1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 #pragma once
3
4 #include <sched.h>
5 #include <stdio.h>
6
7 #if HAVE_SECCOMP
8 #include <seccomp.h>
9 #endif
10
11 #include "sd-bus.h"
12 #include "sd-id128.h"
13
14 #include "capability-util.h"
15 #include "conf-parser.h"
16 #include "cpu-set-util.h"
17 #include "macro.h"
18 #include "missing_resource.h"
19 #include "nspawn-expose-ports.h"
20 #include "nspawn-mount.h"
21 #include "time-util.h"
22
/* How the container's first process is started (Settings.start_mode). Presumably selected by the
 * config_parse_boot()/config_parse_pid2() callbacks declared further down — confirm there. */
typedef enum StartMode {
        START_PID1, /* Run parameters as command line as process 1 */
        START_PID2, /* Use stub init process as PID 1, run parameters as command line as process 2 */
        START_BOOT, /* Search for init system, pass arguments as parameters */
        _START_MODE_MAX,          /* one past the last valid mode; not a mode itself */
        _START_MODE_INVALID = -1  /* "unset"/"not recognised" sentinel, distinct from all valid modes */
} StartMode;
30
/* User-namespace policy for the container (Settings.userns_mode, parsed by config_parse_private_users()).
 * NOTE(review): FIXED vs. PICK presumably means "use Settings.uid_shift/uid_range as given" vs.
 * "choose a shift at runtime" — confirm against the parser before relying on that reading. */
typedef enum UserNamespaceMode {
        USER_NAMESPACE_NO,
        USER_NAMESPACE_FIXED,
        USER_NAMESPACE_PICK,
        _USER_NAMESPACE_MODE_MAX,          /* one past the last valid mode */
        _USER_NAMESPACE_MODE_INVALID = -1, /* "unset"/"not recognised" sentinel */
} UserNamespaceMode;
38
/* What to do about the container's resolv.conf (Settings.resolv_conf; string conversion via
 * resolv_conf_mode_to_string()/resolv_conf_mode_from_string(), parsing via config_parse_resolv_conf()).
 * The names distinguish copy vs. bind-mount, host vs. static source, delete, off and AUTO; how AUTO
 * picks between them is decided in the implementation, not here. */
typedef enum ResolvConfMode {
        RESOLV_CONF_OFF,
        RESOLV_CONF_COPY_HOST,
        RESOLV_CONF_COPY_STATIC,
        RESOLV_CONF_BIND_HOST,
        RESOLV_CONF_BIND_STATIC,
        RESOLV_CONF_DELETE,
        RESOLV_CONF_AUTO,
        _RESOLV_CONF_MODE_MAX,          /* one past the last valid mode */
        _RESOLV_CONF_MODE_INVALID = -1  /* "unset"/"not recognised" sentinel */
} ResolvConfMode;
50
/* Journal linking policy (Settings.link_journal). Parsed by parse_link_journal(), which also yields
 * the separate "try" flag stored in Settings.link_journal_try. */
typedef enum LinkJournal {
        LINK_NO,
        LINK_AUTO,
        LINK_HOST,
        LINK_GUEST,
        _LINK_JOURNAL_MAX,          /* one past the last valid value */
        _LINK_JOURNAL_INVALID = -1  /* "unset"/"not recognised" sentinel */
} LinkJournal;
59
/* How the container's timezone configuration is provided (Settings.timezone; string conversion via
 * timezone_mode_to_string()/timezone_mode_from_string(), parsing via config_parse_timezone()). */
typedef enum TimezoneMode {
        TIMEZONE_OFF,
        TIMEZONE_COPY,
        TIMEZONE_BIND,
        TIMEZONE_SYMLINK,
        TIMEZONE_DELETE,
        TIMEZONE_AUTO,
        _TIMEZONE_MODE_MAX,          /* one past the last valid mode */
        _TIMEZONE_MODE_INVALID = -1  /* "unset"/"not recognised" sentinel */
} TimezoneMode;
70
/* How the container's console is wired up (Settings.console_mode). */
typedef enum ConsoleMode {
        CONSOLE_INTERACTIVE,
        CONSOLE_READ_ONLY,
        CONSOLE_PASSIVE,
        CONSOLE_PIPE,
        _CONSOLE_MODE_MAX,          /* one past the last valid mode */
        _CONSOLE_MODE_INVALID = -1, /* "unset"/"not recognised" sentinel */
} ConsoleMode;
79
/* Bit mask recording which Settings fields have been set (one bit per setting), so that callers can tell
 * an explicitly configured value from a default. The type is forced to 64 bits (see the assert_cc()
 * checks below). Layout: bits 0..29 are individual settings, bits 30..30+_RLIMIT_MAX-1 are one per
 * resource limit, mirroring the Settings.rlimit[] array. */
typedef enum SettingsMask {
        SETTING_START_MODE        = UINT64_C(1) << 0,
        SETTING_ENVIRONMENT       = UINT64_C(1) << 1,
        SETTING_USER              = UINT64_C(1) << 2,
        SETTING_CAPABILITY        = UINT64_C(1) << 3,
        SETTING_KILL_SIGNAL       = UINT64_C(1) << 4,
        SETTING_PERSONALITY       = UINT64_C(1) << 5,
        SETTING_MACHINE_ID        = UINT64_C(1) << 6,
        SETTING_NETWORK           = UINT64_C(1) << 7,
        SETTING_EXPOSE_PORTS      = UINT64_C(1) << 8,
        SETTING_READ_ONLY         = UINT64_C(1) << 9,
        SETTING_VOLATILE_MODE     = UINT64_C(1) << 10,
        SETTING_CUSTOM_MOUNTS     = UINT64_C(1) << 11,
        SETTING_WORKING_DIRECTORY = UINT64_C(1) << 12,
        SETTING_USERNS            = UINT64_C(1) << 13,
        SETTING_NOTIFY_READY      = UINT64_C(1) << 14,
        SETTING_PIVOT_ROOT        = UINT64_C(1) << 15,
        SETTING_SYSCALL_FILTER    = UINT64_C(1) << 16,
        SETTING_HOSTNAME          = UINT64_C(1) << 17,
        SETTING_NO_NEW_PRIVILEGES = UINT64_C(1) << 18,
        SETTING_OOM_SCORE_ADJUST  = UINT64_C(1) << 19,
        SETTING_CPU_AFFINITY      = UINT64_C(1) << 20,
        SETTING_RESOLV_CONF       = UINT64_C(1) << 21,
        SETTING_LINK_JOURNAL      = UINT64_C(1) << 22,
        SETTING_TIMEZONE          = UINT64_C(1) << 23,
        SETTING_EPHEMERAL         = UINT64_C(1) << 24,
        SETTING_SLICE             = UINT64_C(1) << 25,
        SETTING_DIRECTORY         = UINT64_C(1) << 26,
        SETTING_USE_CGNS          = UINT64_C(1) << 27,
        SETTING_CLONE_NS_FLAGS    = UINT64_C(1) << 28,
        SETTING_CONSOLE_MODE      = UINT64_C(1) << 29,
        SETTING_RLIMIT_FIRST      = UINT64_C(1) << 30, /* we define one bit per resource limit here */
        SETTING_RLIMIT_LAST       = UINT64_C(1) << (30 + _RLIMIT_MAX - 1),
        /* All bits below 30 + _RLIMIT_MAX set. The shift is only well-defined while 30 + _RLIMIT_MAX < 64. */
        _SETTINGS_MASK_ALL        = (UINT64_C(1) << (30 + _RLIMIT_MAX)) -1,
        _SETTING_FORCE_ENUM_WIDTH = UINT64_MAX /* not a setting: forces the enum's underlying type to 64 bits */
} SettingsMask;
116
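/* We want to use SETTING_RLIMIT_FIRST in shifts, so make sure it is really 64 bits
 * when used in expressions. (A macro may safely reference its own name: the preprocessor
 * does not re-expand it, so this wraps the enumerator in a cast rather than recursing.) */
#define SETTING_RLIMIT_FIRST ((uint64_t) SETTING_RLIMIT_FIRST)
#define SETTING_RLIMIT_LAST ((uint64_t) SETTING_RLIMIT_LAST)

assert_cc(sizeof(SettingsMask) == 8);
assert_cc(sizeof(SETTING_RLIMIT_FIRST) == 8);
assert_cc(sizeof(SETTING_RLIMIT_LAST) == 8);
/* The per-rlimit bits start at bit 30 and _SETTINGS_MASK_ALL shifts by 30 + _RLIMIT_MAX; make the
 * bit budget explicit so a grown _RLIMIT_MAX fails to compile here instead of silently producing an
 * out-of-range shift. */
assert_cc(30 + _RLIMIT_MAX < 64);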
125
/* Description of one device node to create for the container (Settings.extra_nodes). Arrays of these are
 * released with device_node_array_free(). NOTE(review): exposing device nodes widens what the container
 * can reach; the policy that decides which nodes are acceptable lives with whoever fills this in, not here. */
typedef struct DeviceNode {
        char *path;      /* filesystem path of the node; owned by this struct (freed with it) */
        unsigned major;  /* device number, major part */
        unsigned minor;  /* device number, minor part */
        mode_t mode;     /* file type and permission bits of the node */
        uid_t uid;       /* owner */
        gid_t gid;       /* group */
} DeviceNode;
134
/* One OCI runtime hook (Settings.oci_hooks_{prestart,poststart,poststop}): a program to run, with its
 * argument vector, environment and a timeout. The string members are owned by the struct. */
typedef struct OciHook {
        char *path;     /* program to execute */
        char **args;    /* NULL-terminated argv */
        char **env;     /* NULL-terminated environment */
        usec_t timeout; /* how long the hook may run; unit is microseconds per usec_t */
} OciHook;
141
/* Everything that configures one container run, as gathered from a settings file (settings_load()) and/or
 * the OCI bundle. Section comments follow the .nspawn file layout. Several fields are privilege-relevant —
 * capability masks, syscall filter lists, user-namespace shift, extra device nodes, network setup — and a
 * SettingsMask bit normally accompanies each to say whether it was explicitly set. NOTE(review): whether a
 * particular source is trusted to set those fields is decided by the callers, not by this struct.
 *
 * Fields typed `int` where a yes/no is expected (read_only, userns_chown, private_network, network_veth,
 * use_cgns, no_new_privileges) are presumably tri-state, with a negative value meaning "not set" — confirm
 * in settings_new()/the parser before treating them as plain booleans. Allocated with settings_new(),
 * released with settings_free(). */
typedef struct Settings {
        /* [Run] */
        StartMode start_mode;
        bool ephemeral;
        char **parameters;                  /* command line / init arguments, NULL-terminated */
        char **environment;                 /* extra environment, NULL-terminated */
        char *user;
        uint64_t capability;                /* capability bit masks, see SETTING_CAPABILITY */
        uint64_t drop_capability;
        int kill_signal;
        unsigned long personality;
        sd_id128_t machine_id;
        char *working_directory;
        char *pivot_root_new;
        char *pivot_root_old;
        UserNamespaceMode userns_mode;
        uid_t uid_shift, uid_range;         /* UID range the container is mapped onto, see UserNamespaceMode */
        bool notify_ready;
        char **syscall_whitelist;           /* seccomp filter lists, NULL-terminated, see SETTING_SYSCALL_FILTER */
        char **syscall_blacklist;
        struct rlimit *rlimit[_RLIMIT_MAX]; /* one optional entry per resource, indexed like the SETTING_RLIMIT_* bits */
        char *hostname;
        int no_new_privileges;
        int oom_score_adjust;
        bool oom_score_adjust_set;          /* presumably: oom_score_adjust carries a value only when true */
        CPUSet cpu_set;
        ResolvConfMode resolv_conf;
        LinkJournal link_journal;
        bool link_journal_try;              /* the "try" variant reported by parse_link_journal() */
        TimezoneMode timezone;

        /* [Image] */
        int read_only;
        VolatileMode volatile_mode;
        CustomMount *custom_mounts;         /* array of n_custom_mounts entries */
        size_t n_custom_mounts;
        int userns_chown;

        /* [Network] */
        int private_network;
        int network_veth;
        char *network_bridge;
        char *network_zone;
        char **network_interfaces;          /* NULL-terminated string lists */
        char **network_macvlan;
        char **network_ipvlan;
        char **network_veth_extra;
        ExposePort *expose_ports;

        /* Additional fields that are specific to the OCI runtime case */
        char *bundle;
        char *root;
        OciHook *oci_hooks_prestart, *oci_hooks_poststart, *oci_hooks_poststop;       /* arrays, sized by the n_* below */
        size_t n_oci_hooks_prestart, n_oci_hooks_poststart, n_oci_hooks_poststop;
        char *slice;
        sd_bus_message *properties;         /* created on demand by settings_allocate_properties() */
        CapabilityQuintet full_capabilities;
        uid_t uid;
        gid_t gid;
        gid_t *supplementary_gids;          /* array of n_supplementary_gids entries */
        size_t n_supplementary_gids;
        unsigned console_width, console_height;
        ConsoleMode console_mode;
        DeviceNode *extra_nodes;            /* array of n_extra_nodes entries, freed via device_node_array_free() */
        size_t n_extra_nodes;
        unsigned long clone_ns_flags;
        char *network_namespace_path;
        int use_cgns;
        char **sysctl;                      /* NULL-terminated list */
#if HAVE_SECCOMP
        scmp_filter_ctx seccomp;            /* compiled seccomp filter, only with libseccomp support */
#endif
} Settings;
215
/* Allocate a new Settings with default field values; presumably returns NULL on allocation failure,
 * so callers check the result. Release with settings_free(). */
Settings *settings_new(void);
/* Parse a settings file from the open stream `f` (`path` presumably names it for diagnostics) and
 * return a newly allocated Settings in *ret on success. Returns an int status; the codebase convention is
 * 0 on success and a negative errno-style value on failure — confirm in the implementation.
 * NOTE(review): this is the boundary where file content becomes privilege-relevant configuration
 * (capabilities, syscall filter, user namespace, device nodes, network). Which settings a given file is
 * allowed to apply is not decided here; callers must apply that policy to the result. */
int settings_load(FILE *f, const char *path, Settings **ret);
/* Free `s` and all owned members. Returns a Settings* (presumably NULL) so that callers can write
 * `s = settings_free(s)`; also used as the cleanup function below. */
Settings* settings_free(Settings *s);

/* Resolve the tri-state network_veth/private_network fields to an effective yes/no, presumably taking
 * the other [Network] fields into account — confirm in the implementation. */
bool settings_network_veth(Settings *s);
bool settings_private_network(Settings *s);
/* Ensure s->properties exists (allocating the sd_bus_message if needed); int status like settings_load(). */
int settings_allocate_properties(Settings *s);

/* Provides settings_freep() for _cleanup_ use. */
DEFINE_TRIVIAL_CLEANUP_FUNC(Settings*, settings_free);

/* gperf-generated lookup from a "Section.Key" name to its ConfigPerfItem (parser callback and field
 * offset); NULL when the key is unknown. */
const struct ConfigPerfItem* nspawn_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
227
/* conf-parser callbacks for the nspawn-specific keys; the signature is supplied by
 * CONFIG_PARSER_PROTOTYPE (conf-parser.h) and the gperf table above binds key names to them.
 * Each callback receives the raw value string from the settings file and is the single point
 * where that value is validated before it lands in a Settings field. */
CONFIG_PARSER_PROTOTYPE(config_parse_capability);
CONFIG_PARSER_PROTOTYPE(config_parse_id128);
CONFIG_PARSER_PROTOTYPE(config_parse_expose_port);
CONFIG_PARSER_PROTOTYPE(config_parse_volatile_mode);
CONFIG_PARSER_PROTOTYPE(config_parse_pivot_root);
CONFIG_PARSER_PROTOTYPE(config_parse_bind);
CONFIG_PARSER_PROTOTYPE(config_parse_tmpfs);
CONFIG_PARSER_PROTOTYPE(config_parse_overlay);
CONFIG_PARSER_PROTOTYPE(config_parse_inaccessible);
CONFIG_PARSER_PROTOTYPE(config_parse_veth_extra);
CONFIG_PARSER_PROTOTYPE(config_parse_network_zone);
CONFIG_PARSER_PROTOTYPE(config_parse_boot);
CONFIG_PARSER_PROTOTYPE(config_parse_pid2);
CONFIG_PARSER_PROTOTYPE(config_parse_private_users);
CONFIG_PARSER_PROTOTYPE(config_parse_syscall_filter);
CONFIG_PARSER_PROTOTYPE(config_parse_hostname);
CONFIG_PARSER_PROTOTYPE(config_parse_oom_score_adjust);
CONFIG_PARSER_PROTOTYPE(config_parse_cpu_affinity);
CONFIG_PARSER_PROTOTYPE(config_parse_resolv_conf);
CONFIG_PARSER_PROTOTYPE(config_parse_link_journal);
CONFIG_PARSER_PROTOTYPE(config_parse_timezone);
249
/* String <-> enum conversion for ResolvConfMode. The from_string direction presumably returns
 * _RESOLV_CONF_MODE_INVALID for an unrecognised name, which is why the enum carries that sentinel. */
const char *resolv_conf_mode_to_string(ResolvConfMode a) _const_;
ResolvConfMode resolv_conf_mode_from_string(const char *s) _pure_;

/* String <-> enum conversion for TimezoneMode; same conventions as above. */
const char *timezone_mode_to_string(TimezoneMode a) _const_;
TimezoneMode timezone_mode_from_string(const char *s) _pure_;

/* Parse a LinkJournal= style value: the mode goes to *ret_mode and the "try" variant flag to *ret_try
 * (Settings.link_journal / link_journal_try). Returns an int status, presumably negative on a bad value. */
int parse_link_journal(const char *s, LinkJournal *ret_mode, bool *ret_try);

/* Release an array of `n` DeviceNode entries (their owned strings and the array itself). */
void device_node_array_free(DeviceNode *node, size_t n);