]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
c2f1db8f | 2 | #pragma once |
15ae422b LP |
3 | |
4 | /*** | |
96b2fb93 | 5 | Copyright © 2016 Djalal Harouni |
15ae422b LP |
6 | ***/ |
7 | ||
bb0ff3fb | 8 | typedef struct NamespaceInfo NamespaceInfo; |
d2d6c096 | 9 | typedef struct BindMount BindMount; |
2abd4e38 | 10 | typedef struct TemporaryFileSystem TemporaryFileSystem; |
b3d13314 | 11 | typedef struct MountImage MountImage; |
c575770b | 12 | |
15ae422b LP |
13 | #include <stdbool.h> |
14 | ||
915e6d16 | 15 | #include "dissect-image.h" |
56a13a49 | 16 | #include "fs-util.h" |
417116f2 | 17 | #include "macro.h" |
56a13a49 | 18 | #include "string-util.h" |
417116f2 | 19 | |
1b8689f9 LP |
20 | typedef enum ProtectHome { |
21 | PROTECT_HOME_NO, | |
22 | PROTECT_HOME_YES, | |
23 | PROTECT_HOME_READ_ONLY, | |
e4da7d8c | 24 | PROTECT_HOME_TMPFS, |
1b8689f9 LP |
25 | _PROTECT_HOME_MAX, |
26 | _PROTECT_HOME_INVALID = -1 | |
27 | } ProtectHome; | |
28 | ||
6e2d7c4f MS |
29 | typedef enum NamespaceType { |
30 | NAMESPACE_MOUNT, | |
31 | NAMESPACE_CGROUP, | |
32 | NAMESPACE_UTS, | |
33 | NAMESPACE_IPC, | |
34 | NAMESPACE_USER, | |
35 | NAMESPACE_PID, | |
36 | NAMESPACE_NET, | |
37 | _NAMESPACE_TYPE_MAX, | |
38 | _NAMESPACE_TYPE_INVALID = -1, | |
39 | } NamespaceType; | |
40 | ||
1b8689f9 LP |
41 | typedef enum ProtectSystem { |
42 | PROTECT_SYSTEM_NO, | |
43 | PROTECT_SYSTEM_YES, | |
44 | PROTECT_SYSTEM_FULL, | |
3f815163 | 45 | PROTECT_SYSTEM_STRICT, |
1b8689f9 LP |
46 | _PROTECT_SYSTEM_MAX, |
47 | _PROTECT_SYSTEM_INVALID = -1 | |
48 | } ProtectSystem; | |
417116f2 | 49 | |
bb0ff3fb | 50 | struct NamespaceInfo { |
af964954 | 51 | bool ignore_protect_paths:1; |
c575770b | 52 | bool private_dev:1; |
228af36f | 53 | bool private_mounts:1; |
c575770b DH |
54 | bool protect_control_groups:1; |
55 | bool protect_kernel_tunables:1; | |
56 | bool protect_kernel_modules:1; | |
94a7b275 | 57 | bool protect_kernel_logs:1; |
5d997827 | 58 | bool mount_apivfs:1; |
aecd5ac6 | 59 | bool protect_hostname:1; |
c575770b DH |
60 | }; |
61 | ||
d2d6c096 LP |
62 | struct BindMount { |
63 | char *source; | |
64 | char *destination; | |
65 | bool read_only:1; | |
9ce4e4b0 | 66 | bool nosuid:1; |
d2d6c096 LP |
67 | bool recursive:1; |
68 | bool ignore_enoent:1; | |
69 | }; | |
70 | ||
2abd4e38 YW |
71 | struct TemporaryFileSystem { |
72 | char *path; | |
73 | char *options; | |
74 | }; | |
75 | ||
b3d13314 LB |
76 | struct MountImage { |
77 | char *source; | |
78 | char *destination; | |
427353f6 | 79 | LIST_HEAD(MountOptions, mount_options); |
b3d13314 LB |
80 | bool ignore_enoent; |
81 | }; | |
82 | ||
d2d6c096 LP |
83 | int setup_namespace( |
84 | const char *root_directory, | |
915e6d16 | 85 | const char *root_image, |
18d73705 | 86 | const MountOptions *root_image_options, |
bb0ff3fb | 87 | const NamespaceInfo *ns_info, |
d2d6c096 LP |
88 | char **read_write_paths, |
89 | char **read_only_paths, | |
90 | char **inaccessible_paths, | |
6c47cd7d | 91 | char **empty_directories, |
d2d6c096 | 92 | const BindMount *bind_mounts, |
da6053d0 | 93 | size_t n_bind_mounts, |
2abd4e38 | 94 | const TemporaryFileSystem *temporary_filesystems, |
da6053d0 | 95 | size_t n_temporary_filesystems, |
b3d13314 LB |
96 | const MountImage *mount_images, |
97 | size_t n_mount_images, | |
d2d6c096 LP |
98 | const char *tmp_dir, |
99 | const char *var_tmp_dir, | |
91dd5f7c | 100 | const char *log_namespace, |
d2d6c096 LP |
101 | ProtectHome protect_home, |
102 | ProtectSystem protect_system, | |
915e6d16 | 103 | unsigned long mount_flags, |
0389f4fa LB |
104 | const void *root_hash, |
105 | size_t root_hash_size, | |
106 | const char *root_hash_path, | |
d4d55b0d LB |
107 | const void *root_hash_sig, |
108 | size_t root_hash_sig_size, | |
109 | const char *root_hash_sig_path, | |
0389f4fa | 110 | const char *root_verity, |
7cc5ef5f ZJS |
111 | DissectImageFlags dissected_image_flags, |
112 | char **error_path); | |
d2d6c096 | 113 | |
56a13a49 ZJS |
114 | #define RUN_SYSTEMD_EMPTY "/run/systemd/empty" |
115 | ||
116 | static inline void namespace_cleanup_tmpdir(char *p) { | |
117 | PROTECT_ERRNO; | |
118 | if (!streq_ptr(p, RUN_SYSTEMD_EMPTY)) | |
119 | (void) rmdir(p); | |
120 | free(p); | |
121 | } | |
122 | DEFINE_TRIVIAL_CLEANUP_FUNC(char*, namespace_cleanup_tmpdir); | |
123 | ||
d2d6c096 LP |
124 | int setup_tmp_dirs( |
125 | const char *id, | |
126 | char **tmp_dir, | |
127 | char **var_tmp_dir); | |
613b411c | 128 | |
2caa38e9 LP |
129 | int setup_netns(const int netns_storage_socket[static 2]); |
130 | int open_netns_path(const int netns_storage_socket[static 2], const char *path); | |
417116f2 | 131 | |
1b8689f9 LP |
132 | const char* protect_home_to_string(ProtectHome p) _const_; |
133 | ProtectHome protect_home_from_string(const char *s) _pure_; | |
134 | ||
135 | const char* protect_system_to_string(ProtectSystem p) _const_; | |
136 | ProtectSystem protect_system_from_string(const char *s) _pure_; | |
d2d6c096 | 137 | |
da6053d0 LP |
138 | void bind_mount_free_many(BindMount *b, size_t n); |
139 | int bind_mount_add(BindMount **b, size_t *n, const BindMount *item); | |
6e2d7c4f | 140 | |
da6053d0 LP |
141 | void temporary_filesystem_free_many(TemporaryFileSystem *t, size_t n); |
142 | int temporary_filesystem_add(TemporaryFileSystem **t, size_t *n, | |
2abd4e38 YW |
143 | const char *path, const char *options); |
144 | ||
b3d13314 LB |
145 | MountImage* mount_image_free_many(MountImage *m, size_t *n); |
146 | int mount_image_add(MountImage **m, size_t *n, const MountImage *item); | |
147 | ||
6e2d7c4f MS |
148 | const char* namespace_type_to_string(NamespaceType t) _const_; |
149 | NamespaceType namespace_type_from_string(const char *s) _pure_; | |
150 | ||
151 | bool ns_type_supported(NamespaceType type); |