1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
5 Copyright © 2016 Djalal Harouni
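/* Forward declarations. They let the prototypes in this header take these structs by
 * pointer without the full definitions being visible at that point.
 * The listing's line-number residue and split tokens are removed so the declarations are
 * valid C again. */
typedef struct NamespaceInfo NamespaceInfo;
typedef struct BindMount BindMount;
typedef struct TemporaryFileSystem TemporaryFileSystem;
typedef struct MountImage MountImage;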
15 #include "dissect-image.h"
18 #include "string-util.h"
/* ProtectHome: selector for a home-directory protection mode (reading based on the name,
 * confirm against the code that consumes it).
 * NOTE(review): only PROTECT_HOME_READ_ONLY and the negative sentinel are visible in this
 * listing; the other members and the closing brace are not shown.
 * _PROTECT_HOME_INVALID is -1, so a value of this type has to be range-checked before it
 * is used as a table index. */
20 typedef enum ProtectHome
{
23 PROTECT_HOME_READ_ONLY
,
26 _PROTECT_HOME_INVALID
= -1
/* NamespaceType: identifies a kind of namespace (reading based on the name).
 * NOTE(review): only the -1 error sentinel is visible in this listing; the real members
 * and the closing brace are not shown. */
29 typedef enum NamespaceType
{
38 _NAMESPACE_TYPE_INVALID
= -1,
/* ProtectSystem: selector for a system-directory protection mode (reading based on the
 * name, confirm against the consumer).
 * NOTE(review): only PROTECT_SYSTEM_STRICT and the -1 sentinel are visible in this
 * listing. Code that switches on this type should treat any unhandled value, including
 * the sentinel, as an error rather than as "no protection". */
41 typedef enum ProtectSystem
{
45 PROTECT_SYSTEM_STRICT
,
47 _PROTECT_SYSTEM_INVALID
= -1
/* ProtectProc: each visible member is annotated with the procfs hidepid= mount option
 * value it stands for (noaccess, invisible, ptraceable). These values restrict what a
 * process can learn about other processes through /proc.
 * NOTE(review): listing lines 51 and 55 and the closing brace are not shown, so the
 * member list here is incomplete. _PROTECT_PROC_INVALID (-1) is the error sentinel. */
50 typedef enum ProtectProc
{
52 PROTECT_PROC_NOACCESS
, /* hidepid=noaccess */
53 PROTECT_PROC_INVISIBLE
, /* hidepid=invisible */
54 PROTECT_PROC_PTRACEABLE
, /* hidepid=ptraceable */
56 _PROTECT_PROC_INVALID
= -1,
/* ProcSubset: PROC_SUBSET_PID is annotated as the procfs subset=pid mount option, which
 * limits the mounted /proc to its per-process part.
 * NOTE(review): listing lines 60 and 62 and the closing brace are not shown.
 * _PROC_SUBSET_INVALID (-1) is the error sentinel. */
59 typedef enum ProcSubset
{
61 PROC_SUBSET_PID
, /* subset=pid */
63 _PROC_SUBSET_INVALID
= -1,
/* NamespaceInfo: a bundle of sandboxing switches. It holds boolean toggles followed by
 * four enum-valued settings (ProtectHome, ProtectSystem, ProtectProc, ProcSubset).
 * NOTE(review): listing lines 68-69, 74 and everything after 79, including the closing
 * brace, are not shown, so further fields may exist. */
66 struct NamespaceInfo
{
/* NOTE(review): the name suggests this relaxes path protections rather than adding one;
 * call sites that set it deserve extra scrutiny. Confirm the exact semantics. */
67 bool ignore_protect_paths
;
70 bool protect_control_groups
;
71 bool protect_kernel_tunables
;
72 bool protect_kernel_modules
;
73 bool protect_kernel_logs
;
75 bool protect_hostname
;
/* Enum-valued settings. Each type has a negative _INVALID sentinel, so a zero-initialised
 * struct does not hold the sentinel in these fields. */
76 ProtectHome protect_home
;
77 ProtectSystem protect_system
;
78 ProtectProc protect_proc
;
79 ProcSubset proc_subset
;
/* TemporaryFileSystem: the struct body is not visible in this listing.
 * NOTE(review): the LIST_HEAD(MountOptions, mount_options) below sits at listing line 99,
 * eight lines after this header, and the lines in between are not shown. It may belong to
 * a different struct declared in the gap; do not assume it is a member of
 * TemporaryFileSystem without checking the full file. */
91 struct TemporaryFileSystem
{
99 LIST_HEAD(MountOptions
, mount_options
);
/* Parameter list of a function whose name and return type (listing line 103) are not
 * shown here, and whose closing parenthesis is also outside the visible lines.
 * Visible conventions:
 *   - every array-like input has an explicit element count (bind_mounts/n_bind_mounts,
 *     temporary_filesystems/n_temporary_filesystems, mount_images/n_mount_images);
 *   - the char ** path lists carry no count, so they are presumably NULL-terminated
 *     string vectors. Confirm against the implementation. */
104 const char *root_directory
,
105 const char *root_image
,
106 const MountOptions
*root_image_options
,
107 const NamespaceInfo
*ns_info
,
108 char **read_write_paths
,
109 char **read_only_paths
,
110 char **inaccessible_paths
,
111 char **empty_directories
,
112 const BindMount
*bind_mounts
,
113 size_t n_bind_mounts
,
114 const TemporaryFileSystem
*temporary_filesystems
,
115 size_t n_temporary_filesystems
,
116 const MountImage
*mount_images
,
117 size_t n_mount_images
,
119 const char *var_tmp_dir
,
120 const char *creds_path
,
121 const char *log_namespace
,
122 unsigned long mount_flags
,
/* Integrity inputs for the root image. root_hash and root_hash_sig are untyped byte
 * buffers, each with its own length, and each has a *_path alternative; root_verity is
 * a further path.
 * NOTE(review): these are presumably the verity root hash, its signature and the verity
 * data for root_image. Confirm, and check that the implementation never reads past
 * root_hash_size / root_hash_sig_size and rejects a non-NULL buffer with size 0. */
123 const void *root_hash
,
124 size_t root_hash_size
,
125 const char *root_hash_path
,
126 const void *root_hash_sig
,
127 size_t root_hash_sig_size
,
128 const char *root_hash_sig_path
,
129 const char *root_verity
,
130 DissectImageFlags dissected_image_flags
,
/* Sentinel directory path. namespace_cleanup_tmpdir() below compares its argument against
 * this constant and only runs its guarded statements when the two differ. */
133 #define RUN_SYSTEMD_EMPTY "/run/systemd/empty"
/* Cleanup helper for a path string. The guard uses streq_ptr(), so the comparison is by
 * string content and not by pointer identity.
 * NOTE(review): the guarded statements and the closing brace (listing lines 138-140) are
 * not shown here. Check there that p == NULL is tolerated and that the sentinel path is
 * never removed or freed. */
135 static inline void namespace_cleanup_tmpdir(char *p
) {
137 if (!streq_ptr(p
, RUN_SYSTEMD_EMPTY
))
/* NOTE(review): DEFINE_TRIVIAL_CLEANUP_FUNC is defined outside this listing. It presumably
 * generates a wrapper that lets namespace_cleanup_tmpdir run automatically on a char *
 * variable at scope exit. Confirm the generated name before relying on it. */
141 DEFINE_TRIVIAL_CLEANUP_FUNC(char*, namespace_cleanup_tmpdir
);
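/* Network-namespace helpers (line-number residue removed, split tokens rejoined).
 *
 * Both functions take netns_storage_socket as an array of at least two ints, as the
 * `[static 2]` qualifier requires, so a caller must never pass NULL or a shorter array.
 * NOTE(review): the name suggests a socket pair that stores a namespace file descriptor.
 * The int result is presumably negative on failure. Confirm both in the implementation. */
int setup_netns(const int netns_storage_socket[static 2]);

/* Same socket array plus a path.
 * NOTE(review): path is presumably the file-system path of an existing network namespace
 * to open. If it can come from configuration, the implementation should verify that the
 * opened object really is a namespace. Confirm. */
int open_netns_path(const int netns_storage_socket[static 2], const char *path);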
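/* Enum <-> string converters for the protection settings (line-number residue removed,
 * split tokens rejoined).
 *
 * _const_ and _pure_ are attribute macros defined outside this listing, presumably the
 * compiler's const/pure function attributes.
 *
 * NOTE(review): each *_from_string() returns the enum type itself, and every one of these
 * enums has a negative _INVALID sentinel. Unrecognised input is therefore presumably
 * reported as that sentinel. Code that parses configuration should test the result for
 * < 0 before storing or indexing with it, and should check *_to_string() for NULL before
 * printing. Confirm both against the implementation. */
const char* protect_home_to_string(ProtectHome p) _const_;
ProtectHome protect_home_from_string(const char *s) _pure_;

const char* protect_system_to_string(ProtectSystem p) _const_;
ProtectSystem protect_system_from_string(const char *s) _pure_;

const char* protect_proc_to_string(ProtectProc i) _const_;
ProtectProc protect_proc_from_string(const char *s) _pure_;

const char* proc_subset_to_string(ProcSubset i) _const_;
ProcSubset proc_subset_from_string(const char *s) _pure_;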
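/* Array helpers for the three mount-description types (line-number residue removed,
 * split tokens rejoined).
 *
 * The *_add() functions take the array and its element count by pointer (T **, size_t *),
 * so they can replace the array and update the count. They return int, presumably
 * negative on failure. Confirm, and check whether the array is left unchanged when the
 * call fails.
 *
 * The *_free_many() signatures differ. The BindMount and TemporaryFileSystem variants
 * take the count by value and return void. mount_image_free_many() takes the count by
 * pointer and returns a MountImage pointer.
 * NOTE(review): it presumably resets *n and returns NULL so the caller can clear its own
 * pointer in one statement. With the void variants the caller must clear the pointer and
 * the count itself to avoid a dangling reference. Confirm. */
void bind_mount_free_many(BindMount *b, size_t n);
int bind_mount_add(BindMount **b, size_t *n, const BindMount *item);

void temporary_filesystem_free_many(TemporaryFileSystem *t, size_t n);
int temporary_filesystem_add(TemporaryFileSystem **t, size_t *n,
                             const char *path, const char *options);

MountImage* mount_image_free_many(MountImage *m, size_t *n);
int mount_image_add(MountImage **m, size_t *n, const MountImage *item);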
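/* NamespaceType helpers (line-number residue removed, split tokens rejoined).
 *
 * namespace_type_from_string() returns the enum type.
 * NOTE(review): unrecognised input is presumably reported as _NAMESPACE_TYPE_INVALID (-1),
 * so callers should check for a negative result before passing it on. Confirm. */
const char* namespace_type_to_string(NamespaceType t) _const_;
NamespaceType namespace_type_from_string(const char *s) _pure_;

/* Reports whether the given namespace type is supported.
 * NOTE(review): presumably a runtime probe of the running kernel. Confirm how a false
 * result is handled by callers, so that a missing namespace type does not silently drop
 * a requested isolation setting. */
bool ns_type_supported(NamespaceType type);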