]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/namespace.h
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #21172 from poettering/fix-systemctl-cgroup-tree
[thirdparty/systemd.git] / src / core / namespace.h
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2 #pragma once
3
4 /***
5 Copyright © 2016 Djalal Harouni
6 ***/
7
8 typedef struct NamespaceInfo NamespaceInfo;
9 typedef struct BindMount BindMount;
10 typedef struct TemporaryFileSystem TemporaryFileSystem;
11 typedef struct MountImage MountImage;
12
13 #include <stdbool.h>
14
15 #include "dissect-image.h"
16 #include "fs-util.h"
17 #include "macro.h"
18 #include "string-util.h"
19
20 typedef enum ProtectHome {
21 PROTECT_HOME_NO,
22 PROTECT_HOME_YES,
23 PROTECT_HOME_READ_ONLY,
24 PROTECT_HOME_TMPFS,
25 _PROTECT_HOME_MAX,
26 _PROTECT_HOME_INVALID = -EINVAL,
27 } ProtectHome;
28
29 typedef enum NamespaceType {
30 NAMESPACE_MOUNT,
31 NAMESPACE_CGROUP,
32 NAMESPACE_UTS,
33 NAMESPACE_IPC,
34 NAMESPACE_USER,
35 NAMESPACE_PID,
36 NAMESPACE_NET,
37 _NAMESPACE_TYPE_MAX,
38 _NAMESPACE_TYPE_INVALID = -EINVAL,
39 } NamespaceType;
40
41 typedef enum ProtectSystem {
42 PROTECT_SYSTEM_NO,
43 PROTECT_SYSTEM_YES,
44 PROTECT_SYSTEM_FULL,
45 PROTECT_SYSTEM_STRICT,
46 _PROTECT_SYSTEM_MAX,
47 _PROTECT_SYSTEM_INVALID = -EINVAL,
48 } ProtectSystem;
49
50 typedef enum ProtectProc {
51 PROTECT_PROC_DEFAULT,
52 PROTECT_PROC_NOACCESS, /* hidepid=noaccess */
53 PROTECT_PROC_INVISIBLE, /* hidepid=invisible */
54 PROTECT_PROC_PTRACEABLE, /* hidepid=ptraceable */
55 _PROTECT_PROC_MAX,
56 _PROTECT_PROC_INVALID = -EINVAL,
57 } ProtectProc;
58
59 typedef enum ProcSubset {
60 PROC_SUBSET_ALL,
61 PROC_SUBSET_PID, /* subset=pid */
62 _PROC_SUBSET_MAX,
63 _PROC_SUBSET_INVALID = -EINVAL,
64 } ProcSubset;
65
66 struct NamespaceInfo {
67 bool ignore_protect_paths;
68 bool private_dev;
69 bool private_mounts;
70 bool protect_control_groups;
71 bool protect_kernel_tunables;
72 bool protect_kernel_modules;
73 bool protect_kernel_logs;
74 bool mount_apivfs;
75 bool protect_hostname;
76 bool private_ipc;
77 bool mount_nosuid;
78 ProtectHome protect_home;
79 ProtectSystem protect_system;
80 ProtectProc protect_proc;
81 ProcSubset proc_subset;
82 };
83
84 struct BindMount {
85 char *source;
86 char *destination;
87 bool read_only;
88 bool nosuid;
89 bool recursive;
90 bool ignore_enoent;
91 };
92
93 struct TemporaryFileSystem {
94 char *path;
95 char *options;
96 };
97
98 typedef enum MountImageType {
99 MOUNT_IMAGE_DISCRETE,
100 MOUNT_IMAGE_EXTENSION,
101 _MOUNT_IMAGE_TYPE_MAX,
102 _MOUNT_IMAGE_TYPE_INVALID = -EINVAL,
103 } MountImageType;
104
105 struct MountImage {
106 char *source;
107 char *destination; /* Unused if MountImageType == MOUNT_IMAGE_EXTENSION */
108 LIST_HEAD(MountOptions, mount_options);
109 bool ignore_enoent;
110 MountImageType type;
111 };
112
113 int setup_namespace(
114 const char *root_directory,
115 const char *root_image,
116 const MountOptions *root_image_options,
117 const NamespaceInfo *ns_info,
118 char **read_write_paths,
119 char **read_only_paths,
120 char **inaccessible_paths,
121 char **exec_paths,
122 char **no_exec_paths,
123 char **empty_directories,
124 char **exec_dir_symlinks,
125 const BindMount *bind_mounts,
126 size_t n_bind_mounts,
127 const TemporaryFileSystem *temporary_filesystems,
128 size_t n_temporary_filesystems,
129 const MountImage *mount_images,
130 size_t n_mount_images,
131 const char *tmp_dir,
132 const char *var_tmp_dir,
133 const char *creds_path,
134 const char *log_namespace,
135 unsigned long mount_flags,
136 const void *root_hash,
137 size_t root_hash_size,
138 const char *root_hash_path,
139 const void *root_hash_sig,
140 size_t root_hash_sig_size,
141 const char *root_hash_sig_path,
142 const char *root_verity,
143 const MountImage *extension_images,
144 size_t n_extension_images,
145 const char *propagate_dir,
146 const char *incoming_dir,
147 const char *notify_socket,
148 char **error_path);
149
150 #define RUN_SYSTEMD_EMPTY "/run/systemd/empty"
151
152 static inline char* namespace_cleanup_tmpdir(char *p) {
153 PROTECT_ERRNO;
154 if (!streq_ptr(p, RUN_SYSTEMD_EMPTY))
155 (void) rmdir(p);
156 return mfree(p);
157 }
158 DEFINE_TRIVIAL_CLEANUP_FUNC(char*, namespace_cleanup_tmpdir);
159
160 int setup_tmp_dirs(
161 const char *id,
162 char **tmp_dir,
163 char **var_tmp_dir);
164
165 int setup_shareable_ns(const int ns_storage_socket[static 2], unsigned long nsflag);
166 int open_shareable_ns_path(const int netns_storage_socket[static 2], const char *path, unsigned long nsflag);
167
168 const char* protect_home_to_string(ProtectHome p) _const_;
169 ProtectHome protect_home_from_string(const char *s) _pure_;
170
171 const char* protect_system_to_string(ProtectSystem p) _const_;
172 ProtectSystem protect_system_from_string(const char *s) _pure_;
173
174 const char* protect_proc_to_string(ProtectProc i) _const_;
175 ProtectProc protect_proc_from_string(const char *s) _pure_;
176
177 const char* proc_subset_to_string(ProcSubset i) _const_;
178 ProcSubset proc_subset_from_string(const char *s) _pure_;
179
180 void bind_mount_free_many(BindMount *b, size_t n);
181 int bind_mount_add(BindMount **b, size_t *n, const BindMount *item);
182
183 void temporary_filesystem_free_many(TemporaryFileSystem *t, size_t n);
184 int temporary_filesystem_add(TemporaryFileSystem **t, size_t *n,
185 const char *path, const char *options);
186
187 MountImage* mount_image_free_many(MountImage *m, size_t *n);
188 int mount_image_add(MountImage **m, size_t *n, const MountImage *item);
189
190 const char* namespace_type_to_string(NamespaceType t) _const_;
191 NamespaceType namespace_type_from_string(const char *s) _pure_;
192
193 bool ns_type_supported(NamespaceType type);
Unnamed repository; edit this file 'description' to name the repository.