db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
2 | |
3 | #include <errno.h> | |
5ba2dc25 | 4 | #include <stdlib.h> |
5 | #include <unistd.h> |
6 | ||
b5efdb8a | 7 | #include "alloc-util.h" |
ee104e11 | 8 | #include "dev-setup.h" |
af189d7b | 9 | #include "fd-util.h" |
a6a7983d | 10 | #include "fs-util.h" |
0690160e | 11 | #include "label-util.h" |
af189d7b | 12 | #include "lock-util.h" |
a8fbdf54 | 13 | #include "log.h" |
35cd0ba5 | 14 | #include "mkdir-label.h" |
d8b4d14d | 15 | #include "nulstr-util.h" |
03cfe0d5 | 16 | #include "path-util.h" |
af189d7b | 17 | #include "terminal-util.h" |
30874dda | 18 | #include "umask-util.h" |
ee104e11 | 19 | #include "user-util.h" |
5ba2dc25 | 20 | |
/* Opens /dev/console and takes an exclusive BSD (flock-style) lock on it.
 *
 * The descriptor is opened read-only, close-on-exec, without becoming our controlling tty and
 * without following a symlink in the final path component. Returns the locked fd (ownership
 * passes to the caller) or a negative errno from the open or the lock attempt. */
int lock_dev_console(void) {
        _cleanup_close_ int console_fd = -EBADF;

        console_fd = open_terminal("/dev/console", O_RDONLY|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW);
        if (console_fd < 0)
                return console_fd;

        int r = lock_generic(console_fd, LOCK_BSD, LOCK_EX);
        if (r < 0)
                return r;

        /* Success: hand the fd over to the caller instead of letting the cleanup close it. */
        return TAKE_FD(console_fd);
}
35 | ||
/* Creates the standard /dev convenience symlinks (/dev/core, /dev/fd, /dev/stdin, /dev/stdout,
 * /dev/stderr) pointing into /proc.
 *
 * prefix:  if non-NULL, the link names are created below this directory instead of at their
 *          absolute location (e.g. inside a container root).
 * uid/gid: if either is valid, the created links themselves are chowned to them (lchown(), so the
 *          link and never its target is affected); UID_INVALID/GID_INVALID leaves ownership alone.
 *
 * Returns 0, or -ENOMEM if a prefixed path cannot be allocated. Failure to create an individual
 * link or to chown it is logged at debug level and otherwise ignored; note that the chown is
 * attempted even when creating the link failed (e.g. because something already exists there). */
int dev_setup(const char *prefix, uid_t uid, gid_t gid) {
        /* Pairs of (link target, link name). A leading '-' on the target marks the link as
         * optional: it is only created if the target currently exists. */
        static const char symlinks[] =
                "-/proc/kcore\0" "/dev/core\0"
                "/proc/self/fd\0" "/dev/fd\0"
                "/proc/self/fd/0\0" "/dev/stdin\0"
                "/proc/self/fd/1\0" "/dev/stdout\0"
                "/proc/self/fd/2\0" "/dev/stderr\0";

        NULSTR_FOREACH_PAIR(target, link, symlinks) {
                _cleanup_free_ char *prefixed = NULL;
                const char *where = link;
                int r;

                if (*target == '-') {
                        target++;

                        /* Optional link: skip silently when the target is absent. */
                        if (access(target, F_OK) < 0)
                                continue;
                }

                if (prefix) {
                        prefixed = path_join(prefix, link);
                        if (!prefixed)
                                return -ENOMEM;

                        where = prefixed;
                }

                r = symlink_label(target, where);
                if (r < 0)
                        log_debug_errno(r, "Failed to symlink %s to %s: %m", target, where);

                if (uid != UID_INVALID || gid != GID_INVALID)
                        if (lchown(where, uid, gid) < 0)
                                log_debug_errno(errno, "Failed to chown %s: %m", where);
        }

        return 0;
}
30874dda | 77 | |
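/* Creates the "inaccessible" directory below parent_dir (default: /run/systemd) and populates it
 * with one empty, mode-0000 inode of each type listed in the table below (regular file, directory,
 * fifo, socket, character and block device). These serve as mount sources for over-mounting
 * ("masking") file nodes that shall become inaccessible and empty for specific containers or
 * services.
 *
 * uid/gid: owner to apply to the created nodes; UID_INVALID/GID_INVALID leaves ownership untouched.
 *
 * Returns 0 on success. Failure to create, chmod or chown an individual node is logged at debug
 * level and otherwise ignored. Returns -errno if parent_dir cannot be opened, the error from
 * open_mkdir_at() if the "inaccessible" directory cannot be created, or -ENOMEM. */
int make_inaccessible_nodes(
                const char *parent_dir,
                uid_t uid,
                gid_t gid) {

        static const mode_t table[] = {
                S_IFREG,
                S_IFDIR,
                S_IFIFO,
                S_IFSOCK,

                /* The following two are likely to fail if we lack the privs for it (for example in an userns
                 * environment, if CAP_SYS_MKNOD is missing, or if a device node policy prohibits creation of
                 * device nodes with a major/minor of 0). But that's entirely fine. Consumers of these files
                 * should implement falling back to use a different node then, for example
                 * <root>/inaccessible/sock, which is close enough in behaviour and semantics for most uses.
                 */
                S_IFCHR,
                S_IFBLK,

                /* NB: S_IFLNK is not listed here, as there is no such thing as an inaccessible symlink */
        };

        _cleanup_close_ int parent_fd = -EBADF, inaccessible_fd = -EBADF;
        int r;

        if (!parent_dir)
                parent_dir = "/run/systemd";

        /* Make the modes requested below authoritative: the process umask must not strip bits from the
         * 0755 directory mode (the 0000 node modes are unaffected either way). */
        BLOCK_WITH_UMASK(0000);

        /* O_PATH: we only need a directory reference for the *at() calls, not read access to it. */
        parent_fd = open(parent_dir, O_DIRECTORY|O_CLOEXEC|O_PATH, 0);
        if (parent_fd < 0)
                return -errno;

        inaccessible_fd = open_mkdir_at(parent_fd, "inaccessible", O_CLOEXEC, 0755);
        if (inaccessible_fd < 0)
                return inaccessible_fd;

        /* Set up inaccessible (and empty) file nodes of all types. This are used to as mount sources for over-mounting
         * ("masking") file nodes that shall become inaccessible and empty for specific containers or services. We try
         * to lock down these nodes as much as we can, but otherwise try to match them as closely as possible with the
         * underlying file, i.e. in the best case we offer the same node type as the underlying node. */

        FOREACH_ELEMENT(m, table) {
                _cleanup_free_ char *path = NULL;
                mode_t inode_type = *m;
                const char *fn;

                fn = inode_type_to_string(inode_type);

                /* Only used in log messages. The nodes are created relative to inaccessible_fd, i.e. below
                 * the "inaccessible" subdirectory, so that component must be part of the logged path;
                 * without it the message would point at parent_dir/<fn>, an inode we never touch. */
                path = path_join(parent_dir, "inaccessible", fn);
                if (!path)
                        return log_oom();

                if (S_ISDIR(inode_type))
                        r = mkdirat_label(inaccessible_fd, fn, 0000);
                else
                        r = RET_NERRNO(mknodat(inaccessible_fd, fn, inode_type | 0000, makedev(0, 0)));
                if (r == -EEXIST) {
                        /* Something of that name is already there (e.g. from an earlier run): make sure it is
                         * fully inaccessible again. NOTE(review): the type of the pre-existing inode is not
                         * verified here; a leftover node of a different type is kept as is. */
                        if (fchmodat(inaccessible_fd, fn, 0000, AT_SYMLINK_NOFOLLOW) < 0)
                                log_debug_errno(errno, "Failed to adjust access mode of existing inode '%s', ignoring: %m", path);
                } else if (r < 0) {
                        log_debug_errno(r, "Failed to create '%s', ignoring: %m", path);
                        continue;
                }

                if (uid_is_valid(uid) || gid_is_valid(gid))
                        if (fchownat(inaccessible_fd, fn, uid, gid, AT_SYMLINK_NOFOLLOW) < 0)
                                log_debug_errno(errno, "Failed to chown '%s', ignoring: %m", path);
        }

        /* Finally drop write permission from the directory itself (the owner's too), so that its entries
         * cannot be added to or replaced without first changing the directory mode. */
        if (fchmod(inaccessible_fd, 0555) < 0)
                log_debug_errno(errno, "Failed to mark inaccessible directory read-only, ignoring: %m");

        return 0;
}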