]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/namespace.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
namespace: unmount old /dev under our new private /dev (#3254)
[thirdparty/systemd.git] / src / core / namespace.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <sched.h>
22 #include <stdio.h>
23 #include <string.h>
24 #include <sys/mount.h>
25 #include <sys/stat.h>
26 #include <unistd.h>
27 #include <linux/fs.h>
28
29 #include "alloc-util.h"
30 #include "dev-setup.h"
31 #include "fd-util.h"
32 #include "loopback-setup.h"
33 #include "missing.h"
34 #include "mkdir.h"
35 #include "mount-util.h"
36 #include "namespace.h"
37 #include "path-util.h"
38 #include "selinux-util.h"
39 #include "socket-util.h"
40 #include "string-table.h"
41 #include "string-util.h"
42 #include "strv.h"
43 #include "umask-util.h"
44 #include "user-util.h"
45 #include "util.h"
46
47 typedef enum MountMode {
48 /* This is ordered by priority! */
49 INACCESSIBLE,
50 READONLY,
51 PRIVATE_TMP,
52 PRIVATE_VAR_TMP,
53 PRIVATE_DEV,
54 READWRITE
55 } MountMode;
56
57 typedef struct BindMount {
58 const char *path;
59 MountMode mode;
60 bool done;
61 bool ignore;
62 } BindMount;
63
64 static int append_mounts(BindMount **p, char **strv, MountMode mode) {
65 char **i;
66
67 assert(p);
68
69 STRV_FOREACH(i, strv) {
70
71 (*p)->ignore = false;
72 (*p)->done = false;
73
74 if ((mode == INACCESSIBLE || mode == READONLY || mode == READWRITE) && (*i)[0] == '-') {
75 (*p)->ignore = true;
76 (*i)++;
77 }
78
79 if (!path_is_absolute(*i))
80 return -EINVAL;
81
82 (*p)->path = *i;
83 (*p)->mode = mode;
84 (*p)++;
85 }
86
87 return 0;
88 }
89
90 static int mount_path_compare(const void *a, const void *b) {
91 const BindMount *p = a, *q = b;
92 int d;
93
94 d = path_compare(p->path, q->path);
95
96 if (d == 0) {
97 /* If the paths are equal, check the mode */
98 if (p->mode < q->mode)
99 return -1;
100
101 if (p->mode > q->mode)
102 return 1;
103
104 return 0;
105 }
106
107 /* If the paths are not equal, then order prefixes first */
108 return d;
109 }
110
111 static void drop_duplicates(BindMount *m, unsigned *n) {
112 BindMount *f, *t, *previous;
113
114 assert(m);
115 assert(n);
116
117 for (f = m, t = m, previous = NULL; f < m+*n; f++) {
118
119 /* The first one wins */
120 if (previous && path_equal(f->path, previous->path))
121 continue;
122
123 *t = *f;
124
125 previous = t;
126
127 t++;
128 }
129
130 *n = t - m;
131 }
132
133 static int mount_dev(BindMount *m) {
134 static const char devnodes[] =
135 "/dev/null\0"
136 "/dev/zero\0"
137 "/dev/full\0"
138 "/dev/random\0"
139 "/dev/urandom\0"
140 "/dev/tty\0";
141
142 char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
143 const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
144 _cleanup_umask_ mode_t u;
145 int r;
146
147 assert(m);
148
149 u = umask(0000);
150
151 if (!mkdtemp(temporary_mount))
152 return -errno;
153
154 dev = strjoina(temporary_mount, "/dev");
155 (void) mkdir(dev, 0755);
156 if (mount("tmpfs", dev, "tmpfs", MS_NOSUID|MS_STRICTATIME, "mode=755") < 0) {
157 r = -errno;
158 goto fail;
159 }
160
161 devpts = strjoina(temporary_mount, "/dev/pts");
162 (void) mkdir(devpts, 0755);
163 if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
164 r = -errno;
165 goto fail;
166 }
167
168 devptmx = strjoina(temporary_mount, "/dev/ptmx");
169 if (symlink("pts/ptmx", devptmx) < 0) {
170 r = -errno;
171 goto fail;
172 }
173
174 devshm = strjoina(temporary_mount, "/dev/shm");
175 (void) mkdir(devshm, 01777);
176 r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
177 if (r < 0) {
178 r = -errno;
179 goto fail;
180 }
181
182 devmqueue = strjoina(temporary_mount, "/dev/mqueue");
183 (void) mkdir(devmqueue, 0755);
184 (void) mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);
185
186 devhugepages = strjoina(temporary_mount, "/dev/hugepages");
187 (void) mkdir(devhugepages, 0755);
188 (void) mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);
189
190 devlog = strjoina(temporary_mount, "/dev/log");
191 (void) symlink("/run/systemd/journal/dev-log", devlog);
192
193 NULSTR_FOREACH(d, devnodes) {
194 _cleanup_free_ char *dn = NULL;
195 struct stat st;
196
197 r = stat(d, &st);
198 if (r < 0) {
199
200 if (errno == ENOENT)
201 continue;
202
203 r = -errno;
204 goto fail;
205 }
206
207 if (!S_ISBLK(st.st_mode) &&
208 !S_ISCHR(st.st_mode)) {
209 r = -EINVAL;
210 goto fail;
211 }
212
213 if (st.st_rdev == 0)
214 continue;
215
216 dn = strappend(temporary_mount, d);
217 if (!dn) {
218 r = -ENOMEM;
219 goto fail;
220 }
221
222 mac_selinux_create_file_prepare(d, st.st_mode);
223 r = mknod(dn, st.st_mode, st.st_rdev);
224 mac_selinux_create_file_clear();
225
226 if (r < 0) {
227 r = -errno;
228 goto fail;
229 }
230 }
231
232 dev_setup(temporary_mount, UID_INVALID, GID_INVALID);
233
234 /* Create the /dev directory if missing. It is more likely to be
235 * missing when the service is started with RootDirectory. This is
236 * consistent with mount units creating the mount points when missing.
237 */
238 (void) mkdir_p_label(m->path, 0755);
239
240 /* Unmount everything in old /dev */
241 umount_recursive(m->path, 0);
242 if (mount(dev, m->path, NULL, MS_MOVE, NULL) < 0) {
243 r = -errno;
244 goto fail;
245 }
246
247 rmdir(dev);
248 rmdir(temporary_mount);
249
250 return 0;
251
252 fail:
253 if (devpts)
254 umount(devpts);
255
256 if (devshm)
257 umount(devshm);
258
259 if (devhugepages)
260 umount(devhugepages);
261
262 if (devmqueue)
263 umount(devmqueue);
264
265 umount(dev);
266 rmdir(dev);
267 rmdir(temporary_mount);
268
269 return r;
270 }
271
272 static int apply_mount(
273 BindMount *m,
274 const char *tmp_dir,
275 const char *var_tmp_dir) {
276
277 const char *what;
278 int r;
279
280 assert(m);
281
282 switch (m->mode) {
283
284 case INACCESSIBLE:
285
286 /* First, get rid of everything that is below if there
287 * is anything... Then, overmount it with an
288 * inaccessible directory. */
289 umount_recursive(m->path, 0);
290
291 what = "/run/systemd/inaccessible";
292 break;
293
294 case READONLY:
295 case READWRITE:
296 /* Nothing to mount here, we just later toggle the
297 * MS_RDONLY bit for the mount point */
298 return 0;
299
300 case PRIVATE_TMP:
301 what = tmp_dir;
302 break;
303
304 case PRIVATE_VAR_TMP:
305 what = var_tmp_dir;
306 break;
307
308 case PRIVATE_DEV:
309 return mount_dev(m);
310
311 default:
312 assert_not_reached("Unknown mode");
313 }
314
315 assert(what);
316
317 r = mount(what, m->path, NULL, MS_BIND|MS_REC, NULL);
318 if (r >= 0)
319 log_debug("Successfully mounted %s to %s", what, m->path);
320 else if (m->ignore && errno == ENOENT)
321 return 0;
322
323 return r;
324 }
325
326 static int make_read_only(BindMount *m) {
327 int r;
328
329 assert(m);
330
331 if (IN_SET(m->mode, INACCESSIBLE, READONLY))
332 r = bind_remount_recursive(m->path, true);
333 else if (IN_SET(m->mode, READWRITE, PRIVATE_TMP, PRIVATE_VAR_TMP, PRIVATE_DEV))
334 r = bind_remount_recursive(m->path, false);
335 else
336 r = 0;
337
338 if (m->ignore && r == -ENOENT)
339 return 0;
340
341 return r;
342 }
343
344 int setup_namespace(
345 const char* root_directory,
346 char** read_write_dirs,
347 char** read_only_dirs,
348 char** inaccessible_dirs,
349 const char* tmp_dir,
350 const char* var_tmp_dir,
351 bool private_dev,
352 ProtectHome protect_home,
353 ProtectSystem protect_system,
354 unsigned long mount_flags) {
355
356 BindMount *m, *mounts = NULL;
357 unsigned n;
358 int r = 0;
359
360 if (mount_flags == 0)
361 mount_flags = MS_SHARED;
362
363 if (unshare(CLONE_NEWNS) < 0)
364 return -errno;
365
366 n = !!tmp_dir + !!var_tmp_dir +
367 strv_length(read_write_dirs) +
368 strv_length(read_only_dirs) +
369 strv_length(inaccessible_dirs) +
370 private_dev +
371 (protect_home != PROTECT_HOME_NO ? 3 : 0) +
372 (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
373 (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
374
375 if (n > 0) {
376 m = mounts = (BindMount *) alloca0(n * sizeof(BindMount));
377 r = append_mounts(&m, read_write_dirs, READWRITE);
378 if (r < 0)
379 return r;
380
381 r = append_mounts(&m, read_only_dirs, READONLY);
382 if (r < 0)
383 return r;
384
385 r = append_mounts(&m, inaccessible_dirs, INACCESSIBLE);
386 if (r < 0)
387 return r;
388
389 if (tmp_dir) {
390 m->path = prefix_roota(root_directory, "/tmp");
391 m->mode = PRIVATE_TMP;
392 m++;
393 }
394
395 if (var_tmp_dir) {
396 m->path = prefix_roota(root_directory, "/var/tmp");
397 m->mode = PRIVATE_VAR_TMP;
398 m++;
399 }
400
401 if (private_dev) {
402 m->path = prefix_roota(root_directory, "/dev");
403 m->mode = PRIVATE_DEV;
404 m++;
405 }
406
407 if (protect_home != PROTECT_HOME_NO) {
408 const char *home_dir, *run_user_dir, *root_dir;
409
410 home_dir = prefix_roota(root_directory, "/home");
411 home_dir = strjoina("-", home_dir);
412 run_user_dir = prefix_roota(root_directory, "/run/user");
413 run_user_dir = strjoina("-", run_user_dir);
414 root_dir = prefix_roota(root_directory, "/root");
415 root_dir = strjoina("-", root_dir);
416
417 r = append_mounts(&m, STRV_MAKE(home_dir, run_user_dir, root_dir),
418 protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
419 if (r < 0)
420 return r;
421 }
422
423 if (protect_system != PROTECT_SYSTEM_NO) {
424 const char *usr_dir, *boot_dir, *etc_dir;
425
426 usr_dir = prefix_roota(root_directory, "/usr");
427 boot_dir = prefix_roota(root_directory, "/boot");
428 boot_dir = strjoina("-", boot_dir);
429 etc_dir = prefix_roota(root_directory, "/etc");
430
431 r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL
432 ? STRV_MAKE(usr_dir, boot_dir, etc_dir)
433 : STRV_MAKE(usr_dir, boot_dir), READONLY);
434 if (r < 0)
435 return r;
436 }
437
438 assert(mounts + n == m);
439
440 qsort(mounts, n, sizeof(BindMount), mount_path_compare);
441 drop_duplicates(mounts, &n);
442 }
443
444 if (n > 0 || root_directory) {
445 /* Remount / as SLAVE so that nothing now mounted in the namespace
446 shows up in the parent */
447 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0)
448 return -errno;
449 }
450
451 if (root_directory) {
452 /* Turn directory into bind mount */
453 if (mount(root_directory, root_directory, NULL, MS_BIND|MS_REC, NULL) < 0)
454 return -errno;
455 }
456
457 if (n > 0) {
458 for (m = mounts; m < mounts + n; ++m) {
459 r = apply_mount(m, tmp_dir, var_tmp_dir);
460 if (r < 0)
461 goto fail;
462 }
463
464 for (m = mounts; m < mounts + n; ++m) {
465 r = make_read_only(m);
466 if (r < 0)
467 goto fail;
468 }
469 }
470
471 if (root_directory) {
472 /* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */
473 r = mount_move_root(root_directory);
474
475 /* at this point, we cannot rollback */
476 if (r < 0)
477 return r;
478 }
479
480 /* Remount / as the desired mode. Not that this will not
481 * reestablish propagation from our side to the host, since
482 * what's disconnected is disconnected. */
483 if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0)
484 /* at this point, we cannot rollback */
485 return -errno;
486
487 return 0;
488
489 fail:
490 if (n > 0) {
491 for (m = mounts; m < mounts + n; ++m)
492 if (m->done)
493 (void) umount2(m->path, MNT_DETACH);
494 }
495
496 return r;
497 }
498
499 static int setup_one_tmp_dir(const char *id, const char *prefix, char **path) {
500 _cleanup_free_ char *x = NULL;
501 char bid[SD_ID128_STRING_MAX];
502 sd_id128_t boot_id;
503 int r;
504
505 assert(id);
506 assert(prefix);
507 assert(path);
508
509 /* We include the boot id in the directory so that after a
510 * reboot we can easily identify obsolete directories. */
511
512 r = sd_id128_get_boot(&boot_id);
513 if (r < 0)
514 return r;
515
516 x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX", NULL);
517 if (!x)
518 return -ENOMEM;
519
520 RUN_WITH_UMASK(0077)
521 if (!mkdtemp(x))
522 return -errno;
523
524 RUN_WITH_UMASK(0000) {
525 char *y;
526
527 y = strjoina(x, "/tmp");
528
529 if (mkdir(y, 0777 | S_ISVTX) < 0)
530 return -errno;
531 }
532
533 *path = x;
534 x = NULL;
535
536 return 0;
537 }
538
539 int setup_tmp_dirs(const char *id, char **tmp_dir, char **var_tmp_dir) {
540 char *a, *b;
541 int r;
542
543 assert(id);
544 assert(tmp_dir);
545 assert(var_tmp_dir);
546
547 r = setup_one_tmp_dir(id, "/tmp", &a);
548 if (r < 0)
549 return r;
550
551 r = setup_one_tmp_dir(id, "/var/tmp", &b);
552 if (r < 0) {
553 char *t;
554
555 t = strjoina(a, "/tmp");
556 rmdir(t);
557 rmdir(a);
558
559 free(a);
560 return r;
561 }
562
563 *tmp_dir = a;
564 *var_tmp_dir = b;
565
566 return 0;
567 }
568
569 int setup_netns(int netns_storage_socket[2]) {
570 _cleanup_close_ int netns = -1;
571 int r, q;
572
573 assert(netns_storage_socket);
574 assert(netns_storage_socket[0] >= 0);
575 assert(netns_storage_socket[1] >= 0);
576
577 /* We use the passed socketpair as a storage buffer for our
578 * namespace reference fd. Whatever process runs this first
579 * shall create a new namespace, all others should just join
580 * it. To serialize that we use a file lock on the socket
581 * pair.
582 *
583 * It's a bit crazy, but hey, works great! */
584
585 if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
586 return -errno;
587
588 netns = receive_one_fd(netns_storage_socket[0], MSG_DONTWAIT);
589 if (netns == -EAGAIN) {
590 /* Nothing stored yet, so let's create a new namespace */
591
592 if (unshare(CLONE_NEWNET) < 0) {
593 r = -errno;
594 goto fail;
595 }
596
597 loopback_setup();
598
599 netns = open("/proc/self/ns/net", O_RDONLY|O_CLOEXEC|O_NOCTTY);
600 if (netns < 0) {
601 r = -errno;
602 goto fail;
603 }
604
605 r = 1;
606
607 } else if (netns < 0) {
608 r = netns;
609 goto fail;
610
611 } else {
612 /* Yay, found something, so let's join the namespace */
613 if (setns(netns, CLONE_NEWNET) < 0) {
614 r = -errno;
615 goto fail;
616 }
617
618 r = 0;
619 }
620
621 q = send_one_fd(netns_storage_socket[1], netns, MSG_DONTWAIT);
622 if (q < 0) {
623 r = q;
624 goto fail;
625 }
626
627 fail:
628 lockf(netns_storage_socket[0], F_ULOCK, 0);
629 return r;
630 }
631
632 static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
633 [PROTECT_HOME_NO] = "no",
634 [PROTECT_HOME_YES] = "yes",
635 [PROTECT_HOME_READ_ONLY] = "read-only",
636 };
637
638 DEFINE_STRING_TABLE_LOOKUP(protect_home, ProtectHome);
639
640 static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
641 [PROTECT_SYSTEM_NO] = "no",
642 [PROTECT_SYSTEM_YES] = "yes",
643 [PROTECT_SYSTEM_FULL] = "full",
644 };
645
646 DEFINE_STRING_TABLE_LOOKUP(protect_system, ProtectSystem);
Unnamed repository; edit this file 'description' to name the repository.