1 /* SPDX-License-Identifier: LGPL-2.1+ */
4 #include <linux/magic.h>
6 #include "alloc-util.h"
12 #include "mount-util.h"
13 #include "mountpoint-util.h"
14 #include "nspawn-mount.h"
15 #include "parse-util.h"
16 #include "path-util.h"
19 #include "stat-util.h"
20 #include "string-util.h"
22 #include "tmpfile-util.h"
23 #include "user-util.h"
26 CustomMount
* custom_mount_add(CustomMount
**l
, size_t *n
, CustomMountType t
) {
32 assert(t
< _CUSTOM_MOUNT_TYPE_MAX
);
34 c
= reallocarray(*l
, *n
+ 1, sizeof(CustomMount
));
42 *ret
= (CustomMount
) { .type
= t
};
47 void custom_mount_free_all(CustomMount
*l
, size_t n
) {
50 for (i
= 0; i
< n
; i
++) {
51 CustomMount
*m
= l
+ i
;
58 (void) rm_rf(m
->work_dir
, REMOVE_ROOT
|REMOVE_PHYSICAL
);
62 if (m
->rm_rf_tmpdir
) {
63 (void) rm_rf(m
->rm_rf_tmpdir
, REMOVE_ROOT
|REMOVE_PHYSICAL
);
64 free(m
->rm_rf_tmpdir
);
73 static int custom_mount_compare(const CustomMount
*a
, const CustomMount
*b
) {
76 r
= path_compare(a
->destination
, b
->destination
);
80 return CMP(a
->type
, b
->type
);
83 static bool source_path_is_valid(const char *p
) {
89 return path_is_absolute(p
);
92 static char *resolve_source_path(const char *dest
, const char *source
) {
98 return prefix_root(dest
, source
+ 1);
100 return strdup(source
);
103 int custom_mount_prepare_all(const char *dest
, CustomMount
*l
, size_t n
) {
107 /* Prepare all custom mounts. This will make source we know all temporary directories. This is called in the
108 * parent process, so that we know the temporary directories to remove on exit before we fork off the
113 /* Order the custom mounts, and make sure we have a working directory */
114 typesafe_qsort(l
, n
, custom_mount_compare
);
116 for (i
= 0; i
< n
; i
++) {
117 CustomMount
*m
= l
+ i
;
122 s
= resolve_source_path(dest
, m
->source
);
126 free_and_replace(m
->source
, s
);
128 /* No source specified? In that case, use a throw-away temporary directory in /var/tmp */
130 m
->rm_rf_tmpdir
= strdup("/var/tmp/nspawn-temp-XXXXXX");
131 if (!m
->rm_rf_tmpdir
)
134 if (!mkdtemp(m
->rm_rf_tmpdir
)) {
135 m
->rm_rf_tmpdir
= mfree(m
->rm_rf_tmpdir
);
136 return log_error_errno(errno
, "Failed to acquire temporary directory: %m");
139 m
->source
= strjoin(m
->rm_rf_tmpdir
, "/src");
143 if (mkdir(m
->source
, 0755) < 0)
144 return log_error_errno(errno
, "Failed to create %s: %m", m
->source
);
147 if (m
->type
== CUSTOM_MOUNT_OVERLAY
) {
150 STRV_FOREACH(j
, m
->lower
) {
153 s
= resolve_source_path(dest
, *j
);
157 free_and_replace(*j
, s
);
163 s
= resolve_source_path(dest
, m
->work_dir
);
167 free_and_replace(m
->work_dir
, s
);
171 r
= tempfn_random(m
->source
, NULL
, &m
->work_dir
);
173 return log_error_errno(r
, "Failed to acquire working directory: %m");
176 (void) mkdir_label(m
->work_dir
, 0700);
183 int bind_mount_parse(CustomMount
**l
, size_t *n
, const char *s
, bool read_only
) {
184 _cleanup_free_
char *source
= NULL
, *destination
= NULL
, *opts
= NULL
;
192 r
= extract_many_words(&p
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
, &source
, &destination
, NULL
);
198 destination
= strdup(source
[0] == '+' ? source
+1 : source
);
202 if (r
== 2 && !isempty(p
)) {
210 else if (!source_path_is_valid(source
))
213 if (!path_is_absolute(destination
))
215 if (empty_or_root(destination
))
218 m
= custom_mount_add(l
, n
, CUSTOM_MOUNT_BIND
);
223 m
->destination
= destination
;
224 m
->read_only
= read_only
;
227 source
= destination
= opts
= NULL
;
231 int tmpfs_mount_parse(CustomMount
**l
, size_t *n
, const char *s
) {
232 _cleanup_free_
char *path
= NULL
, *opts
= NULL
;
241 r
= extract_first_word(&p
, &path
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
248 opts
= strdup("mode=0755");
254 if (!path_is_absolute(path
))
256 if (empty_or_root(path
))
259 m
= custom_mount_add(l
, n
, CUSTOM_MOUNT_TMPFS
);
263 m
->destination
= TAKE_PTR(path
);
264 m
->options
= TAKE_PTR(opts
);
269 int overlay_mount_parse(CustomMount
**l
, size_t *n
, const char *s
, bool read_only
) {
270 _cleanup_free_
char *upper
= NULL
, *destination
= NULL
;
271 _cleanup_strv_free_
char **lower
= NULL
;
275 k
= strv_split_extract(&lower
, s
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
279 return -EADDRNOTAVAIL
;
281 /* If two parameters are specified, the first one is the lower, the second one the upper directory. And
282 * we'll also define the destination mount point the same as the upper. */
284 if (!source_path_is_valid(lower
[0]) ||
285 !source_path_is_valid(lower
[1]))
288 upper
= TAKE_PTR(lower
[1]);
290 destination
= strdup(upper
[0] == '+' ? upper
+1 : upper
); /* take the destination without "+" prefix */
296 /* If more than two parameters are specified, the last one is the destination, the second to last one
297 * the "upper", and all before that the "lower" directories. */
299 destination
= lower
[k
- 1];
300 upper
= TAKE_PTR(lower
[k
- 2]);
302 STRV_FOREACH(i
, lower
)
303 if (!source_path_is_valid(*i
))
306 /* If the upper directory is unspecified, then let's create it automatically as a throw-away directory
310 else if (!source_path_is_valid(upper
))
313 if (!path_is_absolute(destination
))
317 if (empty_or_root(destination
))
320 m
= custom_mount_add(l
, n
, CUSTOM_MOUNT_OVERLAY
);
324 m
->destination
= TAKE_PTR(destination
);
325 m
->source
= TAKE_PTR(upper
);
326 m
->lower
= TAKE_PTR(lower
);
327 m
->read_only
= read_only
;
332 int tmpfs_patch_options(
335 const char *selinux_apifs_context
,
340 if (uid_shift
!= UID_INVALID
) {
341 if (asprintf(&buf
, "%s%suid=" UID_FMT
",gid=" UID_FMT
,
342 strempty(options
), options
? "," : "",
343 uid_shift
, uid_shift
) < 0)
350 if (selinux_apifs_context
) {
353 t
= strjoin(strempty(options
), options
? "," : "",
354 "context=\"", selinux_apifs_context
, "\"");
363 if (!buf
&& options
) {
364 buf
= strdup(options
);
373 int mount_sysfs(const char *dest
, MountSettingsMask mount_settings
) {
374 const char *full
, *top
, *x
;
376 unsigned long extra_flags
= 0;
378 top
= prefix_roota(dest
, "/sys");
379 r
= path_is_fs_type(top
, SYSFS_MAGIC
);
381 return log_error_errno(r
, "Failed to determine filesystem type of %s: %m", top
);
382 /* /sys might already be mounted as sysfs by the outer child in the
383 * !netns case. In this case, it's all good. Don't touch it because we
384 * don't have the right to do so, see https://github.com/systemd/systemd/issues/1555.
389 full
= prefix_roota(top
, "/full");
391 (void) mkdir(full
, 0755);
393 if (mount_settings
& MOUNT_APPLY_APIVFS_RO
)
394 extra_flags
|= MS_RDONLY
;
396 r
= mount_verbose(LOG_ERR
, "sysfs", full
, "sysfs",
397 MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|extra_flags
, NULL
);
401 FOREACH_STRING(x
, "block", "bus", "class", "dev", "devices", "kernel") {
402 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
404 from
= prefix_root(full
, x
);
408 to
= prefix_root(top
, x
);
412 (void) mkdir(to
, 0755);
414 r
= mount_verbose(LOG_ERR
, from
, to
, NULL
, MS_BIND
, NULL
);
418 r
= mount_verbose(LOG_ERR
, NULL
, to
, NULL
,
419 MS_BIND
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
|extra_flags
, NULL
);
424 r
= umount_verbose(full
);
429 return log_error_errno(errno
, "Failed to remove %s: %m", full
);
431 /* Create mountpoint for cgroups. Otherwise we are not allowed since we
432 * remount /sys read-only.
434 x
= prefix_roota(top
, "/fs/cgroup");
435 (void) mkdir_p(x
, 0755);
437 return mount_verbose(LOG_ERR
, NULL
, top
, NULL
,
438 MS_BIND
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
|extra_flags
, NULL
);
441 static int mkdir_userns(const char *path
, mode_t mode
, uid_t uid_shift
) {
446 r
= mkdir_errno_wrapper(path
, mode
);
447 if (r
< 0 && r
!= -EEXIST
)
450 if (uid_shift
== UID_INVALID
)
453 if (lchown(path
, uid_shift
, uid_shift
) < 0)
459 static int mkdir_userns_p(const char *prefix
, const char *path
, mode_t mode
, uid_t uid_shift
) {
465 if (prefix
&& !path_startswith(path
, prefix
))
468 /* create every parent directory in the path, except the last component */
469 p
= path
+ strspn(path
, "/");
471 char t
[strlen(path
) + 1];
473 e
= p
+ strcspn(p
, "/");
474 p
= e
+ strspn(e
, "/");
476 /* Is this the last component? If so, then we're done */
480 memcpy(t
, path
, e
- path
);
483 if (prefix
&& path_startswith(prefix
, t
))
486 r
= mkdir_userns(t
, mode
, uid_shift
);
491 return mkdir_userns(path
, mode
, uid_shift
);
494 int mount_all(const char *dest
,
495 MountSettingsMask mount_settings
,
497 const char *selinux_apifs_context
) {
499 #define PROC_INACCESSIBLE(path) \
500 { NULL, (path), NULL, NULL, MS_BIND, \
501 MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO|MOUNT_INACCESSIBLE_REG }, /* Bind mount first ... */ \
502 { NULL, (path), NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, \
503 MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO } /* Then, make it r/o */
505 #define PROC_READ_ONLY(path) \
506 { (path), (path), NULL, NULL, MS_BIND, \
507 MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO }, /* Bind mount first ... */ \
508 { NULL, (path), NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, \
509 MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO } /* Then, make it r/o */
511 typedef struct MountPoint
{
517 MountSettingsMask mount_settings
;
520 static const MountPoint mount_table
[] = {
521 /* First we list inner child mounts (i.e. mounts applied *after* entering user namespacing) */
522 { "proc", "/proc", "proc", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
523 MOUNT_FATAL
|MOUNT_IN_USERNS
},
525 { "/proc/sys", "/proc/sys", NULL
, NULL
, MS_BIND
,
526 MOUNT_FATAL
|MOUNT_IN_USERNS
|MOUNT_APPLY_APIVFS_RO
}, /* Bind mount first ... */
528 { "/proc/sys/net", "/proc/sys/net", NULL
, NULL
, MS_BIND
,
529 MOUNT_FATAL
|MOUNT_IN_USERNS
|MOUNT_APPLY_APIVFS_RO
|MOUNT_APPLY_APIVFS_NETNS
}, /* (except for this) */
531 { NULL
, "/proc/sys", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
,
532 MOUNT_FATAL
|MOUNT_IN_USERNS
|MOUNT_APPLY_APIVFS_RO
}, /* ... then, make it r/o */
534 /* Make these files inaccessible to container payloads: they potentially leak information about kernel
535 * internals or the host's execution environment to the container */
536 PROC_INACCESSIBLE("/proc/kallsyms"),
537 PROC_INACCESSIBLE("/proc/kcore"),
538 PROC_INACCESSIBLE("/proc/keys"),
539 PROC_INACCESSIBLE("/proc/sysrq-trigger"),
540 PROC_INACCESSIBLE("/proc/timer_list"),
542 /* Make these directories read-only to container payloads: they show hardware information, and in some
543 * cases contain tunables the container really shouldn't have access to. */
544 PROC_READ_ONLY("/proc/acpi"),
545 PROC_READ_ONLY("/proc/apm"),
546 PROC_READ_ONLY("/proc/asound"),
547 PROC_READ_ONLY("/proc/bus"),
548 PROC_READ_ONLY("/proc/fs"),
549 PROC_READ_ONLY("/proc/irq"),
550 PROC_READ_ONLY("/proc/scsi"),
552 /* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
553 { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
554 MOUNT_FATAL
|MOUNT_APPLY_TMPFS_TMP
},
555 { "tmpfs", "/sys", "tmpfs", "mode=555", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
556 MOUNT_FATAL
|MOUNT_APPLY_APIVFS_NETNS
},
557 { "sysfs", "/sys", "sysfs", NULL
, MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
558 MOUNT_FATAL
|MOUNT_APPLY_APIVFS_RO
}, /* skipped if above was mounted */
559 { "sysfs", "/sys", "sysfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
560 MOUNT_FATAL
}, /* skipped if above was mounted */
561 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID
|MS_STRICTATIME
,
563 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
565 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
567 { "mqueue", "/dev/mqueue", "mqueue", NULL
, 0,
571 { "/sys/fs/selinux", "/sys/fs/selinux", NULL
, NULL
, MS_BIND
,
572 0 }, /* Bind mount first */
573 { NULL
, "/sys/fs/selinux", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
,
574 0 }, /* Then, make it r/o */
578 _cleanup_(unlink_and_freep
) char *inaccessible
= NULL
;
579 bool use_userns
= (mount_settings
& MOUNT_USE_USERNS
);
580 bool netns
= (mount_settings
& MOUNT_APPLY_APIVFS_NETNS
);
581 bool ro
= (mount_settings
& MOUNT_APPLY_APIVFS_RO
);
582 bool in_userns
= (mount_settings
& MOUNT_IN_USERNS
);
583 bool tmpfs_tmp
= (mount_settings
& MOUNT_APPLY_TMPFS_TMP
);
587 for (k
= 0; k
< ELEMENTSOF(mount_table
); k
++) {
588 _cleanup_free_
char *where
= NULL
, *options
= NULL
;
589 const char *o
, *what
;
590 bool fatal
= (mount_table
[k
].mount_settings
& MOUNT_FATAL
);
592 if (in_userns
!= (bool)(mount_table
[k
].mount_settings
& MOUNT_IN_USERNS
))
595 if (!netns
&& (bool)(mount_table
[k
].mount_settings
& MOUNT_APPLY_APIVFS_NETNS
))
598 if (!ro
&& (bool)(mount_table
[k
].mount_settings
& MOUNT_APPLY_APIVFS_RO
))
601 if (!tmpfs_tmp
&& (bool)(mount_table
[k
].mount_settings
& MOUNT_APPLY_TMPFS_TMP
))
604 r
= chase_symlinks(mount_table
[k
].where
, dest
, CHASE_NONEXISTENT
|CHASE_PREFIX_ROOT
, &where
);
606 return log_error_errno(r
, "Failed to resolve %s/%s: %m", dest
, mount_table
[k
].where
);
608 if (mount_table
[k
].mount_settings
& MOUNT_INACCESSIBLE_REG
) {
611 _cleanup_free_
char *np
= NULL
;
613 r
= tempfn_random_child(NULL
, "inaccessible", &np
);
615 return log_error_errno(r
, "Failed to generate inaccessible file node path: %m");
617 r
= touch_file(np
, false, USEC_INFINITY
, UID_INVALID
, GID_INVALID
, 0000);
619 return log_error_errno(r
, "Failed to create inaccessible file node '%s': %m", np
);
621 inaccessible
= TAKE_PTR(np
);
626 what
= mount_table
[k
].what
;
628 r
= path_is_mount_point(where
, NULL
, 0);
629 if (r
< 0 && r
!= -ENOENT
)
630 return log_error_errno(r
, "Failed to detect whether %s is a mount point: %m", where
);
632 /* Skip this entry if it is not a remount. */
636 r
= mkdir_userns_p(dest
, where
, 0755, (use_userns
&& !in_userns
) ? uid_shift
: UID_INVALID
);
637 if (r
< 0 && r
!= -EEXIST
) {
638 if (fatal
&& r
!= -EROFS
)
639 return log_error_errno(r
, "Failed to create directory %s: %m", where
);
641 log_debug_errno(r
, "Failed to create directory %s: %m", where
);
642 /* If we failed mkdir() or chown() due to the root
643 * directory being read only, attempt to mount this fs
644 * anyway and let mount_verbose log any errors */
649 o
= mount_table
[k
].options
;
650 if (streq_ptr(mount_table
[k
].type
, "tmpfs")) {
651 r
= tmpfs_patch_options(o
, in_userns
? 0 : uid_shift
, selinux_apifs_context
, &options
);
658 r
= mount_verbose(fatal
? LOG_ERR
: LOG_DEBUG
,
662 mount_table
[k
].flags
,
671 static int mount_bind(const char *dest
, CustomMount
*m
) {
673 _cleanup_free_
char *where
= NULL
;
674 struct stat source_st
, dest_st
;
680 if (stat(m
->source
, &source_st
) < 0)
681 return log_error_errno(errno
, "Failed to stat %s: %m", m
->source
);
683 r
= chase_symlinks(m
->destination
, dest
, CHASE_PREFIX_ROOT
|CHASE_NONEXISTENT
, &where
);
685 return log_error_errno(r
, "Failed to resolve %s/%s: %m", dest
, m
->destination
);
686 if (r
> 0) { /* Path exists already? */
688 if (stat(where
, &dest_st
) < 0)
689 return log_error_errno(errno
, "Failed to stat %s: %m", where
);
691 if (S_ISDIR(source_st
.st_mode
) && !S_ISDIR(dest_st
.st_mode
))
692 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
693 "Cannot bind mount directory %s on file %s.",
696 if (!S_ISDIR(source_st
.st_mode
) && S_ISDIR(dest_st
.st_mode
))
697 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
698 "Cannot bind mount file %s on directory %s.",
701 } else { /* Path doesn't exist yet? */
702 r
= mkdir_parents_label(where
, 0755);
704 return log_error_errno(r
, "Failed to make parents of %s: %m", where
);
706 /* Create the mount point. Any non-directory file can be
707 * mounted on any non-directory file (regular, fifo, socket,
710 if (S_ISDIR(source_st
.st_mode
))
711 r
= mkdir_label(where
, 0755);
715 return log_error_errno(r
, "Failed to create mount point %s: %m", where
);
719 r
= mount_verbose(LOG_ERR
, m
->source
, where
, NULL
, MS_BIND
| MS_REC
, m
->options
);
724 r
= bind_remount_recursive(where
, true, NULL
);
726 return log_error_errno(r
, "Read-only bind mount failed: %m");
732 static int mount_tmpfs(
735 bool userns
, uid_t uid_shift
, uid_t uid_range
,
736 const char *selinux_apifs_context
) {
739 _cleanup_free_
char *buf
= NULL
, *where
= NULL
;
745 r
= chase_symlinks(m
->destination
, dest
, CHASE_PREFIX_ROOT
|CHASE_NONEXISTENT
, &where
);
747 return log_error_errno(r
, "Failed to resolve %s/%s: %m", dest
, m
->destination
);
748 if (r
== 0) { /* Doesn't exist yet? */
749 r
= mkdir_p_label(where
, 0755);
751 return log_error_errno(r
, "Creating mount point for tmpfs %s failed: %m", where
);
754 r
= tmpfs_patch_options(m
->options
, uid_shift
== 0 ? UID_INVALID
: uid_shift
, selinux_apifs_context
, &buf
);
757 options
= r
> 0 ? buf
: m
->options
;
759 return mount_verbose(LOG_ERR
, "tmpfs", where
, "tmpfs", MS_NODEV
|MS_STRICTATIME
, options
);
762 static char *joined_and_escaped_lower_dirs(char **lower
) {
763 _cleanup_strv_free_
char **sv
= NULL
;
765 sv
= strv_copy(lower
);
771 if (!strv_shell_escape(sv
, ",:"))
774 return strv_join(sv
, ":");
777 static int mount_overlay(const char *dest
, CustomMount
*m
) {
779 _cleanup_free_
char *lower
= NULL
, *where
= NULL
, *escaped_source
= NULL
;
786 r
= chase_symlinks(m
->destination
, dest
, CHASE_PREFIX_ROOT
|CHASE_NONEXISTENT
, &where
);
788 return log_error_errno(r
, "Failed to resolve %s/%s: %m", dest
, m
->destination
);
789 if (r
== 0) { /* Doesn't exist yet? */
790 r
= mkdir_label(where
, 0755);
792 return log_error_errno(r
, "Creating mount point for overlay %s failed: %m", where
);
795 (void) mkdir_p_label(m
->source
, 0755);
797 lower
= joined_and_escaped_lower_dirs(m
->lower
);
801 escaped_source
= shell_escape(m
->source
, ",:");
806 options
= strjoina("lowerdir=", escaped_source
, ":", lower
);
808 _cleanup_free_
char *escaped_work_dir
= NULL
;
810 escaped_work_dir
= shell_escape(m
->work_dir
, ",:");
811 if (!escaped_work_dir
)
814 options
= strjoina("lowerdir=", lower
, ",upperdir=", escaped_source
, ",workdir=", escaped_work_dir
);
817 return mount_verbose(LOG_ERR
, "overlay", where
, "overlay", m
->read_only
? MS_RDONLY
: 0, options
);
822 CustomMount
*mounts
, size_t n
,
823 bool userns
, uid_t uid_shift
, uid_t uid_range
,
824 const char *selinux_apifs_context
) {
831 for (i
= 0; i
< n
; i
++) {
832 CustomMount
*m
= mounts
+ i
;
836 case CUSTOM_MOUNT_BIND
:
837 r
= mount_bind(dest
, m
);
840 case CUSTOM_MOUNT_TMPFS
:
841 r
= mount_tmpfs(dest
, m
, userns
, uid_shift
, uid_range
, selinux_apifs_context
);
844 case CUSTOM_MOUNT_OVERLAY
:
845 r
= mount_overlay(dest
, m
);
849 assert_not_reached("Unknown custom mount type");
859 static int setup_volatile_state(
860 const char *directory
,
861 bool userns
, uid_t uid_shift
, uid_t uid_range
,
862 const char *selinux_apifs_context
) {
864 _cleanup_free_
char *buf
= NULL
;
865 const char *p
, *options
;
870 /* --volatile=state means we simply overmount /var with a tmpfs, and the rest read-only. */
872 r
= bind_remount_recursive(directory
, true, NULL
);
874 return log_error_errno(r
, "Failed to remount %s read-only: %m", directory
);
876 p
= prefix_roota(directory
, "/var");
878 if (r
< 0 && errno
!= EEXIST
)
879 return log_error_errno(errno
, "Failed to create %s: %m", directory
);
881 options
= "mode=755";
882 r
= tmpfs_patch_options(options
, uid_shift
== 0 ? UID_INVALID
: uid_shift
, selinux_apifs_context
, &buf
);
888 return mount_verbose(LOG_ERR
, "tmpfs", p
, "tmpfs", MS_STRICTATIME
, options
);
891 static int setup_volatile_yes(
892 const char *directory
,
893 bool userns
, uid_t uid_shift
, uid_t uid_range
,
894 const char *selinux_apifs_context
) {
896 bool tmpfs_mounted
= false, bind_mounted
= false;
897 char template[] = "/tmp/nspawn-volatile-XXXXXX";
898 _cleanup_free_
char *buf
= NULL
;
899 const char *f
, *t
, *options
;
904 /* --volatile=yes means we mount a tmpfs to the root dir, and the original /usr to use inside it, and that
907 if (!mkdtemp(template))
908 return log_error_errno(errno
, "Failed to create temporary directory: %m");
910 options
= "mode=755";
911 r
= tmpfs_patch_options(options
, uid_shift
== 0 ? UID_INVALID
: uid_shift
, selinux_apifs_context
, &buf
);
917 r
= mount_verbose(LOG_ERR
, "tmpfs", template, "tmpfs", MS_STRICTATIME
, options
);
921 tmpfs_mounted
= true;
923 f
= prefix_roota(directory
, "/usr");
924 t
= prefix_roota(template, "/usr");
927 if (r
< 0 && errno
!= EEXIST
) {
928 r
= log_error_errno(errno
, "Failed to create %s: %m", t
);
932 r
= mount_verbose(LOG_ERR
, f
, t
, NULL
, MS_BIND
|MS_REC
, NULL
);
938 r
= bind_remount_recursive(t
, true, NULL
);
940 log_error_errno(r
, "Failed to remount %s read-only: %m", t
);
944 r
= mount_verbose(LOG_ERR
, template, directory
, NULL
, MS_MOVE
, NULL
);
948 (void) rmdir(template);
954 (void) umount_verbose(t
);
957 (void) umount_verbose(template);
958 (void) rmdir(template);
962 static int setup_volatile_overlay(
963 const char *directory
,
964 bool userns
, uid_t uid_shift
, uid_t uid_range
,
965 const char *selinux_apifs_context
) {
967 _cleanup_free_
char *buf
= NULL
, *escaped_directory
= NULL
, *escaped_upper
= NULL
, *escaped_work
= NULL
;
968 char template[] = "/tmp/nspawn-volatile-XXXXXX";
969 const char *upper
, *work
, *options
;
970 bool tmpfs_mounted
= false;
975 /* --volatile=overlay means we mount an overlayfs to the root dir. */
977 if (!mkdtemp(template))
978 return log_error_errno(errno
, "Failed to create temporary directory: %m");
980 options
= "mode=755";
981 r
= tmpfs_patch_options(options
, uid_shift
== 0 ? UID_INVALID
: uid_shift
, selinux_apifs_context
, &buf
);
987 r
= mount_verbose(LOG_ERR
, "tmpfs", template, "tmpfs", MS_STRICTATIME
, options
);
991 tmpfs_mounted
= true;
993 upper
= strjoina(template, "/upper");
994 work
= strjoina(template, "/work");
996 if (mkdir(upper
, 0755) < 0) {
997 r
= log_error_errno(errno
, "Failed to create %s: %m", upper
);
1000 if (mkdir(work
, 0755) < 0) {
1001 r
= log_error_errno(errno
, "Failed to create %s: %m", work
);
1005 /* And now, let's overmount the root dir with an overlayfs that uses the root dir as lower dir. It's kinda nice
1006 * that the kernel allows us to do that without going through some mount point rearrangements. */
1008 escaped_directory
= shell_escape(directory
, ",:");
1009 escaped_upper
= shell_escape(upper
, ",:");
1010 escaped_work
= shell_escape(work
, ",:");
1011 if (!escaped_directory
|| !escaped_upper
|| !escaped_work
) {
1016 options
= strjoina("lowerdir=", escaped_directory
, ",upperdir=", escaped_upper
, ",workdir=", escaped_work
);
1017 r
= mount_verbose(LOG_ERR
, "overlay", directory
, "overlay", 0, options
);
1021 (void) umount_verbose(template);
1023 (void) rmdir(template);
1027 int setup_volatile_mode(
1028 const char *directory
,
1030 bool userns
, uid_t uid_shift
, uid_t uid_range
,
1031 const char *selinux_apifs_context
) {
1036 return setup_volatile_yes(directory
, userns
, uid_shift
, uid_range
, selinux_apifs_context
);
1038 case VOLATILE_STATE
:
1039 return setup_volatile_state(directory
, userns
, uid_shift
, uid_range
, selinux_apifs_context
);
1041 case VOLATILE_OVERLAY
:
1042 return setup_volatile_overlay(directory
, userns
, uid_shift
, uid_range
, selinux_apifs_context
);
1049 /* Expects *pivot_root_new and *pivot_root_old to be initialised to allocated memory or NULL. */
1050 int pivot_root_parse(char **pivot_root_new
, char **pivot_root_old
, const char *s
) {
1051 _cleanup_free_
char *root_new
= NULL
, *root_old
= NULL
;
1055 assert(pivot_root_new
);
1056 assert(pivot_root_old
);
1058 r
= extract_first_word(&p
, &root_new
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
1067 root_old
= strdup(p
);
1072 if (!path_is_absolute(root_new
))
1074 if (root_old
&& !path_is_absolute(root_old
))
1077 free_and_replace(*pivot_root_new
, root_new
);
1078 free_and_replace(*pivot_root_old
, root_old
);
1083 int setup_pivot_root(const char *directory
, const char *pivot_root_new
, const char *pivot_root_old
) {
1084 _cleanup_free_
char *directory_pivot_root_new
= NULL
;
1085 _cleanup_free_
char *pivot_tmp_pivot_root_old
= NULL
;
1086 char pivot_tmp
[] = "/tmp/nspawn-pivot-XXXXXX";
1087 bool remove_pivot_tmp
= false;
1092 if (!pivot_root_new
)
1095 /* Pivot pivot_root_new to / and the existing / to pivot_root_old.
1096 * If pivot_root_old is NULL, the existing / disappears.
1097 * This requires a temporary directory, pivot_tmp, which is
1098 * not a child of either.
1100 * This is typically used for OSTree-style containers, where
1101 * the root partition contains several sysroots which could be
1102 * run. Normally, one would be chosen by the bootloader and
1103 * pivoted to / by initramfs.
1105 * For example, for an OSTree deployment, pivot_root_new
1106 * would be: /ostree/deploy/$os/deploy/$checksum. Note that this
1107 * code doesn’t do the /var mount which OSTree expects: use
1108 * --bind +/sysroot/ostree/deploy/$os/var:/var for that.
1110 * So in the OSTree case, we’ll end up with something like:
1111 * - directory = /tmp/nspawn-root-123456
1112 * - pivot_root_new = /ostree/deploy/os/deploy/123abc
1113 * - pivot_root_old = /sysroot
1114 * - directory_pivot_root_new =
1115 * /tmp/nspawn-root-123456/ostree/deploy/os/deploy/123abc
1116 * - pivot_tmp = /tmp/nspawn-pivot-123456
1117 * - pivot_tmp_pivot_root_old = /tmp/nspawn-pivot-123456/sysroot
1119 * Requires all file systems at directory and below to be mounted
1120 * MS_PRIVATE or MS_SLAVE so they can be moved.
1122 directory_pivot_root_new
= prefix_root(directory
, pivot_root_new
);
1124 /* Remount directory_pivot_root_new to make it movable. */
1125 r
= mount_verbose(LOG_ERR
, directory_pivot_root_new
, directory_pivot_root_new
, NULL
, MS_BIND
, NULL
);
1129 if (pivot_root_old
) {
1130 if (!mkdtemp(pivot_tmp
)) {
1131 r
= log_error_errno(errno
, "Failed to create temporary directory: %m");
1135 remove_pivot_tmp
= true;
1136 pivot_tmp_pivot_root_old
= prefix_root(pivot_tmp
, pivot_root_old
);
1138 r
= mount_verbose(LOG_ERR
, directory_pivot_root_new
, pivot_tmp
, NULL
, MS_MOVE
, NULL
);
1142 r
= mount_verbose(LOG_ERR
, directory
, pivot_tmp_pivot_root_old
, NULL
, MS_MOVE
, NULL
);
1146 r
= mount_verbose(LOG_ERR
, pivot_tmp
, directory
, NULL
, MS_MOVE
, NULL
);
1150 r
= mount_verbose(LOG_ERR
, directory_pivot_root_new
, directory
, NULL
, MS_MOVE
, NULL
);
1156 if (remove_pivot_tmp
)
1157 (void) rmdir(pivot_tmp
);