1 | /*-*- Mode: C; c-basic-offset: 8 -*-*/ |
2 | ||
3 | /*** | |
4 | This file is part of systemd. | |
5 | ||
6 | Copyright 2010 Lennart Poettering | |
7 | ||
8 | systemd is free software; you can redistribute it and/or modify it | |
9 | under the terms of the GNU General Public License as published by | |
10 | the Free Software Foundation; either version 2 of the License, or | |
11 | (at your option) any later version. | |
12 | ||
13 | systemd is distributed in the hope that it will be useful, but | |
14 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
16 | General Public License for more details. | |
17 | ||
18 | You should have received a copy of the GNU General Public License | |
19 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
20 | ***/ | |
21 | ||
22 | #include <errno.h> | |
23 | #include <sys/mount.h> | |
24 | #include <string.h> | |
25 | #include <stdio.h> | |
26 | #include <unistd.h> | |
27 | #include <sys/stat.h> | |
28 | #include <sys/types.h> | |
29 | #include <sched.h> | |
30 | #include <sys/syscall.h> | |
31 | #include <limits.h> | |
32 | ||
33 | #include "strv.h" | |
34 | #include "util.h" | |
35 | #include "namespace.h" | |
36 | #include "missing.h" | |
37 | ||
/* How a listed path is to be mounted in the new namespace.
 *
 * This is ordered by priority: when the same path is listed with several
 * modes, path_compare()/drop_duplicates() keep the lowest value, so the
 * most restrictive entry wins. The explicit values pin that order. */
typedef enum PathMode {
        INACCESSIBLE = 0, /* replaced by an empty mode-0 directory, read-only */
        READONLY     = 1, /* bind mounted onto itself, read-only */
        PRIVATE      = 2, /* replaced by a fresh sticky, world-writable directory */
        READWRITE    = 3  /* bind mounted onto itself, read-write */
} PathMode;
45 | ||
/* One entry of the mount plan: an absolute path and how to mount it.
 * The string is borrowed (from the caller's vectors or a literal) and is
 * never freed by this file. */
typedef struct Path {
        const char *path; /* absolute path, relative to the new root */
        PathMode mode;    /* how to mount it, see PathMode */
} Path;
50 | ||
/* Appends every entry of the NULL-terminated string vector 'strv' to the
 * Path array cursor '*p', tagging each with 'mode', and advances the cursor
 * past the appended entries. The strings are referenced, not copied. No
 * bounds check is done; the caller sizes the array.
 *
 * Returns 0 on success, -EINVAL if an entry is not an absolute path. The
 * entries before the offending one have already been written and '*p'
 * points past them. */
static int append_paths(Path **p, char **strv, PathMode mode) {
        Path *cursor = *p;

        /* A NULL vector counts as empty, as STRV_FOREACH() does */
        for (char **s = strv; s && *s; s++) {

                if (!path_is_absolute(*s)) {
                        *p = cursor;
                        return -EINVAL;
                }

                cursor->path = *s;
                cursor->mode = mode;
                cursor++;
        }

        *p = cursor;
        return 0;
}
66 | ||
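/* qsort() comparator for Path entries.
 *
 * Ordering: equal paths sort by mode (lowest PathMode first, so the most
 * restrictive entry of a duplicate set comes first and is the one that
 * drop_duplicates() keeps); otherwise a path sorts before every path it is
 * a prefix of, so parents are mounted before their children. Unrelated
 * paths are ordered by strcmp(): returning 0 for them, as this function
 * used to, is not a consistent ordering and qsort() gives no guarantees for
 * such a comparator, which could let a child mount precede its parent.
 *
 * Returns <0, 0 or >0 in the usual qsort() convention. */
static int path_compare(const void *a, const void *b) {
        const Path *p = a, *q = b;

        if (path_equal(p->path, q->path)) {

                /* Same path: order by mode, the priority order of the enum */
                if (p->mode < q->mode)
                        return -1;

                if (p->mode > q->mode)
                        return 1;

                return 0;
        }

        /* Different paths: a prefix sorts before the paths below it */
        if (path_startswith(p->path, q->path))
                return 1;

        if (path_startswith(q->path, p->path))
                return -1;

        /* Unrelated paths: fall back to plain string order. For normalized
         * absolute paths (no duplicate slashes) this agrees with the prefix
         * rule above, so the overall order is a total one. */
        return strcmp(p->path, q->path);
}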
91 | ||
/* Compacts the sorted array 'p' of '*n' entries in place, keeping only the
 * first entry of each run of equal paths (after path_compare() sorting that
 * is the one with the lowest, i.e. most restrictive, mode) and updating '*n'
 * to the new count. '*need_inaccessible' / '*need_private' are set to true
 * if a kept entry has mode INACCESSIBLE / PRIVATE; they are never cleared. */
static void drop_duplicates(Path *p, unsigned *n, bool *need_inaccessible, bool *need_private) {
        unsigned kept = 0;

        assert(p);
        assert(n);
        assert(need_inaccessible);
        assert(need_private);

        for (unsigned i = 0; i < *n; i++) {
                const Path *cur = p + i;

                /* Skip entries repeating the path of the last kept entry */
                if (kept > 0 && path_equal(cur->path, p[kept-1].path))
                        continue;

                p[kept].path = cur->path;
                p[kept].mode = cur->mode;

                switch (p[kept].mode) {

                case PRIVATE:
                        *need_private = true;
                        break;

                case INACCESSIBLE:
                        *need_inaccessible = true;
                        break;

                default:
                        break;
                }

                kept++;
        }

        *n = kept;
}
121 | ||
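/* Bind mounts the entry 'p' into the new root tree below 'root_dir'.
 *
 * The mount source depends on p->mode: INACCESSIBLE and PRIVATE bind the
 * empty 'inaccessible_dir' / 'private_dir' over the path, READONLY and
 * READWRITE bind the path onto itself. READONLY and INACCESSIBLE add
 * MS_RDONLY to 'flags'. Because a bind mount inherits the source's flags,
 * any flags are applied in a second MS_REMOUNT step; a bind of "/" is
 * additionally made MS_UNBINDABLE.
 *
 * Returns 0 on success, -ENOMEM if the target path cannot be built,
 * -EINVAL for an unknown mode, otherwise -errno of the failing mount(2).
 * A mount that was established but could not be remounted is detached
 * again before returning. */
static int apply_mount(Path *p, const char *root_dir, const char *inaccessible_dir, const char *private_dir, unsigned long flags) {
        const char *what = NULL;
        char *where;
        int r;

        assert(p);
        assert(root_dir);
        assert(inaccessible_dir);
        assert(private_dir);

        if (!(where = strappend(root_dir, p->path)))
                return -ENOMEM;

        switch (p->mode) {

        case INACCESSIBLE:
                what = inaccessible_dir;
                flags |= MS_RDONLY;
                break;

        case READONLY:
                flags |= MS_RDONLY;
                /* Fall through */

        case READWRITE:
                what = p->path;
                break;

        case PRIVATE:
                what = private_dir;
                break;

        default:
                /* Unknown mode: refuse rather than mount from an unset source */
                free(where);
                return -EINVAL;
        }

        r = mount(what, where, NULL, MS_BIND|MS_REC, NULL);
        if (r < 0) {
                /* Nothing is mounted yet; report the real errno rather than
                 * the bare -1 mount(2) returns, which the old code did. */
                r = -errno;
                free(where);
                return r;
        }

        log_debug("Successfully mounted %s to %s", what, where);

        /* The bind mount will always inherit the original flags. If we
         * want to set any flag we need to do so in a second independent
         * step. */
        if (flags)
                r = mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|MS_REC|flags, NULL);

        /* Avoid exponential growth of trees */
        if (r >= 0 && path_equal(p->path, "/"))
                r = mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|MS_UNBINDABLE|flags, NULL);

        if (r < 0) {
                /* Save errno before umount2() can clobber it */
                r = -errno;
                umount2(where, MNT_DETACH);
        }

        free(where);
        return r;
}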
177 | ||
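/* Builds a private mount namespace for the calling process.
 *
 * 'writable', 'readable' and 'inaccessible' are string vectors of absolute
 * paths (NULL allowed) that are bind mounted read-write, read-only, or
 * replaced by an empty mode-0 directory. If 'private_tmp' is set, /tmp is
 * replaced by a fresh private directory. 'flags' are extra mount(2) flags
 * applied to every bind mount. The new tree is assembled below a temporary
 * directory, then pivot_root(2)ed onto, and the old root is detached.
 *
 * Returns 0 on success or a negative errno. Up to the pivot_root() every
 * mount and directory created so far is undone on failure; once the
 * process is inside the new root nothing can be turned back and the error
 * is only reported. Needs the privileges for unshare(CLONE_NEWNS), mount(2)
 * and pivot_root(2). */
int setup_namespace(
                char **writable,
                char **readable,
                char **inaccessible,
                bool private_tmp,
                unsigned long flags) {

        char
                tmp_dir[] = "/tmp/systemd-namespace-XXXXXX",
                root_dir[] = "/tmp/systemd-namespace-XXXXXX/root",
                old_root_dir[] = "/tmp/systemd-namespace-XXXXXX/root/tmp/old-root-XXXXXX",
                inaccessible_dir[] = "/tmp/systemd-namespace-XXXXXX/inaccessible",
                private_dir[] = "/tmp/systemd-namespace-XXXXXX/private";

        Path *paths, *p;
        unsigned n;
        bool need_private = false, need_inaccessible = false;
        bool remove_tmp = false, remove_root = false, remove_old_root = false, remove_inaccessible = false, remove_private = false;
        int r;
        const char *t;

        /* One entry per listed path, plus "/" and optionally "/tmp" */
        n =
                strv_length(writable) +
                strv_length(readable) +
                strv_length(inaccessible) +
                (private_tmp ? 2 : 1);

        if (!(paths = new(Path, n)))
                return -ENOMEM;

        p = paths;
        if ((r = append_paths(&p, writable, READWRITE)) < 0 ||
            (r = append_paths(&p, readable, READONLY)) < 0 ||
            (r = append_paths(&p, inaccessible, INACCESSIBLE)) < 0)
                goto fail;

        if (private_tmp) {
                p->path = "/tmp";
                p->mode = PRIVATE;
                p++;
        }

        /* The root itself is always bind mounted, so that everything not
         * listed stays visible in the new tree */
        p->path = "/";
        p->mode = READWRITE;
        p++;

        assert(paths + n == p);

        /* Parents before children and, for duplicates, the most restrictive
         * mode first; then keep only that entry per path */
        qsort(paths, n, sizeof(Path), path_compare);
        drop_duplicates(paths, &n, &need_inaccessible, &need_private);

        if (!mkdtemp(tmp_dir)) {
                r = -errno;
                goto fail;
        }
        remove_tmp = true;

        /* All templates share the tmp_dir prefix, so the name mkdtemp()
         * chose is copied over the prefix of each of them */
        memcpy(root_dir, tmp_dir, sizeof(tmp_dir)-1);
        if (mkdir(root_dir, 0777) < 0) {
                r = -errno;
                goto fail;
        }
        remove_root = true;

        if (need_inaccessible) {
                memcpy(inaccessible_dir, tmp_dir, sizeof(tmp_dir)-1);
                /* Mode 0: the directory that replaces inaccessible paths */
                if (mkdir(inaccessible_dir, 0) < 0) {
                        r = -errno;
                        goto fail;
                }
                remove_inaccessible = true;
        }

        if (need_private) {
                memcpy(private_dir, tmp_dir, sizeof(tmp_dir)-1);
                /* Sticky and world-writable, like /tmp itself */
                if (mkdir(private_dir, 0777 + S_ISVTX) < 0) {
                        r = -errno;
                        goto fail;
                }
                remove_private = true;
        }

        if (unshare(CLONE_NEWNS) < 0) {
                r = -errno;
                goto fail;
        }

        /* unshare() alone does not stop propagation when "/" is a shared
         * mount, so make our copy of the tree a slave explicitly: nothing
         * we mount below may show up in the host namespace. */
        if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        for (p = paths; p < paths + n; p++)
                if ((r = apply_mount(p, root_dir, inaccessible_dir, private_dir, flags)) < 0)
                        goto undo_mounts;

        memcpy(old_root_dir, tmp_dir, sizeof(tmp_dir)-1);
        if (!mkdtemp(old_root_dir)) {
                r = -errno;
                goto undo_mounts;
        }
        remove_old_root = true;

        if (chdir(root_dir) < 0) {
                r = -errno;
                goto undo_mounts;
        }

        if (pivot_root(root_dir, old_root_dir) < 0) {
                r = -errno;
                goto undo_mounts;
        }

        /* From here on we are inside the new root and it is too late to
         * turn anything back; errors are only reported. The plan is no
         * longer needed (the old code leaked it on every path below). */
        free(paths);
        paths = NULL;

        /* The old root is now visible at old_root_dir with the root_dir
         * prefix stripped */
        t = old_root_dir + sizeof(root_dir) - 1;
        if (umount2(t, MNT_DETACH) < 0)
                return -errno;

        if (rmdir(t) < 0)
                return -errno;

        return 0;

undo_mounts:
        /* Detach, in reverse order, everything apply_mount() established;
         * p points at the entry that failed, or one past the last one.
         * Stepping back while p > paths never forms a pointer before the
         * array, unlike the old p-- / p >= paths loop. */
        while (p > paths) {
                char full_path[PATH_MAX];

                p--;
                snprintf(full_path, sizeof(full_path), "%s%s", root_dir, p->path);
                char_array_0(full_path);

                umount2(full_path, MNT_DETACH);
        }

fail:
        if (remove_old_root)
                rmdir(old_root_dir);

        if (remove_inaccessible)
                rmdir(inaccessible_dir);

        if (remove_private)
                rmdir(private_dir);

        if (remove_root)
                rmdir(root_dir);

        if (remove_tmp)
                rmdir(tmp_dir);

        free(paths);

        return r;
}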