[thirdparty/systemd.git] / src / core / namespace.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <sys/mount.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sched.h>
#include <linux/fs.h>

#include "strv.h"
#include "util.h"
#include "path-util.h"
#include "missing.h"
#include "loopback-setup.h"
#include "dev-setup.h"
#include "selinux-util.h"
#include "namespace.h"
#include "mkdir.h"

typedef enum MountMode {
        /* This is ordered by priority! */
        INACCESSIBLE,
        READONLY,
        PRIVATE_TMP,
        PRIVATE_VAR_TMP,
        PRIVATE_DEV,
        PRIVATE_BUS_ENDPOINT,
        READWRITE
} MountMode;

typedef struct BindMount {
        const char *path;
        MountMode mode;
        bool done;
        bool ignore;
} BindMount;

static int append_mounts(BindMount **p, char **strv, MountMode mode) {
        char **i;

        assert(p);

        STRV_FOREACH(i, strv) {

                (*p)->ignore = false;
                (*p)->done = false;

                if ((mode == INACCESSIBLE || mode == READONLY || mode == READWRITE) && (*i)[0] == '-') {
                        (*p)->ignore = true;
                        (*i)++;
                }

                if (!path_is_absolute(*i))
                        return -EINVAL;

                (*p)->path = *i;
                (*p)->mode = mode;
                (*p)++;
        }

        return 0;
}

static int mount_path_compare(const void *a, const void *b) {
        const BindMount *p = a, *q = b;
        int d;

        d = path_compare(p->path, q->path);

        if (d == 0) {
                /* If the paths are equal, check the mode */
                if (p->mode < q->mode)
                        return -1;

                if (p->mode > q->mode)
                        return 1;

                return 0;
        }

        /* If the paths are not equal, then order prefixes first */
        return d;
}

static void drop_duplicates(BindMount *m, unsigned *n) {
        BindMount *f, *t, *previous;

        assert(m);
        assert(n);

        for (f = m, t = m, previous = NULL; f < m+*n; f++) {

                /* The first one wins */
                if (previous && path_equal(f->path, previous->path))
                        continue;

                *t = *f;

                previous = t;

                t++;
        }

        *n = t - m;
}

static int mount_dev(BindMount *m) {
        static const char devnodes[] =
                "/dev/null\0"
                "/dev/zero\0"
                "/dev/full\0"
                "/dev/random\0"
                "/dev/urandom\0"
                "/dev/tty\0";

        char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
        const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
        _cleanup_umask_ mode_t u;
        int r;

        assert(m);

        u = umask(0000);

        if (!mkdtemp(temporary_mount))
                return -errno;

        dev = strjoina(temporary_mount, "/dev");
        (void) mkdir(dev, 0755);
        if (mount("tmpfs", dev, "tmpfs", MS_NOSUID|MS_STRICTATIME, "mode=755") < 0) {
                r = -errno;
                goto fail;
        }

        devpts = strjoina(temporary_mount, "/dev/pts");
        (void) mkdir(devpts, 0755);
        if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        devptmx = strjoina(temporary_mount, "/dev/ptmx");
        if (symlink("pts/ptmx", devptmx) < 0) {
                r = -errno;
                goto fail;
        }

        devshm = strjoina(temporary_mount, "/dev/shm");
        (void) mkdir(devshm, 01777);
        r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
        if (r < 0) {
                r = -errno;
                goto fail;
        }

        devmqueue = strjoina(temporary_mount, "/dev/mqueue");
        (void) mkdir(devmqueue, 0755);
        (void) mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);

        devhugepages = strjoina(temporary_mount, "/dev/hugepages");
        (void) mkdir(devhugepages, 0755);
        (void) mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);

        devlog = strjoina(temporary_mount, "/dev/log");
        (void) symlink("/run/systemd/journal/dev-log", devlog);

        NULSTR_FOREACH(d, devnodes) {
                _cleanup_free_ char *dn = NULL;
                struct stat st;

                r = stat(d, &st);
                if (r < 0) {

                        if (errno == ENOENT)
                                continue;

                        r = -errno;
                        goto fail;
                }

                if (!S_ISBLK(st.st_mode) &&
                    !S_ISCHR(st.st_mode)) {
                        r = -EINVAL;
                        goto fail;
                }

                if (st.st_rdev == 0)
                        continue;

                dn = strappend(temporary_mount, d);
                if (!dn) {
                        r = -ENOMEM;
                        goto fail;
                }

                mac_selinux_create_file_prepare(d, st.st_mode);
                r = mknod(dn, st.st_mode, st.st_rdev);
                mac_selinux_create_file_clear();

                if (r < 0) {
                        r = -errno;
                        goto fail;
                }
        }

        dev_setup(temporary_mount, UID_INVALID, GID_INVALID);

        /* Create the /dev directory if missing. It is more likely to be
         * missing when the service is started with RootDirectory. This is
         * consistent with mount units creating the mount points when missing.
         */
        (void) mkdir_p_label(m->path, 0755);

        if (mount(dev, m->path, NULL, MS_MOVE, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        rmdir(dev);
        rmdir(temporary_mount);

        return 0;

fail:
        if (devpts)
                umount(devpts);

        if (devshm)
                umount(devshm);

        if (devhugepages)
                umount(devhugepages);

        if (devmqueue)
                umount(devmqueue);

        umount(dev);
        rmdir(dev);
        rmdir(temporary_mount);

        return r;
}

static int mount_kdbus(BindMount *m) {

        char temporary_mount[] = "/tmp/kdbus-dev-XXXXXX";
        _cleanup_free_ char *basepath = NULL;
        _cleanup_umask_ mode_t u;
        char *busnode = NULL, *root;
        struct stat st;
        int r;

        assert(m);

        u = umask(0000);

        if (!mkdtemp(temporary_mount))
                return log_error_errno(errno, "Failed create temp dir: %m");

        root = strjoina(temporary_mount, "/kdbus");
        (void) mkdir(root, 0755);
        if (mount("tmpfs", root, "tmpfs", MS_NOSUID|MS_STRICTATIME, "mode=777") < 0) {
                r = -errno;
                goto fail;
        }

        /* create a new /dev/null dev node copy so we have some fodder to
         * bind-mount the custom endpoint over. */
        if (stat("/dev/null", &st) < 0) {
                log_error_errno(errno, "Failed to stat /dev/null: %m");
                r = -errno;
                goto fail;
        }

        busnode = strjoina(root, "/bus");
        if (mknod(busnode, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
                log_error_errno(errno, "mknod() for %s failed: %m", busnode);
                r = -errno;
                goto fail;
        }

        r = mount(m->path, busnode, NULL, MS_BIND, NULL);
        if (r < 0) {
                log_error_errno(errno, "bind mount of %s failed: %m", m->path);
                r = -errno;
                goto fail;
        }

        basepath = dirname_malloc(m->path);
        if (!basepath) {
                r = -ENOMEM;
                goto fail;
        }

        if (mount(root, basepath, NULL, MS_MOVE, NULL) < 0) {
                log_error_errno(errno, "bind mount of %s failed: %m", basepath);
                r = -errno;
                goto fail;
        }

        rmdir(temporary_mount);
        return 0;

fail:
        if (busnode) {
                umount(busnode);
                unlink(busnode);
        }

        umount(root);
        rmdir(root);
        rmdir(temporary_mount);

        return r;
}

static int apply_mount(
                BindMount *m,
                const char *tmp_dir,
                const char *var_tmp_dir) {

        const char *what;
        int r;

        assert(m);

        switch (m->mode) {

        case INACCESSIBLE:

                /* First, get rid of everything that is below if there
                 * is anything... Then, overmount it with an
                 * inaccessible directory. */
                umount_recursive(m->path, 0);

                what = "/run/systemd/inaccessible";
                break;

        case READONLY:
        case READWRITE:
                /* Nothing to mount here, we just later toggle the
                 * MS_RDONLY bit for the mount point */
                return 0;

        case PRIVATE_TMP:
                what = tmp_dir;
                break;

        case PRIVATE_VAR_TMP:
                what = var_tmp_dir;
                break;

        case PRIVATE_DEV:
                return mount_dev(m);

        case PRIVATE_BUS_ENDPOINT:
                return mount_kdbus(m);

        default:
                assert_not_reached("Unknown mode");
        }

        assert(what);

        r = mount(what, m->path, NULL, MS_BIND|MS_REC, NULL);
        if (r >= 0)
                log_debug("Successfully mounted %s to %s", what, m->path);
        else if (m->ignore && errno == ENOENT)
                return 0;

        return r;
}

static int make_read_only(BindMount *m) {
        int r;

        assert(m);

        if (IN_SET(m->mode, INACCESSIBLE, READONLY))
                r = bind_remount_recursive(m->path, true);
        else if (IN_SET(m->mode, READWRITE, PRIVATE_TMP, PRIVATE_VAR_TMP, PRIVATE_DEV))
                r = bind_remount_recursive(m->path, false);
        else
                r = 0;

        if (m->ignore && r == -ENOENT)
                return 0;

        return r;
}

int setup_namespace(
                const char* root_directory,
                char** read_write_dirs,
                char** read_only_dirs,
                char** inaccessible_dirs,
                const char* tmp_dir,
                const char* var_tmp_dir,
                const char* bus_endpoint_path,
                bool private_dev,
                ProtectHome protect_home,
                ProtectSystem protect_system,
                unsigned long mount_flags) {

        BindMount *m, *mounts = NULL;
        unsigned n;
        int r = 0;

        if (mount_flags == 0)
                mount_flags = MS_SHARED;

        if (unshare(CLONE_NEWNS) < 0)
                return -errno;

        n = !!tmp_dir + !!var_tmp_dir + !!bus_endpoint_path +
                strv_length(read_write_dirs) +
                strv_length(read_only_dirs) +
                strv_length(inaccessible_dirs) +
                private_dev +
                (protect_home != PROTECT_HOME_NO ? 3 : 0) +
                (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
                (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);

        if (n > 0) {
                m = mounts = (BindMount *) alloca0(n * sizeof(BindMount));
                r = append_mounts(&m, read_write_dirs, READWRITE);
                if (r < 0)
                        return r;

                r = append_mounts(&m, read_only_dirs, READONLY);
                if (r < 0)
                        return r;

                r = append_mounts(&m, inaccessible_dirs, INACCESSIBLE);
                if (r < 0)
                        return r;

                if (tmp_dir) {
                        m->path = prefix_roota(root_directory, "/tmp");
                        m->mode = PRIVATE_TMP;
                        m++;
                }

                if (var_tmp_dir) {
                        m->path = prefix_roota(root_directory, "/var/tmp");
                        m->mode = PRIVATE_VAR_TMP;
                        m++;
                }

                if (private_dev) {
                        m->path = prefix_roota(root_directory, "/dev");
                        m->mode = PRIVATE_DEV;
                        m++;
                }

                if (bus_endpoint_path) {
                        m->path = prefix_roota(root_directory, bus_endpoint_path);
                        m->mode = PRIVATE_BUS_ENDPOINT;
                        m++;
                }

                if (protect_home != PROTECT_HOME_NO) {
                        const char *home_dir, *run_user_dir, *root_dir;

                        home_dir = prefix_roota(root_directory, "/home");
                        home_dir = strjoina("-", home_dir);
                        run_user_dir = prefix_roota(root_directory, "/run/user");
                        run_user_dir = strjoina("-", run_user_dir);
                        root_dir = prefix_roota(root_directory, "/root");
                        root_dir = strjoina("-", root_dir);

                        r = append_mounts(&m, STRV_MAKE(home_dir, run_user_dir, root_dir),
                                protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
                        if (r < 0)
                                return r;
                }

                if (protect_system != PROTECT_SYSTEM_NO) {
                        const char *usr_dir, *boot_dir, *etc_dir;

                        usr_dir = prefix_roota(root_directory, "/usr");
                        boot_dir = prefix_roota(root_directory, "/boot");
                        boot_dir = strjoina("-", boot_dir);
                        etc_dir = prefix_roota(root_directory, "/etc");

                        r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL
                                ? STRV_MAKE(usr_dir, boot_dir, etc_dir)
                                : STRV_MAKE(usr_dir, boot_dir), READONLY);
                        if (r < 0)
                                return r;
                }

                assert(mounts + n == m);

                qsort(mounts, n, sizeof(BindMount), mount_path_compare);
                drop_duplicates(mounts, &n);
        }

        if (n > 0 || root_directory) {
                /* Remount / as SLAVE so that nothing now mounted in the namespace
                   shows up in the parent */
                if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0)
                        return -errno;
        }

        if (root_directory) {
                /* Turn directory into bind mount */
                if (mount(root_directory, root_directory, NULL, MS_BIND|MS_REC, NULL) < 0)
                        return -errno;
        }

        if (n > 0) {
                for (m = mounts; m < mounts + n; ++m) {
                        r = apply_mount(m, tmp_dir, var_tmp_dir);
                        if (r < 0)
                                goto fail;
                }

                for (m = mounts; m < mounts + n; ++m) {
                        r = make_read_only(m);
                        if (r < 0)
                                goto fail;
                }
        }

        if (root_directory) {
                /* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */
                r = mount_move_root(root_directory);

                /* at this point, we cannot rollback */
                if (r < 0)
                        return r;
        }

        /* Remount / as the desired mode. Not that this will not
         * reestablish propagation from our side to the host, since
         * what's disconnected is disconnected. */
        if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0) {
                /* at this point, we cannot rollback */
                return -errno;
        }

        return 0;

fail:
        if (n > 0) {
                for (m = mounts; m < mounts + n; ++m)
                        if (m->done)
                                (void) umount2(m->path, MNT_DETACH);
        }

        return r;
}

static int setup_one_tmp_dir(const char *id, const char *prefix, char **path) {
        _cleanup_free_ char *x = NULL;
        char bid[SD_ID128_STRING_MAX];
        sd_id128_t boot_id;
        int r;

        assert(id);
        assert(prefix);
        assert(path);

        /* We include the boot id in the directory so that after a
         * reboot we can easily identify obsolete directories. */

        r = sd_id128_get_boot(&boot_id);
        if (r < 0)
                return r;

        x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX", NULL);
        if (!x)
                return -ENOMEM;

        RUN_WITH_UMASK(0077)
                if (!mkdtemp(x))
                        return -errno;

        RUN_WITH_UMASK(0000) {
                char *y;

                y = strjoina(x, "/tmp");

                if (mkdir(y, 0777 | S_ISVTX) < 0)
                        return -errno;
        }

        *path = x;
        x = NULL;

        return 0;
}

int setup_tmp_dirs(const char *id, char **tmp_dir, char **var_tmp_dir) {
        char *a, *b;
        int r;

        assert(id);
        assert(tmp_dir);
        assert(var_tmp_dir);

        r = setup_one_tmp_dir(id, "/tmp", &a);
        if (r < 0)
                return r;

        r = setup_one_tmp_dir(id, "/var/tmp", &b);
        if (r < 0) {
                char *t;

                t = strjoina(a, "/tmp");
                rmdir(t);
                rmdir(a);

                free(a);
                return r;
        }

        *tmp_dir = a;
        *var_tmp_dir = b;

        return 0;
}

int setup_netns(int netns_storage_socket[2]) {
        _cleanup_close_ int netns = -1;
        union {
                struct cmsghdr cmsghdr;
                uint8_t buf[CMSG_SPACE(sizeof(int))];
        } control = {};
        struct msghdr mh = {
                .msg_control = &control,
                .msg_controllen = sizeof(control),
        };
        struct cmsghdr *cmsg;
        int r;

        assert(netns_storage_socket);
        assert(netns_storage_socket[0] >= 0);
        assert(netns_storage_socket[1] >= 0);

        /* We use the passed socketpair as a storage buffer for our
         * namespace reference fd. Whatever process runs this first
         * shall create a new namespace, all others should just join
         * it. To serialize that we use a file lock on the socket
         * pair.
         *
         * It's a bit crazy, but hey, works great! */

        if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
                return -errno;

        if (recvmsg(netns_storage_socket[0], &mh, MSG_DONTWAIT|MSG_CMSG_CLOEXEC) < 0) {
                if (errno != EAGAIN) {
                        r = -errno;
                        goto fail;
                }

                /* Nothing stored yet, so let's create a new namespace */

                if (unshare(CLONE_NEWNET) < 0) {
                        r = -errno;
                        goto fail;
                }

                loopback_setup();

                netns = open("/proc/self/ns/net", O_RDONLY|O_CLOEXEC|O_NOCTTY);
                if (netns < 0) {
                        r = -errno;
                        goto fail;
                }

                r = 1;
        } else {
                /* Yay, found something, so let's join the namespace */

                CMSG_FOREACH(cmsg, &mh)
                        if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
                                assert(cmsg->cmsg_len == CMSG_LEN(sizeof(int)));
                                netns = *(int*) CMSG_DATA(cmsg);
                        }

                if (setns(netns, CLONE_NEWNET) < 0) {
                        r = -errno;
                        goto fail;
                }

                r = 0;
        }

        cmsg = CMSG_FIRSTHDR(&mh);
        cmsg->cmsg_level = SOL_SOCKET;
        cmsg->cmsg_type = SCM_RIGHTS;
        cmsg->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cmsg), &netns, sizeof(int));
        mh.msg_controllen = cmsg->cmsg_len;

        if (sendmsg(netns_storage_socket[1], &mh, MSG_DONTWAIT|MSG_NOSIGNAL) < 0) {
                r = -errno;
                goto fail;
        }

fail:
        lockf(netns_storage_socket[0], F_ULOCK, 0);

        return r;
}

static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
        [PROTECT_HOME_NO] = "no",
        [PROTECT_HOME_YES] = "yes",
        [PROTECT_HOME_READ_ONLY] = "read-only",
};

DEFINE_STRING_TABLE_LOOKUP(protect_home, ProtectHome);

static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
        [PROTECT_SYSTEM_NO] = "no",
        [PROTECT_SYSTEM_YES] = "yes",
        [PROTECT_SYSTEM_FULL] = "full",
};

DEFINE_STRING_TABLE_LOOKUP(protect_system, ProtectSystem);
Commit	Line	Data
d6c9574f	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
15ae422b LP	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
15ae422b LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
15ae422b	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
15ae422b LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <errno.h>
	23	#include <sys/mount.h>
	24	#include <string.h>
	25	#include <stdio.h>
	26	#include <unistd.h>
	27	#include <sys/stat.h>
15ae422b	28	#include <sched.h>
25e870b5	29	#include <linux/fs.h>
15ae422b LP	30
	31	#include "strv.h"
	32	#include "util.h"
9eb977db	33	#include "path-util.h"
15ae422b	34	#include "missing.h"
613b411c	35	#include "loopback-setup.h"
7f112f50	36	#include "dev-setup.h"
d7b8eec7 LP	37	#include "selinux-util.h"
d7b8eec7 LP	38	#include "namespace.h"
ee818b89	39	#include "mkdir.h"
15ae422b	40
c17ec25e	41	typedef enum MountMode {
15ae422b LP	42	/* This is ordered by priority! */
	43	INACCESSIBLE,
	44	READONLY,
ac0930c8 LP	45	PRIVATE_TMP,
ac0930c8 LP	46	PRIVATE_VAR_TMP,
7f112f50	47	PRIVATE_DEV,
a610cc4f	48	PRIVATE_BUS_ENDPOINT,
15ae422b	49	READWRITE
c17ec25e	50	} MountMode;
15ae422b	51
c17ec25e	52	typedef struct BindMount {
15ae422b	53	const char *path;
c17ec25e	54	MountMode mode;
ac0930c8	55	bool done;
ea92ae33	56	bool ignore;
c17ec25e	57	} BindMount;
15ae422b	58
c17ec25e	59	static int append_mounts(BindMount p, char strv, MountMode mode) {
15ae422b LP	60	char **i;
15ae422b LP	61
613b411c LP	62	assert(p);
613b411c LP	63
15ae422b LP	64	STRV_FOREACH(i, strv) {
15ae422b LP	65
ea92ae33	66	(*p)->ignore = false;
002b2268	67	(*p)->done = false;
ea92ae33	68
94828d2d	69	if ((mode == INACCESSIBLE \|\| mode == READONLY \|\| mode == READWRITE) && (*i)[0] == '-') {
ea92ae33 MW	70	(*p)->ignore = true;
	71	(*i)++;
	72	}
	73
15ae422b LP	74	if (!path_is_absolute(*i))
	75	return -EINVAL;
	76
	77	(p)->path = i;
	78	(*p)->mode = mode;
	79	(*p)++;
	80	}
	81
	82	return 0;
	83	}
	84
c17ec25e MS	85	static int mount_path_compare(const void a, const void b) {
c17ec25e MS	86	const BindMount p = a, q = b;
a0827e2b	87	int d;
15ae422b	88
a0827e2b	89	d = path_compare(p->path, q->path);
15ae422b	90
5a8af538	91	if (d == 0) {
15ae422b LP	92	/* If the paths are equal, check the mode */
	93	if (p->mode < q->mode)
	94	return -1;
	95
	96	if (p->mode > q->mode)
	97	return 1;
	98
	99	return 0;
	100	}
	101
	102	/* If the paths are not equal, then order prefixes first */
a0827e2b	103	return d;
15ae422b LP	104	}
15ae422b LP	105
c17ec25e MS	106	static void drop_duplicates(BindMount m, unsigned n) {
c17ec25e MS	107	BindMount f, t, *previous;
15ae422b	108
c17ec25e	109	assert(m);
15ae422b	110	assert(n);
15ae422b	111
c17ec25e	112	for (f = m, t = m, previous = NULL; f < m+*n; f++) {
15ae422b	113
ac0930c8	114	/* The first one wins */
15ae422b LP	115	if (previous && path_equal(f->path, previous->path))
	116	continue;
	117
e2d7c1a0	118	t = f;
15ae422b	119
15ae422b LP	120	previous = t;
	121
	122	t++;
	123	}
	124
c17ec25e	125	*n = t - m;
15ae422b LP	126	}
15ae422b LP	127
7f112f50 LP	128	static int mount_dev(BindMount *m) {
	129	static const char devnodes[] =
	130	"/dev/null\0"
	131	"/dev/zero\0"
	132	"/dev/full\0"
	133	"/dev/random\0"
	134	"/dev/urandom\0"
	135	"/dev/tty\0";
	136
2b85f4e1	137	char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
63cc4c31	138	const char d, dev = NULL, devpts = NULL, devshm = NULL, devhugepages = NULL, devmqueue = NULL, devlog = NULL, devptmx = NULL;
7f112f50 LP	139	_cleanup_umask_ mode_t u;
	140	int r;
	141
	142	assert(m);
	143
	144	u = umask(0000);
	145
2b85f4e1 LP	146	if (!mkdtemp(temporary_mount))
	147	return -errno;
	148
63c372cb	149	dev = strjoina(temporary_mount, "/dev");
dc751688	150	(void) mkdir(dev, 0755);
2b85f4e1 LP	151	if (mount("tmpfs", dev, "tmpfs", MS_NOSUID\|MS_STRICTATIME, "mode=755") < 0) {
	152	r = -errno;
	153	goto fail;
	154	}
	155
63c372cb	156	devpts = strjoina(temporary_mount, "/dev/pts");
dc751688	157	(void) mkdir(devpts, 0755);
2b85f4e1 LP	158	if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
	159	r = -errno;
	160	goto fail;
	161	}
	162
63c372cb	163	devptmx = strjoina(temporary_mount, "/dev/ptmx");
3164e3cb ZJS	164	if (symlink("pts/ptmx", devptmx) < 0) {
	165	r = -errno;
	166	goto fail;
	167	}
e06b6479	168
63c372cb	169	devshm = strjoina(temporary_mount, "/dev/shm");
dc751688	170	(void) mkdir(devshm, 01777);
2b85f4e1 LP	171	r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
	172	if (r < 0) {
	173	r = -errno;
	174	goto fail;
	175	}
	176
63c372cb	177	devmqueue = strjoina(temporary_mount, "/dev/mqueue");
dc751688	178	(void) mkdir(devmqueue, 0755);
3164e3cb	179	(void) mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);
2b85f4e1	180
63c372cb	181	devhugepages = strjoina(temporary_mount, "/dev/hugepages");
dc751688	182	(void) mkdir(devhugepages, 0755);
3164e3cb	183	(void) mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);
2b85f4e1	184
63c372cb	185	devlog = strjoina(temporary_mount, "/dev/log");
3164e3cb	186	(void) symlink("/run/systemd/journal/dev-log", devlog);
82d25240	187
7f112f50	188	NULSTR_FOREACH(d, devnodes) {
2b85f4e1 LP	189	_cleanup_free_ char *dn = NULL;
	190	struct stat st;
	191
	192	r = stat(d, &st);
7f112f50	193	if (r < 0) {
2b85f4e1 LP	194
	195	if (errno == ENOENT)
	196	continue;
	197
	198	r = -errno;
	199	goto fail;
7f112f50 LP	200	}
7f112f50 LP	201
2b85f4e1 LP	202	if (!S_ISBLK(st.st_mode) &&
	203	!S_ISCHR(st.st_mode)) {
	204	r = -EINVAL;
	205	goto fail;
	206	}
	207
	208	if (st.st_rdev == 0)
	209	continue;
	210
	211	dn = strappend(temporary_mount, d);
	212	if (!dn) {
	213	r = -ENOMEM;
	214	goto fail;
	215	}
	216
ecabcf8b	217	mac_selinux_create_file_prepare(d, st.st_mode);
2b85f4e1	218	r = mknod(dn, st.st_mode, st.st_rdev);
ecabcf8b	219	mac_selinux_create_file_clear();
dd078a1e	220
2b85f4e1 LP	221	if (r < 0) {
	222	r = -errno;
	223	goto fail;
	224	}
7f112f50 LP	225	}
7f112f50 LP	226
03cfe0d5	227	dev_setup(temporary_mount, UID_INVALID, GID_INVALID);
7f112f50	228
ee818b89 AC	229	/* Create the /dev directory if missing. It is more likely to be
	230	* missing when the service is started with RootDirectory. This is
	231	* consistent with mount units creating the mount points when missing.
	232	*/
	233	(void) mkdir_p_label(m->path, 0755);
	234
	235	if (mount(dev, m->path, NULL, MS_MOVE, NULL) < 0) {
2b85f4e1 LP	236	r = -errno;
	237	goto fail;
	238	}
7f112f50	239
2b85f4e1 LP	240	rmdir(dev);
2b85f4e1 LP	241	rmdir(temporary_mount);
7f112f50	242
2b85f4e1	243	return 0;
7f112f50	244
2b85f4e1 LP	245	fail:
	246	if (devpts)
	247	umount(devpts);
7f112f50	248
2b85f4e1 LP	249	if (devshm)
2b85f4e1 LP	250	umount(devshm);
7f112f50	251
2b85f4e1 LP	252	if (devhugepages)
2b85f4e1 LP	253	umount(devhugepages);
7f112f50	254
2b85f4e1 LP	255	if (devmqueue)
2b85f4e1 LP	256	umount(devmqueue);
7f112f50	257
d267c5aa ZJS	258	umount(dev);
d267c5aa ZJS	259	rmdir(dev);
2b85f4e1	260	rmdir(temporary_mount);
7f112f50	261
2b85f4e1	262	return r;
7f112f50 LP	263	}
7f112f50 LP	264
a610cc4f DM	265	static int mount_kdbus(BindMount *m) {
	266
	267	char temporary_mount[] = "/tmp/kdbus-dev-XXXXXX";
	268	_cleanup_free_ char *basepath = NULL;
	269	_cleanup_umask_ mode_t u;
120d578e	270	char busnode = NULL, root;
a610cc4f DM	271	struct stat st;
	272	int r;
	273
	274	assert(m);
	275
	276	u = umask(0000);
	277
4a62c710 MS	278	if (!mkdtemp(temporary_mount))
4a62c710 MS	279	return log_error_errno(errno, "Failed create temp dir: %m");
a610cc4f	280
63c372cb	281	root = strjoina(temporary_mount, "/kdbus");
dc751688	282	(void) mkdir(root, 0755);
a610cc4f DM	283	if (mount("tmpfs", root, "tmpfs", MS_NOSUID\|MS_STRICTATIME, "mode=777") < 0) {
	284	r = -errno;
	285	goto fail;
	286	}
	287
	288	/* create a new /dev/null dev node copy so we have some fodder to
	289	* bind-mount the custom endpoint over. */
	290	if (stat("/dev/null", &st) < 0) {
56f64d95	291	log_error_errno(errno, "Failed to stat /dev/null: %m");
a610cc4f DM	292	r = -errno;
	293	goto fail;
	294	}
	295
63c372cb	296	busnode = strjoina(root, "/bus");
a610cc4f	297	if (mknod(busnode, (st.st_mode & ~07777) \| 0600, st.st_rdev) < 0) {
56f64d95	298	log_error_errno(errno, "mknod() for %s failed: %m", busnode);
a610cc4f DM	299	r = -errno;
	300	goto fail;
	301	}
	302
4543768d	303	r = mount(m->path, busnode, NULL, MS_BIND, NULL);
a610cc4f	304	if (r < 0) {
56f64d95	305	log_error_errno(errno, "bind mount of %s failed: %m", m->path);
a610cc4f DM	306	r = -errno;
	307	goto fail;
	308	}
	309
	310	basepath = dirname_malloc(m->path);
	311	if (!basepath) {
	312	r = -ENOMEM;
	313	goto fail;
	314	}
	315
	316	if (mount(root, basepath, NULL, MS_MOVE, NULL) < 0) {
56f64d95	317	log_error_errno(errno, "bind mount of %s failed: %m", basepath);
a610cc4f DM	318	r = -errno;
	319	goto fail;
	320	}
	321
	322	rmdir(temporary_mount);
	323	return 0;
	324
	325	fail:
	326	if (busnode) {
	327	umount(busnode);
	328	unlink(busnode);
	329	}
	330
1775f1eb ZJS	331	umount(root);
1775f1eb ZJS	332	rmdir(root);
a610cc4f DM	333	rmdir(temporary_mount);
	334
	335	return r;
	336	}
	337
ac0930c8	338	static int apply_mount(
c17ec25e	339	BindMount *m,
ac0930c8	340	const char *tmp_dir,
c17ec25e	341	const char *var_tmp_dir) {
ac0930c8	342
15ae422b	343	const char *what;
15ae422b	344	int r;
15ae422b	345
c17ec25e	346	assert(m);
15ae422b	347
c17ec25e	348	switch (m->mode) {
15ae422b LP	349
15ae422b LP	350	case INACCESSIBLE:
6d313367 LP	351
	352	/* First, get rid of everything that is below if there
	353	* is anything... Then, overmount it with an
	354	* inaccessible directory. */
	355	umount_recursive(m->path, 0);
	356
c17ec25e	357	what = "/run/systemd/inaccessible";
15ae422b LP	358	break;
	359
	360	case READONLY:
15ae422b	361	case READWRITE:
d6797c92 LP	362	/* Nothing to mount here, we just later toggle the
	363	* MS_RDONLY bit for the mount point */
	364	return 0;
15ae422b	365
ac0930c8 LP	366	case PRIVATE_TMP:
	367	what = tmp_dir;
	368	break;
	369
	370	case PRIVATE_VAR_TMP:
	371	what = var_tmp_dir;
15ae422b	372	break;
e364ad06	373
d6797c92 LP	374	case PRIVATE_DEV:
	375	return mount_dev(m);
	376
a610cc4f DM	377	case PRIVATE_BUS_ENDPOINT:
	378	return mount_kdbus(m);
	379
e364ad06 LP	380	default:
e364ad06 LP	381	assert_not_reached("Unknown mode");
15ae422b LP	382	}
15ae422b LP	383
ac0930c8	384	assert(what);
15ae422b	385
c17ec25e	386	r = mount(what, m->path, NULL, MS_BIND\|MS_REC, NULL);
ac0930c8	387	if (r >= 0)
c17ec25e	388	log_debug("Successfully mounted %s to %s", what, m->path);
ea92ae33	389	else if (m->ignore && errno == ENOENT)
d6797c92	390	return 0;
15ae422b	391
ac0930c8 LP	392	return r;
ac0930c8 LP	393	}
15ae422b	394
c17ec25e	395	static int make_read_only(BindMount *m) {
ac0930c8	396	int r;
15ae422b	397
c17ec25e	398	assert(m);
ac0930c8	399
d6797c92 LP	400	if (IN_SET(m->mode, INACCESSIBLE, READONLY))
d6797c92 LP	401	r = bind_remount_recursive(m->path, true);
664064d6	402	else if (IN_SET(m->mode, READWRITE, PRIVATE_TMP, PRIVATE_VAR_TMP, PRIVATE_DEV))
d6797c92 LP	403	r = bind_remount_recursive(m->path, false);
	404	else
	405	r = 0;
ac0930c8	406
d6797c92 LP	407	if (m->ignore && r == -ENOENT)
d6797c92 LP	408	return 0;
ac0930c8	409
d6797c92	410	return r;
15ae422b LP	411	}
15ae422b LP	412
613b411c	413	int setup_namespace(
ee818b89	414	const char* root_directory,
613b411c LP	415	char** read_write_dirs,
	416	char** read_only_dirs,
	417	char** inaccessible_dirs,
a004cb4c LP	418	const char* tmp_dir,
	419	const char* var_tmp_dir,
	420	const char* bus_endpoint_path,
7f112f50	421	bool private_dev,
1b8689f9 LP	422	ProtectHome protect_home,
1b8689f9 LP	423	ProtectSystem protect_system,
e6547662	424	unsigned long mount_flags) {
15ae422b	425
7ff7394d	426	BindMount m, mounts = NULL;
613b411c	427	unsigned n;
c17ec25e	428	int r = 0;
15ae422b	429
613b411c	430	if (mount_flags == 0)
c17ec25e	431	mount_flags = MS_SHARED;
ac0930c8	432
d5a3f0ea ZJS	433	if (unshare(CLONE_NEWNS) < 0)
d5a3f0ea ZJS	434	return -errno;
15ae422b	435
a610cc4f	436	n = !!tmp_dir + !!var_tmp_dir + !!bus_endpoint_path +
613b411c LP	437	strv_length(read_write_dirs) +
613b411c LP	438	strv_length(read_only_dirs) +
7f112f50	439	strv_length(inaccessible_dirs) +
417116f2	440	private_dev +
c8835999	441	(protect_home != PROTECT_HOME_NO ? 3 : 0) +
051be1f7	442	(protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
1b8689f9	443	(protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
613b411c LP	444
613b411c LP	445	if (n > 0) {
002b2268	446	m = mounts = (BindMount ) alloca0(n sizeof(BindMount));
613b411c LP	447	r = append_mounts(&m, read_write_dirs, READWRITE);
	448	if (r < 0)
	449	return r;
	450
	451	r = append_mounts(&m, read_only_dirs, READONLY);
	452	if (r < 0)
	453	return r;
	454
	455	r = append_mounts(&m, inaccessible_dirs, INACCESSIBLE);
	456	if (r < 0)
7ff7394d ZJS	457	return r;
7ff7394d ZJS	458
613b411c	459	if (tmp_dir) {
ee818b89	460	m->path = prefix_roota(root_directory, "/tmp");
7ff7394d ZJS	461	m->mode = PRIVATE_TMP;
7ff7394d ZJS	462	m++;
613b411c	463	}
7ff7394d	464
613b411c	465	if (var_tmp_dir) {
ee818b89	466	m->path = prefix_roota(root_directory, "/var/tmp");
7ff7394d ZJS	467	m->mode = PRIVATE_VAR_TMP;
	468	m++;
	469	}
ac0930c8	470
7f112f50	471	if (private_dev) {
ee818b89	472	m->path = prefix_roota(root_directory, "/dev");
7f112f50 LP	473	m->mode = PRIVATE_DEV;
	474	m++;
	475	}
	476
a610cc4f	477	if (bus_endpoint_path) {
ee818b89	478	m->path = prefix_roota(root_directory, bus_endpoint_path);
a610cc4f DM	479	m->mode = PRIVATE_BUS_ENDPOINT;
	480	m++;
	481	}
	482
1b8689f9	483	if (protect_home != PROTECT_HOME_NO) {
ee818b89 AC	484	const char home_dir, run_user_dir, *root_dir;
	485
	486	home_dir = prefix_roota(root_directory, "/home");
	487	home_dir = strjoina("-", home_dir);
	488	run_user_dir = prefix_roota(root_directory, "/run/user");
	489	run_user_dir = strjoina("-", run_user_dir);
	490	root_dir = prefix_roota(root_directory, "/root");
	491	root_dir = strjoina("-", root_dir);
	492
	493	r = append_mounts(&m, STRV_MAKE(home_dir, run_user_dir, root_dir),
	494	protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
417116f2 LP	495	if (r < 0)
	496	return r;
	497	}
	498
1b8689f9	499	if (protect_system != PROTECT_SYSTEM_NO) {
ee818b89 AC	500	const char usr_dir, boot_dir, *etc_dir;
ee818b89 AC	501
d38e01dc	502	usr_dir = prefix_roota(root_directory, "/usr");
ee818b89 AC	503	boot_dir = prefix_roota(root_directory, "/boot");
	504	boot_dir = strjoina("-", boot_dir);
	505	etc_dir = prefix_roota(root_directory, "/etc");
	506
	507	r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL
	508	? STRV_MAKE(usr_dir, boot_dir, etc_dir)
	509	: STRV_MAKE(usr_dir, boot_dir), READONLY);
417116f2 LP	510	if (r < 0)
	511	return r;
	512	}
	513
7ff7394d	514	assert(mounts + n == m);
ac0930c8	515
7ff7394d ZJS	516	qsort(mounts, n, sizeof(BindMount), mount_path_compare);
7ff7394d ZJS	517	drop_duplicates(mounts, &n);
15ae422b LP	518	}
15ae422b LP	519
ee818b89	520	if (n > 0 \|\| root_directory) {
c2c13f2d LP	521	/* Remount / as SLAVE so that nothing now mounted in the namespace
	522	shows up in the parent */
	523	if (mount(NULL, "/", NULL, MS_SLAVE\|MS_REC, NULL) < 0)
	524	return -errno;
ee818b89 AC	525	}
	526
	527	if (root_directory) {
	528	/* Turn directory into bind mount */
	529	if (mount(root_directory, root_directory, NULL, MS_BIND\|MS_REC, NULL) < 0)
	530	return -errno;
	531	}
c2c13f2d	532
ee818b89	533	if (n > 0) {
c2c13f2d LP	534	for (m = mounts; m < mounts + n; ++m) {
	535	r = apply_mount(m, tmp_dir, var_tmp_dir);
	536	if (r < 0)
	537	goto fail;
	538	}
15ae422b	539
c2c13f2d LP	540	for (m = mounts; m < mounts + n; ++m) {
	541	r = make_read_only(m);
	542	if (r < 0)
	543	goto fail;
	544	}
15ae422b LP	545	}
15ae422b LP	546
ee818b89 AC	547	if (root_directory) {
	548	/* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */
	549	r = mount_move_root(root_directory);
	550
	551	/* at this point, we cannot rollback */
	552	if (r < 0)
	553	return r;
	554	}
	555
c2c13f2d LP	556	/* Remount / as the desired mode. Not that this will not
	557	* reestablish propagation from our side to the host, since
	558	* what's disconnected is disconnected. */
c17ec25e	559	if (mount(NULL, "/", NULL, mount_flags \| MS_REC, NULL) < 0) {
ee818b89 AC	560	/* at this point, we cannot rollback */
ee818b89 AC	561	return -errno;
15ae422b LP	562	}
15ae422b LP	563
15ae422b LP	564	return 0;
15ae422b LP	565
613b411c	566	fail:
c2c13f2d LP	567	if (n > 0) {
	568	for (m = mounts; m < mounts + n; ++m)
	569	if (m->done)
42b1b990	570	(void) umount2(m->path, MNT_DETACH);
c2c13f2d	571	}
613b411c LP	572
	573	return r;
	574	}
	575
	576	static int setup_one_tmp_dir(const char id, const char prefix, char **path) {
	577	_cleanup_free_ char *x = NULL;
6b46ea73 LP	578	char bid[SD_ID128_STRING_MAX];
	579	sd_id128_t boot_id;
	580	int r;
613b411c LP	581
	582	assert(id);
	583	assert(prefix);
	584	assert(path);
	585
6b46ea73 LP	586	/* We include the boot id in the directory so that after a
	587	* reboot we can easily identify obsolete directories. */
	588
	589	r = sd_id128_get_boot(&boot_id);
	590	if (r < 0)
	591	return r;
	592
	593	x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX", NULL);
613b411c LP	594	if (!x)
	595	return -ENOMEM;
	596
	597	RUN_WITH_UMASK(0077)
	598	if (!mkdtemp(x))
	599	return -errno;
	600
	601	RUN_WITH_UMASK(0000) {
	602	char *y;
	603
63c372cb	604	y = strjoina(x, "/tmp");
613b411c LP	605
	606	if (mkdir(y, 0777 \| S_ISVTX) < 0)
	607	return -errno;
c17ec25e	608	}
15ae422b	609
613b411c LP	610	*path = x;
	611	x = NULL;
	612
	613	return 0;
	614	}
	615
	616	int setup_tmp_dirs(const char id, char tmp_dir, char *var_tmp_dir) {
	617	char a, b;
	618	int r;
	619
	620	assert(id);
	621	assert(tmp_dir);
	622	assert(var_tmp_dir);
	623
	624	r = setup_one_tmp_dir(id, "/tmp", &a);
	625	if (r < 0)
	626	return r;
	627
	628	r = setup_one_tmp_dir(id, "/var/tmp", &b);
	629	if (r < 0) {
	630	char *t;
	631
63c372cb	632	t = strjoina(a, "/tmp");
613b411c LP	633	rmdir(t);
	634	rmdir(a);
	635
	636	free(a);
	637	return r;
	638	}
	639
	640	*tmp_dir = a;
	641	*var_tmp_dir = b;
	642
	643	return 0;
	644	}
	645
	646	int setup_netns(int netns_storage_socket[2]) {
	647	_cleanup_close_ int netns = -1;
	648	union {
	649	struct cmsghdr cmsghdr;
	650	uint8_t buf[CMSG_SPACE(sizeof(int))];
	651	} control = {};
	652	struct msghdr mh = {
	653	.msg_control = &control,
	654	.msg_controllen = sizeof(control),
	655	};
	656	struct cmsghdr *cmsg;
	657	int r;
	658
	659	assert(netns_storage_socket);
	660	assert(netns_storage_socket[0] >= 0);
	661	assert(netns_storage_socket[1] >= 0);
	662
	663	/* We use the passed socketpair as a storage buffer for our
76cd584b LP	664	* namespace reference fd. Whatever process runs this first
	665	* shall create a new namespace, all others should just join
	666	* it. To serialize that we use a file lock on the socket
	667	* pair.
613b411c LP	668	*
	669	* It's a bit crazy, but hey, works great! */
	670
	671	if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
	672	return -errno;
	673
	674	if (recvmsg(netns_storage_socket[0], &mh, MSG_DONTWAIT\|MSG_CMSG_CLOEXEC) < 0) {
	675	if (errno != EAGAIN) {
	676	r = -errno;
	677	goto fail;
	678	}
	679
	680	/* Nothing stored yet, so let's create a new namespace */
	681
	682	if (unshare(CLONE_NEWNET) < 0) {
	683	r = -errno;
	684	goto fail;
	685	}
	686
	687	loopback_setup();
	688
	689	netns = open("/proc/self/ns/net", O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
	690	if (netns < 0) {
	691	r = -errno;
	692	goto fail;
	693	}
	694
	695	r = 1;
	696	} else {
	697	/* Yay, found something, so let's join the namespace */
	698
2a1288ff	699	CMSG_FOREACH(cmsg, &mh)
613b411c LP	700	if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
	701	assert(cmsg->cmsg_len == CMSG_LEN(sizeof(int)));
	702	netns = (int) CMSG_DATA(cmsg);
	703	}
613b411c LP	704
	705	if (setns(netns, CLONE_NEWNET) < 0) {
	706	r = -errno;
	707	goto fail;
	708	}
	709
	710	r = 0;
	711	}
	712
	713	cmsg = CMSG_FIRSTHDR(&mh);
	714	cmsg->cmsg_level = SOL_SOCKET;
	715	cmsg->cmsg_type = SCM_RIGHTS;
	716	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	717	memcpy(CMSG_DATA(cmsg), &netns, sizeof(int));
	718	mh.msg_controllen = cmsg->cmsg_len;
	719
	720	if (sendmsg(netns_storage_socket[1], &mh, MSG_DONTWAIT\|MSG_NOSIGNAL) < 0) {
	721	r = -errno;
	722	goto fail;
	723	}
	724
	725	fail:
	726	lockf(netns_storage_socket[0], F_ULOCK, 0);
	727
15ae422b LP	728	return r;
15ae422b LP	729	}
417116f2	730
1b8689f9 LP	731	static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
	732	[PROTECT_HOME_NO] = "no",
	733	[PROTECT_HOME_YES] = "yes",
	734	[PROTECT_HOME_READ_ONLY] = "read-only",
417116f2 LP	735	};
417116f2 LP	736
1b8689f9 LP	737	DEFINE_STRING_TABLE_LOOKUP(protect_home, ProtectHome);
	738
	739	static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
	740	[PROTECT_SYSTEM_NO] = "no",
	741	[PROTECT_SYSTEM_YES] = "yes",
	742	[PROTECT_SYSTEM_FULL] = "full",
	743	};
	744
	745	DEFINE_STRING_TABLE_LOOKUP(protect_system, ProtectSystem);