1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 #pragma once
3
4 /***
5 This file is part of systemd.
6
7 Copyright 2010 Lennart Poettering
8 Copyright 2016 Djalal Harouni
9 ***/
10
/* Forward typedefs for the three structs defined further down in this header, so the
 * type names are usable before (and independently of) their full definitions. They are
 * placed ahead of the #includes below — presumably so an included header may refer to
 * them; confirm against dissect-image.h before moving them. */
typedef struct NamespaceInfo NamespaceInfo;
typedef struct BindMount BindMount;
typedef struct TemporaryFileSystem TemporaryFileSystem;
14
15 #include <stdbool.h>
16
17 #include "dissect-image.h"
18 #include "macro.h"
19
/* Sandboxing level applied to the home directories (the ProtectHome= unit setting).
 * _PROTECT_HOME_MAX is the count of valid values, suitable for sizing string tables;
 * _PROTECT_HOME_INVALID is the out-of-band "not a valid value" marker (presumably what
 * protect_home_from_string() returns for unknown input — verify in namespace.c). */
typedef enum ProtectHome {
        PROTECT_HOME_NO,
        PROTECT_HOME_YES,
        PROTECT_HOME_READ_ONLY,
        PROTECT_HOME_TMPFS,
        _PROTECT_HOME_MAX,
        _PROTECT_HOME_INVALID = -1
} ProtectHome;
28
/* Kinds of Linux namespaces this module knows about. Used by
 * namespace_type_to_string()/namespace_type_from_string() and ns_type_supported() below.
 * _NAMESPACE_TYPE_MAX is the count of valid entries; _NAMESPACE_TYPE_INVALID is the
 * out-of-band error value. */
typedef enum NamespaceType {
        NAMESPACE_MOUNT,
        NAMESPACE_CGROUP,
        NAMESPACE_UTS,
        NAMESPACE_IPC,
        NAMESPACE_USER,
        NAMESPACE_PID,
        NAMESPACE_NET,
        _NAMESPACE_TYPE_MAX,
        _NAMESPACE_TYPE_INVALID = -1,
} NamespaceType;
40
/* Sandboxing level applied to the system directories (the ProtectSystem= unit setting).
 * The values are ordered from least to most restrictive as listed; _PROTECT_SYSTEM_MAX
 * counts the valid values and _PROTECT_SYSTEM_INVALID is the out-of-band error value
 * (presumably returned by protect_system_from_string() on unknown input — verify). */
typedef enum ProtectSystem {
        PROTECT_SYSTEM_NO,
        PROTECT_SYSTEM_YES,
        PROTECT_SYSTEM_FULL,
        PROTECT_SYSTEM_STRICT,
        _PROTECT_SYSTEM_MAX,
        _PROTECT_SYSTEM_INVALID = -1
} ProtectSystem;
49
/* Boolean switches that tune what setup_namespace() does, packed as 1-bit fields.
 * NOTE(review): the names mirror unit settings (PrivateDevices=, ProtectControlGroups=,
 * ProtectKernelTunables=, ProtectKernelModules=, MountAPIVFS=), but the exact mount
 * operations each flag triggers are only visible in namespace.c — confirm there before
 * relying on these paraphrases. */
struct NamespaceInfo {
        bool ignore_protect_paths:1;    /* skip the protect-paths handling entirely */
        bool private_dev:1;             /* PrivateDevices= */
        bool protect_control_groups:1;  /* ProtectControlGroups= */
        bool protect_kernel_tunables:1; /* ProtectKernelTunables= */
        bool protect_kernel_modules:1;  /* ProtectKernelModules= */
        bool mount_apivfs:1;            /* MountAPIVFS= */
};
58
/* One bind mount to apply inside the mount namespace. The two strings are owned by the
 * struct (released via bind_mount_free_many()); field semantics below are taken from
 * the names, so treat them as a reading aid rather than a contract. */
struct BindMount {
        char *source;         /* path on the host side */
        char *destination;    /* path where it appears inside the namespace */
        bool read_only:1;     /* mount read-only */
        bool recursive:1;     /* bind recursively (submounts included) */
        bool ignore_enoent:1; /* presumably: a missing source is not an error — confirm */
};
66
/* A tmpfs to mount at `path` inside the namespace, with `options` as the mount option
 * string (may be NULL per temporary_filesystem_add()'s signature — confirm in namespace.c).
 * Both strings are owned by the struct and released via temporary_filesystem_free_many(). */
struct TemporaryFileSystem {
        char *path;
        char *options;
};
71
/* Builds the mount-namespace sandbox for a service from the unit's sandboxing settings.
 *
 * root_directory / root_image: the root to pivot into (directory or disk image); the
 *   image is dissected with dissected_image_flags (see dissect-image.h).
 * ns_info: the boolean switches from struct NamespaceInfo.
 * read_write_paths, read_only_paths, inaccessible_paths, empty_directories: NULL-terminated
 *   string lists (strv) of paths to treat accordingly.
 * bind_mounts / n_bind_mounts, temporary_filesystems / n_temporary_filesystems:
 *   arrays with explicit lengths, built with bind_mount_add()/temporary_filesystem_add().
 * tmp_dir / var_tmp_dir: private /tmp and /var/tmp directories (see setup_tmp_dirs()).
 * protect_home / protect_system: the ProtectHome= / ProtectSystem= levels.
 * mount_flags: additional mount(2) flags applied to the namespace.
 *
 * Returns 0 on success or a negative errno-style code on failure.
 * NOTE(review): the list/strv and return-value conventions above follow systemd's
 * general style; the actual ordering of the mount operations — which matters for what
 * the sandbox finally exposes — is defined in namespace.c, not here. */
int setup_namespace(
                const char *root_directory,
                const char *root_image,
                const NamespaceInfo *ns_info,
                char **read_write_paths,
                char **read_only_paths,
                char **inaccessible_paths,
                char **empty_directories,
                const BindMount *bind_mounts,
                unsigned n_bind_mounts,
                const TemporaryFileSystem *temporary_filesystems,
                unsigned n_temporary_filesystems,
                const char *tmp_dir,
                const char *var_tmp_dir,
                ProtectHome protect_home,
                ProtectSystem protect_system,
                unsigned long mount_flags,
                DissectImageFlags dissected_image_flags);
90
/* Creates the private /tmp and /var/tmp directories for the unit identified by `id`.
 * tmp_dir and var_tmp_dir are output parameters receiving newly allocated paths that the
 * caller owns (presumably to be freed with free() — confirm in namespace.c).
 * Returns 0 on success or a negative errno-style code. */
int setup_tmp_dirs(
                const char *id,
                char **tmp_dir,
                char **var_tmp_dir);
95
96 int setup_netns(int netns_storage_socket[2]);
97
/* String table lookups for ProtectHome; _const_/_pure_ come from macro.h and mark the
 * functions as side-effect free for the compiler. parse_protect_home_or_bool() presumably
 * also accepts a boolean string ("yes"/"no" style) and maps it to YES/NO — confirm in
 * namespace.c; both parsers are expected to yield _PROTECT_HOME_INVALID on bad input. */
const char* protect_home_to_string(ProtectHome p) _const_;
ProtectHome protect_home_from_string(const char *s) _pure_;
ProtectHome parse_protect_home_or_bool(const char *s);
101
/* String table lookups for ProtectSystem, mirroring the ProtectHome helpers above.
 * parse_protect_system_or_bool() presumably also accepts a boolean string — confirm in
 * namespace.c; unknown input is expected to yield _PROTECT_SYSTEM_INVALID. */
const char* protect_system_to_string(ProtectSystem p) _const_;
ProtectSystem protect_system_from_string(const char *s) _pure_;
ProtectSystem parse_protect_system_or_bool(const char *s);
105
/* Array helpers for BindMount. bind_mount_free_many() releases the strings of the first
 * n entries (and presumably the array itself — confirm). bind_mount_add() appends a copy
 * of *item to the array at *b, updating *n; returns a negative errno-style code on
 * failure, in which case *b/*n are expected to be left untouched. */
void bind_mount_free_many(BindMount *b, unsigned n);
int bind_mount_add(BindMount **b, unsigned *n, const BindMount *item);
108
/* Array helpers for TemporaryFileSystem, parallel to the BindMount ones: free_many()
 * releases the first n entries, add() appends a new entry built from copies of path and
 * options to *t and updates *n. Returns a negative errno-style code on failure. */
void temporary_filesystem_free_many(TemporaryFileSystem *t, unsigned n);
int temporary_filesystem_add(TemporaryFileSystem **t, unsigned *n,
                             const char *path, const char *options);
112
/* String table lookups for NamespaceType; unknown strings are expected to map to
 * _NAMESPACE_TYPE_INVALID. */
const char* namespace_type_to_string(NamespaceType t) _const_;
NamespaceType namespace_type_from_string(const char *s) _pure_;
115
116 bool ns_type_supported(NamespaceType type);