1 | /*-*- Mode: C; c-basic-offset: 8 -*-*/ |
2 | ||
3 | /*** | |
4 | This file is part of systemd. | |
5 | ||
6 | Copyright 2010 Lennart Poettering | |
7 | ||
8 | systemd is free software; you can redistribute it and/or modify it | |
9 | under the terms of the GNU General Public License as published by | |
10 | the Free Software Foundation; either version 2 of the License, or | |
11 | (at your option) any later version. | |
12 | ||
13 | systemd is distributed in the hope that it will be useful, but | |
14 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
16 | General Public License for more details. | |
17 | ||
18 | You should have received a copy of the GNU General Public License | |
19 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
20 | ***/ | |
21 | ||
22 | #include <errno.h> | |
23 | #include <sys/mount.h> | |
24 | #include <string.h> | |
25 | #include <stdio.h> | |
26 | #include <unistd.h> | |
27 | #include <sys/stat.h> | |
28 | #include <sys/types.h> | |
29 | #include <sched.h> | |
30 | #include <sys/syscall.h> | |
31 | #include <limits.h> | |
25e870b5 | 32 | #include <linux/fs.h> |
33 | |
34 | #include "strv.h" | |
35 | #include "util.h" | |
36 | #include "namespace.h" | |
37 | #include "missing.h" | |
38 | ||
/* Access mode requested for one path inside the new namespace. */
typedef enum PathMode {
        /* This is ordered by priority! When the same path is listed more than
         * once, path_compare() sorts equal paths by ascending mode and
         * drop_duplicates() keeps only the first one, so the lowest value
         * (the most restrictive mode) wins. */
        INACCESSIBLE,
        READONLY,
        PRIVATE,
        READWRITE
} PathMode;
46 | ||
/* One entry of the mount table built by setup_namespace(). */
typedef struct Path {
        /* Absolute path (append_paths() rejects anything else). Not owned:
         * points into the caller's string vectors or at a string literal. */
        const char *path;
        /* How the path is to be presented in the new namespace. */
        PathMode mode;
} Path;
51 | ||
/* Appends one entry per string in @strv at the array cursor *p, tagging each
 * with @mode, and advances *p past the entries written.
 *
 * Every string must be an absolute path; the first one that is not aborts with
 * -EINVAL, with *p already advanced past the entries written before it. The
 * strings are referenced, not copied. Returns 0 on success. */
static int append_paths(Path **p, char **strv, PathMode mode) {
        char **s;

        STRV_FOREACH(s, strv) {
                if (!path_is_absolute(*s))
                        return -EINVAL;

                *(*p)++ = (Path) { .path = *s, .mode = mode };
        }

        return 0;
}
67 | ||
/* qsort() comparator for Path entries.
 *
 * Entries with equal paths are ordered by ascending mode (see PathMode).
 * Otherwise a path sorts after any path it is nested below, so that prefixes
 * come first; unrelated paths compare as equal.
 *
 * NOTE(review): returning 0 for unrelated paths means this is not a total
 * order, so the result of qsort() is not well-defined for a mix of nested and
 * unrelated paths. The mount order matters: a parent bind-mounted after one of
 * its children would presumably cover the child's mount. Verify with the caller
 * that the order it gets is the one it relies on. */
static int path_compare(const void *a, const void *b) {
        const Path *lhs = a;
        const Path *rhs = b;

        if (path_equal(lhs->path, rhs->path))
                /* Same path: decide by mode, ascending */
                return (lhs->mode > rhs->mode) - (lhs->mode < rhs->mode);

        /* lhs lives below rhs: rhs, the prefix, goes first */
        if (path_startswith(lhs->path, rhs->path))
                return 1;

        /* rhs lives below lhs: lhs, the prefix, goes first */
        if (path_startswith(rhs->path, lhs->path))
                return -1;

        return 0;
}
92 | ||
/* Compacts a sorted Path array in place, keeping only the first entry of every
 * run of equal paths (after path_compare() that is the entry with the lowest,
 * i.e. most restrictive, mode). *n is updated to the new length.
 *
 * *need_inaccessible and *need_private are set to true if any surviving entry
 * uses that mode; they are never reset to false here. */
static void drop_duplicates(Path *p, unsigned *n, bool *need_inaccessible, bool *need_private) {
        unsigned in, out = 0;

        assert(p);
        assert(n);
        assert(need_inaccessible);
        assert(need_private);

        for (in = 0; in < *n; in++) {
                /* Skip anything equal to the entry we kept last */
                if (out > 0 && path_equal(p[in].path, p[out-1].path))
                        continue;

                p[out] = p[in];

                if (p[out].mode == PRIVATE)
                        *need_private = true;
                else if (p[out].mode == INACCESSIBLE)
                        *need_inaccessible = true;

                out++;
        }

        *n = out;
}
122 | ||
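/* Bind-mounts one entry of the path table into the new root.
 *
 * @p: the entry. Its mode selects the source of the bind mount: READWRITE and
 *     READONLY bind p->path onto itself below root_dir, INACCESSIBLE binds
 *     inaccessible_dir (created mode 0 by setup_namespace()) over it, PRIVATE
 *     binds private_dir over it.
 * @root_dir: directory under which the new tree is assembled; the mount target
 *     is root_dir followed by p->path.
 * @inaccessible_dir, @private_dir: stand-in directories for those two modes.
 * @flags: extra mount flags. READONLY and INACCESSIBLE add MS_RDONLY. They are
 *     applied in a second MS_REMOUNT step, since a bind mount initially
 *     inherits the source's flags.
 *
 * Returns 0 on success, -ENOMEM if the target path cannot be built, -EINVAL for
 * an unknown mode, otherwise -errno of the failing mount(2); in that last case a
 * bind mount that was already established is detached again.
 */
static int apply_mount(Path *p, const char *root_dir, const char *inaccessible_dir, const char *private_dir, unsigned long flags) {
        const char *what;
        char *where;
        int r;

        assert(p);
        assert(root_dir);
        assert(inaccessible_dir);
        assert(private_dir);

        switch (p->mode) {

        case INACCESSIBLE:
                what = inaccessible_dir;
                flags |= MS_RDONLY;
                break;

        case READONLY:
                flags |= MS_RDONLY;
                /* Fall through */

        case READWRITE:
                what = p->path;
                break;

        case PRIVATE:
                what = private_dir;
                break;

        default:
                /* Keeps 'what' from being used uninitialized on a bad mode */
                return -EINVAL;
        }

        where = strappend(root_dir, p->path);
        if (!where)
                return -ENOMEM;

        r = mount(what, where, NULL, MS_BIND|MS_REC, NULL);
        if (r < 0) {
                /* Report the real error, not mount(2)'s bare -1 */
                r = -errno;
                goto finish;
        }

        log_debug("Successfully mounted %s to %s", what, where);

        /* The bind mount will always inherit the original flags. If we
         * want to set any flag we need to do so in a second independent
         * step. */
        if (flags)
                r = mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|MS_REC|flags, NULL);

        /* Avoid exponential growth of trees: the root itself must not be
         * bind-mountable again. */
        if (r >= 0 && path_equal(p->path, "/"))
                r = mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|MS_UNBINDABLE|flags, NULL);

        if (r < 0) {
                /* Save errno before umount2() can clobber it */
                r = -errno;
                umount2(where, MNT_DETACH);
        }

finish:
        free(where);
        return r;
}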
178 | ||
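/* Moves the calling process into a new mount namespace whose root is a
 * bind-mounted copy of "/" with the given paths overridden.
 *
 * @writable, @readable, @inaccessible: string vectors of absolute paths to
 *     present read-write, read-only, or as an empty unreadable directory.
 * @private_tmp: if true, "/tmp" is replaced by a fresh sticky directory.
 * @flags: extra mount flags applied to every bind mount (see apply_mount()).
 *
 * The tree is assembled under a mkdtemp() directory in /tmp, the process does
 * unshare(CLONE_NEWNS) and pivot_root()s into it, then the old root is detached.
 * Returns 0 on success and a negative errno on failure. Failures before
 * pivot_root() are fully undone (mounts detached, directories removed);
 * failures after it cannot be undone and leave the process in the new root.
 * No path may be listed twice with conflicting modes: the most restrictive
 * mode wins (see PathMode).
 *
 * NOTE(review): the code assumes mounts made here do not propagate back to the
 * parent namespace. That only holds if "/" is not a shared mount there; confirm
 * for the target systems, or make the new namespace's mounts slaves first.
 */
int setup_namespace(
                char **writable,
                char **readable,
                char **inaccessible,
                bool private_tmp,
                unsigned long flags) {

        /* All templates share the mkdtemp() prefix; once tmp_dir is created,
         * that prefix is copied over the "XXXXXX" part of the others. */
        char
                tmp_dir[] = "/tmp/systemd-namespace-XXXXXX",
                root_dir[] = "/tmp/systemd-namespace-XXXXXX/root",
                old_root_dir[] = "/tmp/systemd-namespace-XXXXXX/root/tmp/old-root-XXXXXX",
                inaccessible_dir[] = "/tmp/systemd-namespace-XXXXXX/inaccessible",
                private_dir[] = "/tmp/systemd-namespace-XXXXXX/private";

        Path *paths, *p;
        unsigned n;
        bool need_private = false, need_inaccessible = false;
        bool remove_tmp = false, remove_root = false, remove_old_root = false, remove_inaccessible = false, remove_private = false;
        int r;
        const char *t;

        /* One entry per listed path, plus "/" and optionally "/tmp" */
        n =
                strv_length(writable) +
                strv_length(readable) +
                strv_length(inaccessible) +
                (private_tmp ? 2 : 1);

        paths = new(Path, n);
        if (!paths)
                return -ENOMEM;

        p = paths;
        if ((r = append_paths(&p, writable, READWRITE)) < 0 ||
            (r = append_paths(&p, readable, READONLY)) < 0 ||
            (r = append_paths(&p, inaccessible, INACCESSIBLE)) < 0)
                goto fail;

        if (private_tmp) {
                p->path = "/tmp";
                p->mode = PRIVATE;
                p++;
        }

        /* The root itself is always bind-mounted; it sorts first */
        p->path = "/";
        p->mode = READWRITE;
        p++;

        assert(paths + n == p);

        /* Prefixes before their children, most restrictive mode first, then
         * collapse repeated paths so that each one is mounted exactly once. */
        qsort(paths, n, sizeof(Path), path_compare);
        drop_duplicates(paths, &n, &need_inaccessible, &need_private);

        if (!mkdtemp(tmp_dir)) {
                r = -errno;
                goto fail;
        }
        remove_tmp = true;

        /* Copy the now-unique prefix without its NUL over the template part */
        memcpy(root_dir, tmp_dir, sizeof(tmp_dir)-1);
        if (mkdir(root_dir, 0777) < 0) {
                r = -errno;
                goto fail;
        }
        remove_root = true;

        if (need_inaccessible) {
                /* Mode 0: nothing inside is ever readable or writable */
                memcpy(inaccessible_dir, tmp_dir, sizeof(tmp_dir)-1);
                if (mkdir(inaccessible_dir, 0) < 0) {
                        r = -errno;
                        goto fail;
                }
                remove_inaccessible = true;
        }

        if (need_private) {
                /* Sticky like /tmp, so users cannot remove each other's files */
                memcpy(private_dir, tmp_dir, sizeof(tmp_dir)-1);
                if (mkdir(private_dir, 0777 | S_ISVTX) < 0) {
                        r = -errno;
                        goto fail;
                }
                remove_private = true;
        }

        if (unshare(CLONE_NEWNS) < 0) {
                r = -errno;
                goto fail;
        }

        /* We assume that by default mount events from us won't be
         * propagated to the root namespace. */

        for (p = paths; p < paths + n; p++)
                if ((r = apply_mount(p, root_dir, inaccessible_dir, private_dir, flags)) < 0)
                        goto undo_mounts;

        /* Created inside the new tree, so it is visible after pivot_root() */
        memcpy(old_root_dir, tmp_dir, sizeof(tmp_dir)-1);
        if (!mkdtemp(old_root_dir)) {
                r = -errno;
                goto undo_mounts;
        }
        remove_old_root = true;

        if (chdir(root_dir) < 0) {
                r = -errno;
                goto undo_mounts;
        }

        if (pivot_root(root_dir, old_root_dir) < 0) {
                r = -errno;
                goto undo_mounts;
        }

        /* Inside the new root, the old one is reachable only under the part
         * of old_root_dir that follows the root_dir prefix, i.e.
         * "/tmp/old-root-XXXXXX". */
        t = old_root_dir + sizeof(root_dir) - 1;

        /* At this point it's too late to turn anything back, since we are
         * already in the new root: only report errors. */
        r = 0;
        if (umount2(t, MNT_DETACH) < 0)
                r = -errno;
        else if (rmdir(t) < 0)
                r = -errno;

        free(paths);
        return r;

undo_mounts:
        /* Detach, in reverse order, only the mounts that succeeded: p points
         * at the failed entry, or one past the end if all were applied. */
        while (p > paths) {
                char full_path[PATH_MAX];

                p--;
                snprintf(full_path, sizeof(full_path), "%s%s", root_dir, p->path);
                char_array_0(full_path);

                umount2(full_path, MNT_DETACH);
        }

fail:
        if (remove_old_root)
                rmdir(old_root_dir);

        if (remove_inaccessible)
                rmdir(inaccessible_dir);

        if (remove_private)
                rmdir(private_dir);

        if (remove_root)
                rmdir(root_dir);

        if (remove_tmp)
                rmdir(tmp_dir);

        free(paths);

        return r;
}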