1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 #pragma once
3
4 /***
5 This file is part of systemd.
6
7 Copyright 2010 Lennart Poettering
8 Copyright 2016 Djalal Harouni
9 ***/
10
/* Forward typedefs for the structs defined further down. They are placed
 * before the #includes below, presumably so the included headers can name
 * these types (by pointer) without creating an include cycle. */
typedef struct NamespaceInfo NamespaceInfo;
typedef struct BindMount BindMount;
typedef struct TemporaryFileSystem TemporaryFileSystem;
14
15 #include <stdbool.h>
16
17 #include "dissect-image.h"
18 #include "macro.h"
19
/* Protection level applied to home directories by setup_namespace().
 *
 * Sentinel convention used throughout this header: the _*_MAX value is the
 * count of real values (usable as an array bound for lookup tables), and
 * _*_INVALID (-1) is the "no such value" result — presumably what
 * protect_home_from_string() returns for unrecognised input; verify in the
 * implementation before relying on it. */
typedef enum ProtectHome {
        PROTECT_HOME_NO,
        PROTECT_HOME_YES,
        PROTECT_HOME_READ_ONLY,
        PROTECT_HOME_TMPFS,
        _PROTECT_HOME_MAX,
        _PROTECT_HOME_INVALID = -1
} ProtectHome;
28
/* Kinds of namespace this module knows about (the names match the Linux
 * namespace types: mount, cgroup, UTS, IPC, user, PID, network).
 *
 * The declaration order is part of the contract: namespace_type_to_string()
 * presumably indexes a table by these values, so new entries go before
 * _NAMESPACE_TYPE_MAX and existing ones must not be reordered.
 * ns_type_supported() reports whether a given type is usable at runtime. */
typedef enum NamespaceType {
        NAMESPACE_MOUNT,
        NAMESPACE_CGROUP,
        NAMESPACE_UTS,
        NAMESPACE_IPC,
        NAMESPACE_USER,
        NAMESPACE_PID,
        NAMESPACE_NET,
        _NAMESPACE_TYPE_MAX,
        _NAMESPACE_TYPE_INVALID = -1,
} NamespaceType;
40
/* Protection level applied to system directories by setup_namespace().
 * Same sentinel convention as ProtectHome: _PROTECT_SYSTEM_MAX counts the
 * real values, _PROTECT_SYSTEM_INVALID (-1) marks "not a valid value"
 * (presumably the failure result of protect_system_from_string()). */
typedef enum ProtectSystem {
        PROTECT_SYSTEM_NO,
        PROTECT_SYSTEM_YES,
        PROTECT_SYSTEM_FULL,
        PROTECT_SYSTEM_STRICT,
        _PROTECT_SYSTEM_MAX,
        _PROTECT_SYSTEM_INVALID = -1
} ProtectSystem;
49
/* Set of boolean switches selecting which sandboxing features
 * setup_namespace() applies; it receives this struct read-only via the
 * ns_info parameter. Each member is a single-bit bitfield so the whole
 * struct stays small and can be passed around cheaply.
 *
 * The member names mirror the corresponding options; what each one does
 * precisely is defined by the implementation, not here. */
struct NamespaceInfo {
        bool ignore_protect_paths:1;
        bool private_dev:1;
        bool private_mounts:1;
        bool protect_control_groups:1;
        bool protect_kernel_tunables:1;
        bool protect_kernel_modules:1;
        bool mount_apivfs:1;
};
59
/* One bind mount to establish inside the mount namespace.
 *
 * Ownership: source and destination are heap strings owned by the array
 * element — bind_mount_free_many() releases them, and bind_mount_add()
 * takes a const item, so it presumably duplicates the strings rather than
 * adopting the caller's pointers. Confirm in the implementation before
 * freeing them anywhere else. */
struct BindMount {
        char *source;
        char *destination;
        bool read_only:1;     /* mount the destination read-only */
        bool recursive:1;     /* presumably bind recursively (MS_REC-style); verify */
        bool ignore_enoent:1; /* presumably tolerate a missing source instead of failing; verify */
};
67
/* One tmpfs to mount inside the namespace.
 *
 * Both strings are owned by the array element: temporary_filesystem_add()
 * takes const char * inputs (so presumably copies them) and
 * temporary_filesystem_free_many() releases them. 'options' is presumably
 * a mount option string passed through to the tmpfs mount; its exact
 * format is defined by the implementation. */
struct TemporaryFileSystem {
        char *path;
        char *options;
};
72
/**
 * Build the mount namespace / filesystem sandbox for a service.
 *
 * @param root_directory        Directory to use as the new root, or NULL.
 * @param root_image            Image to use as the new root, or NULL; how
 *                              the two root_* arguments interact is decided
 *                              by the implementation.
 * @param ns_info               Feature switches (see struct NamespaceInfo).
 * @param read_write_paths      Path lists (char **, presumably NULL-terminated
 * @param read_only_paths       strv arrays as elsewhere in systemd — confirm).
 * @param inaccessible_paths
 * @param empty_directories
 * @param bind_mounts           Array of n_bind_mounts BindMount entries.
 * @param n_bind_mounts
 * @param temporary_filesystems Array of n_temporary_filesystems entries.
 * @param n_temporary_filesystems
 * @param tmp_dir               Private /tmp and /var/tmp locations, e.g. as
 * @param var_tmp_dir           produced by setup_tmp_dirs(); may be NULL.
 * @param protect_home          See enum ProtectHome.
 * @param protect_system        See enum ProtectSystem.
 * @param mount_flags           Presumably mount propagation flags (MS_*) for
 *                              the new namespace — verify against callers.
 * @param dissected_image_flags Flags for dissect-image.h when root_image is
 *                              used.
 * @return int; presumably 0 on success and a negative errno on failure
 *              (systemd convention) — confirm in the implementation.
 *
 * NOTE(review): 17 parameters is well past the point where a parameter
 * struct would be clearer and less error-prone for callers (the four
 * char ** lists in particular are easy to transpose). Changing this is an
 * API change for every caller, so it is left as is here.
 */
int setup_namespace(
                const char *root_directory,
                const char *root_image,
                const NamespaceInfo *ns_info,
                char **read_write_paths,
                char **read_only_paths,
                char **inaccessible_paths,
                char **empty_directories,
                const BindMount *bind_mounts,
                size_t n_bind_mounts,
                const TemporaryFileSystem *temporary_filesystems,
                size_t n_temporary_filesystems,
                const char *tmp_dir,
                const char *var_tmp_dir,
                ProtectHome protect_home,
                ProtectSystem protect_system,
                unsigned long mount_flags,
                DissectImageFlags dissected_image_flags);
91
/**
 * Create the private temporary directories for a unit.
 *
 * @param id          Identifier the directories are derived from.
 * @param tmp_dir     Out-parameters receiving the created paths; presumably
 * @param var_tmp_dir heap-allocated and owned by the caller afterwards —
 *                    confirm who frees them before use.
 * @return int; presumably 0 or negative errno.
 */
int setup_tmp_dirs(
                const char *id,
                char **tmp_dir,
                char **var_tmp_dir);

/**
 * Set up (or join) the network namespace.
 *
 * @param netns_storage_socket A pair of socket fds (the array parameter
 *                             decays to int *, so exactly two entries are
 *                             expected); presumably used to stash and share
 *                             the namespace fd between processes — verify.
 * @return int; presumably 0 or negative errno.
 */
int setup_netns(int netns_storage_socket[2]);
98
/* String <-> enum conversions. _const_ / _pure_ are the attribute macros
 * from macro.h. The *_or_bool_from_string() variants have no purity
 * attribute and presumably additionally accept boolean spellings
 * (mapping to the *_NO / *_YES values) — verify in the implementation.
 * Unrecognised input presumably yields the _*_INVALID sentinel. */
const char* protect_home_to_string(ProtectHome p) _const_;
ProtectHome protect_home_from_string(const char *s) _pure_;
ProtectHome protect_home_or_bool_from_string(const char *s);

const char* protect_system_to_string(ProtectSystem p) _const_;
ProtectSystem protect_system_from_string(const char *s) _pure_;
ProtectSystem protect_system_or_bool_from_string(const char *s);
106
/* Array helpers for BindMount / TemporaryFileSystem.
 *
 * *_free_many(arr, n) releases the strings of n entries; whether it also
 * frees the array itself is decided by the implementation — check before
 * pairing it with free(). *_add(&arr, &n, ...) takes the array and count by
 * pointer, so it presumably grows the array and updates *n on success;
 * the return int is presumably 0 or a negative errno (e.g. on OOM). */
void bind_mount_free_many(BindMount *b, size_t n);
int bind_mount_add(BindMount **b, size_t *n, const BindMount *item);

void temporary_filesystem_free_many(TemporaryFileSystem *t, size_t n);
int temporary_filesystem_add(TemporaryFileSystem **t, size_t *n,
                             const char *path, const char *options);
113
/* NamespaceType <-> string conversion (same conventions as the
 * ProtectHome/ProtectSystem helpers above). */
const char* namespace_type_to_string(NamespaceType t) _const_;
NamespaceType namespace_type_from_string(const char *s) _pure_;

/* Whether the given namespace type can be used on this system; presumably
 * a runtime probe of kernel support rather than a static check — verify. */
bool ns_type_supported(NamespaceType type);