mount_data_done) oci_mount_data data = {}; |
de40a303 LP |
508 | CustomMount *m; |
509 | ||
f1b622a0 | 510 | r = oci_dispatch(e, table, flags, &data); |
de40a303 | 511 | if (r < 0) |
b2e07b1a | 512 | return r; |
de40a303 | 513 | |
b2e07b1a ZJS |
514 | if (!path_is_absolute(data.destination)) |
515 | return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL), | |
516 | "Mount destination not an absolute path: %s", data.destination); | |
de40a303 LP |
517 | |
518 | if (oci_exclude_mount(data.destination)) | |
b2e07b1a | 519 | continue; |
de40a303 LP |
520 | |
521 | if (data.options) { | |
522 | joined_options = strv_join(data.options, ","); | |
b2e07b1a ZJS |
523 | if (!joined_options) |
524 | return log_oom(); | |
de40a303 LP |
525 | } |
526 | ||
527 | if (!data.type || streq(data.type, "bind")) { | |
b1f13b0e | 528 | if (data.source && !path_is_absolute(data.source)) { |
de40a303 LP |
529 | char *joined; |
530 | ||
531 | joined = path_join(s->bundle, data.source); | |
b2e07b1a ZJS |
532 | if (!joined) |
533 | return log_oom(); | |
de40a303 LP |
534 | |
535 | free_and_replace(data.source, joined); | |
536 | } | |
537 | ||
538 | data.type = mfree(data.type); | |
539 | ||
540 | m = custom_mount_add(&s->custom_mounts, &s->n_custom_mounts, CUSTOM_MOUNT_BIND); | |
541 | } else | |
542 | m = custom_mount_add(&s->custom_mounts, &s->n_custom_mounts, CUSTOM_MOUNT_ARBITRARY); | |
b2e07b1a ZJS |
543 | if (!m) |
544 | return log_oom(); | |
de40a303 LP |
545 | |
546 | m->destination = TAKE_PTR(data.destination); | |
547 | m->source = TAKE_PTR(data.source); | |
548 | m->options = TAKE_PTR(joined_options); | |
549 | m->type_argument = TAKE_PTR(data.type); | |
de40a303 LP |
550 | } |
551 | ||
552 | return 0; | |
553 | } | |
554 | ||
309a747f | 555 | static int oci_namespace_type(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 556 | unsigned long *nsflags = ASSERT_PTR(userdata); |
de40a303 LP |
557 | const char *n; |
558 | ||
309a747f | 559 | assert_se(n = sd_json_variant_string(v)); |
de40a303 LP |
560 | |
561 | /* We don't use namespace_flags_from_string() here, as the OCI spec uses slightly different names than the | |
562 | * kernel here. */ | |
563 | if (streq(n, "pid")) | |
564 | *nsflags = CLONE_NEWPID; | |
565 | else if (streq(n, "network")) | |
566 | *nsflags = CLONE_NEWNET; | |
567 | else if (streq(n, "mount")) | |
568 | *nsflags = CLONE_NEWNS; | |
569 | else if (streq(n, "ipc")) | |
570 | *nsflags = CLONE_NEWIPC; | |
571 | else if (streq(n, "uts")) | |
572 | *nsflags = CLONE_NEWUTS; | |
573 | else if (streq(n, "user")) | |
574 | *nsflags = CLONE_NEWUSER; | |
575 | else if (streq(n, "cgroup")) | |
576 | *nsflags = CLONE_NEWCGROUP; | |
19130626 ZJS |
577 | else |
578 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
55d3c136 | 579 | "Unknown namespace type, refusing: %s", n); |
de40a303 LP |
580 | |
581 | return 0; | |
582 | } | |
583 | ||
7244c6db FS |
584 | struct namespace_data { |
585 | unsigned long type; | |
586 | char *path; | |
587 | }; | |
588 | ||
f95c9f46 ZJS |
589 | static void namespace_data_done(struct namespace_data *data) { |
590 | assert(data); | |
7244c6db | 591 | |
f95c9f46 | 592 | free(data->path); |
7244c6db FS |
593 | } |
594 | ||
309a747f | 595 | static int oci_namespaces(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 | 596 | Settings *s = ASSERT_PTR(userdata); |
de40a303 | 597 | unsigned long n = 0; |
309a747f | 598 | sd_json_variant *e; |
de40a303 LP |
599 | int r; |
600 | ||
de40a303 | 601 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
f95c9f46 | 602 | _cleanup_(namespace_data_done) struct namespace_data data = {}; |
de40a303 | 603 | |
309a747f LP |
604 | static const sd_json_dispatch_field table[] = { |
605 | { "type", SD_JSON_VARIANT_STRING, oci_namespace_type, offsetof(struct namespace_data, type), SD_JSON_MANDATORY }, | |
606 | { "path", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(struct namespace_data, path), 0 }, | |
de40a303 LP |
607 | {} |
608 | }; | |
609 | ||
f1b622a0 | 610 | r = oci_dispatch(e, table, flags, &data); |
7244c6db | 611 | if (r < 0) |
de40a303 | 612 | return r; |
de40a303 LP |
613 | |
614 | if (data.path) { | |
7244c6db | 615 | if (data.type != CLONE_NEWNET) |
19130626 ZJS |
616 | return json_log(e, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), |
617 | "Specifying namespace path for non-network namespace is not supported."); | |
de40a303 | 618 | |
7244c6db | 619 | if (s->network_namespace_path) |
19130626 ZJS |
620 | return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL), |
621 | "Network namespace path specified more than once, refusing."); | |
de40a303 | 622 | |
7244c6db | 623 | free_and_replace(s->network_namespace_path, data.path); |
de40a303 LP |
624 | } |
625 | ||
d7a0f1f4 | 626 | if (FLAGS_SET(n, data.type)) |
19130626 ZJS |
627 | return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL), |
628 | "Duplicate namespace specification, refusing."); | |
de40a303 LP |
629 | |
630 | n |= data.type; | |
631 | } | |
632 | ||
19130626 ZJS |
633 | if (!FLAGS_SET(n, CLONE_NEWNS)) |
634 | return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), | |
3426ec8e | 635 | "Containers without a mount namespace aren't supported."); |
de40a303 LP |
636 | |
637 | s->private_network = FLAGS_SET(n, CLONE_NEWNET); | |
638 | s->userns_mode = FLAGS_SET(n, CLONE_NEWUSER) ? USER_NAMESPACE_FIXED : USER_NAMESPACE_NO; | |
639 | s->use_cgns = FLAGS_SET(n, CLONE_NEWCGROUP); | |
640 | ||
641 | s->clone_ns_flags = n & (CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS); | |
642 | ||
643 | return 0; | |
644 | } | |
645 | ||
309a747f | 646 | static int oci_uid_gid_range(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 FS |
647 | uid_t *uid = ASSERT_PTR(userdata); |
648 | uid_t u; | |
718ca772 | 649 | uint64_t k; |
de40a303 | 650 | |
de40a303 LP |
651 | assert_cc(sizeof(uid_t) == sizeof(gid_t)); |
652 | ||
653 | /* This is very much like oci_uid_gid(), except the checks are a bit different, as this is a UID range rather | |
f5fbe71d | 654 | * than a specific UID, and hence UID_INVALID has no special significance. OTOH a range of zero makes no |
de40a303 LP |
655 | * sense. */ |
656 | ||
309a747f | 657 | k = sd_json_variant_unsigned(v); |
de40a303 | 658 | u = (uid_t) k; |
718ca772 | 659 | if ((uint64_t) u != k) |
19130626 | 660 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), |
c0f86d66 | 661 | "UID/GID out of range: %" PRIu64, k); |
19130626 ZJS |
662 | if (u == 0) |
663 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), | |
664 | "UID/GID range can't be zero."); | |
de40a303 LP |
665 | |
666 | *uid = u; | |
667 | return 0; | |
668 | } | |
669 | ||
309a747f | 670 | static int oci_uid_gid_mappings(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 LP |
671 | struct mapping_data { |
672 | uid_t host_id; | |
673 | uid_t container_id; | |
674 | uid_t range; | |
675 | } data = { | |
676 | .host_id = UID_INVALID, | |
677 | .container_id = UID_INVALID, | |
678 | .range = 0, | |
679 | }; | |
680 | ||
309a747f LP |
681 | static const sd_json_dispatch_field table[] = { |
682 | { "containerID", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uid_gid, offsetof(struct mapping_data, container_id), SD_JSON_MANDATORY }, | |
683 | { "hostID", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uid_gid, offsetof(struct mapping_data, host_id), SD_JSON_MANDATORY }, | |
684 | { "size", SD_JSON_VARIANT_UNSIGNED, oci_uid_gid_range, offsetof(struct mapping_data, range), SD_JSON_MANDATORY }, | |
de40a303 LP |
685 | {} |
686 | }; | |
687 | ||
99534007 | 688 | Settings *s = ASSERT_PTR(userdata); |
309a747f | 689 | sd_json_variant *e; |
de40a303 LP |
690 | int r; |
691 | ||
309a747f | 692 | if (sd_json_variant_elements(v) == 0) |
de40a303 LP |
693 | return 0; |
694 | ||
309a747f | 695 | if (sd_json_variant_elements(v) > 1) |
19130626 ZJS |
696 | return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), |
697 | "UID/GID mappings with more than one entry are not supported."); | |
de40a303 | 698 | |
309a747f | 699 | assert_se(e = sd_json_variant_by_index(v, 0)); |
de40a303 | 700 | |
f1b622a0 | 701 | r = oci_dispatch(e, table, flags, &data); |
de40a303 LP |
702 | if (r < 0) |
703 | return r; | |
704 | ||
705 | if (data.host_id + data.range < data.host_id || | |
19130626 ZJS |
706 | data.container_id + data.range < data.container_id) |
707 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
708 | "UID/GID range goes beyond UID/GID validity range, refusing."); | |
de40a303 | 709 | |
19130626 ZJS |
710 | if (data.container_id != 0) |
711 | return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), | |
712 | "UID/GID mappings with a non-zero container base are not supported."); | |
de40a303 LP |
713 | |
714 | if (data.range < 0x10000) | |
309a747f | 715 | json_log(v, flags|SD_JSON_WARNING, 0, |
19130626 | 716 | "UID/GID mapping with less than 65536 UID/GIDS set up, you are looking for trouble."); |
de40a303 LP |
717 | |
718 | if (s->uid_range != UID_INVALID && | |
19130626 ZJS |
719 | (s->uid_shift != data.host_id || s->uid_range != data.range)) |
720 | return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), | |
721 | "Non-matching UID and GID mappings are not supported."); | |
de40a303 LP |
722 | |
723 | s->uid_shift = data.host_id; | |
724 | s->uid_range = data.range; | |
725 | ||
726 | return 0; | |
727 | } | |
728 | ||
309a747f | 729 | static int oci_device_type(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 730 | mode_t *mode = ASSERT_PTR(userdata); |
de40a303 LP |
731 | const char *t; |
732 | ||
309a747f | 733 | assert_se(t = sd_json_variant_string(v)); |
de40a303 LP |
734 | |
735 | if (STR_IN_SET(t, "c", "u")) | |
736 | *mode = (*mode & ~S_IFMT) | S_IFCHR; | |
737 | else if (streq(t, "b")) | |
738 | *mode = (*mode & ~S_IFMT) | S_IFBLK; | |
739 | else if (streq(t, "p")) | |
740 | *mode = (*mode & ~S_IFMT) | S_IFIFO; | |
19130626 ZJS |
741 | else |
742 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
743 | "Unknown device type: %s", t); | |
de40a303 LP |
744 | |
745 | return 0; | |
746 | } | |
747 | ||
309a747f | 748 | static int oci_device_major(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 | 749 | unsigned *u = ASSERT_PTR(userdata); |
718ca772 | 750 | uint64_t k; |
de40a303 | 751 | |
309a747f | 752 | k = sd_json_variant_unsigned(v); |
19130626 ZJS |
753 | if (!DEVICE_MAJOR_VALID(k)) |
754 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), | |
c0f86d66 | 755 | "Device major %" PRIu64 " out of range.", k); |
de40a303 LP |
756 | |
757 | *u = (unsigned) k; | |
758 | return 0; | |
759 | } | |
760 | ||
309a747f | 761 | static int oci_device_minor(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 | 762 | unsigned *u = ASSERT_PTR(userdata); |
718ca772 | 763 | uint64_t k; |
de40a303 | 764 | |
309a747f | 765 | k = sd_json_variant_unsigned(v); |
19130626 ZJS |
766 | if (!DEVICE_MINOR_VALID(k)) |
767 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), | |
c0f86d66 | 768 | "Device minor %" PRIu64 " out of range.", k); |
de40a303 LP |
769 | |
770 | *u = (unsigned) k; | |
771 | return 0; | |
772 | } | |
773 | ||
309a747f | 774 | static int oci_device_file_mode(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 FS |
775 | mode_t *mode = ASSERT_PTR(userdata); |
776 | mode_t m; | |
718ca772 | 777 | uint64_t k; |
de40a303 | 778 | |
309a747f | 779 | k = sd_json_variant_unsigned(v); |
de40a303 LP |
780 | m = (mode_t) k; |
781 | ||
718ca772 | 782 | if ((m & ~07777) != 0 || (uint64_t) m != k) |
19130626 ZJS |
783 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), |
784 | "fileMode out of range, refusing."); | |
de40a303 | 785 | |
cd70372b | 786 | *mode = (*mode & ~07777) | m; |
de40a303 LP |
787 | return 0; |
788 | } | |
789 | ||
309a747f | 790 | static int oci_devices(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 791 | Settings *s = ASSERT_PTR(userdata); |
309a747f | 792 | sd_json_variant *e; |
de40a303 LP |
793 | int r; |
794 | ||
de40a303 LP |
795 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
796 | ||
309a747f LP |
797 | static const sd_json_dispatch_field table[] = { |
798 | { "type", SD_JSON_VARIANT_STRING, oci_device_type, offsetof(DeviceNode, mode), SD_JSON_MANDATORY }, | |
799 | { "path", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(DeviceNode, path), SD_JSON_MANDATORY }, | |
800 | { "major", SD_JSON_VARIANT_UNSIGNED, oci_device_major, offsetof(DeviceNode, major), 0 }, | |
801 | { "minor", SD_JSON_VARIANT_UNSIGNED, oci_device_minor, offsetof(DeviceNode, minor), 0 }, | |
802 | { "fileMode", SD_JSON_VARIANT_UNSIGNED, oci_device_file_mode, offsetof(DeviceNode, mode), 0 }, | |
803 | { "uid", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uid_gid, offsetof(DeviceNode, uid), 0 }, | |
804 | { "gid", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uid_gid, offsetof(DeviceNode, gid), 0 }, | |
de40a303 LP |
805 | {} |
806 | }; | |
807 | ||
808 | DeviceNode *node, *nodes; | |
809 | ||
810 | nodes = reallocarray(s->extra_nodes, s->n_extra_nodes + 1, sizeof(DeviceNode)); | |
811 | if (!nodes) | |
812 | return log_oom(); | |
813 | ||
814 | s->extra_nodes = nodes; | |
815 | ||
816 | node = nodes + s->n_extra_nodes; | |
817 | *node = (DeviceNode) { | |
818 | .uid = UID_INVALID, | |
819 | .gid = GID_INVALID, | |
f5fbe71d YW |
820 | .major = UINT_MAX, |
821 | .minor = UINT_MAX, | |
de40a303 LP |
822 | .mode = 0644, |
823 | }; | |
824 | ||
f1b622a0 | 825 | r = oci_dispatch(e, table, flags, node); |
de40a303 LP |
826 | if (r < 0) |
827 | goto fail_element; | |
828 | ||
829 | if (S_ISCHR(node->mode) || S_ISBLK(node->mode)) { | |
830 | _cleanup_free_ char *path = NULL; | |
831 | ||
f5fbe71d | 832 | if (node->major == UINT_MAX || node->minor == UINT_MAX) { |
19130626 | 833 | r = json_log(e, flags, SYNTHETIC_ERRNO(EINVAL), |
4e494e6a | 834 | "Major/minor required when device node is device node."); |
de40a303 LP |
835 | goto fail_element; |
836 | } | |
837 | ||
838 | /* Suppress a couple of implicit device nodes */ | |
4fe46c34 | 839 | r = devname_from_devnum(node->mode, makedev(node->major, node->minor), &path); |
de40a303 | 840 | if (r < 0) |
309a747f | 841 | json_log(e, flags|SD_JSON_DEBUG, r, "Failed to resolve device node %u:%u, ignoring: %m", node->major, node->minor); |
de40a303 LP |
842 | else { |
843 | if (PATH_IN_SET(path, | |
844 | "/dev/null", | |
845 | "/dev/zero", | |
846 | "/dev/full", | |
847 | "/dev/random", | |
848 | "/dev/urandom", | |
849 | "/dev/tty", | |
850 | "/dev/net/tun", | |
851 | "/dev/ptmx", | |
852 | "/dev/pts/ptmx", | |
853 | "/dev/console")) { | |
854 | ||
309a747f | 855 | json_log(e, flags|SD_JSON_DEBUG, 0, "Ignoring devices item for device '%s', as it is implicitly created anyway.", path); |
de40a303 LP |
856 | free(node->path); |
857 | continue; | |
858 | } | |
859 | } | |
860 | } | |
861 | ||
862 | s->n_extra_nodes++; | |
863 | continue; | |
864 | ||
865 | fail_element: | |
866 | free(node->path); | |
867 | return r; | |
868 | } | |
869 | ||
870 | return 0; | |
871 | } | |
872 | ||
309a747f | 873 | static int oci_cgroups_path(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 | 874 | _cleanup_free_ char *slice = NULL, *backwards = NULL; |
99534007 | 875 | Settings *s = ASSERT_PTR(userdata); |
de40a303 LP |
876 | const char *p; |
877 | int r; | |
878 | ||
309a747f | 879 | assert_se(p = sd_json_variant_string(v)); |
de40a303 LP |
880 | |
881 | r = cg_path_get_slice(p, &slice); | |
882 | if (r < 0) | |
883 | return json_log(v, flags, r, "Couldn't derive slice unit name from path '%s': %m", p); | |
884 | ||
885 | r = cg_slice_to_path(slice, &backwards); | |
886 | if (r < 0) | |
887 | return json_log(v, flags, r, "Couldn't convert slice unit name '%s' back to path: %m", slice); | |
888 | ||
19130626 ZJS |
889 | if (!path_equal(backwards, p)) |
890 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
891 | "Control group path '%s' does not refer to slice unit, refusing.", p); | |
de40a303 LP |
892 | |
893 | free_and_replace(s->slice, slice); | |
894 | return 0; | |
895 | } | |
896 | ||
309a747f | 897 | static int oci_cgroup_device_type(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 | 898 | mode_t *mode = ASSERT_PTR(userdata); |
de40a303 LP |
899 | const char *n; |
900 | ||
309a747f | 901 | assert_se(n = sd_json_variant_string(v)); |
de40a303 LP |
902 | |
903 | if (streq(n, "c")) | |
904 | *mode = S_IFCHR; | |
905 | else if (streq(n, "b")) | |
906 | *mode = S_IFBLK; | |
19130626 ZJS |
907 | else |
908 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
909 | "Control group device type unknown: %s", n); | |
de40a303 LP |
910 | |
911 | return 0; | |
912 | } | |
913 | ||
914 | struct device_data { | |
915 | bool allow; | |
916 | bool r; | |
917 | bool w; | |
918 | bool m; | |
919 | mode_t type; | |
920 | unsigned major; | |
921 | unsigned minor; | |
922 | }; | |
923 | ||
309a747f | 924 | static int oci_cgroup_device_access(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 | 925 | struct device_data *d = ASSERT_PTR(userdata); |
de40a303 LP |
926 | bool r = false, w = false, m = false; |
927 | const char *s; | |
928 | size_t i; | |
929 | ||
309a747f | 930 | assert_se(s = sd_json_variant_string(v)); |
de40a303 | 931 | |
19130626 | 932 | for (i = 0; s[i]; i++) |
de40a303 LP |
933 | if (s[i] == 'r') |
934 | r = true; | |
935 | else if (s[i] == 'w') | |
936 | w = true; | |
937 | else if (s[i] == 'm') | |
938 | m = true; | |
19130626 ZJS |
939 | else |
940 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
941 | "Unknown device access character '%c'.", s[i]); | |
de40a303 LP |
942 | |
943 | d->r = r; | |
944 | d->w = w; | |
945 | d->m = m; | |
946 | ||
947 | return 0; | |
948 | } | |
949 | ||
309a747f | 950 | static int oci_cgroup_devices(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 | 951 | _cleanup_free_ struct device_data *list = NULL; |
99534007 | 952 | Settings *s = ASSERT_PTR(userdata); |
de40a303 LP |
953 | size_t n_list = 0, i; |
954 | bool noop = false; | |
309a747f | 955 | sd_json_variant *e; |
de40a303 LP |
956 | int r; |
957 | ||
de40a303 LP |
958 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
959 | ||
960 | struct device_data data = { | |
f5fbe71d YW |
961 | .major = UINT_MAX, |
962 | .minor = UINT_MAX, | |
de40a303 LP |
963 | }, *a; |
964 | ||
309a747f LP |
965 | static const sd_json_dispatch_field table[] = { |
966 | { "allow", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(struct device_data, allow), SD_JSON_MANDATORY }, | |
967 | { "type", SD_JSON_VARIANT_STRING, oci_cgroup_device_type, offsetof(struct device_data, type), 0 }, | |
968 | { "major", SD_JSON_VARIANT_UNSIGNED, oci_device_major, offsetof(struct device_data, major), 0 }, | |
969 | { "minor", SD_JSON_VARIANT_UNSIGNED, oci_device_minor, offsetof(struct device_data, minor), 0 }, | |
970 | { "access", SD_JSON_VARIANT_STRING, oci_cgroup_device_access, 0, 0 }, | |
de40a303 LP |
971 | {} |
972 | }; | |
973 | ||
f1b622a0 | 974 | r = oci_dispatch(e, table, flags, &data); |
de40a303 LP |
975 | if (r < 0) |
976 | return r; | |
977 | ||
978 | if (!data.allow) { | |
6b000af4 LP |
979 | /* The fact that OCI allows 'deny' entries makes really no sense, as 'allow' |
980 | * vs. 'deny' for the devices cgroup controller is really not about allow-listing and | |
981 | * deny-listing but about adding and removing entries from the allow list. Since we | |
982 | * always start out with an empty allow list we hence ignore the whole thing, as | |
983 | * removing entries which don't exist make no sense. We'll log about this, since this | |
984 | * is really borked in the spec, with one exception: the entry that's supposed to | |
985 | * drop the kernel's default we ignore silently */ | |
de40a303 | 986 | |
f5fbe71d | 987 | if (!data.r || !data.w || !data.m || data.type != 0 || data.major != UINT_MAX || data.minor != UINT_MAX) |
309a747f | 988 | json_log(v, flags|SD_JSON_WARNING, 0, "Devices cgroup allow list with arbitrary 'allow' entries not supported, ignoring."); |
de40a303 LP |
989 | |
990 | /* We ignore the 'deny' entry as for us that's implied */ | |
991 | continue; | |
992 | } | |
993 | ||
994 | if (!data.r && !data.w && !data.m) { | |
6b000af4 | 995 | json_log(v, flags|LOG_WARNING, 0, "Device cgroup allow list entry with no effect found, ignoring."); |
de40a303 LP |
996 | continue; |
997 | } | |
998 | ||
f5fbe71d | 999 | if (data.minor != UINT_MAX && data.major == UINT_MAX) |
19130626 | 1000 | return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), |
6b000af4 | 1001 | "Device cgroup allow list entries with minors but no majors not supported."); |
de40a303 | 1002 | |
f5fbe71d | 1003 | if (data.major != UINT_MAX && data.type == 0) |
19130626 | 1004 | return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), |
6b000af4 | 1005 | "Device cgroup allow list entries with majors but no device node type not supported."); |
de40a303 LP |
1006 | |
1007 | if (data.type == 0) { | |
6b000af4 | 1008 | if (data.r && data.w && data.m) /* a catchall allow list entry means we are looking at a noop */ |
de40a303 | 1009 | noop = true; |
19130626 ZJS |
1010 | else |
1011 | return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), | |
6b000af4 | 1012 | "Device cgroup allow list entries with no type not supported."); |
de40a303 LP |
1013 | } |
1014 | ||
1015 | a = reallocarray(list, n_list + 1, sizeof(struct device_data)); | |
1016 | if (!a) | |
1017 | return log_oom(); | |
1018 | ||
1019 | list = a; | |
1020 | list[n_list++] = data; | |
1021 | } | |
1022 | ||
1023 | if (noop) | |
1024 | return 0; | |
1025 | ||
1026 | r = settings_allocate_properties(s); | |
1027 | if (r < 0) | |
1028 | return r; | |
1029 | ||
1030 | r = sd_bus_message_open_container(s->properties, 'r', "sv"); | |
1031 | if (r < 0) | |
1032 | return bus_log_create_error(r); | |
1033 | ||
1034 | r = sd_bus_message_append(s->properties, "s", "DeviceAllow"); | |
1035 | if (r < 0) | |
1036 | return bus_log_create_error(r); | |
1037 | ||
1038 | r = sd_bus_message_open_container(s->properties, 'v', "a(ss)"); | |
1039 | if (r < 0) | |
1040 | return bus_log_create_error(r); | |
1041 | ||
1042 | r = sd_bus_message_open_container(s->properties, 'a', "(ss)"); | |
1043 | if (r < 0) | |
1044 | return bus_log_create_error(r); | |
1045 | ||
1046 | for (i = 0; i < n_list; i++) { | |
1047 | _cleanup_free_ char *pattern = NULL; | |
1048 | char access[4]; | |
1049 | size_t n = 0; | |
1050 | ||
f5fbe71d | 1051 | if (list[i].minor == UINT_MAX) { |
de40a303 LP |
1052 | const char *t; |
1053 | ||
1054 | if (list[i].type == S_IFBLK) | |
1055 | t = "block"; | |
1056 | else { | |
1057 | assert(list[i].type == S_IFCHR); | |
1058 | t = "char"; | |
1059 | } | |
1060 | ||
f5fbe71d | 1061 | if (list[i].major == UINT_MAX) { |
de40a303 LP |
1062 | pattern = strjoin(t, "-*"); |
1063 | if (!pattern) | |
1064 | return log_oom(); | |
1065 | } else { | |
1066 | if (asprintf(&pattern, "%s-%u", t, list[i].major) < 0) | |
1067 | return log_oom(); | |
1068 | } | |
1069 | ||
1070 | } else { | |
f5fbe71d | 1071 | assert(list[i].major != UINT_MAX); /* If a minor is specified, then a major also needs to be specified */ |
de40a303 LP |
1072 | |
1073 | r = device_path_make_major_minor(list[i].type, makedev(list[i].major, list[i].minor), &pattern); | |
1074 | if (r < 0) | |
1075 | return log_oom(); | |
1076 | } | |
1077 | ||
1078 | if (list[i].r) | |
1079 | access[n++] = 'r'; | |
1080 | if (list[i].w) | |
1081 | access[n++] = 'w'; | |
1082 | if (list[i].m) | |
1083 | access[n++] = 'm'; | |
1084 | access[n] = 0; | |
1085 | ||
1086 | assert(n > 0); | |
1087 | ||
1088 | r = sd_bus_message_append(s->properties, "(ss)", pattern, access); | |
1089 | if (r < 0) | |
1090 | return bus_log_create_error(r); | |
1091 | } | |
1092 | ||
1093 | r = sd_bus_message_close_container(s->properties); | |
1094 | if (r < 0) | |
1095 | return bus_log_create_error(r); | |
1096 | ||
1097 | r = sd_bus_message_close_container(s->properties); | |
1098 | if (r < 0) | |
1099 | return bus_log_create_error(r); | |
1100 | ||
1101 | r = sd_bus_message_close_container(s->properties); | |
1102 | if (r < 0) | |
1103 | return bus_log_create_error(r); | |
1104 | ||
1105 | return 0; | |
1106 | } | |
1107 | ||
309a747f | 1108 | static int oci_cgroup_memory_limit(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1109 | uint64_t *m = ASSERT_PTR(userdata); |
718ca772 | 1110 | uint64_t k; |
de40a303 | 1111 | |
309a747f | 1112 | if (sd_json_variant_is_negative(v)) { |
de40a303 LP |
1113 | *m = UINT64_MAX; |
1114 | return 0; | |
1115 | } | |
1116 | ||
309a747f | 1117 | if (!sd_json_variant_is_unsigned(v)) |
19130626 | 1118 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), |
4e494e6a | 1119 | "Memory limit is not an unsigned integer."); |
de40a303 | 1120 | |
309a747f | 1121 | k = sd_json_variant_unsigned(v); |
19130626 ZJS |
1122 | if (k >= UINT64_MAX) |
1123 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), | |
c0f86d66 | 1124 | "Memory limit too large: %" PRIu64, k); |
de40a303 LP |
1125 | |
1126 | *m = (uint64_t) k; | |
1127 | return 0; | |
1128 | } | |
1129 | ||
309a747f | 1130 | static int oci_cgroup_memory(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 LP |
1131 | |
1132 | struct memory_data { | |
1133 | uint64_t limit; | |
1134 | uint64_t reservation; | |
1135 | uint64_t swap; | |
1136 | } data = { | |
1137 | .limit = UINT64_MAX, | |
1138 | .reservation = UINT64_MAX, | |
1139 | .swap = UINT64_MAX, | |
1140 | }; | |
1141 | ||
309a747f LP |
1142 | static const sd_json_dispatch_field table[] = { |
1143 | { "limit", SD_JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, limit), 0 }, | |
1144 | { "reservation", SD_JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, reservation), 0 }, | |
1145 | { "swap", SD_JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, swap), 0 }, | |
1146 | { "kernel", SD_JSON_VARIANT_NUMBER, oci_unsupported, 0, SD_JSON_PERMISSIVE }, | |
1147 | { "kernelTCP", SD_JSON_VARIANT_NUMBER, oci_unsupported, 0, SD_JSON_PERMISSIVE }, | |
1148 | { "swapiness", SD_JSON_VARIANT_NUMBER, oci_unsupported, 0, SD_JSON_PERMISSIVE }, | |
1149 | { "disableOOMKiller", SD_JSON_VARIANT_BOOLEAN, oci_unsupported, 0, SD_JSON_PERMISSIVE }, | |
de40a303 LP |
1150 | {} |
1151 | }; | |
1152 | ||
79742424 | 1153 | Settings *s = ASSERT_PTR(userdata); |
de40a303 LP |
1154 | int r; |
1155 | ||
f1b622a0 | 1156 | r = oci_dispatch(v, table, flags, &data); |
de40a303 LP |
1157 | if (r < 0) |
1158 | return r; | |
1159 | ||
1160 | if (data.swap != UINT64_MAX) { | |
1161 | if (data.limit == UINT64_MAX) | |
1162 | json_log(v, flags|LOG_WARNING, 0, "swap limit without memory limit is not supported, ignoring."); | |
1163 | else if (data.swap < data.limit) | |
1164 | json_log(v, flags|LOG_WARNING, 0, "swap limit is below memory limit, ignoring."); | |
1165 | else { | |
1166 | r = settings_allocate_properties(s); | |
1167 | if (r < 0) | |
1168 | return r; | |
1169 | ||
1170 | r = sd_bus_message_append(s->properties, "(sv)", "MemorySwapMax", "t", data.swap - data.limit); | |
1171 | if (r < 0) | |
1172 | return bus_log_create_error(r); | |
1173 | } | |
1174 | } | |
1175 | ||
1176 | if (data.limit != UINT64_MAX) { | |
1177 | r = settings_allocate_properties(s); | |
1178 | if (r < 0) | |
1179 | return r; | |
1180 | ||
1181 | r = sd_bus_message_append(s->properties, "(sv)", "MemoryMax", "t", data.limit); | |
1182 | if (r < 0) | |
1183 | return bus_log_create_error(r); | |
1184 | } | |
1185 | ||
1186 | if (data.reservation != UINT64_MAX) { | |
1187 | r = settings_allocate_properties(s); | |
1188 | if (r < 0) | |
1189 | return r; | |
1190 | ||
1191 | r = sd_bus_message_append(s->properties, "(sv)", "MemoryLow", "t", data.reservation); | |
1192 | if (r < 0) | |
1193 | return bus_log_create_error(r); | |
1194 | } | |
1195 | ||
1196 | return 0; | |
1197 | } | |
1198 | ||
1199 | struct cpu_data { | |
1200 | uint64_t shares; | |
1201 | uint64_t quota; | |
1202 | uint64_t period; | |
0985c7c4 | 1203 | CPUSet cpu_set; |
de40a303 LP |
1204 | }; |
1205 | ||
309a747f | 1206 | static int oci_cgroup_cpu_shares(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1207 | uint64_t *u = ASSERT_PTR(userdata); |
718ca772 | 1208 | uint64_t k; |
de40a303 | 1209 | |
309a747f | 1210 | k = sd_json_variant_unsigned(v); |
19130626 ZJS |
1211 | if (k < CGROUP_CPU_SHARES_MIN || k > CGROUP_CPU_SHARES_MAX) |
1212 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), | |
1213 | "shares value out of range."); | |
de40a303 LP |
1214 | |
1215 | *u = (uint64_t) k; | |
1216 | return 0; | |
1217 | } | |
1218 | ||
309a747f | 1219 | static int oci_cgroup_cpu_quota(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1220 | uint64_t *u = ASSERT_PTR(userdata); |
718ca772 | 1221 | uint64_t k; |
de40a303 | 1222 | |
309a747f | 1223 | k = sd_json_variant_unsigned(v); |
19130626 ZJS |
1224 | if (k <= 0 || k >= UINT64_MAX) |
1225 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), | |
1226 | "period/quota value out of range."); | |
de40a303 LP |
1227 | |
1228 | *u = (uint64_t) k; | |
1229 | return 0; | |
1230 | } | |
1231 | ||
309a747f | 1232 | static int oci_cgroup_cpu_cpus(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1233 | struct cpu_data *data = ASSERT_PTR(userdata); |
0985c7c4 | 1234 | CPUSet set; |
de40a303 | 1235 | const char *n; |
0985c7c4 | 1236 | int r; |
de40a303 | 1237 | |
309a747f | 1238 | assert_se(n = sd_json_variant_string(v)); |
de40a303 | 1239 | |
0985c7c4 ZJS |
1240 | r = parse_cpu_set(n, &set); |
1241 | if (r < 0) | |
1242 | return json_log(v, flags, r, "Failed to parse CPU set specification: %s", n); | |
de40a303 | 1243 | |
0985c7c4 ZJS |
1244 | cpu_set_reset(&data->cpu_set); |
1245 | data->cpu_set = set; | |
de40a303 LP |
1246 | |
1247 | return 0; | |
1248 | } | |
1249 | ||
309a747f | 1250 | static int oci_cgroup_cpu(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 | 1251 | |
309a747f LP |
1252 | static const sd_json_dispatch_field table[] = { |
1253 | { "shares", SD_JSON_VARIANT_UNSIGNED, oci_cgroup_cpu_shares, offsetof(struct cpu_data, shares), 0 }, | |
1254 | { "quota", SD_JSON_VARIANT_UNSIGNED, oci_cgroup_cpu_quota, offsetof(struct cpu_data, quota), 0 }, | |
1255 | { "period", SD_JSON_VARIANT_UNSIGNED, oci_cgroup_cpu_quota, offsetof(struct cpu_data, period), 0 }, | |
1256 | { "realtimeRuntime", SD_JSON_VARIANT_UNSIGNED, oci_unsupported, 0, 0 }, | |
1257 | { "realtimePeriod", SD_JSON_VARIANT_UNSIGNED, oci_unsupported, 0, 0 }, | |
1258 | { "cpus", SD_JSON_VARIANT_STRING, oci_cgroup_cpu_cpus, 0, 0 }, | |
1259 | { "mems", SD_JSON_VARIANT_STRING, oci_unsupported, 0, 0 }, | |
de40a303 LP |
1260 | {} |
1261 | }; | |
1262 | ||
1263 | struct cpu_data data = { | |
1264 | .shares = UINT64_MAX, | |
1265 | .quota = UINT64_MAX, | |
1266 | .period = UINT64_MAX, | |
1267 | }; | |
1268 | ||
79742424 | 1269 | Settings *s = ASSERT_PTR(userdata); |
de40a303 LP |
1270 | int r; |
1271 | ||
f1b622a0 | 1272 | r = oci_dispatch(v, table, flags, &data); |
de40a303 | 1273 | if (r < 0) { |
0985c7c4 | 1274 | cpu_set_reset(&data.cpu_set); |
de40a303 LP |
1275 | return r; |
1276 | } | |
1277 | ||
0985c7c4 ZJS |
1278 | cpu_set_reset(&s->cpu_set); |
1279 | s->cpu_set = data.cpu_set; | |
de40a303 LP |
1280 | |
1281 | if (data.shares != UINT64_MAX) { | |
1282 | r = settings_allocate_properties(s); | |
1283 | if (r < 0) | |
1284 | return r; | |
1285 | ||
1286 | r = sd_bus_message_append(s->properties, "(sv)", "CPUShares", "t", data.shares); | |
1287 | if (r < 0) | |
1288 | return bus_log_create_error(r); | |
1289 | } | |
1290 | ||
1291 | if (data.quota != UINT64_MAX && data.period != UINT64_MAX) { | |
1292 | r = settings_allocate_properties(s); | |
1293 | if (r < 0) | |
1294 | return r; | |
1295 | ||
1296 | r = sd_bus_message_append(s->properties, "(sv)", "CPUQuotaPerSecUSec", "t", (uint64_t) (data.quota * USEC_PER_SEC / data.period)); | |
1297 | if (r < 0) | |
1298 | return bus_log_create_error(r); | |
1299 | ||
19130626 ZJS |
1300 | } else if ((data.quota != UINT64_MAX) != (data.period != UINT64_MAX)) |
1301 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
1302 | "CPU quota and period not used together."); | |
de40a303 LP |
1303 | |
1304 | return 0; | |
1305 | } | |
1306 | ||
309a747f | 1307 | static int oci_cgroup_block_io_weight(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1308 | Settings *s = ASSERT_PTR(userdata); |
718ca772 | 1309 | uint64_t k; |
de40a303 LP |
1310 | int r; |
1311 | ||
309a747f | 1312 | k = sd_json_variant_unsigned(v); |
19130626 ZJS |
1313 | if (k < CGROUP_BLKIO_WEIGHT_MIN || k > CGROUP_BLKIO_WEIGHT_MAX) |
1314 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), | |
1315 | "Block I/O weight out of range."); | |
de40a303 LP |
1316 | |
1317 | r = settings_allocate_properties(s); | |
1318 | if (r < 0) | |
1319 | return r; | |
1320 | ||
1321 | r = sd_bus_message_append(s->properties, "(sv)", "BlockIOWeight", "t", (uint64_t) k); | |
1322 | if (r < 0) | |
1323 | return bus_log_create_error(r); | |
1324 | ||
1325 | return 0; | |
1326 | } | |
1327 | ||
309a747f | 1328 | static int oci_cgroup_block_io_weight_device(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1329 | Settings *s = ASSERT_PTR(userdata); |
309a747f | 1330 | sd_json_variant *e; |
de40a303 LP |
1331 | int r; |
1332 | ||
de40a303 LP |
1333 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
1334 | struct device_data { | |
1335 | unsigned major; | |
1336 | unsigned minor; | |
718ca772 | 1337 | uint64_t weight; |
de40a303 | 1338 | } data = { |
f5fbe71d YW |
1339 | .major = UINT_MAX, |
1340 | .minor = UINT_MAX, | |
718ca772 | 1341 | .weight = UINT64_MAX, |
de40a303 LP |
1342 | }; |
1343 | ||
309a747f LP |
1344 | static const sd_json_dispatch_field table[] = { |
1345 | { "major", SD_JSON_VARIANT_UNSIGNED, oci_device_major, offsetof(struct device_data, major), SD_JSON_MANDATORY }, | |
1346 | { "minor", SD_JSON_VARIANT_UNSIGNED, oci_device_minor, offsetof(struct device_data, minor), SD_JSON_MANDATORY }, | |
1347 | { "weight", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint64, offsetof(struct device_data, weight), 0 }, | |
1348 | { "leafWeight", SD_JSON_VARIANT_INTEGER, oci_unsupported, 0, SD_JSON_PERMISSIVE }, | |
de40a303 LP |
1349 | {} |
1350 | }; | |
1351 | ||
1352 | _cleanup_free_ char *path = NULL; | |
1353 | ||
f1b622a0 | 1354 | r = oci_dispatch(e, table, flags, &data); |
de40a303 LP |
1355 | if (r < 0) |
1356 | return r; | |
1357 | ||
718ca772 | 1358 | if (data.weight == UINT64_MAX) |
de40a303 LP |
1359 | continue; |
1360 | ||
19130626 ZJS |
1361 | if (data.weight < CGROUP_BLKIO_WEIGHT_MIN || data.weight > CGROUP_BLKIO_WEIGHT_MAX) |
1362 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), | |
1363 | "Block I/O device weight out of range."); | |
de40a303 LP |
1364 | |
1365 | r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path); | |
1366 | if (r < 0) | |
1367 | return json_log(v, flags, r, "Failed to build device path: %m"); | |
1368 | ||
1369 | r = settings_allocate_properties(s); | |
1370 | if (r < 0) | |
1371 | return r; | |
1372 | ||
1373 | r = sd_bus_message_append(s->properties, "(sv)", "BlockIODeviceWeight", "a(st)", 1, path, (uint64_t) data.weight); | |
1374 | if (r < 0) | |
1375 | return bus_log_create_error(r); | |
1376 | } | |
1377 | ||
1378 | return 0; | |
1379 | } | |
1380 | ||
309a747f | 1381 | static int oci_cgroup_block_io_throttle(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1382 | Settings *s = ASSERT_PTR(userdata); |
de40a303 | 1383 | const char *pname; |
309a747f | 1384 | sd_json_variant *e; |
de40a303 LP |
1385 | int r; |
1386 | ||
de40a303 LP |
1387 | pname = streq(name, "throttleReadBpsDevice") ? "IOReadBandwidthMax" : |
1388 | streq(name, "throttleWriteBpsDevice") ? "IOWriteBandwidthMax" : | |
1389 | streq(name, "throttleReadIOPSDevice") ? "IOReadIOPSMax" : | |
1390 | "IOWriteIOPSMax"; | |
1391 | ||
1392 | JSON_VARIANT_ARRAY_FOREACH(e, v) { | |
1393 | struct device_data { | |
1394 | unsigned major; | |
1395 | unsigned minor; | |
718ca772 | 1396 | uint64_t rate; |
de40a303 | 1397 | } data = { |
f5fbe71d YW |
1398 | .major = UINT_MAX, |
1399 | .minor = UINT_MAX, | |
de40a303 LP |
1400 | }; |
1401 | ||
309a747f LP |
1402 | static const sd_json_dispatch_field table[] = { |
1403 | { "major", SD_JSON_VARIANT_UNSIGNED, oci_device_major, offsetof(struct device_data, major), SD_JSON_MANDATORY }, | |
1404 | { "minor", SD_JSON_VARIANT_UNSIGNED, oci_device_minor, offsetof(struct device_data, minor), SD_JSON_MANDATORY }, | |
1405 | { "rate", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint64, offsetof(struct device_data, rate), SD_JSON_MANDATORY }, | |
de40a303 LP |
1406 | {} |
1407 | }; | |
1408 | ||
1409 | _cleanup_free_ char *path = NULL; | |
1410 | ||
f1b622a0 | 1411 | r = oci_dispatch(e, table, flags, &data); |
de40a303 LP |
1412 | if (r < 0) |
1413 | return r; | |
1414 | ||
19130626 ZJS |
1415 | if (data.rate >= UINT64_MAX) |
1416 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), | |
1417 | "Block I/O device rate out of range."); | |
de40a303 LP |
1418 | |
1419 | r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path); | |
1420 | if (r < 0) | |
1421 | return json_log(v, flags, r, "Failed to build device path: %m"); | |
1422 | ||
1423 | r = settings_allocate_properties(s); | |
1424 | if (r < 0) | |
1425 | return r; | |
1426 | ||
1427 | r = sd_bus_message_append(s->properties, "(sv)", pname, "a(st)", 1, path, (uint64_t) data.rate); | |
1428 | if (r < 0) | |
1429 | return bus_log_create_error(r); | |
1430 | } | |
1431 | ||
1432 | return 0; | |
1433 | } | |
1434 | ||
309a747f | 1435 | static int oci_cgroup_block_io(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 | 1436 | |
309a747f LP |
1437 | static const sd_json_dispatch_field table[] = { |
1438 | { "weight", SD_JSON_VARIANT_UNSIGNED, oci_cgroup_block_io_weight, 0, 0 }, | |
1439 | { "leafWeight", SD_JSON_VARIANT_UNSIGNED, oci_unsupported, 0, SD_JSON_PERMISSIVE }, | |
1440 | { "weightDevice", SD_JSON_VARIANT_ARRAY, oci_cgroup_block_io_weight_device, 0, 0 }, | |
1441 | { "throttleReadBpsDevice", SD_JSON_VARIANT_ARRAY, oci_cgroup_block_io_throttle, 0, 0 }, | |
1442 | { "throttleWriteBpsDevice", SD_JSON_VARIANT_ARRAY, oci_cgroup_block_io_throttle, 0, 0 }, | |
1443 | { "throttleReadIOPSDevice", SD_JSON_VARIANT_ARRAY, oci_cgroup_block_io_throttle, 0, 0 }, | |
1444 | { "throttleWriteIOPSDevice", SD_JSON_VARIANT_ARRAY, oci_cgroup_block_io_throttle, 0, 0 }, | |
de40a303 LP |
1445 | {} |
1446 | }; | |
1447 | ||
f1b622a0 | 1448 | return oci_dispatch(v, table, flags, userdata); |
de40a303 LP |
1449 | } |
1450 | ||
309a747f | 1451 | static int oci_cgroup_pids(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 | 1452 | |
309a747f LP |
1453 | static const sd_json_dispatch_field table[] = { |
1454 | { "limit", SD_JSON_VARIANT_NUMBER, sd_json_dispatch_variant, 0, SD_JSON_MANDATORY }, | |
de40a303 LP |
1455 | {} |
1456 | }; | |
1457 | ||
309a747f | 1458 | _cleanup_(sd_json_variant_unrefp) sd_json_variant *k = NULL; |
99534007 | 1459 | Settings *s = ASSERT_PTR(userdata); |
de40a303 LP |
1460 | uint64_t m; |
1461 | int r; | |
1462 | ||
f1b622a0 | 1463 | r = oci_dispatch(v, table, flags, &k); |
de40a303 LP |
1464 | if (r < 0) |
1465 | return r; | |
1466 | ||
309a747f | 1467 | if (sd_json_variant_is_negative(k)) |
de40a303 LP |
1468 | m = UINT64_MAX; |
1469 | else { | |
309a747f | 1470 | if (!sd_json_variant_is_unsigned(k)) |
19130626 ZJS |
1471 | return json_log(k, flags, SYNTHETIC_ERRNO(EINVAL), |
1472 | "pids limit not unsigned integer, refusing."); | |
de40a303 | 1473 | |
309a747f | 1474 | m = (uint64_t) sd_json_variant_unsigned(k); |
de40a303 | 1475 | |
309a747f | 1476 | if ((uint64_t) m != sd_json_variant_unsigned(k)) |
19130626 ZJS |
1477 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), |
1478 | "pids limit out of range, refusing."); | |
de40a303 LP |
1479 | } |
1480 | ||
1481 | r = settings_allocate_properties(s); | |
1482 | if (r < 0) | |
1483 | return r; | |
1484 | ||
1485 | r = sd_bus_message_append(s->properties, "(sv)", "TasksMax", "t", m); | |
1486 | if (r < 0) | |
1487 | return bus_log_create_error(r); | |
1488 | ||
1489 | return 0; | |
1490 | } | |
1491 | ||
309a747f | 1492 | static int oci_resources(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 | 1493 | |
309a747f LP |
1494 | static const sd_json_dispatch_field table[] = { |
1495 | { "devices", SD_JSON_VARIANT_ARRAY, oci_cgroup_devices, 0, 0 }, | |
1496 | { "memory", SD_JSON_VARIANT_OBJECT, oci_cgroup_memory, 0, 0 }, | |
1497 | { "cpu", SD_JSON_VARIANT_OBJECT, oci_cgroup_cpu, 0, 0 }, | |
1498 | { "blockIO", SD_JSON_VARIANT_OBJECT, oci_cgroup_block_io, 0, 0 }, | |
1499 | { "hugepageLimits", SD_JSON_VARIANT_ARRAY, oci_unsupported, 0, 0 }, | |
1500 | { "network", SD_JSON_VARIANT_OBJECT, oci_unsupported, 0, 0 }, | |
1501 | { "pids", SD_JSON_VARIANT_OBJECT, oci_cgroup_pids, 0, 0 }, | |
1502 | { "rdma", SD_JSON_VARIANT_OBJECT, oci_unsupported, 0, 0 }, | |
de40a303 LP |
1503 | {} |
1504 | }; | |
1505 | ||
f1b622a0 | 1506 | return oci_dispatch(v, table, flags, userdata); |
de40a303 LP |
1507 | } |
1508 | ||
1509 | static bool sysctl_key_valid(const char *s) { | |
1510 | bool dot = true; | |
1511 | ||
1512 | /* Note that we are a bit stricter here than in systemd-sysctl, as that inherited semantics from the old sysctl | |
1513 | * tool, which were really weird (as it swaps / and . in both ways) */ | |
1514 | ||
1515 | if (isempty(s)) | |
1516 | return false; | |
1517 | ||
1518 | for (; *s; s++) { | |
1519 | ||
1520 | if (*s <= ' ' || *s >= 127) | |
1521 | return false; | |
1522 | if (*s == '/') | |
1523 | return false; | |
1524 | if (*s == '.') { | |
1525 | ||
1526 | if (dot) /* Don't allow two dots next to each other (or at the beginning) */ | |
1527 | return false; | |
1528 | ||
1529 | dot = true; | |
1530 | } else | |
1531 | dot = false; | |
1532 | } | |
1533 | ||
1534 | if (dot) /* don't allow a dot at the end */ | |
1535 | return false; | |
1536 | ||
1537 | return true; | |
1538 | } | |
1539 | ||
309a747f | 1540 | static int oci_sysctl(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1541 | Settings *s = ASSERT_PTR(userdata); |
309a747f | 1542 | sd_json_variant *w; |
33d60b8d | 1543 | const char *k; |
de40a303 LP |
1544 | int r; |
1545 | ||
de40a303 | 1546 | JSON_VARIANT_OBJECT_FOREACH(k, w, v) { |
33d60b8d | 1547 | const char *m; |
de40a303 | 1548 | |
309a747f | 1549 | if (!sd_json_variant_is_string(w)) |
19130626 ZJS |
1550 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), |
1551 | "sysctl parameter is not a string, refusing."); | |
de40a303 | 1552 | |
309a747f | 1553 | assert_se(m = sd_json_variant_string(w)); |
de40a303 | 1554 | |
fc832965 | 1555 | if (!sysctl_key_valid(k)) |
19130626 | 1556 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), |
33d60b8d | 1557 | "sysctl key invalid, refusing: %s", k); |
de40a303 | 1558 | |
69f3c619 | 1559 | r = strv_extend_many(&s->sysctl, k, m); |
de40a303 LP |
1560 | if (r < 0) |
1561 | return log_oom(); | |
1562 | } | |
1563 | ||
1564 | return 0; | |
1565 | } | |
1566 | ||
ae408d77 | 1567 | #if HAVE_SECCOMP |
de40a303 LP |
1568 | static int oci_seccomp_action_from_string(const char *name, uint32_t *ret) { |
1569 | ||
1570 | static const struct { | |
1571 | const char *name; | |
1572 | uint32_t action; | |
1573 | } table[] = { | |
f9a3d8e2 LP |
1574 | { "SCMP_ACT_ALLOW", SCMP_ACT_ALLOW }, |
1575 | { "SCMP_ACT_ERRNO", SCMP_ACT_ERRNO(EPERM) }, /* the OCI spec doesn't document the error, but it appears EPERM is supposed to be used */ | |
1576 | { "SCMP_ACT_KILL", SCMP_ACT_KILL }, | |
1577 | #ifdef SCMP_ACT_KILL_PROCESS | |
1578 | { "SCMP_ACT_KILL_PROCESS", SCMP_ACT_KILL_PROCESS }, | |
1579 | #endif | |
1580 | #ifdef SCMP_ACT_KILL_THREAD | |
1581 | { "SCMP_ACT_KILL_THREAD", SCMP_ACT_KILL_THREAD }, | |
1582 | #endif | |
de40a303 | 1583 | #ifdef SCMP_ACT_LOG |
f9a3d8e2 | 1584 | { "SCMP_ACT_LOG", SCMP_ACT_LOG }, |
de40a303 | 1585 | #endif |
f9a3d8e2 | 1586 | { "SCMP_ACT_TRAP", SCMP_ACT_TRAP }, |
de40a303 LP |
1587 | |
1588 | /* We don't support SCMP_ACT_TRACE because that requires a tracer, and that doesn't really make sense | |
1589 | * here */ | |
1590 | }; | |
1591 | ||
1592 | size_t i; | |
1593 | ||
1594 | for (i = 0; i < ELEMENTSOF(table); i++) | |
1595 | if (streq_ptr(name, table[i].name)) { | |
1596 | *ret = table[i].action; | |
1597 | return 0; | |
1598 | } | |
1599 | ||
1600 | return -EINVAL; | |
1601 | } | |
1602 | ||
1603 | static int oci_seccomp_arch_from_string(const char *name, uint32_t *ret) { | |
1604 | ||
1605 | static const struct { | |
1606 | const char *name; | |
1607 | uint32_t arch; | |
1608 | } table[] = { | |
1609 | { "SCMP_ARCH_AARCH64", SCMP_ARCH_AARCH64 }, | |
1610 | { "SCMP_ARCH_ARM", SCMP_ARCH_ARM }, | |
f9d3fb6b XW |
1611 | #ifdef SCMP_ARCH_LOONGARCH64 |
1612 | { "SCMP_ARCH_LOONGARCH64", SCMP_ARCH_LOONGARCH64 }, | |
1613 | #endif | |
de40a303 LP |
1614 | { "SCMP_ARCH_MIPS", SCMP_ARCH_MIPS }, |
1615 | { "SCMP_ARCH_MIPS64", SCMP_ARCH_MIPS64 }, | |
1616 | { "SCMP_ARCH_MIPS64N32", SCMP_ARCH_MIPS64N32 }, | |
1617 | { "SCMP_ARCH_MIPSEL", SCMP_ARCH_MIPSEL }, | |
1618 | { "SCMP_ARCH_MIPSEL64", SCMP_ARCH_MIPSEL64 }, | |
1619 | { "SCMP_ARCH_MIPSEL64N32", SCMP_ARCH_MIPSEL64N32 }, | |
1620 | { "SCMP_ARCH_NATIVE", SCMP_ARCH_NATIVE }, | |
1621 | #ifdef SCMP_ARCH_PARISC | |
1622 | { "SCMP_ARCH_PARISC", SCMP_ARCH_PARISC }, | |
1623 | #endif | |
1624 | #ifdef SCMP_ARCH_PARISC64 | |
1625 | { "SCMP_ARCH_PARISC64", SCMP_ARCH_PARISC64 }, | |
1626 | #endif | |
1627 | { "SCMP_ARCH_PPC", SCMP_ARCH_PPC }, | |
1628 | { "SCMP_ARCH_PPC64", SCMP_ARCH_PPC64 }, | |
1629 | { "SCMP_ARCH_PPC64LE", SCMP_ARCH_PPC64LE }, | |
f9252236 AJ |
1630 | #ifdef SCMP_ARCH_RISCV64 |
1631 | { "SCMP_ARCH_RISCV64", SCMP_ARCH_RISCV64 }, | |
1632 | #endif | |
de40a303 LP |
1633 | { "SCMP_ARCH_S390", SCMP_ARCH_S390 }, |
1634 | { "SCMP_ARCH_S390X", SCMP_ARCH_S390X }, | |
1635 | { "SCMP_ARCH_X32", SCMP_ARCH_X32 }, | |
1636 | { "SCMP_ARCH_X86", SCMP_ARCH_X86 }, | |
1637 | { "SCMP_ARCH_X86_64", SCMP_ARCH_X86_64 }, | |
1638 | }; | |
1639 | ||
1640 | size_t i; | |
1641 | ||
1642 | for (i = 0; i < ELEMENTSOF(table); i++) | |
1643 | if (streq_ptr(table[i].name, name)) { | |
1644 | *ret = table[i].arch; | |
1645 | return 0; | |
1646 | } | |
1647 | ||
1648 | return -EINVAL; | |
1649 | } | |
1650 | ||
1651 | static int oci_seccomp_compare_from_string(const char *name, enum scmp_compare *ret) { | |
1652 | ||
1653 | static const struct { | |
1654 | const char *name; | |
1655 | enum scmp_compare op; | |
1656 | } table[] = { | |
1657 | { "SCMP_CMP_NE", SCMP_CMP_NE }, | |
1658 | { "SCMP_CMP_LT", SCMP_CMP_LT }, | |
1659 | { "SCMP_CMP_LE", SCMP_CMP_LE }, | |
1660 | { "SCMP_CMP_EQ", SCMP_CMP_EQ }, | |
1661 | { "SCMP_CMP_GE", SCMP_CMP_GE }, | |
1662 | { "SCMP_CMP_GT", SCMP_CMP_GT }, | |
1663 | { "SCMP_CMP_MASKED_EQ", SCMP_CMP_MASKED_EQ }, | |
1664 | }; | |
1665 | ||
1666 | size_t i; | |
1667 | ||
1668 | for (i = 0; i < ELEMENTSOF(table); i++) | |
1669 | if (streq_ptr(table[i].name, name)) { | |
1670 | *ret = table[i].op; | |
1671 | return 0; | |
1672 | } | |
1673 | ||
1674 | return -EINVAL; | |
1675 | } | |
1676 | ||
309a747f | 1677 | static int oci_seccomp_archs(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1678 | scmp_filter_ctx *sc = ASSERT_PTR(userdata); |
309a747f | 1679 | sd_json_variant *e; |
de40a303 LP |
1680 | int r; |
1681 | ||
de40a303 LP |
1682 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
1683 | uint32_t a; | |
1684 | ||
309a747f | 1685 | if (!sd_json_variant_is_string(e)) |
19130626 | 1686 | return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL), |
4e494e6a | 1687 | "Architecture entry is not a string."); |
de40a303 | 1688 | |
309a747f | 1689 | r = oci_seccomp_arch_from_string(sd_json_variant_string(e), &a); |
de40a303 | 1690 | if (r < 0) |
309a747f | 1691 | return json_log(e, flags, r, "Unknown architecture: %s", sd_json_variant_string(e)); |
de40a303 LP |
1692 | |
1693 | r = seccomp_arch_add(sc, a); | |
1694 | if (r == -EEXIST) | |
1695 | continue; | |
1696 | if (r < 0) | |
1697 | return json_log(e, flags, r, "Failed to add architecture to seccomp filter: %m"); | |
1698 | } | |
1699 | ||
1700 | return 0; | |
1701 | } | |
1702 | ||
1703 | struct syscall_rule { | |
1704 | char **names; | |
1705 | uint32_t action; | |
1706 | struct scmp_arg_cmp *arguments; | |
1707 | size_t n_arguments; | |
1708 | }; | |
1709 | ||
7244c6db | 1710 | static void syscall_rule_done(struct syscall_rule *rule) { |
de40a303 LP |
1711 | assert(rule); |
1712 | ||
1713 | strv_free(rule->names); | |
1714 | free(rule->arguments); | |
1715 | }; | |
1716 | ||
309a747f | 1717 | static int oci_seccomp_action(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1718 | uint32_t *action = ASSERT_PTR(userdata); |
de40a303 LP |
1719 | int r; |
1720 | ||
309a747f | 1721 | r = oci_seccomp_action_from_string(sd_json_variant_string(v), action); |
de40a303 | 1722 | if (r < 0) |
309a747f | 1723 | return json_log(v, flags, r, "Unknown system call action '%s': %m", sd_json_variant_string(v)); |
de40a303 LP |
1724 | |
1725 | return 0; | |
1726 | } | |
1727 | ||
309a747f | 1728 | static int oci_seccomp_op(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1729 | enum scmp_compare *op = ASSERT_PTR(userdata); |
de40a303 LP |
1730 | int r; |
1731 | ||
309a747f | 1732 | r = oci_seccomp_compare_from_string(sd_json_variant_string(v), op); |
de40a303 | 1733 | if (r < 0) |
309a747f | 1734 | return json_log(v, flags, r, "Unknown seccomp operator '%s': %m", sd_json_variant_string(v)); |
de40a303 LP |
1735 | |
1736 | return 0; | |
1737 | } | |
1738 | ||
309a747f | 1739 | static int oci_seccomp_args(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1740 | struct syscall_rule *rule = ASSERT_PTR(userdata); |
309a747f | 1741 | sd_json_variant *e; |
de40a303 LP |
1742 | int r; |
1743 | ||
de40a303 | 1744 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
309a747f LP |
1745 | static const struct sd_json_dispatch_field table[] = { |
1746 | { "index", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint32, offsetof(struct scmp_arg_cmp, arg), SD_JSON_MANDATORY }, | |
1747 | { "value", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint64, offsetof(struct scmp_arg_cmp, datum_a), SD_JSON_MANDATORY }, | |
1748 | { "valueTwo", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint64, offsetof(struct scmp_arg_cmp, datum_b), 0 }, | |
1749 | { "op", SD_JSON_VARIANT_STRING, oci_seccomp_op, offsetof(struct scmp_arg_cmp, op), SD_JSON_MANDATORY }, | |
de40a303 LP |
1750 | {}, |
1751 | }; | |
1752 | ||
1753 | struct scmp_arg_cmp *a, *p; | |
1754 | int expected; | |
1755 | ||
1756 | a = reallocarray(rule->arguments, rule->n_arguments + 1, sizeof(struct syscall_rule)); | |
1757 | if (!a) | |
1758 | return log_oom(); | |
1759 | ||
1760 | rule->arguments = a; | |
1761 | p = rule->arguments + rule->n_arguments; | |
1762 | ||
1763 | *p = (struct scmp_arg_cmp) { | |
1764 | .arg = 0, | |
1765 | .datum_a = 0, | |
1766 | .datum_b = 0, | |
1767 | .op = 0, | |
1768 | }; | |
1769 | ||
f1b622a0 | 1770 | r = oci_dispatch(e, table, flags, p); |
de40a303 LP |
1771 | if (r < 0) |
1772 | return r; | |
1773 | ||
1774 | expected = p->op == SCMP_CMP_MASKED_EQ ? 4 : 3; | |
1775 | if (r != expected) | |
309a747f | 1776 | json_log(e, flags|SD_JSON_WARNING, 0, "Wrong number of system call arguments for JSON data, ignoring."); |
de40a303 LP |
1777 | |
1778 | /* Note that we are a bit sloppy here and do not insist that SCMP_CMP_MASKED_EQ gets two datum values, | |
1779 | * and the other only one. That's because buildah for example by default calls things with | |
1780 | * SCMP_CMP_MASKED_EQ but only one argument. We use 0 when the value is not specified. */ | |
1781 | ||
1782 | rule->n_arguments++; | |
1783 | } | |
1784 | ||
1785 | return 0; | |
1786 | } | |
1787 | ||
309a747f | 1788 | static int oci_seccomp_syscalls(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1789 | scmp_filter_ctx *sc = ASSERT_PTR(userdata); |
309a747f | 1790 | sd_json_variant *e; |
de40a303 LP |
1791 | int r; |
1792 | ||
de40a303 | 1793 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
309a747f LP |
1794 | static const sd_json_dispatch_field table[] = { |
1795 | { "names", SD_JSON_VARIANT_ARRAY, sd_json_dispatch_strv, offsetof(struct syscall_rule, names), SD_JSON_MANDATORY }, | |
1796 | { "action", SD_JSON_VARIANT_STRING, oci_seccomp_action, offsetof(struct syscall_rule, action), SD_JSON_MANDATORY }, | |
1797 | { "args", SD_JSON_VARIANT_ARRAY, oci_seccomp_args, 0, 0 }, | |
525c3e34 | 1798 | {} |
de40a303 | 1799 | }; |
f95c9f46 | 1800 | _cleanup_(syscall_rule_done) struct syscall_rule rule = { |
f5fbe71d | 1801 | .action = UINT32_MAX, |
de40a303 | 1802 | }; |
de40a303 | 1803 | |
f1b622a0 | 1804 | r = oci_dispatch(e, table, flags, &rule); |
de40a303 | 1805 | if (r < 0) |
7244c6db | 1806 | return r; |
de40a303 | 1807 | |
34e2897f FS |
1808 | if (strv_isempty(rule.names)) |
1809 | return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL), "System call name list is empty."); | |
de40a303 LP |
1810 | |
1811 | STRV_FOREACH(i, rule.names) { | |
1812 | int nr; | |
1813 | ||
1814 | nr = seccomp_syscall_resolve_name(*i); | |
1815 | if (nr == __NR_SCMP_ERROR) { | |
1816 | log_debug("Unknown syscall %s, skipping.", *i); | |
1817 | continue; | |
1818 | } | |
1819 | ||
1820 | r = seccomp_rule_add_array(sc, rule.action, nr, rule.n_arguments, rule.arguments); | |
1821 | if (r < 0) | |
7244c6db | 1822 | return r; |
de40a303 | 1823 | } |
de40a303 LP |
1824 | } |
1825 | ||
1826 | return 0; | |
1827 | } | |
ae408d77 | 1828 | #endif |
de40a303 | 1829 | |
309a747f | 1830 | static int oci_seccomp(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 | 1831 | |
ae408d77 | 1832 | #if HAVE_SECCOMP |
309a747f LP |
1833 | static const sd_json_dispatch_field table[] = { |
1834 | { "defaultAction", SD_JSON_VARIANT_STRING, NULL, 0, SD_JSON_MANDATORY }, | |
1835 | { "architectures", SD_JSON_VARIANT_ARRAY, oci_seccomp_archs, 0, 0 }, | |
1836 | { "syscalls", SD_JSON_VARIANT_ARRAY, oci_seccomp_syscalls, 0, 0 }, | |
de40a303 LP |
1837 | {} |
1838 | }; | |
1839 | ||
1840 | _cleanup_(seccomp_releasep) scmp_filter_ctx sc = NULL; | |
99534007 | 1841 | Settings *s = ASSERT_PTR(userdata); |
309a747f | 1842 | sd_json_variant *def; |
de40a303 LP |
1843 | uint32_t d; |
1844 | int r; | |
1845 | ||
309a747f | 1846 | def = sd_json_variant_by_key(v, "defaultAction"); |
19130626 ZJS |
1847 | if (!def) |
1848 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), "defaultAction element missing."); | |
de40a303 | 1849 | |
309a747f | 1850 | if (!sd_json_variant_is_string(def)) |
19130626 | 1851 | return json_log(def, flags, SYNTHETIC_ERRNO(EINVAL), "defaultAction is not a string."); |
de40a303 | 1852 | |
309a747f | 1853 | r = oci_seccomp_action_from_string(sd_json_variant_string(def), &d); |
de40a303 | 1854 | if (r < 0) |
309a747f | 1855 | return json_log(def, flags, r, "Unknown default action: %s", sd_json_variant_string(def)); |
de40a303 LP |
1856 | |
1857 | sc = seccomp_init(d); | |
19130626 | 1858 | if (!sc) |
ae408d77 | 1859 | return json_log(v, flags, SYNTHETIC_ERRNO(ENOMEM), "Couldn't allocate seccomp object."); |
de40a303 | 1860 | |
f1b622a0 | 1861 | r = oci_dispatch(v, table, flags, sc); |
de40a303 LP |
1862 | if (r < 0) |
1863 | return r; | |
1864 | ||
1865 | seccomp_release(s->seccomp); | |
1866 | s->seccomp = TAKE_PTR(sc); | |
de40a303 | 1867 | return 0; |
ae408d77 LP |
1868 | #else |
1869 | return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), "libseccomp support not enabled, can't parse seccomp object."); | |
1870 | #endif | |
de40a303 LP |
1871 | } |
1872 | ||
309a747f | 1873 | static int oci_rootfs_propagation(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 LP |
1874 | const char *s; |
1875 | ||
309a747f | 1876 | s = sd_json_variant_string(v); |
de40a303 LP |
1877 | |
1878 | if (streq(s, "shared")) | |
1879 | return 0; | |
1880 | ||
309a747f | 1881 | json_log(v, flags|SD_JSON_DEBUG, 0, "Ignoring rootfsPropagation setting '%s'.", s); |
de40a303 LP |
1882 | return 0; |
1883 | } | |
1884 | ||
309a747f | 1885 | static int oci_masked_paths(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1886 | Settings *s = ASSERT_PTR(userdata); |
309a747f | 1887 | sd_json_variant *e; |
de40a303 | 1888 | |
de40a303 LP |
1889 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
1890 | _cleanup_free_ char *destination = NULL; | |
1891 | CustomMount *m; | |
1892 | const char *p; | |
1893 | ||
309a747f | 1894 | if (!sd_json_variant_is_string(e)) |
19130626 ZJS |
1895 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), |
1896 | "Path is not a string, refusing."); | |
de40a303 | 1897 | |
309a747f | 1898 | assert_se(p = sd_json_variant_string(e)); |
de40a303 | 1899 | |
19130626 ZJS |
1900 | if (!path_is_absolute(p)) |
1901 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
ad337e55 | 1902 | "Path is not absolute, refusing: %s", p); |
de40a303 LP |
1903 | |
1904 | if (oci_exclude_mount(p)) | |
1905 | continue; | |
1906 | ||
1907 | destination = strdup(p); | |
1908 | if (!destination) | |
1909 | return log_oom(); | |
1910 | ||
1911 | m = custom_mount_add(&s->custom_mounts, &s->n_custom_mounts, CUSTOM_MOUNT_INACCESSIBLE); | |
1912 | if (!m) | |
1913 | return log_oom(); | |
1914 | ||
1915 | m->destination = TAKE_PTR(destination); | |
1916 | ||
1917 | /* The spec doesn't say this, but apparently pre-existing implementations are lenient towards | |
1918 | * non-existing paths to mask. Let's hence be too. */ | |
1919 | m->graceful = true; | |
1920 | } | |
1921 | ||
1922 | return 0; | |
1923 | } | |
1924 | ||
309a747f | 1925 | static int oci_readonly_paths(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 1926 | Settings *s = ASSERT_PTR(userdata); |
309a747f | 1927 | sd_json_variant *e; |
de40a303 | 1928 | |
de40a303 LP |
1929 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
1930 | _cleanup_free_ char *source = NULL, *destination = NULL; | |
1931 | CustomMount *m; | |
1932 | const char *p; | |
1933 | ||
309a747f | 1934 | if (!sd_json_variant_is_string(e)) |
19130626 ZJS |
1935 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), |
1936 | "Path is not a string, refusing."); | |
de40a303 | 1937 | |
309a747f | 1938 | assert_se(p = sd_json_variant_string(e)); |
de40a303 | 1939 | |
19130626 ZJS |
1940 | if (!path_is_absolute(p)) |
1941 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
ad337e55 | 1942 | "Path is not absolute, refusing: %s", p); |
de40a303 LP |
1943 | |
1944 | if (oci_exclude_mount(p)) | |
1945 | continue; | |
1946 | ||
1947 | source = strjoin("+", p); | |
1948 | if (!source) | |
1949 | return log_oom(); | |
1950 | ||
1951 | destination = strdup(p); | |
1952 | if (!destination) | |
1953 | return log_oom(); | |
1954 | ||
1955 | m = custom_mount_add(&s->custom_mounts, &s->n_custom_mounts, CUSTOM_MOUNT_BIND); | |
1956 | if (!m) | |
1957 | return log_oom(); | |
1958 | ||
1959 | m->source = TAKE_PTR(source); | |
1960 | m->destination = TAKE_PTR(destination); | |
1961 | m->read_only = true; | |
1962 | } | |
1963 | ||
1964 | return 0; | |
1965 | } | |
1966 | ||
309a747f LP |
1967 | static int oci_linux(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
1968 | ||
1969 | static const sd_json_dispatch_field table[] = { | |
1970 | { "namespaces", SD_JSON_VARIANT_ARRAY, oci_namespaces, 0, 0 }, | |
1971 | { "uidMappings", SD_JSON_VARIANT_ARRAY, oci_uid_gid_mappings, 0, 0 }, | |
1972 | { "gidMappings", SD_JSON_VARIANT_ARRAY, oci_uid_gid_mappings, 0, 0 }, | |
1973 | { "devices", SD_JSON_VARIANT_ARRAY, oci_devices, 0, 0 }, | |
1974 | { "cgroupsPath", SD_JSON_VARIANT_STRING, oci_cgroups_path, 0, 0 }, | |
1975 | { "resources", SD_JSON_VARIANT_OBJECT, oci_resources, 0, 0 }, | |
1976 | { "intelRdt", SD_JSON_VARIANT_OBJECT, oci_unsupported, 0, SD_JSON_PERMISSIVE }, | |
1977 | { "sysctl", SD_JSON_VARIANT_OBJECT, oci_sysctl, 0, 0 }, | |
1978 | { "seccomp", SD_JSON_VARIANT_OBJECT, oci_seccomp, 0, 0 }, | |
1979 | { "rootfsPropagation", SD_JSON_VARIANT_STRING, oci_rootfs_propagation, 0, 0 }, | |
1980 | { "maskedPaths", SD_JSON_VARIANT_ARRAY, oci_masked_paths, 0, 0 }, | |
1981 | { "readonlyPaths", SD_JSON_VARIANT_ARRAY, oci_readonly_paths, 0, 0 }, | |
1982 | { "mountLabel", SD_JSON_VARIANT_STRING, oci_unsupported, 0, SD_JSON_PERMISSIVE }, | |
de40a303 LP |
1983 | {} |
1984 | }; | |
1985 | ||
f1b622a0 | 1986 | return oci_dispatch(v, table, flags, userdata); |
de40a303 LP |
1987 | } |
1988 | ||
309a747f | 1989 | static int oci_hook_timeout(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
79742424 | 1990 | usec_t *u = ASSERT_PTR(userdata); |
718ca772 | 1991 | uint64_t k; |
de40a303 | 1992 | |
309a747f | 1993 | k = sd_json_variant_unsigned(v); |
fa8b675a ZJS |
1994 | if (k == 0 || k > (UINT64_MAX-1)/USEC_PER_SEC) |
1995 | return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), | |
1996 | "Hook timeout value out of range."); | |
de40a303 LP |
1997 | |
1998 | *u = k * USEC_PER_SEC; | |
1999 | return 0; | |
2000 | } | |
2001 | ||
309a747f | 2002 | static int oci_hooks_array(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
99534007 | 2003 | Settings *s = ASSERT_PTR(userdata); |
309a747f | 2004 | sd_json_variant *e; |
de40a303 LP |
2005 | int r; |
2006 | ||
de40a303 LP |
2007 | JSON_VARIANT_ARRAY_FOREACH(e, v) { |
2008 | ||
309a747f LP |
2009 | static const sd_json_dispatch_field table[] = { |
2010 | { "path", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(OciHook, path), SD_JSON_MANDATORY }, | |
2011 | { "args", SD_JSON_VARIANT_ARRAY, oci_args, offsetof(OciHook, args), 0, }, | |
2012 | { "env", SD_JSON_VARIANT_ARRAY, oci_env, offsetof(OciHook, env), 0 }, | |
2013 | { "timeout", SD_JSON_VARIANT_UNSIGNED, oci_hook_timeout, offsetof(OciHook, timeout), 0 }, | |
de40a303 LP |
2014 | {} |
2015 | }; | |
2016 | ||
2017 | OciHook *a, **array, *new_item; | |
2018 | size_t *n_array; | |
2019 | ||
2020 | if (streq(name, "prestart")) { | |
2021 | array = &s->oci_hooks_prestart; | |
2022 | n_array = &s->n_oci_hooks_prestart; | |
2023 | } else if (streq(name, "poststart")) { | |
2024 | array = &s->oci_hooks_poststart; | |
2025 | n_array = &s->n_oci_hooks_poststart; | |
2026 | } else { | |
2027 | assert(streq(name, "poststop")); | |
2028 | array = &s->oci_hooks_poststop; | |
2029 | n_array = &s->n_oci_hooks_poststop; | |
2030 | } | |
2031 | ||
2032 | a = reallocarray(*array, *n_array + 1, sizeof(OciHook)); | |
2033 | if (!a) | |
2034 | return log_oom(); | |
2035 | ||
2036 | *array = a; | |
2037 | new_item = a + *n_array; | |
2038 | ||
2039 | *new_item = (OciHook) { | |
2040 | .timeout = USEC_INFINITY, | |
2041 | }; | |
2042 | ||
f1b622a0 | 2043 | r = oci_dispatch(e, table, flags, new_item); |
de40a303 LP |
2044 | if (r < 0) { |
2045 | free(new_item->path); | |
2046 | strv_free(new_item->args); | |
2047 | strv_free(new_item->env); | |
2048 | return r; | |
2049 | } | |
2050 | ||
b3a9d980 | 2051 | (*n_array)++; |
de40a303 LP |
2052 | } |
2053 | ||
2054 | return 0; | |
2055 | } | |
2056 | ||
309a747f | 2057 | static int oci_hooks(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
de40a303 | 2058 | |
309a747f LP |
2059 | static const sd_json_dispatch_field table[] = { |
2060 | { "prestart", SD_JSON_VARIANT_ARRAY, oci_hooks_array, 0, 0 }, | |
2061 | { "poststart", SD_JSON_VARIANT_ARRAY, oci_hooks_array, 0, 0 }, | |
2062 | { "poststop", SD_JSON_VARIANT_ARRAY, oci_hooks_array, 0, 0 }, | |
de40a303 LP |
2063 | {} |
2064 | }; | |
2065 | ||
f1b622a0 | 2066 | return oci_dispatch(v, table, flags, userdata); |
de40a303 LP |
2067 | } |
2068 | ||
309a747f LP |
2069 | static int oci_annotations(const char *name, sd_json_variant *v, sd_json_dispatch_flags_t flags, void *userdata) { |
2070 | sd_json_variant *w; | |
33d60b8d | 2071 | const char *k; |
de40a303 LP |
2072 | |
2073 | JSON_VARIANT_OBJECT_FOREACH(k, w, v) { | |
de40a303 | 2074 | |
33d60b8d LP |
2075 | if (isempty(k)) |
2076 | return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), | |
19130626 | 2077 | "Annotation with empty key, refusing."); |
de40a303 | 2078 | |
309a747f | 2079 | if (!sd_json_variant_is_string(w)) |
19130626 ZJS |
2080 | return json_log(w, flags, SYNTHETIC_ERRNO(EINVAL), |
2081 | "Annotation has non-string value, refusing."); | |
de40a303 | 2082 | |
309a747f | 2083 | json_log(w, flags|SD_JSON_DEBUG, 0, "Ignoring annotation '%s' with value '%s'.", k, sd_json_variant_string(w)); |
de40a303 LP |
2084 | } |
2085 | ||
2086 | return 0; | |
2087 | } | |
2088 | ||
2089 | int oci_load(FILE *f, const char *bundle, Settings **ret) { | |
2090 | ||
309a747f LP |
2091 | static const sd_json_dispatch_field table[] = { |
2092 | { "ociVersion", SD_JSON_VARIANT_STRING, NULL, 0, SD_JSON_MANDATORY }, | |
2093 | { "process", SD_JSON_VARIANT_OBJECT, oci_process, 0, 0 }, | |
2094 | { "root", SD_JSON_VARIANT_OBJECT, oci_root, 0, 0 }, | |
2095 | { "hostname", SD_JSON_VARIANT_STRING, oci_hostname, 0, 0 }, | |
2096 | { "mounts", SD_JSON_VARIANT_ARRAY, oci_mounts, 0, 0 }, | |
2097 | { "linux", SD_JSON_VARIANT_OBJECT, oci_linux, 0, 0 }, | |
2098 | { "hooks", SD_JSON_VARIANT_OBJECT, oci_hooks, 0, 0 }, | |
2099 | { "annotations", SD_JSON_VARIANT_OBJECT, oci_annotations, 0, 0 }, | |
de40a303 LP |
2100 | {} |
2101 | }; | |
2102 | ||
309a747f | 2103 | _cleanup_(sd_json_variant_unrefp) sd_json_variant *oci = NULL; |
de40a303 LP |
2104 | _cleanup_(settings_freep) Settings *s = NULL; |
2105 | unsigned line = 0, column = 0; | |
309a747f | 2106 | sd_json_variant *v; |
de40a303 LP |
2107 | const char *path; |
2108 | int r; | |
2109 | ||
2110 | assert_se(bundle); | |
2111 | ||
2112 | path = strjoina(bundle, "/config.json"); | |
2113 | ||
309a747f | 2114 | r = sd_json_parse_file(f, path, 0, &oci, &line, &column); |
de40a303 LP |
2115 | if (r < 0) { |
2116 | if (line != 0 && column != 0) | |
2117 | return log_error_errno(r, "Failed to parse '%s' at %u:%u: %m", path, line, column); | |
2118 | else | |
2119 | return log_error_errno(r, "Failed to parse '%s': %m", path); | |
2120 | } | |
2121 | ||
309a747f | 2122 | v = sd_json_variant_by_key(oci, "ociVersion"); |
d7a0f1f4 FS |
2123 | if (!v) |
2124 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), | |
2125 | "JSON file '%s' is not an OCI bundle configuration file. Refusing.", | |
2126 | path); | |
309a747f | 2127 | if (!streq_ptr(sd_json_variant_string(v), "1.0.0")) |
d7a0f1f4 FS |
2128 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), |
2129 | "OCI bundle version not supported: %s", | |
309a747f | 2130 | strna(sd_json_variant_string(v))); |
de40a303 LP |
2131 | |
2132 | // { | |
2133 | // _cleanup_free_ char *formatted = NULL; | |
309a747f | 2134 | // assert_se(json_variant_format(oci, SD_JSON_FORMAT_PRETTY|JSON_FORMAT_COLOR, &formatted) >= 0); |
de40a303 LP |
2135 | // fputs(formatted, stdout); |
2136 | // } | |
2137 | ||
2138 | s = settings_new(); | |
2139 | if (!s) | |
2140 | return log_oom(); | |
2141 | ||
2142 | s->start_mode = START_PID1; | |
2143 | s->resolv_conf = RESOLV_CONF_OFF; | |
2144 | s->link_journal = LINK_NO; | |
2145 | s->timezone = TIMEZONE_OFF; | |
2146 | ||
2147 | s->bundle = strdup(bundle); | |
2148 | if (!s->bundle) | |
2149 | return log_oom(); | |
2150 | ||
f1b622a0 | 2151 | r = oci_dispatch(oci, table, 0, s); |
de40a303 LP |
2152 | if (r < 0) |
2153 | return r; | |
2154 | ||
2155 | if (s->properties) { | |
2156 | r = sd_bus_message_seal(s->properties, 0, 0); | |
2157 | if (r < 0) | |
2158 | return log_error_errno(r, "Cannot seal properties bus message: %m"); | |
2159 | } | |
2160 | ||
2161 | *ret = TAKE_PTR(s); | |
2162 | return 0; | |
2163 | } |