]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn-oci.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #12055 from poettering/save-argc-argv
[thirdparty/systemd.git] / src / nspawn / nspawn-oci.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <linux/oom.h>
4 #if HAVE_SECCOMP
5 #include <seccomp.h>
6 #endif
7
8 #include "bus-util.h"
9 #include "cap-list.h"
10 #include "cpu-set-util.h"
11 #include "env-util.h"
12 #include "fs-util.h"
13 #include "hostname-util.h"
14 #include "json.h"
15 #include "missing_sched.h"
16 #include "nspawn-oci.h"
17 #include "path-util.h"
18 #include "rlimit-util.h"
19 #if HAVE_SECCOMP
20 #include "seccomp-util.h"
21 #endif
22 #include "stat-util.h"
23 #include "stdio-util.h"
24 #include "string-util.h"
25 #include "strv.h"
26 #include "user-util.h"
27
28 /* TODO:
29 * OCI runtime tool implementation
30 * hooks
31 *
32 * Spec issues:
33 *
34 * How is RLIM_INFINITY supposed to be encoded?
35 * configured effective caps is bullshit, as execv() corrupts it anyway
36 * pipes bind mounted is *very* different from pipes newly created, comments regarding bind mount or not are bogus
37 * annotation values structured? or string?
38 * configurable file system namespace path, but then also root path? wtf?
39 * apply sysctl inside of the container? or outside?
40 * how is unlimited pids tasks limit to be encoded?
41 * what are the defaults for caps if not specified?
42 * what are the default uid/gid mappings if one is missing but the other set, or when user ns is on but no namespace configured
43 * the source field of "mounts" is really weird, as it cannot realistically be relative to the bundle, since we never know if that's what the fs wants
44 * spec contradicts itself on the mount "type" field, as the example uses "bind" as type, but it's not listed in /proc/filesystem, and is something made up by /bin/mount
45 * if type of mount is left out, what shall be assumed? "bind"?
46 * readonly mounts is entirely redundant?
47 * should escaping be applied when joining mount options with ","?
48 * devices cgroup support is bogus, "allow" and "deny" on the kernel level is about adding/removing entries, not about access
49 * spec needs to say that "rwm" devices cgroup combination can't be the empty string
50 * cgrouspv1 crap: kernel, kernelTCP, swapiness, disableOOMKiller, swap, devices, leafWeight
51 * general: it shouldn't leak lower level abstractions this obviously
52 * unmanagable cgroups stuff: realtimeRuntime/realtimePeriod
53 * needs to say what happense when some option is not specified, i.e. which defautls apply
54 * no architecture? no personality?
55 * seccomp example and logic is simply broken: there's no constant "SCMP_ACT_ERRNO".
56 * spec should say what to do with unknown props
57 * /bin/mount regarding NFS and FUSE required?
58 * what does terminal=false mean?
59 * sysctl inside or outside? whitelisting?
60 *
61 * Unsupported:
62 *
63 * apparmorProfile
64 * selinuxLabel + mountLabel
65 * hugepageLimits
66 * network
67 * rdma
68 * intelRdt
69 * swappiness, disableOOMKiller, kernel, kernelTCP, leafWeight (because it's dead, cgroupsv2 can't do it and hence systemd neither)
70 *
71 * Non-slice cgroup paths
72 * Propagation that is not slave + shared
73 * more than one uid/gid mapping, mappings with a container base != 0, or non-matching uid/gid mappings
74 * device cgroups access = false items that are not catchall
75 * device cgroups matches where minor is specified, but major isn't. similar where major is specified but char/block is not. also, any match that only has a type set that has less than "rwm" set. also, any entry that has none of rwm set.
76 *
77 */
78
79 static int oci_unexpected(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
80 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
81 "Unexpected OCI element '%s' of type '%s'.", name, json_variant_type_to_string(json_variant_type(v)));
82 }
83
84 static int oci_unsupported(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
85 return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
86 "Unsupported OCI element '%s' of type '%s'.", name, json_variant_type_to_string(json_variant_type(v)));
87 }
88
89 static int oci_terminal(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
90 Settings *s = userdata;
91
92 /* If not specified, or set to true, we'll default to either an interactive or a read-only
93 * console. If specified as false, we'll forcibly move to "pipe" mode though. */
94 s->console_mode = json_variant_boolean(v) ? _CONSOLE_MODE_INVALID : CONSOLE_PIPE;
95 return 0;
96 }
97
98 static int oci_console_dimension(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata) {
99 unsigned *u = userdata;
100 uintmax_t k;
101
102 assert(u);
103
104 k = json_variant_unsigned(variant);
105 if (k == 0)
106 return json_log(variant, flags, SYNTHETIC_ERRNO(ERANGE),
107 "Console size field '%s' is too small.", strna(name));
108 if (k > USHRT_MAX) /* TIOCSWINSZ's struct winsize uses "unsigned short" for width and height */
109 return json_log(variant, flags, SYNTHETIC_ERRNO(ERANGE),
110 "Console size field '%s' is too large.", strna(name));
111
112 *u = (unsigned) k;
113 return 0;
114 }
115
116 static int oci_console_size(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
117
118 static const JsonDispatch table[] = {
119 { "height", JSON_VARIANT_UNSIGNED, oci_console_dimension, offsetof(Settings, console_height), JSON_MANDATORY },
120 { "width", JSON_VARIANT_UNSIGNED, oci_console_dimension, offsetof(Settings, console_width), JSON_MANDATORY },
121 {}
122 };
123
124 return json_dispatch(v, table, oci_unexpected, flags, userdata);
125 }
126
127 static int oci_absolute_path(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
128 char **p = userdata;
129 const char *n;
130
131 assert(p);
132
133 n = json_variant_string(v);
134
135 if (!path_is_absolute(n))
136 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
137 "Path in JSON field '%s' is not absolute: %s", strna(name), n);
138
139 return free_and_strdup_warn(p, n);
140 }
141
142 static int oci_env(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
143 char ***l = userdata;
144 JsonVariant *e;
145 int r;
146
147 assert(l);
148
149 JSON_VARIANT_ARRAY_FOREACH(e, v) {
150 const char *n;
151
152 if (!json_variant_is_string(e))
153 return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
154 "Environment array contains non-string.");
155
156 assert_se(n = json_variant_string(e));
157
158 if (!env_assignment_is_valid(n))
159 return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
160 "Environment assignment not valid: %s", n);
161
162 r = strv_extend(l, n);
163 if (r < 0)
164 return log_oom();
165 }
166
167 return 0;
168 }
169
170 static int oci_args(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
171 _cleanup_strv_free_ char **l = NULL;
172 char ***value = userdata;
173 JsonVariant *e;
174 int r;
175
176 assert(value);
177
178 JSON_VARIANT_ARRAY_FOREACH(e, v) {
179 const char *n;
180
181 if (!json_variant_is_string(e))
182 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
183 "Argument is not a string.");
184
185 assert_se(n = json_variant_string(e));
186
187 r = strv_extend(&l, n);
188 if (r < 0)
189 return log_oom();
190 }
191
192 if (strv_isempty(l))
193 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
194 "Argument list empty, refusing.");
195
196 if (isempty(l[0]))
197 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
198 "Executable name is empty, refusing.");
199
200 return strv_free_and_replace(*value, l);
201 }
202
203 static int oci_rlimit_type(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
204 const char *z;
205 int t, *type = userdata;
206
207 assert_se(type);
208
209 z = startswith(json_variant_string(v), "RLIMIT_");
210 if (!z)
211 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
212 "rlimit entry's name does not begin with 'RLIMIT_', refusing: %s",
213 json_variant_string(v));
214
215 t = rlimit_from_string(z);
216 if (t < 0)
217 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
218 "rlimit name unknown: %s", json_variant_string(v));
219
220 *type = t;
221 return 0;
222 }
223
224 static int oci_rlimit_value(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
225 rlim_t z, *value = userdata;
226
227 assert(value);
228
229 if (json_variant_is_negative(v))
230 z = RLIM_INFINITY;
231 else {
232 if (!json_variant_is_unsigned(v))
233 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
234 "rlimits limit not unsigned, refusing.");
235
236 z = (rlim_t) json_variant_unsigned(v);
237
238 if ((uintmax_t) z != json_variant_unsigned(v))
239 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
240 "rlimits limit out of range, refusing.");
241 }
242
243 *value = z;
244 return 0;
245 }
246
247 static int oci_rlimits(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
248
249 Settings *s = userdata;
250 JsonVariant *e;
251 int r;
252
253 assert(s);
254
255 JSON_VARIANT_ARRAY_FOREACH(e, v) {
256
257 struct rlimit_data {
258 int type;
259 rlim_t soft;
260 rlim_t hard;
261 } data = {
262 .type = -1,
263 .soft = RLIM_INFINITY,
264 .hard = RLIM_INFINITY,
265 };
266
267 static const JsonDispatch table[] = {
268 { "soft", JSON_VARIANT_NUMBER, oci_rlimit_value, offsetof(struct rlimit_data, soft), JSON_MANDATORY },
269 { "hard", JSON_VARIANT_NUMBER, oci_rlimit_value, offsetof(struct rlimit_data, hard), JSON_MANDATORY },
270 { "type", JSON_VARIANT_STRING, oci_rlimit_type, offsetof(struct rlimit_data, type), JSON_MANDATORY },
271 {}
272 };
273
274
275 r = json_dispatch(e, table, oci_unexpected, flags, &data);
276 if (r < 0)
277 return r;
278
279 assert(data.type >= 0);
280 assert(data.type < _RLIMIT_MAX);
281
282 if (s->rlimit[data.type])
283 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
284 "rlimits array contains duplicate entry, refusing.");
285
286 s->rlimit[data.type] = new(struct rlimit, 1);
287 if (!s->rlimit[data.type])
288 return log_oom();
289
290 *s->rlimit[data.type] = (struct rlimit) {
291 .rlim_cur = data.soft,
292 .rlim_max = data.hard,
293 };
294
295 }
296 return 0;
297 }
298
299 static int oci_capability_array(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
300 uint64_t *mask = userdata, m = 0;
301 JsonVariant *e;
302
303 JSON_VARIANT_ARRAY_FOREACH(e, v) {
304 const char *n;
305 int cap;
306
307 if (!json_variant_is_string(e))
308 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
309 "Entry in capabilities array is not a string.");
310
311 assert_se(n = json_variant_string(e));
312
313 cap = capability_from_name(n);
314 if (cap < 0)
315 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
316 "Unknown capability: %s", n);
317
318 m |= UINT64_C(1) << cap;
319 }
320
321 if (*mask == (uint64_t) -1)
322 *mask = m;
323 else
324 *mask |= m;
325
326 return 0;
327 }
328
329 static int oci_capabilities(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
330
331 static const JsonDispatch table[] = {
332 { "effective", JSON_VARIANT_ARRAY, oci_capability_array, offsetof(CapabilityQuintet, effective) },
333 { "bounding", JSON_VARIANT_ARRAY, oci_capability_array, offsetof(CapabilityQuintet, bounding) },
334 { "inheritable", JSON_VARIANT_ARRAY, oci_capability_array, offsetof(CapabilityQuintet, inheritable) },
335 { "permitted", JSON_VARIANT_ARRAY, oci_capability_array, offsetof(CapabilityQuintet, permitted) },
336 { "ambient", JSON_VARIANT_ARRAY, oci_capability_array, offsetof(CapabilityQuintet, ambient) },
337 {}
338 };
339
340 Settings *s = userdata;
341 int r;
342
343 assert(s);
344
345 r = json_dispatch(v, table, oci_unexpected, flags, &s->full_capabilities);
346 if (r < 0)
347 return r;
348
349 if (s->full_capabilities.bounding != (uint64_t) -1) {
350 s->capability = s->full_capabilities.bounding;
351 s->drop_capability = ~s->full_capabilities.bounding;
352 }
353
354 return 0;
355 }
356
357 static int oci_oom_score_adj(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
358 Settings *s = userdata;
359 intmax_t k;
360
361 assert(s);
362
363 k = json_variant_integer(v);
364 if (k < OOM_SCORE_ADJ_MIN || k > OOM_SCORE_ADJ_MAX)
365 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
366 "oomScoreAdj value out of range: %ji", k);
367
368 s->oom_score_adjust = (int) k;
369 s->oom_score_adjust_set = true;
370
371 return 0;
372 }
373
374 static int oci_uid_gid(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
375 uid_t *uid = userdata, u;
376 uintmax_t k;
377
378 assert(uid);
379 assert_cc(sizeof(uid_t) == sizeof(gid_t));
380
381 k = json_variant_unsigned(v);
382 u = (uid_t) k;
383 if ((uintmax_t) u != k)
384 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
385 "UID/GID out of range: %ji", k);
386
387 if (!uid_is_valid(u))
388 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
389 "UID/GID is not valid: " UID_FMT, u);
390
391 *uid = u;
392 return 0;
393 }
394
395 static int oci_supplementary_gids(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
396 Settings *s = userdata;
397 JsonVariant *e;
398 int r;
399
400 assert(s);
401
402 JSON_VARIANT_ARRAY_FOREACH(e, v) {
403 gid_t gid, *a;
404
405 if (!json_variant_is_unsigned(e))
406 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
407 "Supplementary GID entry is not a UID.");
408
409 r = oci_uid_gid(name, e, flags, &gid);
410 if (r < 0)
411 return r;
412
413 a = reallocarray(s->supplementary_gids, s->n_supplementary_gids + 1, sizeof(gid_t));
414 if (!a)
415 return log_oom();
416
417 s->supplementary_gids = a;
418 s->supplementary_gids[s->n_supplementary_gids++] = gid;
419 }
420
421 return 0;
422 }
423
424 static int oci_user(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
425 static const JsonDispatch table[] = {
426 { "uid", JSON_VARIANT_UNSIGNED, oci_uid_gid, offsetof(Settings, uid), JSON_MANDATORY },
427 { "gid", JSON_VARIANT_UNSIGNED, oci_uid_gid, offsetof(Settings, gid), JSON_MANDATORY },
428 { "additionalGids", JSON_VARIANT_ARRAY, oci_supplementary_gids, 0, 0 },
429 {}
430 };
431
432 return json_dispatch(v, table, oci_unexpected, flags, userdata);
433 }
434
435 static int oci_process(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
436
437 static const JsonDispatch table[] = {
438 { "terminal", JSON_VARIANT_BOOLEAN, oci_terminal, 0, 0 },
439 { "consoleSize", JSON_VARIANT_OBJECT, oci_console_size, 0, 0 },
440 { "cwd", JSON_VARIANT_STRING, oci_absolute_path, offsetof(Settings, working_directory), 0 },
441 { "env", JSON_VARIANT_ARRAY, oci_env, offsetof(Settings, environment), 0 },
442 { "args", JSON_VARIANT_ARRAY, oci_args, offsetof(Settings, parameters), 0 },
443 { "rlimits", JSON_VARIANT_ARRAY, oci_rlimits, 0, 0 },
444 { "apparmorProfile", JSON_VARIANT_STRING, oci_unsupported, 0, JSON_PERMISSIVE },
445 { "capabilities", JSON_VARIANT_OBJECT, oci_capabilities, 0, 0 },
446 { "noNewPrivileges", JSON_VARIANT_BOOLEAN, json_dispatch_boolean, offsetof(Settings, no_new_privileges), 0 },
447 { "oomScoreAdj", JSON_VARIANT_INTEGER, oci_oom_score_adj, 0, 0 },
448 { "selinuxLabel", JSON_VARIANT_STRING, oci_unsupported, 0, JSON_PERMISSIVE },
449 { "user", JSON_VARIANT_OBJECT, oci_user, 0, 0 },
450 {}
451 };
452
453 return json_dispatch(v, table, oci_unexpected, flags, userdata);
454 }
455
456 static int oci_root(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
457
458 static const JsonDispatch table[] = {
459 { "path", JSON_VARIANT_STRING, json_dispatch_string, offsetof(Settings, root) },
460 { "readonly", JSON_VARIANT_BOOLEAN, json_dispatch_boolean, offsetof(Settings, read_only) },
461 {}
462 };
463
464 return json_dispatch(v, table, oci_unexpected, flags, userdata);
465 }
466
467 static int oci_hostname(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
468 Settings *s = userdata;
469 const char *n;
470
471 assert(s);
472
473 assert_se(n = json_variant_string(v));
474
475 if (!hostname_is_valid(n, false))
476 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
477 "Hostname string is not a valid hostname: %s", n);
478
479 return free_and_strdup_warn(&s->hostname, n);
480 }
481
482 static bool oci_exclude_mount(const char *path) {
483
484 /* Returns "true" for all mounts we insist to mount on our own, and hence ignore the OCI data. */
485
486 if (PATH_IN_SET(path,
487 "/dev",
488 "/dev/mqueue",
489 "/dev/pts",
490 "/dev/shm",
491 "/proc",
492 "/proc/acpi",
493 "/proc/apm",
494 "/proc/asound",
495 "/proc/bus",
496 "/proc/fs",
497 "/proc/irq",
498 "/proc/kallsyms",
499 "/proc/kcore",
500 "/proc/keys",
501 "/proc/scsi",
502 "/proc/sys",
503 "/proc/sys/net",
504 "/proc/sysrq-trigger",
505 "/proc/timer_list",
506 "/run",
507 "/sys",
508 "/sys",
509 "/sys/fs/selinux",
510 "/tmp"))
511 return true;
512
513 /* Similar, skip the whole /sys/fs/cgroups subtree */
514 if (path_startswith(path, "/sys/fs/cgroup"))
515 return true;
516
517 return false;
518 }
519
520 static int oci_mounts(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
521 Settings *s = userdata;
522 JsonVariant *e;
523 int r;
524
525 assert(s);
526
527 JSON_VARIANT_ARRAY_FOREACH(e, v) {
528
529 struct mount_data {
530 char *destination;
531 char *source;
532 char *type;
533 char **options;
534 } data = {};
535
536 static const JsonDispatch table[] = {
537 { "destination", JSON_VARIANT_STRING, oci_absolute_path, offsetof(struct mount_data, destination), JSON_MANDATORY },
538 { "source", JSON_VARIANT_STRING, json_dispatch_string, offsetof(struct mount_data, source), 0 },
539 { "options", JSON_VARIANT_ARRAY, json_dispatch_strv, offsetof(struct mount_data, options), 0, },
540 { "type", JSON_VARIANT_STRING, json_dispatch_string, offsetof(struct mount_data, type), 0 },
541 {}
542 };
543
544 _cleanup_free_ char *joined_options = NULL;
545 CustomMount *m;
546
547 r = json_dispatch(e, table, oci_unexpected, flags, &data);
548 if (r < 0)
549 goto fail_item;
550
551 if (!path_is_absolute(data.destination)) {
552 r = json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
553 "Mount destination not an absolute path: %s", data.destination);
554 goto fail_item;
555 }
556
557 if (oci_exclude_mount(data.destination))
558 goto skip_item;
559
560 if (data.options) {
561 joined_options = strv_join(data.options, ",");
562 if (!joined_options) {
563 r = log_oom();
564 goto fail_item;
565 }
566 }
567
568 if (!data.type || streq(data.type, "bind")) {
569
570 if (!path_is_absolute(data.source)) {
571 char *joined;
572
573 joined = path_join(s->bundle, data.source);
574 if (!joined) {
575 r = log_oom();
576 goto fail_item;
577 }
578
579 free_and_replace(data.source, joined);
580 }
581
582 data.type = mfree(data.type);
583
584 m = custom_mount_add(&s->custom_mounts, &s->n_custom_mounts, CUSTOM_MOUNT_BIND);
585 } else
586 m = custom_mount_add(&s->custom_mounts, &s->n_custom_mounts, CUSTOM_MOUNT_ARBITRARY);
587 if (!m) {
588 r = log_oom();
589 goto fail_item;
590 }
591
592 m->destination = TAKE_PTR(data.destination);
593 m->source = TAKE_PTR(data.source);
594 m->options = TAKE_PTR(joined_options);
595 m->type_argument = TAKE_PTR(data.type);
596
597 strv_free(data.options);
598 continue;
599
600 fail_item:
601 free(data.destination);
602 free(data.source);
603 strv_free(data.options);
604 free(data.type);
605
606 return r;
607
608 skip_item:
609 free(data.destination);
610 free(data.source);
611 strv_free(data.options);
612 free(data.type);
613 }
614
615 return 0;
616 }
617
618 static int oci_namespace_type(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
619 unsigned long *nsflags = userdata;
620 const char *n;
621
622 assert(nsflags);
623 assert_se(n = json_variant_string(v));
624
625 /* We don't use namespace_flags_from_string() here, as the OCI spec uses slightly different names than the
626 * kernel here. */
627 if (streq(n, "pid"))
628 *nsflags = CLONE_NEWPID;
629 else if (streq(n, "network"))
630 *nsflags = CLONE_NEWNET;
631 else if (streq(n, "mount"))
632 *nsflags = CLONE_NEWNS;
633 else if (streq(n, "ipc"))
634 *nsflags = CLONE_NEWIPC;
635 else if (streq(n, "uts"))
636 *nsflags = CLONE_NEWUTS;
637 else if (streq(n, "user"))
638 *nsflags = CLONE_NEWUSER;
639 else if (streq(n, "cgroup"))
640 *nsflags = CLONE_NEWCGROUP;
641 else
642 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
643 "Unknown cgroup type, refusing: %s", n);
644
645 return 0;
646 }
647
648 static int oci_namespaces(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
649 Settings *s = userdata;
650 unsigned long n = 0;
651 JsonVariant *e;
652 int r;
653
654 assert_se(s);
655
656 JSON_VARIANT_ARRAY_FOREACH(e, v) {
657
658 struct namespace_data {
659 unsigned long type;
660 char *path;
661 } data = {};
662
663 static const JsonDispatch table[] = {
664 { "type", JSON_VARIANT_STRING, oci_namespace_type, offsetof(struct namespace_data, type), JSON_MANDATORY },
665 { "path", JSON_VARIANT_STRING, oci_absolute_path, offsetof(struct namespace_data, path), 0 },
666 {}
667 };
668
669 r = json_dispatch(e, table, oci_unexpected, flags, &data);
670 if (r < 0) {
671 free(data.path);
672 return r;
673 }
674
675 if (data.path) {
676 if (data.type != CLONE_NEWNET) {
677 free(data.path);
678 return json_log(e, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
679 "Specifying namespace path for non-network namespace is not supported.");
680 }
681
682 if (s->network_namespace_path) {
683 free(data.path);
684 return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
685 "Network namespace path specified more than once, refusing.");
686 }
687
688 free(s->network_namespace_path);
689 s->network_namespace_path = data.path;
690 }
691
692 if (FLAGS_SET(n, data.type)) {
693 return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
694 "Duplicate namespace specification, refusing.");
695 }
696
697 n |= data.type;
698 }
699
700 if (!FLAGS_SET(n, CLONE_NEWNS))
701 return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
702 "Containers without file system namespace aren't supported.");
703
704 s->private_network = FLAGS_SET(n, CLONE_NEWNET);
705 s->userns_mode = FLAGS_SET(n, CLONE_NEWUSER) ? USER_NAMESPACE_FIXED : USER_NAMESPACE_NO;
706 s->use_cgns = FLAGS_SET(n, CLONE_NEWCGROUP);
707
708 s->clone_ns_flags = n & (CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS);
709
710 return 0;
711 }
712
713 static int oci_uid_gid_range(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
714 uid_t *uid = userdata, u;
715 uintmax_t k;
716
717 assert(uid);
718 assert_cc(sizeof(uid_t) == sizeof(gid_t));
719
720 /* This is very much like oci_uid_gid(), except the checks are a bit different, as this is a UID range rather
721 * than a specific UID, and hence (uid_t) -1 has no special significance. OTOH a range of zero makes no
722 * sense. */
723
724 k = json_variant_unsigned(v);
725 u = (uid_t) k;
726 if ((uintmax_t) u != k)
727 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
728 "UID/GID out of range: %ji", k);
729 if (u == 0)
730 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
731 "UID/GID range can't be zero.");
732
733 *uid = u;
734 return 0;
735 }
736
737 static int oci_uid_gid_mappings(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
738 struct mapping_data {
739 uid_t host_id;
740 uid_t container_id;
741 uid_t range;
742 } data = {
743 .host_id = UID_INVALID,
744 .container_id = UID_INVALID,
745 .range = 0,
746 };
747
748 static const JsonDispatch table[] = {
749 { "containerID", JSON_VARIANT_UNSIGNED, oci_uid_gid, offsetof(struct mapping_data, container_id), JSON_MANDATORY },
750 { "hostID", JSON_VARIANT_UNSIGNED, oci_uid_gid, offsetof(struct mapping_data, host_id), JSON_MANDATORY },
751 { "size", JSON_VARIANT_UNSIGNED, oci_uid_gid_range, offsetof(struct mapping_data, range), JSON_MANDATORY },
752 {}
753 };
754
755 Settings *s = userdata;
756 JsonVariant *e;
757 int r;
758
759 assert(s);
760
761 if (json_variant_elements(v) == 0)
762 return 0;
763
764 if (json_variant_elements(v) > 1)
765 return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
766 "UID/GID mappings with more than one entry are not supported.");
767
768 assert_se(e = json_variant_by_index(v, 0));
769
770 r = json_dispatch(e, table, oci_unexpected, flags, &data);
771 if (r < 0)
772 return r;
773
774 if (data.host_id + data.range < data.host_id ||
775 data.container_id + data.range < data.container_id)
776 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
777 "UID/GID range goes beyond UID/GID validity range, refusing.");
778
779 if (data.container_id != 0)
780 return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
781 "UID/GID mappings with a non-zero container base are not supported.");
782
783 if (data.range < 0x10000)
784 json_log(v, flags|JSON_WARNING, 0,
785 "UID/GID mapping with less than 65536 UID/GIDS set up, you are looking for trouble.");
786
787 if (s->uid_range != UID_INVALID &&
788 (s->uid_shift != data.host_id || s->uid_range != data.range))
789 return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
790 "Non-matching UID and GID mappings are not supported.");
791
792 s->uid_shift = data.host_id;
793 s->uid_range = data.range;
794
795 return 0;
796 }
797
798 static int oci_device_type(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
799 mode_t *mode = userdata;
800 const char *t;
801
802 assert(mode);
803 assert_se(t = json_variant_string(v));
804
805 if (STR_IN_SET(t, "c", "u"))
806 *mode = (*mode & ~S_IFMT) | S_IFCHR;
807 else if (streq(t, "b"))
808 *mode = (*mode & ~S_IFMT) | S_IFBLK;
809 else if (streq(t, "p"))
810 *mode = (*mode & ~S_IFMT) | S_IFIFO;
811 else
812 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
813 "Unknown device type: %s", t);
814
815 return 0;
816 }
817
818 static int oci_device_major(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
819 unsigned *u = userdata;
820 uintmax_t k;
821
822 assert_se(u);
823
824 k = json_variant_unsigned(v);
825 if (!DEVICE_MAJOR_VALID(k))
826 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
827 "Device major %ji out of range.", k);
828
829 *u = (unsigned) k;
830 return 0;
831 }
832
833 static int oci_device_minor(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
834 unsigned *u = userdata;
835 uintmax_t k;
836
837 assert_se(u);
838
839 k = json_variant_unsigned(v);
840 if (!DEVICE_MINOR_VALID(k))
841 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
842 "Device minor %ji out of range.", k);
843
844 *u = (unsigned) k;
845 return 0;
846 }
847
848 static int oci_device_file_mode(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
849 mode_t *mode = userdata, m;
850 uintmax_t k;
851
852 assert(mode);
853
854 k = json_variant_unsigned(v);
855 m = (mode_t) k;
856
857 if ((m & ~07777) != 0 || (uintmax_t) m != k)
858 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
859 "fileMode out of range, refusing.");
860
861 *mode = m;
862 return 0;
863 }
864
865 static int oci_devices(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
866 Settings *s = userdata;
867 JsonVariant *e;
868 int r;
869
870 assert(s);
871
872 JSON_VARIANT_ARRAY_FOREACH(e, v) {
873
874 static const JsonDispatch table[] = {
875 { "type", JSON_VARIANT_STRING, oci_device_type, offsetof(DeviceNode, mode), JSON_MANDATORY },
876 { "path", JSON_VARIANT_STRING, oci_absolute_path, offsetof(DeviceNode, path), JSON_MANDATORY },
877 { "major", JSON_VARIANT_UNSIGNED, oci_device_major, offsetof(DeviceNode, major), 0 },
878 { "minor", JSON_VARIANT_UNSIGNED, oci_device_minor, offsetof(DeviceNode, minor), 0 },
879 { "fileMode", JSON_VARIANT_UNSIGNED, oci_device_file_mode, offsetof(DeviceNode, mode), 0 },
880 { "uid", JSON_VARIANT_UNSIGNED, oci_uid_gid, offsetof(DeviceNode, uid), 0 },
881 { "gid", JSON_VARIANT_UNSIGNED, oci_uid_gid, offsetof(DeviceNode, gid), 0 },
882 {}
883 };
884
885 DeviceNode *node, *nodes;
886
887 nodes = reallocarray(s->extra_nodes, s->n_extra_nodes + 1, sizeof(DeviceNode));
888 if (!nodes)
889 return log_oom();
890
891 s->extra_nodes = nodes;
892
893 node = nodes + s->n_extra_nodes;
894 *node = (DeviceNode) {
895 .uid = UID_INVALID,
896 .gid = GID_INVALID,
897 .major = (unsigned) -1,
898 .minor = (unsigned) -1,
899 .mode = 0644,
900 };
901
902 r = json_dispatch(e, table, oci_unexpected, flags, node);
903 if (r < 0)
904 goto fail_element;
905
906 if (S_ISCHR(node->mode) || S_ISBLK(node->mode)) {
907 _cleanup_free_ char *path = NULL;
908
909 if (node->major == (unsigned) -1 || node->minor == (unsigned) -1) {
910 r = json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
911 "Major/minor required when device node is device node");
912 goto fail_element;
913 }
914
915 /* Suppress a couple of implicit device nodes */
916 r = device_path_make_canonical(node->mode, makedev(node->major, node->minor), &path);
917 if (r < 0)
918 json_log(e, flags|JSON_DEBUG, 0, "Failed to resolve device node %u:%u, ignoring: %m", node->major, node->minor);
919 else {
920 if (PATH_IN_SET(path,
921 "/dev/null",
922 "/dev/zero",
923 "/dev/full",
924 "/dev/random",
925 "/dev/urandom",
926 "/dev/tty",
927 "/dev/net/tun",
928 "/dev/ptmx",
929 "/dev/pts/ptmx",
930 "/dev/console")) {
931
932 json_log(e, flags|JSON_DEBUG, 0, "Ignoring devices item for device '%s', as it is implicitly created anyway.", path);
933 free(node->path);
934 continue;
935 }
936 }
937 }
938
939 s->n_extra_nodes++;
940 continue;
941
942 fail_element:
943 free(node->path);
944 return r;
945 }
946
947 return 0;
948 }
949
950 static int oci_cgroups_path(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
951 _cleanup_free_ char *slice = NULL, *backwards = NULL;
952 Settings *s = userdata;
953 const char *p;
954 int r;
955
956 assert(s);
957
958 assert_se(p = json_variant_string(v));
959
960 r = cg_path_get_slice(p, &slice);
961 if (r < 0)
962 return json_log(v, flags, r, "Couldn't derive slice unit name from path '%s': %m", p);
963
964 r = cg_slice_to_path(slice, &backwards);
965 if (r < 0)
966 return json_log(v, flags, r, "Couldn't convert slice unit name '%s' back to path: %m", slice);
967
968 if (!path_equal(backwards, p))
969 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
970 "Control group path '%s' does not refer to slice unit, refusing.", p);
971
972 free_and_replace(s->slice, slice);
973 return 0;
974 }
975
976 static int oci_cgroup_device_type(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
977 mode_t *mode = userdata;
978 const char *n;
979
980 assert_se(n = json_variant_string(v));
981
982 if (streq(n, "c"))
983 *mode = S_IFCHR;
984 else if (streq(n, "b"))
985 *mode = S_IFBLK;
986 else
987 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
988 "Control group device type unknown: %s", n);
989
990 return 0;
991 }
992
993 struct device_data {
994 bool allow;
995 bool r;
996 bool w;
997 bool m;
998 mode_t type;
999 unsigned major;
1000 unsigned minor;
1001 };
1002
1003 static int oci_cgroup_device_access(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1004 struct device_data *d = userdata;
1005 bool r = false, w = false, m = false;
1006 const char *s;
1007 size_t i;
1008
1009 assert_se(s = json_variant_string(v));
1010
1011 for (i = 0; s[i]; i++)
1012 if (s[i] == 'r')
1013 r = true;
1014 else if (s[i] == 'w')
1015 w = true;
1016 else if (s[i] == 'm')
1017 m = true;
1018 else
1019 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
1020 "Unknown device access character '%c'.", s[i]);
1021
1022 d->r = r;
1023 d->w = w;
1024 d->m = m;
1025
1026 return 0;
1027 }
1028
1029 static int oci_cgroup_devices(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1030
1031 _cleanup_free_ struct device_data *list = NULL;
1032 Settings *s = userdata;
1033 size_t n_list = 0, i;
1034 bool noop = false;
1035 JsonVariant *e;
1036 int r;
1037
1038 assert(s);
1039
1040 JSON_VARIANT_ARRAY_FOREACH(e, v) {
1041
1042 struct device_data data = {
1043 .major = (unsigned) -1,
1044 .minor = (unsigned) -1,
1045 }, *a;
1046
1047 static const JsonDispatch table[] = {
1048 { "allow", JSON_VARIANT_BOOLEAN, json_dispatch_boolean, offsetof(struct device_data, allow), JSON_MANDATORY },
1049 { "type", JSON_VARIANT_STRING, oci_cgroup_device_type, offsetof(struct device_data, type), 0 },
1050 { "major", JSON_VARIANT_UNSIGNED, oci_device_major, offsetof(struct device_data, major), 0 },
1051 { "minor", JSON_VARIANT_UNSIGNED, oci_device_minor, offsetof(struct device_data, minor), 0 },
1052 { "access", JSON_VARIANT_STRING, oci_cgroup_device_access, 0, 0 },
1053 {}
1054 };
1055
1056 r = json_dispatch(e, table, oci_unexpected, flags, &data);
1057 if (r < 0)
1058 return r;
1059
1060 if (!data.allow) {
1061 /* The fact that OCI allows 'deny' entries makes really no sense, as 'allow' vs. 'deny' for the
1062 * devices cgroup controller is really not about whitelisting and blacklisting but about adding
1063 * and removing entries from the whitelist. Since we always start out with an empty whitelist
1064 * we hence ignore the whole thing, as removing entries which don't exist make no sense. We'll
1065 * log about this, since this is really borked in the spec, with one exception: the entry
1066 * that's supposed to drop the kernel's default we ignore silently */
1067
1068 if (!data.r || !data.w || !data.m || data.type != 0 || data.major != (unsigned) -1 || data.minor != (unsigned) -1)
1069 json_log(v, flags|JSON_WARNING, 0, "Devices cgroup whitelist with arbitrary 'allow' entries not supported, ignoring.");
1070
1071 /* We ignore the 'deny' entry as for us that's implied */
1072 continue;
1073 }
1074
1075 if (!data.r && !data.w && !data.m) {
1076 json_log(v, flags|LOG_WARNING, 0, "Device cgroup whitelist entry with no effect found, ignoring.");
1077 continue;
1078 }
1079
1080 if (data.minor != (unsigned) -1 && data.major == (unsigned) -1)
1081 return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
1082 "Device cgroup whitelist entries with minors but no majors not supported.");
1083
1084 if (data.major != (unsigned) -1 && data.type == 0)
1085 return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
1086 "Device cgroup whitelist entries with majors but no device node type not supported.");
1087
1088 if (data.type == 0) {
1089 if (data.r && data.w && data.m) /* a catchall whitelist entry means we are looking at a noop */
1090 noop = true;
1091 else
1092 return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
1093 "Device cgroup whitelist entries with no type not supported.");
1094 }
1095
1096 a = reallocarray(list, n_list + 1, sizeof(struct device_data));
1097 if (!a)
1098 return log_oom();
1099
1100 list = a;
1101 list[n_list++] = data;
1102 }
1103
1104 if (noop)
1105 return 0;
1106
1107 r = settings_allocate_properties(s);
1108 if (r < 0)
1109 return r;
1110
1111 r = sd_bus_message_open_container(s->properties, 'r', "sv");
1112 if (r < 0)
1113 return bus_log_create_error(r);
1114
1115 r = sd_bus_message_append(s->properties, "s", "DeviceAllow");
1116 if (r < 0)
1117 return bus_log_create_error(r);
1118
1119 r = sd_bus_message_open_container(s->properties, 'v', "a(ss)");
1120 if (r < 0)
1121 return bus_log_create_error(r);
1122
1123 r = sd_bus_message_open_container(s->properties, 'a', "(ss)");
1124 if (r < 0)
1125 return bus_log_create_error(r);
1126
1127 for (i = 0; i < n_list; i++) {
1128 _cleanup_free_ char *pattern = NULL;
1129 char access[4];
1130 size_t n = 0;
1131
1132 if (list[i].minor == (unsigned) -1) {
1133 const char *t;
1134
1135 if (list[i].type == S_IFBLK)
1136 t = "block";
1137 else {
1138 assert(list[i].type == S_IFCHR);
1139 t = "char";
1140 }
1141
1142 if (list[i].major == (unsigned) -1) {
1143 pattern = strjoin(t, "-*");
1144 if (!pattern)
1145 return log_oom();
1146 } else {
1147 if (asprintf(&pattern, "%s-%u", t, list[i].major) < 0)
1148 return log_oom();
1149 }
1150
1151 } else {
1152 assert(list[i].major != (unsigned) -1); /* If a minor is specified, then a major also needs to be specified */
1153
1154 r = device_path_make_major_minor(list[i].type, makedev(list[i].major, list[i].minor), &pattern);
1155 if (r < 0)
1156 return log_oom();
1157 }
1158
1159 if (list[i].r)
1160 access[n++] = 'r';
1161 if (list[i].w)
1162 access[n++] = 'w';
1163 if (list[i].m)
1164 access[n++] = 'm';
1165 access[n] = 0;
1166
1167 assert(n > 0);
1168
1169 r = sd_bus_message_append(s->properties, "(ss)", pattern, access);
1170 if (r < 0)
1171 return bus_log_create_error(r);
1172 }
1173
1174 r = sd_bus_message_close_container(s->properties);
1175 if (r < 0)
1176 return bus_log_create_error(r);
1177
1178 r = sd_bus_message_close_container(s->properties);
1179 if (r < 0)
1180 return bus_log_create_error(r);
1181
1182 r = sd_bus_message_close_container(s->properties);
1183 if (r < 0)
1184 return bus_log_create_error(r);
1185
1186 return 0;
1187 }
1188
1189 static int oci_cgroup_memory_limit(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1190 uint64_t *m = userdata;
1191 uintmax_t k;
1192
1193 assert(m);
1194
1195 if (json_variant_is_negative(v)) {
1196 *m = UINT64_MAX;
1197 return 0;
1198 }
1199
1200 if (!json_variant_is_unsigned(v))
1201 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
1202 "Memory limit is not an unsigned integer");
1203
1204 k = json_variant_unsigned(v);
1205 if (k >= UINT64_MAX)
1206 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
1207 "Memory limit too large: %ji", k);
1208
1209 *m = (uint64_t) k;
1210 return 0;
1211 }
1212
1213 static int oci_cgroup_memory(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1214
1215 struct memory_data {
1216 uint64_t limit;
1217 uint64_t reservation;
1218 uint64_t swap;
1219 } data = {
1220 .limit = UINT64_MAX,
1221 .reservation = UINT64_MAX,
1222 .swap = UINT64_MAX,
1223 };
1224
1225 static const JsonDispatch table[] = {
1226 { "limit", JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, limit), 0 },
1227 { "reservation", JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, reservation), 0 },
1228 { "swap", JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, swap), 0 },
1229 { "kernel", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE },
1230 { "kernelTCP", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE },
1231 { "swapiness", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE },
1232 { "disableOOMKiller", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE },
1233 {}
1234 };
1235
1236 Settings *s = userdata;
1237 int r;
1238
1239 r = json_dispatch(v, table, oci_unexpected, flags, &data);
1240 if (r < 0)
1241 return r;
1242
1243 if (data.swap != UINT64_MAX) {
1244 if (data.limit == UINT64_MAX)
1245 json_log(v, flags|LOG_WARNING, 0, "swap limit without memory limit is not supported, ignoring.");
1246 else if (data.swap < data.limit)
1247 json_log(v, flags|LOG_WARNING, 0, "swap limit is below memory limit, ignoring.");
1248 else {
1249 r = settings_allocate_properties(s);
1250 if (r < 0)
1251 return r;
1252
1253 r = sd_bus_message_append(s->properties, "(sv)", "MemorySwapMax", "t", data.swap - data.limit);
1254 if (r < 0)
1255 return bus_log_create_error(r);
1256 }
1257 }
1258
1259 if (data.limit != UINT64_MAX) {
1260 r = settings_allocate_properties(s);
1261 if (r < 0)
1262 return r;
1263
1264 r = sd_bus_message_append(s->properties, "(sv)", "MemoryMax", "t", data.limit);
1265 if (r < 0)
1266 return bus_log_create_error(r);
1267 }
1268
1269 if (data.reservation != UINT64_MAX) {
1270 r = settings_allocate_properties(s);
1271 if (r < 0)
1272 return r;
1273
1274 r = sd_bus_message_append(s->properties, "(sv)", "MemoryLow", "t", data.reservation);
1275 if (r < 0)
1276 return bus_log_create_error(r);
1277 }
1278
1279 return 0;
1280 }
1281
1282 struct cpu_data {
1283 uint64_t shares;
1284 uint64_t quota;
1285 uint64_t period;
1286 cpu_set_t *cpuset;
1287 unsigned ncpus;
1288 };
1289
1290 static int oci_cgroup_cpu_shares(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1291 uint64_t *u = userdata;
1292 uintmax_t k;
1293
1294 assert(u);
1295
1296 k = json_variant_unsigned(v);
1297 if (k < CGROUP_CPU_SHARES_MIN || k > CGROUP_CPU_SHARES_MAX)
1298 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
1299 "shares value out of range.");
1300
1301 *u = (uint64_t) k;
1302 return 0;
1303 }
1304
1305 static int oci_cgroup_cpu_quota(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1306 uint64_t *u = userdata;
1307 uintmax_t k;
1308
1309 assert(u);
1310
1311 k = json_variant_unsigned(v);
1312 if (k <= 0 || k >= UINT64_MAX)
1313 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
1314 "period/quota value out of range.");
1315
1316 *u = (uint64_t) k;
1317 return 0;
1318 }
1319
1320 static int oci_cgroup_cpu_cpus(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1321 struct cpu_data *data = userdata;
1322 cpu_set_t *set;
1323 const char *n;
1324 int ncpus;
1325
1326 assert(data);
1327
1328 assert_se(n = json_variant_string(v));
1329
1330 ncpus = parse_cpu_set(n, &set);
1331 if (ncpus < 0)
1332 return json_log(v, flags, ncpus, "Failed to parse CPU set specification: %s", n);
1333
1334 CPU_FREE(data->cpuset);
1335 data->cpuset = set;
1336 data->ncpus = ncpus;
1337
1338 return 0;
1339 }
1340
1341 static int oci_cgroup_cpu(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1342
1343 static const JsonDispatch table[] = {
1344 { "shares", JSON_VARIANT_UNSIGNED, oci_cgroup_cpu_shares, offsetof(struct cpu_data, shares), 0 },
1345 { "quota", JSON_VARIANT_UNSIGNED, oci_cgroup_cpu_quota, offsetof(struct cpu_data, quota), 0 },
1346 { "period", JSON_VARIANT_UNSIGNED, oci_cgroup_cpu_quota, offsetof(struct cpu_data, period), 0 },
1347 { "realtimeRuntime", JSON_VARIANT_UNSIGNED, oci_unsupported, 0, 0 },
1348 { "realtimePeriod", JSON_VARIANT_UNSIGNED, oci_unsupported, 0, 0 },
1349 { "cpus", JSON_VARIANT_STRING, oci_cgroup_cpu_cpus, 0, 0 },
1350 { "mems", JSON_VARIANT_STRING, oci_unsupported, 0, 0 },
1351 {}
1352 };
1353
1354 struct cpu_data data = {
1355 .shares = UINT64_MAX,
1356 .quota = UINT64_MAX,
1357 .period = UINT64_MAX,
1358 };
1359
1360 Settings *s = userdata;
1361 int r;
1362
1363 r = json_dispatch(v, table, oci_unexpected, flags, &data);
1364 if (r < 0) {
1365 CPU_FREE(data.cpuset);
1366 return r;
1367 }
1368
1369 CPU_FREE(s->cpuset);
1370 s->cpuset = data.cpuset;
1371 s->cpuset_ncpus = data.ncpus;
1372
1373 if (data.shares != UINT64_MAX) {
1374 r = settings_allocate_properties(s);
1375 if (r < 0)
1376 return r;
1377
1378 r = sd_bus_message_append(s->properties, "(sv)", "CPUShares", "t", data.shares);
1379 if (r < 0)
1380 return bus_log_create_error(r);
1381 }
1382
1383 if (data.quota != UINT64_MAX && data.period != UINT64_MAX) {
1384 r = settings_allocate_properties(s);
1385 if (r < 0)
1386 return r;
1387
1388 r = sd_bus_message_append(s->properties, "(sv)", "CPUQuotaPerSecUSec", "t", (uint64_t) (data.quota * USEC_PER_SEC / data.period));
1389 if (r < 0)
1390 return bus_log_create_error(r);
1391
1392 } else if ((data.quota != UINT64_MAX) != (data.period != UINT64_MAX))
1393 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
1394 "CPU quota and period not used together.");
1395
1396 return 0;
1397 }
1398
1399 static int oci_cgroup_block_io_weight(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1400 Settings *s = userdata;
1401 uintmax_t k;
1402 int r;
1403
1404 assert(s);
1405
1406 k = json_variant_unsigned(v);
1407 if (k < CGROUP_BLKIO_WEIGHT_MIN || k > CGROUP_BLKIO_WEIGHT_MAX)
1408 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
1409 "Block I/O weight out of range.");
1410
1411 r = settings_allocate_properties(s);
1412 if (r < 0)
1413 return r;
1414
1415 r = sd_bus_message_append(s->properties, "(sv)", "BlockIOWeight", "t", (uint64_t) k);
1416 if (r < 0)
1417 return bus_log_create_error(r);
1418
1419 return 0;
1420 }
1421
1422 static int oci_cgroup_block_io_weight_device(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1423 Settings *s = userdata;
1424 JsonVariant *e;
1425 int r;
1426
1427 assert(s);
1428
1429 JSON_VARIANT_ARRAY_FOREACH(e, v) {
1430 struct device_data {
1431 unsigned major;
1432 unsigned minor;
1433 uintmax_t weight;
1434 } data = {
1435 .major = (unsigned) -1,
1436 .minor = (unsigned) -1,
1437 .weight = UINTMAX_MAX,
1438 };
1439
1440 static const JsonDispatch table[] = {
1441 { "major", JSON_VARIANT_UNSIGNED, oci_device_major, offsetof(struct device_data, major), JSON_MANDATORY },
1442 { "minor", JSON_VARIANT_UNSIGNED, oci_device_minor, offsetof(struct device_data, minor), JSON_MANDATORY },
1443 { "weight", JSON_VARIANT_UNSIGNED, json_dispatch_unsigned, offsetof(struct device_data, weight), 0 },
1444 { "leafWeight", JSON_VARIANT_INTEGER, oci_unsupported, 0, JSON_PERMISSIVE },
1445 {}
1446 };
1447
1448 _cleanup_free_ char *path = NULL;
1449
1450 r = json_dispatch(e, table, oci_unexpected, flags, &data);
1451 if (r < 0)
1452 return r;
1453
1454 if (data.weight == UINTMAX_MAX)
1455 continue;
1456
1457 if (data.weight < CGROUP_BLKIO_WEIGHT_MIN || data.weight > CGROUP_BLKIO_WEIGHT_MAX)
1458 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
1459 "Block I/O device weight out of range.");
1460
1461 r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path);
1462 if (r < 0)
1463 return json_log(v, flags, r, "Failed to build device path: %m");
1464
1465 r = settings_allocate_properties(s);
1466 if (r < 0)
1467 return r;
1468
1469 r = sd_bus_message_append(s->properties, "(sv)", "BlockIODeviceWeight", "a(st)", 1, path, (uint64_t) data.weight);
1470 if (r < 0)
1471 return bus_log_create_error(r);
1472 }
1473
1474 return 0;
1475 }
1476
1477 static int oci_cgroup_block_io_throttle(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1478 Settings *s = userdata;
1479 const char *pname;
1480 JsonVariant *e;
1481 int r;
1482
1483 assert(s);
1484
1485 pname = streq(name, "throttleReadBpsDevice") ? "IOReadBandwidthMax" :
1486 streq(name, "throttleWriteBpsDevice") ? "IOWriteBandwidthMax" :
1487 streq(name, "throttleReadIOPSDevice") ? "IOReadIOPSMax" :
1488 "IOWriteIOPSMax";
1489
1490 JSON_VARIANT_ARRAY_FOREACH(e, v) {
1491 struct device_data {
1492 unsigned major;
1493 unsigned minor;
1494 uintmax_t rate;
1495 } data = {
1496 .major = (unsigned) -1,
1497 .minor = (unsigned) -1,
1498 };
1499
1500 static const JsonDispatch table[] = {
1501 { "major", JSON_VARIANT_UNSIGNED, oci_device_major, offsetof(struct device_data, major), JSON_MANDATORY },
1502 { "minor", JSON_VARIANT_UNSIGNED, oci_device_minor, offsetof(struct device_data, minor), JSON_MANDATORY },
1503 { "rate", JSON_VARIANT_UNSIGNED, json_dispatch_unsigned, offsetof(struct device_data, rate), JSON_MANDATORY },
1504 {}
1505 };
1506
1507 _cleanup_free_ char *path = NULL;
1508
1509 r = json_dispatch(e, table, oci_unexpected, flags, &data);
1510 if (r < 0)
1511 return r;
1512
1513 if (data.rate >= UINT64_MAX)
1514 return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
1515 "Block I/O device rate out of range.");
1516
1517 r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path);
1518 if (r < 0)
1519 return json_log(v, flags, r, "Failed to build device path: %m");
1520
1521 r = settings_allocate_properties(s);
1522 if (r < 0)
1523 return r;
1524
1525 r = sd_bus_message_append(s->properties, "(sv)", pname, "a(st)", 1, path, (uint64_t) data.rate);
1526 if (r < 0)
1527 return bus_log_create_error(r);
1528 }
1529
1530 return 0;
1531 }
1532
1533 static int oci_cgroup_block_io(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1534
1535 static const JsonDispatch table[] = {
1536 { "weight", JSON_VARIANT_UNSIGNED, oci_cgroup_block_io_weight, 0, 0 },
1537 { "leafWeight", JSON_VARIANT_UNSIGNED, oci_unsupported, 0, JSON_PERMISSIVE },
1538 { "weightDevice", JSON_VARIANT_ARRAY, oci_cgroup_block_io_weight_device, 0, 0 },
1539 { "throttleReadBpsDevice", JSON_VARIANT_ARRAY, oci_cgroup_block_io_throttle, 0, 0 },
1540 { "throttleWriteBpsDevice", JSON_VARIANT_ARRAY, oci_cgroup_block_io_throttle, 0, 0 },
1541 { "throttleReadIOPSDevice", JSON_VARIANT_ARRAY, oci_cgroup_block_io_throttle, 0, 0 },
1542 { "throttleWriteIOPSDevice", JSON_VARIANT_ARRAY, oci_cgroup_block_io_throttle, 0, 0 },
1543 {}
1544 };
1545
1546 return json_dispatch(v, table, oci_unexpected, flags, userdata);
1547 }
1548
1549 static int oci_cgroup_pids(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1550
1551 static const JsonDispatch table[] = {
1552 { "limit", JSON_VARIANT_NUMBER, json_dispatch_variant, 0, JSON_MANDATORY },
1553 {}
1554 };
1555
1556 _cleanup_(json_variant_unrefp) JsonVariant *k = NULL;
1557 Settings *s = userdata;
1558 uint64_t m;
1559 int r;
1560
1561 assert(s);
1562
1563 r = json_dispatch(v, table, oci_unexpected, flags, &k);
1564 if (r < 0)
1565 return r;
1566
1567 if (json_variant_is_negative(k))
1568 m = UINT64_MAX;
1569 else {
1570 if (!json_variant_is_unsigned(k))
1571 return json_log(k, flags, SYNTHETIC_ERRNO(EINVAL),
1572 "pids limit not unsigned integer, refusing.");
1573
1574 m = (uint64_t) json_variant_unsigned(k);
1575
1576 if ((uintmax_t) m != json_variant_unsigned(k))
1577 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
1578 "pids limit out of range, refusing.");
1579 }
1580
1581 r = settings_allocate_properties(s);
1582 if (r < 0)
1583 return r;
1584
1585 r = sd_bus_message_append(s->properties, "(sv)", "TasksMax", "t", m);
1586 if (r < 0)
1587 return bus_log_create_error(r);
1588
1589 return 0;
1590 }
1591
1592 static int oci_resources(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1593
1594 static const JsonDispatch table[] = {
1595 { "devices", JSON_VARIANT_ARRAY, oci_cgroup_devices, 0, 0 },
1596 { "memory", JSON_VARIANT_OBJECT, oci_cgroup_memory, 0, 0 },
1597 { "cpu", JSON_VARIANT_OBJECT, oci_cgroup_cpu, 0, 0 },
1598 { "blockIO", JSON_VARIANT_OBJECT, oci_cgroup_block_io, 0, 0 },
1599 { "hugepageLimits", JSON_VARIANT_ARRAY, oci_unsupported, 0, 0 },
1600 { "network", JSON_VARIANT_OBJECT, oci_unsupported, 0, 0 },
1601 { "pids", JSON_VARIANT_OBJECT, oci_cgroup_pids, 0, 0 },
1602 { "rdma", JSON_VARIANT_OBJECT, oci_unsupported, 0, 0 },
1603 {}
1604 };
1605
1606 return json_dispatch(v, table, oci_unexpected, flags, userdata);
1607 }
1608
1609 static bool sysctl_key_valid(const char *s) {
1610 bool dot = true;
1611
1612 /* Note that we are a bit stricter here than in systemd-sysctl, as that inherited semantics from the old sysctl
1613 * tool, which were really weird (as it swaps / and . in both ways) */
1614
1615 if (isempty(s))
1616 return false;
1617
1618 for (; *s; s++) {
1619
1620 if (*s <= ' ' || *s >= 127)
1621 return false;
1622 if (*s == '/')
1623 return false;
1624 if (*s == '.') {
1625
1626 if (dot) /* Don't allow two dots next to each other (or at the beginning) */
1627 return false;
1628
1629 dot = true;
1630 } else
1631 dot = false;
1632 }
1633
1634 if (dot) /* don't allow a dot at the end */
1635 return false;
1636
1637 return true;
1638 }
1639
1640 static int oci_sysctl(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1641 Settings *s = userdata;
1642 JsonVariant *k, *w;
1643 int r;
1644
1645 assert(s);
1646
1647 JSON_VARIANT_OBJECT_FOREACH(k, w, v) {
1648 const char *n, *m;
1649
1650 if (!json_variant_is_string(w))
1651 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
1652 "sysctl parameter is not a string, refusing.");
1653
1654 assert_se(n = json_variant_string(k));
1655 assert_se(m = json_variant_string(w));
1656
1657 if (sysctl_key_valid(n))
1658 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
1659 "sysctl key invalid, refusing: %s", n);
1660
1661 r = strv_extend_strv(&s->sysctl, STRV_MAKE(n, m), false);
1662 if (r < 0)
1663 return log_oom();
1664 }
1665
1666 return 0;
1667 }
1668
1669 #if HAVE_SECCOMP
1670 static int oci_seccomp_action_from_string(const char *name, uint32_t *ret) {
1671
1672 static const struct {
1673 const char *name;
1674 uint32_t action;
1675 } table[] = {
1676 { "SCMP_ACT_ALLOW", SCMP_ACT_ALLOW },
1677 { "SCMP_ACT_ERRNO", SCMP_ACT_ERRNO(EPERM) }, /* the OCI spec doesn't document the error, but it appears EPERM is supposed to be used */
1678 { "SCMP_ACT_KILL", SCMP_ACT_KILL },
1679 #ifdef SCMP_ACT_LOG
1680 { "SCMP_ACT_LOG", SCMP_ACT_LOG },
1681 #endif
1682 { "SCMP_ACT_TRAP", SCMP_ACT_TRAP },
1683
1684 /* We don't support SCMP_ACT_TRACE because that requires a tracer, and that doesn't really make sense
1685 * here */
1686 };
1687
1688 size_t i;
1689
1690 for (i = 0; i < ELEMENTSOF(table); i++)
1691 if (streq_ptr(name, table[i].name)) {
1692 *ret = table[i].action;
1693 return 0;
1694 }
1695
1696 return -EINVAL;
1697 }
1698
1699 static int oci_seccomp_arch_from_string(const char *name, uint32_t *ret) {
1700
1701 static const struct {
1702 const char *name;
1703 uint32_t arch;
1704 } table[] = {
1705 { "SCMP_ARCH_AARCH64", SCMP_ARCH_AARCH64 },
1706 { "SCMP_ARCH_ARM", SCMP_ARCH_ARM },
1707 { "SCMP_ARCH_MIPS", SCMP_ARCH_MIPS },
1708 { "SCMP_ARCH_MIPS64", SCMP_ARCH_MIPS64 },
1709 { "SCMP_ARCH_MIPS64N32", SCMP_ARCH_MIPS64N32 },
1710 { "SCMP_ARCH_MIPSEL", SCMP_ARCH_MIPSEL },
1711 { "SCMP_ARCH_MIPSEL64", SCMP_ARCH_MIPSEL64 },
1712 { "SCMP_ARCH_MIPSEL64N32", SCMP_ARCH_MIPSEL64N32 },
1713 { "SCMP_ARCH_NATIVE", SCMP_ARCH_NATIVE },
1714 #ifdef SCMP_ARCH_PARISC
1715 { "SCMP_ARCH_PARISC", SCMP_ARCH_PARISC },
1716 #endif
1717 #ifdef SCMP_ARCH_PARISC64
1718 { "SCMP_ARCH_PARISC64", SCMP_ARCH_PARISC64 },
1719 #endif
1720 { "SCMP_ARCH_PPC", SCMP_ARCH_PPC },
1721 { "SCMP_ARCH_PPC64", SCMP_ARCH_PPC64 },
1722 { "SCMP_ARCH_PPC64LE", SCMP_ARCH_PPC64LE },
1723 { "SCMP_ARCH_S390", SCMP_ARCH_S390 },
1724 { "SCMP_ARCH_S390X", SCMP_ARCH_S390X },
1725 { "SCMP_ARCH_X32", SCMP_ARCH_X32 },
1726 { "SCMP_ARCH_X86", SCMP_ARCH_X86 },
1727 { "SCMP_ARCH_X86_64", SCMP_ARCH_X86_64 },
1728 };
1729
1730 size_t i;
1731
1732 for (i = 0; i < ELEMENTSOF(table); i++)
1733 if (streq_ptr(table[i].name, name)) {
1734 *ret = table[i].arch;
1735 return 0;
1736 }
1737
1738 return -EINVAL;
1739 }
1740
1741 static int oci_seccomp_compare_from_string(const char *name, enum scmp_compare *ret) {
1742
1743 static const struct {
1744 const char *name;
1745 enum scmp_compare op;
1746 } table[] = {
1747 { "SCMP_CMP_NE", SCMP_CMP_NE },
1748 { "SCMP_CMP_LT", SCMP_CMP_LT },
1749 { "SCMP_CMP_LE", SCMP_CMP_LE },
1750 { "SCMP_CMP_EQ", SCMP_CMP_EQ },
1751 { "SCMP_CMP_GE", SCMP_CMP_GE },
1752 { "SCMP_CMP_GT", SCMP_CMP_GT },
1753 { "SCMP_CMP_MASKED_EQ", SCMP_CMP_MASKED_EQ },
1754 };
1755
1756 size_t i;
1757
1758 for (i = 0; i < ELEMENTSOF(table); i++)
1759 if (streq_ptr(table[i].name, name)) {
1760 *ret = table[i].op;
1761 return 0;
1762 }
1763
1764 return -EINVAL;
1765 }
1766
1767 static int oci_seccomp_archs(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1768 scmp_filter_ctx *sc = userdata;
1769 JsonVariant *e;
1770 int r;
1771
1772 assert(sc);
1773
1774 JSON_VARIANT_ARRAY_FOREACH(e, v) {
1775 uint32_t a;
1776
1777 if (!json_variant_is_string(e))
1778 return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
1779 "Architecture entry is not a string");
1780
1781 r = oci_seccomp_arch_from_string(json_variant_string(e), &a);
1782 if (r < 0)
1783 return json_log(e, flags, r, "Unknown architecture: %s", json_variant_string(e));
1784
1785 r = seccomp_arch_add(sc, a);
1786 if (r == -EEXIST)
1787 continue;
1788 if (r < 0)
1789 return json_log(e, flags, r, "Failed to add architecture to seccomp filter: %m");
1790 }
1791
1792 return 0;
1793 }
1794
1795 struct syscall_rule {
1796 char **names;
1797 uint32_t action;
1798 struct scmp_arg_cmp *arguments;
1799 size_t n_arguments;
1800 };
1801
1802 static void syscall_rule_free(struct syscall_rule *rule) {
1803 assert(rule);
1804
1805 strv_free(rule->names);
1806 free(rule->arguments);
1807 };
1808
1809 static int oci_seccomp_action(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1810 uint32_t *action = userdata;
1811 int r;
1812
1813 assert(action);
1814
1815 r = oci_seccomp_action_from_string(json_variant_string(v), action);
1816 if (r < 0)
1817 return json_log(v, flags, r, "Unknown system call action '%s': %m", json_variant_string(v));
1818
1819 return 0;
1820 }
1821
1822 static int oci_seccomp_op(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1823 enum scmp_compare *op = userdata;
1824 int r;
1825
1826 assert(op);
1827
1828 r = oci_seccomp_compare_from_string(json_variant_string(v), op);
1829 if (r < 0)
1830 return json_log(v, flags, r, "Unknown seccomp operator '%s': %m", json_variant_string(v));
1831
1832 return 0;
1833 }
1834
1835 static int oci_seccomp_args(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1836 struct syscall_rule *rule = userdata;
1837 JsonVariant *e;
1838 int r;
1839
1840 assert(rule);
1841
1842 JSON_VARIANT_ARRAY_FOREACH(e, v) {
1843 static const struct JsonDispatch table[] = {
1844 { "index", JSON_VARIANT_UNSIGNED, json_dispatch_uint32, offsetof(struct scmp_arg_cmp, arg), JSON_MANDATORY },
1845 { "value", JSON_VARIANT_UNSIGNED, json_dispatch_uint64, offsetof(struct scmp_arg_cmp, datum_a), JSON_MANDATORY },
1846 { "valueTwo", JSON_VARIANT_UNSIGNED, json_dispatch_uint64, offsetof(struct scmp_arg_cmp, datum_b), 0 },
1847 { "op", JSON_VARIANT_STRING, oci_seccomp_op, offsetof(struct scmp_arg_cmp, op), JSON_MANDATORY },
1848 {},
1849 };
1850
1851 struct scmp_arg_cmp *a, *p;
1852 int expected;
1853
1854 a = reallocarray(rule->arguments, rule->n_arguments + 1, sizeof(struct syscall_rule));
1855 if (!a)
1856 return log_oom();
1857
1858 rule->arguments = a;
1859 p = rule->arguments + rule->n_arguments;
1860
1861 *p = (struct scmp_arg_cmp) {
1862 .arg = 0,
1863 .datum_a = 0,
1864 .datum_b = 0,
1865 .op = 0,
1866 };
1867
1868 r = json_dispatch(e, table, oci_unexpected, flags, p);
1869 if (r < 0)
1870 return r;
1871
1872 expected = p->op == SCMP_CMP_MASKED_EQ ? 4 : 3;
1873 if (r != expected)
1874 json_log(e, flags|JSON_WARNING, 0, "Wrong number of system call arguments for JSON data data, ignoring.");
1875
1876 /* Note that we are a bit sloppy here and do not insist that SCMP_CMP_MASKED_EQ gets two datum values,
1877 * and the other only one. That's because buildah for example by default calls things with
1878 * SCMP_CMP_MASKED_EQ but only one argument. We use 0 when the value is not specified. */
1879
1880 rule->n_arguments++;
1881 }
1882
1883 return 0;
1884 }
1885
1886 static int oci_seccomp_syscalls(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1887 scmp_filter_ctx *sc = userdata;
1888 JsonVariant *e;
1889 int r;
1890
1891 assert(sc);
1892
1893 JSON_VARIANT_ARRAY_FOREACH(e, v) {
1894 static const JsonDispatch table[] = {
1895 { "names", JSON_VARIANT_ARRAY, json_dispatch_strv, offsetof(struct syscall_rule, names), JSON_MANDATORY },
1896 { "action", JSON_VARIANT_STRING, oci_seccomp_action, offsetof(struct syscall_rule, action), JSON_MANDATORY },
1897 { "args", JSON_VARIANT_ARRAY, oci_seccomp_args, 0, 0 },
1898 };
1899 struct syscall_rule rule = {
1900 .action = (uint32_t) -1,
1901 };
1902 char **i;
1903
1904 r = json_dispatch(e, table, oci_unexpected, flags, &rule);
1905 if (r < 0)
1906 goto fail_rule;
1907
1908 if (strv_isempty(rule.names)) {
1909 json_log(e, flags, 0, "System call name list is empty.");
1910 r = -EINVAL;
1911 goto fail_rule;
1912 }
1913
1914 STRV_FOREACH(i, rule.names) {
1915 int nr;
1916
1917 nr = seccomp_syscall_resolve_name(*i);
1918 if (nr == __NR_SCMP_ERROR) {
1919 log_debug("Unknown syscall %s, skipping.", *i);
1920 continue;
1921 }
1922
1923 r = seccomp_rule_add_array(sc, rule.action, nr, rule.n_arguments, rule.arguments);
1924 if (r < 0)
1925 goto fail_rule;
1926 }
1927
1928 syscall_rule_free(&rule);
1929 continue;
1930
1931 fail_rule:
1932 syscall_rule_free(&rule);
1933 return r;
1934 }
1935
1936 return 0;
1937 }
1938 #endif
1939
1940 static int oci_seccomp(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1941
1942 #if HAVE_SECCOMP
1943 static const JsonDispatch table[] = {
1944 { "defaultAction", JSON_VARIANT_STRING, NULL, 0, JSON_MANDATORY },
1945 { "architectures", JSON_VARIANT_ARRAY, oci_seccomp_archs, 0, 0 },
1946 { "syscalls", JSON_VARIANT_ARRAY, oci_seccomp_syscalls, 0, 0 },
1947 {}
1948 };
1949
1950 _cleanup_(seccomp_releasep) scmp_filter_ctx sc = NULL;
1951 Settings *s = userdata;
1952 JsonVariant *def;
1953 uint32_t d;
1954 int r;
1955
1956 assert(s);
1957
1958 def = json_variant_by_key(v, "defaultAction");
1959 if (!def)
1960 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), "defaultAction element missing.");
1961
1962 if (!json_variant_is_string(def))
1963 return json_log(def, flags, SYNTHETIC_ERRNO(EINVAL), "defaultAction is not a string.");
1964
1965 r = oci_seccomp_action_from_string(json_variant_string(def), &d);
1966 if (r < 0)
1967 return json_log(def, flags, r, "Unknown default action: %s", json_variant_string(def));
1968
1969 sc = seccomp_init(d);
1970 if (!sc)
1971 return json_log(v, flags, SYNTHETIC_ERRNO(ENOMEM), "Couldn't allocate seccomp object.");
1972
1973 r = json_dispatch(v, table, oci_unexpected, flags, sc);
1974 if (r < 0)
1975 return r;
1976
1977 seccomp_release(s->seccomp);
1978 s->seccomp = TAKE_PTR(sc);
1979 return 0;
1980 #else
1981 return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), "libseccomp support not enabled, can't parse seccomp object.");
1982 #endif
1983 }
1984
1985 static int oci_rootfs_propagation(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1986 const char *s;
1987
1988 s = json_variant_string(v);
1989
1990 if (streq(s, "shared"))
1991 return 0;
1992
1993 json_log(v, flags|JSON_DEBUG, 0, "Ignoring rootfsPropagation setting '%s'.", s);
1994 return 0;
1995 }
1996
1997 static int oci_masked_paths(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
1998 Settings *s = userdata;
1999 JsonVariant *e;
2000
2001 assert(s);
2002
2003 JSON_VARIANT_ARRAY_FOREACH(e, v) {
2004 _cleanup_free_ char *destination = NULL;
2005 CustomMount *m;
2006 const char *p;
2007
2008 if (!json_variant_is_string(e))
2009 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
2010 "Path is not a string, refusing.");
2011
2012 assert_se(p = json_variant_string(e));
2013
2014 if (!path_is_absolute(p))
2015 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
2016 "Path is not not absolute, refusing: %s", p);
2017
2018 if (oci_exclude_mount(p))
2019 continue;
2020
2021 destination = strdup(p);
2022 if (!destination)
2023 return log_oom();
2024
2025 m = custom_mount_add(&s->custom_mounts, &s->n_custom_mounts, CUSTOM_MOUNT_INACCESSIBLE);
2026 if (!m)
2027 return log_oom();
2028
2029 m->destination = TAKE_PTR(destination);
2030
2031 /* The spec doesn't say this, but apparently pre-existing implementations are lenient towards
2032 * non-existing paths to mask. Let's hence be too. */
2033 m->graceful = true;
2034 }
2035
2036 return 0;
2037 }
2038
2039 static int oci_readonly_paths(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
2040 Settings *s = userdata;
2041 JsonVariant *e;
2042
2043 assert(s);
2044
2045 JSON_VARIANT_ARRAY_FOREACH(e, v) {
2046 _cleanup_free_ char *source = NULL, *destination = NULL;
2047 CustomMount *m;
2048 const char *p;
2049
2050 if (!json_variant_is_string(e))
2051 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
2052 "Path is not a string, refusing.");
2053
2054 assert_se(p = json_variant_string(e));
2055
2056 if (!path_is_absolute(p))
2057 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
2058 "Path is not not absolute, refusing: %s", p);
2059
2060 if (oci_exclude_mount(p))
2061 continue;
2062
2063 source = strjoin("+", p);
2064 if (!source)
2065 return log_oom();
2066
2067 destination = strdup(p);
2068 if (!destination)
2069 return log_oom();
2070
2071 m = custom_mount_add(&s->custom_mounts, &s->n_custom_mounts, CUSTOM_MOUNT_BIND);
2072 if (!m)
2073 return log_oom();
2074
2075 m->source = TAKE_PTR(source);
2076 m->destination = TAKE_PTR(destination);
2077 m->read_only = true;
2078 }
2079
2080 return 0;
2081 }
2082
2083 static int oci_linux(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
2084
2085 static const JsonDispatch table[] = {
2086 { "namespaces", JSON_VARIANT_ARRAY, oci_namespaces, 0, 0 },
2087 { "uidMappings", JSON_VARIANT_ARRAY, oci_uid_gid_mappings, 0, 0 },
2088 { "gidMappings", JSON_VARIANT_ARRAY, oci_uid_gid_mappings, 0, 0 },
2089 { "devices", JSON_VARIANT_ARRAY, oci_devices, 0, 0 },
2090 { "cgroupsPath", JSON_VARIANT_STRING, oci_cgroups_path, 0, 0 },
2091 { "resources", JSON_VARIANT_OBJECT, oci_resources, 0, 0 },
2092 { "intelRdt", JSON_VARIANT_OBJECT, oci_unsupported, 0, JSON_PERMISSIVE },
2093 { "sysctl", JSON_VARIANT_OBJECT, oci_sysctl, 0, 0 },
2094 { "seccomp", JSON_VARIANT_OBJECT, oci_seccomp, 0, 0 },
2095 { "rootfsPropagation", JSON_VARIANT_STRING, oci_rootfs_propagation, 0, 0 },
2096 { "maskedPaths", JSON_VARIANT_ARRAY, oci_masked_paths, 0, 0 },
2097 { "readonlyPaths", JSON_VARIANT_ARRAY, oci_readonly_paths, 0, 0 },
2098 { "mountLabel", JSON_VARIANT_STRING, oci_unsupported, 0, JSON_PERMISSIVE },
2099 {}
2100 };
2101
2102 return json_dispatch(v, table, oci_unexpected, flags, userdata);
2103 }
2104
2105 static int oci_hook_timeout(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
2106 usec_t *u = userdata;
2107 uintmax_t k;
2108
2109 k = json_variant_unsigned(v);
2110 if (k == 0)
2111 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
2112 "Hook timeout cannot be zero.");
2113
2114 if (k > (UINT64_MAX-1/USEC_PER_SEC))
2115 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
2116 "Hook timeout too large.");
2117
2118 *u = k * USEC_PER_SEC;
2119 return 0;
2120 }
2121
2122 static int oci_hooks_array(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
2123 Settings *s = userdata;
2124 JsonVariant *e;
2125 int r;
2126
2127 assert(s);
2128
2129 JSON_VARIANT_ARRAY_FOREACH(e, v) {
2130
2131 static const JsonDispatch table[] = {
2132 { "path", JSON_VARIANT_STRING, oci_absolute_path, offsetof(OciHook, path), JSON_MANDATORY },
2133 { "args", JSON_VARIANT_ARRAY, oci_args, offsetof(OciHook, args), 0 },
2134 { "env", JSON_VARIANT_ARRAY, oci_env, offsetof(OciHook, env), 0 },
2135 { "timeout", JSON_VARIANT_UNSIGNED, oci_hook_timeout, offsetof(OciHook, timeout), 0 },
2136 {}
2137 };
2138
2139 OciHook *a, **array, *new_item;
2140 size_t *n_array;
2141
2142 if (streq(name, "prestart")) {
2143 array = &s->oci_hooks_prestart;
2144 n_array = &s->n_oci_hooks_prestart;
2145 } else if (streq(name, "poststart")) {
2146 array = &s->oci_hooks_poststart;
2147 n_array = &s->n_oci_hooks_poststart;
2148 } else {
2149 assert(streq(name, "poststop"));
2150 array = &s->oci_hooks_poststop;
2151 n_array = &s->n_oci_hooks_poststop;
2152 }
2153
2154 a = reallocarray(*array, *n_array + 1, sizeof(OciHook));
2155 if (!a)
2156 return log_oom();
2157
2158 *array = a;
2159 new_item = a + *n_array;
2160
2161 *new_item = (OciHook) {
2162 .timeout = USEC_INFINITY,
2163 };
2164
2165 r = json_dispatch(e, table, oci_unexpected, flags, userdata);
2166 if (r < 0) {
2167 free(new_item->path);
2168 strv_free(new_item->args);
2169 strv_free(new_item->env);
2170 return r;
2171 }
2172
2173 (*n_array) ++;
2174 }
2175
2176 return 0;
2177 }
2178
2179 static int oci_hooks(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
2180
2181 static const JsonDispatch table[] = {
2182 { "prestart", JSON_VARIANT_OBJECT, oci_hooks_array, 0, 0 },
2183 { "poststart", JSON_VARIANT_OBJECT, oci_hooks_array, 0, 0 },
2184 { "poststop", JSON_VARIANT_OBJECT, oci_hooks_array, 0, 0 },
2185 {}
2186 };
2187
2188 return json_dispatch(v, table, oci_unexpected, flags, userdata);
2189 }
2190
2191 static int oci_annotations(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
2192 JsonVariant *k, *w;
2193
2194 JSON_VARIANT_OBJECT_FOREACH(k, w, v) {
2195 const char *n;
2196
2197 assert_se(n = json_variant_string(k));
2198
2199 if (isempty(n))
2200 return json_log(k, flags, SYNTHETIC_ERRNO(EINVAL),
2201 "Annotation with empty key, refusing.");
2202
2203 if (!json_variant_is_string(w))
2204 return json_log(w, flags, SYNTHETIC_ERRNO(EINVAL),
2205 "Annotation has non-string value, refusing.");
2206
2207 json_log(k, flags|JSON_DEBUG, 0, "Ignoring annotation '%s' with value '%s'.", n, json_variant_string(w));
2208 }
2209
2210 return 0;
2211 }
2212
2213 int oci_load(FILE *f, const char *bundle, Settings **ret) {
2214
2215 static const JsonDispatch table[] = {
2216 { "ociVersion", JSON_VARIANT_STRING, NULL, 0, JSON_MANDATORY },
2217 { "process", JSON_VARIANT_OBJECT, oci_process, 0, 0 },
2218 { "root", JSON_VARIANT_OBJECT, oci_root, 0, 0 },
2219 { "hostname", JSON_VARIANT_STRING, oci_hostname, 0, 0 },
2220 { "mounts", JSON_VARIANT_ARRAY, oci_mounts, 0, 0 },
2221 { "linux", JSON_VARIANT_OBJECT, oci_linux, 0, 0 },
2222 { "hooks", JSON_VARIANT_OBJECT, oci_hooks, 0, 0 },
2223 { "annotations", JSON_VARIANT_OBJECT, oci_annotations, 0, 0 },
2224 {}
2225 };
2226
2227 _cleanup_(json_variant_unrefp) JsonVariant *oci = NULL;
2228 _cleanup_(settings_freep) Settings *s = NULL;
2229 unsigned line = 0, column = 0;
2230 JsonVariant *v;
2231 const char *path;
2232 int r;
2233
2234 assert_se(bundle);
2235
2236 path = strjoina(bundle, "/config.json");
2237
2238 r = json_parse_file(f, path, &oci, &line, &column);
2239 if (r < 0) {
2240 if (line != 0 && column != 0)
2241 return log_error_errno(r, "Failed to parse '%s' at %u:%u: %m", path, line, column);
2242 else
2243 return log_error_errno(r, "Failed to parse '%s': %m", path);
2244 }
2245
2246 v = json_variant_by_key(oci, "ociVersion");
2247 if (!v) {
2248 log_error("JSON file '%s' is not an OCI bundle configuration file. Refusing.", path);
2249 return -EINVAL;
2250 }
2251 if (!streq_ptr(json_variant_string(v), "1.0.0")) {
2252 log_error("OCI bundle version not supported: %s", strna(json_variant_string(v)));
2253 return -EINVAL;
2254 }
2255
2256 // {
2257 // _cleanup_free_ char *formatted = NULL;
2258 // assert_se(json_variant_format(oci, JSON_FORMAT_PRETTY|JSON_FORMAT_COLOR, &formatted) >= 0);
2259 // fputs(formatted, stdout);
2260 // }
2261
2262 s = settings_new();
2263 if (!s)
2264 return log_oom();
2265
2266 s->start_mode = START_PID1;
2267 s->resolv_conf = RESOLV_CONF_OFF;
2268 s->link_journal = LINK_NO;
2269 s->timezone = TIMEZONE_OFF;
2270
2271 s->bundle = strdup(bundle);
2272 if (!s->bundle)
2273 return log_oom();
2274
2275 r = json_dispatch(oci, table, oci_unexpected, 0, s);
2276 if (r < 0)
2277 return r;
2278
2279 if (s->properties) {
2280 r = sd_bus_message_seal(s->properties, 0, 0);
2281 if (r < 0)
2282 return log_error_errno(r, "Cannot seal properties bus message: %m");
2283 }
2284
2285 *ret = TAKE_PTR(s);
2286 return 0;
2287 }
Unnamed repository; edit this file 'description' to name the repository.