]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/libsystemd/sd-bus/bus-container.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2013 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
26 #include "process-util.h"
27 #include "bus-internal.h"
28 #include "bus-socket.h"
29 #include "bus-container.h"
31 int bus_container_connect_socket(sd_bus
*b
) {
32 _cleanup_close_pair_
int pair
[2] = { -1, -1 };
33 _cleanup_close_
int pidnsfd
= -1, mntnsfd
= -1, usernsfd
= -1, rootfd
= -1;
40 assert(b
->input_fd
< 0);
41 assert(b
->output_fd
< 0);
42 assert(b
->nspid
> 0 || b
->machine
);
45 r
= container_get_leader(b
->machine
, &b
->nspid
);
50 r
= namespace_open(b
->nspid
, &pidnsfd
, &mntnsfd
, NULL
, &usernsfd
, &rootfd
);
54 b
->input_fd
= socket(b
->sockaddr
.sa
.sa_family
, SOCK_STREAM
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
58 b
->output_fd
= b
->input_fd
;
62 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
, 0, pair
) < 0)
72 pair
[0] = safe_close(pair
[0]);
74 r
= namespace_enter(pidnsfd
, mntnsfd
, -1, usernsfd
, rootfd
);
78 /* We just changed PID namespace, however it will only
79 * take effect on the children we now fork. Hence,
80 * let's fork another time, and connect from this
81 * grandchild, so that SO_PEERCRED of our connection
82 * comes from a process from within the container, and
83 * not outside of it */
89 if (grandchild
== 0) {
91 r
= connect(b
->input_fd
, &b
->sockaddr
.sa
, b
->sockaddr_size
);
93 /* Try to send error up */
95 (void) write(pair
[1], &error_buf
, sizeof(error_buf
));
102 r
= wait_for_terminate(grandchild
, &si
);
106 if (si
.si_code
!= CLD_EXITED
)
112 pair
[1] = safe_close(pair
[1]);
114 r
= wait_for_terminate(child
, &si
);
118 n
= read(pair
[0], &error_buf
, sizeof(error_buf
));
123 if (n
!= sizeof(error_buf
))
129 if (error_buf
== EINPROGRESS
)
136 if (si
.si_code
!= CLD_EXITED
)
139 if (si
.si_status
!= EXIT_SUCCESS
)
142 return bus_socket_start_auth(b
);
145 int bus_container_connect_kernel(sd_bus
*b
) {
146 _cleanup_close_pair_
int pair
[2] = { -1, -1 };
147 _cleanup_close_
int pidnsfd
= -1, mntnsfd
= -1, usernsfd
= -1, rootfd
= -1;
149 struct cmsghdr cmsghdr
;
150 uint8_t buf
[CMSG_SPACE(sizeof(int))];
154 .iov_base
= &error_buf
,
155 .iov_len
= sizeof(error_buf
),
158 .msg_control
= &control
,
159 .msg_controllen
= sizeof(control
),
163 struct cmsghdr
*cmsg
;
170 assert(b
->input_fd
< 0);
171 assert(b
->output_fd
< 0);
172 assert(b
->nspid
> 0 || b
->machine
);
175 r
= container_get_leader(b
->machine
, &b
->nspid
);
180 r
= namespace_open(b
->nspid
, &pidnsfd
, &mntnsfd
, NULL
, &usernsfd
, &rootfd
);
184 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
, 0, pair
) < 0)
194 pair
[0] = safe_close(pair
[0]);
196 r
= namespace_enter(pidnsfd
, mntnsfd
, -1, usernsfd
, rootfd
);
200 /* We just changed PID namespace, however it will only
201 * take effect on the children we now fork. Hence,
202 * let's fork another time, and connect from this
203 * grandchild, so that kdbus only sees the credentials
204 * of this process which comes from within the
205 * container, and not outside of it */
211 if (grandchild
== 0) {
212 fd
= open(b
->kernel
, O_RDWR
|O_NOCTTY
|O_CLOEXEC
);
214 /* Try to send error up */
216 (void) write(pair
[1], &error_buf
, sizeof(error_buf
));
220 cmsg
= CMSG_FIRSTHDR(&mh
);
221 cmsg
->cmsg_level
= SOL_SOCKET
;
222 cmsg
->cmsg_type
= SCM_RIGHTS
;
223 cmsg
->cmsg_len
= CMSG_LEN(sizeof(int));
224 memcpy(CMSG_DATA(cmsg
), &fd
, sizeof(int));
226 mh
.msg_controllen
= cmsg
->cmsg_len
;
228 if (sendmsg(pair
[1], &mh
, MSG_NOSIGNAL
) < 0)
234 r
= wait_for_terminate(grandchild
, &si
);
238 if (si
.si_code
!= CLD_EXITED
)
244 pair
[1] = safe_close(pair
[1]);
246 r
= wait_for_terminate(child
, &si
);
250 n
= recvmsg(pair
[0], &mh
, MSG_NOSIGNAL
|MSG_CMSG_CLOEXEC
);
254 CMSG_FOREACH(cmsg
, &mh
) {
255 if (cmsg
->cmsg_level
== SOL_SOCKET
&& cmsg
->cmsg_type
== SCM_RIGHTS
) {
261 fds
= (int*) CMSG_DATA(cmsg
);
262 n_fds
= (cmsg
->cmsg_len
- CMSG_LEN(0)) / sizeof(int);
265 close_many(fds
, n_fds
);
273 /* If there's an fd passed, we are good. */
275 b
->input_fd
= b
->output_fd
= fd
;
276 return bus_kernel_take_fd(b
);
279 /* If there's an error passed, use it */
280 if (n
== sizeof(error_buf
) && error_buf
> 0)
283 /* Otherwise, we have no clue */