1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
5 Copyright © 2016 Djalal Harouni
/* Forward declarations so the prototypes further down can name these types
 * before their full definitions (NamespaceInfo and TemporaryFileSystem are
 * defined later in this header; the others are referenced through pointers). */
typedef struct NamespaceInfo NamespaceInfo;
typedef struct BindMount BindMount;
typedef struct TemporaryFileSystem TemporaryFileSystem;
typedef struct MountImage MountImage;
15 #include "dissect-image.h"
18 #include "string-util.h"
20 typedef enum ProtectHome
{
23 PROTECT_HOME_READ_ONLY
,
26 _PROTECT_HOME_INVALID
= -EINVAL
,
29 typedef enum NamespaceType
{
38 _NAMESPACE_TYPE_INVALID
= -EINVAL
,
41 typedef enum ProtectSystem
{
45 PROTECT_SYSTEM_STRICT
,
47 _PROTECT_SYSTEM_INVALID
= -EINVAL
,
50 typedef enum ProtectProc
{
52 PROTECT_PROC_NOACCESS
, /* hidepid=noaccess */
53 PROTECT_PROC_INVISIBLE
, /* hidepid=invisible */
54 PROTECT_PROC_PTRACEABLE
, /* hidepid=ptraceable */
56 _PROTECT_PROC_INVALID
= -EINVAL
,
59 typedef enum ProcSubset
{
61 PROC_SUBSET_PID
, /* subset=pid */
63 _PROC_SUBSET_INVALID
= -EINVAL
,
66 struct NamespaceInfo
{
67 bool ignore_protect_paths
;
70 bool protect_control_groups
;
71 bool protect_kernel_tunables
;
72 bool protect_kernel_modules
;
73 bool protect_kernel_logs
;
75 bool protect_hostname
;
78 ProtectHome protect_home
;
79 ProtectSystem protect_system
;
80 ProtectProc protect_proc
;
81 ProcSubset proc_subset
;
93 struct TemporaryFileSystem
{
98 typedef enum MountImageType
{
100 MOUNT_IMAGE_EXTENSION
,
101 _MOUNT_IMAGE_TYPE_MAX
,
102 _MOUNT_IMAGE_TYPE_INVALID
= -EINVAL
,
107 char *destination
; /* Unused if MountImageType == MOUNT_IMAGE_EXTENSION */
108 LIST_HEAD(MountOptions
, mount_options
);
114 const char *root_directory
,
115 const char *root_image
,
116 const MountOptions
*root_image_options
,
117 const NamespaceInfo
*ns_info
,
118 char **read_write_paths
,
119 char **read_only_paths
,
120 char **inaccessible_paths
,
122 char **no_exec_paths
,
123 char **empty_directories
,
124 char **exec_dir_symlinks
,
125 const BindMount
*bind_mounts
,
126 size_t n_bind_mounts
,
127 const TemporaryFileSystem
*temporary_filesystems
,
128 size_t n_temporary_filesystems
,
129 const MountImage
*mount_images
,
130 size_t n_mount_images
,
132 const char *var_tmp_dir
,
133 const char *creds_path
,
134 const char *log_namespace
,
135 unsigned long mount_flags
,
136 const void *root_hash
,
137 size_t root_hash_size
,
138 const char *root_hash_path
,
139 const void *root_hash_sig
,
140 size_t root_hash_sig_size
,
141 const char *root_hash_sig_path
,
142 const char *root_verity
,
143 const MountImage
*extension_images
,
144 size_t n_extension_images
,
145 const char *propagate_dir
,
146 const char *incoming_dir
,
147 const char *notify_socket
,
/* Well-known shared path that namespace_cleanup_tmpdir() below compares its
 * argument against before taking its non-matching branch. NOTE(review): the
 * branch body is not visible here, but the guard suggests this directory is a
 * shared placeholder that must never be treated like a per-service private
 * tmpdir (i.e. never recursively removed) — confirm against the definition. */
#define RUN_SYSTEMD_EMPTY "/run/systemd/empty"
152 static inline char* namespace_cleanup_tmpdir(char *p
) {
154 if (!streq_ptr(p
, RUN_SYSTEMD_EMPTY
))
/* Generates the scope-exit wrapper around namespace_cleanup_tmpdir() via the
 * project macro (conventionally paired with the _cleanup_ attribute so a tmpdir
 * path is released on every exit path; verify the exact expansion in the
 * project's macro headers). */
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, namespace_cleanup_tmpdir);
/* Namespace-sharing helpers.
 *
 * The `[static 2]` qualifier on the first parameter requires callers to pass a
 * non-NULL array of at least two ints (presumably a socketpair() used to stash
 * and later retrieve the namespace fd). `nsflag` selects the namespace kind
 * (presumably a CLONE_NEW* flag). Both return int; by this codebase's
 * convention that is presumably a negative errno on failure, so callers must
 * check the result before assuming the namespace is in place.
 *
 * open_shareable_ns_path() additionally takes the filesystem `path` of an
 * existing namespace to join. NOTE(review): that path is caller-supplied, so it
 * should only ever come from trusted configuration, never from the sandboxed
 * payload itself. */
int setup_shareable_ns(const int ns_storage_socket[static 2], unsigned long nsflag);
int open_shareable_ns_path(const int netns_storage_socket[static 2], const char *path, unsigned long nsflag);
/* String <-> enum conversions for the sandboxing enums defined above.
 *
 * _const_ and _pure_ are project attribute macros (presumably wrapping
 * __attribute__((const)) / __attribute__((pure))).
 *
 * Each enum above defines a negative `_*_INVALID = -EINVAL` member; the
 * *_from_string() parsers presumably return it for input they do not
 * recognise. Callers must therefore treat any negative return as a parse
 * failure and reject the setting outright — these values configure how much
 * of the host a unit may see, so an unchecked -EINVAL must not silently fall
 * through to a weaker default. */
const char* protect_home_to_string(ProtectHome p) _const_;
ProtectHome protect_home_from_string(const char *s) _pure_;

const char* protect_system_to_string(ProtectSystem p) _const_;
ProtectSystem protect_system_from_string(const char *s) _pure_;

const char* protect_proc_to_string(ProtectProc i) _const_;
ProtectProc protect_proc_from_string(const char *s) _pure_;

const char* proc_subset_to_string(ProcSubset i) _const_;
ProcSubset proc_subset_from_string(const char *s) _pure_;
/* Growable arrays of mount specifications and their destructors.
 *
 * The *_add() functions take the array and its element count by reference so
 * they can grow the array and append one entry; they return int (presumably a
 * negative errno on failure). Callers must check the result: on failure the
 * count and the array contents may otherwise be assumed updated when they are
 * not.
 *
 * NOTE(review): the free_many() family is not uniform. bind_mount_free_many()
 * and temporary_filesystem_free_many() return void and take the count by value,
 * so callers are responsible for resetting their own pointer and count
 * afterwards (otherwise a later free of the same array is a double free).
 * mount_image_free_many() instead takes `size_t *n` and returns a MountImage*
 * (presumably NULL with *n reset, so the result can be assigned back to the
 * caller's pointer). */
void bind_mount_free_many(BindMount *b, size_t n);
int bind_mount_add(BindMount **b, size_t *n, const BindMount *item);

void temporary_filesystem_free_many(TemporaryFileSystem *t, size_t n);
int temporary_filesystem_add(TemporaryFileSystem **t, size_t *n,
                             const char *path, const char *options);

MountImage* mount_image_free_many(MountImage *m, size_t *n);
int mount_image_add(MountImage **m, size_t *n, const MountImage *item);
/* NamespaceType string conversion (same attribute and presumed return
 * conventions as the other *_to_string()/*_from_string() pairs in this header:
 * a negative `_NAMESPACE_TYPE_INVALID` result means the input was not
 * recognised) plus a runtime availability probe.
 *
 * ns_type_supported() presumably reports whether the running kernel and
 * configuration can provide the given namespace type; its implementation is not
 * visible here. A `false` answer means the isolation feature is unavailable —
 * callers should fail or degrade explicitly rather than continue as if the
 * namespace had been set up. */
const char* namespace_type_to_string(NamespaceType t) _const_;
NamespaceType namespace_type_from_string(const char *s) _pure_;

bool ns_type_supported(NamespaceType type);