[thirdparty/systemd.git] / src / shared / mount-util.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#include <mntent.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#include "alloc-util.h"
#include "dissect-image.h"
#include "errno-util.h"
#include "macro.h"

/* The limit used for /dev itself. 4MB should be enough since device nodes and symlinks don't
 * consume any space and udev isn't supposed to create regular file either. There's no limit on the
 * max number of inodes since such limit is hard to guess especially on large storage array
 * systems. */
#define TMPFS_LIMITS_DEV             ",size=4m"

/* The limit used for /dev in private namespaces. 4MB for contents of regular files. The number of
 * inodes should be relatively low in private namespaces but for now use a 64k limit. */
#define TMPFS_LIMITS_PRIVATE_DEV     ",size=4m,nr_inodes=64k"

/* Very little, if any use expected */
#define TMPFS_LIMITS_EMPTY_OR_ALMOST ",size=4m,nr_inodes=1k"
#define TMPFS_LIMITS_SYS             TMPFS_LIMITS_EMPTY_OR_ALMOST
#define TMPFS_LIMITS_SYS_FS_CGROUP   TMPFS_LIMITS_EMPTY_OR_ALMOST

/* On an extremely small device with only 256MB of RAM, 20% of RAM should be enough for the re-execution of
 * PID1 because 16MB of free space is required. */
#define TMPFS_LIMITS_RUN             ",size=20%,nr_inodes=800k"

/* The limit used for various nested tmpfs mounts, in particular for guests started by systemd-nspawn.
 * 10% of RAM (using 16GB of RAM as a baseline) translates to 400k inodes (assuming 4k each) and 25%
 * translates to 1M inodes.
 * (On the host, /tmp is configured through a .mount unit file.) */
#define NESTED_TMPFS_LIMITS          ",size=10%,nr_inodes=400k"

/* More space for volatile root and /var */
#define TMPFS_LIMITS_VAR             ",size=25%,nr_inodes=1m"
#define TMPFS_LIMITS_ROOTFS          TMPFS_LIMITS_VAR
#define TMPFS_LIMITS_VOLATILE_STATE  TMPFS_LIMITS_VAR

int mount_fd(const char *source, int target_fd, const char *filesystemtype, unsigned long mountflags, const void *data);
int mount_nofollow(const char *source, const char *target, const char *filesystemtype, unsigned long mountflags, const void *data);

int repeat_unmount(const char *path, int flags);
int umount_recursive(const char *target, int flags);

int bind_remount_recursive_with_mountinfo(const char *prefix, unsigned long new_flags, unsigned long flags_mask, char **deny_list, FILE *proc_self_mountinfo);
static inline int bind_remount_recursive(const char *prefix, unsigned long new_flags, unsigned long flags_mask, char **deny_list) {
        return bind_remount_recursive_with_mountinfo(prefix, new_flags, flags_mask, deny_list, NULL);
}

int bind_remount_one_with_mountinfo(const char *path, unsigned long new_flags, unsigned long flags_mask, FILE *proc_self_mountinfo);

int mount_move_root(const char *path);
int mount_pivot_root(const char *path);

DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(FILE*, endmntent, NULL);
#define _cleanup_endmntent_ _cleanup_(endmntentp)

int mount_verbose_full(
                int error_log_level,
                const char *what,
                const char *where,
                const char *type,
                unsigned long flags,
                const char *options,
                bool follow_symlink);

static inline int mount_follow_verbose(
                int error_log_level,
                const char *what,
                const char *where,
                const char *type,
                unsigned long flags,
                const char *options) {
        return mount_verbose_full(error_log_level, what, where, type, flags, options, true);
}

static inline int mount_nofollow_verbose(
                int error_log_level,
                const char *what,
                const char *where,
                const char *type,
                unsigned long flags,
                const char *options) {
        return mount_verbose_full(error_log_level, what, where, type, flags, options, false);
}

int umount_verbose(
                int error_log_level,
                const char *where,
                int flags);

int mount_option_mangle(
                const char *options,
                unsigned long mount_flags,
                unsigned long *ret_mount_flags,
                char **ret_remaining_options);

int mode_to_inaccessible_node(const char *runtime_dir, mode_t mode, char **dest);
int mount_flags_to_string(unsigned long flags, char **ret);

/* Useful for usage with _cleanup_(), unmounts, removes a directory and frees the pointer */
static inline char* umount_and_rmdir_and_free(char *p) {
        PROTECT_ERRNO;
        if (p) {
                (void) umount_recursive(p, 0);
                (void) rmdir(p);
        }
        return mfree(p);
}
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, umount_and_rmdir_and_free);

int bind_mount_in_namespace(pid_t target, const char *propagate_path, const char *incoming_path, const char *src, const char *dest, bool read_only, bool make_file_or_directory);
int mount_image_in_namespace(pid_t target, const char *propagate_path, const char *incoming_path, const char *src, const char *dest, bool read_only, bool make_file_or_directory, const MountOptions *options);

int make_mount_point(const char *path);

typedef enum RemountIdmapping {
        REMOUNT_IDMAPPING_NONE,
        /* Include a mapping from UID_MAPPED_ROOT (i.e. UID 2^31-2) on the backing fs to UID 0 on the
         * uidmapped fs. This is useful to ensure that the host root user can safely add inodes to the
         * uidmapped fs (which otherwise wouldn't work as the host root user is not defined on the uidmapped
         * mount and any attempts to create inodes will then be refused with EOVERFLOW). The idea is that
         * these inodes are quickly re-chown()ed to more suitable UIDs/GIDs. Any code that intends to be able
         * to add inodes to file systems mapped this way should set this flag, but given it comes with
         * certain security implications defaults to off, and requires explicit opt-in. */
        REMOUNT_IDMAPPING_HOST_ROOT,
        /* Define a mapping from root user within the container to the owner of the bind mounted directory.
         * This ensure no root-owned files will be written in a bind-mounted directory owned by a different
         * user. No other users are mapped. */
        REMOUNT_IDMAPPING_HOST_OWNER,
        _REMOUNT_IDMAPPING_MAX,
        _REMOUNT_IDMAPPING_INVALID = -EINVAL,
} RemountIdmapping;

int remount_idmap(const char *p, uid_t uid_shift, uid_t uid_range, uid_t owner, RemountIdmapping idmapping);

/* Creates a mount point (not parents) based on the source path or stat - ie, a file or a directory */
int make_mount_point_inode_from_stat(const struct stat *st, const char *dest, mode_t mode);
int make_mount_point_inode_from_path(const char *source, const char *dest, mode_t mode);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
4349cd7c LP	2	#pragma once
4349cd7c LP	3
4349cd7c	4	#include <mntent.h>
11c3a366	5	#include <stdio.h>
9c653536	6	#include <sys/stat.h>
e49ee285	7	#include <unistd.h>
4e036b7a	8
75f79cd2	9	#include "alloc-util.h"
70599967	10	#include "dissect-image.h"
e49ee285	11	#include "errno-util.h"
11c3a366	12	#include "macro.h"
4349cd7c	13
570fe6f1 FB	14	/* The limit used for /dev itself. 4MB should be enough since device nodes and symlinks don't
	15	* consume any space and udev isn't supposed to create regular file either. There's no limit on the
	16	* max number of inodes since such limit is hard to guess especially on large storage array
	17	* systems. */
	18	#define TMPFS_LIMITS_DEV ",size=4m"
	19
	20	/* The limit used for /dev in private namespaces. 4MB for contents of regular files. The number of
	21	* inodes should be relatively low in private namespaces but for now use a 64k limit. */
	22	#define TMPFS_LIMITS_PRIVATE_DEV ",size=4m,nr_inodes=64k"
362a55fc	23
7d85383e TM	24	/* Very little, if any use expected */
	25	#define TMPFS_LIMITS_EMPTY_OR_ALMOST ",size=4m,nr_inodes=1k"
	26	#define TMPFS_LIMITS_SYS TMPFS_LIMITS_EMPTY_OR_ALMOST
	27	#define TMPFS_LIMITS_SYS_FS_CGROUP TMPFS_LIMITS_EMPTY_OR_ALMOST
362a55fc ZJS	28
	29	/* On an extremely small device with only 256MB of RAM, 20% of RAM should be enough for the re-execution of
	30	* PID1 because 16MB of free space is required. */
b4e1563f	31	#define TMPFS_LIMITS_RUN ",size=20%,nr_inodes=800k"
362a55fc	32
84f9a680	33	/* The limit used for various nested tmpfs mounts, in particular for guests started by systemd-nspawn.
362a55fc ZJS	34	* 10% of RAM (using 16GB of RAM as a baseline) translates to 400k inodes (assuming 4k each) and 25%
362a55fc ZJS	35	* translates to 1M inodes.
b67ec8e5 ZJS	36	* (On the host, /tmp is configured through a .mount unit file.) */
b67ec8e5 ZJS	37	#define NESTED_TMPFS_LIMITS ",size=10%,nr_inodes=400k"
362a55fc	38
b4e1563f	39	/* More space for volatile root and /var */
7d85383e TM	40	#define TMPFS_LIMITS_VAR ",size=25%,nr_inodes=1m"
	41	#define TMPFS_LIMITS_ROOTFS TMPFS_LIMITS_VAR
	42	#define TMPFS_LIMITS_VOLATILE_STATE TMPFS_LIMITS_VAR
	43
28126409 LP	44	int mount_fd(const char source, int target_fd, const char filesystemtype, unsigned long mountflags, const void *data);
	45	int mount_nofollow(const char source, const char target, const char filesystemtype, unsigned long mountflags, const void data);
	46
3f2c0bec	47	int repeat_unmount(const char *path, int flags);
4349cd7c	48	int umount_recursive(const char *target, int flags);
0289948e	49
6b000af4	50	int bind_remount_recursive_with_mountinfo(const char prefix, unsigned long new_flags, unsigned long flags_mask, char deny_list, FILE proc_self_mountinfo);
0289948e LP	51	static inline int bind_remount_recursive(const char prefix, unsigned long new_flags, unsigned long flags_mask, char *deny_list) {
	52	return bind_remount_recursive_with_mountinfo(prefix, new_flags, flags_mask, deny_list, NULL);
	53	}
	54
7cce68e1	55	int bind_remount_one_with_mountinfo(const char path, unsigned long new_flags, unsigned long flags_mask, FILE proc_self_mountinfo);
4349cd7c LP	56
4349cd7c LP	57	int mount_move_root(const char *path);
2e776ed6	58	int mount_pivot_root(const char *path);
4349cd7c	59
fd421c4a	60	DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(FILE*, endmntent, NULL);
4349cd7c	61	#define _cleanup_endmntent_ _cleanup_(endmntentp)
4e036b7a	62
511a8cfe	63	int mount_verbose_full(
60e76d48 ZJS	64	int error_log_level,
	65	const char *what,
	66	const char *where,
	67	const char *type,
	68	unsigned long flags,
511a8cfe LP	69	const char *options,
	70	bool follow_symlink);
	71
	72	static inline int mount_follow_verbose(
	73	int error_log_level,
	74	const char *what,
	75	const char *where,
	76	const char *type,
	77	unsigned long flags,
	78	const char *options) {
	79	return mount_verbose_full(error_log_level, what, where, type, flags, options, true);
	80	}
	81
	82	static inline int mount_nofollow_verbose(
	83	int error_log_level,
	84	const char *what,
	85	const char *where,
	86	const char *type,
	87	unsigned long flags,
	88	const char *options) {
	89	return mount_verbose_full(error_log_level, what, where, type, flags, options, false);
	90	}
	91
30f5d104 LP	92	int umount_verbose(
	93	int error_log_level,
	94	const char *where,
	95	int flags);
83555251	96
9e7f941a YW	97	int mount_option_mangle(
	98	const char *options,
	99	unsigned long mount_flags,
	100	unsigned long *ret_mount_flags,
	101	char **ret_remaining_options);
be1791ad	102
e5f10caf	103	int mode_to_inaccessible_node(const char runtime_dir, mode_t mode, char *dest);
da185cd0	104	int mount_flags_to_string(unsigned long flags, char **ret);
e49ee285 LP	105
e49ee285 LP	106	/* Useful for usage with _cleanup_(), unmounts, removes a directory and frees the pointer */
f93ba375	107	static inline char* umount_and_rmdir_and_free(char *p) {
e49ee285	108	PROTECT_ERRNO;
4d686e6b LP	109	if (p) {
	110	(void) umount_recursive(p, 0);
	111	(void) rmdir(p);
	112	}
75f79cd2	113	return mfree(p);
e49ee285 LP	114	}
e49ee285 LP	115	DEFINE_TRIVIAL_CLEANUP_FUNC(char*, umount_and_rmdir_and_free);
6af52c3a LB	116
6af52c3a LB	117	int bind_mount_in_namespace(pid_t target, const char propagate_path, const char incoming_path, const char src, const char dest, bool read_only, bool make_file_or_directory);
70599967	118	int mount_image_in_namespace(pid_t target, const char propagate_path, const char incoming_path, const char src, const char dest, bool read_only, bool make_file_or_directory, const MountOptions *options);
14a25e1f LP	119
14a25e1f LP	120	int make_mount_point(const char *path);
35fd3558	121
1aa18710 QD	122	typedef enum RemountIdmapping {
1aa18710 QD	123	REMOUNT_IDMAPPING_NONE,
50ae2966 LP	124	/* Include a mapping from UID_MAPPED_ROOT (i.e. UID 2^31-2) on the backing fs to UID 0 on the
	125	* uidmapped fs. This is useful to ensure that the host root user can safely add inodes to the
	126	* uidmapped fs (which otherwise wouldn't work as the host root user is not defined on the uidmapped
	127	* mount and any attempts to create inodes will then be refused with EOVERFLOW). The idea is that
	128	* these inodes are quickly re-chown()ed to more suitable UIDs/GIDs. Any code that intends to be able
	129	* to add inodes to file systems mapped this way should set this flag, but given it comes with
	130	* certain security implications defaults to off, and requires explicit opt-in. */
1aa18710	131	REMOUNT_IDMAPPING_HOST_ROOT,
2b2777ed QD	132	/* Define a mapping from root user within the container to the owner of the bind mounted directory.
	133	* This ensure no root-owned files will be written in a bind-mounted directory owned by a different
	134	* user. No other users are mapped. */
	135	REMOUNT_IDMAPPING_HOST_OWNER,
1aa18710 QD	136	_REMOUNT_IDMAPPING_MAX,
	137	_REMOUNT_IDMAPPING_INVALID = -EINVAL,
	138	} RemountIdmapping;
50ae2966	139
2b2777ed	140	int remount_idmap(const char *p, uid_t uid_shift, uid_t uid_range, uid_t owner, RemountIdmapping idmapping);
9c653536 ZJS	141
	142	/* Creates a mount point (not parents) based on the source path or stat - ie, a file or a directory */
	143	int make_mount_point_inode_from_stat(const struct stat st, const char dest, mode_t mode);
	144	int make_mount_point_inode_from_path(const char source, const char dest, mode_t mode);