]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/namespace.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #2594 from keszybz/spelling
[thirdparty/systemd.git] / src / core / namespace.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <sched.h>
22 #include <stdio.h>
23 #include <string.h>
24 #include <sys/mount.h>
25 #include <sys/stat.h>
26 #include <unistd.h>
27 #include <linux/fs.h>
28
29 #include "alloc-util.h"
30 #include "dev-setup.h"
31 #include "fd-util.h"
32 #include "loopback-setup.h"
33 #include "missing.h"
34 #include "mkdir.h"
35 #include "mount-util.h"
36 #include "namespace.h"
37 #include "path-util.h"
38 #include "selinux-util.h"
39 #include "socket-util.h"
40 #include "string-table.h"
41 #include "string-util.h"
42 #include "strv.h"
43 #include "umask-util.h"
44 #include "user-util.h"
45 #include "util.h"
46
47 typedef enum MountMode {
48 /* This is ordered by priority! */
49 INACCESSIBLE,
50 READONLY,
51 PRIVATE_TMP,
52 PRIVATE_VAR_TMP,
53 PRIVATE_DEV,
54 READWRITE
55 } MountMode;
56
57 typedef struct BindMount {
58 const char *path;
59 MountMode mode;
60 bool done;
61 bool ignore;
62 } BindMount;
63
64 static int append_mounts(BindMount **p, char **strv, MountMode mode) {
65 char **i;
66
67 assert(p);
68
69 STRV_FOREACH(i, strv) {
70
71 (*p)->ignore = false;
72 (*p)->done = false;
73
74 if ((mode == INACCESSIBLE || mode == READONLY || mode == READWRITE) && (*i)[0] == '-') {
75 (*p)->ignore = true;
76 (*i)++;
77 }
78
79 if (!path_is_absolute(*i))
80 return -EINVAL;
81
82 (*p)->path = *i;
83 (*p)->mode = mode;
84 (*p)++;
85 }
86
87 return 0;
88 }
89
90 static int mount_path_compare(const void *a, const void *b) {
91 const BindMount *p = a, *q = b;
92 int d;
93
94 d = path_compare(p->path, q->path);
95
96 if (d == 0) {
97 /* If the paths are equal, check the mode */
98 if (p->mode < q->mode)
99 return -1;
100
101 if (p->mode > q->mode)
102 return 1;
103
104 return 0;
105 }
106
107 /* If the paths are not equal, then order prefixes first */
108 return d;
109 }
110
111 static void drop_duplicates(BindMount *m, unsigned *n) {
112 BindMount *f, *t, *previous;
113
114 assert(m);
115 assert(n);
116
117 for (f = m, t = m, previous = NULL; f < m+*n; f++) {
118
119 /* The first one wins */
120 if (previous && path_equal(f->path, previous->path))
121 continue;
122
123 *t = *f;
124
125 previous = t;
126
127 t++;
128 }
129
130 *n = t - m;
131 }
132
133 static int mount_dev(BindMount *m) {
134 static const char devnodes[] =
135 "/dev/null\0"
136 "/dev/zero\0"
137 "/dev/full\0"
138 "/dev/random\0"
139 "/dev/urandom\0"
140 "/dev/tty\0";
141
142 char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
143 const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
144 _cleanup_umask_ mode_t u;
145 int r;
146
147 assert(m);
148
149 u = umask(0000);
150
151 if (!mkdtemp(temporary_mount))
152 return -errno;
153
154 dev = strjoina(temporary_mount, "/dev");
155 (void) mkdir(dev, 0755);
156 if (mount("tmpfs", dev, "tmpfs", MS_NOSUID|MS_STRICTATIME, "mode=755") < 0) {
157 r = -errno;
158 goto fail;
159 }
160
161 devpts = strjoina(temporary_mount, "/dev/pts");
162 (void) mkdir(devpts, 0755);
163 if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
164 r = -errno;
165 goto fail;
166 }
167
168 devptmx = strjoina(temporary_mount, "/dev/ptmx");
169 if (symlink("pts/ptmx", devptmx) < 0) {
170 r = -errno;
171 goto fail;
172 }
173
174 devshm = strjoina(temporary_mount, "/dev/shm");
175 (void) mkdir(devshm, 01777);
176 r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
177 if (r < 0) {
178 r = -errno;
179 goto fail;
180 }
181
182 devmqueue = strjoina(temporary_mount, "/dev/mqueue");
183 (void) mkdir(devmqueue, 0755);
184 (void) mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);
185
186 devhugepages = strjoina(temporary_mount, "/dev/hugepages");
187 (void) mkdir(devhugepages, 0755);
188 (void) mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);
189
190 devlog = strjoina(temporary_mount, "/dev/log");
191 (void) symlink("/run/systemd/journal/dev-log", devlog);
192
193 NULSTR_FOREACH(d, devnodes) {
194 _cleanup_free_ char *dn = NULL;
195 struct stat st;
196
197 r = stat(d, &st);
198 if (r < 0) {
199
200 if (errno == ENOENT)
201 continue;
202
203 r = -errno;
204 goto fail;
205 }
206
207 if (!S_ISBLK(st.st_mode) &&
208 !S_ISCHR(st.st_mode)) {
209 r = -EINVAL;
210 goto fail;
211 }
212
213 if (st.st_rdev == 0)
214 continue;
215
216 dn = strappend(temporary_mount, d);
217 if (!dn) {
218 r = -ENOMEM;
219 goto fail;
220 }
221
222 mac_selinux_create_file_prepare(d, st.st_mode);
223 r = mknod(dn, st.st_mode, st.st_rdev);
224 mac_selinux_create_file_clear();
225
226 if (r < 0) {
227 r = -errno;
228 goto fail;
229 }
230 }
231
232 dev_setup(temporary_mount, UID_INVALID, GID_INVALID);
233
234 /* Create the /dev directory if missing. It is more likely to be
235 * missing when the service is started with RootDirectory. This is
236 * consistent with mount units creating the mount points when missing.
237 */
238 (void) mkdir_p_label(m->path, 0755);
239
240 if (mount(dev, m->path, NULL, MS_MOVE, NULL) < 0) {
241 r = -errno;
242 goto fail;
243 }
244
245 rmdir(dev);
246 rmdir(temporary_mount);
247
248 return 0;
249
250 fail:
251 if (devpts)
252 umount(devpts);
253
254 if (devshm)
255 umount(devshm);
256
257 if (devhugepages)
258 umount(devhugepages);
259
260 if (devmqueue)
261 umount(devmqueue);
262
263 umount(dev);
264 rmdir(dev);
265 rmdir(temporary_mount);
266
267 return r;
268 }
269
270 static int apply_mount(
271 BindMount *m,
272 const char *tmp_dir,
273 const char *var_tmp_dir) {
274
275 const char *what;
276 int r;
277
278 assert(m);
279
280 switch (m->mode) {
281
282 case INACCESSIBLE:
283
284 /* First, get rid of everything that is below if there
285 * is anything... Then, overmount it with an
286 * inaccessible directory. */
287 umount_recursive(m->path, 0);
288
289 what = "/run/systemd/inaccessible";
290 break;
291
292 case READONLY:
293 case READWRITE:
294 /* Nothing to mount here, we just later toggle the
295 * MS_RDONLY bit for the mount point */
296 return 0;
297
298 case PRIVATE_TMP:
299 what = tmp_dir;
300 break;
301
302 case PRIVATE_VAR_TMP:
303 what = var_tmp_dir;
304 break;
305
306 case PRIVATE_DEV:
307 return mount_dev(m);
308
309 default:
310 assert_not_reached("Unknown mode");
311 }
312
313 assert(what);
314
315 r = mount(what, m->path, NULL, MS_BIND|MS_REC, NULL);
316 if (r >= 0)
317 log_debug("Successfully mounted %s to %s", what, m->path);
318 else if (m->ignore && errno == ENOENT)
319 return 0;
320
321 return r;
322 }
323
324 static int make_read_only(BindMount *m) {
325 int r;
326
327 assert(m);
328
329 if (IN_SET(m->mode, INACCESSIBLE, READONLY))
330 r = bind_remount_recursive(m->path, true);
331 else if (IN_SET(m->mode, READWRITE, PRIVATE_TMP, PRIVATE_VAR_TMP, PRIVATE_DEV))
332 r = bind_remount_recursive(m->path, false);
333 else
334 r = 0;
335
336 if (m->ignore && r == -ENOENT)
337 return 0;
338
339 return r;
340 }
341
342 int setup_namespace(
343 const char* root_directory,
344 char** read_write_dirs,
345 char** read_only_dirs,
346 char** inaccessible_dirs,
347 const char* tmp_dir,
348 const char* var_tmp_dir,
349 bool private_dev,
350 ProtectHome protect_home,
351 ProtectSystem protect_system,
352 unsigned long mount_flags) {
353
354 BindMount *m, *mounts = NULL;
355 unsigned n;
356 int r = 0;
357
358 if (mount_flags == 0)
359 mount_flags = MS_SHARED;
360
361 if (unshare(CLONE_NEWNS) < 0)
362 return -errno;
363
364 n = !!tmp_dir + !!var_tmp_dir +
365 strv_length(read_write_dirs) +
366 strv_length(read_only_dirs) +
367 strv_length(inaccessible_dirs) +
368 private_dev +
369 (protect_home != PROTECT_HOME_NO ? 3 : 0) +
370 (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
371 (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
372
373 if (n > 0) {
374 m = mounts = (BindMount *) alloca0(n * sizeof(BindMount));
375 r = append_mounts(&m, read_write_dirs, READWRITE);
376 if (r < 0)
377 return r;
378
379 r = append_mounts(&m, read_only_dirs, READONLY);
380 if (r < 0)
381 return r;
382
383 r = append_mounts(&m, inaccessible_dirs, INACCESSIBLE);
384 if (r < 0)
385 return r;
386
387 if (tmp_dir) {
388 m->path = prefix_roota(root_directory, "/tmp");
389 m->mode = PRIVATE_TMP;
390 m++;
391 }
392
393 if (var_tmp_dir) {
394 m->path = prefix_roota(root_directory, "/var/tmp");
395 m->mode = PRIVATE_VAR_TMP;
396 m++;
397 }
398
399 if (private_dev) {
400 m->path = prefix_roota(root_directory, "/dev");
401 m->mode = PRIVATE_DEV;
402 m++;
403 }
404
405 if (protect_home != PROTECT_HOME_NO) {
406 const char *home_dir, *run_user_dir, *root_dir;
407
408 home_dir = prefix_roota(root_directory, "/home");
409 home_dir = strjoina("-", home_dir);
410 run_user_dir = prefix_roota(root_directory, "/run/user");
411 run_user_dir = strjoina("-", run_user_dir);
412 root_dir = prefix_roota(root_directory, "/root");
413 root_dir = strjoina("-", root_dir);
414
415 r = append_mounts(&m, STRV_MAKE(home_dir, run_user_dir, root_dir),
416 protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
417 if (r < 0)
418 return r;
419 }
420
421 if (protect_system != PROTECT_SYSTEM_NO) {
422 const char *usr_dir, *boot_dir, *etc_dir;
423
424 usr_dir = prefix_roota(root_directory, "/usr");
425 boot_dir = prefix_roota(root_directory, "/boot");
426 boot_dir = strjoina("-", boot_dir);
427 etc_dir = prefix_roota(root_directory, "/etc");
428
429 r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL
430 ? STRV_MAKE(usr_dir, boot_dir, etc_dir)
431 : STRV_MAKE(usr_dir, boot_dir), READONLY);
432 if (r < 0)
433 return r;
434 }
435
436 assert(mounts + n == m);
437
438 qsort(mounts, n, sizeof(BindMount), mount_path_compare);
439 drop_duplicates(mounts, &n);
440 }
441
442 if (n > 0 || root_directory) {
443 /* Remount / as SLAVE so that nothing now mounted in the namespace
444 shows up in the parent */
445 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0)
446 return -errno;
447 }
448
449 if (root_directory) {
450 /* Turn directory into bind mount */
451 if (mount(root_directory, root_directory, NULL, MS_BIND|MS_REC, NULL) < 0)
452 return -errno;
453 }
454
455 if (n > 0) {
456 for (m = mounts; m < mounts + n; ++m) {
457 r = apply_mount(m, tmp_dir, var_tmp_dir);
458 if (r < 0)
459 goto fail;
460 }
461
462 for (m = mounts; m < mounts + n; ++m) {
463 r = make_read_only(m);
464 if (r < 0)
465 goto fail;
466 }
467 }
468
469 if (root_directory) {
470 /* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */
471 r = mount_move_root(root_directory);
472
473 /* at this point, we cannot rollback */
474 if (r < 0)
475 return r;
476 }
477
478 /* Remount / as the desired mode. Not that this will not
479 * reestablish propagation from our side to the host, since
480 * what's disconnected is disconnected. */
481 if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0)
482 /* at this point, we cannot rollback */
483 return -errno;
484
485 return 0;
486
487 fail:
488 if (n > 0) {
489 for (m = mounts; m < mounts + n; ++m)
490 if (m->done)
491 (void) umount2(m->path, MNT_DETACH);
492 }
493
494 return r;
495 }
496
497 static int setup_one_tmp_dir(const char *id, const char *prefix, char **path) {
498 _cleanup_free_ char *x = NULL;
499 char bid[SD_ID128_STRING_MAX];
500 sd_id128_t boot_id;
501 int r;
502
503 assert(id);
504 assert(prefix);
505 assert(path);
506
507 /* We include the boot id in the directory so that after a
508 * reboot we can easily identify obsolete directories. */
509
510 r = sd_id128_get_boot(&boot_id);
511 if (r < 0)
512 return r;
513
514 x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX", NULL);
515 if (!x)
516 return -ENOMEM;
517
518 RUN_WITH_UMASK(0077)
519 if (!mkdtemp(x))
520 return -errno;
521
522 RUN_WITH_UMASK(0000) {
523 char *y;
524
525 y = strjoina(x, "/tmp");
526
527 if (mkdir(y, 0777 | S_ISVTX) < 0)
528 return -errno;
529 }
530
531 *path = x;
532 x = NULL;
533
534 return 0;
535 }
536
537 int setup_tmp_dirs(const char *id, char **tmp_dir, char **var_tmp_dir) {
538 char *a, *b;
539 int r;
540
541 assert(id);
542 assert(tmp_dir);
543 assert(var_tmp_dir);
544
545 r = setup_one_tmp_dir(id, "/tmp", &a);
546 if (r < 0)
547 return r;
548
549 r = setup_one_tmp_dir(id, "/var/tmp", &b);
550 if (r < 0) {
551 char *t;
552
553 t = strjoina(a, "/tmp");
554 rmdir(t);
555 rmdir(a);
556
557 free(a);
558 return r;
559 }
560
561 *tmp_dir = a;
562 *var_tmp_dir = b;
563
564 return 0;
565 }
566
567 int setup_netns(int netns_storage_socket[2]) {
568 _cleanup_close_ int netns = -1;
569 int r, q;
570
571 assert(netns_storage_socket);
572 assert(netns_storage_socket[0] >= 0);
573 assert(netns_storage_socket[1] >= 0);
574
575 /* We use the passed socketpair as a storage buffer for our
576 * namespace reference fd. Whatever process runs this first
577 * shall create a new namespace, all others should just join
578 * it. To serialize that we use a file lock on the socket
579 * pair.
580 *
581 * It's a bit crazy, but hey, works great! */
582
583 if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
584 return -errno;
585
586 netns = receive_one_fd(netns_storage_socket[0], MSG_DONTWAIT);
587 if (netns == -EAGAIN) {
588 /* Nothing stored yet, so let's create a new namespace */
589
590 if (unshare(CLONE_NEWNET) < 0) {
591 r = -errno;
592 goto fail;
593 }
594
595 loopback_setup();
596
597 netns = open("/proc/self/ns/net", O_RDONLY|O_CLOEXEC|O_NOCTTY);
598 if (netns < 0) {
599 r = -errno;
600 goto fail;
601 }
602
603 r = 1;
604
605 } else if (netns < 0) {
606 r = netns;
607 goto fail;
608
609 } else {
610 /* Yay, found something, so let's join the namespace */
611 if (setns(netns, CLONE_NEWNET) < 0) {
612 r = -errno;
613 goto fail;
614 }
615
616 r = 0;
617 }
618
619 q = send_one_fd(netns_storage_socket[1], netns, MSG_DONTWAIT);
620 if (q < 0) {
621 r = q;
622 goto fail;
623 }
624
625 fail:
626 lockf(netns_storage_socket[0], F_ULOCK, 0);
627 return r;
628 }
629
630 static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
631 [PROTECT_HOME_NO] = "no",
632 [PROTECT_HOME_YES] = "yes",
633 [PROTECT_HOME_READ_ONLY] = "read-only",
634 };
635
636 DEFINE_STRING_TABLE_LOOKUP(protect_home, ProtectHome);
637
638 static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
639 [PROTECT_SYSTEM_NO] = "no",
640 [PROTECT_SYSTEM_YES] = "yes",
641 [PROTECT_SYSTEM_FULL] = "full",
642 };
643
644 DEFINE_STRING_TABLE_LOOKUP(protect_system, ProtectSystem);
Unnamed repository; edit this file 'description' to name the repository.