[thirdparty/systemd.git] / src / nss-mymachines / nss-mymachines.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#include <netdb.h>
#include <nss.h>

#include "sd-bus.h"
#include "sd-login.h"

#include "alloc-util.h"
#include "bus-common-errors.h"
#include "env-util.h"
#include "hostname-util.h"
#include "in-addr-util.h"
#include "macro.h"
#include "nss-util.h"
#include "signal-util.h"
#include "string-util.h"
#include "user-util.h"
#include "util.h"

NSS_GETHOSTBYNAME_PROTOTYPES(mymachines);
NSS_GETPW_PROTOTYPES(mymachines);
NSS_GETGR_PROTOTYPES(mymachines);

#define HOST_UID_LIMIT ((uid_t) UINT32_C(0x10000))
#define HOST_GID_LIMIT ((gid_t) UINT32_C(0x10000))

static int count_addresses(sd_bus_message *m, int af, unsigned *ret) {
        unsigned c = 0;
        int r;

        assert(m);
        assert(ret);

        while ((r = sd_bus_message_enter_container(m, 'r', "iay")) > 0) {
                int family;

                r = sd_bus_message_read(m, "i", &family);
                if (r < 0)
                        return r;

                r = sd_bus_message_skip(m, "ay");
                if (r < 0)
                        return r;

                r = sd_bus_message_exit_container(m);
                if (r < 0)
                        return r;

                if (af != AF_UNSPEC && family != af)
                        continue;

                c++;
        }
        if (r < 0)
                return r;

        r = sd_bus_message_rewind(m, false);
        if (r < 0)
                return r;

        *ret = c;
        return 0;
}

enum nss_status _nss_mymachines_gethostbyname4_r(
                const char *name,
                struct gaih_addrtuple **pat,
                char *buffer, size_t buflen,
                int *errnop, int *h_errnop,
                int32_t *ttlp) {

        struct gaih_addrtuple *r_tuple, *r_tuple_first = NULL;
        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
        _cleanup_free_ int *ifindices = NULL;
        _cleanup_free_ char *class = NULL;
        size_t l, ms, idx;
        unsigned i = 0, c = 0;
        char *r_name;
        int n_ifindices, r;

        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);

        assert(name);
        assert(pat);
        assert(buffer);
        assert(errnop);
        assert(h_errnop);

        r = sd_machine_get_class(name, &class);
        if (r < 0)
                goto fail;
        if (!streq(class, "container")) {
                r = -ENOTTY;
                goto fail;
        }

        n_ifindices = sd_machine_get_ifindices(name, &ifindices);
        if (n_ifindices < 0) {
                r = n_ifindices;
                goto fail;
        }

        r = sd_bus_open_system(&bus);
        if (r < 0)
                goto fail;

        r = sd_bus_call_method(bus,
                               "org.freedesktop.machine1",
                               "/org/freedesktop/machine1",
                               "org.freedesktop.machine1.Manager",
                               "GetMachineAddresses",
                               NULL,
                               &reply,
                               "s", name);
        if (r < 0)
                goto fail;

        r = sd_bus_message_enter_container(reply, 'a', "(iay)");
        if (r < 0)
                goto fail;

        r = count_addresses(reply, AF_UNSPEC, &c);
        if (r < 0)
                goto fail;

        if (c <= 0) {
                *errnop = ESRCH;
                *h_errnop = HOST_NOT_FOUND;
                return NSS_STATUS_NOTFOUND;
        }

        l = strlen(name);
        ms = ALIGN(l+1) + ALIGN(sizeof(struct gaih_addrtuple)) * c;
        if (buflen < ms) {
                *errnop = ERANGE;
                *h_errnop = NETDB_INTERNAL;
                return NSS_STATUS_TRYAGAIN;
        }

        /* First, append name */
        r_name = buffer;
        memcpy(r_name, name, l+1);
        idx = ALIGN(l+1);

        /* Second, append addresses */
        r_tuple_first = (struct gaih_addrtuple*) (buffer + idx);
        while ((r = sd_bus_message_enter_container(reply, 'r', "iay")) > 0) {
                int family;
                const void *a;
                size_t sz;

                r = sd_bus_message_read(reply, "i", &family);
                if (r < 0)
                        goto fail;

                r = sd_bus_message_read_array(reply, 'y', &a, &sz);
                if (r < 0)
                        goto fail;

                r = sd_bus_message_exit_container(reply);
                if (r < 0)
                        goto fail;

                if (!IN_SET(family, AF_INET, AF_INET6)) {
                        r = -EAFNOSUPPORT;
                        goto fail;
                }

                if (sz != FAMILY_ADDRESS_SIZE(family)) {
                        r = -EINVAL;
                        goto fail;
                }

                r_tuple = (struct gaih_addrtuple*) (buffer + idx);
                r_tuple->next = i == c-1 ? NULL : (struct gaih_addrtuple*) ((char*) r_tuple + ALIGN(sizeof(struct gaih_addrtuple)));
                r_tuple->name = r_name;
                r_tuple->family = family;
                r_tuple->scopeid = n_ifindices == 1 ? ifindices[0] : 0;
                memcpy(r_tuple->addr, a, sz);

                idx += ALIGN(sizeof(struct gaih_addrtuple));
                i++;
        }

        assert(i == c);

        r = sd_bus_message_exit_container(reply);
        if (r < 0)
                goto fail;

        assert(idx == ms);

        if (*pat)
                **pat = *r_tuple_first;
        else
                *pat = r_tuple_first;

        if (ttlp)
                *ttlp = 0;

        /* Explicitly reset all error variables */
        *errnop = 0;
        *h_errnop = NETDB_SUCCESS;
        h_errno = 0;

        return NSS_STATUS_SUCCESS;

fail:
        *errnop = -r;
        *h_errnop = NO_DATA;
        return NSS_STATUS_UNAVAIL;
}

enum nss_status _nss_mymachines_gethostbyname3_r(
                const char *name,
                int af,
                struct hostent *result,
                char *buffer, size_t buflen,
                int *errnop, int *h_errnop,
                int32_t *ttlp,
                char **canonp) {

        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
        _cleanup_free_ char *class = NULL;
        unsigned c = 0, i = 0;
        char *r_name, *r_aliases, *r_addr, *r_addr_list;
        size_t l, idx, ms, alen;
        int r;

        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);

        assert(name);
        assert(result);
        assert(buffer);
        assert(errnop);
        assert(h_errnop);

        if (af == AF_UNSPEC)
                af = AF_INET;

        if (af != AF_INET && af != AF_INET6) {
                r = -EAFNOSUPPORT;
                goto fail;
        }

        r = sd_machine_get_class(name, &class);
        if (r < 0)
                goto fail;
        if (!streq(class, "container")) {
                r = -ENOTTY;
                goto fail;
        }

        r = sd_bus_open_system(&bus);
        if (r < 0)
                goto fail;

        r = sd_bus_call_method(bus,
                               "org.freedesktop.machine1",
                               "/org/freedesktop/machine1",
                               "org.freedesktop.machine1.Manager",
                               "GetMachineAddresses",
                               NULL,
                               &reply,
                               "s", name);
        if (r < 0)
                goto fail;

        r = sd_bus_message_enter_container(reply, 'a', "(iay)");
        if (r < 0)
                goto fail;

        r = count_addresses(reply, af, &c);
        if (r < 0)
                goto fail;

        if (c <= 0) {
                *errnop = ENOENT;
                *h_errnop = HOST_NOT_FOUND;
                return NSS_STATUS_NOTFOUND;
        }

        alen = FAMILY_ADDRESS_SIZE(af);
        l = strlen(name);

        ms = ALIGN(l+1) + c * ALIGN(alen) + (c+2) * sizeof(char*);

        if (buflen < ms) {
                *errnop = ERANGE;
                *h_errnop = NETDB_INTERNAL;
                return NSS_STATUS_TRYAGAIN;
        }

        /* First, append name */
        r_name = buffer;
        memcpy(r_name, name, l+1);
        idx = ALIGN(l+1);

        /* Second, create aliases array */
        r_aliases = buffer + idx;
        ((char**) r_aliases)[0] = NULL;
        idx += sizeof(char*);

        /* Third, append addresses */
        r_addr = buffer + idx;
        while ((r = sd_bus_message_enter_container(reply, 'r', "iay")) > 0) {
                int family;
                const void *a;
                size_t sz;

                r = sd_bus_message_read(reply, "i", &family);
                if (r < 0)
                        goto fail;

                r = sd_bus_message_read_array(reply, 'y', &a, &sz);
                if (r < 0)
                        goto fail;

                r = sd_bus_message_exit_container(reply);
                if (r < 0)
                        goto fail;

                if (family != af)
                        continue;

                if (sz != alen) {
                        r = -EINVAL;
                        goto fail;
                }

                memcpy(r_addr + i*ALIGN(alen), a, alen);
                i++;
        }

        assert(i == c);
        idx += c * ALIGN(alen);

        r = sd_bus_message_exit_container(reply);
        if (r < 0)
                goto fail;

        /* Third, append address pointer array */
        r_addr_list = buffer + idx;
        for (i = 0; i < c; i++)
                ((char**) r_addr_list)[i] = r_addr + i*ALIGN(alen);

        ((char**) r_addr_list)[i] = NULL;
        idx += (c+1) * sizeof(char*);

        assert(idx == ms);

        result->h_name = r_name;
        result->h_aliases = (char**) r_aliases;
        result->h_addrtype = af;
        result->h_length = alen;
        result->h_addr_list = (char**) r_addr_list;

        if (ttlp)
                *ttlp = 0;

        if (canonp)
                *canonp = r_name;

        /* Explicitly reset all error variables */
        *errnop = 0;
        *h_errnop = NETDB_SUCCESS;
        h_errno = 0;

        return NSS_STATUS_SUCCESS;

fail:
        *errnop = -r;
        *h_errnop = NO_DATA;
        return NSS_STATUS_UNAVAIL;
}

NSS_GETHOSTBYNAME_FALLBACKS(mymachines);

enum nss_status _nss_mymachines_getpwnam_r(
                const char *name,
                struct passwd *pwd,
                char *buffer, size_t buflen,
                int *errnop) {

        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
        const char *p, *e, *machine;
        uint32_t mapped;
        uid_t uid;
        size_t l;
        int r;

        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);

        assert(name);
        assert(pwd);

        p = startswith(name, "vu-");
        if (!p)
                goto not_found;

        e = strrchr(p, '-');
        if (!e || e == p)
                goto not_found;

        if (e - p > HOST_NAME_MAX - 1) /* -1 for the last dash */
                goto not_found;

        r = parse_uid(e + 1, &uid);
        if (r < 0)
                goto not_found;

        machine = strndupa(p, e - p);
        if (!machine_name_is_valid(machine))
                goto not_found;

        if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
                /* Make sure we can't deadlock if we are invoked by dbus-daemon. This way, it won't be able to resolve
                 * these UIDs, but that should be unproblematic as containers should never be able to connect to a bus
                 * running on the host. */
                goto not_found;

        r = sd_bus_open_system(&bus);
        if (r < 0)
                goto fail;

        r = sd_bus_call_method(bus,
                               "org.freedesktop.machine1",
                               "/org/freedesktop/machine1",
                               "org.freedesktop.machine1.Manager",
                               "MapFromMachineUser",
                               &error,
                               &reply,
                               "su",
                               machine, (uint32_t) uid);
        if (r < 0) {
                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_USER_MAPPING))
                        goto not_found;

                goto fail;
        }

        r = sd_bus_message_read(reply, "u", &mapped);
        if (r < 0)
                goto fail;

        /* Refuse to work if the mapped address is in the host UID range, or if there was no mapping at all. */
        if (mapped < HOST_UID_LIMIT || mapped == uid)
                goto not_found;

        l = strlen(name);
        if (buflen < l+1) {
                *errnop = ERANGE;
                return NSS_STATUS_TRYAGAIN;
        }

        memcpy(buffer, name, l+1);

        pwd->pw_name = buffer;
        pwd->pw_uid = mapped;
        pwd->pw_gid = GID_NOBODY;
        pwd->pw_gecos = buffer;
        pwd->pw_passwd = (char*) "*"; /* locked */
        pwd->pw_dir = (char*) "/";
        pwd->pw_shell = (char*) "/sbin/nologin";

        *errnop = 0;
        return NSS_STATUS_SUCCESS;

not_found:
        *errnop = 0;
        return NSS_STATUS_NOTFOUND;

fail:
        *errnop = -r;
        return NSS_STATUS_UNAVAIL;
}

enum nss_status _nss_mymachines_getpwuid_r(
                uid_t uid,
                struct passwd *pwd,
                char *buffer, size_t buflen,
                int *errnop) {

        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
        const char *machine;
        uint32_t mapped;
        int r;

        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);

        if (!uid_is_valid(uid))
                goto not_found;

        /* We consider all uids < 65536 host uids */
        if (uid < HOST_UID_LIMIT)
                goto not_found;

        if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
                goto not_found;

        r = sd_bus_open_system(&bus);
        if (r < 0)
                goto fail;

        r = sd_bus_call_method(bus,
                               "org.freedesktop.machine1",
                               "/org/freedesktop/machine1",
                               "org.freedesktop.machine1.Manager",
                               "MapToMachineUser",
                               &error,
                               &reply,
                               "u",
                               (uint32_t) uid);
        if (r < 0) {
                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_USER_MAPPING))
                        goto not_found;

                goto fail;
        }

        r = sd_bus_message_read(reply, "sou", &machine, NULL, &mapped);
        if (r < 0)
                goto fail;

        if (mapped == uid)
                goto not_found;

        if (snprintf(buffer, buflen, "vu-%s-" UID_FMT, machine, (uid_t) mapped) >= (int) buflen) {
                *errnop = ERANGE;
                return NSS_STATUS_TRYAGAIN;
        }

        pwd->pw_name = buffer;
        pwd->pw_uid = uid;
        pwd->pw_gid = GID_NOBODY;
        pwd->pw_gecos = buffer;
        pwd->pw_passwd = (char*) "*"; /* locked */
        pwd->pw_dir = (char*) "/";
        pwd->pw_shell = (char*) "/sbin/nologin";

        *errnop = 0;
        return NSS_STATUS_SUCCESS;

not_found:
        *errnop = 0;
        return NSS_STATUS_NOTFOUND;

fail:
        *errnop = -r;
        return NSS_STATUS_UNAVAIL;
}

#pragma GCC diagnostic ignored "-Wsizeof-pointer-memaccess"

enum nss_status _nss_mymachines_getgrnam_r(
                const char *name,
                struct group *gr,
                char *buffer, size_t buflen,
                int *errnop) {

        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
        const char *p, *e, *machine;
        uint32_t mapped;
        uid_t gid;
        size_t l;
        int r;

        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);

        assert(name);
        assert(gr);

        p = startswith(name, "vg-");
        if (!p)
                goto not_found;

        e = strrchr(p, '-');
        if (!e || e == p)
                goto not_found;

        if (e - p > HOST_NAME_MAX - 1)  /* -1 for the last dash */
                goto not_found;

        r = parse_gid(e + 1, &gid);
        if (r < 0)
                goto not_found;

        machine = strndupa(p, e - p);
        if (!machine_name_is_valid(machine))
                goto not_found;

        if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
                goto not_found;

        r = sd_bus_open_system(&bus);
        if (r < 0)
                goto fail;

        r = sd_bus_call_method(bus,
                               "org.freedesktop.machine1",
                               "/org/freedesktop/machine1",
                               "org.freedesktop.machine1.Manager",
                               "MapFromMachineGroup",
                               &error,
                               &reply,
                               "su",
                               machine, (uint32_t) gid);
        if (r < 0) {
                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_GROUP_MAPPING))
                        goto not_found;

                goto fail;
        }

        r = sd_bus_message_read(reply, "u", &mapped);
        if (r < 0)
                goto fail;

        if (mapped < HOST_GID_LIMIT || mapped == gid)
                goto not_found;

        l = sizeof(char*) + strlen(name) + 1;
        if (buflen < l) {
                *errnop = ERANGE;
                return NSS_STATUS_TRYAGAIN;
        }

        memzero(buffer, sizeof(char*));
        strcpy(buffer + sizeof(char*), name);

        gr->gr_name = buffer + sizeof(char*);
        gr->gr_gid = mapped;
        gr->gr_passwd = (char*) "*"; /* locked */
        gr->gr_mem = (char**) buffer;

        *errnop = 0;
        return NSS_STATUS_SUCCESS;

not_found:
        *errnop = 0;
        return NSS_STATUS_NOTFOUND;

fail:
        *errnop = -r;
        return NSS_STATUS_UNAVAIL;
}

enum nss_status _nss_mymachines_getgrgid_r(
                gid_t gid,
                struct group *gr,
                char *buffer, size_t buflen,
                int *errnop) {

        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
        _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
        _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
        const char *machine;
        uint32_t mapped;
        int r;

        BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);

        if (!gid_is_valid(gid))
                goto not_found;

        /* We consider all gids < 65536 host gids */
        if (gid < HOST_GID_LIMIT)
                goto not_found;

        if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
                goto not_found;

        r = sd_bus_open_system(&bus);
        if (r < 0)
                goto fail;

        r = sd_bus_call_method(bus,
                               "org.freedesktop.machine1",
                               "/org/freedesktop/machine1",
                               "org.freedesktop.machine1.Manager",
                               "MapToMachineGroup",
                               &error,
                               &reply,
                               "u",
                               (uint32_t) gid);
        if (r < 0) {
                if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_GROUP_MAPPING))
                        goto not_found;

                goto fail;
        }

        r = sd_bus_message_read(reply, "sou", &machine, NULL, &mapped);
        if (r < 0)
                goto fail;

        if (mapped == gid)
                goto not_found;

        if (buflen < sizeof(char*) + 1) {
                *errnop = ERANGE;
                return NSS_STATUS_TRYAGAIN;
        }

        memzero(buffer, sizeof(char*));
        if (snprintf(buffer + sizeof(char*), buflen - sizeof(char*), "vg-%s-" GID_FMT, machine, (gid_t) mapped) >= (int) buflen) {
                *errnop = ERANGE;
                return NSS_STATUS_TRYAGAIN;
        }

        gr->gr_name = buffer + sizeof(char*);
        gr->gr_gid = gid;
        gr->gr_passwd = (char*) "*"; /* locked */
        gr->gr_mem = (char**) buffer;

        *errnop = 0;
        return NSS_STATUS_SUCCESS;

not_found:
        *errnop = 0;
        return NSS_STATUS_NOTFOUND;

fail:
        *errnop = -r;
        return NSS_STATUS_UNAVAIL;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
cabb0bc6	2
cabb0bc6	3	#include <netdb.h>
07630cea	4	#include <nss.h>
cabb0bc6 LP	5
	6	#include "sd-bus.h"
	7	#include "sd-login.h"
07630cea	8
b5efdb8a	9	#include "alloc-util.h"
c01ff965	10	#include "bus-common-errors.h"
6e32c03e	11	#include "env-util.h"
25300b5a	12	#include "hostname-util.h"
07630cea LP	13	#include "in-addr-util.h"
	14	#include "macro.h"
	15	#include "nss-util.h"
0c5eb056	16	#include "signal-util.h"
07630cea	17	#include "string-util.h"
b1d4f8e1	18	#include "user-util.h"
07630cea	19	#include "util.h"
cabb0bc6 LP	20
cabb0bc6 LP	21	NSS_GETHOSTBYNAME_PROTOTYPES(mymachines);
c01ff965 LP	22	NSS_GETPW_PROTOTYPES(mymachines);
c01ff965 LP	23	NSS_GETGR_PROTOTYPES(mymachines);
cabb0bc6	24
cf3bdcfe LP	25	#define HOST_UID_LIMIT ((uid_t) UINT32_C(0x10000))
	26	#define HOST_GID_LIMIT ((gid_t) UINT32_C(0x10000))
	27
0dd25fb9	28	static int count_addresses(sd_bus_message m, int af, unsigned ret) {
cabb0bc6 LP	29	unsigned c = 0;
	30	int r;
	31
	32	assert(m);
	33	assert(ret);
	34
3a6fb33c	35	while ((r = sd_bus_message_enter_container(m, 'r', "iay")) > 0) {
0dd25fb9	36	int family;
cabb0bc6	37
0dd25fb9	38	r = sd_bus_message_read(m, "i", &family);
cabb0bc6 LP	39	if (r < 0)
	40	return r;
	41
	42	r = sd_bus_message_skip(m, "ay");
	43	if (r < 0)
	44	return r;
	45
	46	r = sd_bus_message_exit_container(m);
	47	if (r < 0)
	48	return r;
	49
	50	if (af != AF_UNSPEC && family != af)
	51	continue;
	52
313cefa1	53	c++;
cabb0bc6 LP	54	}
	55	if (r < 0)
	56	return r;
	57
	58	r = sd_bus_message_rewind(m, false);
	59	if (r < 0)
	60	return r;
	61
	62	*ret = c;
	63	return 0;
	64	}
	65
	66	enum nss_status _nss_mymachines_gethostbyname4_r(
	67	const char *name,
	68	struct gaih_addrtuple **pat,
	69	char *buffer, size_t buflen,
	70	int errnop, int h_errnop,
	71	int32_t *ttlp) {
	72
	73	struct gaih_addrtuple r_tuple, r_tuple_first = NULL;
4afd3348 LP	74	_cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
4afd3348 LP	75	_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
634af566	76	_cleanup_free_ int *ifindices = NULL;
cabb0bc6 LP	77	_cleanup_free_ char *class = NULL;
	78	size_t l, ms, idx;
	79	unsigned i = 0, c = 0;
	80	char *r_name;
634af566	81	int n_ifindices, r;
cabb0bc6	82
0c5eb056 LP	83	BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
0c5eb056 LP	84
cabb0bc6 LP	85	assert(name);
	86	assert(pat);
	87	assert(buffer);
	88	assert(errnop);
	89	assert(h_errnop);
	90
	91	r = sd_machine_get_class(name, &class);
	92	if (r < 0)
	93	goto fail;
	94	if (!streq(class, "container")) {
	95	r = -ENOTTY;
	96	goto fail;
	97	}
	98
634af566 LP	99	n_ifindices = sd_machine_get_ifindices(name, &ifindices);
	100	if (n_ifindices < 0) {
	101	r = n_ifindices;
cabb0bc6 LP	102	goto fail;
	103	}
	104
	105	r = sd_bus_open_system(&bus);
	106	if (r < 0)
	107	goto fail;
	108
	109	r = sd_bus_call_method(bus,
	110	"org.freedesktop.machine1",
	111	"/org/freedesktop/machine1",
	112	"org.freedesktop.machine1.Manager",
	113	"GetMachineAddresses",
	114	NULL,
	115	&reply,
	116	"s", name);
	117	if (r < 0)
	118	goto fail;
	119
0dd25fb9	120	r = sd_bus_message_enter_container(reply, 'a', "(iay)");
cabb0bc6 LP	121	if (r < 0)
	122	goto fail;
	123
	124	r = count_addresses(reply, AF_UNSPEC, &c);
	125	if (r < 0)
	126	goto fail;
	127
	128	if (c <= 0) {
555bd6e9	129	*errnop = ESRCH;
cabb0bc6 LP	130	*h_errnop = HOST_NOT_FOUND;
	131	return NSS_STATUS_NOTFOUND;
	132	}
	133
	134	l = strlen(name);
	135	ms = ALIGN(l+1) + ALIGN(sizeof(struct gaih_addrtuple)) * c;
	136	if (buflen < ms) {
cda458a5 LP	137	*errnop = ERANGE;
cda458a5 LP	138	*h_errnop = NETDB_INTERNAL;
cabb0bc6 LP	139	return NSS_STATUS_TRYAGAIN;
	140	}
	141
	142	/* First, append name */
	143	r_name = buffer;
	144	memcpy(r_name, name, l+1);
	145	idx = ALIGN(l+1);
	146
	147	/* Second, append addresses */
	148	r_tuple_first = (struct gaih_addrtuple*) (buffer + idx);
0dd25fb9 LP	149	while ((r = sd_bus_message_enter_container(reply, 'r', "iay")) > 0) {
0dd25fb9 LP	150	int family;
cabb0bc6 LP	151	const void *a;
	152	size_t sz;
	153
0dd25fb9	154	r = sd_bus_message_read(reply, "i", &family);
cabb0bc6 LP	155	if (r < 0)
	156	goto fail;
	157
	158	r = sd_bus_message_read_array(reply, 'y', &a, &sz);
	159	if (r < 0)
	160	goto fail;
	161
	162	r = sd_bus_message_exit_container(reply);
	163	if (r < 0)
	164	goto fail;
	165
555bd6e9 LP	166	if (!IN_SET(family, AF_INET, AF_INET6)) {
	167	r = -EAFNOSUPPORT;
	168	goto fail;
	169	}
	170
9d485985	171	if (sz != FAMILY_ADDRESS_SIZE(family)) {
cabb0bc6 LP	172	r = -EINVAL;
	173	goto fail;
	174	}
	175
	176	r_tuple = (struct gaih_addrtuple*) (buffer + idx);
	177	r_tuple->next = i == c-1 ? NULL : (struct gaih_addrtuple) ((char) r_tuple + ALIGN(sizeof(struct gaih_addrtuple)));
	178	r_tuple->name = r_name;
	179	r_tuple->family = family;
634af566	180	r_tuple->scopeid = n_ifindices == 1 ? ifindices[0] : 0;
cabb0bc6 LP	181	memcpy(r_tuple->addr, a, sz);
	182
	183	idx += ALIGN(sizeof(struct gaih_addrtuple));
	184	i++;
	185	}
	186
	187	assert(i == c);
	188
	189	r = sd_bus_message_exit_container(reply);
	190	if (r < 0)
	191	goto fail;
	192
	193	assert(idx == ms);
	194
	195	if (*pat)
	196	*pat = r_tuple_first;
	197	else
	198	*pat = r_tuple_first;
	199
	200	if (ttlp)
	201	*ttlp = 0;
	202
e70df46b LP	203	/* Explicitly reset all error variables */
	204	*errnop = 0;
	205	*h_errnop = NETDB_SUCCESS;
	206	h_errno = 0;
	207
cabb0bc6 LP	208	return NSS_STATUS_SUCCESS;
	209
	210	fail:
	211	*errnop = -r;
	212	*h_errnop = NO_DATA;
	213	return NSS_STATUS_UNAVAIL;
	214	}
	215
	216	enum nss_status _nss_mymachines_gethostbyname3_r(
	217	const char *name,
	218	int af,
	219	struct hostent *result,
	220	char *buffer, size_t buflen,
	221	int errnop, int h_errnop,
	222	int32_t *ttlp,
	223	char **canonp) {
	224
4afd3348 LP	225	_cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
4afd3348 LP	226	_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
cabb0bc6 LP	227	_cleanup_free_ char *class = NULL;
	228	unsigned c = 0, i = 0;
	229	char r_name, r_aliases, r_addr, r_addr_list;
	230	size_t l, idx, ms, alen;
	231	int r;
	232
0c5eb056 LP	233	BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
0c5eb056 LP	234
cabb0bc6 LP	235	assert(name);
	236	assert(result);
	237	assert(buffer);
	238	assert(errnop);
	239	assert(h_errnop);
	240
	241	if (af == AF_UNSPEC)
	242	af = AF_INET;
	243
	244	if (af != AF_INET && af != AF_INET6) {
	245	r = -EAFNOSUPPORT;
	246	goto fail;
	247	}
	248
	249	r = sd_machine_get_class(name, &class);
	250	if (r < 0)
	251	goto fail;
	252	if (!streq(class, "container")) {
	253	r = -ENOTTY;
	254	goto fail;
	255	}
	256
	257	r = sd_bus_open_system(&bus);
	258	if (r < 0)
	259	goto fail;
	260
	261	r = sd_bus_call_method(bus,
	262	"org.freedesktop.machine1",
	263	"/org/freedesktop/machine1",
	264	"org.freedesktop.machine1.Manager",
	265	"GetMachineAddresses",
	266	NULL,
	267	&reply,
	268	"s", name);
	269	if (r < 0)
	270	goto fail;
	271
0dd25fb9	272	r = sd_bus_message_enter_container(reply, 'a', "(iay)");
cabb0bc6 LP	273	if (r < 0)
	274	goto fail;
	275
	276	r = count_addresses(reply, af, &c);
	277	if (r < 0)
	278	goto fail;
	279
	280	if (c <= 0) {
	281	*errnop = ENOENT;
	282	*h_errnop = HOST_NOT_FOUND;
	283	return NSS_STATUS_NOTFOUND;
	284	}
	285
9d485985	286	alen = FAMILY_ADDRESS_SIZE(af);
cabb0bc6 LP	287	l = strlen(name);
cabb0bc6 LP	288
66a16e7e	289	ms = ALIGN(l+1) + c * ALIGN(alen) + (c+2) * sizeof(char*);
cabb0bc6 LP	290
cabb0bc6 LP	291	if (buflen < ms) {
cda458a5 LP	292	*errnop = ERANGE;
cda458a5 LP	293	*h_errnop = NETDB_INTERNAL;
cabb0bc6 LP	294	return NSS_STATUS_TRYAGAIN;
	295	}
	296
	297	/* First, append name */
	298	r_name = buffer;
	299	memcpy(r_name, name, l+1);
	300	idx = ALIGN(l+1);
	301
	302	/* Second, create aliases array */
	303	r_aliases = buffer + idx;
	304	((char**) r_aliases)[0] = NULL;
	305	idx += sizeof(char*);
	306
	307	/* Third, append addresses */
	308	r_addr = buffer + idx;
0dd25fb9 LP	309	while ((r = sd_bus_message_enter_container(reply, 'r', "iay")) > 0) {
0dd25fb9 LP	310	int family;
cabb0bc6 LP	311	const void *a;
	312	size_t sz;
	313
0dd25fb9	314	r = sd_bus_message_read(reply, "i", &family);
cabb0bc6 LP	315	if (r < 0)
	316	goto fail;
	317
	318	r = sd_bus_message_read_array(reply, 'y', &a, &sz);
	319	if (r < 0)
	320	goto fail;
	321
	322	r = sd_bus_message_exit_container(reply);
	323	if (r < 0)
	324	goto fail;
	325
	326	if (family != af)
	327	continue;
	328
	329	if (sz != alen) {
	330	r = -EINVAL;
	331	goto fail;
	332	}
	333
	334	memcpy(r_addr + i*ALIGN(alen), a, alen);
	335	i++;
	336	}
	337
	338	assert(i == c);
	339	idx += c * ALIGN(alen);
	340
	341	r = sd_bus_message_exit_container(reply);
	342	if (r < 0)
	343	goto fail;
	344
	345	/* Third, append address pointer array */
	346	r_addr_list = buffer + idx;
	347	for (i = 0; i < c; i++)
	348	((char*) r_addr_list)[i] = r_addr + iALIGN(alen);
	349
	350	((char**) r_addr_list)[i] = NULL;
	351	idx += (c+1) * sizeof(char*);
	352
	353	assert(idx == ms);
	354
	355	result->h_name = r_name;
	356	result->h_aliases = (char**) r_aliases;
	357	result->h_addrtype = af;
	358	result->h_length = alen;
	359	result->h_addr_list = (char**) r_addr_list;
	360
	361	if (ttlp)
	362	*ttlp = 0;
	363
	364	if (canonp)
	365	*canonp = r_name;
	366
e70df46b LP	367	/* Explicitly reset all error variables */
	368	*errnop = 0;
	369	*h_errnop = NETDB_SUCCESS;
	370	h_errno = 0;
	371
cabb0bc6 LP	372	return NSS_STATUS_SUCCESS;
	373
	374	fail:
	375	*errnop = -r;
	376	*h_errnop = NO_DATA;
	377	return NSS_STATUS_UNAVAIL;
	378	}
	379
c01ff965 LP	380	NSS_GETHOSTBYNAME_FALLBACKS(mymachines);
	381
	382	enum nss_status _nss_mymachines_getpwnam_r(
	383	const char *name,
	384	struct passwd *pwd,
	385	char *buffer, size_t buflen,
	386	int *errnop) {
	387
4afd3348 LP	388	_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
	389	_cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
	390	_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
c01ff965 LP	391	const char p, e, *machine;
	392	uint32_t mapped;
	393	uid_t uid;
	394	size_t l;
	395	int r;
	396
0c5eb056 LP	397	BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
0c5eb056 LP	398
c01ff965 LP	399	assert(name);
	400	assert(pwd);
	401
	402	p = startswith(name, "vu-");
	403	if (!p)
	404	goto not_found;
	405
	406	e = strrchr(p, '-');
	407	if (!e \|\| e == p)
	408	goto not_found;
	409
cb31827d ZJS	410	if (e - p > HOST_NAME_MAX - 1) /* -1 for the last dash */
	411	goto not_found;
	412
c01ff965 LP	413	r = parse_uid(e + 1, &uid);
	414	if (r < 0)
	415	goto not_found;
	416
	417	machine = strndupa(p, e - p);
	418	if (!machine_name_is_valid(machine))
	419	goto not_found;
	420
71e0accc	421	if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
6e32c03e LP	422	/* Make sure we can't deadlock if we are invoked by dbus-daemon. This way, it won't be able to resolve
	423	* these UIDs, but that should be unproblematic as containers should never be able to connect to a bus
	424	* running on the host. */
	425	goto not_found;
	426
c01ff965 LP	427	r = sd_bus_open_system(&bus);
	428	if (r < 0)
	429	goto fail;
	430
	431	r = sd_bus_call_method(bus,
	432	"org.freedesktop.machine1",
	433	"/org/freedesktop/machine1",
	434	"org.freedesktop.machine1.Manager",
	435	"MapFromMachineUser",
	436	&error,
	437	&reply,
	438	"su",
	439	machine, (uint32_t) uid);
	440	if (r < 0) {
	441	if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_USER_MAPPING))
	442	goto not_found;
	443
	444	goto fail;
	445	}
	446
	447	r = sd_bus_message_read(reply, "u", &mapped);
	448	if (r < 0)
	449	goto fail;
	450
cf3bdcfe LP	451	/* Refuse to work if the mapped address is in the host UID range, or if there was no mapping at all. */
	452	if (mapped < HOST_UID_LIMIT \|\| mapped == uid)
	453	goto not_found;
	454
c01ff965 LP	455	l = strlen(name);
c01ff965 LP	456	if (buflen < l+1) {
cda458a5	457	*errnop = ERANGE;
c01ff965 LP	458	return NSS_STATUS_TRYAGAIN;
	459	}
	460
	461	memcpy(buffer, name, l+1);
	462
	463	pwd->pw_name = buffer;
	464	pwd->pw_uid = mapped;
3a664727	465	pwd->pw_gid = GID_NOBODY;
c01ff965 LP	466	pwd->pw_gecos = buffer;
	467	pwd->pw_passwd = (char) ""; /* locked */
	468	pwd->pw_dir = (char*) "/";
	469	pwd->pw_shell = (char*) "/sbin/nologin";
	470
	471	*errnop = 0;
	472	return NSS_STATUS_SUCCESS;
	473
	474	not_found:
	475	*errnop = 0;
	476	return NSS_STATUS_NOTFOUND;
	477
	478	fail:
	479	*errnop = -r;
	480	return NSS_STATUS_UNAVAIL;
	481	}
	482
	483	enum nss_status _nss_mymachines_getpwuid_r(
	484	uid_t uid,
	485	struct passwd *pwd,
	486	char *buffer, size_t buflen,
	487	int *errnop) {
	488
4afd3348 LP	489	_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
	490	_cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
	491	_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
31d99bd1	492	const char *machine;
c01ff965 LP	493	uint32_t mapped;
	494	int r;
	495
0c5eb056 LP	496	BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
0c5eb056 LP	497
d6c575e3 LP	498	if (!uid_is_valid(uid))
d6c575e3 LP	499	goto not_found;
c01ff965 LP	500
c01ff965 LP	501	/* We consider all uids < 65536 host uids */
cf3bdcfe	502	if (uid < HOST_UID_LIMIT)
c01ff965 LP	503	goto not_found;
c01ff965 LP	504
71e0accc	505	if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
6e32c03e LP	506	goto not_found;
6e32c03e LP	507
c01ff965 LP	508	r = sd_bus_open_system(&bus);
	509	if (r < 0)
	510	goto fail;
	511
	512	r = sd_bus_call_method(bus,
	513	"org.freedesktop.machine1",
	514	"/org/freedesktop/machine1",
	515	"org.freedesktop.machine1.Manager",
	516	"MapToMachineUser",
	517	&error,
	518	&reply,
	519	"u",
	520	(uint32_t) uid);
	521	if (r < 0) {
	522	if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_USER_MAPPING))
	523	goto not_found;
	524
	525	goto fail;
	526	}
	527
31d99bd1	528	r = sd_bus_message_read(reply, "sou", &machine, NULL, &mapped);
c01ff965 LP	529	if (r < 0)
	530	goto fail;
	531
cf3bdcfe LP	532	if (mapped == uid)
	533	goto not_found;
	534
c01ff965	535	if (snprintf(buffer, buflen, "vu-%s-" UID_FMT, machine, (uid_t) mapped) >= (int) buflen) {
cda458a5	536	*errnop = ERANGE;
c01ff965 LP	537	return NSS_STATUS_TRYAGAIN;
	538	}
	539
	540	pwd->pw_name = buffer;
	541	pwd->pw_uid = uid;
3a664727	542	pwd->pw_gid = GID_NOBODY;
c01ff965 LP	543	pwd->pw_gecos = buffer;
	544	pwd->pw_passwd = (char) ""; /* locked */
	545	pwd->pw_dir = (char*) "/";
	546	pwd->pw_shell = (char*) "/sbin/nologin";
	547
	548	*errnop = 0;
	549	return NSS_STATUS_SUCCESS;
	550
	551	not_found:
	552	*errnop = 0;
	553	return NSS_STATUS_NOTFOUND;
	554
	555	fail:
	556	*errnop = -r;
	557	return NSS_STATUS_UNAVAIL;
	558	}
	559
3e75a1bb YW	560	#pragma GCC diagnostic ignored "-Wsizeof-pointer-memaccess"
3e75a1bb YW	561
c01ff965 LP	562	enum nss_status _nss_mymachines_getgrnam_r(
	563	const char *name,
	564	struct group *gr,
	565	char *buffer, size_t buflen,
	566	int *errnop) {
	567
4afd3348 LP	568	_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
	569	_cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
	570	_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
c01ff965 LP	571	const char p, e, *machine;
	572	uint32_t mapped;
	573	uid_t gid;
	574	size_t l;
	575	int r;
	576
0c5eb056 LP	577	BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
0c5eb056 LP	578
c01ff965 LP	579	assert(name);
	580	assert(gr);
	581
	582	p = startswith(name, "vg-");
	583	if (!p)
	584	goto not_found;
	585
	586	e = strrchr(p, '-');
	587	if (!e \|\| e == p)
	588	goto not_found;
	589
cb31827d ZJS	590	if (e - p > HOST_NAME_MAX - 1) /* -1 for the last dash */
	591	goto not_found;
	592
c01ff965 LP	593	r = parse_gid(e + 1, &gid);
	594	if (r < 0)
	595	goto not_found;
	596
	597	machine = strndupa(p, e - p);
	598	if (!machine_name_is_valid(machine))
	599	goto not_found;
	600
71e0accc	601	if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
6e32c03e LP	602	goto not_found;
6e32c03e LP	603
c01ff965 LP	604	r = sd_bus_open_system(&bus);
	605	if (r < 0)
	606	goto fail;
	607
	608	r = sd_bus_call_method(bus,
	609	"org.freedesktop.machine1",
	610	"/org/freedesktop/machine1",
	611	"org.freedesktop.machine1.Manager",
	612	"MapFromMachineGroup",
	613	&error,
	614	&reply,
	615	"su",
	616	machine, (uint32_t) gid);
	617	if (r < 0) {
	618	if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_GROUP_MAPPING))
	619	goto not_found;
	620
	621	goto fail;
	622	}
	623
	624	r = sd_bus_message_read(reply, "u", &mapped);
	625	if (r < 0)
	626	goto fail;
	627
cf3bdcfe LP	628	if (mapped < HOST_GID_LIMIT \|\| mapped == gid)
	629	goto not_found;
	630
c01ff965 LP	631	l = sizeof(char*) + strlen(name) + 1;
c01ff965 LP	632	if (buflen < l) {
cda458a5	633	*errnop = ERANGE;
c01ff965 LP	634	return NSS_STATUS_TRYAGAIN;
	635	}
	636
	637	memzero(buffer, sizeof(char*));
	638	strcpy(buffer + sizeof(char*), name);
	639
	640	gr->gr_name = buffer + sizeof(char*);
ee73a176	641	gr->gr_gid = mapped;
c01ff965 LP	642	gr->gr_passwd = (char) ""; /* locked */
	643	gr->gr_mem = (char**) buffer;
	644
	645	*errnop = 0;
	646	return NSS_STATUS_SUCCESS;
	647
	648	not_found:
	649	*errnop = 0;
	650	return NSS_STATUS_NOTFOUND;
	651
	652	fail:
	653	*errnop = -r;
	654	return NSS_STATUS_UNAVAIL;
	655	}
	656
	657	enum nss_status _nss_mymachines_getgrgid_r(
	658	gid_t gid,
	659	struct group *gr,
	660	char *buffer, size_t buflen,
	661	int *errnop) {
	662
4afd3348 LP	663	_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
	664	_cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
	665	_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
31d99bd1	666	const char *machine;
c01ff965 LP	667	uint32_t mapped;
	668	int r;
	669
0c5eb056 LP	670	BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
0c5eb056 LP	671
d6c575e3 LP	672	if (!gid_is_valid(gid))
d6c575e3 LP	673	goto not_found;
c01ff965 LP	674
c01ff965 LP	675	/* We consider all gids < 65536 host gids */
cf3bdcfe	676	if (gid < HOST_GID_LIMIT)
c01ff965 LP	677	goto not_found;
c01ff965 LP	678
71e0accc	679	if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
6e32c03e LP	680	goto not_found;
6e32c03e LP	681
c01ff965 LP	682	r = sd_bus_open_system(&bus);
	683	if (r < 0)
	684	goto fail;
	685
	686	r = sd_bus_call_method(bus,
	687	"org.freedesktop.machine1",
	688	"/org/freedesktop/machine1",
	689	"org.freedesktop.machine1.Manager",
	690	"MapToMachineGroup",
	691	&error,
	692	&reply,
	693	"u",
	694	(uint32_t) gid);
	695	if (r < 0) {
	696	if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_GROUP_MAPPING))
	697	goto not_found;
	698
	699	goto fail;
	700	}
	701
31d99bd1	702	r = sd_bus_message_read(reply, "sou", &machine, NULL, &mapped);
c01ff965 LP	703	if (r < 0)
	704	goto fail;
	705
cf3bdcfe LP	706	if (mapped == gid)
	707	goto not_found;
	708
c01ff965	709	if (buflen < sizeof(char*) + 1) {
cda458a5	710	*errnop = ERANGE;
c01ff965 LP	711	return NSS_STATUS_TRYAGAIN;
	712	}
	713
	714	memzero(buffer, sizeof(char*));
	715	if (snprintf(buffer + sizeof(char), buflen - sizeof(char), "vg-%s-" GID_FMT, machine, (gid_t) mapped) >= (int) buflen) {
cda458a5	716	*errnop = ERANGE;
c01ff965 LP	717	return NSS_STATUS_TRYAGAIN;
	718	}
	719
	720	gr->gr_name = buffer + sizeof(char*);
	721	gr->gr_gid = gid;
	722	gr->gr_passwd = (char) ""; /* locked */
	723	gr->gr_mem = (char**) buffer;
	724
	725	*errnop = 0;
	726	return NSS_STATUS_SUCCESS;
	727
	728	not_found:
	729	*errnop = 0;
	730	return NSS_STATUS_NOTFOUND;
	731
	732	fail:
	733	*errnop = -r;
	734	return NSS_STATUS_UNAVAIL;
	735	}