]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/nspawn/nspawn.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add build/unit-tests CI jobs for s390x (#38232)
[thirdparty/systemd.git] / src / nspawn / nspawn.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <getopt.h>
4 #include <linux/loop.h>
5 #include <net/if.h>
6 #include <stdlib.h>
7 #include <sys/file.h>
8 #include <sys/ioctl.h>
9 #include <sys/keyctl.h>
10 #include <sys/mount.h>
11 #include <sys/personality.h>
12 #include <sys/prctl.h>
13 #include <sys/wait.h>
14 #include <unistd.h>
15
16 #if HAVE_SELINUX
17 #include <selinux/selinux.h>
18 #endif
19
20 #include "sd-bus.h"
21 #include "sd-daemon.h"
22 #include "sd-event.h"
23 #include "sd-id128.h"
24 #include "sd-netlink.h"
25
26 #include "alloc-util.h"
27 #include "barrier.h"
28 #include "base-filesystem.h"
29 #include "btrfs-util.h"
30 #include "build.h"
31 #include "bus-error.h"
32 #include "bus-locator.h"
33 #include "bus-util.h"
34 #include "capability-list.h"
35 #include "capability-util.h"
36 #include "cgroup-setup.h"
37 #include "chase.h"
38 #include "common-signal.h"
39 #include "constants.h"
40 #include "copy.h"
41 #include "cpu-set-util.h"
42 #include "daemon-util.h"
43 #include "dev-setup.h"
44 #include "devnum-util.h"
45 #include "discover-image.h"
46 #include "dissect-image.h"
47 #include "env-util.h"
48 #include "escape.h"
49 #include "ether-addr-util.h"
50 #include "extract-word.h"
51 #include "fd-util.h"
52 #include "fdset.h"
53 #include "fileio.h"
54 #include "format-util.h"
55 #include "fs-util.h"
56 #include "gpt.h"
57 #include "hexdecoct.h"
58 #include "hostname-setup.h"
59 #include "hostname-util.h"
60 #include "id128-util.h"
61 #include "image-policy.h"
62 #include "in-addr-util.h"
63 #include "io-util.h"
64 #include "log.h"
65 #include "loop-util.h"
66 #include "loopback-setup.h"
67 #include "machine-bind-user.h"
68 #include "machine-credential.h"
69 #include "main-func.h"
70 #include "mkdir.h"
71 #include "mount-util.h"
72 #include "mountpoint-util.h"
73 #include "namespace-util.h"
74 #include "notify-recv.h"
75 #include "nspawn-bind-user.h"
76 #include "nspawn-cgroup.h"
77 #include "nspawn-expose-ports.h"
78 #include "nspawn-mount.h"
79 #include "nspawn-network.h"
80 #include "nspawn-oci.h"
81 #include "nspawn-register.h"
82 #include "nspawn-seccomp.h"
83 #include "nspawn-settings.h"
84 #include "nspawn-setuid.h"
85 #include "nspawn-stub-pid1.h"
86 #include "nspawn.h"
87 #include "nsresource.h"
88 #include "os-util.h"
89 #include "osc-context.h"
90 #include "pager.h"
91 #include "parse-argument.h"
92 #include "parse-util.h"
93 #include "path-util.h"
94 #include "pidref.h"
95 #include "polkit-agent.h"
96 #include "pretty-print.h"
97 #include "process-util.h"
98 #include "ptyfwd.h"
99 #include "random-util.h"
100 #include "raw-clone.h"
101 #include "resolve-util.h"
102 #include "rlimit-util.h"
103 #include "rm-rf.h"
104 #include "runtime-scope.h"
105 #include "seccomp-util.h"
106 #include "shift-uid.h"
107 #include "signal-util.h"
108 #include "siphash24.h"
109 #include "socket-util.h"
110 #include "stat-util.h"
111 #include "stdio-util.h"
112 #include "string-table.h"
113 #include "string-util.h"
114 #include "strv.h"
115 #include "sysctl-util.h"
116 #include "terminal-util.h"
117 #include "tmpfile-util.h"
118 #include "uid-classification.h"
119 #include "umask-util.h"
120 #include "unit-name.h"
121 #include "user-record.h"
122 #include "user-util.h"
123 #include "vpick.h"
124
125 /* The notify socket inside the container it can use to talk to nspawn using the sd_notify(3) protocol */
126 #define NSPAWN_NOTIFY_SOCKET_PATH "/run/host/notify"
127 #define NSPAWN_MOUNT_TUNNEL "/run/host/incoming"
128
129 #define EXIT_FORCE_RESTART 133
130
131 typedef enum ContainerStatus {
132 CONTAINER_TERMINATED,
133 CONTAINER_REBOOTED,
134 } ContainerStatus;
135
136 static char *arg_directory = NULL;
137 static char *arg_template = NULL;
138 static char *arg_chdir = NULL;
139 static char *arg_pivot_root_new = NULL;
140 static char *arg_pivot_root_old = NULL;
141 static char *arg_user = NULL;
142 static uid_t arg_uid = UID_INVALID;
143 static gid_t arg_gid = GID_INVALID;
144 static gid_t* arg_supplementary_gids = NULL;
145 static size_t arg_n_supplementary_gids = 0;
146 static sd_id128_t arg_uuid = {};
147 static char *arg_machine = NULL; /* The name used by the host to refer to this */
148 static char *arg_hostname = NULL; /* The name the payload sees by default */
149 static const char *arg_selinux_context = NULL;
150 static const char *arg_selinux_apifs_context = NULL;
151 static char *arg_slice = NULL;
152 static bool arg_private_network; /* initialized depending on arg_privileged in run() */
153 static bool arg_read_only = false;
154 static StartMode arg_start_mode = START_PID1;
155 static bool arg_ephemeral = false;
156 static LinkJournal arg_link_journal = LINK_AUTO;
157 static bool arg_link_journal_try = false;
158 static uint64_t arg_caps_retain =
159 (1ULL << CAP_AUDIT_CONTROL) |
160 (1ULL << CAP_AUDIT_WRITE) |
161 (1ULL << CAP_CHOWN) |
162 (1ULL << CAP_DAC_OVERRIDE) |
163 (1ULL << CAP_DAC_READ_SEARCH) |
164 (1ULL << CAP_FOWNER) |
165 (1ULL << CAP_FSETID) |
166 (1ULL << CAP_IPC_OWNER) |
167 (1ULL << CAP_KILL) |
168 (1ULL << CAP_LEASE) |
169 (1ULL << CAP_LINUX_IMMUTABLE) |
170 (1ULL << CAP_MKNOD) |
171 (1ULL << CAP_NET_BIND_SERVICE) |
172 (1ULL << CAP_NET_BROADCAST) |
173 (1ULL << CAP_NET_RAW) |
174 (1ULL << CAP_SETFCAP) |
175 (1ULL << CAP_SETGID) |
176 (1ULL << CAP_SETPCAP) |
177 (1ULL << CAP_SETUID) |
178 (1ULL << CAP_SYS_ADMIN) |
179 (1ULL << CAP_SYS_BOOT) |
180 (1ULL << CAP_SYS_CHROOT) |
181 (1ULL << CAP_SYS_NICE) |
182 (1ULL << CAP_SYS_PTRACE) |
183 (1ULL << CAP_SYS_RESOURCE) |
184 (1ULL << CAP_SYS_TTY_CONFIG);
185 static uint64_t arg_caps_ambient = 0;
186 static CapabilityQuintet arg_full_capabilities = CAPABILITY_QUINTET_NULL;
187 static CustomMount *arg_custom_mounts = NULL;
188 static size_t arg_n_custom_mounts = 0;
189 static char **arg_setenv = NULL;
190 static bool arg_quiet = false;
191 static bool arg_register = true;
192 static bool arg_keep_unit = false;
193 static char **arg_network_interfaces = NULL;
194 static char **arg_network_macvlan = NULL;
195 static char **arg_network_ipvlan = NULL;
196 static bool arg_network_veth = false;
197 static char **arg_network_veth_extra = NULL;
198 static char *arg_network_bridge = NULL;
199 static char *arg_network_zone = NULL;
200 static char *arg_network_namespace_path = NULL;
201 struct ether_addr arg_network_provided_mac = {};
202 static PagerFlags arg_pager_flags = 0;
203 static unsigned long arg_personality = PERSONALITY_INVALID;
204 static char *arg_image = NULL;
205 static char *arg_oci_bundle = NULL;
206 static VolatileMode arg_volatile_mode = VOLATILE_NO;
207 static ExposePort *arg_expose_ports = NULL;
208 static char **arg_property = NULL;
209 static sd_bus_message *arg_property_message = NULL;
210 static UserNamespaceMode arg_userns_mode; /* initialized depending on arg_privileged in run() */
211 static uid_t arg_uid_shift = UID_INVALID, arg_uid_range = 0x10000U;
212 static UserNamespaceOwnership arg_userns_ownership = _USER_NAMESPACE_OWNERSHIP_INVALID;
213 static int arg_kill_signal = 0;
214 static SettingsMask arg_settings_mask = 0;
215 static int arg_settings_trusted = -1;
216 static char **arg_parameters = NULL;
217 static const char *arg_container_service_name = "systemd-nspawn";
218 static bool arg_notify_ready = false;
219 static bool arg_use_cgns = true;
220 static unsigned long arg_clone_ns_flags = CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS;
221 static MountSettingsMask arg_mount_settings = MOUNT_APPLY_APIVFS_RO|MOUNT_APPLY_TMPFS_TMP;
222 static VeritySettings arg_verity_settings = VERITY_SETTINGS_DEFAULT;
223 static char **arg_syscall_allow_list = NULL;
224 static char **arg_syscall_deny_list = NULL;
225 #if HAVE_SECCOMP
226 static scmp_filter_ctx arg_seccomp = NULL;
227 #endif
228 static struct rlimit *arg_rlimit[_RLIMIT_MAX] = {};
229 static bool arg_no_new_privileges = false;
230 static int arg_oom_score_adjust = 0;
231 static bool arg_oom_score_adjust_set = false;
232 static CPUSet arg_cpu_set = {};
233 static ResolvConfMode arg_resolv_conf = RESOLV_CONF_AUTO;
234 static TimezoneMode arg_timezone = TIMEZONE_AUTO;
235 static unsigned arg_console_width = UINT_MAX, arg_console_height = UINT_MAX;
236 static DeviceNode* arg_extra_nodes = NULL;
237 static size_t arg_n_extra_nodes = 0;
238 static char **arg_sysctl = NULL;
239 static ConsoleMode arg_console_mode = _CONSOLE_MODE_INVALID;
240 static MachineCredentialContext arg_credentials = {};
241 static char **arg_bind_user = NULL;
242 static char *arg_bind_user_shell = NULL;
243 static bool arg_bind_user_shell_copy = false;
244 static bool arg_suppress_sync = false;
245 static char *arg_settings_filename = NULL;
246 static Architecture arg_architecture = _ARCHITECTURE_INVALID;
247 static ImagePolicy *arg_image_policy = NULL;
248 static char *arg_background = NULL;
249 static bool arg_privileged = false;
250 static bool arg_cleanup = false;
251 static bool arg_ask_password = true;
252
253 STATIC_DESTRUCTOR_REGISTER(arg_directory, freep);
254 STATIC_DESTRUCTOR_REGISTER(arg_template, freep);
255 STATIC_DESTRUCTOR_REGISTER(arg_chdir, freep);
256 STATIC_DESTRUCTOR_REGISTER(arg_pivot_root_new, freep);
257 STATIC_DESTRUCTOR_REGISTER(arg_pivot_root_old, freep);
258 STATIC_DESTRUCTOR_REGISTER(arg_user, freep);
259 STATIC_DESTRUCTOR_REGISTER(arg_supplementary_gids, freep);
260 STATIC_DESTRUCTOR_REGISTER(arg_machine, freep);
261 STATIC_DESTRUCTOR_REGISTER(arg_hostname, freep);
262 STATIC_DESTRUCTOR_REGISTER(arg_slice, freep);
263 STATIC_DESTRUCTOR_REGISTER(arg_setenv, strv_freep);
264 STATIC_DESTRUCTOR_REGISTER(arg_network_interfaces, strv_freep);
265 STATIC_DESTRUCTOR_REGISTER(arg_network_macvlan, strv_freep);
266 STATIC_DESTRUCTOR_REGISTER(arg_network_ipvlan, strv_freep);
267 STATIC_DESTRUCTOR_REGISTER(arg_network_veth_extra, strv_freep);
268 STATIC_DESTRUCTOR_REGISTER(arg_network_bridge, freep);
269 STATIC_DESTRUCTOR_REGISTER(arg_network_zone, freep);
270 STATIC_DESTRUCTOR_REGISTER(arg_network_namespace_path, freep);
271 STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
272 STATIC_DESTRUCTOR_REGISTER(arg_oci_bundle, freep);
273 STATIC_DESTRUCTOR_REGISTER(arg_property, strv_freep);
274 STATIC_DESTRUCTOR_REGISTER(arg_property_message, sd_bus_message_unrefp);
275 STATIC_DESTRUCTOR_REGISTER(arg_parameters, strv_freep);
276 STATIC_DESTRUCTOR_REGISTER(arg_verity_settings, verity_settings_done);
277 STATIC_DESTRUCTOR_REGISTER(arg_syscall_allow_list, strv_freep);
278 STATIC_DESTRUCTOR_REGISTER(arg_syscall_deny_list, strv_freep);
279 #if HAVE_SECCOMP
280 STATIC_DESTRUCTOR_REGISTER(arg_seccomp, seccomp_releasep);
281 #endif
282 STATIC_DESTRUCTOR_REGISTER(arg_credentials, machine_credential_context_done);
283 STATIC_DESTRUCTOR_REGISTER(arg_cpu_set, cpu_set_done);
284 STATIC_DESTRUCTOR_REGISTER(arg_sysctl, strv_freep);
285 STATIC_DESTRUCTOR_REGISTER(arg_bind_user, strv_freep);
286 STATIC_DESTRUCTOR_REGISTER(arg_bind_user_shell, freep);
287 STATIC_DESTRUCTOR_REGISTER(arg_settings_filename, freep);
288 STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
289 STATIC_DESTRUCTOR_REGISTER(arg_background, freep);
290
291 static int handle_arg_console(const char *arg) {
292 if (streq(arg, "help")) {
293 puts("autopipe\n"
294 "interactive\n"
295 "passive\n"
296 "pipe\n"
297 "read-only");
298 return 0;
299 }
300
301 if (streq(arg, "interactive"))
302 arg_console_mode = CONSOLE_INTERACTIVE;
303 else if (streq(arg, "read-only"))
304 arg_console_mode = CONSOLE_READ_ONLY;
305 else if (streq(arg, "passive"))
306 arg_console_mode = CONSOLE_PASSIVE;
307 else if (streq(arg, "pipe")) {
308 if (isatty_safe(STDIN_FILENO) && isatty_safe(STDOUT_FILENO))
309 log_full(arg_quiet ? LOG_DEBUG : LOG_NOTICE,
310 "Console mode 'pipe' selected, but standard input/output are connected to an interactive TTY. "
311 "Most likely you want to use 'interactive' console mode for proper interactivity and shell job control. "
312 "Proceeding anyway.");
313
314 arg_console_mode = CONSOLE_PIPE;
315 } else if (streq(arg, "autopipe")) {
316 if (isatty_safe(STDIN_FILENO) && isatty_safe(STDOUT_FILENO))
317 arg_console_mode = CONSOLE_INTERACTIVE;
318 else
319 arg_console_mode = CONSOLE_PIPE;
320 } else
321 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown console mode: %s", optarg);
322
323 arg_settings_mask |= SETTING_CONSOLE_MODE;
324 return 1;
325 }
326
327 static int help(void) {
328 _cleanup_free_ char *link = NULL;
329 int r;
330
331 pager_open(arg_pager_flags);
332
333 r = terminal_urlify_man("systemd-nspawn", "1", &link);
334 if (r < 0)
335 return log_oom();
336
337 printf("%1$s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
338 "%5$sSpawn a command or OS in a lightweight container.%6$s\n\n"
339 " -h --help Show this help\n"
340 " --version Print version string\n"
341 " -q --quiet Do not show status information\n"
342 " --no-pager Do not pipe output into a pager\n"
343 " --settings=BOOLEAN Load additional settings from .nspawn file\n"
344 " --cleanup Clean up left-over mounts and underlying mount\n"
345 " points used by the container\n"
346 " --no-ask-password Do not prompt for password\n"
347 "\n%3$sImage:%4$s\n"
348 " -D --directory=PATH Root directory for the container\n"
349 " --template=PATH Initialize root directory from template directory,\n"
350 " if missing\n"
351 " -x --ephemeral Run container with snapshot of root directory, and\n"
352 " remove it after exit\n"
353 " -i --image=PATH Root file system disk image (or device node) for\n"
354 " the container\n"
355 " --image-policy=POLICY Specify disk image dissection policy\n"
356 " --oci-bundle=PATH OCI bundle directory\n"
357 " --read-only Mount the root directory read-only\n"
358 " --volatile[=MODE] Run the system in volatile mode\n"
359 " --root-hash=HASH Specify verity root hash for root disk image\n"
360 " --root-hash-sig=SIG Specify pkcs7 signature of root hash for verity\n"
361 " as a DER encoded PKCS7, either as a path to a file\n"
362 " or as an ASCII base64 encoded string prefixed by\n"
363 " 'base64:'\n"
364 " --verity-data=PATH Specify hash device for verity\n"
365 " --pivot-root=PATH[:PATH]\n"
366 " Pivot root to given directory in the container\n"
367 "\n%3$sExecution:%4$s\n"
368 " -a --as-pid2 Maintain a stub init as PID1, invoke binary as PID2\n"
369 " -b --boot Boot up full system (i.e. invoke init)\n"
370 " --chdir=PATH Set working directory in the container\n"
371 " -E --setenv=NAME[=VALUE] Pass an environment variable to PID 1\n"
372 " -u --user=USER Run the command under specified user or UID\n"
373 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
374 " --notify-ready=BOOLEAN Receive notifications from the child init process\n"
375 " --suppress-sync=BOOLEAN\n"
376 " Suppress any form of disk data synchronization\n"
377 "\n%3$sSystem Identity:%4$s\n"
378 " -M --machine=NAME Set the machine name for the container\n"
379 " --hostname=NAME Override the hostname for the container\n"
380 " --uuid=UUID Set a specific machine UUID for the container\n"
381 "\n%3$sProperties:%4$s\n"
382 " -S --slice=SLICE Place the container in the specified slice\n"
383 " --property=NAME=VALUE Set scope unit property\n"
384 " --register=BOOLEAN Register container as machine\n"
385 " --keep-unit Do not register a scope for the machine, reuse\n"
386 " the service unit nspawn is running in\n"
387 "\n%3$sUser Namespacing:%4$s\n"
388 " --private-users=no Run without user namespacing\n"
389 " --private-users=yes|pick|identity|managed\n"
390 " Run within user namespace, autoselect UID/GID range\n"
391 " --private-users=UIDBASE[:NUIDS]\n"
392 " Similar, but with user configured UID/GID range\n"
393 " --private-users-ownership=MODE\n"
394 " Adjust ('chown') or map ('map') OS tree ownership\n"
395 " to private UID/GID range\n"
396 " -U Equivalent to --private-users=pick and\n"
397 " --private-users-ownership=auto\n"
398 "\n%3$sNetworking:%4$s\n"
399 " --private-network Disable network in container\n"
400 " --network-interface=HOSTIF[:CONTAINERIF]\n"
401 " Assign an existing network interface to the\n"
402 " container\n"
403 " --network-macvlan=HOSTIF[:CONTAINERIF]\n"
404 " Create a macvlan network interface based on an\n"
405 " existing network interface to the container\n"
406 " --network-ipvlan=HOSTIF[:CONTAINERIF]\n"
407 " Create an ipvlan network interface based on an\n"
408 " existing network interface to the container\n"
409 " -n --network-veth Add a virtual Ethernet connection between host\n"
410 " and container\n"
411 " --network-veth-extra=HOSTIF[:CONTAINERIF]\n"
412 " Add an additional virtual Ethernet link between\n"
413 " host and container\n"
414 " --network-bridge=INTERFACE\n"
415 " Add a virtual Ethernet connection to the container\n"
416 " and attach it to an existing bridge on the host\n"
417 " --network-zone=NAME Similar, but attach the new interface to an\n"
418 " automatically managed bridge interface\n"
419 " --network-namespace-path=PATH\n"
420 " Set network namespace to the one represented by\n"
421 " the specified kernel namespace file node\n"
422 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
423 " Expose a container IP port on the host\n"
424 "\n%3$sSecurity:%4$s\n"
425 " --capability=CAP In addition to the default, retain specified\n"
426 " capability\n"
427 " --drop-capability=CAP Drop the specified capability from the default set\n"
428 " --ambient-capability=CAP\n"
429 " Sets the specified capability for the started\n"
430 " process. Not useful if booting a machine.\n"
431 " --no-new-privileges Set PR_SET_NO_NEW_PRIVS flag for container payload\n"
432 " --system-call-filter=LIST|~LIST\n"
433 " Permit/prohibit specific system calls\n"
434 " -Z --selinux-context=SECLABEL\n"
435 " Set the SELinux security context to be used by\n"
436 " processes in the container\n"
437 " -L --selinux-apifs-context=SECLABEL\n"
438 " Set the SELinux security context to be used by\n"
439 " API/tmpfs file systems in the container\n"
440 "\n%3$sResources:%4$s\n"
441 " --rlimit=NAME=LIMIT Set a resource limit for the payload\n"
442 " --oom-score-adjust=VALUE\n"
443 " Adjust the OOM score value for the payload\n"
444 " --cpu-affinity=CPUS Adjust the CPU affinity of the container\n"
445 " --personality=ARCH Pick personality for this container\n"
446 "\n%3$sIntegration:%4$s\n"
447 " --resolv-conf=MODE Select mode of /etc/resolv.conf initialization\n"
448 " --timezone=MODE Select mode of /etc/localtime initialization\n"
449 " --link-journal=MODE Link up guest journal, one of no, auto, guest, \n"
450 " host, try-guest, try-host\n"
451 " -j Equivalent to --link-journal=try-guest\n"
452 "\n%3$sMounts:%4$s\n"
453 " --bind=PATH[:PATH[:OPTIONS]]\n"
454 " Bind mount a file or directory from the host into\n"
455 " the container\n"
456 " --bind-ro=PATH[:PATH[:OPTIONS]\n"
457 " Similar, but creates a read-only bind mount\n"
458 " --inaccessible=PATH Over-mount file node with inaccessible node to mask\n"
459 " it\n"
460 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
461 " --overlay=PATH[:PATH...]:PATH\n"
462 " Create an overlay mount from the host to \n"
463 " the container\n"
464 " --overlay-ro=PATH[:PATH...]:PATH\n"
465 " Similar, but creates a read-only overlay mount\n"
466 " --bind-user=NAME Bind user from host to container\n"
467 "\n%3$sInput/Output:%4$s\n"
468 " --console=MODE Select how stdin/stdout/stderr and /dev/console are\n"
469 " set up for the container.\n"
470 " -P --pipe Equivalent to --console=pipe\n"
471 " --background=COLOR Set ANSI color for background\n"
472 "\n%3$sCredentials:%4$s\n"
473 " --set-credential=ID:VALUE\n"
474 " Pass a credential with literal value to container.\n"
475 " --load-credential=ID:PATH\n"
476 " Load credential to pass to container from file or\n"
477 " AF_UNIX stream socket.\n"
478 "\nSee the %2$s for details.\n",
479 program_invocation_short_name,
480 link,
481 ansi_underline(),
482 ansi_normal(),
483 ansi_highlight(),
484 ansi_normal());
485
486 return 0;
487 }
488
489 static int custom_mount_check_all(void) {
490 FOREACH_ARRAY(m, arg_custom_mounts, arg_n_custom_mounts)
491 if (path_equal(m->destination, "/") && arg_userns_mode != USER_NAMESPACE_NO) {
492 if (arg_userns_ownership != USER_NAMESPACE_OWNERSHIP_OFF)
493 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
494 "--private-users-ownership=%s may not be combined with custom root mounts.",
495 user_namespace_ownership_to_string(arg_userns_ownership));
496 if (arg_uid_shift == UID_INVALID)
497 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
498 "--private-users with automatic UID shift may not be combined with custom root mounts.");
499 }
500
501 return 0;
502 }
503
504 static int parse_capability_spec(const char *spec, uint64_t *ret_mask) {
505 uint64_t mask = 0;
506 int r;
507
508 for (;;) {
509 _cleanup_free_ char *t = NULL;
510
511 r = extract_first_word(&spec, &t, ",", 0);
512 if (r < 0)
513 return log_error_errno(r, "Failed to parse capability %s.", t);
514 if (r == 0)
515 break;
516
517 if (streq(t, "help")) {
518 for (int i = 0; i < capability_list_length(); i++) {
519 const char *name;
520
521 name = capability_to_name(i);
522 if (name)
523 puts(name);
524 }
525
526 return 0; /* quit */
527 }
528
529 if (streq(t, "all"))
530 mask = UINT64_MAX;
531 else {
532 r = capability_from_name(t);
533 if (r < 0)
534 return log_error_errno(r, "Failed to parse capability %s.", t);
535
536 mask |= 1ULL << r;
537 }
538 }
539
540 *ret_mask = mask;
541 return 1; /* continue */
542 }
543
544 static int parse_share_ns_env(const char *name, unsigned long ns_flag) {
545 int r;
546
547 r = getenv_bool(name);
548 if (r == -ENXIO)
549 return 0;
550 if (r < 0)
551 return log_error_errno(r, "Failed to parse $%s: %m", name);
552
553 arg_clone_ns_flags = (arg_clone_ns_flags & ~ns_flag) | (r > 0 ? 0 : ns_flag);
554 arg_settings_mask |= SETTING_CLONE_NS_FLAGS;
555 return 0;
556 }
557
558 static int parse_mount_settings_env(void) {
559 const char *e;
560 int r;
561
562 r = getenv_bool("SYSTEMD_NSPAWN_TMPFS_TMP");
563 if (r < 0 && r != -ENXIO)
564 return log_error_errno(r, "Failed to parse $SYSTEMD_NSPAWN_TMPFS_TMP: %m");
565 if (r >= 0)
566 SET_FLAG(arg_mount_settings, MOUNT_APPLY_TMPFS_TMP, r > 0);
567
568 e = getenv("SYSTEMD_NSPAWN_API_VFS_WRITABLE");
569 if (streq_ptr(e, "network"))
570 arg_mount_settings |= MOUNT_APPLY_APIVFS_RO|MOUNT_APPLY_APIVFS_NETNS;
571 else if (e) {
572 r = parse_boolean(e);
573 if (r < 0)
574 return log_error_errno(r, "Failed to parse $SYSTEMD_NSPAWN_API_VFS_WRITABLE: %m");
575
576 SET_FLAG(arg_mount_settings, MOUNT_APPLY_APIVFS_RO, r == 0);
577 SET_FLAG(arg_mount_settings, MOUNT_APPLY_APIVFS_NETNS, false);
578 }
579
580 return 0;
581 }
582
583 static int parse_environment(void) {
584 const char *e;
585 int r;
586
587 r = parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_IPC", CLONE_NEWIPC);
588 if (r < 0)
589 return r;
590 r = parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_PID", CLONE_NEWPID);
591 if (r < 0)
592 return r;
593 r = parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_UTS", CLONE_NEWUTS);
594 if (r < 0)
595 return r;
596 r = parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_SYSTEM", CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS);
597 if (r < 0)
598 return r;
599
600 r = parse_mount_settings_env();
601 if (r < 0)
602 return r;
603
604 /* SYSTEMD_NSPAWN_USE_CGNS=0 can be used to disable CLONE_NEWCGROUP use,
605 * even if it is supported. If not supported, it has no effect. */
606 if (!namespace_type_supported(NAMESPACE_CGROUP))
607 arg_use_cgns = false;
608 else {
609 r = getenv_bool("SYSTEMD_NSPAWN_USE_CGNS");
610 if (r < 0) {
611 if (r != -ENXIO)
612 return log_error_errno(r, "Failed to parse $SYSTEMD_NSPAWN_USE_CGNS: %m");
613
614 arg_use_cgns = true;
615 } else {
616 arg_use_cgns = r > 0;
617 arg_settings_mask |= SETTING_USE_CGNS;
618 }
619 }
620
621 e = getenv("SYSTEMD_NSPAWN_CONTAINER_SERVICE");
622 if (e)
623 arg_container_service_name = e;
624
625 e = getenv("SYSTEMD_NSPAWN_NETWORK_MAC");
626 if (e) {
627 r = parse_ether_addr(e, &arg_network_provided_mac);
628 if (r < 0)
629 return log_error_errno(r, "Failed to parse provided MAC address via environment variable");
630 }
631
632 r = getenv_bool("SYSTEMD_SUPPRESS_SYNC");
633 if (r >= 0)
634 arg_suppress_sync = r;
635 else if (r != -ENXIO)
636 log_debug_errno(r, "Failed to parse $SYSTEMD_SUPPRESS_SYNC, ignoring: %m");
637
638 return 0;
639 }
640
641 static int parse_argv(int argc, char *argv[]) {
642 enum {
643 ARG_VERSION = 0x100,
644 ARG_PRIVATE_NETWORK,
645 ARG_UUID,
646 ARG_READ_ONLY,
647 ARG_CAPABILITY,
648 ARG_AMBIENT_CAPABILITY,
649 ARG_DROP_CAPABILITY,
650 ARG_LINK_JOURNAL,
651 ARG_BIND,
652 ARG_BIND_RO,
653 ARG_TMPFS,
654 ARG_OVERLAY,
655 ARG_OVERLAY_RO,
656 ARG_INACCESSIBLE,
657 ARG_SHARE_SYSTEM,
658 ARG_REGISTER,
659 ARG_KEEP_UNIT,
660 ARG_NETWORK_INTERFACE,
661 ARG_NETWORK_MACVLAN,
662 ARG_NETWORK_IPVLAN,
663 ARG_NETWORK_BRIDGE,
664 ARG_NETWORK_ZONE,
665 ARG_NETWORK_VETH_EXTRA,
666 ARG_NETWORK_NAMESPACE_PATH,
667 ARG_PERSONALITY,
668 ARG_VOLATILE,
669 ARG_TEMPLATE,
670 ARG_PROPERTY,
671 ARG_PRIVATE_USERS,
672 ARG_KILL_SIGNAL,
673 ARG_SETTINGS,
674 ARG_CHDIR,
675 ARG_PIVOT_ROOT,
676 ARG_PRIVATE_USERS_CHOWN,
677 ARG_PRIVATE_USERS_OWNERSHIP,
678 ARG_NOTIFY_READY,
679 ARG_ROOT_HASH,
680 ARG_ROOT_HASH_SIG,
681 ARG_VERITY_DATA,
682 ARG_SYSTEM_CALL_FILTER,
683 ARG_RLIMIT,
684 ARG_HOSTNAME,
685 ARG_NO_NEW_PRIVILEGES,
686 ARG_OOM_SCORE_ADJUST,
687 ARG_CPU_AFFINITY,
688 ARG_RESOLV_CONF,
689 ARG_TIMEZONE,
690 ARG_CONSOLE,
691 ARG_PIPE,
692 ARG_OCI_BUNDLE,
693 ARG_NO_PAGER,
694 ARG_SET_CREDENTIAL,
695 ARG_LOAD_CREDENTIAL,
696 ARG_BIND_USER,
697 ARG_BIND_USER_SHELL,
698 ARG_SUPPRESS_SYNC,
699 ARG_IMAGE_POLICY,
700 ARG_BACKGROUND,
701 ARG_CLEANUP,
702 ARG_NO_ASK_PASSWORD,
703 };
704
705 static const struct option options[] = {
706 { "help", no_argument, NULL, 'h' },
707 { "version", no_argument, NULL, ARG_VERSION },
708 { "directory", required_argument, NULL, 'D' },
709 { "template", required_argument, NULL, ARG_TEMPLATE },
710 { "ephemeral", no_argument, NULL, 'x' },
711 { "user", required_argument, NULL, 'u' },
712 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
713 { "as-pid2", no_argument, NULL, 'a' },
714 { "boot", no_argument, NULL, 'b' },
715 { "uuid", required_argument, NULL, ARG_UUID },
716 { "read-only", no_argument, NULL, ARG_READ_ONLY },
717 { "capability", required_argument, NULL, ARG_CAPABILITY },
718 { "ambient-capability", required_argument, NULL, ARG_AMBIENT_CAPABILITY },
719 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
720 { "no-new-privileges", required_argument, NULL, ARG_NO_NEW_PRIVILEGES },
721 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
722 { "bind", required_argument, NULL, ARG_BIND },
723 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
724 { "tmpfs", required_argument, NULL, ARG_TMPFS },
725 { "overlay", required_argument, NULL, ARG_OVERLAY },
726 { "overlay-ro", required_argument, NULL, ARG_OVERLAY_RO },
727 { "inaccessible", required_argument, NULL, ARG_INACCESSIBLE },
728 { "machine", required_argument, NULL, 'M' },
729 { "hostname", required_argument, NULL, ARG_HOSTNAME },
730 { "slice", required_argument, NULL, 'S' },
731 { "setenv", required_argument, NULL, 'E' },
732 { "selinux-context", required_argument, NULL, 'Z' },
733 { "selinux-apifs-context", required_argument, NULL, 'L' },
734 { "quiet", no_argument, NULL, 'q' },
735 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM }, /* not documented */
736 { "register", required_argument, NULL, ARG_REGISTER },
737 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
738 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
739 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
740 { "network-ipvlan", required_argument, NULL, ARG_NETWORK_IPVLAN },
741 { "network-veth", no_argument, NULL, 'n' },
742 { "network-veth-extra", required_argument, NULL, ARG_NETWORK_VETH_EXTRA },
743 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
744 { "network-zone", required_argument, NULL, ARG_NETWORK_ZONE },
745 { "network-namespace-path", required_argument, NULL, ARG_NETWORK_NAMESPACE_PATH },
746 { "personality", required_argument, NULL, ARG_PERSONALITY },
747 { "image", required_argument, NULL, 'i' },
748 { "volatile", optional_argument, NULL, ARG_VOLATILE },
749 { "port", required_argument, NULL, 'p' },
750 { "property", required_argument, NULL, ARG_PROPERTY },
751 { "private-users", optional_argument, NULL, ARG_PRIVATE_USERS },
752 { "private-users-chown", optional_argument, NULL, ARG_PRIVATE_USERS_CHOWN }, /* obsolete */
753 { "private-users-ownership",required_argument, NULL, ARG_PRIVATE_USERS_OWNERSHIP},
754 { "kill-signal", required_argument, NULL, ARG_KILL_SIGNAL },
755 { "settings", required_argument, NULL, ARG_SETTINGS },
756 { "chdir", required_argument, NULL, ARG_CHDIR },
757 { "pivot-root", required_argument, NULL, ARG_PIVOT_ROOT },
758 { "notify-ready", required_argument, NULL, ARG_NOTIFY_READY },
759 { "root-hash", required_argument, NULL, ARG_ROOT_HASH },
760 { "root-hash-sig", required_argument, NULL, ARG_ROOT_HASH_SIG },
761 { "verity-data", required_argument, NULL, ARG_VERITY_DATA },
762 { "system-call-filter", required_argument, NULL, ARG_SYSTEM_CALL_FILTER },
763 { "rlimit", required_argument, NULL, ARG_RLIMIT },
764 { "oom-score-adjust", required_argument, NULL, ARG_OOM_SCORE_ADJUST },
765 { "cpu-affinity", required_argument, NULL, ARG_CPU_AFFINITY },
766 { "resolv-conf", required_argument, NULL, ARG_RESOLV_CONF },
767 { "timezone", required_argument, NULL, ARG_TIMEZONE },
768 { "console", required_argument, NULL, ARG_CONSOLE },
769 { "pipe", no_argument, NULL, ARG_PIPE },
770 { "oci-bundle", required_argument, NULL, ARG_OCI_BUNDLE },
771 { "no-pager", no_argument, NULL, ARG_NO_PAGER },
772 { "set-credential", required_argument, NULL, ARG_SET_CREDENTIAL },
773 { "load-credential", required_argument, NULL, ARG_LOAD_CREDENTIAL },
774 { "bind-user", required_argument, NULL, ARG_BIND_USER },
775 { "bind-user-shell", required_argument, NULL, ARG_BIND_USER_SHELL },
776 { "suppress-sync", required_argument, NULL, ARG_SUPPRESS_SYNC },
777 { "image-policy", required_argument, NULL, ARG_IMAGE_POLICY },
778 { "background", required_argument, NULL, ARG_BACKGROUND },
779 { "cleanup", no_argument, NULL, ARG_CLEANUP },
780 { "no-ask-password", no_argument, NULL, ARG_NO_ASK_PASSWORD },
781 {}
782 };
783
784 int c, r;
785 uint64_t plus = 0, minus = 0;
786 bool mask_all_settings = false, mask_no_settings = false;
787
788 assert(argc >= 0);
789 assert(argv);
790
791 /* Resetting to 0 forces the invocation of an internal initialization routine of getopt_long()
792 * that checks for GNU extensions in optstring ('-' or '+' at the beginning). */
793 optind = 0;
794 while ((c = getopt_long(argc, argv, "+hD:u:abL:M:jS:Z:qi:xp:nUE:P", options, NULL)) >= 0)
795 switch (c) {
796
797 case 'h':
798 return help();
799
800 case ARG_VERSION:
801 return version();
802
803 case 'D':
804 r = parse_path_argument(optarg, false, &arg_directory);
805 if (r < 0)
806 return r;
807
808 arg_settings_mask |= SETTING_DIRECTORY;
809 break;
810
811 case ARG_TEMPLATE:
812 r = parse_path_argument(optarg, false, &arg_template);
813 if (r < 0)
814 return r;
815
816 arg_settings_mask |= SETTING_DIRECTORY;
817 break;
818
819 case 'i':
820 r = parse_path_argument(optarg, false, &arg_image);
821 if (r < 0)
822 return r;
823
824 arg_settings_mask |= SETTING_DIRECTORY;
825 break;
826
827 case ARG_OCI_BUNDLE:
828 r = parse_path_argument(optarg, false, &arg_oci_bundle);
829 if (r < 0)
830 return r;
831
832 break;
833
834 case 'x':
835 arg_ephemeral = true;
836 arg_settings_mask |= SETTING_EPHEMERAL;
837 break;
838
839 case 'u':
840 r = free_and_strdup(&arg_user, optarg);
841 if (r < 0)
842 return log_oom();
843
844 arg_settings_mask |= SETTING_USER;
845 break;
846
847 case ARG_NETWORK_ZONE: {
848 _cleanup_free_ char *j = NULL;
849
850 j = strjoin("vz-", optarg);
851 if (!j)
852 return log_oom();
853
854 if (!ifname_valid(j))
855 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
856 "Network zone name not valid: %s", j);
857
858 free_and_replace(arg_network_zone, j);
859
860 arg_network_veth = true;
861 arg_private_network = true;
862 arg_settings_mask |= SETTING_NETWORK;
863 break;
864 }
865
866 case ARG_NETWORK_BRIDGE:
867
868 if (!ifname_valid(optarg))
869 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
870 "Bridge interface name not valid: %s", optarg);
871
872 r = free_and_strdup(&arg_network_bridge, optarg);
873 if (r < 0)
874 return log_oom();
875
876 _fallthrough_;
877 case 'n':
878 arg_network_veth = true;
879 arg_private_network = true;
880 arg_settings_mask |= SETTING_NETWORK;
881 break;
882
883 case ARG_NETWORK_VETH_EXTRA:
884 r = veth_extra_parse(&arg_network_veth_extra, optarg);
885 if (r < 0)
886 return log_error_errno(r, "Failed to parse --network-veth-extra= parameter: %s", optarg);
887
888 arg_private_network = true;
889 arg_settings_mask |= SETTING_NETWORK;
890 break;
891
892 case ARG_NETWORK_INTERFACE:
893 r = interface_pair_parse(&arg_network_interfaces, optarg);
894 if (r < 0)
895 return r;
896
897 arg_private_network = true;
898 arg_settings_mask |= SETTING_NETWORK;
899 break;
900
901 case ARG_NETWORK_MACVLAN:
902 r = macvlan_pair_parse(&arg_network_macvlan, optarg);
903 if (r < 0)
904 return r;
905
906 arg_private_network = true;
907 arg_settings_mask |= SETTING_NETWORK;
908 break;
909
910 case ARG_NETWORK_IPVLAN:
911 r = ipvlan_pair_parse(&arg_network_ipvlan, optarg);
912 if (r < 0)
913 return r;
914
915 _fallthrough_;
916 case ARG_PRIVATE_NETWORK:
917 arg_private_network = true;
918 arg_settings_mask |= SETTING_NETWORK;
919 break;
920
921 case ARG_NETWORK_NAMESPACE_PATH:
922 r = parse_path_argument(optarg, false, &arg_network_namespace_path);
923 if (r < 0)
924 return r;
925
926 arg_settings_mask |= SETTING_NETWORK;
927 break;
928
929 case 'b':
930 if (arg_start_mode == START_PID2)
931 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
932 "--boot and --as-pid2 may not be combined.");
933
934 arg_start_mode = START_BOOT;
935 arg_settings_mask |= SETTING_START_MODE;
936 break;
937
938 case 'a':
939 if (arg_start_mode == START_BOOT)
940 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
941 "--boot and --as-pid2 may not be combined.");
942
943 arg_start_mode = START_PID2;
944 arg_settings_mask |= SETTING_START_MODE;
945 break;
946
947 case ARG_UUID:
948 r = id128_from_string_nonzero(optarg, &arg_uuid);
949 if (r == -ENXIO)
950 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
951 "Machine UUID may not be all zeroes.");
952 if (r < 0)
953 return log_error_errno(r, "Invalid UUID: %s", optarg);
954
955 arg_settings_mask |= SETTING_MACHINE_ID;
956 break;
957
958 case 'S': {
959 _cleanup_free_ char *mangled = NULL;
960
961 r = unit_name_mangle_with_suffix(optarg, NULL, UNIT_NAME_MANGLE_WARN, ".slice", &mangled);
962 if (r < 0)
963 return log_oom();
964
965 free_and_replace(arg_slice, mangled);
966 arg_settings_mask |= SETTING_SLICE;
967 break;
968 }
969
970 case 'M':
971 if (isempty(optarg))
972 arg_machine = mfree(arg_machine);
973 else {
974 if (!hostname_is_valid(optarg, 0))
975 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
976 "Invalid machine name: %s", optarg);
977
978 r = free_and_strdup(&arg_machine, optarg);
979 if (r < 0)
980 return log_oom();
981 }
982 break;
983
984 case ARG_HOSTNAME:
985 if (isempty(optarg))
986 arg_hostname = mfree(arg_hostname);
987 else {
988 if (!hostname_is_valid(optarg, 0))
989 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
990 "Invalid hostname: %s", optarg);
991
992 r = free_and_strdup(&arg_hostname, optarg);
993 if (r < 0)
994 return log_oom();
995 }
996
997 arg_settings_mask |= SETTING_HOSTNAME;
998 break;
999
1000 case 'Z':
1001 arg_selinux_context = optarg;
1002 break;
1003
1004 case 'L':
1005 arg_selinux_apifs_context = optarg;
1006 break;
1007
1008 case ARG_READ_ONLY:
1009 arg_read_only = true;
1010 arg_settings_mask |= SETTING_READ_ONLY;
1011 break;
1012
1013 case ARG_AMBIENT_CAPABILITY: {
1014 uint64_t m;
1015 r = parse_capability_spec(optarg, &m);
1016 if (r <= 0)
1017 return r;
1018 arg_caps_ambient |= m;
1019 arg_settings_mask |= SETTING_CAPABILITY;
1020 break;
1021 }
1022 case ARG_CAPABILITY:
1023 case ARG_DROP_CAPABILITY: {
1024 uint64_t m;
1025 r = parse_capability_spec(optarg, &m);
1026 if (r <= 0)
1027 return r;
1028
1029 if (c == ARG_CAPABILITY)
1030 plus |= m;
1031 else
1032 minus |= m;
1033 arg_settings_mask |= SETTING_CAPABILITY;
1034 break;
1035 }
1036 case ARG_NO_NEW_PRIVILEGES:
1037 r = parse_boolean_argument("--no-new-privileges=", optarg, &arg_no_new_privileges);
1038 if (r < 0)
1039 return r;
1040
1041 arg_settings_mask |= SETTING_NO_NEW_PRIVILEGES;
1042 break;
1043
1044 case 'j':
1045 arg_link_journal = LINK_GUEST;
1046 arg_link_journal_try = true;
1047 arg_settings_mask |= SETTING_LINK_JOURNAL;
1048 break;
1049
1050 case ARG_LINK_JOURNAL:
1051 r = parse_link_journal(optarg, &arg_link_journal, &arg_link_journal_try);
1052 if (r < 0)
1053 return log_error_errno(r, "Failed to parse link journal mode %s", optarg);
1054
1055 arg_settings_mask |= SETTING_LINK_JOURNAL;
1056 break;
1057
1058 case ARG_BIND:
1059 case ARG_BIND_RO:
1060 r = bind_mount_parse(&arg_custom_mounts, &arg_n_custom_mounts, optarg, c == ARG_BIND_RO);
1061 if (r < 0)
1062 return log_error_errno(r, "Failed to parse --bind(-ro)= argument %s: %m", optarg);
1063
1064 arg_settings_mask |= SETTING_CUSTOM_MOUNTS;
1065 break;
1066
1067 case ARG_TMPFS:
1068 r = tmpfs_mount_parse(&arg_custom_mounts, &arg_n_custom_mounts, optarg);
1069 if (r < 0)
1070 return log_error_errno(r, "Failed to parse --tmpfs= argument %s: %m", optarg);
1071
1072 arg_settings_mask |= SETTING_CUSTOM_MOUNTS;
1073 break;
1074
1075 case ARG_OVERLAY:
1076 case ARG_OVERLAY_RO:
1077 r = overlay_mount_parse(&arg_custom_mounts, &arg_n_custom_mounts, optarg, c == ARG_OVERLAY_RO);
1078 if (r == -EADDRNOTAVAIL)
1079 return log_error_errno(r, "--overlay(-ro)= needs at least two colon-separated directories specified.");
1080 if (r < 0)
1081 return log_error_errno(r, "Failed to parse --overlay(-ro)= argument %s: %m", optarg);
1082
1083 arg_settings_mask |= SETTING_CUSTOM_MOUNTS;
1084 break;
1085
1086 case ARG_INACCESSIBLE:
1087 r = inaccessible_mount_parse(&arg_custom_mounts, &arg_n_custom_mounts, optarg);
1088 if (r < 0)
1089 return log_error_errno(r, "Failed to parse --inaccessible= argument %s: %m", optarg);
1090
1091 arg_settings_mask |= SETTING_CUSTOM_MOUNTS;
1092 break;
1093
1094 case 'E':
1095 r = strv_env_replace_strdup_passthrough(&arg_setenv, optarg);
1096 if (r < 0)
1097 return log_error_errno(r, "Cannot assign environment variable %s: %m", optarg);
1098
1099 arg_settings_mask |= SETTING_ENVIRONMENT;
1100 break;
1101
1102 case 'q':
1103 arg_quiet = true;
1104 break;
1105
1106 case ARG_SHARE_SYSTEM:
1107 /* We don't officially support this anymore, except for compat reasons. People should use the
1108 * $SYSTEMD_NSPAWN_SHARE_* environment variables instead. */
1109 log_warning("Please do not use --share-system anymore, use $SYSTEMD_NSPAWN_SHARE_* instead.");
1110 arg_clone_ns_flags = 0;
1111 break;
1112
1113 case ARG_REGISTER:
1114 r = parse_boolean_argument("--register=", optarg, &arg_register);
1115 if (r < 0)
1116 return r;
1117
1118 break;
1119
1120 case ARG_KEEP_UNIT:
1121 arg_keep_unit = true;
1122 break;
1123
1124 case ARG_PERSONALITY:
1125
1126 arg_personality = personality_from_string(optarg);
1127 if (arg_personality == PERSONALITY_INVALID)
1128 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1129 "Unknown or unsupported personality '%s'.", optarg);
1130
1131 arg_settings_mask |= SETTING_PERSONALITY;
1132 break;
1133
1134 case ARG_VOLATILE:
1135
1136 if (!optarg)
1137 arg_volatile_mode = VOLATILE_YES;
1138 else if (streq(optarg, "help")) {
1139 DUMP_STRING_TABLE(volatile_mode, VolatileMode, _VOLATILE_MODE_MAX);
1140 return 0;
1141 } else {
1142 VolatileMode m;
1143
1144 m = volatile_mode_from_string(optarg);
1145 if (m < 0)
1146 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1147 "Failed to parse --volatile= argument: %s", optarg);
1148 else
1149 arg_volatile_mode = m;
1150 }
1151
1152 arg_settings_mask |= SETTING_VOLATILE_MODE;
1153 break;
1154
1155 case 'p':
1156 r = expose_port_parse(&arg_expose_ports, optarg);
1157 if (r == -EEXIST)
1158 return log_error_errno(r, "Duplicate port specification: %s", optarg);
1159 if (r < 0)
1160 return log_error_errno(r, "Failed to parse host port %s: %m", optarg);
1161
1162 arg_settings_mask |= SETTING_EXPOSE_PORTS;
1163 break;
1164
1165 case ARG_PROPERTY:
1166 if (strv_extend(&arg_property, optarg) < 0)
1167 return log_oom();
1168
1169 break;
1170
1171 case ARG_PRIVATE_USERS: {
1172 int boolean;
1173
1174 if (!optarg)
1175 boolean = true;
1176 else if (!in_charset(optarg, DIGITS))
1177 /* do *not* parse numbers as booleans */
1178 boolean = parse_boolean(optarg);
1179 else
1180 boolean = -1;
1181
1182 if (boolean == 0) {
1183 /* no: User namespacing off */
1184 arg_userns_mode = USER_NAMESPACE_NO;
1185 arg_uid_shift = UID_INVALID;
1186 arg_uid_range = UINT32_C(0x10000);
1187 } else if (boolean > 0) {
1188 /* yes: User namespacing on, UID range is read from root dir */
1189 arg_userns_mode = USER_NAMESPACE_FIXED;
1190 arg_uid_shift = UID_INVALID;
1191 arg_uid_range = UINT32_C(0x10000);
1192 } else if (streq(optarg, "pick")) {
1193 /* pick: User namespacing on, UID range is picked randomly */
1194 arg_userns_mode = USER_NAMESPACE_PICK; /* Note that arg_userns_ownership is
1195 * implied by USER_NAMESPACE_PICK
1196 * further down. */
1197 arg_uid_shift = UID_INVALID;
1198 arg_uid_range = UINT32_C(0x10000);
1199
1200 } else if (streq(optarg, "identity")) {
1201 /* identity: User namespaces on, UID range is map of the 0…0xFFFF range to
1202 * itself, i.e. we don't actually map anything, but do take benefit of
1203 * isolation of capability sets. */
1204 arg_userns_mode = USER_NAMESPACE_FIXED;
1205 arg_uid_shift = 0;
1206 arg_uid_range = UINT32_C(0x10000);
1207 } else if (streq(optarg, "managed")) {
1208 /* managed: User namespace on, and acquire it from systemd-nsresourced */
1209 arg_userns_mode = USER_NAMESPACE_MANAGED;
1210 arg_uid_shift = UID_INVALID;
1211 arg_uid_range = UINT32_C(0x10000);
1212 } else {
1213 /* anything else: User namespacing on, UID range is explicitly configured */
1214 r = parse_userns_uid_range(optarg, &arg_uid_shift, &arg_uid_range);
1215 if (r < 0)
1216 return r;
1217 arg_userns_mode = USER_NAMESPACE_FIXED;
1218 }
1219
1220 arg_settings_mask |= SETTING_USERNS;
1221 break;
1222 }
1223
1224 case 'U':
1225 if (userns_supported()) {
1226 /* Note that arg_userns_ownership is implied by USER_NAMESPACE_PICK further down. */
1227 arg_userns_mode = arg_privileged ? USER_NAMESPACE_PICK : USER_NAMESPACE_MANAGED;
1228 arg_uid_shift = UID_INVALID;
1229 arg_uid_range = UINT32_C(0x10000);
1230
1231 arg_settings_mask |= SETTING_USERNS;
1232 }
1233
1234 break;
1235
1236 case ARG_PRIVATE_USERS_CHOWN:
1237 arg_userns_ownership = USER_NAMESPACE_OWNERSHIP_CHOWN;
1238
1239 arg_settings_mask |= SETTING_USERNS;
1240 break;
1241
1242 case ARG_PRIVATE_USERS_OWNERSHIP:
1243 if (streq(optarg, "help")) {
1244 DUMP_STRING_TABLE(user_namespace_ownership, UserNamespaceOwnership, _USER_NAMESPACE_OWNERSHIP_MAX);
1245 return 0;
1246 }
1247
1248 arg_userns_ownership = user_namespace_ownership_from_string(optarg);
1249 if (arg_userns_ownership < 0)
1250 return log_error_errno(arg_userns_ownership, "Cannot parse --user-namespace-ownership= value: %s", optarg);
1251
1252 arg_settings_mask |= SETTING_USERNS;
1253 break;
1254
1255 case ARG_KILL_SIGNAL:
1256 if (streq(optarg, "help")) {
1257 DUMP_STRING_TABLE(signal, int, _NSIG);
1258 return 0;
1259 }
1260
1261 arg_kill_signal = signal_from_string(optarg);
1262 if (arg_kill_signal < 0)
1263 return log_error_errno(arg_kill_signal, "Cannot parse signal: %s", optarg);
1264
1265 arg_settings_mask |= SETTING_KILL_SIGNAL;
1266 break;
1267
1268 case ARG_SETTINGS:
1269
1270 /* no → do not read files
1271 * yes → read files, do not override cmdline, trust only subset
1272 * override → read files, override cmdline, trust only subset
1273 * trusted → read files, do not override cmdline, trust all
1274 */
1275
1276 r = parse_boolean(optarg);
1277 if (r < 0) {
1278 if (streq(optarg, "trusted")) {
1279 mask_all_settings = false;
1280 mask_no_settings = false;
1281 arg_settings_trusted = true;
1282
1283 } else if (streq(optarg, "override")) {
1284 mask_all_settings = false;
1285 mask_no_settings = true;
1286 arg_settings_trusted = -1;
1287 } else
1288 return log_error_errno(r, "Failed to parse --settings= argument: %s", optarg);
1289 } else if (r > 0) {
1290 /* yes */
1291 mask_all_settings = false;
1292 mask_no_settings = false;
1293 arg_settings_trusted = -1;
1294 } else {
1295 /* no */
1296 mask_all_settings = true;
1297 mask_no_settings = false;
1298 arg_settings_trusted = false;
1299 }
1300
1301 break;
1302
1303 case ARG_CHDIR: {
1304 _cleanup_free_ char *wd = NULL;
1305
1306 if (!path_is_absolute(optarg))
1307 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1308 "Working directory %s is not an absolute path.", optarg);
1309
1310 r = path_simplify_alloc(optarg, &wd);
1311 if (r < 0)
1312 return log_error_errno(r, "Failed to simplify path %s: %m", optarg);
1313
1314 if (!path_is_normalized(wd))
1315 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Working directory path is not normalized: %s", wd);
1316
1317 if (path_below_api_vfs(wd))
1318 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Working directory is below API VFS, refusing: %s", wd);
1319
1320 free_and_replace(arg_chdir, wd);
1321 arg_settings_mask |= SETTING_WORKING_DIRECTORY;
1322 break;
1323 }
1324
1325 case ARG_PIVOT_ROOT:
1326 r = pivot_root_parse(&arg_pivot_root_new, &arg_pivot_root_old, optarg);
1327 if (r < 0)
1328 return log_error_errno(r, "Failed to parse --pivot-root= argument %s: %m", optarg);
1329
1330 arg_settings_mask |= SETTING_PIVOT_ROOT;
1331 break;
1332
1333 case ARG_NOTIFY_READY:
1334 r = parse_boolean_argument("--notify-ready=", optarg, &arg_notify_ready);
1335 if (r < 0)
1336 return r;
1337
1338 arg_settings_mask |= SETTING_NOTIFY_READY;
1339 break;
1340
1341 case ARG_ROOT_HASH: {
1342 _cleanup_free_ void *k = NULL;
1343 size_t l;
1344
1345 r = unhexmem(optarg, &k, &l);
1346 if (r < 0)
1347 return log_error_errno(r, "Failed to parse root hash: %s", optarg);
1348 if (l < sizeof(sd_id128_t))
1349 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Root hash must be at least 128-bit long: %s", optarg);
1350
1351 free_and_replace(arg_verity_settings.root_hash, k);
1352 arg_verity_settings.root_hash_size = l;
1353 break;
1354 }
1355
1356 case ARG_ROOT_HASH_SIG: {
1357 char *value;
1358 size_t l;
1359 void *p;
1360
1361 if ((value = startswith(optarg, "base64:"))) {
1362 r = unbase64mem(value, &p, &l);
1363 if (r < 0)
1364 return log_error_errno(r, "Failed to parse root hash signature '%s': %m", optarg);
1365
1366 } else {
1367 r = read_full_file(optarg, (char**) &p, &l);
1368 if (r < 0)
1369 return log_error_errno(r, "Failed parse root hash signature file '%s': %m", optarg);
1370 }
1371
1372 free_and_replace(arg_verity_settings.root_hash_sig, p);
1373 arg_verity_settings.root_hash_sig_size = l;
1374 break;
1375 }
1376
1377 case ARG_VERITY_DATA:
1378 r = parse_path_argument(optarg, false, &arg_verity_settings.data_path);
1379 if (r < 0)
1380 return r;
1381 break;
1382
1383 case ARG_SYSTEM_CALL_FILTER: {
1384 bool negative;
1385 const char *items;
1386
1387 negative = optarg[0] == '~';
1388 items = negative ? optarg + 1 : optarg;
1389
1390 for (;;) {
1391 _cleanup_free_ char *word = NULL;
1392
1393 r = extract_first_word(&items, &word, NULL, 0);
1394 if (r == 0)
1395 break;
1396 if (r == -ENOMEM)
1397 return log_oom();
1398 if (r < 0)
1399 return log_error_errno(r, "Failed to parse system call filter: %m");
1400
1401 if (negative)
1402 r = strv_extend(&arg_syscall_deny_list, word);
1403 else
1404 r = strv_extend(&arg_syscall_allow_list, word);
1405 if (r < 0)
1406 return log_oom();
1407 }
1408
1409 arg_settings_mask |= SETTING_SYSCALL_FILTER;
1410 break;
1411 }
1412
1413 case ARG_RLIMIT: {
1414 const char *eq;
1415 _cleanup_free_ char *name = NULL;
1416 int rl;
1417
1418 if (streq(optarg, "help")) {
1419 DUMP_STRING_TABLE(rlimit, int, _RLIMIT_MAX);
1420 return 0;
1421 }
1422
1423 eq = strchr(optarg, '=');
1424 if (!eq)
1425 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1426 "--rlimit= expects an '=' assignment.");
1427
1428 name = strndup(optarg, eq - optarg);
1429 if (!name)
1430 return log_oom();
1431
1432 rl = rlimit_from_string_harder(name);
1433 if (rl < 0)
1434 return log_error_errno(rl, "Unknown resource limit: %s", name);
1435
1436 if (!arg_rlimit[rl]) {
1437 arg_rlimit[rl] = new0(struct rlimit, 1);
1438 if (!arg_rlimit[rl])
1439 return log_oom();
1440 }
1441
1442 r = rlimit_parse(rl, eq + 1, arg_rlimit[rl]);
1443 if (r < 0)
1444 return log_error_errno(r, "Failed to parse resource limit: %s", eq + 1);
1445
1446 arg_settings_mask |= SETTING_RLIMIT_FIRST << rl;
1447 break;
1448 }
1449
1450 case ARG_OOM_SCORE_ADJUST:
1451 r = parse_oom_score_adjust(optarg, &arg_oom_score_adjust);
1452 if (r < 0)
1453 return log_error_errno(r, "Failed to parse --oom-score-adjust= parameter: %s", optarg);
1454
1455 arg_oom_score_adjust_set = true;
1456 arg_settings_mask |= SETTING_OOM_SCORE_ADJUST;
1457 break;
1458
1459 case ARG_CPU_AFFINITY: {
1460 CPUSet cpuset;
1461
1462 r = parse_cpu_set(optarg, &cpuset);
1463 if (r < 0)
1464 return log_error_errno(r, "Failed to parse CPU affinity mask %s: %m", optarg);
1465
1466 cpu_set_done_and_replace(arg_cpu_set, cpuset);
1467 arg_settings_mask |= SETTING_CPU_AFFINITY;
1468 break;
1469 }
1470
1471 case ARG_RESOLV_CONF:
1472 if (streq(optarg, "help")) {
1473 DUMP_STRING_TABLE(resolv_conf_mode, ResolvConfMode, _RESOLV_CONF_MODE_MAX);
1474 return 0;
1475 }
1476
1477 arg_resolv_conf = resolv_conf_mode_from_string(optarg);
1478 if (arg_resolv_conf < 0)
1479 return log_error_errno(arg_resolv_conf,
1480 "Failed to parse /etc/resolv.conf mode: %s", optarg);
1481
1482 arg_settings_mask |= SETTING_RESOLV_CONF;
1483 break;
1484
1485 case ARG_TIMEZONE:
1486 if (streq(optarg, "help")) {
1487 DUMP_STRING_TABLE(timezone_mode, TimezoneMode, _TIMEZONE_MODE_MAX);
1488 return 0;
1489 }
1490
1491 arg_timezone = timezone_mode_from_string(optarg);
1492 if (arg_timezone < 0)
1493 return log_error_errno(arg_timezone,
1494 "Failed to parse /etc/localtime mode: %s", optarg);
1495
1496 arg_settings_mask |= SETTING_TIMEZONE;
1497 break;
1498
1499 case ARG_CONSOLE:
1500 r = handle_arg_console(optarg);
1501 if (r <= 0)
1502 return r;
1503 break;
1504
1505 case 'P':
1506 case ARG_PIPE:
1507 r = handle_arg_console("pipe");
1508 if (r <= 0)
1509 return r;
1510 break;
1511
1512 case ARG_NO_PAGER:
1513 arg_pager_flags |= PAGER_DISABLE;
1514 break;
1515
1516 case ARG_SET_CREDENTIAL:
1517 r = machine_credential_set(&arg_credentials, optarg);
1518 if (r < 0)
1519 return r;
1520
1521 arg_settings_mask |= SETTING_CREDENTIALS;
1522 break;
1523
1524 case ARG_LOAD_CREDENTIAL:
1525 r = machine_credential_load(&arg_credentials, optarg);
1526 if (r < 0)
1527 return r;
1528
1529 arg_settings_mask |= SETTING_CREDENTIALS;
1530 break;
1531
1532 case ARG_BIND_USER:
1533 if (!valid_user_group_name(optarg, 0))
1534 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid user name to bind: %s", optarg);
1535
1536 if (strv_extend(&arg_bind_user, optarg) < 0)
1537 return log_oom();
1538
1539 arg_settings_mask |= SETTING_BIND_USER;
1540 break;
1541
1542 case ARG_BIND_USER_SHELL: {
1543 bool copy = false;
1544 char *sh = NULL;
1545 r = parse_user_shell(optarg, &sh, &copy);
1546 if (r == -ENOMEM)
1547 return log_oom();
1548 if (r < 0)
1549 return log_error_errno(r, "Invalid user shell to bind: %s", optarg);
1550
1551 free_and_replace(arg_bind_user_shell, sh);
1552 arg_bind_user_shell_copy = copy;
1553
1554 arg_settings_mask |= SETTING_BIND_USER_SHELL;
1555 break;
1556 }
1557
1558 case ARG_SUPPRESS_SYNC:
1559 r = parse_boolean_argument("--suppress-sync=", optarg, &arg_suppress_sync);
1560 if (r < 0)
1561 return r;
1562
1563 arg_settings_mask |= SETTING_SUPPRESS_SYNC;
1564 break;
1565
1566 case ARG_IMAGE_POLICY:
1567 r = parse_image_policy_argument(optarg, &arg_image_policy);
1568 if (r < 0)
1569 return r;
1570 break;
1571
1572 case ARG_BACKGROUND:
1573 r = free_and_strdup_warn(&arg_background, optarg);
1574 if (r < 0)
1575 return r;
1576 break;
1577
1578 case ARG_CLEANUP:
1579 arg_cleanup = true;
1580 break;
1581
1582 case ARG_NO_ASK_PASSWORD:
1583 arg_ask_password = false;
1584 break;
1585
1586 case '?':
1587 return -EINVAL;
1588
1589 default:
1590 assert_not_reached();
1591 }
1592
1593 if (argc > optind) {
1594 strv_free(arg_parameters);
1595 arg_parameters = strv_copy(argv + optind);
1596 if (!arg_parameters)
1597 return log_oom();
1598
1599 arg_settings_mask |= SETTING_START_MODE;
1600 }
1601
1602 if (arg_ephemeral && arg_template && !arg_directory)
1603 /* User asked for ephemeral execution but specified --template= instead of --directory=. Semantically
1604 * such an invocation makes some sense, see https://github.com/systemd/systemd/issues/3667. Let's
1605 * accept this here, and silently make "--ephemeral --template=" equivalent to "--ephemeral
1606 * --directory=". */
1607 arg_directory = TAKE_PTR(arg_template);
1608
1609 arg_caps_retain |= plus;
1610 arg_caps_retain |= arg_private_network ? UINT64_C(1) << CAP_NET_ADMIN : 0;
1611 arg_caps_retain &= ~minus;
1612
1613 /* Make sure to parse environment before we reset the settings mask below */
1614 r = parse_environment();
1615 if (r < 0)
1616 return r;
1617
1618 /* Load all settings from .nspawn files */
1619 if (mask_no_settings)
1620 arg_settings_mask = 0;
1621
1622 /* Don't load any settings from .nspawn files */
1623 if (mask_all_settings)
1624 arg_settings_mask = _SETTINGS_MASK_ALL;
1625
1626 return 1;
1627 }
1628
1629 static int verify_arguments(void) {
1630 int r;
1631
1632 SET_FLAG(arg_mount_settings, MOUNT_UNMANAGED, arg_userns_mode != USER_NAMESPACE_MANAGED);
1633
1634 /* We can mount selinuxfs only if we are privileged and can do so before userns. In managed mode we
1635 * have to enter the userns earlier, hence cannot do that. */
1636 /* SET_FLAG(arg_mount_settings, MOUNT_PRIVILEGED, arg_privileged); */
1637 SET_FLAG(arg_mount_settings, MOUNT_PRIVILEGED, arg_userns_mode != USER_NAMESPACE_MANAGED);
1638
1639 SET_FLAG(arg_mount_settings, MOUNT_USE_USERNS, arg_userns_mode != USER_NAMESPACE_NO);
1640
1641 if (arg_private_network)
1642 SET_FLAG(arg_mount_settings, MOUNT_APPLY_APIVFS_NETNS, arg_private_network);
1643
1644 if (!arg_privileged && arg_userns_mode != USER_NAMESPACE_MANAGED)
1645 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unprivileged operation requires managed user namespaces, as otherwise no UID range can be acquired.");
1646
1647 if (arg_userns_mode == USER_NAMESPACE_MANAGED && !arg_private_network)
1648 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Managed user namespace operation requires private networking, as otherwise /sys/ may not be mounted.");
1649
1650 if (!(arg_clone_ns_flags & CLONE_NEWPID) ||
1651 !(arg_clone_ns_flags & CLONE_NEWUTS)) {
1652 arg_register = false;
1653 if (arg_start_mode != START_PID1)
1654 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--boot cannot be used without namespacing.");
1655 }
1656
1657 if (arg_userns_ownership < 0)
1658 arg_userns_ownership =
1659 IN_SET(arg_userns_mode, USER_NAMESPACE_PICK, USER_NAMESPACE_MANAGED) ? USER_NAMESPACE_OWNERSHIP_AUTO : USER_NAMESPACE_OWNERSHIP_OFF;
1660
1661 if (arg_start_mode == START_BOOT && arg_kill_signal <= 0)
1662 arg_kill_signal = SIGRTMIN+3;
1663
1664 if (arg_volatile_mode != VOLATILE_NO) /* Make sure all file systems contained in the image are mounted read-only if we are in volatile mode */
1665 arg_read_only = true;
1666
1667 if (has_custom_root_mount(arg_custom_mounts, arg_n_custom_mounts))
1668 arg_read_only = true;
1669
1670 if (arg_directory && arg_image)
1671 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--directory= and --image= may not be combined.");
1672
1673 if (arg_template && arg_image)
1674 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--template= and --image= may not be combined.");
1675
1676 if (arg_template && !(arg_directory || arg_machine))
1677 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--template= needs --directory= or --machine=.");
1678
1679 if (arg_ephemeral && arg_template)
1680 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--ephemeral and --template= may not be combined.");
1681
1682 /* Permit --ephemeral with --link-journal=try-* to satisfy principle of the least astonishment
1683 * (by common sense, "try" means "do not fail if not possible") */
1684 if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO) && !arg_link_journal_try)
1685 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--ephemeral and --link-journal={host,guest} may not be combined.");
1686
1687 if (arg_userns_mode != USER_NAMESPACE_NO && !userns_supported())
1688 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "--private-users= is not supported, kernel compiled without user namespace support.");
1689
1690 if (arg_userns_ownership == USER_NAMESPACE_OWNERSHIP_CHOWN && arg_read_only)
1691 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1692 "--read-only and --private-users-ownership=chown may not be combined.");
1693
1694 /* We don't support --private-users-ownership=chown together with any of the volatile modes since we
1695 * couldn't change the read-only part of the tree (i.e. /usr) anyway, or because it would trigger a
1696 * massive copy-up (in case of overlay) making the entire exercise pointless. */
1697 if (arg_userns_ownership == USER_NAMESPACE_OWNERSHIP_CHOWN && arg_volatile_mode != VOLATILE_NO)
1698 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--volatile= and --private-users-ownership=chown may not be combined.");
1699
1700 /* If --network-namespace-path is given with any other network-related option (except --private-network),
1701 * we need to error out, to avoid conflicts between different network options. */
1702 if (arg_network_namespace_path &&
1703 (arg_network_interfaces || arg_network_macvlan ||
1704 arg_network_ipvlan || arg_network_veth_extra ||
1705 arg_network_bridge || arg_network_zone ||
1706 arg_network_veth))
1707 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--network-namespace-path= cannot be combined with other network options.");
1708
1709 if (arg_network_bridge && arg_network_zone)
1710 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
1711 "--network-bridge= and --network-zone= may not be combined.");
1712
1713 if (arg_userns_mode != USER_NAMESPACE_NO && (arg_mount_settings & MOUNT_APPLY_APIVFS_NETNS) && !arg_private_network)
1714 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid namespacing settings. Mounting sysfs with --private-users requires --private-network.");
1715
1716 if (arg_userns_mode != USER_NAMESPACE_NO && !(arg_mount_settings & MOUNT_APPLY_APIVFS_RO))
1717 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot combine --private-users with read-write API VFS mounts.");
1718
1719 if (arg_expose_ports && !arg_private_network)
1720 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot use --port= without private networking.");
1721
1722 if (arg_caps_ambient) {
1723 if (arg_caps_ambient == UINT64_MAX)
1724 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "AmbientCapability= does not support the value all.");
1725
1726 if ((arg_caps_ambient & arg_caps_retain) != arg_caps_ambient)
1727 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "AmbientCapability= setting is not fully covered by Capability= setting.");
1728
1729 if (arg_start_mode == START_BOOT)
1730 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "AmbientCapability= setting is not useful for boot mode.");
1731 }
1732
1733 /* Drop duplicate --bind-user= entries */
1734 strv_uniq(arg_bind_user);
1735
1736 if (arg_bind_user_shell && strv_isempty(arg_bind_user))
1737 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot use --bind-user-shell= without --bind-user=");
1738
1739 r = custom_mount_check_all();
1740 if (r < 0)
1741 return r;
1742
1743 return 0;
1744 }
1745
1746 static int verify_network_interfaces_initialized(void) {
1747 int r;
1748 r = test_network_interfaces_initialized(arg_network_interfaces);
1749 if (r < 0)
1750 return r;
1751
1752 r = test_network_interfaces_initialized(arg_network_macvlan);
1753 if (r < 0)
1754 return r;
1755
1756 r = test_network_interfaces_initialized(arg_network_ipvlan);
1757 if (r < 0)
1758 return r;
1759
1760 return 0;
1761 }
1762
1763 static int in_child_chown(void) {
1764 /* Returns true when chown()ing inodes we create inside the outer child is required. Basically, we
1765 * need the chowning when we implement userns ourselves. If userns is off we don#t need to chown(),
1766 * obviously. And if we are in managed mode we already entered the userns, and hence don#t need to
1767 * manually chown either. */
1768 return IN_SET(arg_userns_mode, USER_NAMESPACE_PICK, USER_NAMESPACE_FIXED);
1769 }
1770
1771 static int userns_chown_at(int fd, const char *fname, uid_t uid, gid_t gid, int flags) {
1772 assert(fd >= 0 || fd == AT_FDCWD);
1773
1774 if (!in_child_chown())
1775 return 0;
1776
1777 if (uid == UID_INVALID && gid == GID_INVALID)
1778 return 0;
1779
1780 if (uid != UID_INVALID) {
1781 uid += arg_uid_shift;
1782
1783 if (uid < arg_uid_shift || uid >= arg_uid_shift + arg_uid_range)
1784 return -EOVERFLOW;
1785 }
1786
1787 if (gid != GID_INVALID) {
1788 gid += (gid_t) arg_uid_shift;
1789
1790 if (gid < (gid_t) arg_uid_shift || gid >= (gid_t) (arg_uid_shift + arg_uid_range))
1791 return -EOVERFLOW;
1792 }
1793
1794 return RET_NERRNO(fchownat(fd, strempty(fname), uid, gid, flags));
1795 }
1796
1797 int userns_lchown(const char *path, uid_t uid, gid_t gid) {
1798 return userns_chown_at(AT_FDCWD, path, uid, gid, AT_SYMLINK_NOFOLLOW);
1799 }
1800
1801 int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid_t gid) {
1802 int r;
1803
1804 assert(path);
1805
1806 _cleanup_close_ int parent_fd = -EBADF;
1807 _cleanup_free_ char *dname = NULL;
1808 r = chase(path, root, CHASE_PARENT|CHASE_PREFIX_ROOT|CHASE_EXTRACT_FILENAME, &dname, &parent_fd);
1809 if (r < 0)
1810 return r;
1811
1812 _cleanup_close_ int dir_fd = open_mkdir_at(parent_fd, dname, O_EXCL|O_CLOEXEC, mode);
1813 if (dir_fd == -EEXIST)
1814 return 0;
1815 if (dir_fd < 0)
1816 return dir_fd;
1817
1818 return userns_chown_at(dir_fd, /* fname= */ NULL, uid, gid, AT_SYMLINK_NOFOLLOW|AT_EMPTY_PATH);
1819 }
1820
1821 static const char *timezone_from_path(const char *path) {
1822 return PATH_STARTSWITH_SET(
1823 path,
1824 "../usr/share/zoneinfo/",
1825 "/usr/share/zoneinfo/");
1826 }
1827
1828 static bool etc_writable(void) {
1829 return !arg_read_only || IN_SET(arg_volatile_mode, VOLATILE_YES, VOLATILE_OVERLAY);
1830 }
1831
1832 static int setup_timezone(const char *dest) {
1833 _cleanup_free_ char *p = NULL, *etc = NULL;
1834 const char *where, *check;
1835 TimezoneMode m;
1836 int r;
1837
1838 assert(dest);
1839
1840 if (IN_SET(arg_timezone, TIMEZONE_AUTO, TIMEZONE_SYMLINK)) {
1841 r = readlink_malloc("/etc/localtime", &p);
1842 if (r == -ENOENT && arg_timezone == TIMEZONE_AUTO)
1843 m = etc_writable() ? TIMEZONE_DELETE : TIMEZONE_OFF;
1844 else if (r == -EINVAL && arg_timezone == TIMEZONE_AUTO) /* regular file? */
1845 m = etc_writable() ? TIMEZONE_COPY : TIMEZONE_BIND;
1846 else if (r < 0) {
1847 log_warning_errno(r, "Failed to read host's /etc/localtime symlink, not updating container timezone: %m");
1848 /* To handle warning, delete /etc/localtime and replace it with a symbolic link to a time zone data
1849 * file.
1850 *
1851 * Example:
1852 * ln -s /usr/share/zoneinfo/UTC /etc/localtime
1853 */
1854 return 0;
1855 } else if (arg_timezone == TIMEZONE_AUTO)
1856 m = etc_writable() ? TIMEZONE_SYMLINK : TIMEZONE_BIND;
1857 else
1858 m = arg_timezone;
1859 } else
1860 m = arg_timezone;
1861
1862 if (m == TIMEZONE_OFF)
1863 return 0;
1864
1865 r = chase("/etc", dest, CHASE_PREFIX_ROOT, &etc, NULL);
1866 if (r < 0) {
1867 log_warning_errno(r, "Failed to resolve /etc path in container, ignoring: %m");
1868 return 0;
1869 }
1870
1871 where = strjoina(etc, "/localtime");
1872
1873 switch (m) {
1874
1875 case TIMEZONE_DELETE:
1876 if (unlink(where) < 0)
1877 log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno, "Failed to remove '%s', ignoring: %m", where);
1878
1879 return 0;
1880
1881 case TIMEZONE_SYMLINK: {
1882 _cleanup_free_ char *q = NULL;
1883 const char *z, *what;
1884
1885 z = timezone_from_path(p);
1886 if (!z) {
1887 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1888 return 0;
1889 }
1890
1891 r = readlink_malloc(where, &q);
1892 if (r >= 0 && streq_ptr(timezone_from_path(q), z))
1893 return 0; /* Already pointing to the right place? Then do nothing .. */
1894
1895 check = strjoina(dest, "/usr/share/zoneinfo/", z);
1896 r = chase(check, dest, 0, NULL, NULL);
1897 if (r < 0)
1898 log_debug_errno(r, "Timezone %s does not exist (or is not accessible) in container, not creating symlink: %m", z);
1899 else {
1900 if (unlink(where) < 0 && errno != ENOENT) {
1901 log_full_errno(ERRNO_IS_FS_WRITE_REFUSED(errno) ? LOG_DEBUG : LOG_WARNING, /* Don't complain on read-only images */
1902 errno, "Failed to remove existing timezone info %s in container, ignoring: %m", where);
1903 return 0;
1904 }
1905
1906 what = strjoina("../usr/share/zoneinfo/", z);
1907 if (symlink(what, where) < 0) {
1908 log_full_errno(ERRNO_IS_FS_WRITE_REFUSED(errno) ? LOG_DEBUG : LOG_WARNING,
1909 errno, "Failed to correct timezone of container, ignoring: %m");
1910 return 0;
1911 }
1912
1913 break;
1914 }
1915
1916 _fallthrough_;
1917 }
1918
1919 case TIMEZONE_BIND: {
1920 _cleanup_free_ char *resolved = NULL;
1921 int found;
1922
1923 found = chase(where, dest, CHASE_NONEXISTENT, &resolved, NULL);
1924 if (found < 0) {
1925 log_warning_errno(found, "Failed to resolve /etc/localtime path in container, ignoring: %m");
1926 return 0;
1927 }
1928
1929 if (found == 0) /* missing? */
1930 (void) touch(resolved);
1931
1932 r = mount_nofollow_verbose(LOG_WARNING, "/etc/localtime", resolved, NULL, MS_BIND, NULL);
1933 if (r >= 0)
1934 return mount_nofollow_verbose(LOG_ERR, NULL, resolved, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV, NULL);
1935
1936 _fallthrough_;
1937 }
1938
1939 case TIMEZONE_COPY:
1940 /* If mounting failed, try to copy */
1941 r = copy_file_atomic("/etc/localtime", where, 0644, COPY_REFLINK|COPY_REPLACE);
1942 if (r < 0) {
1943 log_full_errno(ERRNO_IS_NEG_FS_WRITE_REFUSED(r) ? LOG_DEBUG : LOG_WARNING, r,
1944 "Failed to copy /etc/localtime to %s, ignoring: %m", where);
1945 return 0;
1946 }
1947
1948 break;
1949
1950 default:
1951 assert_not_reached();
1952 }
1953
1954 /* Fix permissions of the symlink or file copy we just created */
1955 r = userns_lchown(where, 0, 0);
1956 if (r < 0)
1957 log_warning_errno(r, "Failed to chown /etc/localtime, ignoring: %m");
1958
1959 return 0;
1960 }
1961
1962 static int have_resolv_conf(const char *path) {
1963 assert(path);
1964
1965 if (access(path, F_OK) < 0) {
1966 if (errno == ENOENT)
1967 return 0;
1968
1969 return log_debug_errno(errno, "Failed to determine whether '%s' is available: %m", path);
1970 }
1971
1972 return 1;
1973 }
1974
1975 static int resolved_listening(void) {
1976 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
1977 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
1978 _cleanup_free_ char *dns_stub_listener_mode = NULL;
1979 int r;
1980
1981 /* Check if resolved is listening */
1982
1983 r = sd_bus_open_system(&bus);
1984 if (r < 0)
1985 return log_debug_errno(r, "Failed to open system bus: %m");
1986
1987 r = bus_name_has_owner(bus, "org.freedesktop.resolve1", NULL);
1988 if (r < 0)
1989 return log_debug_errno(r, "Failed to check whether the 'org.freedesktop.resolve1' bus name is taken: %m");
1990 if (r == 0)
1991 return 0;
1992
1993 r = bus_get_property_string(bus, bus_resolve_mgr, "DNSStubListener", &error, &dns_stub_listener_mode);
1994 if (r < 0)
1995 return log_debug_errno(r, "Failed to query DNSStubListener property: %s", bus_error_message(&error, r));
1996
1997 return STR_IN_SET(dns_stub_listener_mode, "udp", "yes");
1998 }
1999
2000 static int setup_resolv_conf(const char *dest) {
2001 _cleanup_free_ char *etc = NULL;
2002 const char *where, *what;
2003 ResolvConfMode m;
2004 int r;
2005
2006 assert(dest);
2007
2008 if (arg_resolv_conf == RESOLV_CONF_AUTO) {
2009 if (arg_private_network)
2010 m = RESOLV_CONF_OFF;
2011 else if (have_resolv_conf(PRIVATE_STUB_RESOLV_CONF) > 0 && resolved_listening() > 0)
2012 m = etc_writable() ? RESOLV_CONF_COPY_STUB : RESOLV_CONF_BIND_STUB;
2013 else if (have_resolv_conf("/etc/resolv.conf") > 0)
2014 m = etc_writable() ? RESOLV_CONF_COPY_HOST : RESOLV_CONF_BIND_HOST;
2015 else
2016 m = etc_writable() ? RESOLV_CONF_DELETE : RESOLV_CONF_OFF;
2017
2018 } else
2019 m = arg_resolv_conf;
2020
2021 if (m == RESOLV_CONF_OFF)
2022 return 0;
2023
2024 r = chase("/etc", dest, CHASE_PREFIX_ROOT, &etc, NULL);
2025 if (r < 0) {
2026 log_warning_errno(r, "Failed to resolve /etc path in container, ignoring: %m");
2027 return 0;
2028 }
2029
2030 where = strjoina(etc, "/resolv.conf");
2031
2032 if (m == RESOLV_CONF_DELETE) {
2033 if (unlink(where) < 0)
2034 log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno, "Failed to remove '%s', ignoring: %m", where);
2035
2036 return 0;
2037 }
2038
2039 if (IN_SET(m, RESOLV_CONF_BIND_STATIC, RESOLV_CONF_REPLACE_STATIC, RESOLV_CONF_COPY_STATIC))
2040 what = PRIVATE_STATIC_RESOLV_CONF;
2041 else if (IN_SET(m, RESOLV_CONF_BIND_UPLINK, RESOLV_CONF_REPLACE_UPLINK, RESOLV_CONF_COPY_UPLINK))
2042 what = PRIVATE_UPLINK_RESOLV_CONF;
2043 else if (IN_SET(m, RESOLV_CONF_BIND_STUB, RESOLV_CONF_REPLACE_STUB, RESOLV_CONF_COPY_STUB))
2044 what = PRIVATE_STUB_RESOLV_CONF;
2045 else
2046 what = "/etc/resolv.conf";
2047
2048 if (IN_SET(m, RESOLV_CONF_BIND_HOST, RESOLV_CONF_BIND_STATIC, RESOLV_CONF_BIND_UPLINK, RESOLV_CONF_BIND_STUB)) {
2049 _cleanup_free_ char *resolved = NULL;
2050 int found;
2051
2052 found = chase(where, dest, CHASE_NONEXISTENT|CHASE_NOFOLLOW, &resolved, NULL);
2053 if (found < 0) {
2054 log_warning_errno(found, "Failed to resolve /etc/resolv.conf path in container, ignoring: %m");
2055 return 0;
2056 }
2057
2058 if (found == 0) /* missing? */
2059 (void) touch(resolved);
2060
2061 r = mount_nofollow_verbose(LOG_WARNING, what, resolved, NULL, MS_BIND, NULL);
2062 if (r >= 0)
2063 return mount_nofollow_verbose(LOG_ERR, NULL, resolved, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV, NULL);
2064
2065 /* If that didn't work, let's copy the file */
2066 }
2067
2068 if (IN_SET(m, RESOLV_CONF_REPLACE_HOST, RESOLV_CONF_REPLACE_STATIC, RESOLV_CONF_REPLACE_UPLINK, RESOLV_CONF_REPLACE_STUB))
2069 r = copy_file_atomic(what, where, 0644, COPY_REFLINK|COPY_REPLACE);
2070 else
2071 r = copy_file(what, where, O_TRUNC|O_NOFOLLOW, 0644, COPY_REFLINK);
2072 if (r < 0) {
2073 /* If the file already exists as symlink, let's suppress the warning, under the assumption that
2074 * resolved or something similar runs inside and the symlink points there.
2075 *
2076 * If the disk image is read-only, there's also no point in complaining.
2077 */
2078 log_full_errno(!IN_SET(RESOLV_CONF_COPY_HOST, RESOLV_CONF_COPY_STATIC, RESOLV_CONF_COPY_UPLINK, RESOLV_CONF_COPY_STUB) &&
2079 (r == -ELOOP || ERRNO_IS_NEG_FS_WRITE_REFUSED(r)) ? LOG_DEBUG : LOG_WARNING, r,
2080 "Failed to copy /etc/resolv.conf to %s, ignoring: %m", where);
2081 return 0;
2082 }
2083
2084 r = userns_lchown(where, 0, 0);
2085 if (r < 0)
2086 log_warning_errno(r, "Failed to chown /etc/resolv.conf, ignoring: %m");
2087
2088 return 0;
2089 }
2090
2091 static int setup_boot_id(void) {
2092 _cleanup_(unlink_and_freep) char *from = NULL;
2093 _cleanup_free_ char *path = NULL;
2094 sd_id128_t rnd = SD_ID128_NULL;
2095 const char *to;
2096 int r;
2097
2098 /* Generate a new randomized boot ID, so that each boot-up of the container gets a new one */
2099
2100 r = tempfn_random_child("/run", "proc-sys-kernel-random-boot-id", &path);
2101 if (r < 0)
2102 return log_error_errno(r, "Failed to generate random boot ID path: %m");
2103
2104 r = sd_id128_randomize(&rnd);
2105 if (r < 0)
2106 return log_error_errno(r, "Failed to generate random boot id: %m");
2107
2108 r = id128_write(path, ID128_FORMAT_UUID, rnd);
2109 if (r < 0)
2110 return log_error_errno(r, "Failed to write boot id: %m");
2111
2112 from = TAKE_PTR(path);
2113 to = "/proc/sys/kernel/random/boot_id";
2114
2115 r = mount_nofollow_verbose(LOG_ERR, from, to, NULL, MS_BIND, NULL);
2116 if (r < 0)
2117 return r;
2118
2119 return mount_nofollow_verbose(LOG_ERR, NULL, to, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
2120 }
2121
2122 static int bind_mount_devnode(const char *from, const char *to) {
2123 int r;
2124
2125 assert(from);
2126 assert(to);
2127
2128 r = touch(to);
2129 if (r < 0)
2130 return log_debug_errno(r, "Failed to touch %s: %m", to);
2131
2132 r = mount_nofollow_verbose(LOG_DEBUG, from, to, NULL, MS_BIND, NULL);
2133 if (r < 0) {
2134 (void) unlink(to);
2135 return log_error_errno(r, "Failed to bind mount %s to %s: %m", from, to);
2136 }
2137
2138 return 0;
2139 }
2140
2141 static int copy_devnode_one(const char *dest, const char *node, bool check) {
2142 int r;
2143
2144 assert(dest);
2145 assert(!isempty(node));
2146
2147 BLOCK_WITH_UMASK(0000);
2148
2149 _cleanup_free_ char *from = path_join("/dev/", node);
2150 if (!from)
2151 return log_oom();
2152
2153 if (check) {
2154 /* If 'check' is true, create /dev/fuse only when it is accessible. The check is necessary,
2155 * as some custom service units that invoke systemd-nspawn may enable DevicePolicy= without
2156 * DeviceAllow= for the device node. */
2157 _cleanup_close_ int fd = open(from, O_CLOEXEC|O_RDWR);
2158 if (fd < 0) {
2159 log_debug_errno(errno,
2160 "Failed to open %s, skipping creation of the device node in the container, ignoring: %m",
2161 from);
2162 return 0;
2163 }
2164 }
2165
2166 _cleanup_free_ char *to = path_join(dest, from);
2167 if (!to)
2168 return log_oom();
2169
2170 struct stat st;
2171 if (stat(from, &st) < 0) {
2172 if (errno != ENOENT)
2173 return log_error_errno(errno, "Failed to stat %s: %m", from);
2174
2175 log_debug_errno(errno, "Device node %s does not exist, ignoring.", from);
2176 return 0;
2177 }
2178 if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode))
2179 return log_error_errno(SYNTHETIC_ERRNO(ESTALE), "%s is not a device node.", from);
2180
2181 /* Create the parent directory of the device node. Here, we assume that the path has at most one
2182 * subdirectory under /dev/, e.g. /dev/net/tun. */
2183 _cleanup_free_ char *parent = NULL;
2184 r = path_extract_directory(from, &parent);
2185 if (r < 0)
2186 return log_error_errno(r, "Failed to extract directory from %s: %m", from);
2187 r = userns_mkdir(dest, parent, 0755, 0, 0);
2188 if (r < 0)
2189 return log_error_errno(r, "Failed to create directory %s: %m", parent);
2190
2191 r = RET_NERRNO(mknod(to, st.st_mode, st.st_rdev));
2192 if (r < 0) {
2193 /* Explicitly warn the user when /dev/ is already populated. */
2194 if (r == -EEXIST)
2195 log_notice("%s/dev/ is pre-mounted and pre-populated. If a pre-mounted /dev/ is provided it needs to be an unpopulated file system.", dest);
2196
2197 /* If arg_uid_shift != 0, then we cannot fall back to use bind mount. */
2198 if (!(arg_userns_mode == USER_NAMESPACE_NO ||
2199 (arg_userns_mode == USER_NAMESPACE_FIXED && arg_uid_shift == 0))) {
2200
2201 if (arg_userns_mode != USER_NAMESPACE_MANAGED || !ERRNO_IS_NEG_PRIVILEGE(r))
2202 return log_error_errno(r, "Failed to mknod(%s): %m", to);
2203
2204 log_debug_errno(r, "Failed to create device node '%s' and running in managed mode, resorting to bind mount: %m", to);
2205 }
2206
2207 /* Some systems abusively restrict mknod but allow bind mounts. */
2208 if (bind_mount_devnode(from, to) < 0)
2209 /* use the original error code. */
2210 return log_error_errno(r, "Both mknod() and bind mount %s failed: %m", to);
2211 } else {
2212 /* mknod() succeeds, chown() it if necessary. */
2213 r = userns_lchown(to, 0, 0);
2214 if (r < 0)
2215 return log_error_errno(r, "chown() of device node %s failed: %m", to);
2216 }
2217
2218 _cleanup_free_ char *dn = path_join("/dev", S_ISCHR(st.st_mode) ? "char" : "block");
2219 if (!dn)
2220 return log_oom();
2221
2222 r = userns_mkdir(dest, dn, 0755, 0, 0);
2223 if (r < 0)
2224 return log_error_errno(r, "Failed to create '%s': %m", dn);
2225
2226 _cleanup_free_ char *sl = NULL;
2227 if (asprintf(&sl, "%s/" DEVNUM_FORMAT_STR, dn, DEVNUM_FORMAT_VAL(st.st_rdev)) < 0)
2228 return log_oom();
2229
2230 _cleanup_free_ char *prefixed = path_join(dest, sl);
2231 if (!prefixed)
2232 return log_oom();
2233
2234 _cleanup_free_ char *t = path_join("..", node);
2235 if (!t)
2236 return log_oom();
2237
2238 if (symlink(t, prefixed) < 0)
2239 log_debug_errno(errno, "Failed to symlink '%s' to '%s', ignoring: %m", t, prefixed);
2240
2241 return 0;
2242 }
2243
2244 static int copy_devnodes(const char *dest) {
2245 int r = 0;
2246
2247 assert(dest);
2248
2249 /* Required basic device nodes. */
2250 FOREACH_STRING(node, "null", "zero", "full", "random", "urandom", "tty") {
2251 r = copy_devnode_one(dest, node, /* check = */ false);
2252 if (r < 0)
2253 return r;
2254 }
2255
2256 /* Optional device nodes. */
2257 FOREACH_STRING(node, "fuse", "net/tun") {
2258 r = copy_devnode_one(dest, node, /* check = */ true);
2259 if (r < 0)
2260 return r;
2261 }
2262
2263 return 0;
2264 }
2265
2266 static int make_extra_nodes(const char *dest) {
2267 int r;
2268
2269 BLOCK_WITH_UMASK(0000);
2270
2271 FOREACH_ARRAY(node, arg_extra_nodes, arg_n_extra_nodes) {
2272 _cleanup_free_ char *path = NULL;
2273
2274 path = path_join(dest, node->path);
2275 if (!path)
2276 return log_oom();
2277
2278 dev_t dev = S_ISCHR(node->mode) || S_ISBLK(node->mode) ? makedev(node->major, node->minor) : 0;
2279 if (mknod(path, node->mode, dev) < 0)
2280 return log_error_errno(errno, "Failed to create device node '%s': %m", path);
2281
2282 r = chmod_and_chown(path, node->mode, node->uid, node->gid);
2283 if (r < 0)
2284 return log_error_errno(r, "Failed to adjust device node ownership of '%s': %m", path);
2285 }
2286
2287 return 0;
2288 }
2289
2290 static int setup_pts(const char *dest, uid_t chown_uid) {
2291 _cleanup_free_ char *options = NULL;
2292 int r;
2293
2294 #if HAVE_SELINUX
2295 if (arg_selinux_apifs_context)
2296 (void) asprintf(&options,
2297 "newinstance,ptmxmode=0666,mode=" STRINGIFY(TTY_MODE) ",gid=" GID_FMT ",context=\"%s\"",
2298 chown_uid + TTY_GID,
2299 arg_selinux_apifs_context);
2300 else
2301 #endif
2302 (void) asprintf(&options,
2303 "newinstance,ptmxmode=0666,mode=" STRINGIFY(TTY_MODE) ",gid=" GID_FMT,
2304 chown_uid + TTY_GID);
2305
2306 if (!options)
2307 return log_oom();
2308
2309 /* Mount /dev/pts itself */
2310 _cleanup_free_ char *p = path_join(dest, "/dev/pts");
2311 if (!p)
2312 return log_oom();
2313
2314 r = RET_NERRNO(mkdir(p, 0755));
2315 if (r < 0)
2316 return log_error_errno(r, "Failed to create /dev/pts: %m");
2317
2318 r = mount_nofollow_verbose(LOG_ERR, "devpts", p, "devpts", MS_NOSUID|MS_NOEXEC, options);
2319 if (r < 0)
2320 return r;
2321 r = userns_lchown(p, 0, 0);
2322 if (r < 0)
2323 return log_error_errno(r, "Failed to chown /dev/pts: %m");
2324
2325 /* Create /dev/ptmx symlink */
2326 free(p);
2327 p = path_join(dest, "/dev/ptmx");
2328 if (!p)
2329 return log_oom();
2330
2331 if (symlink("pts/ptmx", p) < 0)
2332 return log_error_errno(errno, "Failed to create /dev/ptmx symlink: %m");
2333 r = userns_lchown(p, 0, 0);
2334 if (r < 0)
2335 return log_error_errno(r, "Failed to chown /dev/ptmx: %m");
2336
2337 /* And fix /dev/pts/ptmx ownership */
2338 free(p);
2339 p = path_join(dest, "/dev/pts/ptmx");
2340 if (!p)
2341 return log_oom();
2342
2343 r = userns_lchown(p, 0, 0);
2344 if (r < 0)
2345 return log_error_errno(r, "Failed to chown /dev/pts/ptmx: %m");
2346
2347 return 0;
2348 }
2349
2350 static int setup_stdio_as_dev_console(void) {
2351 _cleanup_close_ int terminal = -EBADF;
2352 int r;
2353
2354 /* We open the TTY in O_NOCTTY mode, so that we do not become controller yet. We'll do that later
2355 * explicitly, if we are configured to. */
2356 terminal = open_terminal("/dev/console", O_RDWR|O_NOCTTY);
2357 if (terminal < 0)
2358 return log_error_errno(terminal, "Failed to open console: %m");
2359
2360 /* Make sure we can continue logging to the original stderr, even if
2361 * stderr points elsewhere now */
2362 r = log_dup_console();
2363 if (r < 0)
2364 return log_error_errno(r, "Failed to duplicate stderr: %m");
2365
2366 /* invalidates 'terminal' on success and failure */
2367 r = rearrange_stdio(terminal, terminal, terminal);
2368 TAKE_FD(terminal);
2369 if (r < 0)
2370 return log_error_errno(r, "Failed to move console to stdin/stdout/stderr: %m");
2371
2372 return 0;
2373 }
2374
2375 static int setup_dev_console(const char *console) {
2376 _cleanup_free_ char *p = NULL;
2377 int r;
2378
2379 /* Create /dev/console symlink */
2380 r = path_make_relative("/dev", console, &p);
2381 if (r < 0)
2382 return log_error_errno(r, "Failed to create relative path: %m");
2383
2384 if (symlink(p, "/dev/console") < 0)
2385 return log_error_errno(errno, "Failed to create /dev/console symlink: %m");
2386
2387 return 0;
2388 }
2389
2390 static int setup_keyring(void) {
2391 key_serial_t keyring;
2392
2393 /* Allocate a new session keyring for the container. This makes sure the keyring of the session
2394 * systemd-nspawn was invoked from doesn't leak into the container. Note that by default we block
2395 * keyctl() and request_key() anyway via seccomp so doing this operation isn't strictly necessary,
2396 * but in case people explicitly allow-list these system calls let's make sure we don't leak anything
2397 * into the container. */
2398
2399 keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
2400 if (keyring == -1) {
2401 if (errno == ENOSYS)
2402 log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
2403 else if (ERRNO_IS_PRIVILEGE(errno))
2404 log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
2405 else
2406 return log_error_errno(errno, "Setting up kernel keyring failed: %m");
2407 }
2408
2409 return 0;
2410 }
2411
2412 int make_run_host(const char *root) {
2413 int r;
2414
2415 assert(root);
2416
2417 r = userns_mkdir(root, "/run/host", 0755, 0, 0);
2418 if (r < 0)
2419 return log_error_errno(r, "Failed to create /run/host/: %m");
2420
2421 return 0;
2422 }
2423
2424 static int setup_credentials(const char *root) {
2425 bool world_readable = false;
2426 int r;
2427
2428 if (arg_credentials.n_credentials == 0)
2429 return 0;
2430
2431 /* If starting a single-process container as a non-root user, the uid will only be resolved after we
2432 * are inside the inner child, when credential directories and files are already read-only, so they
2433 * are unusable as the single process won't have access to them. We also don't have access to the
2434 * uid that will actually be used from here, as we are setting credentials up from the outer child.
2435 * In order to make them usable as requested by the configuration, make them world readable in that
2436 * case, as by definition there are no other processes in that case besides the one being started,
2437 * which is being configured to be able to access credentials, and any of its children which will
2438 * inherit its privileges anyway. To ensure this, also enforce (and document) that
2439 * --no-new-privileges is necessary for this combination to work. */
2440 if (arg_no_new_privileges && !isempty(arg_user) && !STR_IN_SET(arg_user, "root", "0") &&
2441 arg_start_mode == START_PID1)
2442 world_readable = true;
2443
2444 r = make_run_host(root);
2445 if (r < 0)
2446 return r;
2447
2448 r = userns_mkdir(root, "/run/host/credentials", world_readable ? 0777 : 0700, 0, 0);
2449 if (r < 0)
2450 return log_error_errno(r, "Failed to create /run/host/credentials: %m");
2451
2452 _cleanup_free_ char *q = path_join(root, "/run/host/credentials");
2453 if (!q)
2454 return log_oom();
2455
2456 r = mount_nofollow_verbose(LOG_ERR, NULL, q, "ramfs", MS_NOSUID|MS_NOEXEC|MS_NODEV, "mode=0700");
2457 if (r < 0)
2458 return r;
2459
2460 FOREACH_ARRAY(cred, arg_credentials.credentials, arg_credentials.n_credentials) {
2461 _cleanup_free_ char *j = NULL;
2462 _cleanup_close_ int fd = -EBADF;
2463
2464 j = path_join(q, cred->id);
2465 if (!j)
2466 return log_oom();
2467
2468 fd = open(j, O_CREAT|O_EXCL|O_WRONLY|O_CLOEXEC|O_NOFOLLOW, world_readable ? 0666 : 0600);
2469 if (fd < 0)
2470 return log_error_errno(errno, "Failed to create credential file %s: %m", j);
2471
2472 r = loop_write(fd, cred->data, cred->size);
2473 if (r < 0)
2474 return log_error_errno(r, "Failed to write credential to file %s: %m", j);
2475
2476 if (fchmod(fd, world_readable ? 0444 : 0400) < 0)
2477 return log_error_errno(errno, "Failed to adjust access mode of %s: %m", j);
2478
2479 if (in_child_chown())
2480 if (fchown(fd, arg_uid_shift, arg_uid_shift) < 0)
2481 return log_error_errno(errno, "Failed to adjust ownership of %s: %m", j);
2482 }
2483
2484 if (chmod(q, world_readable ? 0555 : 0500) < 0)
2485 return log_error_errno(errno, "Failed to adjust access mode of %s: %m", q);
2486
2487 r = userns_lchown(q, 0, 0);
2488 if (r < 0)
2489 return r;
2490
2491 /* Make both mount and superblock read-only now */
2492 r = mount_nofollow_verbose(LOG_ERR, NULL, q, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
2493 if (r < 0)
2494 return r;
2495
2496 return mount_nofollow_verbose(LOG_ERR, NULL, q, NULL, MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, "mode=0500");
2497 }
2498
2499 static int setup_kmsg(int fd_inner_socket) {
2500 _cleanup_(unlink_and_freep) char *from = NULL;
2501 _cleanup_free_ char *fifo = NULL;
2502 _cleanup_close_ int fd = -EBADF;
2503 int r;
2504
2505 assert(fd_inner_socket >= 0);
2506
2507 BLOCK_WITH_UMASK(0000);
2508
2509 /* We create the kmsg FIFO as a temporary file in /run, but immediately delete it after bind mounting it to
2510 * /proc/kmsg. While FIFOs on the reading side behave very similar to /proc/kmsg, their writing side behaves
2511 * differently from /dev/kmsg in that writing blocks when nothing is reading. In order to avoid any problems
2512 * with containers deadlocking due to this we simply make /dev/kmsg unavailable to the container. */
2513
2514 r = tempfn_random_child("/run", "proc-kmsg", &fifo);
2515 if (r < 0)
2516 return log_error_errno(r, "Failed to generate kmsg path: %m");
2517
2518 if (mkfifo(fifo, 0600) < 0)
2519 return log_error_errno(errno, "mkfifo() for /run/kmsg failed: %m");
2520
2521 from = TAKE_PTR(fifo);
2522
2523 r = mount_nofollow_verbose(LOG_ERR, from, "/proc/kmsg", NULL, MS_BIND, NULL);
2524 if (r < 0)
2525 return r;
2526
2527 fd = open(from, O_RDWR|O_NONBLOCK|O_CLOEXEC);
2528 if (fd < 0)
2529 return log_error_errno(errno, "Failed to open fifo: %m");
2530
2531 /* Store away the fd in the socket, so that it stays open as long as we run the child */
2532 r = send_one_fd(fd_inner_socket, fd, 0);
2533 if (r < 0)
2534 return log_error_errno(r, "Failed to send FIFO fd: %m");
2535
2536 return 0;
2537 }
2538
2539 struct ExposeArgs {
2540 union in_addr_union address4;
2541 union in_addr_union address6;
2542 struct FirewallContext *fw_ctx;
2543 };
2544
2545 static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *userdata) {
2546 struct ExposeArgs *args = ASSERT_PTR(userdata);
2547
2548 assert(rtnl);
2549 assert(m);
2550
2551 (void) expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET, &args->address4);
2552 (void) expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET6, &args->address6);
2553 return 0;
2554 }
2555
2556 static int setup_hostname(void) {
2557 int r;
2558
2559 if ((arg_clone_ns_flags & CLONE_NEWUTS) == 0)
2560 return 0;
2561
2562 r = sethostname_idempotent(arg_hostname ?: arg_machine);
2563 if (r < 0)
2564 return log_error_errno(r, "Failed to set hostname: %m");
2565
2566 return 0;
2567 }
2568
2569 static int setup_journal(const char *directory) {
2570 _cleanup_free_ char *d = NULL;
2571 sd_id128_t this_id;
2572 bool try;
2573 int r;
2574
2575 /* Don't link journals in ephemeral mode */
2576 if (arg_ephemeral)
2577 return 0;
2578
2579 if (arg_link_journal == LINK_NO)
2580 return 0;
2581
2582 try = arg_link_journal_try || arg_link_journal == LINK_AUTO;
2583
2584 r = sd_id128_get_machine(&this_id);
2585 if (r < 0)
2586 return log_error_errno(r, "Failed to retrieve machine ID: %m");
2587
2588 if (sd_id128_equal(arg_uuid, this_id)) {
2589 log_full(try ? LOG_WARNING : LOG_ERR,
2590 "Host and machine ids are equal (%s): refusing to link journals", SD_ID128_TO_STRING(arg_uuid));
2591 if (try)
2592 return 0;
2593 return -EEXIST;
2594 }
2595
2596 FOREACH_STRING(dirname, "/var", "/var/log", "/var/log/journal") {
2597 r = userns_mkdir(directory, dirname, 0755, 0, 0);
2598 if (r < 0) {
2599 bool ignore = r == -EROFS && try;
2600 log_full_errno(ignore ? LOG_DEBUG : LOG_ERR, r,
2601 "Failed to create %s%s: %m", dirname, ignore ? ", ignoring" : "");
2602 return ignore ? 0 : r;
2603 }
2604 }
2605
2606 _cleanup_free_ char *p = path_join("/var/log/journal/", SD_ID128_TO_STRING(arg_uuid));
2607 if (!p)
2608 return log_oom();
2609
2610 _cleanup_free_ char *q = path_join(directory, p);
2611 if (!q)
2612 return log_oom();
2613
2614 if (path_is_mount_point(p) > 0) {
2615 if (try)
2616 return 0;
2617
2618 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
2619 "%s: already a mount point, refusing to use for journal", p);
2620 }
2621
2622 if (path_is_mount_point(q) > 0) {
2623 if (try)
2624 return 0;
2625
2626 return log_error_errno(SYNTHETIC_ERRNO(EEXIST),
2627 "%s: already a mount point, refusing to use for journal", q);
2628 }
2629
2630 r = readlink_and_make_absolute(p, &d);
2631 if (r >= 0) {
2632 if (IN_SET(arg_link_journal, LINK_GUEST, LINK_AUTO) &&
2633 path_equal(d, q)) {
2634
2635 r = userns_mkdir(directory, p, 0755, 0, 0);
2636 if (r < 0)
2637 log_warning_errno(r, "Failed to create directory %s: %m", q);
2638 return 0;
2639 }
2640
2641 if (unlink(p) < 0)
2642 return log_error_errno(errno, "Failed to remove symlink %s: %m", p);
2643 } else if (r == -EINVAL) {
2644
2645 if (arg_link_journal == LINK_GUEST &&
2646 rmdir(p) < 0) {
2647
2648 if (errno == ENOTDIR) {
2649 log_error("%s already exists and is neither a symlink nor a directory", p);
2650 return r;
2651 } else
2652 return log_error_errno(errno, "Failed to remove %s: %m", p);
2653 }
2654 } else if (r != -ENOENT)
2655 return log_error_errno(r, "readlink(%s) failed: %m", p);
2656
2657 if (arg_link_journal == LINK_GUEST) {
2658
2659 if (symlink(q, p) < 0) {
2660 if (try) {
2661 log_debug_errno(errno, "Failed to symlink %s to %s, skipping journal setup: %m", q, p);
2662 return 0;
2663 } else
2664 return log_error_errno(errno, "Failed to symlink %s to %s: %m", q, p);
2665 }
2666
2667 r = userns_mkdir(directory, p, 0755, 0, 0);
2668 if (r < 0)
2669 log_warning_errno(r, "Failed to create directory %s: %m", q);
2670 return 0;
2671 }
2672
2673 if (arg_link_journal == LINK_HOST) {
2674 /* don't create parents here — if the host doesn't have
2675 * permanent journal set up, don't force it here */
2676
2677 r = RET_NERRNO(mkdir(p, 0755));
2678 if (r < 0 && r != -EEXIST) {
2679 if (try) {
2680 log_debug_errno(r, "Failed to create %s, skipping journal setup: %m", p);
2681 return 0;
2682 } else
2683 return log_error_errno(r, "Failed to create %s: %m", p);
2684 }
2685
2686 } else if (access(p, F_OK) < 0)
2687 return 0;
2688
2689 if (dir_is_empty(q, /* ignore_hidden_or_backup= */ false) == 0)
2690 log_warning("%s is not empty, proceeding anyway.", q);
2691
2692 r = userns_mkdir(directory, p, 0755, 0, 0);
2693 if (r < 0)
2694 return log_error_errno(r, "Failed to create %s: %m", q);
2695
2696 r = mount_nofollow_verbose(LOG_DEBUG, p, q, NULL, MS_BIND, NULL);
2697 if (r < 0)
2698 return log_error_errno(r, "Failed to bind mount journal from host into guest: %m");
2699
2700 return 0;
2701 }
2702
2703 static int drop_capabilities(uid_t uid) {
2704 CapabilityQuintet q;
2705
2706 /* Let's initialize all five capability sets to something valid. If the quintet was configured via
2707 * OCI use that, but fill in missing bits. If it wasn't then derive the quintet in full from
2708 * arg_caps_retain. */
2709
2710 if (capability_quintet_is_set(&arg_full_capabilities)) {
2711 q = arg_full_capabilities;
2712
2713 if (q.bounding == UINT64_MAX)
2714 q.bounding = uid == 0 ? arg_caps_retain : 0;
2715
2716 if (q.effective == UINT64_MAX)
2717 q.effective = uid == 0 ? q.bounding : 0;
2718
2719 if (q.inheritable == UINT64_MAX)
2720 q.inheritable = uid == 0 ? q.bounding : arg_caps_ambient;
2721
2722 if (q.permitted == UINT64_MAX)
2723 q.permitted = uid == 0 ? q.bounding : arg_caps_ambient;
2724
2725 if (q.ambient == UINT64_MAX)
2726 q.ambient = arg_caps_ambient;
2727
2728 if (capability_quintet_mangle(&q))
2729 return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Cannot set capabilities that are not in the current bounding set.");
2730
2731 } else {
2732 q = (CapabilityQuintet) {
2733 .bounding = arg_caps_retain,
2734 .effective = uid == 0 ? arg_caps_retain : 0,
2735 .inheritable = uid == 0 ? arg_caps_retain : arg_caps_ambient,
2736 .permitted = uid == 0 ? arg_caps_retain : arg_caps_ambient,
2737 .ambient = arg_caps_ambient,
2738 };
2739
2740 /* If we're not using OCI, proceed with mangled capabilities (so we don't error out)
2741 * in order to maintain the same behavior as systemd < 242. */
2742 if (capability_quintet_mangle(&q))
2743 log_full(arg_quiet ? LOG_DEBUG : LOG_WARNING,
2744 "Some capabilities will not be set because they are not in the current bounding set.");
2745
2746 }
2747
2748 return capability_quintet_enforce(&q);
2749 }
2750
2751 static int reset_audit_loginuid(void) {
2752 _cleanup_free_ char *p = NULL;
2753 int r;
2754
2755 if ((arg_clone_ns_flags & CLONE_NEWPID) == 0)
2756 return 0;
2757
2758 /* if we are in managed userns mode, then we are already in our userns, hence we cannot reset the
2759 * loginuid anyway, hence don't bother */
2760 if (arg_userns_mode == USER_NAMESPACE_MANAGED)
2761 return 0;
2762
2763 r = read_virtual_file("/proc/self/loginuid", SIZE_MAX, &p, /* ret_size= */ NULL);
2764 if (r == -ENOENT)
2765 return 0;
2766 if (r < 0)
2767 return log_error_errno(r, "Failed to read /proc/self/loginuid: %m");
2768
2769 /* Already reset? */
2770 if (streq(p, "4294967295"))
2771 return 0;
2772
2773 r = write_string_file("/proc/self/loginuid", "4294967295", WRITE_STRING_FILE_DISABLE_BUFFER);
2774 if (r < 0) {
2775 log_error_errno(r,
2776 "Failed to reset audit login UID. This probably means that your kernel is too\n"
2777 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2778 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2779 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2780 "using systemd-nspawn. Sleeping for 5s... (%m)");
2781
2782 sleep(5);
2783 }
2784
2785 return 0;
2786 }
2787
2788 static int mount_tunnel_dig(const char *root) {
2789 int r;
2790
2791 if (arg_userns_mode == USER_NAMESPACE_MANAGED) {
2792 log_debug("Not digging mount tunnel, because running in managed user namespace mode.");
2793 return 0;
2794 }
2795
2796 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2797 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2798 _cleanup_free_ char *p = path_join("/run/systemd/nspawn/propagate/", arg_machine);
2799 if (!p)
2800 return log_oom();
2801
2802 (void) mkdir_p(p, 0600);
2803
2804 r = make_run_host(root);
2805 if (r < 0)
2806 return r;
2807
2808 r = userns_mkdir(root, NSPAWN_MOUNT_TUNNEL, 0600, 0, 0);
2809 if (r < 0)
2810 return log_error_errno(r, "Failed to create "NSPAWN_MOUNT_TUNNEL": %m");
2811
2812 _cleanup_free_ char *q = path_join(root, NSPAWN_MOUNT_TUNNEL);
2813 if (!q)
2814 return log_oom();
2815
2816 r = mount_nofollow_verbose(LOG_ERR, p, q, NULL, MS_BIND, NULL);
2817 if (r < 0)
2818 return r;
2819
2820 r = mount_nofollow_verbose(LOG_ERR, NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL);
2821 if (r < 0)
2822 return r;
2823
2824 return 0;
2825 }
2826
2827 static int mount_tunnel_open(void) {
2828 int r;
2829
2830 if (arg_userns_mode == USER_NAMESPACE_MANAGED) {
2831 log_debug("Not opening up mount tunnel, because running in managed user namespace mode.");
2832 return 0;
2833 }
2834
2835 r = mount_follow_verbose(LOG_ERR, NULL, NSPAWN_MOUNT_TUNNEL, NULL, MS_SLAVE, NULL);
2836 if (r < 0)
2837 return r;
2838
2839 return 0;
2840 }
2841
2842 static int setup_machine_id(const char *directory) {
2843 int r;
2844
2845 /* If the UUID in the container is already set, then that's what counts, and we use. If it isn't set, and the
2846 * caller passed --uuid=, then we'll pass it in the $container_uuid env var to PID 1 of the container. The
2847 * assumption is that PID 1 will then write it to /etc/machine-id to make it persistent. If --uuid= is not
2848 * passed we generate a random UUID, and pass it via $container_uuid. In effect this means that /etc/machine-id
2849 * in the container and our idea of the container UUID will always be in sync (at least if PID 1 in the
2850 * container behaves nicely). */
2851
2852 r = id128_get_machine(directory, &arg_uuid);
2853 if (ERRNO_IS_NEG_MACHINE_ID_UNSET(r)) {
2854 /* If the file is missing, empty, or uninitialized, we don't mind */
2855 if (sd_id128_is_null(arg_uuid)) {
2856 r = sd_id128_randomize(&arg_uuid);
2857 if (r < 0)
2858 return log_error_errno(r, "Failed to acquire randomized machine UUID: %m");
2859 }
2860 } else if (r < 0)
2861 return log_error_errno(r, "Failed to read machine ID from container image: %m");
2862
2863 return 0;
2864 }
2865
2866 static int recursive_chown(const char *directory, uid_t shift, uid_t range) {
2867 int r;
2868
2869 assert(directory);
2870
2871 if (arg_userns_mode == USER_NAMESPACE_NO || arg_userns_ownership != USER_NAMESPACE_OWNERSHIP_CHOWN)
2872 return 0;
2873
2874 r = path_patch_uid(directory, arg_uid_shift, arg_uid_range);
2875 if (r == -EOPNOTSUPP)
2876 return log_error_errno(r, "Automatic UID/GID adjusting is only supported for UID/GID ranges starting at multiples of 2^16 with a range of 2^16.");
2877 if (r == -EBADE)
2878 return log_error_errno(r, "Upper 16 bits of root directory UID and GID do not match.");
2879 if (r < 0)
2880 return log_error_errno(r, "Failed to adjust UID/GID shift of OS tree: %m");
2881 if (r == 0)
2882 log_debug("Root directory of image is already owned by the right UID/GID range, skipping recursive chown operation.");
2883 else
2884 log_debug("Patched directory tree to match UID/GID range.");
2885
2886 return r;
2887 }
2888
2889 /*
2890 * Return values:
2891 * < 0 : wait_for_terminate() failed to get the state of the
2892 * container, the container was terminated by a signal, or
2893 * failed for an unknown reason. No change is made to the
2894 * container argument.
2895 * > 0 : The program executed in the container terminated with an
2896 * error. The exit code of the program executed in the
2897 * container is returned. The container argument has been set
2898 * to CONTAINER_TERMINATED.
2899 * 0 : The container is being rebooted, has been shut down or exited
2900 * successfully. The container argument has been set to either
2901 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2902 *
2903 * That is, success is indicated by a return value of zero, and an
2904 * error is indicated by a non-zero value.
2905 */
2906 static int wait_for_container(PidRef *pid, ContainerStatus *container) {
2907 siginfo_t status;
2908 int r;
2909
2910 assert(pidref_is_set(pid));
2911
2912 r = pidref_wait_for_terminate(pid, &status);
2913 if (r < 0)
2914 return log_warning_errno(r, "Failed to wait for container: %m");
2915
2916 pidref_done(pid);
2917
2918 switch (status.si_code) {
2919
2920 case CLD_EXITED:
2921 if (status.si_status == 0)
2922 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s exited successfully.", arg_machine);
2923 else
2924 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s failed with error code %i.", arg_machine, status.si_status);
2925
2926 *container = CONTAINER_TERMINATED;
2927 return status.si_status;
2928
2929 case CLD_KILLED:
2930 if (status.si_status == SIGINT) {
2931 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s has been shut down.", arg_machine);
2932 *container = CONTAINER_TERMINATED;
2933 return 0;
2934
2935 } else if (status.si_status == SIGHUP) {
2936 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s is being rebooted.", arg_machine);
2937 *container = CONTAINER_REBOOTED;
2938 return 0;
2939 }
2940
2941 _fallthrough_;
2942 case CLD_DUMPED:
2943 return log_error_errno(SYNTHETIC_ERRNO(EIO),
2944 "Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
2945
2946 default:
2947 return log_error_errno(SYNTHETIC_ERRNO(EIO),
2948 "Container %s failed due to unknown reason.", arg_machine);
2949 }
2950 }
2951
2952 static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) {
2953 PidRef *pid = ASSERT_PTR(userdata);
2954
2955 assert(si);
2956
2957 if (pidref_is_set(pid))
2958 if (pidref_kill(pid, arg_kill_signal) >= 0) {
2959 log_info("Trying to halt container by sending %s to container PID 1. Send SIGTERM again to trigger immediate termination.",
2960 signal_to_string(si->ssi_signo));
2961 sd_event_source_set_userdata(s, NULL);
2962 sd_notify(/* unset_environment= */ false, NOTIFY_STOPPING_MESSAGE);
2963 return 0;
2964 }
2965
2966 log_debug("Got %s, exiting.", signal_to_string(si->ssi_signo));
2967
2968 sd_event_exit(sd_event_source_get_event(s), 0);
2969 return 0;
2970 }
2971
2972 static int on_sigchld(sd_event_source *s, const struct signalfd_siginfo *ssi, void *userdata) {
2973
2974 assert(s);
2975 assert(ssi);
2976
2977 PidRef *pid = ASSERT_PTR(userdata);
2978 for (;;) {
2979 siginfo_t si = {};
2980
2981 if (waitid(P_ALL, 0, &si, WNOHANG|WNOWAIT|WEXITED) < 0)
2982 return log_error_errno(errno, "Failed to waitid(): %m");
2983 if (si.si_pid == 0) /* No pending children. */
2984 break;
2985 if (si.si_pid == pid->pid) {
2986 /* The main process we care for has exited. Return from
2987 * signal handler but leave the zombie. */
2988 sd_event_exit(sd_event_source_get_event(s), 0);
2989 break;
2990 }
2991
2992 /* Reap all other children. */
2993 (void) waitid(P_PID, si.si_pid, &si, WNOHANG|WEXITED);
2994 }
2995
2996 return 0;
2997 }
2998
2999 static int on_request_stop(sd_bus_message *m, void *userdata, sd_bus_error *error) {
3000 PidRef *pid = ASSERT_PTR(userdata);
3001
3002 assert(m);
3003
3004 if (arg_kill_signal > 0) {
3005 log_info("Container termination requested. Attempting to halt container.");
3006 (void) pidref_kill(pid, arg_kill_signal);
3007 } else {
3008 log_info("Container termination requested. Exiting.");
3009 sd_event_exit(sd_bus_get_event(sd_bus_message_get_bus(m)), 0);
3010 }
3011
3012 return 0;
3013 }
3014
3015 static int pick_paths(void) {
3016 int r;
3017
3018 if (arg_directory) {
3019 _cleanup_(pick_result_done) PickResult result = PICK_RESULT_NULL;
3020 PickFilter filter = pick_filter_image_dir;
3021
3022 filter.architecture = arg_architecture;
3023
3024 r = path_pick_update_warn(
3025 &arg_directory,
3026 &filter,
3027 PICK_ARCHITECTURE|PICK_TRIES,
3028 &result);
3029 if (r < 0) {
3030 /* Accept ENOENT here so that the --template= logic can work */
3031 if (r != -ENOENT)
3032 return r;
3033 } else
3034 arg_architecture = result.architecture;
3035 }
3036
3037 if (arg_image) {
3038 _cleanup_(pick_result_done) PickResult result = PICK_RESULT_NULL;
3039 PickFilter filter = pick_filter_image_raw;
3040
3041 filter.architecture = arg_architecture;
3042
3043 r = path_pick_update_warn(
3044 &arg_image,
3045 &filter,
3046 PICK_ARCHITECTURE|PICK_TRIES,
3047 &result);
3048 if (r < 0)
3049 return r;
3050
3051 arg_architecture = result.architecture;
3052 }
3053
3054 if (arg_template) {
3055 _cleanup_(pick_result_done) PickResult result = PICK_RESULT_NULL;
3056 PickFilter filter = pick_filter_image_dir;
3057
3058 filter.architecture = arg_architecture;
3059
3060 r = path_pick_update_warn(
3061 &arg_template,
3062 &filter,
3063 PICK_ARCHITECTURE,
3064 &result);
3065 if (r < 0)
3066 return r;
3067
3068 arg_architecture = result.architecture;
3069 }
3070
3071 return 0;
3072 }
3073
3074 static int determine_names(void) {
3075 int r;
3076
3077 if (arg_template && !arg_directory && arg_machine) {
3078
3079 /* If --template= was specified then we should not search for a machine, but instead create a
3080 * new one in /var/lib/machine. */
3081
3082 arg_directory = path_join("/var/lib/machines", arg_machine);
3083 if (!arg_directory)
3084 return log_oom();
3085 }
3086
3087 if (!arg_image && !arg_directory) {
3088 if (arg_machine) {
3089 _cleanup_(image_unrefp) Image *i = NULL;
3090
3091 r = image_find(arg_privileged ? RUNTIME_SCOPE_SYSTEM : RUNTIME_SCOPE_USER,
3092 IMAGE_MACHINE, arg_machine, NULL, &i);
3093 if (r == -ENOENT)
3094 return log_error_errno(r, "No image for machine '%s'.", arg_machine);
3095 if (r < 0)
3096 return log_error_errno(r, "Failed to find image for machine '%s': %m", arg_machine);
3097
3098 if (IN_SET(i->type, IMAGE_RAW, IMAGE_BLOCK))
3099 r = free_and_strdup(&arg_image, i->path);
3100 else
3101 r = free_and_strdup(&arg_directory, i->path);
3102 if (r < 0)
3103 return log_oom();
3104
3105 if (!arg_ephemeral)
3106 arg_read_only = arg_read_only || i->read_only;
3107 } else {
3108 r = safe_getcwd(&arg_directory);
3109 if (r < 0)
3110 return log_error_errno(r, "Failed to determine current directory: %m");
3111 }
3112
3113 if (!arg_directory && !arg_image)
3114 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine path, please use -D or -i.");
3115 }
3116
3117 if (!arg_machine) {
3118 if (arg_directory && path_equal(arg_directory, "/")) {
3119 arg_machine = gethostname_malloc();
3120 if (!arg_machine)
3121 return log_oom();
3122 } else if (arg_image) {
3123 char *e;
3124
3125 r = path_extract_filename(arg_image, &arg_machine);
3126 if (r < 0)
3127 return log_error_errno(r, "Failed to extract file name from '%s': %m", arg_image);
3128
3129 /* Truncate suffix if there is one */
3130 e = endswith(arg_machine, ".raw");
3131 if (e)
3132 *e = 0;
3133 } else {
3134 r = path_extract_filename(arg_directory, &arg_machine);
3135 if (r < 0)
3136 return log_error_errno(r, "Failed to extract file name from '%s': %m", arg_directory);
3137 }
3138
3139 hostname_cleanup(arg_machine);
3140 if (!hostname_is_valid(arg_machine, 0))
3141 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine machine name automatically, please use -M.");
3142
3143 /* Copy the machine name before the random suffix is added below, otherwise we won't be able
3144 * to match fixed config file names. */
3145 arg_settings_filename = strjoin(arg_machine, ".nspawn");
3146 if (!arg_settings_filename)
3147 return log_oom();
3148
3149 /* Add a random suffix when this is an ephemeral machine, so that we can run many
3150 * instances at once without manually having to specify -M each time. */
3151 if (arg_ephemeral)
3152 if (strextendf(&arg_machine, "-%016" PRIx64, random_u64()) < 0)
3153 return log_oom();
3154 } else {
3155 arg_settings_filename = strjoin(arg_machine, ".nspawn");
3156 if (!arg_settings_filename)
3157 return log_oom();
3158 }
3159
3160 return 0;
3161 }
3162
3163 static int chase_and_update(char **p, unsigned flags) {
3164 char *chased;
3165 int r;
3166
3167 assert(p);
3168
3169 if (!*p)
3170 return 0;
3171
3172 r = chase(*p, NULL, flags, &chased, NULL);
3173 if (r < 0)
3174 return log_error_errno(r, "Failed to resolve path %s: %m", *p);
3175
3176 return free_and_replace(*p, chased);
3177 }
3178
3179 static int determine_uid_shift(const char *directory) {
3180 assert(directory);
3181
3182 if (arg_userns_mode == USER_NAMESPACE_MANAGED) {
3183 /* In managed mode we should already know the UID shift */
3184 assert(uid_is_valid(arg_uid_shift));
3185 return 0;
3186 }
3187
3188 if (arg_userns_mode == USER_NAMESPACE_NO) {
3189 arg_uid_shift = 0;
3190 return 0;
3191 }
3192
3193 if (arg_uid_shift == UID_INVALID) {
3194 struct stat st;
3195
3196 /* Read the UID shift off the image. Maybe we can reuse this to avoid chowning. */
3197
3198 if (stat(directory, &st) < 0)
3199 return log_error_errno(errno, "Failed to determine UID base of %s: %m", directory);
3200
3201 arg_uid_shift = st.st_uid & UINT32_C(0xffff0000);
3202
3203 if (arg_uid_shift != (st.st_gid & UINT32_C(0xffff0000)))
3204 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
3205 "UID and GID base of %s don't match.", directory);
3206
3207 arg_uid_range = UINT32_C(0x10000);
3208
3209 if (arg_uid_shift != 0) {
3210 /* If the image is shifted already, then we'll fall back to classic chowning, for
3211 * compatibility (and simplicity), or refuse if mapping is explicitly requested. */
3212
3213 if (arg_userns_ownership == USER_NAMESPACE_OWNERSHIP_AUTO) {
3214 log_debug("UID base of %s is non-zero, not using UID mapping.", directory);
3215 arg_userns_ownership = USER_NAMESPACE_OWNERSHIP_CHOWN;
3216 } else if (arg_userns_ownership == USER_NAMESPACE_OWNERSHIP_MAP)
3217 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
3218 "UID base of %s is not zero, UID mapping not supported.", directory);
3219 }
3220 }
3221
3222 if (!userns_shift_range_valid(arg_uid_shift, arg_uid_range))
3223 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "UID base too high for UID range.");
3224
3225 return 0;
3226 }
3227
3228 static unsigned long effective_clone_ns_flags(void) {
3229 unsigned long flags = arg_clone_ns_flags;
3230
3231 if (arg_private_network)
3232 flags |= CLONE_NEWNET;
3233 if (arg_use_cgns)
3234 flags |= CLONE_NEWCGROUP;
3235 if (arg_userns_mode != USER_NAMESPACE_NO)
3236 flags |= CLONE_NEWUSER;
3237
3238 return flags;
3239 }
3240
3241 static int patch_sysctl(void) {
3242
3243 /* This table is inspired by runc's sysctl() function */
3244 static const struct {
3245 const char *key;
3246 bool prefix;
3247 unsigned long clone_flags;
3248 } safe_sysctl[] = {
3249 { "kernel.hostname", false, CLONE_NEWUTS },
3250 { "kernel.domainname", false, CLONE_NEWUTS },
3251 { "kernel.msgmax", false, CLONE_NEWIPC },
3252 { "kernel.msgmnb", false, CLONE_NEWIPC },
3253 { "kernel.msgmni", false, CLONE_NEWIPC },
3254 { "kernel.sem", false, CLONE_NEWIPC },
3255 { "kernel.shmall", false, CLONE_NEWIPC },
3256 { "kernel.shmmax", false, CLONE_NEWIPC },
3257 { "kernel.shmmni", false, CLONE_NEWIPC },
3258 { "fs.mqueue.", true, CLONE_NEWIPC },
3259 { "net.", true, CLONE_NEWNET },
3260 };
3261
3262 unsigned long flags;
3263 int r;
3264
3265 flags = effective_clone_ns_flags();
3266
3267 STRV_FOREACH_PAIR(k, v, arg_sysctl) {
3268 bool good = false;
3269
3270 FOREACH_ELEMENT(i, safe_sysctl) {
3271 if (!FLAGS_SET(flags, i->clone_flags))
3272 continue;
3273
3274 if (i->prefix)
3275 good = startswith(*k, i->key);
3276 else
3277 good = streq(*k, i->key);
3278
3279 if (good)
3280 break;
3281 }
3282
3283 if (!good)
3284 return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Refusing to write to sysctl '%s', as it is not safe in the selected namespaces.", *k);
3285
3286 r = sysctl_write(*k, *v);
3287 if (r < 0)
3288 return log_error_errno(r, "Failed to write sysctl '%s': %m", *k);
3289 }
3290
3291 return 0;
3292 }
3293
3294 static int inner_child(
3295 Barrier *barrier,
3296 int fd_inner_socket,
3297 FDSet *fds,
3298 char **os_release_pairs) {
3299
3300 _cleanup_free_ char *home = NULL;
3301 size_t n_env = 1;
3302 char *envp[] = {
3303 (char*) "PATH=" DEFAULT_PATH_COMPAT,
3304 NULL, /* container */
3305 NULL, /* TERM */
3306 NULL, /* COLORTERM */
3307 NULL, /* NO_COLOR */
3308 NULL, /* HOME */
3309 NULL, /* USER */
3310 NULL, /* LOGNAME */
3311 NULL, /* container_uuid */
3312 NULL, /* LISTEN_FDS */
3313 NULL, /* LISTEN_PID */
3314 NULL, /* NOTIFY_SOCKET */
3315 NULL, /* CREDENTIALS_DIRECTORY */
3316 NULL, /* LANG */
3317 NULL
3318 };
3319 const char *exec_target;
3320 _cleanup_strv_free_ char **env_use = NULL;
3321 int r, which_failed;
3322
3323 /* This is the "inner" child process, i.e. the one forked off by the "outer" child process, which is the one
3324 * the container manager itself forked off. At the time of clone() it gained its own CLONE_NEWNS, CLONE_NEWPID,
3325 * CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER namespaces. Note that it has its own CLONE_NEWNS namespace,
3326 * separate from the CLONE_NEWNS created for the "outer" child, and also separate from the host's CLONE_NEWNS
3327 * namespace. The reason for having two levels of CLONE_NEWNS namespaces is that the "inner" one is owned by
3328 * the CLONE_NEWUSER namespace of the container, while the "outer" one is owned by the host's CLONE_NEWUSER
3329 * namespace.
3330 *
3331 * Note at this point we have no CLONE_NEWNET namespace yet. We'll acquire that one later through
3332 * unshare(). See below. */
3333
3334 assert(barrier);
3335 assert(fd_inner_socket >= 0);
3336
3337 log_debug("Inner child is initializing.");
3338
3339 if (arg_userns_mode != USER_NAMESPACE_NO) {
3340 /* Tell the parent, that it now can write the UID map. */
3341 (void) barrier_place(barrier); /* #1 */
3342
3343 /* Wait until the parent wrote the UID map */
3344 if (!barrier_place_and_sync(barrier)) /* #2 */
3345 return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Parent died too early");
3346
3347 /* Become the new root user inside our namespace */
3348 r = reset_uid_gid();
3349 if (r < 0)
3350 return log_error_errno(r, "Couldn't become new root: %m");
3351
3352 /* Creating a new user namespace means all MS_SHARED mounts become MS_SLAVE. Let's put them
3353 * back to MS_SHARED here, since that's what we want as defaults. (This will not reconnect
3354 * propagation, but simply create new peer groups for all our mounts). */
3355 r = mount_follow_verbose(LOG_ERR, NULL, "/", NULL, MS_SHARED|MS_REC, NULL);
3356 if (r < 0)
3357 return r;
3358 }
3359
3360 r = mount_all(/* dest= */ NULL,
3361 arg_mount_settings | MOUNT_IN_USERNS,
3362 arg_uid_shift,
3363 arg_selinux_apifs_context);
3364 if (r < 0)
3365 return r;
3366
3367 if (!arg_network_namespace_path && arg_private_network) {
3368 _cleanup_close_ int netns_fd = -EBADF;
3369
3370 if (arg_userns_mode != USER_NAMESPACE_MANAGED)
3371 if (unshare(CLONE_NEWNET) < 0)
3372 return log_error_errno(errno, "Failed to unshare network namespace: %m");
3373
3374 netns_fd = namespace_open_by_type(NAMESPACE_NET);
3375 if (netns_fd < 0)
3376 return log_error_errno(netns_fd, "Failed to open newly allocate network namespace: %m");
3377
3378 r = send_one_fd(fd_inner_socket, netns_fd, 0);
3379 if (r < 0)
3380 return log_error_errno(r, "Failed to send network namespace to supervisor: %m");
3381
3382 /* Tell the parent that it can setup network interfaces. */
3383 (void) barrier_place(barrier); /* #3 */
3384 }
3385
3386 if (arg_userns_mode != USER_NAMESPACE_MANAGED) {
3387 r = mount_sysfs(NULL, arg_mount_settings | MOUNT_IN_USERNS);
3388 if (r < 0)
3389 return r;
3390 }
3391
3392 /* Wait until we are cgroup-ified, so that we can mount the right cgroup path writable */
3393 if (!barrier_place_and_sync(barrier)) /* #4 */
3394 return log_error_errno(SYNTHETIC_ERRNO(ESRCH),
3395 "Parent died too early");
3396
3397 if (arg_use_cgns) {
3398 r = unshare(CLONE_NEWCGROUP);
3399 if (r < 0)
3400 return log_error_errno(errno, "Failed to unshare cgroup namespace: %m");
3401
3402 r = mount_cgroups(/* dest = */ NULL, /* accept_existing = */ false);
3403 } else
3404 r = bind_mount_cgroup_hierarchy();
3405 if (r < 0)
3406 return r;
3407
3408 r = setup_boot_id();
3409 if (r < 0)
3410 return r;
3411
3412 r = setup_kmsg(fd_inner_socket);
3413 if (r < 0)
3414 return r;
3415
3416 r = mount_custom(
3417 "/",
3418 arg_custom_mounts,
3419 arg_n_custom_mounts,
3420 0,
3421 0,
3422 arg_selinux_apifs_context,
3423 MOUNT_NON_ROOT_ONLY | MOUNT_IN_USERNS);
3424 if (r < 0)
3425 return r;
3426
3427 if (setsid() < 0)
3428 return log_error_errno(errno, "setsid() failed: %m");
3429
3430 if (arg_private_network)
3431 (void) loopback_setup();
3432
3433 if (arg_expose_ports) {
3434 r = expose_port_send_rtnl(fd_inner_socket);
3435 if (r < 0)
3436 return r;
3437 }
3438
3439 if (arg_console_mode != CONSOLE_PIPE) {
3440 _cleanup_close_ int master = -EBADF;
3441 _cleanup_free_ char *console = NULL;
3442
3443 /* Allocate a pty and make it available as /dev/console. */
3444 master = openpt_allocate(O_RDWR|O_NONBLOCK, &console);
3445 if (master < 0)
3446 return log_error_errno(master, "Failed to allocate a pty: %m");
3447
3448 r = setup_dev_console(console);
3449 if (r < 0)
3450 return log_error_errno(r, "Failed to set up /dev/console: %m");
3451
3452 r = send_one_fd(fd_inner_socket, master, 0);
3453 if (r < 0)
3454 return log_error_errno(r, "Failed to send master fd: %m");
3455
3456 r = setup_stdio_as_dev_console();
3457 if (r < 0)
3458 return r;
3459 }
3460
3461 r = patch_sysctl();
3462 if (r < 0)
3463 return r;
3464
3465 if (arg_oom_score_adjust_set) {
3466 r = set_oom_score_adjust(arg_oom_score_adjust);
3467 if (r < 0)
3468 return log_error_errno(r, "Failed to adjust OOM score: %m");
3469 }
3470
3471 if (arg_cpu_set.set)
3472 if (sched_setaffinity(0, arg_cpu_set.allocated, arg_cpu_set.set) < 0)
3473 return log_error_errno(errno, "Failed to set CPU affinity: %m");
3474
3475 (void) setup_hostname();
3476
3477 if (arg_personality != PERSONALITY_INVALID) {
3478 r = safe_personality(arg_personality);
3479 if (r < 0)
3480 return log_error_errno(r, "personality() failed: %m");
3481 #ifdef ARCHITECTURE_SECONDARY
3482 } else if (arg_architecture == ARCHITECTURE_SECONDARY) {
3483 r = safe_personality(PER_LINUX32);
3484 if (r < 0)
3485 return log_error_errno(r, "personality() failed: %m");
3486 #endif
3487 } else if (!arg_quiet && arg_architecture >= 0 && arg_architecture != native_architecture())
3488 log_notice("Selected architecture '%s' not supported natively on the local CPU, assuming "
3489 "invocation with qemu userspace emulator (or equivalent) in effect.",
3490 architecture_to_string(arg_architecture));
3491
3492 r = setrlimit_closest_all((const struct rlimit *const*) arg_rlimit, &which_failed);
3493 if (r < 0)
3494 return log_error_errno(r, "Failed to apply resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed));
3495
3496 #if HAVE_SECCOMP
3497 if (arg_seccomp) {
3498
3499 if (is_seccomp_available()) {
3500 r = seccomp_load(arg_seccomp);
3501 if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
3502 return log_error_errno(r, "Failed to install seccomp filter: %m");
3503 if (r < 0)
3504 log_debug_errno(r, "Failed to install seccomp filter: %m");
3505 }
3506 } else
3507 #endif
3508 {
3509 r = setup_seccomp(arg_caps_retain, arg_syscall_allow_list, arg_syscall_deny_list);
3510 if (r < 0)
3511 return r;
3512 }
3513
3514 if (arg_suppress_sync) {
3515 #if HAVE_SECCOMP
3516 r = seccomp_suppress_sync();
3517 if (r < 0)
3518 log_debug_errno(r, "Failed to install sync() suppression seccomp filter, ignoring: %m");
3519 #else
3520 log_debug("systemd is built without SECCOMP support. Ignoring --suppress-sync= command line option and SuppressSync= setting.");
3521 #endif
3522 }
3523
3524 #if HAVE_SELINUX
3525 if (arg_selinux_context)
3526 if (setexeccon(arg_selinux_context) < 0)
3527 return log_error_errno(errno, "setexeccon(\"%s\") failed: %m", arg_selinux_context);
3528 #endif
3529
3530 /* Make sure we keep the caps across the uid/gid dropping, so that we can retain some selected caps
3531 * if we need to later on. */
3532 if (prctl(PR_SET_KEEPCAPS, 1) < 0)
3533 return log_error_errno(errno, "Failed to set PR_SET_KEEPCAPS: %m");
3534
3535 if (uid_is_valid(arg_uid) || gid_is_valid(arg_gid))
3536 r = change_uid_gid_raw(arg_uid, arg_gid, arg_supplementary_gids, arg_n_supplementary_gids, arg_console_mode != CONSOLE_PIPE);
3537 else
3538 r = change_uid_gid(arg_user, arg_console_mode != CONSOLE_PIPE, &home);
3539 if (r < 0)
3540 return r;
3541
3542 r = drop_capabilities(getuid());
3543 if (r < 0)
3544 return log_error_errno(r, "Dropping capabilities failed: %m");
3545
3546 if (arg_no_new_privileges)
3547 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
3548 return log_error_errno(errno, "Failed to disable new privileges: %m");
3549
3550 /* LXC sets container=lxc, so follow the scheme here */
3551 envp[n_env++] = strjoina("container=", arg_container_service_name);
3552
3553 /* Propagate $TERM & Co. unless we are invoked in pipe mode and stdin/stdout/stderr don't refer to a TTY */
3554 if (arg_console_mode != CONSOLE_PIPE || on_tty()) {
3555 FOREACH_STRING(v, "TERM=", "COLORTERM=", "NO_COLOR=") {
3556 char *t = strv_find_prefix(environ, v);
3557 if (!t)
3558 continue;
3559
3560 envp[n_env++] = t;
3561 }
3562 } else
3563 envp[n_env++] = (char*) "TERM=dumb";
3564
3565 if (home || !uid_is_valid(arg_uid) || arg_uid == 0)
3566 if (asprintf(envp + n_env++, "HOME=%s", home ?: "/root") < 0)
3567 return log_oom();
3568
3569 if (arg_user || !uid_is_valid(arg_uid) || arg_uid == 0)
3570 if (asprintf(envp + n_env++, "USER=%s", arg_user ?: "root") < 0 ||
3571 asprintf(envp + n_env++, "LOGNAME=%s", arg_user ?: "root") < 0)
3572 return log_oom();
3573
3574 assert(!sd_id128_is_null(arg_uuid));
3575
3576 if (asprintf(envp + n_env++, "container_uuid=%s", SD_ID128_TO_UUID_STRING(arg_uuid)) < 0)
3577 return log_oom();
3578
3579 if (!fdset_isempty(fds)) {
3580 r = fdset_cloexec(fds, false);
3581 if (r < 0)
3582 return log_error_errno(r, "Failed to unset O_CLOEXEC for file descriptors.");
3583
3584 if ((asprintf(envp + n_env++, "LISTEN_FDS=%u", fdset_size(fds)) < 0) ||
3585 (asprintf(envp + n_env++, "LISTEN_PID=1") < 0))
3586 return log_oom();
3587 }
3588 if (asprintf(envp + n_env++, "NOTIFY_SOCKET=%s", NSPAWN_NOTIFY_SOCKET_PATH) < 0)
3589 return log_oom();
3590
3591 if (arg_credentials.n_credentials > 0) {
3592 envp[n_env] = strdup("CREDENTIALS_DIRECTORY=/run/host/credentials");
3593 if (!envp[n_env])
3594 return log_oom();
3595 n_env++;
3596 }
3597
3598 if (arg_start_mode != START_BOOT) {
3599 envp[n_env] = strdup("LANG=" SYSTEMD_NSPAWN_LOCALE);
3600 if (!envp[n_env])
3601 return log_oom();
3602 n_env++;
3603 }
3604
3605 env_use = strv_env_merge(envp, os_release_pairs, arg_setenv);
3606 if (!env_use)
3607 return log_oom();
3608
3609 /* Let the parent know that we are ready and wait until the parent is ready with the setup, too... */
3610 if (!barrier_place_and_sync(barrier)) /* #5 */
3611 return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Parent died too early");
3612
3613 /* Note, this should be done this late (💣 and not moved earlier! 💣), so that all namespacing
3614 * changes are already in effect by now, so that any resolved paths here definitely reference
3615 * resources inside the container, and not outside of them. */
3616 if (arg_chdir)
3617 if (chdir(arg_chdir) < 0)
3618 return log_error_errno(errno, "Failed to change to specified working directory %s: %m", arg_chdir);
3619
3620 if (arg_start_mode == START_PID2) {
3621 r = stub_pid1(arg_uuid);
3622 if (r < 0)
3623 return r;
3624 }
3625
3626 if (arg_console_mode != CONSOLE_PIPE) {
3627 /* So far our pty wasn't controlled by any process. Finally, it's time to change that, if we
3628 * are configured for that. Acquire it as controlling tty. */
3629 if (ioctl(STDIN_FILENO, TIOCSCTTY) < 0)
3630 return log_error_errno(errno, "Failed to acquire controlling TTY: %m");
3631 }
3632
3633 log_debug("Inner child finished, invoking payload.");
3634
3635 /* Now, explicitly close the log, so that we then can close all remaining fds. Closing the log explicitly first
3636 * has the benefit that the logging subsystem knows about it, and is thus ready to be reopened should we need
3637 * it again. Note that the other fds closed here are at least the locking and barrier fds. */
3638 log_close();
3639 log_set_open_when_needed(true);
3640 log_settle_target();
3641
3642 (void) fdset_close_others(fds);
3643
3644 if (arg_start_mode == START_BOOT) {
3645 char **a;
3646 size_t m;
3647
3648 /* Automatically search for the init system */
3649
3650 m = strv_length(arg_parameters);
3651 a = newa(char*, m + 2);
3652 memcpy_safe(a + 1, arg_parameters, m * sizeof(char*));
3653 a[1 + m] = NULL;
3654
3655 FOREACH_STRING(init,
3656 "/usr/lib/systemd/systemd",
3657 "/lib/systemd/systemd",
3658 "/sbin/init") {
3659 a[0] = (char*) init;
3660 execve(a[0], a, env_use);
3661 }
3662
3663 exec_target = "/usr/lib/systemd/systemd, /lib/systemd/systemd, /sbin/init";
3664 } else if (!strv_isempty(arg_parameters)) {
3665 const char *dollar_path;
3666
3667 exec_target = arg_parameters[0];
3668
3669 /* Use the user supplied search $PATH if there is one, or DEFAULT_PATH_COMPAT if not to search the
3670 * binary. */
3671 dollar_path = strv_env_get(env_use, "PATH");
3672 if (dollar_path) {
3673 if (setenv("PATH", dollar_path, 1) < 0)
3674 return log_error_errno(errno, "Failed to update $PATH: %m");
3675 }
3676
3677 execvpe(arg_parameters[0], arg_parameters, env_use);
3678 } else {
3679 if (!arg_chdir)
3680 /* If we cannot change the directory, we'll end up in /, that is expected. */
3681 (void) chdir(home ?: "/root");
3682
3683 execle(DEFAULT_USER_SHELL, "-" DEFAULT_USER_SHELL_NAME, NULL, env_use);
3684 if (!streq(DEFAULT_USER_SHELL, "/bin/bash"))
3685 execle("/bin/bash", "-bash", NULL, env_use);
3686 if (!streq(DEFAULT_USER_SHELL, "/bin/sh"))
3687 execle("/bin/sh", "-sh", NULL, env_use);
3688
3689 exec_target = DEFAULT_USER_SHELL ", /bin/bash, /bin/sh";
3690 }
3691
3692 return log_error_errno(errno, "execv(%s) failed: %m", exec_target);
3693 }
3694
3695 static int setup_notify_child(const void *directory) {
3696 _cleanup_close_ int fd = -EBADF;
3697 _cleanup_free_ char *j = NULL;
3698 union sockaddr_union sa = {
3699 .un.sun_family = AF_UNIX,
3700 };
3701 int r;
3702
3703 fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
3704 if (fd < 0)
3705 return log_error_errno(errno, "Failed to allocate notification socket: %m");
3706
3707 if (directory) {
3708 j = path_join(directory, NSPAWN_NOTIFY_SOCKET_PATH);
3709 if (!j)
3710 return log_oom();
3711 }
3712
3713 r = sockaddr_un_set_path(&sa.un, j ?: NSPAWN_NOTIFY_SOCKET_PATH);
3714 if (r < 0)
3715 return log_error_errno(r, "Failed to set AF_UNIX path to %s: %m", j ?: NSPAWN_NOTIFY_SOCKET_PATH);
3716
3717 (void) mkdir_parents(sa.un.sun_path, 0755);
3718 (void) sockaddr_un_unlink(&sa.un);
3719
3720 WITH_UMASK(0577) { /* only set "w" bit, which is all that's necessary for connecting from the container */
3721 r = bind(fd, &sa.sa, sockaddr_un_len(&sa.un));
3722 if (r < 0)
3723 return log_error_errno(errno, "bind(" NSPAWN_NOTIFY_SOCKET_PATH ") failed: %m");
3724 }
3725
3726 r = userns_lchown(sa.un.sun_path, 0, 0);
3727 if (r < 0)
3728 return log_error_errno(r, "Failed to chown " NSPAWN_NOTIFY_SOCKET_PATH ": %m");
3729
3730 r = setsockopt_int(fd, SOL_SOCKET, SO_PASSCRED, true);
3731 if (r < 0)
3732 return log_error_errno(r, "Failed to enable SO_PASSCRED: %m");
3733
3734 r = setsockopt_int(fd, SOL_SOCKET, SO_PASSPIDFD, true);
3735 if (r < 0)
3736 log_debug_errno(r, "Failed to enable SO_PASSPIDFD, ignoring: %m");
3737
3738 r = setsockopt_int(fd, SOL_SOCKET, SO_PASSRIGHTS, false);
3739 if (r < 0)
3740 log_debug_errno(r, "Failed to turn off SO_PASSRIGHTS, ignoring: %m");
3741
3742 return TAKE_FD(fd);
3743 }
3744
3745 static int setup_unix_export_dir_outside(char **ret) {
3746 int r;
3747
3748 assert(ret);
3749
3750 if (arg_userns_mode == USER_NAMESPACE_MANAGED) {
3751 log_debug("Not digging socket tunnel, because running in managed user namespace mode.");
3752 return 0;
3753 }
3754
3755 _cleanup_free_ char *p = NULL;
3756 p = path_join("/run/systemd/nspawn/unix-export", arg_machine);
3757 if (!p)
3758 return log_oom();
3759
3760 r = path_is_mount_point(p);
3761 if (r > 0)
3762 return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Mount point '%s' exists already, refusing.", p);
3763 if (r < 0 && r != -ENOENT)
3764 return log_error_errno(r, "Failed to detect if '%s' is a mount point: %m", p);
3765
3766 r = mkdir_p(p, 0755);
3767 if (r < 0)
3768 return log_error_errno(r, "Failed to create '%s': %m", p);
3769
3770 _cleanup_(rmdir_and_freep) char *q = TAKE_PTR(p);
3771
3772 /* Mount the "unix export" directory really tiny, just 64 inodes. We mark the superblock writable
3773 * (since the container shall bind sockets into it). */
3774 r = mount_nofollow_verbose(
3775 LOG_ERR,
3776 "tmpfs",
3777 q,
3778 "tmpfs",
3779 MS_NODEV|MS_NOEXEC|MS_NOSUID|ms_nosymfollow_supported(),
3780 "size=4M,nr_inodes=64,mode=0755");
3781 if (r < 0)
3782 return r;
3783
3784 _cleanup_(umount_and_rmdir_and_freep) char *w = TAKE_PTR(q);
3785
3786 /* After creating the superblock we change the bind mount to be read-only. This means that the fs
3787 * itself is writable, but not through the mount accessible from the host. */
3788 r = mount_nofollow_verbose(
3789 LOG_ERR,
3790 /* what= */ NULL,
3791 w,
3792 /* fstype= */ NULL,
3793 MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NODEV|MS_NOEXEC|MS_NOSUID|ms_nosymfollow_supported(),
3794 /* options= */ NULL);
3795 if (r < 0)
3796 return r;
3797
3798 *ret = TAKE_PTR(w);
3799 return 0;
3800 }
3801
3802 static int setup_unix_export_host_inside(const char *directory, const char *unix_export_path) {
3803 int r;
3804
3805 assert(directory);
3806
3807 if (arg_userns_mode == USER_NAMESPACE_MANAGED)
3808 return 0;
3809
3810 assert(unix_export_path);
3811
3812 r = make_run_host(directory);
3813 if (r < 0)
3814 return r;
3815
3816 _cleanup_free_ char *p = path_join(directory, "run/host/unix-export");
3817 if (!p)
3818 return log_oom();
3819
3820 if (mkdir(p, 0755) < 0)
3821 return log_error_errno(errno, "Failed to create '%s': %m", p);
3822
3823 r = mount_nofollow_verbose(
3824 LOG_ERR,
3825 unix_export_path,
3826 p,
3827 /* fstype= */ NULL,
3828 MS_BIND,
3829 /* options= */ NULL);
3830 if (r < 0)
3831 return r;
3832
3833 r = mount_nofollow_verbose(
3834 LOG_ERR,
3835 /* what= */ NULL,
3836 p,
3837 /* fstype= */ NULL,
3838 MS_BIND|MS_REMOUNT|MS_NODEV|MS_NOEXEC|MS_NOSUID|ms_nosymfollow_supported(),
3839 /* options= */ NULL);
3840 if (r < 0)
3841 return r;
3842
3843 r = userns_lchown(p, 0, 0);
3844 if (r < 0)
3845 return log_error_errno(r, "Failed to chown '%s': %m", p);
3846
3847 return 0;
3848 }
3849
3850 static DissectImageFlags determine_dissect_image_flags(void) {
3851 return
3852 DISSECT_IMAGE_GENERIC_ROOT |
3853 DISSECT_IMAGE_REQUIRE_ROOT |
3854 DISSECT_IMAGE_RELAX_VAR_CHECK |
3855 DISSECT_IMAGE_USR_NO_ROOT |
3856 DISSECT_IMAGE_DISCARD_ON_LOOP |
3857 DISSECT_IMAGE_ADD_PARTITION_DEVICES |
3858 DISSECT_IMAGE_PIN_PARTITION_DEVICES |
3859 (arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK|DISSECT_IMAGE_GROWFS) |
3860 DISSECT_IMAGE_ALLOW_USERSPACE_VERITY |
3861 (arg_console_mode == CONSOLE_INTERACTIVE && arg_ask_password ? DISSECT_IMAGE_ALLOW_INTERACTIVE_AUTH : 0) |
3862 ((arg_userns_ownership == USER_NAMESPACE_OWNERSHIP_FOREIGN) ? DISSECT_IMAGE_FOREIGN_UID :
3863 (arg_userns_ownership != USER_NAMESPACE_OWNERSHIP_AUTO) ? DISSECT_IMAGE_IDENTITY_UID : 0);
3864 }
3865
3866 static int outer_child(
3867 Barrier *barrier,
3868 const char *directory,
3869 int mount_fd,
3870 DissectedImage *dissected_image,
3871 int fd_outer_socket,
3872 int fd_inner_socket,
3873 FDSet *fds,
3874 int netns_fd,
3875 const char *unix_export_path) {
3876
3877 _cleanup_strv_free_ char **os_release_pairs = NULL;
3878 bool idmap = false;
3879 ssize_t l;
3880 int r;
3881
3882 /* This is the "outer" child process, i.e the one forked off by the container manager itself. Its
3883 * namespace situation is:
3884 *
3885 * - CLONE_NEWUSER : if not in USER_NAMESPACE_MANAGED mode: still in the host's
3886 * if USER_NAMESPACE_MANAGED mode: already has its own (created by nsresource_allocate_userns()->setns(userns_fd))
3887 * - CLONE_NEWNS : already has its own (created by clone() if not USER_NAMESPACE_MANAGED, or unshare() otherwise)
3888 * - CLONE_NEWPID : still in the host's
3889 * - CLONE_NEWUTS : still in the host's
3890 * - CLONE_NEWIPC : still in the host's
3891 * - CLONE_NEWNET : still in the host's
3892 *
3893 * After it completed a number of initializations a second child (the "inner" one) is forked off it,
3894 * and it exits. */
3895
3896 assert(barrier);
3897 assert(directory);
3898 assert(fd_outer_socket >= 0);
3899 assert(fd_inner_socket >= 0);
3900
3901 log_debug("Outer child is initializing.");
3902
3903 r = load_os_release_pairs_with_prefix("/", "container_host_", &os_release_pairs);
3904 if (r < 0)
3905 log_debug_errno(r, "Failed to read os-release from host for container, ignoring: %m");
3906
3907 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0)
3908 return log_error_errno(errno, "PR_SET_PDEATHSIG failed: %m");
3909
3910 r = reset_audit_loginuid();
3911 if (r < 0)
3912 return r;
3913
3914 /* Mark everything as slave, so that we still receive mounts from the real root, but don't propagate
3915 * mounts to the real root. */
3916 r = mount_follow_verbose(LOG_ERR, NULL, "/", NULL, MS_SLAVE|MS_REC, NULL);
3917 if (r < 0)
3918 return r;
3919
3920 /* Put the root dir into the target directory now. One of three mechanisms is provided: either we
3921 * have a single mount fd (typically unprivileged --directory= mode) or we have a fully dissected
3922 * image (--image= mode), or we have a regular path. */
3923 if (mount_fd >= 0) {
3924 assert(arg_directory);
3925 assert(!arg_image);
3926
3927 if (move_mount(mount_fd, "", AT_FDCWD, directory, MOVE_MOUNT_F_EMPTY_PATH) < 0)
3928 return log_error_errno(errno, "Failed to attach root directory: %m");
3929
3930 mount_fd = safe_close(mount_fd);
3931 log_debug("Successfully attached root directory to '%s'.", directory);
3932
3933 } else if (dissected_image) {
3934 assert(!arg_directory);
3935 assert(arg_image);
3936
3937 /* If we are operating on a disk image, then mount its root directory now, but leave out the
3938 * rest. We can read the UID shift from it if we need to. Further down we'll mount the rest,
3939 * but then with the uid shift known. That way we can mount VFAT file systems shifted to the
3940 * right place right away. This makes sure ESP partitions and userns are compatible. */
3941
3942 r = dissected_image_mount_and_warn(
3943 dissected_image,
3944 directory,
3945 arg_uid_shift,
3946 arg_uid_range,
3947 /* userns_fd= */ -EBADF,
3948 determine_dissect_image_flags()|
3949 DISSECT_IMAGE_MOUNT_ROOT_ONLY|
3950 (arg_start_mode == START_BOOT ? DISSECT_IMAGE_VALIDATE_OS : 0));
3951 if (r < 0)
3952 return r;
3953 } else {
3954 assert(arg_directory);
3955 assert(!arg_image);
3956
3957 r = mount_nofollow_verbose(LOG_ERR, arg_directory, directory, /* fstype= */ NULL, MS_BIND|MS_REC, /* options= */ NULL);
3958 if (r < 0)
3959 return r;
3960 }
3961
3962 r = determine_uid_shift(directory);
3963 if (r < 0)
3964 return r;
3965
3966 /* If we do userns on our own, we need to chown() all files ourselves before. Otherwise, if userns is
3967 * off or we are in managed mode we already have the userns applied, hence don't need to chown
3968 * anything */
3969 uid_t chown_uid, chown_range;
3970 if (in_child_chown()) {
3971 chown_uid = arg_uid_shift;
3972 chown_range = arg_uid_range;
3973 } else {
3974 chown_uid = 0;
3975 chown_range = UINT32_C(0x10000);
3976 }
3977
3978 if (arg_userns_mode != USER_NAMESPACE_NO) {
3979 _cleanup_close_ int mntns_fd = -EBADF;
3980
3981 mntns_fd = namespace_open_by_type(NAMESPACE_MOUNT);
3982 if (mntns_fd < 0)
3983 return log_error_errno(mntns_fd, "Failed to pin outer mount namespace: %m");
3984
3985 l = send_one_fd(fd_outer_socket, mntns_fd, 0);
3986 if (l < 0)
3987 return log_error_errno(l, "Failed to send outer mount namespace fd: %m");
3988 mntns_fd = safe_close(mntns_fd);
3989
3990 /* Let the parent know which UID shift we read from the image */
3991 l = send(fd_outer_socket, &arg_uid_shift, sizeof(arg_uid_shift), MSG_NOSIGNAL);
3992 if (l < 0)
3993 return log_error_errno(errno, "Failed to send UID shift: %m");
3994 if (l != sizeof(arg_uid_shift))
3995 return log_error_errno(SYNTHETIC_ERRNO(EIO),
3996 "Short write while sending UID shift.");
3997
3998 if (arg_userns_mode == USER_NAMESPACE_PICK) {
3999 /* When we are supposed to pick the UID shift, the parent will check now whether the
4000 * UID shift we just read from the image is available. If yes, it will send the UID
4001 * shift back to us, if not it will pick a different one, and send it back to us. */
4002
4003 l = recv(fd_outer_socket, &arg_uid_shift, sizeof(arg_uid_shift), 0);
4004 if (l < 0)
4005 return log_error_errno(errno, "Failed to recv UID shift: %m");
4006 if (l != sizeof(arg_uid_shift))
4007 return log_error_errno(SYNTHETIC_ERRNO(EIO),
4008 "Short read while receiving UID shift.");
4009
4010 if (in_child_chown())
4011 chown_uid = arg_uid_shift;
4012 }
4013
4014 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO,
4015 "Selected user namespace base " UID_FMT " and range " UID_FMT ".", arg_uid_shift, arg_uid_range);
4016 }
4017
4018 /* So the whole tree is now MS_SLAVE, i.e. we'll still receive mount/umount events from the host
4019 * mount namespace. For the directory we are going to run our container let's turn this off, so that
4020 * we'll live in our own little world from now on, and propagation from the host may only happen via
4021 * the mount tunnel dir, or not at all. */
4022 r = mount_follow_verbose(LOG_ERR, NULL, directory, NULL, MS_PRIVATE|MS_REC, NULL);
4023 if (r < 0)
4024 return r;
4025
4026 r = setup_pivot_root(
4027 directory,
4028 arg_pivot_root_new,
4029 arg_pivot_root_old);
4030 if (r < 0)
4031 return r;
4032
4033 r = setup_volatile_mode(
4034 directory,
4035 arg_volatile_mode,
4036 chown_uid,
4037 arg_selinux_apifs_context);
4038 if (r < 0)
4039 return r;
4040
4041 _cleanup_(machine_bind_user_context_freep) MachineBindUserContext *bind_user_context = NULL;
4042 r = machine_bind_user_prepare(
4043 directory,
4044 arg_bind_user,
4045 arg_bind_user_shell,
4046 arg_bind_user_shell_copy,
4047 &bind_user_context);
4048 if (r < 0)
4049 return r;
4050
4051 if (bind_user_context)
4052 FOREACH_ARRAY(bind_user, bind_user_context->data, bind_user_context->n_data) {
4053 _cleanup_free_ char *sm = strdup(user_record_home_directory(bind_user->host_user));
4054 if (!sm)
4055 return log_oom();
4056
4057 _cleanup_free_ char *sd = strdup(user_record_home_directory(bind_user->payload_user));
4058 if (!sd)
4059 return log_oom();
4060
4061 if (!GREEDY_REALLOC(arg_custom_mounts, arg_n_custom_mounts + 1))
4062 return log_oom();
4063
4064 char *options = strdup("owneridmap");
4065 if (!options)
4066 return log_oom();
4067
4068 arg_custom_mounts[arg_n_custom_mounts++] = (CustomMount) {
4069 .type = CUSTOM_MOUNT_BIND,
4070 .source = TAKE_PTR(sm),
4071 .destination = TAKE_PTR(sd),
4072 .options = TAKE_PTR(options),
4073 .destination_uid = bind_user->payload_user->uid,
4074 };
4075 }
4076
4077 r = mount_custom(
4078 directory,
4079 arg_custom_mounts,
4080 arg_n_custom_mounts,
4081 chown_uid,
4082 chown_range,
4083 arg_selinux_apifs_context,
4084 MOUNT_ROOT_ONLY);
4085 if (r < 0)
4086 return r;
4087
4088 if (!IN_SET(arg_userns_mode, USER_NAMESPACE_NO, USER_NAMESPACE_MANAGED) &&
4089 IN_SET(arg_userns_ownership, USER_NAMESPACE_OWNERSHIP_MAP, USER_NAMESPACE_OWNERSHIP_FOREIGN, USER_NAMESPACE_OWNERSHIP_AUTO) &&
4090 chown_uid != 0) {
4091 _cleanup_strv_free_ char **dirs = NULL;
4092 RemountIdmapping mapping;
4093
4094 switch (arg_userns_ownership) {
4095 case USER_NAMESPACE_OWNERSHIP_MAP:
4096 mapping = REMOUNT_IDMAPPING_HOST_ROOT;
4097 break;
4098
4099 case USER_NAMESPACE_OWNERSHIP_FOREIGN:
4100 mapping = REMOUNT_IDMAPPING_FOREIGN_WITH_HOST_ROOT;
4101 break;
4102
4103 case USER_NAMESPACE_OWNERSHIP_AUTO: {
4104 struct stat st;
4105
4106 if (lstat(directory, &st) < 0)
4107 return log_error_errno(errno, "Failed to stat() container root directory '%s': %m", directory);
4108
4109 r = stat_verify_directory(&st);
4110 if (r < 0)
4111 return log_error_errno(r, "Container root directory '%s' is not a directory: %m", directory);
4112
4113 mapping = uid_is_foreign(st.st_uid) ?
4114 REMOUNT_IDMAPPING_FOREIGN_WITH_HOST_ROOT :
4115 REMOUNT_IDMAPPING_HOST_ROOT;
4116 break;
4117 }
4118
4119 default:
4120 assert_not_reached();
4121 }
4122
4123 if (arg_volatile_mode != VOLATILE_YES) {
4124 r = strv_extend(&dirs, directory);
4125 if (r < 0)
4126 return log_oom();
4127 }
4128
4129 if ((dissected_image && dissected_image->partitions[PARTITION_USR].found) ||
4130 arg_volatile_mode == VOLATILE_YES) {
4131 char *s = path_join(directory, "/usr");
4132 if (!s)
4133 return log_oom();
4134
4135 r = strv_consume(&dirs, s);
4136 if (r < 0)
4137 return log_oom();
4138 }
4139
4140 r = remount_idmap(
4141 dirs,
4142 chown_uid,
4143 chown_range,
4144 /* host_owner= */ UID_INVALID,
4145 /* dest_owner= */ UID_INVALID,
4146 mapping);
4147 if (r == -EINVAL || ERRNO_IS_NEG_NOT_SUPPORTED(r)) {
4148 /* This might fail because the kernel or file system doesn't support idmapping. We
4149 * can't really distinguish this nicely, nor do we have any guarantees about the
4150 * error codes we see, could be EOPNOTSUPP or EINVAL. */
4151 if (arg_userns_ownership != USER_NAMESPACE_OWNERSHIP_AUTO)
4152 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
4153 "ID mapped mounts are apparently not available, sorry.");
4154
4155 log_debug("ID mapped mounts are apparently not available on this kernel or for the selected file system, reverting to recursive chown()ing.");
4156 arg_userns_ownership = USER_NAMESPACE_OWNERSHIP_CHOWN;
4157 } else if (r < 0)
4158 return log_error_errno(r, "Failed to set up ID mapped mounts: %m");
4159 else {
4160 log_debug("ID mapped mounts available, making use of them.");
4161 idmap = true;
4162 }
4163 }
4164
4165 r = setup_volatile_mode_after_remount_idmap(
4166 directory,
4167 arg_volatile_mode,
4168 chown_uid,
4169 arg_selinux_apifs_context);
4170 if (r < 0)
4171 return r;
4172
4173 if (dissected_image) {
4174 /* Now we know the uid shift, let's now mount everything else that might be in the image. */
4175 r = dissected_image_mount_and_warn(
4176 dissected_image,
4177 directory,
4178 chown_uid,
4179 chown_range,
4180 /* userns_fd= */ -EBADF,
4181 determine_dissect_image_flags()|
4182 DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY|
4183 (idmap ? DISSECT_IMAGE_MOUNT_IDMAPPED : 0));
4184 if (r < 0)
4185 return r;
4186 }
4187
4188 r = recursive_chown(directory, chown_uid, chown_range);
4189 if (r < 0)
4190 return r;
4191
4192 r = base_filesystem_create(directory, chown_uid, (gid_t) chown_uid);
4193 if (r < 0)
4194 return r;
4195
4196 if (arg_read_only && arg_volatile_mode == VOLATILE_NO &&
4197 !has_custom_root_mount(arg_custom_mounts, arg_n_custom_mounts)) {
4198 r = bind_remount_recursive(directory, MS_RDONLY, MS_RDONLY, NULL);
4199 if (r < 0)
4200 return log_error_errno(r, "Failed to make tree read-only: %m");
4201 }
4202
4203 r = mount_all(directory,
4204 arg_mount_settings,
4205 chown_uid,
4206 arg_selinux_apifs_context);
4207 if (r < 0)
4208 return r;
4209
4210 r = copy_devnodes(directory);
4211 if (r < 0)
4212 return r;
4213
4214 r = make_extra_nodes(directory);
4215 if (r < 0)
4216 return r;
4217
4218 (void) dev_setup(directory, chown_uid, chown_uid);
4219
4220 _cleanup_free_ char *p = path_join(directory, "/run/host");
4221 if (!p)
4222 return log_oom();
4223
4224 (void) make_inaccessible_nodes(p, chown_uid, chown_uid);
4225
4226 r = setup_unix_export_host_inside(directory, unix_export_path);
4227 if (r < 0)
4228 return r;
4229
4230 r = setup_pts(directory, chown_uid);
4231 if (r < 0)
4232 return r;
4233
4234 r = mount_tunnel_dig(directory);
4235 if (r < 0)
4236 return r;
4237
4238 r = setup_keyring();
4239 if (r < 0)
4240 return r;
4241
4242 r = setup_credentials(directory);
4243 if (r < 0)
4244 return r;
4245
4246 r = bind_user_setup(bind_user_context, directory);
4247 if (r < 0)
4248 return r;
4249
4250 r = mount_custom(
4251 directory,
4252 arg_custom_mounts,
4253 arg_n_custom_mounts,
4254 chown_uid,
4255 chown_range,
4256 arg_selinux_apifs_context,
4257 MOUNT_NON_ROOT_ONLY);
4258 if (r < 0)
4259 return r;
4260
4261 r = setup_timezone(directory);
4262 if (r < 0)
4263 return r;
4264
4265 r = setup_resolv_conf(directory);
4266 if (r < 0)
4267 return r;
4268
4269 r = setup_machine_id(directory);
4270 if (r < 0)
4271 return r;
4272
4273 r = setup_journal(directory);
4274 if (r < 0)
4275 return r;
4276
4277 /* The same stuff as the $container env var, but nicely readable for the entire payload */
4278 free(p);
4279 p = path_join(directory, "/run/host/container-manager");
4280 if (!p)
4281 return log_oom();
4282
4283 (void) write_string_file(p, arg_container_service_name, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MODE_0444);
4284
4285 /* The same stuff as the $container_uuid env var */
4286 free(p);
4287 p = path_join(directory, "/run/host/container-uuid");
4288 if (!p)
4289 return log_oom();
4290
4291 (void) write_string_filef(p, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MODE_0444, SD_ID128_UUID_FORMAT_STR, SD_ID128_FORMAT_VAL(arg_uuid));
4292
4293 if (!arg_use_cgns) {
4294 r = mount_cgroups(directory, /* accept_existing = */ true);
4295 if (r < 0)
4296 return r;
4297 }
4298
4299 /* We have different codepaths here for privileged and non-privileged mode. In privileged mode we'll
4300 * now switch into the target directory, and then do the final setup from there. If a user namespace
4301 * is then allocated for the container, the root mount and everything else will be out of reach for
4302 * it. For unprivileged containers we cannot do that however, since we couldn't mount a sysfs and
4303 * procfs then anymore, since that only works if there's an unobstructed instance currently
4304 * visible. Hence there we do it the other way round: we first allocate a new set of namespaces
4305 * (and fork for it) for which we then mount sysfs/procfs, and only then switch root. */
4306
4307 _cleanup_close_ int notify_fd = -EBADF;
4308 if (arg_userns_mode != USER_NAMESPACE_MANAGED) {
4309 /* Mark everything as shared so our mounts get propagated down. This is required to make new
4310 * bind mounts available in systemd services inside the container that create a new mount
4311 * namespace. See https://github.com/systemd/systemd/issues/3860 Further submounts (such as
4312 * /dev/) done after this will inherit the shared propagation mode.
4313 *
4314 * IMPORTANT: Do not overmount the root directory anymore from now on to enable moving the root
4315 * directory mount to root later on.
4316 * https://github.com/systemd/systemd/issues/3847#issuecomment-562735251
4317 */
4318 r = mount_switch_root(directory, MS_SHARED);
4319 if (r < 0)
4320 return log_error_errno(r, "Failed to move root directory: %m");
4321
4322 /* We finished setting up the rootfs which is a shared mount. The mount tunnel needs to be a
4323 * dependent mount otherwise we can't MS_MOVE mounts that were propagated from the host into
4324 * the container. */
4325 r = mount_tunnel_open();
4326 if (r < 0)
4327 return r;
4328
4329 if (arg_userns_mode != USER_NAMESPACE_NO) {
4330 /* In order to mount procfs and sysfs in an unprivileged container the kernel
4331 * requires that a fully visible instance is already present in the target mount
4332 * namespace. Mount one here so the inner child can mount its own instances. Later
4333 * we umount the temporary instances created here before we actually exec the
4334 * payload. Since the rootfs is shared the umount will propagate into the container.
4335 * Note, the inner child wouldn't be able to unmount the instances on its own since
4336 * it doesn't own the originating mount namespace. IOW, the outer child needs to do
4337 * this. */
4338 r = pin_fully_visible_api_fs();
4339 if (r < 0)
4340 return r;
4341 }
4342
4343 notify_fd = setup_notify_child(NULL);
4344 } else
4345 notify_fd = setup_notify_child(directory);
4346 if (notify_fd < 0)
4347 return notify_fd;
4348
4349 pid_t pid = raw_clone(SIGCHLD|CLONE_NEWNS|
4350 arg_clone_ns_flags |
4351 (IN_SET(arg_userns_mode, USER_NAMESPACE_FIXED, USER_NAMESPACE_PICK) ? CLONE_NEWUSER : 0) |
4352 ((arg_private_network && arg_userns_mode == USER_NAMESPACE_MANAGED) ? CLONE_NEWNET : 0));
4353 if (pid < 0)
4354 return log_error_errno(errno, "Failed to fork inner child: %m");
4355 if (pid == 0) {
4356 fd_outer_socket = safe_close(fd_outer_socket);
4357
4358 /* The inner child has all namespaces that are requested, so that we all are owned by the
4359 * user if user namespaces are turned on. */
4360
4361 if (arg_network_namespace_path) {
4362 r = namespace_enter(/* pidns_fd = */ -EBADF,
4363 /* mntns_fd = */ -EBADF,
4364 netns_fd,
4365 /* userns_fd = */ -EBADF,
4366 /* root_fd = */ -EBADF);
4367 if (r < 0)
4368 return log_error_errno(r, "Failed to join network namespace: %m");
4369 }
4370
4371 if (arg_userns_mode == USER_NAMESPACE_MANAGED) {
4372 /* In managed usernamespace operation, sysfs + procfs are special, we'll have to
4373 * mount them inside the inner namespaces, but before we switch root. Hence do so
4374 * here. */
4375 _cleanup_free_ char *j = path_join(directory, "/proc");
4376 if (!j)
4377 return log_oom();
4378
4379 r = mount_follow_verbose(LOG_ERR, "proc", j, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
4380 if (r < 0)
4381 return r;
4382
4383 r = mount_sysfs(directory, arg_mount_settings);
4384 if (r < 0)
4385 return r;
4386
4387 r = mount_switch_root(directory, MS_SHARED);
4388 if (r < 0)
4389 return log_error_errno(r, "Failed to move root directory: %m");
4390 }
4391
4392 r = inner_child(barrier, fd_inner_socket, fds, os_release_pairs);
4393 if (r < 0)
4394 _exit(EXIT_FAILURE);
4395
4396 _exit(EXIT_SUCCESS);
4397 }
4398
4399 l = send(fd_outer_socket, &pid, sizeof(pid), MSG_NOSIGNAL);
4400 if (l < 0)
4401 return log_error_errno(errno, "Failed to send PID: %m");
4402 if (l != sizeof(pid))
4403 return log_error_errno(SYNTHETIC_ERRNO(EIO),
4404 "Short write while sending PID.");
4405
4406 l = send(fd_outer_socket, &arg_uuid, sizeof(arg_uuid), MSG_NOSIGNAL);
4407 if (l < 0)
4408 return log_error_errno(errno, "Failed to send machine ID: %m");
4409 if (l != sizeof(arg_uuid))
4410 return log_error_errno(SYNTHETIC_ERRNO(EIO),
4411 "Short write while sending machine ID.");
4412
4413 l = send_one_fd(fd_outer_socket, notify_fd, 0);
4414 if (l < 0)
4415 return log_error_errno(l, "Failed to send notify fd: %m");
4416
4417 fd_outer_socket = safe_close(fd_outer_socket);
4418 fd_inner_socket = safe_close(fd_inner_socket);
4419 netns_fd = safe_close(netns_fd);
4420
4421 return 0;
4422 }
4423
4424 static int uid_shift_pick(uid_t *shift, LockFile *ret_lock_file) {
4425 bool tried_hashed = false;
4426 unsigned n_tries = 100;
4427 uid_t candidate;
4428 int r;
4429
4430 assert(shift);
4431 assert(ret_lock_file);
4432 assert(arg_userns_mode == USER_NAMESPACE_PICK);
4433 assert(arg_uid_range == 0x10000U);
4434
4435 candidate = *shift;
4436
4437 (void) mkdir("/run/systemd/nspawn-uid", 0755);
4438
4439 for (;;) {
4440 char lock_path[STRLEN("/run/systemd/nspawn-uid/") + DECIMAL_STR_MAX(uid_t) + 1];
4441 _cleanup_(release_lock_file) LockFile lf = LOCK_FILE_INIT;
4442
4443 if (--n_tries <= 0)
4444 return -EBUSY;
4445
4446 if (candidate < CONTAINER_UID_BASE_MIN || candidate > CONTAINER_UID_BASE_MAX)
4447 goto next;
4448 if ((candidate & UINT32_C(0xFFFF)) != 0)
4449 goto next;
4450
4451 xsprintf(lock_path, "/run/systemd/nspawn-uid/" UID_FMT, candidate);
4452 r = make_lock_file(lock_path, LOCK_EX|LOCK_NB, &lf);
4453 if (r == -EBUSY) /* Range already taken by another nspawn instance */
4454 goto next;
4455 if (r < 0)
4456 return r;
4457
4458 /* Make some superficial checks whether the range is currently known in the user database */
4459 if (getpwuid_malloc(candidate, /* ret= */ NULL) >= 0)
4460 goto next;
4461 if (getpwuid_malloc(candidate + UINT32_C(0xFFFE), /* ret= */ NULL) >= 0)
4462 goto next;
4463 if (getgrgid_malloc(candidate, /* ret= */ NULL) >= 0)
4464 goto next;
4465 if (getgrgid_malloc(candidate + UINT32_C(0xFFFE), /* ret= */ NULL) >= 0)
4466 goto next;
4467
4468 *ret_lock_file = lf;
4469 lf = (struct LockFile) LOCK_FILE_INIT;
4470 *shift = candidate;
4471 return 0;
4472
4473 next:
4474 if (arg_machine && !tried_hashed) {
4475 /* Try to hash the base from the container name */
4476
4477 static const uint8_t hash_key[] = {
4478 0xe1, 0x56, 0xe0, 0xf0, 0x4a, 0xf0, 0x41, 0xaf,
4479 0x96, 0x41, 0xcf, 0x41, 0x33, 0x94, 0xff, 0x72
4480 };
4481
4482 candidate = (uid_t) siphash24(arg_machine, strlen(arg_machine), hash_key);
4483
4484 tried_hashed = true;
4485 } else
4486 random_bytes(&candidate, sizeof(candidate));
4487
4488 candidate = (candidate % (CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN)) + CONTAINER_UID_BASE_MIN;
4489 candidate &= (uid_t) UINT32_C(0xFFFF0000);
4490 }
4491 }
4492
4493 static int setup_uid_map(
4494 const PidRef *pid,
4495 const uid_t bind_user_uid[],
4496 size_t n_bind_user_uid) {
4497
4498 char uid_map[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(uid_t) + 1];
4499 _cleanup_free_ char *s = NULL;
4500 int r;
4501
4502 assert(pidref_is_set(pid));
4503 assert(pid->pid > 1);
4504
4505 if (asprintf(&s, "0 " UID_FMT " " UID_FMT "\n", arg_uid_shift, arg_uid_range) < 0)
4506 return log_oom();
4507
4508 xsprintf(uid_map, "/proc/" PID_FMT "/uid_map", pid->pid);
4509 r = write_string_file(uid_map, s, WRITE_STRING_FILE_DISABLE_BUFFER);
4510 if (r < 0)
4511 return log_error_errno(r, "Failed to write UID map: %m");
4512
4513 xsprintf(uid_map, "/proc/" PID_FMT "/gid_map", pid->pid);
4514 r = write_string_file(uid_map, s, WRITE_STRING_FILE_DISABLE_BUFFER);
4515 if (r < 0)
4516 return log_error_errno(r, "Failed to write GID map: %m");
4517
4518 return 0;
4519 }
4520
4521 static int nspawn_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
4522 PidRef *inner_child_pid = ASSERT_PTR(userdata);
4523 int r;
4524
4525 assert(userdata);
4526
4527 _cleanup_(pidref_done) PidRef sender_pid = PIDREF_NULL;
4528 _cleanup_strv_free_ char **tags = NULL;
4529 r = notify_recv_strv(fd, &tags, /* ret_ucred= */ NULL, &sender_pid);
4530 if (r == -EAGAIN)
4531 return 0;
4532 if (r < 0)
4533 return r;
4534
4535 if (!pidref_equal(&sender_pid, inner_child_pid)) {
4536 log_debug("Received notify message from process that is not the payload's PID 1. Ignoring.");
4537 return 0;
4538 }
4539
4540 if (DEBUG_LOGGING) {
4541 _cleanup_free_ char *joined = strv_join(tags, " ");
4542
4543 if (joined) {
4544 _cleanup_free_ char *j = cescape(joined);
4545 free_and_replace(joined, j);
4546 }
4547
4548 log_debug("Got sd_notify() message: %s", strnull(joined));
4549 }
4550
4551 char *status = strv_find_startswith(tags, "STATUS=");
4552 if (status)
4553 (void) sd_notifyf(/* unset_environment= */ false, "STATUS=Container running: %s", status);
4554
4555 if (strv_contains(tags, "READY=1")) {
4556 r = sd_notify(/* unset_environment= */ false, "READY=1\n");
4557 if (r < 0)
4558 log_warning_errno(r, "Failed to send readiness notification, ignoring: %m");
4559
4560 if (!status)
4561 (void) sd_notifyf(/* unset_environment= */ false, "STATUS=Container running.");
4562 }
4563
4564 return 0;
4565 }
4566
4567 static int setup_notify_parent(sd_event *event, int fd, PidRef *inner_child_pid, sd_event_source **notify_event_source) {
4568 int r;
4569
4570 if (fd < 0)
4571 return 0;
4572
4573 r = sd_event_add_io(event, notify_event_source, fd, EPOLLIN, nspawn_dispatch_notify_fd, inner_child_pid);
4574 if (r < 0)
4575 return log_error_errno(r, "Failed to allocate notify event source: %m");
4576
4577 (void) sd_event_source_set_description(*notify_event_source, "nspawn-notify");
4578
4579 return 0;
4580 }
4581
4582 static int ptyfwd_hotkey(PTYForward *f, char c, void *userdata) {
4583 PidRef *pid = ASSERT_PTR(userdata);
4584 const char *word;
4585 int sig = 0, r;
4586
4587 assert(f);
4588
4589 switch (c) {
4590 case 'p':
4591 sig = SIGRTMIN+4;
4592 word = "power off";
4593 break;
4594
4595 case 'r':
4596 sig = SIGRTMIN+5;
4597 word = "reboot";
4598 break;
4599
4600 default:
4601 log_info("Unknown hotkey sequence ^]^]%c, ignoring.", c);
4602 return 0;
4603 }
4604
4605 r = pidref_kill(pid, sig);
4606 if (r < 0)
4607 log_error_errno(r, "Failed to send %s (%s request) to PID 1 of container: %m", signal_to_string(sig), word);
4608 else
4609 log_info("Sent %s (%s request) to PID 1 of container.", signal_to_string(sig), word);
4610
4611 return 0;
4612 }
4613
4614 static int merge_settings(Settings *settings, const char *path) {
4615 int rl;
4616
4617 assert(settings);
4618 assert(path);
4619
4620 /* Copy over bits from the settings, unless they have been explicitly masked by command line switches. Note
4621 * that this steals the fields of the Settings* structure, and hence modifies it. */
4622
4623 if ((arg_settings_mask & SETTING_START_MODE) == 0 &&
4624 settings->start_mode >= 0) {
4625 arg_start_mode = settings->start_mode;
4626 strv_free_and_replace(arg_parameters, settings->parameters);
4627 }
4628
4629 if ((arg_settings_mask & SETTING_EPHEMERAL) == 0 &&
4630 settings->ephemeral >= 0)
4631 arg_ephemeral = settings->ephemeral;
4632
4633 if ((arg_settings_mask & SETTING_DIRECTORY) == 0 &&
4634 settings->root) {
4635
4636 if (!arg_settings_trusted)
4637 log_warning("Ignoring root directory setting, file %s is not trusted.", path);
4638 else
4639 free_and_replace(arg_directory, settings->root);
4640 }
4641
4642 if ((arg_settings_mask & SETTING_PIVOT_ROOT) == 0 &&
4643 settings->pivot_root_new) {
4644 free_and_replace(arg_pivot_root_new, settings->pivot_root_new);
4645 free_and_replace(arg_pivot_root_old, settings->pivot_root_old);
4646 }
4647
4648 if ((arg_settings_mask & SETTING_WORKING_DIRECTORY) == 0 &&
4649 settings->working_directory)
4650 free_and_replace(arg_chdir, settings->working_directory);
4651
4652 if ((arg_settings_mask & SETTING_ENVIRONMENT) == 0 &&
4653 settings->environment)
4654 strv_free_and_replace(arg_setenv, settings->environment);
4655
4656 if ((arg_settings_mask & SETTING_USER) == 0) {
4657
4658 if (settings->user)
4659 free_and_replace(arg_user, settings->user);
4660
4661 if (uid_is_valid(settings->uid))
4662 arg_uid = settings->uid;
4663 if (gid_is_valid(settings->gid))
4664 arg_gid = settings->gid;
4665 if (settings->n_supplementary_gids > 0) {
4666 free_and_replace(arg_supplementary_gids, settings->supplementary_gids);
4667 arg_n_supplementary_gids = settings->n_supplementary_gids;
4668 }
4669 }
4670
4671 if ((arg_settings_mask & SETTING_CAPABILITY) == 0) {
4672 uint64_t plus, minus;
4673 uint64_t network_minus = 0;
4674 uint64_t ambient;
4675
4676 /* Note that we copy both the simple plus/minus caps here, and the full quintet from the
4677 * Settings structure */
4678
4679 plus = settings->capability;
4680 minus = settings->drop_capability;
4681
4682 if ((arg_settings_mask & SETTING_NETWORK) == 0 &&
4683 settings_network_configured(settings)) {
4684 if (settings_private_network(settings))
4685 plus |= UINT64_C(1) << CAP_NET_ADMIN;
4686 else
4687 network_minus |= UINT64_C(1) << CAP_NET_ADMIN;
4688 }
4689
4690 if (!arg_settings_trusted && plus != 0) {
4691 if (settings->capability != 0)
4692 log_warning("Ignoring Capability= setting, file %s is not trusted.", path);
4693 } else {
4694 arg_caps_retain &= ~network_minus;
4695 arg_caps_retain |= plus;
4696 }
4697
4698 arg_caps_retain &= ~minus;
4699
4700 /* Copy the full capabilities over too */
4701 if (capability_quintet_is_set(&settings->full_capabilities)) {
4702 if (!arg_settings_trusted)
4703 log_warning("Ignoring capability settings, file %s is not trusted.", path);
4704 else
4705 arg_full_capabilities = settings->full_capabilities;
4706 }
4707
4708 ambient = settings->ambient_capability;
4709 if (!arg_settings_trusted && ambient != 0)
4710 log_warning("Ignoring AmbientCapability= setting, file %s is not trusted.", path);
4711 else
4712 arg_caps_ambient |= ambient;
4713 }
4714
4715 if ((arg_settings_mask & SETTING_KILL_SIGNAL) == 0 &&
4716 settings->kill_signal > 0)
4717 arg_kill_signal = settings->kill_signal;
4718
4719 if ((arg_settings_mask & SETTING_PERSONALITY) == 0 &&
4720 settings->personality != PERSONALITY_INVALID)
4721 arg_personality = settings->personality;
4722
4723 if ((arg_settings_mask & SETTING_MACHINE_ID) == 0 &&
4724 !sd_id128_is_null(settings->machine_id)) {
4725
4726 if (!arg_settings_trusted)
4727 log_warning("Ignoring MachineID= setting, file %s is not trusted.", path);
4728 else
4729 arg_uuid = settings->machine_id;
4730 }
4731
4732 if ((arg_settings_mask & SETTING_READ_ONLY) == 0 &&
4733 settings->read_only >= 0)
4734 arg_read_only = settings->read_only;
4735
4736 if ((arg_settings_mask & SETTING_VOLATILE_MODE) == 0 &&
4737 settings->volatile_mode != _VOLATILE_MODE_INVALID)
4738 arg_volatile_mode = settings->volatile_mode;
4739
4740 if ((arg_settings_mask & SETTING_CUSTOM_MOUNTS) == 0 &&
4741 settings->n_custom_mounts > 0) {
4742
4743 if (!arg_settings_trusted)
4744 log_warning("Ignoring TemporaryFileSystem=, Bind= and BindReadOnly= settings, file %s is not trusted.", path);
4745 else {
4746 custom_mount_free_all(arg_custom_mounts, arg_n_custom_mounts);
4747 arg_custom_mounts = TAKE_PTR(settings->custom_mounts);
4748 arg_n_custom_mounts = settings->n_custom_mounts;
4749 settings->n_custom_mounts = 0;
4750 }
4751 }
4752
4753 if ((arg_settings_mask & SETTING_NETWORK) == 0 &&
4754 settings_network_configured(settings)) {
4755
4756 if (!arg_settings_trusted)
4757 log_warning("Ignoring network settings, file %s is not trusted.", path);
4758 else {
4759 arg_network_veth = settings_network_veth(settings);
4760 arg_private_network = settings_private_network(settings);
4761
4762 strv_free_and_replace(arg_network_interfaces, settings->network_interfaces);
4763 strv_free_and_replace(arg_network_macvlan, settings->network_macvlan);
4764 strv_free_and_replace(arg_network_ipvlan, settings->network_ipvlan);
4765 strv_free_and_replace(arg_network_veth_extra, settings->network_veth_extra);
4766
4767 free_and_replace(arg_network_bridge, settings->network_bridge);
4768 free_and_replace(arg_network_zone, settings->network_zone);
4769
4770 free_and_replace(arg_network_namespace_path, settings->network_namespace_path);
4771 }
4772 }
4773
4774 if ((arg_settings_mask & SETTING_EXPOSE_PORTS) == 0 &&
4775 settings->expose_ports) {
4776
4777 if (!arg_settings_trusted)
4778 log_warning("Ignoring Port= setting, file %s is not trusted.", path);
4779 else {
4780 expose_port_free_all(arg_expose_ports);
4781 arg_expose_ports = TAKE_PTR(settings->expose_ports);
4782 }
4783 }
4784
4785 if ((arg_settings_mask & SETTING_USERNS) == 0 &&
4786 settings->userns_mode != _USER_NAMESPACE_MODE_INVALID) {
4787
4788 if (!arg_settings_trusted)
4789 log_warning("Ignoring PrivateUsers= and PrivateUsersChown= settings, file %s is not trusted.", path);
4790 else {
4791 arg_userns_mode = settings->userns_mode;
4792 arg_uid_shift = settings->uid_shift;
4793 arg_uid_range = settings->uid_range;
4794 arg_userns_ownership = settings->userns_ownership;
4795 }
4796 }
4797
4798 if ((arg_settings_mask & SETTING_BIND_USER) == 0 &&
4799 !strv_isempty(settings->bind_user))
4800 strv_free_and_replace(arg_bind_user, settings->bind_user);
4801
4802 if (!FLAGS_SET(arg_settings_mask, SETTING_BIND_USER_SHELL) &&
4803 settings->bind_user_shell_set) {
4804 free_and_replace(arg_bind_user_shell, settings->bind_user_shell);
4805 arg_bind_user_shell_copy = settings->bind_user_shell_copy;
4806 }
4807
4808 if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0 &&
4809 settings->notify_ready >= 0)
4810 arg_notify_ready = settings->notify_ready;
4811
4812 if ((arg_settings_mask & SETTING_SYSCALL_FILTER) == 0) {
4813
4814 if (!strv_isempty(settings->syscall_allow_list) || !strv_isempty(settings->syscall_deny_list)) {
4815 if (!arg_settings_trusted && !strv_isempty(settings->syscall_allow_list))
4816 log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path);
4817 else {
4818 strv_free_and_replace(arg_syscall_allow_list, settings->syscall_allow_list);
4819 strv_free_and_replace(arg_syscall_deny_list, settings->syscall_deny_list);
4820 }
4821 }
4822
4823 #if HAVE_SECCOMP
4824 if (settings->seccomp) {
4825 if (!arg_settings_trusted)
4826 log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path);
4827 else {
4828 seccomp_release(arg_seccomp);
4829 arg_seccomp = TAKE_PTR(settings->seccomp);
4830 }
4831 }
4832 #endif
4833 }
4834
4835 for (rl = 0; rl < _RLIMIT_MAX; rl++) {
4836 if ((arg_settings_mask & (SETTING_RLIMIT_FIRST << rl)))
4837 continue;
4838
4839 if (!settings->rlimit[rl])
4840 continue;
4841
4842 if (!arg_settings_trusted) {
4843 log_warning("Ignoring Limit%s= setting, file '%s' is not trusted.", rlimit_to_string(rl), path);
4844 continue;
4845 }
4846
4847 free_and_replace(arg_rlimit[rl], settings->rlimit[rl]);
4848 }
4849
4850 if ((arg_settings_mask & SETTING_HOSTNAME) == 0 &&
4851 settings->hostname)
4852 free_and_replace(arg_hostname, settings->hostname);
4853
4854 if ((arg_settings_mask & SETTING_NO_NEW_PRIVILEGES) == 0 &&
4855 settings->no_new_privileges >= 0)
4856 arg_no_new_privileges = settings->no_new_privileges;
4857
4858 if ((arg_settings_mask & SETTING_OOM_SCORE_ADJUST) == 0 &&
4859 settings->oom_score_adjust_set) {
4860
4861 if (!arg_settings_trusted)
4862 log_warning("Ignoring OOMScoreAdjust= setting, file '%s' is not trusted.", path);
4863 else {
4864 arg_oom_score_adjust = settings->oom_score_adjust;
4865 arg_oom_score_adjust_set = true;
4866 }
4867 }
4868
4869 if ((arg_settings_mask & SETTING_CPU_AFFINITY) == 0 &&
4870 settings->cpu_set.set) {
4871
4872 if (!arg_settings_trusted)
4873 log_warning("Ignoring CPUAffinity= setting, file '%s' is not trusted.", path);
4874 else
4875 cpu_set_done_and_replace(arg_cpu_set, settings->cpu_set);
4876 }
4877
4878 if ((arg_settings_mask & SETTING_RESOLV_CONF) == 0 &&
4879 settings->resolv_conf != _RESOLV_CONF_MODE_INVALID)
4880 arg_resolv_conf = settings->resolv_conf;
4881
4882 if ((arg_settings_mask & SETTING_LINK_JOURNAL) == 0 &&
4883 settings->link_journal != _LINK_JOURNAL_INVALID) {
4884
4885 if (!arg_settings_trusted)
4886 log_warning("Ignoring journal link setting, file '%s' is not trusted.", path);
4887 else {
4888 arg_link_journal = settings->link_journal;
4889 arg_link_journal_try = settings->link_journal_try;
4890 }
4891 }
4892
4893 if ((arg_settings_mask & SETTING_TIMEZONE) == 0 &&
4894 settings->timezone != _TIMEZONE_MODE_INVALID)
4895 arg_timezone = settings->timezone;
4896
4897 if ((arg_settings_mask & SETTING_SLICE) == 0 &&
4898 settings->slice) {
4899
4900 if (!arg_settings_trusted)
4901 log_warning("Ignoring slice setting, file '%s' is not trusted.", path);
4902 else
4903 free_and_replace(arg_slice, settings->slice);
4904 }
4905
4906 if ((arg_settings_mask & SETTING_USE_CGNS) == 0 &&
4907 settings->use_cgns >= 0) {
4908
4909 if (!arg_settings_trusted)
4910 log_warning("Ignoring cgroup namespace setting, file '%s' is not trusted.", path);
4911 else
4912 arg_use_cgns = settings->use_cgns;
4913 }
4914
4915 if ((arg_settings_mask & SETTING_CLONE_NS_FLAGS) == 0 &&
4916 settings->clone_ns_flags != ULONG_MAX) {
4917
4918 if (!arg_settings_trusted)
4919 log_warning("Ignoring namespace setting, file '%s' is not trusted.", path);
4920 else
4921 arg_clone_ns_flags = settings->clone_ns_flags;
4922 }
4923
4924 if ((arg_settings_mask & SETTING_CONSOLE_MODE) == 0 &&
4925 settings->console_mode >= 0) {
4926
4927 if (!arg_settings_trusted)
4928 log_warning("Ignoring console mode setting, file '%s' is not trusted.", path);
4929 else
4930 arg_console_mode = settings->console_mode;
4931 }
4932
4933 if ((arg_settings_mask & SETTING_SUPPRESS_SYNC) == 0 &&
4934 settings->suppress_sync >= 0)
4935 arg_suppress_sync = settings->suppress_sync;
4936
4937 /* The following properties can only be set through the OCI settings logic, not from the command line, hence we
4938 * don't consult arg_settings_mask for them. */
4939
4940 sd_bus_message_unref(arg_property_message);
4941 arg_property_message = TAKE_PTR(settings->properties);
4942
4943 arg_console_width = settings->console_width;
4944 arg_console_height = settings->console_height;
4945
4946 device_node_array_free(arg_extra_nodes, arg_n_extra_nodes);
4947 arg_extra_nodes = TAKE_PTR(settings->extra_nodes);
4948 arg_n_extra_nodes = settings->n_extra_nodes;
4949 settings->n_extra_nodes = 0;
4950
4951 return 0;
4952 }
4953
4954 static int load_settings(void) {
4955 _cleanup_(settings_freep) Settings *settings = NULL;
4956 _cleanup_fclose_ FILE *f = NULL;
4957 _cleanup_free_ char *p = NULL;
4958 int r;
4959
4960 if (arg_oci_bundle)
4961 return 0;
4962
4963 /* If all settings are masked, there's no point in looking for
4964 * the settings file */
4965 if (FLAGS_SET(arg_settings_mask, _SETTINGS_MASK_ALL))
4966 return 0;
4967
4968 /* We first look in the admin's directories in /etc and /run */
4969 if (arg_privileged)
4970 FOREACH_STRING(i, "/etc/systemd/nspawn", "/run/systemd/nspawn") {
4971 _cleanup_free_ char *j = NULL;
4972
4973 j = path_join(i, arg_settings_filename);
4974 if (!j)
4975 return log_oom();
4976
4977 f = fopen(j, "re");
4978 if (f) {
4979 p = TAKE_PTR(j);
4980
4981 /* By default, we trust configuration from /etc and /run */
4982 if (arg_settings_trusted < 0)
4983 arg_settings_trusted = true;
4984
4985 break;
4986 }
4987
4988 if (errno != ENOENT)
4989 return log_error_errno(errno, "Failed to open %s: %m", j);
4990 }
4991
4992 if (!f) {
4993 /* After that, let's look for a file next to the
4994 * actual image we shall boot. */
4995
4996 if (arg_image) {
4997 r = file_in_same_dir(arg_image, arg_settings_filename, &p);
4998 if (r < 0)
4999 return log_error_errno(r, "Failed to generate settings path from image path: %m");
5000 } else if (arg_directory) {
5001 r = file_in_same_dir(arg_directory, arg_settings_filename, &p);
5002 if (r < 0 && r != -EADDRNOTAVAIL) /* if directory is root fs, don't complain */
5003 return log_error_errno(r, "Failed to generate settings path from directory path: %m");
5004 }
5005
5006 if (p) {
5007 f = fopen(p, "re");
5008 if (!f && errno != ENOENT)
5009 return log_error_errno(errno, "Failed to open %s: %m", p);
5010
5011 /* By default, we do not trust configuration from /var/lib/machines */
5012 if (arg_settings_trusted < 0)
5013 arg_settings_trusted = false;
5014 }
5015 }
5016
5017 if (!f)
5018 return 0;
5019
5020 log_debug("Settings are trusted: %s", yes_no(arg_settings_trusted));
5021
5022 r = settings_load(f, p, &settings);
5023 if (r < 0)
5024 return r;
5025
5026 return merge_settings(settings, p);
5027 }
5028
5029 static int load_oci_bundle(void) {
5030 _cleanup_(settings_freep) Settings *settings = NULL;
5031 int r;
5032
5033 if (!arg_oci_bundle)
5034 return 0;
5035
5036 /* By default let's trust OCI bundles */
5037 if (arg_settings_trusted < 0)
5038 arg_settings_trusted = true;
5039
5040 r = oci_load(NULL, arg_oci_bundle, &settings);
5041 if (r < 0)
5042 return r;
5043
5044 return merge_settings(settings, arg_oci_bundle);
5045 }
5046
5047 static int run_container(
5048 const char *directory,
5049 int mount_fd,
5050 DissectedImage *dissected_image,
5051 int userns_fd,
5052 FDSet *fds,
5053 char veth_name[IFNAMSIZ],
5054 bool *veth_created,
5055 struct ExposeArgs *expose_args,
5056 int *master,
5057 PidRef *pid,
5058 int *ret) {
5059
5060 _cleanup_(release_lock_file) LockFile uid_shift_lock = LOCK_FILE_INIT;
5061 _cleanup_close_ int etc_passwd_lock = -EBADF;
5062 _cleanup_close_pair_ int
5063 fd_inner_socket_pair[2] = EBADF_PAIR,
5064 fd_outer_socket_pair[2] = EBADF_PAIR;
5065
5066 _cleanup_close_ int notify_socket = -EBADF, mntns_fd = -EBADF, fd_kmsg_fifo = -EBADF;
5067 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
5068 _cleanup_(sd_event_source_unrefp) sd_event_source *notify_event_source = NULL;
5069 _cleanup_(umount_and_rmdir_and_freep) char *unix_export_host_dir = NULL;
5070 _cleanup_(sd_event_unrefp) sd_event *event = NULL;
5071 _cleanup_(pty_forward_freep) PTYForward *forward = NULL;
5072 _cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
5073 _cleanup_free_ uid_t *bind_user_uid = NULL;
5074 size_t n_bind_user_uid = 0;
5075 ContainerStatus container_status = 0;
5076 int ifi = 0, r;
5077 ssize_t l;
5078 sigset_t mask_chld;
5079 _cleanup_close_ int child_netns_fd = -EBADF;
5080
5081 assert_se(sigemptyset(&mask_chld) == 0);
5082 assert_se(sigaddset(&mask_chld, SIGCHLD) == 0);
5083
5084 /* Set up the unix export host directory on the host first */
5085 r = setup_unix_export_dir_outside(&unix_export_host_dir);
5086 if (r < 0)
5087 return r;
5088
5089 if (arg_userns_mode == USER_NAMESPACE_PICK) {
5090 /* When we shall pick the UID/GID range, let's first lock /etc/passwd, so that we can safely
5091 * check with getpwuid() if the specific user already exists. Note that /etc might be
5092 * read-only, in which case this will fail with EROFS. But that's really OK, as in that case we
5093 * can be reasonably sure that no users are going to be added. Note that getpwuid() checks are
5094 * really just an extra safety net. We kinda assume that the UID range we allocate from is
5095 * really ours. */
5096
5097 etc_passwd_lock = take_etc_passwd_lock(NULL);
5098 if (etc_passwd_lock < 0 && etc_passwd_lock != -EROFS)
5099 return log_error_errno(etc_passwd_lock, "Failed to take /etc/passwd lock: %m");
5100 }
5101
5102 r = barrier_create(&barrier);
5103 if (r < 0)
5104 return log_error_errno(r, "Cannot initialize IPC barrier: %m");
5105
5106 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, fd_inner_socket_pair) < 0)
5107 return log_error_errno(errno, "Failed to create inner socket pair: %m");
5108
5109 if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, fd_outer_socket_pair) < 0)
5110 return log_error_errno(errno, "Failed to create outer socket pair: %m");
5111
5112 /* Child can be killed before execv(), so handle SIGCHLD in order to interrupt
5113 * parent's blocking calls and give it a chance to call wait() and terminate. */
5114 r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
5115 if (r < 0)
5116 return log_error_errno(errno, "Failed to change the signal mask: %m");
5117
5118 r = sigaction(SIGCHLD, &sigaction_nop_nocldstop, NULL);
5119 if (r < 0)
5120 return log_error_errno(errno, "Failed to install SIGCHLD handler: %m");
5121
5122 if (arg_network_namespace_path) {
5123 child_netns_fd = open(arg_network_namespace_path, O_RDONLY|O_NOCTTY|O_CLOEXEC);
5124 if (child_netns_fd < 0)
5125 return log_error_errno(errno, "Cannot open file %s: %m", arg_network_namespace_path);
5126
5127 r = fd_is_namespace(child_netns_fd, NAMESPACE_NET);
5128 if (r < 0)
5129 return log_error_errno(r, "Failed to check %s fs type: %m", arg_network_namespace_path);
5130 if (r == 0)
5131 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
5132 "Path %s doesn't refer to a network namespace, refusing.", arg_network_namespace_path);
5133 }
5134
5135 bool in_child;
5136 if (arg_userns_mode != USER_NAMESPACE_MANAGED) {
5137 assert(userns_fd < 0);
5138 /* If we have no user namespace then we'll clone and create a new mount namespace right-away. */
5139
5140 pid_t _pid = raw_clone(SIGCHLD|CLONE_NEWNS);
5141 if (_pid < 0)
5142 return log_error_errno(errno, "clone() failed%s: %m",
5143 errno == EINVAL ?
5144 ", do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in)" : "");
5145 if (_pid != 0) {
5146 r = pidref_set_pid(pid, _pid);
5147 if (r < 0)
5148 return log_error_errno(r, "Failed to allocate pidfd: %m");
5149 }
5150
5151 in_child = _pid == 0;
5152 } else {
5153 assert(userns_fd >= 0);
5154 /* If we have a user namespace then we'll clone() first, and then join the user namespace,
5155 * and then open the mount namespace, so that it is owned by the user namespace */
5156
5157 pid_t _pid = raw_clone(SIGCHLD);
5158 if (_pid < 0)
5159 return log_error_errno(errno, "clone() failed: %m");
5160
5161 if (_pid != 0) {
5162 r = pidref_set_pid(pid, _pid);
5163 if (r < 0)
5164 return log_error_errno(r, "Failed to allocate pidfd: %m");
5165 }
5166
5167 in_child = _pid == 0;
5168 if (in_child) {
5169 if (setns(userns_fd, CLONE_NEWUSER) < 0) {
5170 log_error_errno(errno, "Failed to join allocate user namespace: %m");
5171 _exit(EXIT_FAILURE);
5172 }
5173
5174 r = reset_uid_gid();
5175 if (r < 0) {
5176 log_error_errno(r, "Failed to reset UID/GID to root: %m");
5177 _exit(EXIT_FAILURE);
5178 }
5179
5180 if (unshare(CLONE_NEWNS) < 0) {
5181 log_error_errno(errno, "Failed to unshare file system namespace: %m");
5182 _exit(EXIT_FAILURE);
5183 }
5184 }
5185 }
5186
5187 if (in_child) {
5188 /* The outer child only has a file system namespace. */
5189 barrier_set_role(&barrier, BARRIER_CHILD);
5190
5191 fd_inner_socket_pair[0] = safe_close(fd_inner_socket_pair[0]);
5192 fd_outer_socket_pair[0] = safe_close(fd_outer_socket_pair[0]);
5193
5194 (void) reset_all_signal_handlers();
5195 (void) reset_signal_mask();
5196
5197 r = outer_child(&barrier,
5198 directory,
5199 mount_fd,
5200 dissected_image,
5201 fd_outer_socket_pair[1],
5202 fd_inner_socket_pair[1],
5203 fds,
5204 child_netns_fd,
5205 unix_export_host_dir);
5206 if (r < 0)
5207 _exit(EXIT_FAILURE);
5208
5209 _exit(EXIT_SUCCESS);
5210 }
5211
5212 barrier_set_role(&barrier, BARRIER_PARENT);
5213
5214 fdset_close(fds, /* async= */ false);
5215
5216 fd_inner_socket_pair[1] = safe_close(fd_inner_socket_pair[1]);
5217 fd_outer_socket_pair[1] = safe_close(fd_outer_socket_pair[1]);
5218
5219 if (arg_userns_mode != USER_NAMESPACE_NO) {
5220 mntns_fd = receive_one_fd(fd_outer_socket_pair[0], 0);
5221 if (mntns_fd < 0)
5222 return log_error_errno(mntns_fd, "Failed to receive mount namespace fd from outer child: %m");
5223
5224 /* The child just let us know the UID shift it might have read from the image. */
5225 l = recv(fd_outer_socket_pair[0], &arg_uid_shift, sizeof arg_uid_shift, 0);
5226 if (l < 0)
5227 return log_error_errno(errno, "Failed to read UID shift: %m");
5228 if (l != sizeof arg_uid_shift)
5229 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read while reading UID shift.");
5230
5231 if (arg_userns_mode == USER_NAMESPACE_PICK) {
5232 /* If we are supposed to pick the UID shift, let's try to use the shift read from the
5233 * image, but if that's already in use, pick a new one, and report back to the child,
5234 * which one we now picked. */
5235
5236 r = uid_shift_pick(&arg_uid_shift, &uid_shift_lock);
5237 if (r < 0)
5238 return log_error_errno(r, "Failed to pick suitable UID/GID range: %m");
5239
5240 l = send(fd_outer_socket_pair[0], &arg_uid_shift, sizeof arg_uid_shift, MSG_NOSIGNAL);
5241 if (l < 0)
5242 return log_error_errno(errno, "Failed to send UID shift: %m");
5243 if (l != sizeof arg_uid_shift)
5244 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short write while writing UID shift.");
5245 }
5246 }
5247
5248 /* Wait for the outer child. */
5249 r = pidref_wait_for_terminate_and_check("(sd-namespace)", pid, WAIT_LOG_ABNORMAL);
5250 if (r < 0)
5251 return r;
5252 pidref_done(pid);
5253 if (r != EXIT_SUCCESS)
5254 return -EIO;
5255
5256 /* And now retrieve the PID of the inner child. */
5257 pid_t _pid;
5258 l = recv(fd_outer_socket_pair[0], &_pid, sizeof _pid, 0);
5259 if (l < 0)
5260 return log_error_errno(errno, "Failed to read inner child PID: %m");
5261 if (l != sizeof _pid)
5262 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read while reading inner child PID.");
5263
5264 r = pidref_set_pid(pid, _pid);
5265 if (r < 0)
5266 return log_error_errno(r, "Failed to allocate pidfd: %m");
5267
5268 /* We also retrieve container UUID in case it was generated by outer child */
5269 l = recv(fd_outer_socket_pair[0], &arg_uuid, sizeof arg_uuid, 0);
5270 if (l < 0)
5271 return log_error_errno(errno, "Failed to read container machine ID: %m");
5272 if (l != sizeof(arg_uuid))
5273 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Short read while reading container machined ID.");
5274
5275 /* We also retrieve the socket used for notifications generated by outer child */
5276 notify_socket = receive_one_fd(fd_outer_socket_pair[0], 0);
5277 if (notify_socket < 0)
5278 return log_error_errno(notify_socket,
5279 "Failed to receive notification socket from the outer child: %m");
5280
5281 log_debug("Init process invoked as PID "PID_FMT, pid->pid);
5282
5283 if (arg_userns_mode != USER_NAMESPACE_NO) {
5284 if (!barrier_place_and_sync(&barrier)) /* #1 */
5285 return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Child died too early.");
5286
5287 if (arg_userns_mode != USER_NAMESPACE_MANAGED) {
5288 r = setup_uid_map(pid, bind_user_uid, n_bind_user_uid);
5289 if (r < 0)
5290 return r;
5291 }
5292
5293 (void) barrier_place(&barrier); /* #2 */
5294 }
5295
5296 if (arg_private_network) {
5297 if (!arg_network_namespace_path) {
5298 /* Wait until the child has unshared its network namespace. */
5299 if (!barrier_place_and_sync(&barrier)) /* #3 */
5300 return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Child died too early");
5301
5302 /* Make sure we have an open file descriptor to the child's network namespace so it
5303 * stays alive even if the child exits. */
5304 assert(child_netns_fd < 0);
5305 child_netns_fd = receive_one_fd(fd_inner_socket_pair[0], 0);
5306 if (child_netns_fd < 0)
5307 return log_error_errno(r, "Failed to receive child network namespace: %m");
5308 }
5309
5310 r = move_network_interfaces(child_netns_fd, arg_network_interfaces);
5311 if (r < 0)
5312 return r;
5313
5314 if (arg_network_veth) {
5315 if (arg_userns_mode != USER_NAMESPACE_MANAGED) {
5316 r = setup_veth(arg_machine, pid, veth_name,
5317 arg_network_bridge || arg_network_zone, &arg_network_provided_mac);
5318 if (r < 0)
5319 return r;
5320 else if (r > 0)
5321 ifi = r;
5322 } else {
5323 _cleanup_free_ char *host_ifname = NULL;
5324
5325 r = nsresource_add_netif_veth(userns_fd, child_netns_fd, /* namespace_ifname= */ NULL, &host_ifname, /* ret_namespace_ifname= */ NULL);
5326 if (r < 0)
5327 return log_error_errno(r, "Failed to add network interface to container: %m");
5328
5329 ifi = if_nametoindex(host_ifname);
5330 if (ifi == 0)
5331 return log_error_errno(errno, "Failed to resolve interface '%s': %m", host_ifname);
5332
5333 if (strlen(host_ifname) >= IFNAMSIZ)
5334 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Host interface name too long?");
5335
5336 strcpy(veth_name, host_ifname);
5337 }
5338
5339 if (arg_network_bridge) {
5340 /* Add the interface to a bridge */
5341 r = setup_bridge(veth_name, arg_network_bridge, false);
5342 if (r < 0)
5343 return r;
5344 if (r > 0)
5345 ifi = r;
5346 } else if (arg_network_zone) {
5347 /* Add the interface to a bridge, possibly creating it */
5348 r = setup_bridge(veth_name, arg_network_zone, true);
5349 if (r < 0)
5350 return r;
5351 if (r > 0)
5352 ifi = r;
5353 }
5354 }
5355
5356 r = setup_veth_extra(arg_machine, pid, arg_network_veth_extra);
5357 if (r < 0)
5358 return r;
5359
5360 /* We created the primary and extra veth links now; let's remember this, so that we know to
5361 remove them later on. Note that we don't bother with removing veth links that were created
5362 here when their setup failed half-way, because in that case the kernel should be able to
5363 remove them on its own, since they cannot be referenced by anything yet. */
5364 *veth_created = true;
5365
5366 r = setup_macvlan(arg_machine, pid, arg_network_macvlan);
5367 if (r < 0)
5368 return r;
5369
5370 r = setup_ipvlan(arg_machine, pid, arg_network_ipvlan);
5371 if (r < 0)
5372 return r;
5373 }
5374
5375 /* Registration always happens on the system bus */
5376 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *system_bus = NULL;
5377 if (arg_register || arg_privileged) {
5378 r = sd_bus_default_system(&system_bus);
5379 if (r < 0)
5380 return log_error_errno(r, "Failed to open system bus: %m");
5381
5382 r = sd_bus_set_close_on_exit(system_bus, false);
5383 if (r < 0)
5384 return log_error_errno(r, "Failed to disable close-on-exit behaviour: %m");
5385
5386 (void) sd_bus_set_allow_interactive_authorization(system_bus, arg_ask_password);
5387 }
5388
5389 /* Scope allocation happens on the user bus if we are unpriv, otherwise system bus. */
5390 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *user_bus = NULL;
5391 _cleanup_(sd_bus_unrefp) sd_bus *runtime_bus = NULL;
5392 if (arg_privileged)
5393 runtime_bus = sd_bus_ref(system_bus);
5394 else {
5395 r = sd_bus_default_user(&user_bus);
5396 if (r < 0)
5397 return log_error_errno(r, "Failed to open user bus: %m");
5398
5399 r = sd_bus_set_close_on_exit(user_bus, false);
5400 if (r < 0)
5401 return log_error_errno(r, "Failed to disable close-on-exit behaviour: %m");
5402
5403 runtime_bus = sd_bus_ref(user_bus);
5404 }
5405
5406 if (!arg_keep_unit) {
5407 /* When a new scope is created for this container, then we'll be registered as its controller, in which
5408 * case PID 1 will send us a friendly RequestStop signal, when it is asked to terminate the
5409 * scope. Let's hook into that, and cleanly shut down the container, and print a friendly message. */
5410
5411 r = sd_bus_match_signal_async(
5412 runtime_bus,
5413 /* ret= */ NULL,
5414 "org.freedesktop.systemd1",
5415 /* path= */ NULL,
5416 "org.freedesktop.systemd1.Scope",
5417 "RequestStop",
5418 on_request_stop,
5419 /* install_callback= */ NULL,
5420 pid);
5421 if (r < 0)
5422 return log_error_errno(r, "Failed to request RequestStop match: %m");
5423 }
5424
5425 if (arg_keep_unit) {
5426 /* If we are not supposed to allocate a unit, then let's move the process now, so that we can
5427 * register things while being in the right cgroup location already. Otherwise, let's move
5428 * the process later, once we have unit and hence cgroup. */
5429 r = create_subcgroup(
5430 pid,
5431 arg_keep_unit,
5432 arg_uid_shift,
5433 userns_fd,
5434 arg_userns_mode);
5435 if (r < 0)
5436 return r;
5437 }
5438
5439 bool scope_allocated = false;
5440 if (!arg_keep_unit && (!arg_register || !arg_privileged)) {
5441 AllocateScopeFlags flags = ALLOCATE_SCOPE_ALLOW_PIDFD;
5442 r = allocate_scope(
5443 runtime_bus,
5444 arg_machine,
5445 pid,
5446 arg_slice,
5447 arg_custom_mounts, arg_n_custom_mounts,
5448 arg_kill_signal,
5449 arg_property,
5450 arg_property_message,
5451 arg_start_mode,
5452 flags);
5453 if (r < 0)
5454 return r;
5455
5456 scope_allocated = true;
5457 }
5458
5459 bool registered = false;
5460 if (arg_register) {
5461 RegisterMachineFlags flags = 0;
5462 SET_FLAG(flags, REGISTER_MACHINE_KEEP_UNIT, arg_keep_unit || !arg_privileged);
5463 r = register_machine(
5464 system_bus,
5465 arg_machine,
5466 pid,
5467 arg_directory,
5468 arg_uuid,
5469 ifi,
5470 arg_slice,
5471 arg_custom_mounts, arg_n_custom_mounts,
5472 arg_kill_signal,
5473 arg_property,
5474 arg_property_message,
5475 arg_container_service_name,
5476 arg_start_mode,
5477 flags);
5478 if (r < 0)
5479 return r;
5480
5481 registered = true;
5482 }
5483
5484 if (arg_keep_unit && (arg_slice || arg_property))
5485 log_notice("Machine and scope registration turned off, --slice= and --property= settings will have no effect.");
5486
5487 if (!arg_keep_unit) {
5488 r = create_subcgroup(
5489 pid,
5490 arg_keep_unit,
5491 arg_uid_shift,
5492 userns_fd,
5493 arg_userns_mode);
5494 if (r < 0)
5495 return r;
5496 }
5497
5498 /* Notify the child that the parent is ready with all its setup (including cgroup-ification), and
5499 * that the child can now hand over control to the code to run inside the container. */
5500 (void) barrier_place(&barrier); /* #4 */
5501
5502 /* Block SIGCHLD here, before notifying child.
5503 * process_pty() will handle it with the other signals. */
5504 assert_se(sigprocmask(SIG_BLOCK, &mask_chld, NULL) >= 0);
5505
5506 /* Reset signal to default */
5507 r = default_signals(SIGCHLD);
5508 if (r < 0)
5509 return log_error_errno(r, "Failed to reset SIGCHLD: %m");
5510
5511 r = sd_event_new(&event);
5512 if (r < 0)
5513 return log_error_errno(r, "Failed to get default event source: %m");
5514
5515 (void) sd_event_set_watchdog(event, true);
5516
5517 if (system_bus) {
5518 r = sd_bus_attach_event(system_bus, event, 0);
5519 if (r < 0)
5520 return log_error_errno(r, "Failed to attach system bus to event loop: %m");
5521 }
5522
5523 if (user_bus) {
5524 r = sd_bus_attach_event(user_bus, event, 0);
5525 if (r < 0)
5526 return log_error_errno(r, "Failed to attach user bus to event loop: %m");
5527 }
5528
5529 r = setup_notify_parent(event, notify_socket, pid, &notify_event_source);
5530 if (r < 0)
5531 return r;
5532
5533 /* Wait that the child is completely ready now, and has mounted their own copies of procfs and so on,
5534 * before we take the fully visible instances away. */
5535 if (!barrier_sync(&barrier)) /* #5.1 */
5536 return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Child died too early.");
5537
5538 if (!IN_SET(arg_userns_mode, USER_NAMESPACE_NO, USER_NAMESPACE_MANAGED)) {
5539 r = wipe_fully_visible_api_fs(mntns_fd);
5540 if (r < 0)
5541 return r;
5542 mntns_fd = safe_close(mntns_fd);
5543 }
5544
5545 /* And now let the child know that we completed removing the procfs instances, and it can start the
5546 * payload. */
5547 if (!barrier_place(&barrier)) /* #5.2 */
5548 return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Child died too early.");
5549
5550 /* At this point we have made use of the UID we picked, and thus nss-systemd/systemd-machined.service
5551 * will make them appear in getpwuid(), thus we can release the /etc/passwd lock. */
5552 etc_passwd_lock = safe_close(etc_passwd_lock);
5553
5554 (void) sd_notifyf(/* unset_environment= */ false,
5555 "STATUS=Container started.\n"
5556 "X_NSPAWN_LEADER_PID=" PID_FMT, pid->pid);
5557 if (!arg_notify_ready) {
5558 r = sd_notify(/* unset_environment= */ false, "READY=1\n");
5559 if (r < 0)
5560 log_warning_errno(r, "Failed to send readiness notification, ignoring: %m");
5561 }
5562
5563 /* All operations that might need Polkit authorizations (i.e. userns registration, mounts, and
5564 * machine registration are complete now, get rid of the agent again, so that we retain exclusive
5565 * control of the TTY from now on. */
5566 polkit_agent_close();
5567
5568 /* Note: we do not use SD_EVENT_SIGNAL_PROCMASK or sd_event_set_signal_exit(), since we want the
5569 * signals to be block continuously, even if we destroy the event loop and allocate a new one on
5570 * container reboot. */
5571
5572 if (arg_kill_signal > 0) {
5573 /* Try to kill the init system on SIGINT or SIGTERM */
5574 (void) sd_event_add_signal(event, NULL, SIGINT, on_orderly_shutdown, pid);
5575 (void) sd_event_add_signal(event, NULL, SIGTERM, on_orderly_shutdown, pid);
5576 } else {
5577 /* Immediately exit */
5578 (void) sd_event_add_signal(event, NULL, SIGINT, NULL, NULL);
5579 (void) sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
5580 }
5581
5582 (void) sd_event_add_signal(event, NULL, SIGRTMIN+18, sigrtmin18_handler, NULL);
5583
5584 r = sd_event_add_memory_pressure(event, NULL, NULL, NULL);
5585 if (r < 0)
5586 log_debug_errno(r, "Failed allocate memory pressure event source, ignoring: %m");
5587
5588 /* Exit when the child exits */
5589 (void) sd_event_add_signal(event, NULL, SIGCHLD, on_sigchld, pid);
5590
5591 /* Retrieve the kmsg fifo allocated by inner child */
5592 fd_kmsg_fifo = receive_one_fd(fd_inner_socket_pair[0], 0);
5593 if (fd_kmsg_fifo < 0)
5594 return log_error_errno(fd_kmsg_fifo, "Failed to receive kmsg fifo from inner child: %m");
5595
5596 if (arg_expose_ports) {
5597 r = expose_port_watch_rtnl(event, fd_inner_socket_pair[0], on_address_change, expose_args, &rtnl);
5598 if (r < 0)
5599 return r;
5600
5601 (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
5602 (void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
5603 }
5604
5605 _cleanup_(osc_context_closep) sd_id128_t osc_context_id = SD_ID128_NULL;
5606 if (IN_SET(arg_console_mode, CONSOLE_INTERACTIVE, CONSOLE_READ_ONLY) && !terminal_is_dumb()) {
5607 r = osc_context_open_container(arg_machine, /* ret_seq= */ NULL, &osc_context_id);
5608 if (r < 0)
5609 return r;
5610 }
5611
5612 if (arg_console_mode != CONSOLE_PIPE) {
5613 _cleanup_close_ int fd = -EBADF;
5614 PTYForwardFlags flags = 0;
5615
5616 /* Retrieve the master pty allocated by inner child */
5617 fd = receive_one_fd(fd_inner_socket_pair[0], 0);
5618 if (fd < 0)
5619 return log_error_errno(fd, "Failed to receive master pty from the inner child: %m");
5620
5621 switch (arg_console_mode) {
5622
5623 case CONSOLE_READ_ONLY:
5624 flags |= PTY_FORWARD_READ_ONLY;
5625
5626 _fallthrough_;
5627
5628 case CONSOLE_INTERACTIVE:
5629 flags |= PTY_FORWARD_IGNORE_VHANGUP;
5630
5631 r = pty_forward_new(event, fd, flags, &forward);
5632 if (r < 0)
5633 return log_error_errno(r, "Failed to create PTY forwarder: %m");
5634
5635 if (arg_console_width != UINT_MAX || arg_console_height != UINT_MAX)
5636 (void) pty_forward_set_width_height(
5637 forward,
5638 arg_console_width,
5639 arg_console_height);
5640
5641 if (!arg_background && shall_tint_background()) {
5642 _cleanup_free_ char *bg = NULL;
5643
5644 r = terminal_tint_color(220 /* blue */, &bg);
5645 if (r < 0)
5646 log_debug_errno(r, "Failed to determine terminal background color, not tinting.");
5647 else
5648 (void) pty_forward_set_background_color(forward, bg);
5649 } else if (!isempty(arg_background))
5650 (void) pty_forward_set_background_color(forward, arg_background);
5651
5652 (void) pty_forward_set_window_title(forward, GLYPH_BLUE_CIRCLE, /* hostname = */ NULL,
5653 STRV_MAKE("Container", arg_machine));
5654
5655 pty_forward_set_hotkey_handler(forward, ptyfwd_hotkey, pid);
5656 break;
5657
5658 default:
5659 assert(arg_console_mode == CONSOLE_PASSIVE);
5660 }
5661
5662 *master = TAKE_FD(fd);
5663 }
5664
5665 fd_inner_socket_pair[0] = safe_close(fd_inner_socket_pair[0]);
5666
5667 r = sd_event_loop(event);
5668 if (r < 0)
5669 return log_error_errno(r, "Failed to run event loop: %m");
5670
5671 /* Kill if it is not dead yet anyway */
5672 if (scope_allocated)
5673 terminate_scope(runtime_bus, arg_machine);
5674
5675 /* Normally redundant, but better safe than sorry */
5676 (void) pidref_kill(pid, SIGKILL);
5677
5678 fd_kmsg_fifo = safe_close(fd_kmsg_fifo);
5679
5680 if (arg_private_network && arg_userns_mode != USER_NAMESPACE_MANAGED) {
5681 r = move_back_network_interfaces(child_netns_fd, arg_network_interfaces);
5682 if (r < 0)
5683 return r;
5684
5685 r = remove_macvlan(child_netns_fd, arg_network_macvlan);
5686 if (r < 0)
5687 return r;
5688 }
5689
5690 r = wait_for_container(pid, &container_status);
5691
5692 /* Tell machined that we are gone. */
5693 if (registered)
5694 (void) unregister_machine(system_bus, arg_machine);
5695
5696 if (r < 0)
5697 /* We failed to wait for the container, or the container exited abnormally. */
5698 return r;
5699 if (r > 0 || container_status == CONTAINER_TERMINATED) {
5700 /* r > 0 → The container exited with a non-zero status.
5701 * As a special case, we need to replace 133 with a different value,
5702 * because 133 is special-cased in the service file to reboot the container.
5703 * otherwise → The container exited with zero status and a reboot was not requested.
5704 */
5705 if (r == EXIT_FORCE_RESTART)
5706 r = EXIT_FAILURE; /* replace 133 with the general failure code */
5707 *ret = r;
5708 return 0; /* finito */
5709 }
5710
5711 /* CONTAINER_REBOOTED, loop again */
5712
5713 if (arg_keep_unit) {
5714 /* Special handling if we are running as a service: instead of simply
5715 * restarting the machine we want to restart the entire service, so let's
5716 * inform systemd about this with the special exit code 133. The service
5717 * file uses RestartForceExitStatus=133 so that this results in a full
5718 * nspawn restart. This is necessary since we might have cgroup parameters
5719 * set we want to have flushed out. */
5720 *ret = EXIT_FORCE_RESTART;
5721 return 0; /* finito */
5722 }
5723
5724 expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
5725 expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
5726
5727 (void) remove_veth_links(veth_name, arg_network_veth_extra);
5728 *veth_created = false;
5729 return 1; /* loop again */
5730 }
5731
5732 static int initialize_rlimits(void) {
5733 /* The default resource limits the kernel passes to PID 1, as per kernel 5.16. Let's pass our container payload
5734 * the same values as the kernel originally passed to PID 1, in order to minimize differences between host and
5735 * container execution environments. */
5736
5737 static const struct rlimit kernel_defaults[_RLIMIT_MAX] = {
5738 [RLIMIT_AS] = { RLIM_INFINITY, RLIM_INFINITY },
5739 [RLIMIT_CORE] = { 0, RLIM_INFINITY },
5740 [RLIMIT_CPU] = { RLIM_INFINITY, RLIM_INFINITY },
5741 [RLIMIT_DATA] = { RLIM_INFINITY, RLIM_INFINITY },
5742 [RLIMIT_FSIZE] = { RLIM_INFINITY, RLIM_INFINITY },
5743 [RLIMIT_LOCKS] = { RLIM_INFINITY, RLIM_INFINITY },
5744 [RLIMIT_MEMLOCK] = { DEFAULT_RLIMIT_MEMLOCK, DEFAULT_RLIMIT_MEMLOCK },
5745 [RLIMIT_MSGQUEUE] = { 819200, 819200 },
5746 [RLIMIT_NICE] = { 0, 0 },
5747 [RLIMIT_NOFILE] = { 1024, 4096 },
5748 [RLIMIT_RSS] = { RLIM_INFINITY, RLIM_INFINITY },
5749 [RLIMIT_RTPRIO] = { 0, 0 },
5750 [RLIMIT_RTTIME] = { RLIM_INFINITY, RLIM_INFINITY },
5751 [RLIMIT_STACK] = { 8388608, RLIM_INFINITY },
5752
5753 /* The kernel scales the default for RLIMIT_NPROC and RLIMIT_SIGPENDING based on the system's amount of
5754 * RAM. To provide best compatibility we'll read these limits off PID 1 instead of hardcoding them
5755 * here. This is safe as we know that PID 1 doesn't change these two limits and thus the original
5756 * kernel's initialization should still be valid during runtime — at least if PID 1 is systemd. Note
5757 * that PID 1 changes a number of other resource limits during early initialization which is why we
5758 * don't read the other limits from PID 1 but prefer the static table above. */
5759 };
5760
5761 int rl, r;
5762
5763 for (rl = 0; rl < _RLIMIT_MAX; rl++) {
5764 /* Let's only fill in what the user hasn't explicitly configured anyway */
5765 if ((arg_settings_mask & (SETTING_RLIMIT_FIRST << rl)) == 0) {
5766 const struct rlimit *v;
5767 struct rlimit buffer;
5768
5769 if (IN_SET(rl, RLIMIT_NPROC, RLIMIT_SIGPENDING)) {
5770 /* For these two let's read the limits off PID 1. See above for an explanation. */
5771
5772 r = pid_getrlimit(1, rl, &buffer);
5773 if (r < 0)
5774 return log_error_errno(r, "Failed to read resource limit RLIMIT_%s of PID 1: %m", rlimit_to_string(rl));
5775
5776 v = &buffer;
5777 } else if (rl == RLIMIT_NOFILE) {
5778 /* We nowadays bump RLIMIT_NOFILE's hard limit early in PID 1 for all
5779 * userspace. Given that nspawn containers are often run without our PID 1,
5780 * let's grant the containers a raised RLIMIT_NOFILE hard limit by default,
5781 * so that container userspace gets similar resources as host userspace
5782 * gets. */
5783 buffer = kernel_defaults[rl];
5784 buffer.rlim_max = MIN((rlim_t) read_nr_open(), (rlim_t) HIGH_RLIMIT_NOFILE);
5785 v = &buffer;
5786 } else
5787 v = kernel_defaults + rl;
5788
5789 arg_rlimit[rl] = newdup(struct rlimit, v, 1);
5790 if (!arg_rlimit[rl])
5791 return log_oom();
5792 }
5793
5794 if (DEBUG_LOGGING) {
5795 _cleanup_free_ char *k = NULL;
5796
5797 (void) rlimit_format(arg_rlimit[rl], &k);
5798 log_debug("Setting RLIMIT_%s to %s.", rlimit_to_string(rl), k);
5799 }
5800 }
5801
5802 return 0;
5803 }
5804
5805 static int cant_be_in_netns(void) {
5806 _cleanup_close_ int fd = -EBADF;
5807 struct ucred ucred;
5808 int r;
5809
5810 /* Check if we are in the same netns as udev. If we aren't, then device monitoring (and thus waiting
5811 * for loopback block devices) won't work, and we will hang. Detect this case and exit early with a
5812 * nice message. */
5813
5814 if (!arg_image) /* only matters if --image= us used, i.e. we actually need to use loopback devices */
5815 return 0;
5816
5817 fd = socket(AF_UNIX, SOCK_SEQPACKET|SOCK_NONBLOCK|SOCK_CLOEXEC, 0);
5818 if (fd < 0)
5819 return log_error_errno(errno, "Failed to allocate udev control socket: %m");
5820
5821 r = connect_unix_path(fd, AT_FDCWD, "/run/udev/control");
5822 if (r == -ENOENT || ERRNO_IS_NEG_DISCONNECT(r))
5823 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
5824 "Sorry, but --image= requires access to the host's /run/ hierarchy, since we need access to udev.");
5825 if (ERRNO_IS_NEG_PRIVILEGE(r)) {
5826 log_debug_errno(r, "Can't connect to udev control socket, assuming we are in same netns.");
5827 return 0;
5828 }
5829 if (r < 0)
5830 return log_error_errno(r, "Failed to connect socket to udev control socket: %m");
5831
5832 r = getpeercred(fd, &ucred);
5833 if (r < 0)
5834 return log_error_errno(r, "Failed to determine peer of udev control socket: %m");
5835
5836 r = in_same_namespace(ucred.pid, 0, NAMESPACE_NET);
5837 if (r < 0)
5838 return log_error_errno(r, "Failed to determine network namespace of udev: %m");
5839 if (r == 0)
5840 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
5841 "Sorry, but --image= is only supported in the main network namespace, since we need access to udev/AF_NETLINK.");
5842 return 0;
5843 }
5844
5845 static void initialize_defaults(void) {
5846 arg_privileged = getuid() == 0;
5847
5848 /* If running unprivileged default to systemd-nsresourced operation */
5849 arg_userns_mode = arg_privileged ? USER_NAMESPACE_NO : USER_NAMESPACE_MANAGED;
5850
5851 /* Imply private networking for unprivileged operation, since kernel otherwise refuses mounting sysfs */
5852 arg_private_network = !arg_privileged;
5853 }
5854
5855 static void cleanup_propagation_and_export_directories(void) {
5856 const char *p;
5857
5858 if (!arg_machine || !arg_privileged)
5859 return;
5860
5861 p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
5862 (void) rm_rf(p, REMOVE_ROOT);
5863
5864 p = strjoina("/run/systemd/nspawn/unix-export/", arg_machine);
5865 (void) umount2(p, MNT_DETACH|UMOUNT_NOFOLLOW);
5866 (void) rmdir(p);
5867 }
5868
5869 static int do_cleanup(void) {
5870 int r;
5871
5872 if (arg_ephemeral)
5873 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Cannot specify --ephemeral with --cleanup.");
5874
5875 r = determine_names();
5876 if (r < 0)
5877 return r;
5878
5879 cleanup_propagation_and_export_directories();
5880 return 0;
5881 }
5882
5883 static int run(int argc, char *argv[]) {
5884 bool remove_directory = false, remove_image = false, veth_created = false;
5885 _cleanup_close_ int master = -EBADF, userns_fd = -EBADF, mount_fd = -EBADF;
5886 _cleanup_fdset_free_ FDSet *fds = NULL;
5887 int r, ret = EXIT_SUCCESS;
5888 char veth_name[IFNAMSIZ] = "";
5889 struct ExposeArgs expose_args = {};
5890 _cleanup_(release_lock_file) LockFile tree_global_lock = LOCK_FILE_INIT, tree_local_lock = LOCK_FILE_INIT;
5891 _cleanup_(rmdir_and_freep) char *rootdir = NULL;
5892 _cleanup_(loop_device_unrefp) LoopDevice *loop = NULL;
5893 _cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
5894 _cleanup_(fw_ctx_freep) FirewallContext *fw_ctx = NULL;
5895 _cleanup_(pidref_done) PidRef pid = PIDREF_NULL;
5896
5897 log_setup();
5898
5899 initialize_defaults();
5900
5901 r = parse_argv(argc, argv);
5902 if (r <= 0)
5903 goto finish;
5904
5905 if (arg_cleanup)
5906 return do_cleanup();
5907
5908 r = cg_has_legacy();
5909 if (r < 0)
5910 goto finish;
5911 if (r > 0) {
5912 r = log_error_errno(SYNTHETIC_ERRNO(EPROTO),
5913 "Detected host uses legacy cgroup v1 hierarchy, refusing.");
5914 goto finish;
5915 }
5916
5917 r = cant_be_in_netns();
5918 if (r < 0)
5919 goto finish;
5920
5921 r = initialize_rlimits();
5922 if (r < 0)
5923 goto finish;
5924
5925 r = load_oci_bundle();
5926 if (r < 0)
5927 goto finish;
5928
5929 r = pick_paths();
5930 if (r < 0)
5931 goto finish;
5932
5933 r = determine_names();
5934 if (r < 0)
5935 goto finish;
5936
5937 r = load_settings();
5938 if (r < 0)
5939 goto finish;
5940
5941 /* If we're not unsharing the network namespace and are unsharing the user namespace, we won't have
5942 * permissions to bind ports in the container, so let's drop the CAP_NET_BIND_SERVICE capability to
5943 * indicate that. */
5944 if (!arg_private_network && arg_userns_mode != USER_NAMESPACE_NO && arg_uid_shift > 0)
5945 arg_caps_retain &= ~(UINT64_C(1) << CAP_NET_BIND_SERVICE);
5946
5947 r = verify_arguments();
5948 if (r < 0)
5949 goto finish;
5950
5951 r = resolve_network_interface_names(arg_network_interfaces);
5952 if (r < 0)
5953 goto finish;
5954
5955 r = verify_network_interfaces_initialized();
5956 if (r < 0)
5957 goto finish;
5958
5959 /* Ignore SIGPIPE here, because we use splice() on the ptyfwd stuff and that will generate SIGPIPE if
5960 * the result is closed. Note that the container payload child will reset signal mask+handler anyway,
5961 * so just turning this off here means we only turn it off in nspawn itself, not any children. */
5962 (void) ignore_signals(SIGPIPE);
5963
5964 r = fdset_new_listen_fds(&fds, /* unset = */ false);
5965 if (r < 0) {
5966 log_error_errno(r, "Failed to collect file descriptors: %m");
5967 goto finish;
5968 }
5969
5970 /* The "default" umask. This is appropriate for most file and directory
5971 * operations performed by nspawn, and is the umask that will be used for
5972 * the child. Functions like copy_devnodes() change the umask temporarily. */
5973 umask(0022);
5974
5975 if (arg_console_mode < 0)
5976 arg_console_mode = isatty_safe(STDIN_FILENO) && isatty_safe(STDOUT_FILENO) ?
5977 CONSOLE_INTERACTIVE : CONSOLE_READ_ONLY;
5978
5979 if (arg_console_mode == CONSOLE_PIPE) /* if we pass STDERR on to the container, don't add our own logs into it too */
5980 arg_quiet = true;
5981
5982 polkit_agent_open();
5983
5984 if (arg_userns_mode == USER_NAMESPACE_MANAGED) {
5985 /* Let's allocate a 64K userns first, if managed mode is chosen */
5986
5987 _cleanup_free_ char *userns_name = NULL;
5988 if (asprintf(&userns_name, "nspawn-" PID_FMT "-%s", getpid_cached(), arg_machine) < 0) {
5989 r = log_oom();
5990 goto finish;
5991 }
5992
5993 userns_fd = nsresource_allocate_userns(userns_name, UINT64_C(0x10000));
5994 if (userns_fd < 0) {
5995 r = log_error_errno(userns_fd, "Failed to allocate user namespace with 64K users: %m");
5996 goto finish;
5997 }
5998
5999 r = userns_get_base_uid(userns_fd, &arg_uid_shift, /* ret_gid= */ NULL);
6000 if (r < 0) {
6001 log_error_errno(r, "Failed to determine UID shift from userns: %m");
6002 goto finish;
6003 }
6004
6005 arg_uid_range = UINT32_C(0x10000);
6006 }
6007
6008 if (arg_directory) {
6009 assert(!arg_image);
6010
6011 /* Safety precaution: let's not allow running images from the live host OS image, as long as
6012 * /var from the host will propagate into container dynamically (because bad things happen if
6013 * two systems write to the same /var). Let's allow it for the special cases where /var is
6014 * either copied (i.e. --ephemeral) or replaced (i.e. --volatile=yes|state). */
6015 if (path_equal(arg_directory, "/") && !(arg_ephemeral || IN_SET(arg_volatile_mode, VOLATILE_YES, VOLATILE_STATE))) {
6016 r = log_error_errno(SYNTHETIC_ERRNO(EINVAL),
6017 "Spawning container on root directory is not supported. Consider using --ephemeral, --volatile=yes or --volatile=state.");
6018 goto finish;
6019 }
6020
6021 if (arg_ephemeral) {
6022 _cleanup_free_ char *np = NULL;
6023
6024 r = chase_and_update(&arg_directory, 0);
6025 if (r < 0)
6026 goto finish;
6027
6028 /* If the specified path is a mount point we generate the new snapshot immediately
6029 * inside it under a random name. However if the specified is not a mount point we
6030 * create the new snapshot in the parent directory, just next to it. */
6031 r = path_is_mount_point(arg_directory);
6032 if (r < 0) {
6033 log_error_errno(r, "Failed to determine whether directory %s is mount point: %m", arg_directory);
6034 goto finish;
6035 }
6036 if (r > 0)
6037 r = tempfn_random_child(arg_directory, "machine.", &np);
6038 else
6039 r = tempfn_random(arg_directory, "machine.", &np);
6040 if (r < 0) {
6041 log_error_errno(r, "Failed to generate name for directory snapshot: %m");
6042 goto finish;
6043 }
6044
6045 /* We take an exclusive lock on this image, since it's our private, ephemeral copy
6046 * only owned by us and no one else. */
6047 r = image_path_lock(
6048 np,
6049 LOCK_EX|LOCK_NB,
6050 arg_privileged ? &tree_global_lock : NULL,
6051 &tree_local_lock);
6052 if (r < 0) {
6053 log_error_errno(r, "Failed to lock %s: %m", np);
6054 goto finish;
6055 }
6056
6057 {
6058 BLOCK_SIGNALS(SIGINT);
6059 r = btrfs_subvol_snapshot_at(AT_FDCWD, arg_directory, AT_FDCWD, np,
6060 (arg_read_only ? BTRFS_SNAPSHOT_READ_ONLY : 0) |
6061 BTRFS_SNAPSHOT_FALLBACK_COPY |
6062 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY |
6063 BTRFS_SNAPSHOT_RECURSIVE |
6064 BTRFS_SNAPSHOT_QUOTA |
6065 BTRFS_SNAPSHOT_SIGINT);
6066 }
6067 if (r == -EINTR) {
6068 log_error_errno(r, "Interrupted while copying file system tree to %s, removed again.", np);
6069 goto finish;
6070 }
6071 if (r < 0) {
6072 log_error_errno(r, "Failed to create snapshot %s from %s: %m", np, arg_directory);
6073 goto finish;
6074 }
6075
6076 free_and_replace(arg_directory, np);
6077 remove_directory = true;
6078 } else {
6079 r = chase_and_update(&arg_directory, arg_template ? CHASE_NONEXISTENT : 0);
6080 if (r < 0)
6081 goto finish;
6082
6083 r = image_path_lock(
6084 arg_directory,
6085 (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB,
6086 arg_privileged ? &tree_global_lock : NULL,
6087 &tree_local_lock);
6088 if (r == -EBUSY) {
6089 log_error_errno(r, "Directory tree %s is currently busy.", arg_directory);
6090 goto finish;
6091 }
6092 if (r < 0) {
6093 log_error_errno(r, "Failed to lock %s: %m", arg_directory);
6094 goto finish;
6095 }
6096
6097 if (arg_template) {
6098 r = chase_and_update(&arg_template, 0);
6099 if (r < 0)
6100 goto finish;
6101
6102 {
6103 BLOCK_SIGNALS(SIGINT);
6104 r = btrfs_subvol_snapshot_at(AT_FDCWD, arg_template, AT_FDCWD, arg_directory,
6105 (arg_read_only ? BTRFS_SNAPSHOT_READ_ONLY : 0) |
6106 BTRFS_SNAPSHOT_FALLBACK_COPY |
6107 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY |
6108 BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE |
6109 BTRFS_SNAPSHOT_RECURSIVE |
6110 BTRFS_SNAPSHOT_QUOTA |
6111 BTRFS_SNAPSHOT_SIGINT);
6112 }
6113 if (r == -EEXIST)
6114 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO,
6115 "Directory %s already exists, not populating from template %s.", arg_directory, arg_template);
6116 else if (r == -EINTR) {
6117 log_error_errno(r, "Interrupted while copying file system tree to %s, removed again.", arg_directory);
6118 goto finish;
6119 } else if (r < 0) {
6120 log_error_errno(r, "Couldn't create snapshot %s from %s: %m", arg_directory, arg_template);
6121 goto finish;
6122 } else
6123 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO,
6124 "Populated %s from template %s.", arg_directory, arg_template);
6125 }
6126 }
6127
6128 if (arg_start_mode == START_BOOT) {
6129 _cleanup_free_ char *b = NULL;
6130 const char *p;
6131 int check_os_release, is_os_tree;
6132
6133 if (arg_pivot_root_new) {
6134 b = path_join(arg_directory, arg_pivot_root_new);
6135 if (!b) {
6136 r = log_oom();
6137 goto finish;
6138 }
6139
6140 p = b;
6141 } else
6142 p = arg_directory;
6143
6144 check_os_release = getenv_bool("SYSTEMD_NSPAWN_CHECK_OS_RELEASE");
6145 if (check_os_release < 0 && check_os_release != -ENXIO) {
6146 r = log_error_errno(check_os_release, "Failed to parse $SYSTEMD_NSPAWN_CHECK_OS_RELEASE: %m");
6147 goto finish;
6148 }
6149
6150 is_os_tree = path_is_os_tree(p);
6151 if (is_os_tree == 0 && check_os_release == 0)
6152 log_debug("Directory %s is missing an os-release file, continuing anyway.", p);
6153 else if (is_os_tree <= 0) {
6154 r = log_error_errno(SYNTHETIC_ERRNO(EINVAL),
6155 "Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", p);
6156 goto finish;
6157 }
6158 } else {
6159 _cleanup_free_ char *p = NULL;
6160
6161 if (arg_pivot_root_new)
6162 p = path_join(arg_directory, arg_pivot_root_new, "/usr/");
6163 else
6164 p = path_join(arg_directory, "/usr/");
6165 if (!p) {
6166 r = log_oom();
6167 goto finish;
6168 }
6169
6170 r = access_nofollow(p, F_OK);
6171 if (r == -ENOENT) {
6172 log_error_errno(r, "Directory %s doesn't look like it has an OS tree (/usr/ directory is missing). Refusing.", arg_directory);
6173 goto finish;
6174 } else if (r < 0) {
6175 log_error_errno(r, "Unable to determine if %s looks like it has an OS tree (i.e. whether /usr/ exists): %m", arg_directory);
6176 goto finish;
6177 }
6178 }
6179
6180 if (arg_userns_mode == USER_NAMESPACE_MANAGED) {
6181 r = mountfsd_mount_directory(
6182 arg_directory,
6183 userns_fd,
6184 determine_dissect_image_flags(),
6185 &mount_fd);
6186 if (r < 0)
6187 goto finish;
6188 }
6189 } else {
6190 DissectImageFlags dissect_image_flags =
6191 determine_dissect_image_flags();
6192
6193 assert(arg_image);
6194 assert(!arg_template);
6195
6196 r = chase_and_update(&arg_image, 0);
6197 if (r < 0)
6198 goto finish;
6199
6200 if (arg_ephemeral) {
6201 _cleanup_free_ char *np = NULL;
6202
6203 r = tempfn_random(arg_image, "machine.", &np);
6204 if (r < 0) {
6205 log_error_errno(r, "Failed to generate name for image snapshot: %m");
6206 goto finish;
6207 }
6208
6209 /* Always take an exclusive lock on our own ephemeral copy. */
6210 r = image_path_lock(
6211 np,
6212 LOCK_EX|LOCK_NB,
6213 arg_privileged ? &tree_global_lock : NULL,
6214 &tree_local_lock);
6215 if (r < 0) {
6216 log_error_errno(r, "Failed to create image lock: %m");
6217 goto finish;
6218 }
6219
6220 {
6221 BLOCK_SIGNALS(SIGINT);
6222 r = copy_file(arg_image, np, O_EXCL, arg_read_only ? 0400 : 0600,
6223 COPY_REFLINK|COPY_CRTIME|COPY_SIGINT|COPY_NOCOW_AFTER);
6224 }
6225 if (r == -EINTR) {
6226 log_error_errno(r, "Interrupted while copying image file to %s, removed again.", np);
6227 goto finish;
6228 }
6229 if (r < 0) {
6230 r = log_error_errno(r, "Failed to copy image file: %m");
6231 goto finish;
6232 }
6233
6234 free_and_replace(arg_image, np);
6235 remove_image = true;
6236 } else {
6237 r = image_path_lock(
6238 arg_image,
6239 (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB,
6240 arg_privileged ? &tree_global_lock : NULL,
6241 &tree_local_lock);
6242 if (r == -EBUSY) {
6243 log_error_errno(r, "Disk image %s is currently busy.", arg_image);
6244 goto finish;
6245 }
6246 if (r < 0) {
6247 log_error_errno(r, "Failed to create image lock: %m");
6248 goto finish;
6249 }
6250
6251 r = verity_settings_load(
6252 &arg_verity_settings,
6253 arg_image, NULL, NULL);
6254 if (r < 0) {
6255 log_error_errno(r, "Failed to read verity artefacts for %s: %m", arg_image);
6256 goto finish;
6257 }
6258
6259 if (arg_verity_settings.data_path)
6260 dissect_image_flags |= DISSECT_IMAGE_NO_PARTITION_TABLE;
6261 }
6262
6263 if (arg_userns_mode != USER_NAMESPACE_MANAGED) {
6264 r = loop_device_make_by_path(
6265 arg_image,
6266 arg_read_only ? O_RDONLY : O_RDWR,
6267 /* sector_size= */ UINT32_MAX,
6268 FLAGS_SET(dissect_image_flags, DISSECT_IMAGE_NO_PARTITION_TABLE) ? 0 : LO_FLAGS_PARTSCAN,
6269 LOCK_SH,
6270 &loop);
6271 if (r < 0) {
6272 log_error_errno(r, "Failed to set up loopback block device: %m");
6273 goto finish;
6274 }
6275
6276 r = dissect_loop_device_and_warn(
6277 loop,
6278 &arg_verity_settings,
6279 /* mount_options= */ NULL,
6280 arg_image_policy ?: &image_policy_container,
6281 /* image_filter= */ NULL,
6282 dissect_image_flags,
6283 &dissected_image);
6284 if (r == -ENOPKG) {
6285 /* dissected_image_and_warn() already printed a brief error message. Extend on that with more details */
6286 log_notice("Note that the disk image needs to\n"
6287 " a) either contain only a single MBR partition of type 0x83 that is marked bootable\n"
6288 " b) or contain a single GPT partition of type 0FC63DAF-8483-4772-8E79-3D69D8477DE4\n"
6289 " c) or follow https://uapi-group.org/specifications/specs/discoverable_partitions_specification\n"
6290 " d) or contain a file system without a partition table\n"
6291 "in order to be bootable with systemd-nspawn.");
6292 goto finish;
6293 }
6294 if (r < 0)
6295 goto finish;
6296
6297 r = dissected_image_load_verity_sig_partition(
6298 dissected_image,
6299 loop->fd,
6300 &arg_verity_settings);
6301 if (r < 0) {
6302 log_error_errno(r, "Failed to load Verity signature partition: %m");
6303 goto finish;
6304 }
6305
6306 r = dissected_image_guess_verity_roothash(
6307 dissected_image,
6308 &arg_verity_settings);
6309 if (r < 0) {
6310 log_error_errno(r, "Failed to guess Verity root hash: %m");
6311 goto finish;
6312 }
6313
6314 if (dissected_image->has_verity && !arg_verity_settings.root_hash)
6315 log_notice("Note: image %s contains verity information, but no root hash specified and no embedded "
6316 "root hash signature found! Proceeding without integrity checking.", arg_image);
6317
6318 r = dissected_image_decrypt_interactively(
6319 dissected_image,
6320 NULL,
6321 &arg_verity_settings,
6322 dissect_image_flags);
6323 if (r < 0)
6324 goto finish;
6325 } else {
6326 r = mountfsd_mount_image(
6327 arg_image,
6328 userns_fd,
6329 arg_image_policy,
6330 dissect_image_flags,
6331 &dissected_image);
6332 if (r < 0)
6333 goto finish;
6334 }
6335
6336 /* Now that we mounted the image, let's try to remove it again, if it is ephemeral */
6337 if (remove_image && unlink(arg_image) >= 0)
6338 remove_image = false;
6339
6340 if (arg_architecture < 0)
6341 arg_architecture = dissected_image_architecture(dissected_image);
6342 }
6343
6344 /* Create a temporary place to mount stuff. */
6345 r = mkdtemp_malloc("/tmp/nspawn-root-XXXXXX", &rootdir);
6346 if (r < 0) {
6347 log_error_errno(r, "Failed to create temporary directory: %m");
6348 goto finish;
6349 }
6350
6351 r = custom_mount_prepare_all(rootdir, arg_custom_mounts, arg_n_custom_mounts);
6352 if (r < 0)
6353 goto finish;
6354
6355 if (!arg_quiet) {
6356 const char *t = arg_image ?: arg_directory;
6357 _cleanup_free_ char *u = NULL;
6358 (void) terminal_urlify_path(t, t, &u);
6359
6360 log_info("%s %sSpawning container %s on %s.%s",
6361 glyph(GLYPH_LIGHT_SHADE), ansi_grey(), arg_machine, u ?: t, ansi_normal());
6362
6363 if (arg_console_mode == CONSOLE_INTERACTIVE)
6364 log_info("%s %sPress %sCtrl-]%s three times within 1s to kill container; two times followed by %sr%s\n"
6365 "%s %sto reboot container; two times followed by %sp%s to poweroff container.%s",
6366 glyph(GLYPH_LIGHT_SHADE), ansi_grey(), ansi_highlight(), ansi_grey(), ansi_highlight(), ansi_normal(),
6367 glyph(GLYPH_LIGHT_SHADE), ansi_grey(), ansi_highlight(), ansi_grey(), ansi_normal());
6368 }
6369
6370 assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, SIGRTMIN+18) >= 0);
6371
6372 r = make_reaper_process(true);
6373 if (r < 0) {
6374 log_error_errno(r, "Failed to become subreaper: %m");
6375 goto finish;
6376 }
6377
6378 if (arg_expose_ports) {
6379 r = fw_ctx_new(&fw_ctx);
6380 if (r < 0) {
6381 log_error_errno(r, "Cannot expose configured ports, firewall initialization failed: %m");
6382 goto finish;
6383 }
6384 expose_args.fw_ctx = fw_ctx;
6385 }
6386
6387 for (;;) {
6388 r = run_container(
6389 rootdir,
6390 mount_fd,
6391 dissected_image,
6392 userns_fd,
6393 fds,
6394 veth_name, &veth_created,
6395 &expose_args, &master,
6396 &pid, &ret);
6397 if (r <= 0)
6398 break;
6399 }
6400
6401 finish:
6402 (void) sd_notify(false,
6403 r == 0 && ret == EXIT_FORCE_RESTART ? "STOPPING=1\nSTATUS=Restarting..." :
6404 "STOPPING=1\nSTATUS=Terminating...");
6405
6406 if (pidref_is_set(&pid))
6407 (void) pidref_kill(&pid, SIGKILL);
6408
6409 /* Try to flush whatever is still queued in the pty */
6410 if (master >= 0) {
6411 (void) copy_bytes(master, STDOUT_FILENO, UINT64_MAX, 0);
6412 master = safe_close(master);
6413 }
6414
6415 if (pidref_is_set(&pid)) {
6416 (void) pidref_wait_for_terminate(&pid, NULL);
6417 pidref_done(&pid);
6418 }
6419
6420 pager_close();
6421
6422 if (remove_directory && arg_directory) {
6423 int k;
6424
6425 k = rm_rf(arg_directory, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME);
6426 if (k < 0)
6427 log_warning_errno(k, "Cannot remove '%s', ignoring: %m", arg_directory);
6428 }
6429
6430 if (remove_image && arg_image) {
6431 if (unlink(arg_image) < 0)
6432 log_warning_errno(errno, "Can't remove image file '%s', ignoring: %m", arg_image);
6433 }
6434
6435 if (arg_machine && arg_userns_mode != USER_NAMESPACE_MANAGED) {
6436 const char *p;
6437
6438 p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
6439 (void) rm_rf(p, REMOVE_ROOT);
6440
6441 p = strjoina("/run/systemd/nspawn/unix-export/", arg_machine);
6442 (void) umount2(p, MNT_DETACH|UMOUNT_NOFOLLOW);
6443 (void) rmdir(p);
6444 }
6445
6446 cleanup_propagation_and_export_directories();
6447
6448 expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET, &expose_args.address4);
6449 expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET6, &expose_args.address6);
6450
6451 if (arg_userns_mode != USER_NAMESPACE_MANAGED) {
6452 if (veth_created)
6453 (void) remove_veth_links(veth_name, arg_network_veth_extra);
6454 (void) remove_bridge(arg_network_zone);
6455 }
6456
6457 custom_mount_free_all(arg_custom_mounts, arg_n_custom_mounts);
6458 expose_port_free_all(arg_expose_ports);
6459 rlimit_free_all(arg_rlimit);
6460 device_node_array_free(arg_extra_nodes, arg_n_extra_nodes);
6461
6462 if (r < 0)
6463 return r;
6464
6465 return ret;
6466 }
6467
6468 DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);
Unnamed repository; edit this file 'description' to name the repository.