1 | /*-*- Mode: C; c-basic-offset: 8 -*-*/ |
2 | ||
3 | /*** | |
4 | This file is part of systemd. | |
5 | ||
6 | Copyright 2010 Lennart Poettering | |
7 | ||
8 | systemd is free software; you can redistribute it and/or modify it | |
9 | under the terms of the GNU General Public License as published by | |
10 | the Free Software Foundation; either version 2 of the License, or | |
11 | (at your option) any later version. | |
12 | ||
13 | systemd is distributed in the hope that it will be useful, but | |
14 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
16 | General Public License for more details. | |
17 | ||
18 | You should have received a copy of the GNU General Public License | |
19 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
20 | ***/ | |
21 | ||
22 | #include <errno.h> | |
23 | #include <sys/mount.h> | |
24 | #include <string.h> | |
25 | #include <stdio.h> | |
26 | #include <unistd.h> | |
27 | #include <sys/stat.h> | |
28 | #include <sys/types.h> | |
29 | #include <sched.h> | |
30 | #include <sys/syscall.h> | |
31 | #include <limits.h> | |
32 | ||
33 | #include "strv.h" | |
34 | #include "util.h" | |
35 | #include "namespace.h" | |
36 | #include "missing.h" | |
37 | ||
/* How one path is exposed inside the namespace built by setup_namespace(). */
typedef enum PathMode {
        /* This is ordered by priority! path_compare() sorts equal paths by
         * ascending mode and drop_duplicates() keeps only the first of them,
         * so when a path is listed more than once the most restrictive
         * mode wins. */
        INACCESSIBLE,
        READONLY,
        PRIVATE,
        READWRITE
} PathMode;

/* One path to mount together with its mode. 'path' is not owned by the
 * entry: it points into the caller's strv or at a string literal. */
typedef struct Path {
        const char *path;
        PathMode mode;
} Path;
50 | ||
/* Appends one Path entry per string of 'strv' (NULL allowed) at *p, all with
 * the given mode, and advances *p past them. The caller must have sized the
 * array; no bounds check is done here. Returns 0, or -EINVAL on the first
 * path that is not absolute (entries before it have already been written and
 * *p already points past them). */
static int append_paths(Path **p, char **strv, PathMode mode) {
        Path *out = *p;
        char **s;
        int r = 0;

        for (s = strv; s && *s; s++) {
                /* A relative path cannot be placed below root_dir. */
                if (!path_is_absolute(*s)) {
                        r = -EINVAL;
                        break;
                }

                out->path = *s;
                out->mode = mode;
                out++;
        }

        *p = out;
        return r;
}
66 | ||
/* qsort() comparator for Path entries. Equal paths are ordered by ascending
 * mode (most restrictive first, see PathMode); otherwise a path sorts after
 * any path it lies below, so that a parent is mounted before its children. */
static int path_compare(const void *a, const void *b) {
        const Path *x = a, *y = b;

        if (path_equal(x->path, y->path))
                return x->mode < y->mode ? -1 :
                       x->mode > y->mode ?  1 : 0;

        if (path_startswith(x->path, y->path))
                return 1;

        if (path_startswith(y->path, x->path))
                return -1;

        /* NOTE(review): unrelated paths compare as equal, so this is not a
         * total order. qsort() then gives no guarantee that equal paths end
         * up adjacent, which drop_duplicates() relies on — confirm. */
        return 0;
}
91 | ||
/* Compacts a path_compare()-sorted array in place, dropping every entry whose
 * path equals the entry kept just before it. Because equal paths are sorted
 * by ascending mode, the surviving entry carries the most restrictive mode.
 * *n is updated to the new count; *need_private / *need_inaccessible are set
 * (never cleared) when a PRIVATE / INACCESSIBLE entry survives. */
static void drop_duplicates(Path *p, unsigned *n, bool *need_inaccessible, bool *need_private) {
        unsigned in, out = 0;

        assert(p);
        assert(n);
        assert(need_inaccessible);
        assert(need_private);

        for (in = 0; in < *n; in++) {

                if (out > 0 && path_equal(p[in].path, p[out - 1].path))
                        continue;

                p[out] = p[in];

                if (p[out].mode == PRIVATE)
                        *need_private = true;

                if (p[out].mode == INACCESSIBLE)
                        *need_inaccessible = true;

                out++;
        }

        *n = out;
}
121 | ||
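/* Bind-mounts one Path entry at root_dir + p->path according to its mode.
 *
 *   p                entry to apply; p->path is absolute (see append_paths())
 *   root_dir         directory that will become the new root
 *   inaccessible_dir empty mode-0 directory bound over INACCESSIBLE paths
 *   private_dir      fresh sticky directory bound over PRIVATE paths
 *   flags            extra per-mount flags applied to the mount
 *
 * Returns 0 or a negative errno. Once the bind mount exists, failure of any
 * later step detaches it again, so no mount with the wrong flags (e.g. still
 * writable) is left behind.
 */
static int apply_mount(Path *p, const char *root_dir, const char *inaccessible_dir, const char *private_dir, unsigned long flags) {
        const char *what;
        char *where;
        int r;
        bool read_only = false;
        unsigned long mount_flags;

        assert(p);
        assert(root_dir);
        assert(inaccessible_dir);
        assert(private_dir);

        if (!(where = strappend(root_dir, p->path)))
                return -ENOMEM;

        switch (p->mode) {

        case INACCESSIBLE:
                what = inaccessible_dir;
                read_only = true;
                break;

        case READONLY:
                read_only = true;
                /* Fall through */

        case READWRITE:
                what = p->path;
                break;

        case PRIVATE:
                what = private_dir;
                break;

        default:
                /* Unknown mode: never call mount() with an unset source. */
                free(where);
                return -EINVAL;
        }

        r = mount(what, where, NULL, MS_BIND|MS_REC, NULL);
        if (r < 0) {
                /* Report the real error; returning the bare -1 would be
                 * misread as -EPERM by the caller. */
                r = -errno;
                goto finish;
        }

        log_debug("Successfully mounted %s to %s", what, where);

        /* A bind mount inherits the per-mount flags of its source. Changing
         * them takes a second, independent step. MS_BIND|MS_REMOUNT limits the
         * change to this mount point; a plain MS_REMOUNT would instead alter
         * the underlying superblock, i.e. the host's view of the filesystem
         * (see mount(2)). All flags are passed in one call, because such a
         * remount replaces the mount's flag set rather than adding to it.
         * MS_REC is kept from the original call; whether the kernel applies
         * the change to submounts is not checked here. */
        mount_flags = flags | (read_only ? MS_RDONLY : 0);
        if (mount_flags)
                r = mount(NULL, where, NULL, MS_BIND|MS_REMOUNT|MS_REC|mount_flags, NULL);

        /* Avoid exponential growth of trees: a later recursive bind must not
         * pick up the whole root again. This is a propagation change, which
         * mount(2) wants on its own, not combined with MS_REMOUNT. */
        if (r >= 0 && path_equal(p->path, "/"))
                r = mount(NULL, where, NULL, MS_UNBINDABLE, NULL);

        if (r < 0) {
                /* Fail closed: detach rather than keep a half-configured mount.
                 * errno is saved first since umount2() may overwrite it. */
                r = -errno;
                umount2(where, MNT_DETACH);
        }

finish:
        free(where);
        return r;
}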
181 | ||
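/* Moves the calling process into a private mount namespace whose root is a
 * bind mount of "/" with the requested paths overlaid:
 *
 *   writable      strv of absolute paths bind-mounted read-write
 *   readable      strv of absolute paths bind-mounted read-only
 *   inaccessible  strv of absolute paths hidden behind an empty mode-0 directory
 *   private_tmp   if true, "/tmp" becomes a fresh, empty, sticky directory
 *   flags         extra per-mount flags applied to every mount (see apply_mount())
 *
 * A path listed more than once gets its most restrictive mode (see PathMode).
 * Returns 0 on success, a negative errno otherwise. Up to and including
 * pivot_root() every step is undone on failure; after the pivot the process
 * already lives in the new root and an error is only reported. Needs the
 * privileges required for unshare(CLONE_NEWNS), mount() and pivot_root().
 */
int setup_namespace(
                char **writable,
                char **readable,
                char **inaccessible,
                bool private_tmp,
                unsigned long flags) {

        /* mkdtemp() fills in the trailing XXXXXX of tmp_dir; the generated
         * name is then copied over the identical prefix of the other
         * templates, which is why they all share it. */
        char
                tmp_dir[] = "/tmp/systemd-namespace-XXXXXX",
                root_dir[] = "/tmp/systemd-namespace-XXXXXX/root",
                old_root_dir[] = "/tmp/systemd-namespace-XXXXXX/root/tmp/old-root-XXXXXX",
                inaccessible_dir[] = "/tmp/systemd-namespace-XXXXXX/inaccessible",
                private_dir[] = "/tmp/systemd-namespace-XXXXXX/private";

        Path *paths, *p;
        unsigned n;
        bool need_private = false, need_inaccessible = false;
        bool remove_tmp = false, remove_root = false, remove_old_root = false, remove_inaccessible = false, remove_private = false;
        int r;
        const char *t;

        /* One entry per listed path, plus "/" itself and optionally "/tmp". */
        n =
                strv_length(writable) +
                strv_length(readable) +
                strv_length(inaccessible) +
                (private_tmp ? 2 : 1);

        if (!(paths = new(Path, n)))
                return -ENOMEM;

        p = paths;
        if ((r = append_paths(&p, writable, READWRITE)) < 0 ||
            (r = append_paths(&p, readable, READONLY)) < 0 ||
            (r = append_paths(&p, inaccessible, INACCESSIBLE)) < 0)
                goto fail;

        if (private_tmp) {
                p->path = "/tmp";
                p->mode = PRIVATE;
                p++;
        }

        /* The whole root is bound first; more specific entries sort after
         * it (see path_compare()) and are mounted on top. */
        p->path = "/";
        p->mode = READWRITE;
        p++;

        assert(paths + n == p);

        /* Parents before children, equal paths by ascending mode, then keep
         * only the first (most restrictive) entry of each path. */
        qsort(paths, n, sizeof(Path), path_compare);
        drop_duplicates(paths, &n, &need_inaccessible, &need_private);

        if (!mkdtemp(tmp_dir)) {
                r = -errno;
                goto fail;
        }
        remove_tmp = true;

        memcpy(root_dir, tmp_dir, sizeof(tmp_dir)-1);
        if (mkdir(root_dir, 0777) < 0) {
                r = -errno;
                goto fail;
        }
        remove_root = true;

        if (need_inaccessible) {
                /* Mode 0: no unprivileged access of any kind. */
                memcpy(inaccessible_dir, tmp_dir, sizeof(tmp_dir)-1);
                if (mkdir(inaccessible_dir, 0) < 0) {
                        r = -errno;
                        goto fail;
                }
                remove_inaccessible = true;
        }

        if (need_private) {
                /* World-writable and sticky, like /tmp itself. */
                memcpy(private_dir, tmp_dir, sizeof(tmp_dir)-1);
                if (mkdir(private_dir, 0777 + S_ISVTX) < 0) {
                        r = -errno;
                        goto fail;
                }
                remove_private = true;
        }

        if (unshare(CLONE_NEWNS) < 0) {
                r = -errno;
                goto fail;
        }

        /* The new namespace inherits the propagation settings of the old
         * one. If "/" is shared there, every mount done below would
         * propagate back to the host and pivot_root() would be refused.
         * Make the whole tree slave: we still receive the host's mount
         * events, ours stay in here. */
        if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        for (p = paths; p < paths + n; p++)
                if ((r = apply_mount(p, root_dir, inaccessible_dir, private_dir, flags)) < 0)
                        goto undo_mounts;

        memcpy(old_root_dir, tmp_dir, sizeof(tmp_dir)-1);
        if (!mkdtemp(old_root_dir)) {
                r = -errno;
                goto undo_mounts;
        }
        remove_old_root = true;

        if (chdir(root_dir) < 0) {
                r = -errno;
                goto undo_mounts;
        }

        if (pivot_root(root_dir, old_root_dir) < 0) {
                r = -errno;
                goto undo_mounts;
        }

        /* Seen from the new root the old one sits at the tail of
         * old_root_dir ("/tmp/old-root-XXXXXX"). Detach it so the host's
         * tree is no longer reachable from inside, then drop the directory. */
        t = old_root_dir + sizeof(root_dir) - 1;
        if (umount2(t, MNT_DETACH) < 0)
                r = -errno;
        else if (rmdir(t) < 0)
                r = -errno;
        else
                r = 0;

        /* At this point it's too late to turn anything back, since we are
         * already in the new root: only report, and do not leak 'paths'. */
        free(paths);
        return r;

undo_mounts:
        /* p is either the entry whose apply_mount() failed (it detached its
         * own mount already) or paths + n. Detach the applied ones in
         * reverse order. */
        while (p > paths) {
                char full_path[PATH_MAX];
                int k;

                p--;

                k = snprintf(full_path, sizeof(full_path), "%s%s", root_dir, p->path);
                if (k < 0 || (size_t) k >= sizeof(full_path))
                        /* Truncated: never unmount a path we did not build. */
                        continue;

                umount2(full_path, MNT_DETACH);
        }

fail:
        /* Only directories recorded as created are removed; all of these
         * are still addressed by their host paths since no pivot happened. */
        if (remove_old_root)
                rmdir(old_root_dir);

        if (remove_inaccessible)
                rmdir(inaccessible_dir);

        if (remove_private)
                rmdir(private_dir);

        if (remove_root)
                rmdir(root_dir);

        if (remove_tmp)
                rmdir(tmp_dir);

        free(paths);

        return r;
}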