[thirdparty/systemd.git] / src / core / namespace.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

/***
  Copyright © 2016 Djalal Harouni
***/

#include "forward.h"
#include "list.h"
#include "runtime-scope.h"

typedef enum ProtectHome {
        PROTECT_HOME_NO,
        PROTECT_HOME_YES,
        PROTECT_HOME_READ_ONLY,
        PROTECT_HOME_TMPFS,
        _PROTECT_HOME_MAX,
        _PROTECT_HOME_INVALID = -EINVAL,
} ProtectHome;

typedef enum ProtectHostname {
        PROTECT_HOSTNAME_NO,
        PROTECT_HOSTNAME_YES,
        PROTECT_HOSTNAME_PRIVATE,
        _PROTECT_HOSTNAME_MAX,
        _PROTECT_HOSTNAME_INVALID = -EINVAL,
} ProtectHostname;

typedef enum ProtectSystem {
        PROTECT_SYSTEM_NO,
        PROTECT_SYSTEM_YES,
        PROTECT_SYSTEM_FULL,
        PROTECT_SYSTEM_STRICT,
        _PROTECT_SYSTEM_MAX,
        _PROTECT_SYSTEM_INVALID = -EINVAL,
} ProtectSystem;

typedef enum ProtectProc {
        PROTECT_PROC_DEFAULT,
        PROTECT_PROC_NOACCESS,   /* hidepid=noaccess */
        PROTECT_PROC_INVISIBLE,  /* hidepid=invisible */
        PROTECT_PROC_PTRACEABLE, /* hidepid=ptraceable */
        _PROTECT_PROC_MAX,
        _PROTECT_PROC_INVALID = -EINVAL,
} ProtectProc;

typedef enum ProcSubset {
        PROC_SUBSET_ALL,
        PROC_SUBSET_PID, /* subset=pid */
        _PROC_SUBSET_MAX,
        _PROC_SUBSET_INVALID = -EINVAL,
} ProcSubset;

typedef enum PrivateTmp {
        PRIVATE_TMP_NO,
        PRIVATE_TMP_CONNECTED, /* Bind mounted from the host's filesystem */
        PRIVATE_TMP_DISCONNECTED, /* A completely private tmpfs, invisible from the host */
        _PRIVATE_TMP_MAX,
        _PRIVATE_TMP_INVALID = -EINVAL,
} PrivateTmp;

typedef enum PrivateUsers {
        PRIVATE_USERS_NO,
        PRIVATE_USERS_SELF,
        PRIVATE_USERS_IDENTITY,
        PRIVATE_USERS_FULL,
        _PRIVATE_USERS_MAX,
        _PRIVATE_USERS_INVALID = -EINVAL,
} PrivateUsers;

typedef enum ProtectControlGroups {
        PROTECT_CONTROL_GROUPS_NO,
        PROTECT_CONTROL_GROUPS_YES,
        PROTECT_CONTROL_GROUPS_PRIVATE,
        PROTECT_CONTROL_GROUPS_STRICT,
        _PROTECT_CONTROL_GROUPS_MAX,
        _PROTECT_CONTROL_GROUPS_INVALID = -EINVAL,
} ProtectControlGroups;

typedef enum PrivatePIDs {
        PRIVATE_PIDS_NO,
        PRIVATE_PIDS_YES,
        _PRIVATE_PIDS_MAX,
        _PRIVATE_PIDS_INVALID = -EINVAL,
} PrivatePIDs;

typedef struct BindMount {
        char *source;
        char *destination;
        bool read_only;
        bool nodev;
        bool nosuid;
        bool noexec;
        bool recursive;
        bool ignore_enoent;
        bool idmapped;
        uid_t uid;
        gid_t gid;
} BindMount;

typedef struct TemporaryFileSystem {
        char *path;
        char *options;
} TemporaryFileSystem;

typedef enum MountImageType {
        MOUNT_IMAGE_DISCRETE,
        MOUNT_IMAGE_EXTENSION,
        _MOUNT_IMAGE_TYPE_MAX,
        _MOUNT_IMAGE_TYPE_INVALID = -EINVAL,
} MountImageType;

typedef struct MountImage {
        char *source;
        char *destination; /* Unused if MountImageType == MOUNT_IMAGE_EXTENSION */
        LIST_HEAD(MountOptions, mount_options);
        bool ignore_enoent;
        MountImageType type;
} MountImage;

typedef struct NamespaceParameters {
        RuntimeScope runtime_scope;

        const char *root_directory;
        const char *root_image;
        const MountOptions *root_image_options;
        const ImagePolicy *root_image_policy;

        char **read_write_paths;
        char **read_only_paths;
        char **inaccessible_paths;

        char **exec_paths;
        char **no_exec_paths;

        char **empty_directories;
        char **symlinks;

        const BindMount *bind_mounts;
        size_t n_bind_mounts;

        const TemporaryFileSystem *temporary_filesystems;
        size_t n_temporary_filesystems;

        const MountImage *mount_images;
        size_t n_mount_images;
        const ImagePolicy *mount_image_policy;

        const char *tmp_dir;
        const char *var_tmp_dir;

        const char *creds_path;
        const char *log_namespace;

        unsigned long mount_propagation_flag;
        VeritySettings *verity;

        const MountImage *extension_images;
        size_t n_extension_images;
        const ImagePolicy *extension_image_policy;
        char **extension_directories;

        const char *propagate_dir;
        const char *incoming_dir;

        const char *private_namespace_dir;
        const char *host_notify_socket;
        const char *notify_socket_path;
        const char *host_os_release_stage;

        bool ignore_protect_paths;

        bool protect_kernel_tunables;
        bool protect_kernel_modules;
        bool protect_kernel_logs;

        bool private_dev;
        bool private_network;
        bool private_ipc;

        bool mount_apivfs;
        bool bind_log_sockets;
        bool mount_nosuid;

        ProtectControlGroups protect_control_groups;
        ProtectHome protect_home;
        ProtectHostname protect_hostname;
        ProtectSystem protect_system;
        ProtectProc protect_proc;
        ProcSubset proc_subset;
        PrivateTmp private_tmp;
        PrivateTmp private_var_tmp;
        PrivatePIDs private_pids;
} NamespaceParameters;

int setup_namespace(const NamespaceParameters *p, char **reterr_path);

#define RUN_SYSTEMD_EMPTY "/run/systemd/empty"

char* namespace_cleanup_tmpdir(char *p);
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, namespace_cleanup_tmpdir);

int setup_tmp_dirs(
                const char *id,
                char **tmp_dir,
                char **var_tmp_dir);

int setup_shareable_ns(int ns_storage_socket[static 2], unsigned long nsflag);
int open_shareable_ns_path(int netns_storage_socket[static 2], const char *path, unsigned long nsflag);

const char* protect_home_to_string(ProtectHome p) _const_;
ProtectHome protect_home_from_string(const char *s) _pure_;

const char* protect_hostname_to_string(ProtectHostname p) _const_;
ProtectHostname protect_hostname_from_string(const char *s) _pure_;

const char* protect_system_to_string(ProtectSystem p) _const_;
ProtectSystem protect_system_from_string(const char *s) _pure_;

const char* protect_proc_to_string(ProtectProc i) _const_;
ProtectProc protect_proc_from_string(const char *s) _pure_;

const char* proc_subset_to_string(ProcSubset i) _const_;
ProcSubset proc_subset_from_string(const char *s) _pure_;

const char* private_tmp_to_string(PrivateTmp i) _const_;
PrivateTmp private_tmp_from_string(const char *s) _pure_;

const char* private_users_to_string(PrivateUsers i) _const_;
PrivateUsers private_users_from_string(const char *s) _pure_;

const char* protect_control_groups_to_string(ProtectControlGroups i) _const_;
ProtectControlGroups protect_control_groups_from_string(const char *s) _pure_;

const char* private_pids_to_string(PrivatePIDs i) _const_;
PrivatePIDs private_pids_from_string(const char *s) _pure_;

void bind_mount_free_many(BindMount *b, size_t n);
int bind_mount_add(BindMount **b, size_t *n, const BindMount *item);

void temporary_filesystem_free_many(TemporaryFileSystem *t, size_t n);
int temporary_filesystem_add(TemporaryFileSystem **t, size_t *n,
                             const char *path, const char *options);

MountImage* mount_image_free_many(MountImage *m, size_t *n);
int mount_image_add(MountImage **m, size_t *n, const MountImage *item);

int refresh_extensions_in_namespace(
                const PidRef *target,
                const char *hierarchy_env,
                const NamespaceParameters *p);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
c2f1db8f	2	#pragma once
15ae422b LP	3
15ae422b LP	4	/***
96b2fb93	5	Copyright © 2016 Djalal Harouni
15ae422b LP	6	***/
15ae422b LP	7
836e4e7e DDM	8	#include "forward.h"
836e4e7e DDM	9	#include "list.h"
cd7f3702	10	#include "runtime-scope.h"
417116f2	11
1b8689f9 LP	12	typedef enum ProtectHome {
	13	PROTECT_HOME_NO,
	14	PROTECT_HOME_YES,
	15	PROTECT_HOME_READ_ONLY,
e4da7d8c	16	PROTECT_HOME_TMPFS,
1b8689f9	17	_PROTECT_HOME_MAX,
2d93c20e	18	_PROTECT_HOME_INVALID = -EINVAL,
1b8689f9 LP	19	} ProtectHome;
1b8689f9 LP	20
6746f288 RW	21	typedef enum ProtectHostname {
	22	PROTECT_HOSTNAME_NO,
	23	PROTECT_HOSTNAME_YES,
cf48bde7	24	PROTECT_HOSTNAME_PRIVATE,
6746f288 RW	25	_PROTECT_HOSTNAME_MAX,
	26	_PROTECT_HOSTNAME_INVALID = -EINVAL,
	27	} ProtectHostname;
	28
1b8689f9 LP	29	typedef enum ProtectSystem {
	30	PROTECT_SYSTEM_NO,
	31	PROTECT_SYSTEM_YES,
	32	PROTECT_SYSTEM_FULL,
3f815163	33	PROTECT_SYSTEM_STRICT,
1b8689f9	34	_PROTECT_SYSTEM_MAX,
2d93c20e	35	_PROTECT_SYSTEM_INVALID = -EINVAL,
1b8689f9	36	} ProtectSystem;
417116f2	37
4e399953 LP	38	typedef enum ProtectProc {
	39	PROTECT_PROC_DEFAULT,
	40	PROTECT_PROC_NOACCESS, /* hidepid=noaccess */
	41	PROTECT_PROC_INVISIBLE, /* hidepid=invisible */
	42	PROTECT_PROC_PTRACEABLE, /* hidepid=ptraceable */
	43	_PROTECT_PROC_MAX,
2d93c20e	44	_PROTECT_PROC_INVALID = -EINVAL,
4e399953 LP	45	} ProtectProc;
	46
	47	typedef enum ProcSubset {
	48	PROC_SUBSET_ALL,
	49	PROC_SUBSET_PID, /* subset=pid */
	50	_PROC_SUBSET_MAX,
2d93c20e	51	_PROC_SUBSET_INVALID = -EINVAL,
4e399953 LP	52	} ProcSubset;
4e399953 LP	53
0e551b04	54	typedef enum PrivateTmp {
2e8a581b	55	PRIVATE_TMP_NO,
0e551b04 LB	56	PRIVATE_TMP_CONNECTED, /* Bind mounted from the host's filesystem */
	57	PRIVATE_TMP_DISCONNECTED, /* A completely private tmpfs, invisible from the host */
	58	_PRIVATE_TMP_MAX,
	59	_PRIVATE_TMP_INVALID = -EINVAL,
	60	} PrivateTmp;
	61
fa693fdc	62	typedef enum PrivateUsers {
edd3f4d9	63	PRIVATE_USERS_NO,
fa693fdc DDM	64	PRIVATE_USERS_SELF,
fa693fdc DDM	65	PRIVATE_USERS_IDENTITY,
705cc829	66	PRIVATE_USERS_FULL,
fa693fdc DDM	67	_PRIVATE_USERS_MAX,
	68	_PRIVATE_USERS_INVALID = -EINVAL,
	69	} PrivateUsers;
	70
5fe29238 RW	71	typedef enum ProtectControlGroups {
	72	PROTECT_CONTROL_GROUPS_NO,
	73	PROTECT_CONTROL_GROUPS_YES,
cd58b5a1 RW	74	PROTECT_CONTROL_GROUPS_PRIVATE,
cd58b5a1 RW	75	PROTECT_CONTROL_GROUPS_STRICT,
5fe29238 RW	76	_PROTECT_CONTROL_GROUPS_MAX,
	77	_PROTECT_CONTROL_GROUPS_INVALID = -EINVAL,
	78	} ProtectControlGroups;
	79
406f1775 DDM	80	typedef enum PrivatePIDs {
	81	PRIVATE_PIDS_NO,
	82	PRIVATE_PIDS_YES,
	83	_PRIVATE_PIDS_MAX,
	84	_PRIVATE_PIDS_INVALID = -EINVAL,
	85	} PrivatePIDs;
	86
836e4e7e	87	typedef struct BindMount {
d2d6c096 LP	88	char *source;
d2d6c096 LP	89	char *destination;
89de370e	90	bool read_only;
95f9e85a	91	bool nodev;
89de370e	92	bool nosuid;
95f9e85a	93	bool noexec;
89de370e ZJS	94	bool recursive;
89de370e ZJS	95	bool ignore_enoent;
eae51272 AB	96	bool idmapped;
	97	uid_t uid;
	98	gid_t gid;
836e4e7e	99	} BindMount;
d2d6c096	100
836e4e7e	101	typedef struct TemporaryFileSystem {
2abd4e38 YW	102	char *path;
2abd4e38 YW	103	char *options;
836e4e7e	104	} TemporaryFileSystem;
2abd4e38	105
93f59701 LB	106	typedef enum MountImageType {
	107	MOUNT_IMAGE_DISCRETE,
	108	MOUNT_IMAGE_EXTENSION,
	109	_MOUNT_IMAGE_TYPE_MAX,
	110	_MOUNT_IMAGE_TYPE_INVALID = -EINVAL,
	111	} MountImageType;
	112
836e4e7e	113	typedef struct MountImage {
b3d13314	114	char *source;
93f59701	115	char destination; / Unused if MountImageType == MOUNT_IMAGE_EXTENSION */
427353f6	116	LIST_HEAD(MountOptions, mount_options);
b3d13314	117	bool ignore_enoent;
93f59701	118	MountImageType type;
836e4e7e	119	} MountImage;
b3d13314	120
836e4e7e	121	typedef struct NamespaceParameters {
79d956db LP	122	RuntimeScope runtime_scope;
	123
	124	const char *root_directory;
	125	const char *root_image;
	126	const MountOptions *root_image_options;
	127	const ImagePolicy *root_image_policy;
	128
	129	char **read_write_paths;
	130	char **read_only_paths;
	131	char **inaccessible_paths;
	132
	133	char **exec_paths;
	134	char **no_exec_paths;
	135
	136	char **empty_directories;
	137	char **symlinks;
	138
	139	const BindMount *bind_mounts;
	140	size_t n_bind_mounts;
	141
	142	const TemporaryFileSystem *temporary_filesystems;
	143	size_t n_temporary_filesystems;
	144
	145	const MountImage *mount_images;
	146	size_t n_mount_images;
	147	const ImagePolicy *mount_image_policy;
	148
	149	const char *tmp_dir;
	150	const char *var_tmp_dir;
	151
	152	const char *creds_path;
	153	const char *log_namespace;
	154
	155	unsigned long mount_propagation_flag;
	156	VeritySettings *verity;
	157
	158	const MountImage *extension_images;
	159	size_t n_extension_images;
	160	const ImagePolicy *extension_image_policy;
	161	char **extension_directories;
	162
	163	const char *propagate_dir;
	164	const char *incoming_dir;
	165
0e551b04	166	const char *private_namespace_dir;
15816441	167	const char *host_notify_socket;
284dd31e	168	const char *notify_socket_path;
79d956db LP	169	const char *host_os_release_stage;
	170
	171	bool ignore_protect_paths;
	172
79d956db LP	173	bool protect_kernel_tunables;
	174	bool protect_kernel_modules;
	175	bool protect_kernel_logs;
79d956db LP	176
	177	bool private_dev;
	178	bool private_network;
	179	bool private_ipc;
	180
	181	bool mount_apivfs;
7a9f0125	182	bool bind_log_sockets;
79d956db LP	183	bool mount_nosuid;
79d956db LP	184
5fe29238	185	ProtectControlGroups protect_control_groups;
79d956db	186	ProtectHome protect_home;
2e6025b1	187	ProtectHostname protect_hostname;
79d956db LP	188	ProtectSystem protect_system;
	189	ProtectProc protect_proc;
	190	ProcSubset proc_subset;
0e551b04	191	PrivateTmp private_tmp;
6156bec7	192	PrivateTmp private_var_tmp;
406f1775	193	PrivatePIDs private_pids;
836e4e7e	194	} NamespaceParameters;
79d956db	195
e73c042b	196	int setup_namespace(const NamespaceParameters p, char *reterr_path);
d2d6c096	197
56a13a49 ZJS	198	#define RUN_SYSTEMD_EMPTY "/run/systemd/empty"
56a13a49 ZJS	199
836e4e7e	200	char* namespace_cleanup_tmpdir(char *p);
56a13a49 ZJS	201	DEFINE_TRIVIAL_CLEANUP_FUNC(char*, namespace_cleanup_tmpdir);
56a13a49 ZJS	202
d2d6c096 LP	203	int setup_tmp_dirs(
	204	const char *id,
	205	char **tmp_dir,
	206	char **var_tmp_dir);
613b411c	207
13339577 DDM	208	int setup_shareable_ns(int ns_storage_socket[static 2], unsigned long nsflag);
13339577 DDM	209	int open_shareable_ns_path(int netns_storage_socket[static 2], const char *path, unsigned long nsflag);
417116f2	210
1b8689f9 LP	211	const char* protect_home_to_string(ProtectHome p) _const_;
	212	ProtectHome protect_home_from_string(const char *s) _pure_;
	213
6746f288 RW	214	const char* protect_hostname_to_string(ProtectHostname p) _const_;
	215	ProtectHostname protect_hostname_from_string(const char *s) _pure_;
	216
1b8689f9 LP	217	const char* protect_system_to_string(ProtectSystem p) _const_;
1b8689f9 LP	218	ProtectSystem protect_system_from_string(const char *s) _pure_;
d2d6c096	219
4e399953 LP	220	const char* protect_proc_to_string(ProtectProc i) _const_;
	221	ProtectProc protect_proc_from_string(const char *s) _pure_;
	222
	223	const char* proc_subset_to_string(ProcSubset i) _const_;
	224	ProcSubset proc_subset_from_string(const char *s) _pure_;
	225
0e551b04 LB	226	const char* private_tmp_to_string(PrivateTmp i) _const_;
	227	PrivateTmp private_tmp_from_string(const char *s) _pure_;
	228
fa693fdc DDM	229	const char* private_users_to_string(PrivateUsers i) _const_;
	230	PrivateUsers private_users_from_string(const char *s) _pure_;
	231
5fe29238 RW	232	const char* protect_control_groups_to_string(ProtectControlGroups i) _const_;
	233	ProtectControlGroups protect_control_groups_from_string(const char *s) _pure_;
	234
406f1775 DDM	235	const char* private_pids_to_string(PrivatePIDs i) _const_;
	236	PrivatePIDs private_pids_from_string(const char *s) _pure_;
	237
da6053d0 LP	238	void bind_mount_free_many(BindMount *b, size_t n);
da6053d0 LP	239	int bind_mount_add(BindMount *b, size_t n, const BindMount *item);
6e2d7c4f	240
da6053d0 LP	241	void temporary_filesystem_free_many(TemporaryFileSystem *t, size_t n);
da6053d0 LP	242	int temporary_filesystem_add(TemporaryFileSystem *t, size_t n,
2abd4e38 YW	243	const char path, const char options);
2abd4e38 YW	244
b3d13314 LB	245	MountImage* mount_image_free_many(MountImage m, size_t n);
b3d13314 LB	246	int mount_image_add(MountImage *m, size_t n, const MountImage *item);
dfdeb0b1	247
	248	int refresh_extensions_in_namespace(
	249	const PidRef *target,
	250	const char *hierarchy_env,
	251	const NamespaceParameters *p);