[thirdparty/systemd.git] / src / core / namespace.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <sys/mount.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sched.h>
#include <sys/syscall.h>
#include <limits.h>
#include <linux/fs.h>

#include "strv.h"
#include "util.h"
#include "path-util.h"
#include "namespace.h"
#include "missing.h"

typedef enum PathMode {
        /* This is ordered by priority! */
        INACCESSIBLE,
        READONLY,
        PRIVATE,
        READWRITE
} PathMode;

typedef struct Path {
        const char *path;
        PathMode mode;
} Path;

static int append_paths(Path **p, char **strv, PathMode mode) {
        char **i;

        STRV_FOREACH(i, strv) {

                if (!path_is_absolute(*i))
                        return -EINVAL;

                (*p)->path = *i;
                (*p)->mode = mode;
                (*p)++;
        }

        return 0;
}

static int path_compare(const void *a, const void *b) {
        const Path *p = a, *q = b;

        if (path_equal(p->path, q->path)) {

                /* If the paths are equal, check the mode */
                if (p->mode < q->mode)
                        return -1;

                if (p->mode > q->mode)
                        return 1;

                return 0;
        }

        /* If the paths are not equal, then order prefixes first */
        if (path_startswith(p->path, q->path))
                return 1;

        if (path_startswith(q->path, p->path))
                return -1;

        return 0;
}

static void drop_duplicates(Path *p, unsigned *n, bool *need_inaccessible, bool *need_private) {
        Path *f, *t, *previous;

        assert(p);
        assert(n);
        assert(need_inaccessible);
        assert(need_private);

        for (f = p, t = p, previous = NULL; f < p+*n; f++) {

                if (previous && path_equal(f->path, previous->path))
                        continue;

                t->path = f->path;
                t->mode = f->mode;

                if (t->mode == PRIVATE)
                        *need_private = true;

                if (t->mode == INACCESSIBLE)
                        *need_inaccessible = true;

                previous = t;

                t++;
        }

        *n = t - p;
}

static int apply_mount(Path *p, const char *root_dir, const char *inaccessible_dir, const char *private_dir, unsigned long flags) {
        const char *what;
        char *where;
        int r;

        assert(p);
        assert(root_dir);
        assert(inaccessible_dir);
        assert(private_dir);

        where = strappend(root_dir, p->path);
        if (!where)
                return -ENOMEM;

        switch (p->mode) {

        case INACCESSIBLE:
                what = inaccessible_dir;
                flags |= MS_RDONLY;
                break;

        case READONLY:
                flags |= MS_RDONLY;
                /* Fall through */

        case READWRITE:
                what = p->path;
                break;

        case PRIVATE:
                what = private_dir;
                break;

        default:
                assert_not_reached("Unknown mode");
        }

        r = mount(what, where, NULL, MS_BIND|MS_REC, NULL);
        if (r >= 0) {
                log_debug("Successfully mounted %s to %s", what, where);

                /* The bind mount will always inherit the original
                 * flags. If we want to set any flag we need
                 * to do so in a second independent step. */
                if (flags)
                        r = mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|MS_REC|flags, NULL);

                /* Avoid exponential growth of trees */
                if (r >= 0 && path_equal(p->path, "/"))
                        r = mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|flags, NULL);

                if (r < 0) {
                        r = -errno;
                        umount2(where, MNT_DETACH);
                }
        }

        free(where);
        return r;
}

int setup_namespace(
                char **writable,
                char **readable,
                char **inaccessible,
                bool private_tmp,
                unsigned long flags) {

        char
                tmp_dir[] = "/tmp/systemd-namespace-XXXXXX",
                root_dir[] = "/tmp/systemd-namespace-XXXXXX/root",
                old_root_dir[] = "/tmp/systemd-namespace-XXXXXX/root/tmp/old-root-XXXXXX",
                inaccessible_dir[] = "/tmp/systemd-namespace-XXXXXX/inaccessible",
                private_dir[] = "/tmp/systemd-namespace-XXXXXX/private";

        Path *paths, *p;
        unsigned n;
        bool need_private = false, need_inaccessible = false;
        bool remove_tmp = false, remove_root = false, remove_old_root = false, remove_inaccessible = false, remove_private = false;
        int r;
        const char *t;

        n =
                strv_length(writable) +
                strv_length(readable) +
                strv_length(inaccessible) +
                (private_tmp ? 3 : 1);

        paths = new(Path, n);
        if (!paths)
                return -ENOMEM;

        p = paths;
        if ((r = append_paths(&p, writable, READWRITE)) < 0 ||
            (r = append_paths(&p, readable, READONLY)) < 0 ||
            (r = append_paths(&p, inaccessible, INACCESSIBLE)) < 0)
                goto fail;

        if (private_tmp) {
                p->path = "/tmp";
                p->mode = PRIVATE;
                p++;

                p->path = "/var/tmp";
                p->mode = PRIVATE;
                p++;
        }

        p->path = "/";
        p->mode = READWRITE;
        p++;

        assert(paths + n == p);

        qsort(paths, n, sizeof(Path), path_compare);
        drop_duplicates(paths, &n, &need_inaccessible, &need_private);

        if (!mkdtemp(tmp_dir)) {
                r = -errno;
                goto fail;
        }
        remove_tmp = true;

        memcpy(root_dir, tmp_dir, sizeof(tmp_dir)-1);
        if (mkdir(root_dir, 0777) < 0) {
                r = -errno;
                goto fail;
        }
        remove_root = true;

        if (need_inaccessible) {
                memcpy(inaccessible_dir, tmp_dir, sizeof(tmp_dir)-1);
                if (mkdir(inaccessible_dir, 0) < 0) {
                        r = -errno;
                        goto fail;
                }
                remove_inaccessible = true;
        }

        if (need_private) {
                mode_t u;

                memcpy(private_dir, tmp_dir, sizeof(tmp_dir)-1);

                u = umask(0000);
                if (mkdir(private_dir, 0777 + S_ISVTX) < 0) {
                        umask(u);

                        r = -errno;
                        goto fail;
                }

                umask(u);
                remove_private = true;
        }

        if (unshare(CLONE_NEWNS) < 0) {
                r = -errno;
                goto fail;
        }

        /* Remount / as SLAVE so that nothing mounted in the namespace
           shows up in the parent */
        if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        for (p = paths; p < paths + n; p++) {
                r = apply_mount(p, root_dir, inaccessible_dir, private_dir, flags);
                if (r < 0)
                        goto undo_mounts;
        }

        memcpy(old_root_dir, tmp_dir, sizeof(tmp_dir)-1);
        if (!mkdtemp(old_root_dir)) {
                r = -errno;
                goto undo_mounts;
        }
        remove_old_root = true;

        if (chdir(root_dir) < 0) {
                r = -errno;
                goto undo_mounts;
        }

        if (pivot_root(root_dir, old_root_dir) < 0) {
                r = -errno;
                goto undo_mounts;
        }

        t = old_root_dir + sizeof(root_dir) - 1;
        if (umount2(t, MNT_DETACH) < 0)
                /* At this point it's too late to turn anything back,
                 * since we are already in the new root. */
                return -errno;

        if (rmdir(t) < 0)
                return -errno;

        return 0;

undo_mounts:

        for (p--; p >= paths; p--) {
                char full_path[PATH_MAX];

                snprintf(full_path, sizeof(full_path), "%s%s", root_dir, p->path);
                char_array_0(full_path);

                umount2(full_path, MNT_DETACH);
        }

fail:
        if (remove_old_root)
                rmdir(old_root_dir);

        if (remove_inaccessible)
                rmdir(inaccessible_dir);

        if (remove_private)
                rmdir(private_dir);

        if (remove_root)
                rmdir(root_dir);

        if (remove_tmp)
                rmdir(tmp_dir);

        free(paths);

        return r;
}
Commit	Line	Data
d6c9574f	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
15ae422b LP	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
15ae422b LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
15ae422b	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
15ae422b LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <errno.h>
	23	#include <sys/mount.h>
	24	#include <string.h>
	25	#include <stdio.h>
	26	#include <unistd.h>
	27	#include <sys/stat.h>
	28	#include <sys/types.h>
	29	#include <sched.h>
	30	#include <sys/syscall.h>
	31	#include <limits.h>
25e870b5	32	#include <linux/fs.h>
15ae422b LP	33
	34	#include "strv.h"
	35	#include "util.h"
9eb977db	36	#include "path-util.h"
15ae422b LP	37	#include "namespace.h"
	38	#include "missing.h"
	39
	40	typedef enum PathMode {
	41	/* This is ordered by priority! */
	42	INACCESSIBLE,
	43	READONLY,
	44	PRIVATE,
	45	READWRITE
	46	} PathMode;
	47
	48	typedef struct Path {
	49	const char *path;
	50	PathMode mode;
	51	} Path;
	52
	53	static int append_paths(Path p, char strv, PathMode mode) {
	54	char **i;
	55
	56	STRV_FOREACH(i, strv) {
	57
	58	if (!path_is_absolute(*i))
	59	return -EINVAL;
	60
	61	(p)->path = i;
	62	(*p)->mode = mode;
	63	(*p)++;
	64	}
	65
	66	return 0;
	67	}
	68
	69	static int path_compare(const void a, const void b) {
	70	const Path p = a, q = b;
	71
	72	if (path_equal(p->path, q->path)) {
	73
	74	/* If the paths are equal, check the mode */
	75	if (p->mode < q->mode)
	76	return -1;
	77
	78	if (p->mode > q->mode)
	79	return 1;
	80
	81	return 0;
	82	}
	83
	84	/* If the paths are not equal, then order prefixes first */
	85	if (path_startswith(p->path, q->path))
	86	return 1;
	87
	88	if (path_startswith(q->path, p->path))
	89	return -1;
	90
	91	return 0;
	92	}
	93
	94	static void drop_duplicates(Path p, unsigned n, bool need_inaccessible, bool need_private) {
	95	Path f, t, *previous;
	96
	97	assert(p);
	98	assert(n);
	99	assert(need_inaccessible);
	100	assert(need_private);
101
102	for (f = p, t = p, previous = NULL; f < p+*n; f++) {
103
104	if (previous && path_equal(f->path, previous->path))
105	continue;
106
107	t->path = f->path;
108	t->mode = f->mode;
109
110	if (t->mode == PRIVATE)
111	*need_private = true;
112
113	if (t->mode == INACCESSIBLE)
114	*need_inaccessible = true;
115
116	previous = t;
117
118	t++;
119	}
120
121	*n = t - p;
122	}
123
124	static int apply_mount(Path p, const char root_dir, const char inaccessible_dir, const char private_dir, unsigned long flags) {
125	const char *what;
126	char *where;
127	int r;
15ae422b LP	128
	129	assert(p);
	130	assert(root_dir);
	131	assert(inaccessible_dir);
	132	assert(private_dir);
	133
c1d70f7c LP	134	where = strappend(root_dir, p->path);
c1d70f7c LP	135	if (!where)
15ae422b LP	136	return -ENOMEM;
	137
	138	switch (p->mode) {
	139
	140	case INACCESSIBLE:
	141	what = inaccessible_dir;
5dcfe57b	142	flags \|= MS_RDONLY;
15ae422b LP	143	break;
	144
	145	case READONLY:
5dcfe57b	146	flags \|= MS_RDONLY;
15ae422b LP	147	/* Fall through */
	148
	149	case READWRITE:
	150	what = p->path;
	151	break;
	152
	153	case PRIVATE:
	154	what = private_dir;
	155	break;
e364ad06 LP	156
	157	default:
	158	assert_not_reached("Unknown mode");
15ae422b LP	159	}
15ae422b LP	160
c1d70f7c LP	161	r = mount(what, where, NULL, MS_BIND\|MS_REC, NULL);
c1d70f7c LP	162	if (r >= 0) {
15ae422b LP	163	log_debug("Successfully mounted %s to %s", what, where);
	164
	165	/* The bind mount will always inherit the original
	166	* flags. If we want to set any flag we need
35b8ca3a	167	* to do so in a second independent step. */
15ae422b	168	if (flags)
5dcfe57b	169	r = mount(NULL, where, NULL, MS_REMOUNT\|MS_BIND\|MS_REC\|flags, NULL);
15ae422b	170
35b8ca3a	171	/* Avoid exponential growth of trees */
15ae422b	172	if (r >= 0 && path_equal(p->path, "/"))
4d46fec5	173	r = mount(NULL, where, NULL, MS_REMOUNT\|MS_BIND\|flags, NULL);
15ae422b LP	174
	175	if (r < 0) {
	176	r = -errno;
	177	umount2(where, MNT_DETACH);
	178	}
	179	}
	180
	181	free(where);
	182	return r;
	183	}
	184
	185	int setup_namespace(
	186	char **writable,
	187	char **readable,
	188	char **inaccessible,
	189	bool private_tmp,
	190	unsigned long flags) {
	191
	192	char
	193	tmp_dir[] = "/tmp/systemd-namespace-XXXXXX",
	194	root_dir[] = "/tmp/systemd-namespace-XXXXXX/root",
	195	old_root_dir[] = "/tmp/systemd-namespace-XXXXXX/root/tmp/old-root-XXXXXX",
	196	inaccessible_dir[] = "/tmp/systemd-namespace-XXXXXX/inaccessible",
	197	private_dir[] = "/tmp/systemd-namespace-XXXXXX/private";
	198
	199	Path paths, p;
	200	unsigned n;
	201	bool need_private = false, need_inaccessible = false;
	202	bool remove_tmp = false, remove_root = false, remove_old_root = false, remove_inaccessible = false, remove_private = false;
	203	int r;
	204	const char *t;
	205
	206	n =
	207	strv_length(writable) +
	208	strv_length(readable) +
	209	strv_length(inaccessible) +
c1d70f7c	210	(private_tmp ? 3 : 1);
15ae422b	211
c1d70f7c LP	212	paths = new(Path, n);
c1d70f7c LP	213	if (!paths)
15ae422b LP	214	return -ENOMEM;
	215
	216	p = paths;
	217	if ((r = append_paths(&p, writable, READWRITE)) < 0 \|\|
	218	(r = append_paths(&p, readable, READONLY)) < 0 \|\|
	219	(r = append_paths(&p, inaccessible, INACCESSIBLE)) < 0)
	220	goto fail;
	221
	222	if (private_tmp) {
	223	p->path = "/tmp";
	224	p->mode = PRIVATE;
	225	p++;
c1d70f7c LP	226
	227	p->path = "/var/tmp";
	228	p->mode = PRIVATE;
	229	p++;
15ae422b LP	230	}
	231
	232	p->path = "/";
	233	p->mode = READWRITE;
	234	p++;
	235
	236	assert(paths + n == p);
	237
	238	qsort(paths, n, sizeof(Path), path_compare);
	239	drop_duplicates(paths, &n, &need_inaccessible, &need_private);
	240
	241	if (!mkdtemp(tmp_dir)) {
	242	r = -errno;
	243	goto fail;
	244	}
	245	remove_tmp = true;
	246
	247	memcpy(root_dir, tmp_dir, sizeof(tmp_dir)-1);
	248	if (mkdir(root_dir, 0777) < 0) {
	249	r = -errno;
	250	goto fail;
	251	}
	252	remove_root = true;
	253
	254	if (need_inaccessible) {
	255	memcpy(inaccessible_dir, tmp_dir, sizeof(tmp_dir)-1);
	256	if (mkdir(inaccessible_dir, 0) < 0) {
	257	r = -errno;
	258	goto fail;
	259	}
	260	remove_inaccessible = true;
	261	}
	262
	263	if (need_private) {
21d279cf LP	264	mode_t u;
21d279cf LP	265
15ae422b	266	memcpy(private_dir, tmp_dir, sizeof(tmp_dir)-1);
21d279cf LP	267
21d279cf LP	268	u = umask(0000);
15ae422b	269	if (mkdir(private_dir, 0777 + S_ISVTX) < 0) {
21d279cf LP	270	umask(u);
21d279cf LP	271
15ae422b LP	272	r = -errno;
	273	goto fail;
	274	}
21d279cf LP	275
21d279cf LP	276	umask(u);
15ae422b LP	277	remove_private = true;
	278	}
	279
	280	if (unshare(CLONE_NEWNS) < 0) {
	281	r = -errno;
	282	goto fail;
	283	}
	284
dc4b0200 DW	285	/* Remount / as SLAVE so that nothing mounted in the namespace
	286	shows up in the parent */
	287	if (mount(NULL, "/", NULL, MS_SLAVE\|MS_REC, NULL) < 0) {
	288	r = -errno;
	289	goto fail;
	290	}
15ae422b	291
c1d70f7c LP	292	for (p = paths; p < paths + n; p++) {
	293	r = apply_mount(p, root_dir, inaccessible_dir, private_dir, flags);
	294	if (r < 0)
15ae422b	295	goto undo_mounts;
c1d70f7c	296	}
15ae422b LP	297
	298	memcpy(old_root_dir, tmp_dir, sizeof(tmp_dir)-1);
	299	if (!mkdtemp(old_root_dir)) {
	300	r = -errno;
	301	goto undo_mounts;
	302	}
	303	remove_old_root = true;
	304
	305	if (chdir(root_dir) < 0) {
	306	r = -errno;
	307	goto undo_mounts;
	308	}
	309
	310	if (pivot_root(root_dir, old_root_dir) < 0) {
	311	r = -errno;
	312	goto undo_mounts;
	313	}
	314
	315	t = old_root_dir + sizeof(root_dir) - 1;
	316	if (umount2(t, MNT_DETACH) < 0)
	317	/* At this point it's too late to turn anything back,
	318	* since we are already in the new root. */
	319	return -errno;
	320
	321	if (rmdir(t) < 0)
	322	return -errno;
	323
	324	return 0;
	325
	326	undo_mounts:
	327
	328	for (p--; p >= paths; p--) {
	329	char full_path[PATH_MAX];
	330
	331	snprintf(full_path, sizeof(full_path), "%s%s", root_dir, p->path);
	332	char_array_0(full_path);
	333
	334	umount2(full_path, MNT_DETACH);
	335	}
	336
	337	fail:
	338	if (remove_old_root)
	339	rmdir(old_root_dir);
	340
	341	if (remove_inaccessible)
	342	rmdir(inaccessible_dir);
	343
	344	if (remove_private)
	345	rmdir(private_dir);
	346
	347	if (remove_root)
	348	rmdir(root_dir);
	349
	350	if (remove_tmp)
	351	rmdir(tmp_dir);
	352
c1d70f7c	353	free(paths);
15ae422b LP	354
	355	return r;
	356	}