projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
| 5ba2dc25 | 2 | |
| 3b7d3320 | 3 | #include <sys/sysmacros.h> |
| 5ba2dc25 KS |
4 | #include <unistd.h> |
| 5 | ||
| b5efdb8a | 6 | #include "alloc-util.h" |
| ee104e11 | 7 | #include "dev-setup.h" |
| af189d7b | 8 | #include "fd-util.h" |
| a6a7983d | 9 | #include "fs-util.h" |
| 0690160e | 10 | #include "label-util.h" |
| a8fbdf54 | 11 | #include "log.h" |
| 35cd0ba5 | 12 | #include "mkdir-label.h" |
| d8b4d14d | 13 | #include "nulstr-util.h" |
| 03cfe0d5 | 14 | #include "path-util.h" |
| d9ccf6b3 | 15 | #include "stat-util.h" |
| 30874dda | 16 | #include "umask-util.h" |
| ee104e11 | 17 | #include "user-util.h" |
| 5ba2dc25 | 18 | |
| 03cfe0d5 | 19 | int dev_setup(const char *prefix, uid_t uid, gid_t gid) { |
| 5ba2dc25 | 20 | static const char symlinks[] = |
| 696fee7d | 21 | "-/proc/kcore\0" "/dev/core\0" |
| 5ba2dc25 KS |
22 | "/proc/self/fd\0" "/dev/fd\0" |
| 23 | "/proc/self/fd/0\0" "/dev/stdin\0" | |
| 24 | "/proc/self/fd/1\0" "/dev/stdout\0" | |
| 25 | "/proc/self/fd/2\0" "/dev/stderr\0"; | |
| 26 | ||
| 03cfe0d5 LP |
27 | int r; |
| 28 | ||
| 8f0e73f2 | 29 | NULSTR_FOREACH_PAIR(j, k, symlinks) { |
| 03cfe0d5 LP |
30 | _cleanup_free_ char *link_name = NULL; |
| 31 | const char *n; | |
| 32 | ||
| 696fee7d ZJS |
33 | if (j[0] == '-') { |
| 34 | j++; | |
| 35 | ||
| 2b85f4e1 | 36 | if (access(j, F_OK) < 0) |
| 696fee7d ZJS |
37 | continue; |
| 38 | } | |
| 8f0e73f2 | 39 | |
| 01ed0e23 | 40 | if (prefix) { |
| c6134d3e | 41 | link_name = path_join(prefix, k); |
| 7f112f50 LP |
42 | if (!link_name) |
| 43 | return -ENOMEM; | |
| 8f0e73f2 | 44 | |
| 03cfe0d5 | 45 | n = link_name; |
| 01ed0e23 | 46 | } else |
| 03cfe0d5 LP |
47 | n = k; |
| 48 | ||
| 49 | r = symlink_label(j, n); | |
| 50 | if (r < 0) | |
| 51 | log_debug_errno(r, "Failed to symlink %s to %s: %m", j, n); | |
| 52 | ||
| 53 | if (uid != UID_INVALID || gid != GID_INVALID) | |
| 54 | if (lchown(n, uid, gid) < 0) | |
| 55 | log_debug_errno(errno, "Failed to chown %s: %m", n); | |
| 8f0e73f2 | 56 | } |
| 7f112f50 LP |
57 | |
| 58 | return 0; | |
| 5ba2dc25 | 59 | } |
| 30874dda | 60 | |
| 48b747fa | 61 | int make_inaccessible_nodes( |
| 9fac5029 | 62 | const char *parent_dir, |
| 48b747fa LP |
63 | uid_t uid, |
| 64 | gid_t gid) { | |
| 65 | ||
| a6a7983d LP |
66 | static const mode_t table[] = { |
| 67 | S_IFREG, | |
| 68 | S_IFDIR, | |
| 69 | S_IFIFO, | |
| 70 | S_IFSOCK, | |
| 30874dda LP |
71 | |
| 72 | /* The following two are likely to fail if we lack the privs for it (for example in an userns | |
| 2aed63f4 ZJS |
73 | * environment, if CAP_SYS_MKNOD is missing, or if a device node policy prohibits creation of |
| 74 | * device nodes with a major/minor of 0). But that's entirely fine. Consumers of these files | |
| 75 | * should implement falling back to use a different node then, for example | |
| 76 | * <root>/inaccessible/sock, which is close enough in behaviour and semantics for most uses. | |
| 77 | */ | |
| a6a7983d LP |
78 | S_IFCHR, |
| 79 | S_IFBLK, | |
| 80 | ||
| 81 | /* NB: S_IFLNK is not listed here, as there is no such thing as an inaccessible symlink */ | |
| 30874dda LP |
82 | }; |
| 83 | ||
| a6a7983d | 84 | _cleanup_close_ int parent_fd = -EBADF, inaccessible_fd = -EBADF; |
| 30874dda LP |
85 | int r; |
| 86 | ||
| 9fac5029 LP |
87 | if (!parent_dir) |
| 88 | parent_dir = "/run/systemd"; | |
| 48b747fa | 89 | |
| 52f05ef2 | 90 | BLOCK_WITH_UMASK(0000); |
| 30874dda | 91 | |
| a6a7983d LP |
92 | parent_fd = open(parent_dir, O_DIRECTORY|O_CLOEXEC|O_PATH, 0); |
| 93 | if (parent_fd < 0) | |
| 94 | return -errno; | |
| 95 | ||
| b9a05e86 | 96 | inaccessible_fd = open_mkdir_at_full(parent_fd, "inaccessible", O_CLOEXEC, XO_LABEL, 0755); |
| a6a7983d LP |
97 | if (inaccessible_fd < 0) |
| 98 | return inaccessible_fd; | |
| 99 | ||
| 30874dda LP |
100 | /* Set up inaccessible (and empty) file nodes of all types. This are used to as mount sources for over-mounting |
| 101 | * ("masking") file nodes that shall become inaccessible and empty for specific containers or services. We try | |
| 102 | * to lock down these nodes as much as we can, but otherwise try to match them as closely as possible with the | |
| 103 | * underlying file, i.e. in the best case we offer the same node type as the underlying node. */ | |
| 104 | ||
| 85471164 | 105 | FOREACH_ELEMENT(m, table) { |
| 30874dda | 106 | _cleanup_free_ char *path = NULL; |
| a6a7983d LP |
107 | mode_t inode_type = *m; |
| 108 | const char *fn; | |
| 30874dda | 109 | |
| a6a7983d LP |
110 | fn = inode_type_to_string(inode_type); |
| 111 | path = path_join(parent_dir, fn); | |
| 30874dda LP |
112 | if (!path) |
| 113 | return log_oom(); | |
| 114 | ||
| a6a7983d LP |
115 | if (S_ISDIR(inode_type)) |
| 116 | r = mkdirat_label(inaccessible_fd, fn, 0000); | |
| 30874dda | 117 | else |
| b9a05e86 | 118 | r = mknodat_label(inaccessible_fd, fn, inode_type | 0000, makedev(0, 0)); |
| a6a7983d LP |
119 | if (r == -EEXIST) { |
| 120 | if (fchmodat(inaccessible_fd, fn, 0000, AT_SYMLINK_NOFOLLOW) < 0) | |
| 121 | log_debug_errno(errno, "Failed to adjust access mode of existing inode '%s', ignoring: %m", path); | |
| 122 | } else if (r < 0) { | |
| 9fac5029 | 123 | log_debug_errno(r, "Failed to create '%s', ignoring: %m", path); |
| 30874dda LP |
124 | continue; |
| 125 | } | |
| 126 | ||
| a6a7983d LP |
127 | if (uid_is_valid(uid) || gid_is_valid(gid)) |
| 128 | if (fchownat(inaccessible_fd, fn, uid, gid, AT_SYMLINK_NOFOLLOW) < 0) | |
| 129 | log_debug_errno(errno, "Failed to chown '%s', ignoring: %m", path); | |
| 30874dda LP |
130 | } |
| 131 | ||
| a6a7983d LP |
132 | if (fchmod(inaccessible_fd, 0555) < 0) |
| 133 | log_debug_errno(errno, "Failed to mark inaccessible directory read-only, ignoring: %m"); | |
| 134 | ||
| 30874dda LP |
135 | return 0; |
| 136 | } |