[thirdparty/systemd.git] / src / core / namespace.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>
#include <linux/fs.h>

#include "dev-setup.h"
#include "loopback-setup.h"
#include "missing.h"
#include "mkdir.h"
#include "path-util.h"
#include "selinux-util.h"
#include "string-util.h"
#include "strv.h"
#include "util.h"
#include "namespace.h"

typedef enum MountMode {
        /* This is ordered by priority! */
        INACCESSIBLE,
        READONLY,
        PRIVATE_TMP,
        PRIVATE_VAR_TMP,
        PRIVATE_DEV,
        PRIVATE_BUS_ENDPOINT,
        READWRITE
} MountMode;

typedef struct BindMount {
        const char *path;
        MountMode mode;
        bool done;
        bool ignore;
} BindMount;

static int append_mounts(BindMount **p, char **strv, MountMode mode) {
        char **i;

        assert(p);

        STRV_FOREACH(i, strv) {

                (*p)->ignore = false;
                (*p)->done = false;

                if ((mode == INACCESSIBLE || mode == READONLY || mode == READWRITE) && (*i)[0] == '-') {
                        (*p)->ignore = true;
                        (*i)++;
                }

                if (!path_is_absolute(*i))
                        return -EINVAL;

                (*p)->path = *i;
                (*p)->mode = mode;
                (*p)++;
        }

        return 0;
}

static int mount_path_compare(const void *a, const void *b) {
        const BindMount *p = a, *q = b;
        int d;

        d = path_compare(p->path, q->path);

        if (d == 0) {
                /* If the paths are equal, check the mode */
                if (p->mode < q->mode)
                        return -1;

                if (p->mode > q->mode)
                        return 1;

                return 0;
        }

        /* If the paths are not equal, then order prefixes first */
        return d;
}

static void drop_duplicates(BindMount *m, unsigned *n) {
        BindMount *f, *t, *previous;

        assert(m);
        assert(n);

        for (f = m, t = m, previous = NULL; f < m+*n; f++) {

                /* The first one wins */
                if (previous && path_equal(f->path, previous->path))
                        continue;

                *t = *f;

                previous = t;

                t++;
        }

        *n = t - m;
}

static int mount_dev(BindMount *m) {
        static const char devnodes[] =
                "/dev/null\0"
                "/dev/zero\0"
                "/dev/full\0"
                "/dev/random\0"
                "/dev/urandom\0"
                "/dev/tty\0";

        char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
        const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
        _cleanup_umask_ mode_t u;
        int r;

        assert(m);

        u = umask(0000);

        if (!mkdtemp(temporary_mount))
                return -errno;

        dev = strjoina(temporary_mount, "/dev");
        (void) mkdir(dev, 0755);
        if (mount("tmpfs", dev, "tmpfs", MS_NOSUID|MS_STRICTATIME, "mode=755") < 0) {
                r = -errno;
                goto fail;
        }

        devpts = strjoina(temporary_mount, "/dev/pts");
        (void) mkdir(devpts, 0755);
        if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        devptmx = strjoina(temporary_mount, "/dev/ptmx");
        if (symlink("pts/ptmx", devptmx) < 0) {
                r = -errno;
                goto fail;
        }

        devshm = strjoina(temporary_mount, "/dev/shm");
        (void) mkdir(devshm, 01777);
        r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
        if (r < 0) {
                r = -errno;
                goto fail;
        }

        devmqueue = strjoina(temporary_mount, "/dev/mqueue");
        (void) mkdir(devmqueue, 0755);
        (void) mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);

        devhugepages = strjoina(temporary_mount, "/dev/hugepages");
        (void) mkdir(devhugepages, 0755);
        (void) mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);

        devlog = strjoina(temporary_mount, "/dev/log");
        (void) symlink("/run/systemd/journal/dev-log", devlog);

        NULSTR_FOREACH(d, devnodes) {
                _cleanup_free_ char *dn = NULL;
                struct stat st;

                r = stat(d, &st);
                if (r < 0) {

                        if (errno == ENOENT)
                                continue;

                        r = -errno;
                        goto fail;
                }

                if (!S_ISBLK(st.st_mode) &&
                    !S_ISCHR(st.st_mode)) {
                        r = -EINVAL;
                        goto fail;
                }

                if (st.st_rdev == 0)
                        continue;

                dn = strappend(temporary_mount, d);
                if (!dn) {
                        r = -ENOMEM;
                        goto fail;
                }

                mac_selinux_create_file_prepare(d, st.st_mode);
                r = mknod(dn, st.st_mode, st.st_rdev);
                mac_selinux_create_file_clear();

                if (r < 0) {
                        r = -errno;
                        goto fail;
                }
        }

        dev_setup(temporary_mount, UID_INVALID, GID_INVALID);

        /* Create the /dev directory if missing. It is more likely to be
         * missing when the service is started with RootDirectory. This is
         * consistent with mount units creating the mount points when missing.
         */
        (void) mkdir_p_label(m->path, 0755);

        if (mount(dev, m->path, NULL, MS_MOVE, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        rmdir(dev);
        rmdir(temporary_mount);

        return 0;

fail:
        if (devpts)
                umount(devpts);

        if (devshm)
                umount(devshm);

        if (devhugepages)
                umount(devhugepages);

        if (devmqueue)
                umount(devmqueue);

        umount(dev);
        rmdir(dev);
        rmdir(temporary_mount);

        return r;
}

static int mount_kdbus(BindMount *m) {

        char temporary_mount[] = "/tmp/kdbus-dev-XXXXXX";
        _cleanup_free_ char *basepath = NULL;
        _cleanup_umask_ mode_t u;
        char *busnode = NULL, *root;
        struct stat st;
        int r;

        assert(m);

        u = umask(0000);

        if (!mkdtemp(temporary_mount))
                return log_error_errno(errno, "Failed create temp dir: %m");

        root = strjoina(temporary_mount, "/kdbus");
        (void) mkdir(root, 0755);
        if (mount("tmpfs", root, "tmpfs", MS_NOSUID|MS_STRICTATIME, "mode=777") < 0) {
                r = -errno;
                goto fail;
        }

        /* create a new /dev/null dev node copy so we have some fodder to
         * bind-mount the custom endpoint over. */
        if (stat("/dev/null", &st) < 0) {
                r = log_error_errno(errno, "Failed to stat /dev/null: %m");
                goto fail;
        }

        busnode = strjoina(root, "/bus");
        if (mknod(busnode, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
                r = log_error_errno(errno, "mknod() for %s failed: %m",
                                    busnode);
                goto fail;
        }

        r = mount(m->path, busnode, NULL, MS_BIND, NULL);
        if (r < 0) {
                r = log_error_errno(errno, "bind mount of %s failed: %m",
                                    m->path);
                goto fail;
        }

        basepath = dirname_malloc(m->path);
        if (!basepath) {
                r = -ENOMEM;
                goto fail;
        }

        if (mount(root, basepath, NULL, MS_MOVE, NULL) < 0) {
                r = log_error_errno(errno, "bind mount of %s failed: %m",
                                    basepath);
                goto fail;
        }

        rmdir(temporary_mount);
        return 0;

fail:
        if (busnode) {
                umount(busnode);
                unlink(busnode);
        }

        umount(root);
        rmdir(root);
        rmdir(temporary_mount);

        return r;
}

static int apply_mount(
                BindMount *m,
                const char *tmp_dir,
                const char *var_tmp_dir) {

        const char *what;
        int r;

        assert(m);

        switch (m->mode) {

        case INACCESSIBLE:

                /* First, get rid of everything that is below if there
                 * is anything... Then, overmount it with an
                 * inaccessible directory. */
                umount_recursive(m->path, 0);

                what = "/run/systemd/inaccessible";
                break;

        case READONLY:
        case READWRITE:
                /* Nothing to mount here, we just later toggle the
                 * MS_RDONLY bit for the mount point */
                return 0;

        case PRIVATE_TMP:
                what = tmp_dir;
                break;

        case PRIVATE_VAR_TMP:
                what = var_tmp_dir;
                break;

        case PRIVATE_DEV:
                return mount_dev(m);

        case PRIVATE_BUS_ENDPOINT:
                return mount_kdbus(m);

        default:
                assert_not_reached("Unknown mode");
        }

        assert(what);

        r = mount(what, m->path, NULL, MS_BIND|MS_REC, NULL);
        if (r >= 0)
                log_debug("Successfully mounted %s to %s", what, m->path);
        else if (m->ignore && errno == ENOENT)
                return 0;

        return r;
}

static int make_read_only(BindMount *m) {
        int r;

        assert(m);

        if (IN_SET(m->mode, INACCESSIBLE, READONLY))
                r = bind_remount_recursive(m->path, true);
        else if (IN_SET(m->mode, READWRITE, PRIVATE_TMP, PRIVATE_VAR_TMP, PRIVATE_DEV))
                r = bind_remount_recursive(m->path, false);
        else
                r = 0;

        if (m->ignore && r == -ENOENT)
                return 0;

        return r;
}

int setup_namespace(
                const char* root_directory,
                char** read_write_dirs,
                char** read_only_dirs,
                char** inaccessible_dirs,
                const char* tmp_dir,
                const char* var_tmp_dir,
                const char* bus_endpoint_path,
                bool private_dev,
                ProtectHome protect_home,
                ProtectSystem protect_system,
                unsigned long mount_flags) {

        BindMount *m, *mounts = NULL;
        unsigned n;
        int r = 0;

        if (mount_flags == 0)
                mount_flags = MS_SHARED;

        if (unshare(CLONE_NEWNS) < 0)
                return -errno;

        n = !!tmp_dir + !!var_tmp_dir + !!bus_endpoint_path +
                strv_length(read_write_dirs) +
                strv_length(read_only_dirs) +
                strv_length(inaccessible_dirs) +
                private_dev +
                (protect_home != PROTECT_HOME_NO ? 3 : 0) +
                (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
                (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);

        if (n > 0) {
                m = mounts = (BindMount *) alloca0(n * sizeof(BindMount));
                r = append_mounts(&m, read_write_dirs, READWRITE);
                if (r < 0)
                        return r;

                r = append_mounts(&m, read_only_dirs, READONLY);
                if (r < 0)
                        return r;

                r = append_mounts(&m, inaccessible_dirs, INACCESSIBLE);
                if (r < 0)
                        return r;

                if (tmp_dir) {
                        m->path = prefix_roota(root_directory, "/tmp");
                        m->mode = PRIVATE_TMP;
                        m++;
                }

                if (var_tmp_dir) {
                        m->path = prefix_roota(root_directory, "/var/tmp");
                        m->mode = PRIVATE_VAR_TMP;
                        m++;
                }

                if (private_dev) {
                        m->path = prefix_roota(root_directory, "/dev");
                        m->mode = PRIVATE_DEV;
                        m++;
                }

                if (bus_endpoint_path) {
                        m->path = prefix_roota(root_directory, bus_endpoint_path);
                        m->mode = PRIVATE_BUS_ENDPOINT;
                        m++;
                }

                if (protect_home != PROTECT_HOME_NO) {
                        const char *home_dir, *run_user_dir, *root_dir;

                        home_dir = prefix_roota(root_directory, "/home");
                        home_dir = strjoina("-", home_dir);
                        run_user_dir = prefix_roota(root_directory, "/run/user");
                        run_user_dir = strjoina("-", run_user_dir);
                        root_dir = prefix_roota(root_directory, "/root");
                        root_dir = strjoina("-", root_dir);

                        r = append_mounts(&m, STRV_MAKE(home_dir, run_user_dir, root_dir),
                                protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
                        if (r < 0)
                                return r;
                }

                if (protect_system != PROTECT_SYSTEM_NO) {
                        const char *usr_dir, *boot_dir, *etc_dir;

                        usr_dir = prefix_roota(root_directory, "/usr");
                        boot_dir = prefix_roota(root_directory, "/boot");
                        boot_dir = strjoina("-", boot_dir);
                        etc_dir = prefix_roota(root_directory, "/etc");

                        r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL
                                ? STRV_MAKE(usr_dir, boot_dir, etc_dir)
                                : STRV_MAKE(usr_dir, boot_dir), READONLY);
                        if (r < 0)
                                return r;
                }

                assert(mounts + n == m);

                qsort(mounts, n, sizeof(BindMount), mount_path_compare);
                drop_duplicates(mounts, &n);
        }

        if (n > 0 || root_directory) {
                /* Remount / as SLAVE so that nothing now mounted in the namespace
                   shows up in the parent */
                if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0)
                        return -errno;
        }

        if (root_directory) {
                /* Turn directory into bind mount */
                if (mount(root_directory, root_directory, NULL, MS_BIND|MS_REC, NULL) < 0)
                        return -errno;
        }

        if (n > 0) {
                for (m = mounts; m < mounts + n; ++m) {
                        r = apply_mount(m, tmp_dir, var_tmp_dir);
                        if (r < 0)
                                goto fail;
                }

                for (m = mounts; m < mounts + n; ++m) {
                        r = make_read_only(m);
                        if (r < 0)
                                goto fail;
                }
        }

        if (root_directory) {
                /* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */
                r = mount_move_root(root_directory);

                /* at this point, we cannot rollback */
                if (r < 0)
                        return r;
        }

        /* Remount / as the desired mode. Not that this will not
         * reestablish propagation from our side to the host, since
         * what's disconnected is disconnected. */
        if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0)
                /* at this point, we cannot rollback */
                return -errno;

        return 0;

fail:
        if (n > 0) {
                for (m = mounts; m < mounts + n; ++m)
                        if (m->done)
                                (void) umount2(m->path, MNT_DETACH);
        }

        return r;
}

static int setup_one_tmp_dir(const char *id, const char *prefix, char **path) {
        _cleanup_free_ char *x = NULL;
        char bid[SD_ID128_STRING_MAX];
        sd_id128_t boot_id;
        int r;

        assert(id);
        assert(prefix);
        assert(path);

        /* We include the boot id in the directory so that after a
         * reboot we can easily identify obsolete directories. */

        r = sd_id128_get_boot(&boot_id);
        if (r < 0)
                return r;

        x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX", NULL);
        if (!x)
                return -ENOMEM;

        RUN_WITH_UMASK(0077)
                if (!mkdtemp(x))
                        return -errno;

        RUN_WITH_UMASK(0000) {
                char *y;

                y = strjoina(x, "/tmp");

                if (mkdir(y, 0777 | S_ISVTX) < 0)
                        return -errno;
        }

        *path = x;
        x = NULL;

        return 0;
}

int setup_tmp_dirs(const char *id, char **tmp_dir, char **var_tmp_dir) {
        char *a, *b;
        int r;

        assert(id);
        assert(tmp_dir);
        assert(var_tmp_dir);

        r = setup_one_tmp_dir(id, "/tmp", &a);
        if (r < 0)
                return r;

        r = setup_one_tmp_dir(id, "/var/tmp", &b);
        if (r < 0) {
                char *t;

                t = strjoina(a, "/tmp");
                rmdir(t);
                rmdir(a);

                free(a);
                return r;
        }

        *tmp_dir = a;
        *var_tmp_dir = b;

        return 0;
}

int setup_netns(int netns_storage_socket[2]) {
        _cleanup_close_ int netns = -1;
        int r, q;

        assert(netns_storage_socket);
        assert(netns_storage_socket[0] >= 0);
        assert(netns_storage_socket[1] >= 0);

        /* We use the passed socketpair as a storage buffer for our
         * namespace reference fd. Whatever process runs this first
         * shall create a new namespace, all others should just join
         * it. To serialize that we use a file lock on the socket
         * pair.
         *
         * It's a bit crazy, but hey, works great! */

        if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
                return -errno;

        netns = receive_one_fd(netns_storage_socket[0], MSG_DONTWAIT);
        if (netns == -EAGAIN) {
                /* Nothing stored yet, so let's create a new namespace */

                if (unshare(CLONE_NEWNET) < 0) {
                        r = -errno;
                        goto fail;
                }

                loopback_setup();

                netns = open("/proc/self/ns/net", O_RDONLY|O_CLOEXEC|O_NOCTTY);
                if (netns < 0) {
                        r = -errno;
                        goto fail;
                }

                r = 1;

        } else if (netns < 0) {
                r = netns;
                goto fail;

        } else {
                /* Yay, found something, so let's join the namespace */
                if (setns(netns, CLONE_NEWNET) < 0) {
                        r = -errno;
                        goto fail;
                }

                r = 0;
        }

        q = send_one_fd(netns_storage_socket[1], netns, MSG_DONTWAIT);
        if (q < 0) {
                r = q;
                goto fail;
        }

fail:
        lockf(netns_storage_socket[0], F_ULOCK, 0);
        return r;
}

static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
        [PROTECT_HOME_NO] = "no",
        [PROTECT_HOME_YES] = "yes",
        [PROTECT_HOME_READ_ONLY] = "read-only",
};

DEFINE_STRING_TABLE_LOOKUP(protect_home, ProtectHome);

static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
        [PROTECT_SYSTEM_NO] = "no",
        [PROTECT_SYSTEM_YES] = "yes",
        [PROTECT_SYSTEM_FULL] = "full",
};

DEFINE_STRING_TABLE_LOOKUP(protect_system, ProtectSystem);
Commit	Line	Data
d6c9574f	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
15ae422b LP	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
15ae422b LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
15ae422b	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
15ae422b LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <errno.h>
07630cea	23	#include <sched.h>
15ae422b	24	#include <stdio.h>
07630cea LP	25	#include <string.h>
07630cea LP	26	#include <sys/mount.h>
15ae422b	27	#include <sys/stat.h>
07630cea	28	#include <unistd.h>
25e870b5	29	#include <linux/fs.h>
15ae422b	30
7f112f50	31	#include "dev-setup.h"
07630cea LP	32	#include "loopback-setup.h"
	33	#include "missing.h"
	34	#include "mkdir.h"
	35	#include "path-util.h"
d7b8eec7	36	#include "selinux-util.h"
07630cea LP	37	#include "string-util.h"
	38	#include "strv.h"
	39	#include "util.h"
d7b8eec7	40	#include "namespace.h"
15ae422b	41
c17ec25e	42	typedef enum MountMode {
15ae422b LP	43	/* This is ordered by priority! */
	44	INACCESSIBLE,
	45	READONLY,
ac0930c8 LP	46	PRIVATE_TMP,
ac0930c8 LP	47	PRIVATE_VAR_TMP,
7f112f50	48	PRIVATE_DEV,
a610cc4f	49	PRIVATE_BUS_ENDPOINT,
15ae422b	50	READWRITE
c17ec25e	51	} MountMode;
15ae422b	52
c17ec25e	53	typedef struct BindMount {
15ae422b	54	const char *path;
c17ec25e	55	MountMode mode;
ac0930c8	56	bool done;
ea92ae33	57	bool ignore;
c17ec25e	58	} BindMount;
15ae422b	59
c17ec25e	60	static int append_mounts(BindMount p, char strv, MountMode mode) {
15ae422b LP	61	char **i;
15ae422b LP	62
613b411c LP	63	assert(p);
613b411c LP	64
15ae422b LP	65	STRV_FOREACH(i, strv) {
15ae422b LP	66
ea92ae33	67	(*p)->ignore = false;
002b2268	68	(*p)->done = false;
ea92ae33	69
94828d2d	70	if ((mode == INACCESSIBLE \|\| mode == READONLY \|\| mode == READWRITE) && (*i)[0] == '-') {
ea92ae33 MW	71	(*p)->ignore = true;
	72	(*i)++;
	73	}
	74
15ae422b LP	75	if (!path_is_absolute(*i))
	76	return -EINVAL;
	77
	78	(p)->path = i;
	79	(*p)->mode = mode;
	80	(*p)++;
	81	}
	82
	83	return 0;
	84	}
	85
c17ec25e MS	86	static int mount_path_compare(const void a, const void b) {
c17ec25e MS	87	const BindMount p = a, q = b;
a0827e2b	88	int d;
15ae422b	89
a0827e2b	90	d = path_compare(p->path, q->path);
15ae422b	91
5a8af538	92	if (d == 0) {
15ae422b LP	93	/* If the paths are equal, check the mode */
	94	if (p->mode < q->mode)
	95	return -1;
	96
	97	if (p->mode > q->mode)
	98	return 1;
	99
	100	return 0;
	101	}
	102
	103	/* If the paths are not equal, then order prefixes first */
a0827e2b	104	return d;
15ae422b LP	105	}
15ae422b LP	106
c17ec25e MS	107	static void drop_duplicates(BindMount m, unsigned n) {
c17ec25e MS	108	BindMount f, t, *previous;
15ae422b	109
c17ec25e	110	assert(m);
15ae422b	111	assert(n);
15ae422b	112
c17ec25e	113	for (f = m, t = m, previous = NULL; f < m+*n; f++) {
15ae422b	114
ac0930c8	115	/* The first one wins */
15ae422b LP	116	if (previous && path_equal(f->path, previous->path))
	117	continue;
	118
e2d7c1a0	119	t = f;
15ae422b	120
15ae422b LP	121	previous = t;
	122
	123	t++;
	124	}
	125
c17ec25e	126	*n = t - m;
15ae422b LP	127	}
15ae422b LP	128
7f112f50 LP	129	static int mount_dev(BindMount *m) {
	130	static const char devnodes[] =
	131	"/dev/null\0"
	132	"/dev/zero\0"
	133	"/dev/full\0"
	134	"/dev/random\0"
	135	"/dev/urandom\0"
	136	"/dev/tty\0";
	137
2b85f4e1	138	char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
63cc4c31	139	const char d, dev = NULL, devpts = NULL, devshm = NULL, devhugepages = NULL, devmqueue = NULL, devlog = NULL, devptmx = NULL;
7f112f50 LP	140	_cleanup_umask_ mode_t u;
	141	int r;
	142
	143	assert(m);
	144
	145	u = umask(0000);
	146
2b85f4e1 LP	147	if (!mkdtemp(temporary_mount))
	148	return -errno;
	149
63c372cb	150	dev = strjoina(temporary_mount, "/dev");
dc751688	151	(void) mkdir(dev, 0755);
2b85f4e1 LP	152	if (mount("tmpfs", dev, "tmpfs", MS_NOSUID\|MS_STRICTATIME, "mode=755") < 0) {
	153	r = -errno;
	154	goto fail;
	155	}
	156
63c372cb	157	devpts = strjoina(temporary_mount, "/dev/pts");
dc751688	158	(void) mkdir(devpts, 0755);
2b85f4e1 LP	159	if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
	160	r = -errno;
	161	goto fail;
	162	}
	163
63c372cb	164	devptmx = strjoina(temporary_mount, "/dev/ptmx");
3164e3cb ZJS	165	if (symlink("pts/ptmx", devptmx) < 0) {
	166	r = -errno;
	167	goto fail;
	168	}
e06b6479	169
63c372cb	170	devshm = strjoina(temporary_mount, "/dev/shm");
dc751688	171	(void) mkdir(devshm, 01777);
2b85f4e1 LP	172	r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
	173	if (r < 0) {
	174	r = -errno;
	175	goto fail;
	176	}
	177
63c372cb	178	devmqueue = strjoina(temporary_mount, "/dev/mqueue");
dc751688	179	(void) mkdir(devmqueue, 0755);
3164e3cb	180	(void) mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);
2b85f4e1	181
63c372cb	182	devhugepages = strjoina(temporary_mount, "/dev/hugepages");
dc751688	183	(void) mkdir(devhugepages, 0755);
3164e3cb	184	(void) mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);
2b85f4e1	185
63c372cb	186	devlog = strjoina(temporary_mount, "/dev/log");
3164e3cb	187	(void) symlink("/run/systemd/journal/dev-log", devlog);
82d25240	188
7f112f50	189	NULSTR_FOREACH(d, devnodes) {
2b85f4e1 LP	190	_cleanup_free_ char *dn = NULL;
	191	struct stat st;
	192
	193	r = stat(d, &st);
7f112f50	194	if (r < 0) {
2b85f4e1 LP	195
	196	if (errno == ENOENT)
	197	continue;
	198
	199	r = -errno;
	200	goto fail;
7f112f50 LP	201	}
7f112f50 LP	202
2b85f4e1 LP	203	if (!S_ISBLK(st.st_mode) &&
	204	!S_ISCHR(st.st_mode)) {
	205	r = -EINVAL;
	206	goto fail;
	207	}
	208
	209	if (st.st_rdev == 0)
	210	continue;
	211
	212	dn = strappend(temporary_mount, d);
	213	if (!dn) {
	214	r = -ENOMEM;
	215	goto fail;
	216	}
	217
ecabcf8b	218	mac_selinux_create_file_prepare(d, st.st_mode);
2b85f4e1	219	r = mknod(dn, st.st_mode, st.st_rdev);
ecabcf8b	220	mac_selinux_create_file_clear();
dd078a1e	221
2b85f4e1 LP	222	if (r < 0) {
	223	r = -errno;
	224	goto fail;
	225	}
7f112f50 LP	226	}
7f112f50 LP	227
03cfe0d5	228	dev_setup(temporary_mount, UID_INVALID, GID_INVALID);
7f112f50	229
ee818b89 AC	230	/* Create the /dev directory if missing. It is more likely to be
	231	* missing when the service is started with RootDirectory. This is
	232	* consistent with mount units creating the mount points when missing.
	233	*/
	234	(void) mkdir_p_label(m->path, 0755);
	235
	236	if (mount(dev, m->path, NULL, MS_MOVE, NULL) < 0) {
2b85f4e1 LP	237	r = -errno;
	238	goto fail;
	239	}
7f112f50	240
2b85f4e1 LP	241	rmdir(dev);
2b85f4e1 LP	242	rmdir(temporary_mount);
7f112f50	243
2b85f4e1	244	return 0;
7f112f50	245
2b85f4e1 LP	246	fail:
	247	if (devpts)
	248	umount(devpts);
7f112f50	249
2b85f4e1 LP	250	if (devshm)
2b85f4e1 LP	251	umount(devshm);
7f112f50	252
2b85f4e1 LP	253	if (devhugepages)
2b85f4e1 LP	254	umount(devhugepages);
7f112f50	255
2b85f4e1 LP	256	if (devmqueue)
2b85f4e1 LP	257	umount(devmqueue);
7f112f50	258
d267c5aa ZJS	259	umount(dev);
d267c5aa ZJS	260	rmdir(dev);
2b85f4e1	261	rmdir(temporary_mount);
7f112f50	262
2b85f4e1	263	return r;
7f112f50 LP	264	}
7f112f50 LP	265
a610cc4f DM	266	static int mount_kdbus(BindMount *m) {
	267
	268	char temporary_mount[] = "/tmp/kdbus-dev-XXXXXX";
	269	_cleanup_free_ char *basepath = NULL;
	270	_cleanup_umask_ mode_t u;
120d578e	271	char busnode = NULL, root;
a610cc4f DM	272	struct stat st;
	273	int r;
	274
	275	assert(m);
	276
	277	u = umask(0000);
	278
4a62c710 MS	279	if (!mkdtemp(temporary_mount))
4a62c710 MS	280	return log_error_errno(errno, "Failed create temp dir: %m");
a610cc4f	281
63c372cb	282	root = strjoina(temporary_mount, "/kdbus");
dc751688	283	(void) mkdir(root, 0755);
a610cc4f DM	284	if (mount("tmpfs", root, "tmpfs", MS_NOSUID\|MS_STRICTATIME, "mode=777") < 0) {
	285	r = -errno;
	286	goto fail;
	287	}
	288
	289	/* create a new /dev/null dev node copy so we have some fodder to
	290	* bind-mount the custom endpoint over. */
	291	if (stat("/dev/null", &st) < 0) {
76ef789d	292	r = log_error_errno(errno, "Failed to stat /dev/null: %m");
a610cc4f DM	293	goto fail;
	294	}
	295
63c372cb	296	busnode = strjoina(root, "/bus");
a610cc4f	297	if (mknod(busnode, (st.st_mode & ~07777) \| 0600, st.st_rdev) < 0) {
94c156cd LP	298	r = log_error_errno(errno, "mknod() for %s failed: %m",
94c156cd LP	299	busnode);
a610cc4f DM	300	goto fail;
	301	}
	302
4543768d	303	r = mount(m->path, busnode, NULL, MS_BIND, NULL);
a610cc4f	304	if (r < 0) {
94c156cd LP	305	r = log_error_errno(errno, "bind mount of %s failed: %m",
94c156cd LP	306	m->path);
a610cc4f DM	307	goto fail;
	308	}
	309
	310	basepath = dirname_malloc(m->path);
	311	if (!basepath) {
	312	r = -ENOMEM;
	313	goto fail;
	314	}
	315
	316	if (mount(root, basepath, NULL, MS_MOVE, NULL) < 0) {
94c156cd LP	317	r = log_error_errno(errno, "bind mount of %s failed: %m",
94c156cd LP	318	basepath);
a610cc4f DM	319	goto fail;
	320	}
	321
	322	rmdir(temporary_mount);
	323	return 0;
	324
	325	fail:
	326	if (busnode) {
	327	umount(busnode);
	328	unlink(busnode);
	329	}
	330
1775f1eb ZJS	331	umount(root);
1775f1eb ZJS	332	rmdir(root);
a610cc4f DM	333	rmdir(temporary_mount);
	334
	335	return r;
	336	}
	337
ac0930c8	338	static int apply_mount(
c17ec25e	339	BindMount *m,
ac0930c8	340	const char *tmp_dir,
c17ec25e	341	const char *var_tmp_dir) {
ac0930c8	342
15ae422b	343	const char *what;
15ae422b	344	int r;
15ae422b	345
c17ec25e	346	assert(m);
15ae422b	347
c17ec25e	348	switch (m->mode) {
15ae422b LP	349
15ae422b LP	350	case INACCESSIBLE:
6d313367 LP	351
	352	/* First, get rid of everything that is below if there
	353	* is anything... Then, overmount it with an
	354	* inaccessible directory. */
	355	umount_recursive(m->path, 0);
	356
c17ec25e	357	what = "/run/systemd/inaccessible";
15ae422b LP	358	break;
	359
	360	case READONLY:
15ae422b	361	case READWRITE:
d6797c92 LP	362	/* Nothing to mount here, we just later toggle the
	363	* MS_RDONLY bit for the mount point */
	364	return 0;
15ae422b	365
ac0930c8 LP	366	case PRIVATE_TMP:
	367	what = tmp_dir;
	368	break;
	369
	370	case PRIVATE_VAR_TMP:
	371	what = var_tmp_dir;
15ae422b	372	break;
e364ad06	373
d6797c92 LP	374	case PRIVATE_DEV:
	375	return mount_dev(m);
	376
a610cc4f DM	377	case PRIVATE_BUS_ENDPOINT:
	378	return mount_kdbus(m);
	379
e364ad06 LP	380	default:
e364ad06 LP	381	assert_not_reached("Unknown mode");
15ae422b LP	382	}
15ae422b LP	383
ac0930c8	384	assert(what);
15ae422b	385
c17ec25e	386	r = mount(what, m->path, NULL, MS_BIND\|MS_REC, NULL);
ac0930c8	387	if (r >= 0)
c17ec25e	388	log_debug("Successfully mounted %s to %s", what, m->path);
ea92ae33	389	else if (m->ignore && errno == ENOENT)
d6797c92	390	return 0;
15ae422b	391
ac0930c8 LP	392	return r;
ac0930c8 LP	393	}
15ae422b	394
c17ec25e	395	static int make_read_only(BindMount *m) {
ac0930c8	396	int r;
15ae422b	397
c17ec25e	398	assert(m);
ac0930c8	399
d6797c92 LP	400	if (IN_SET(m->mode, INACCESSIBLE, READONLY))
d6797c92 LP	401	r = bind_remount_recursive(m->path, true);
664064d6	402	else if (IN_SET(m->mode, READWRITE, PRIVATE_TMP, PRIVATE_VAR_TMP, PRIVATE_DEV))
d6797c92 LP	403	r = bind_remount_recursive(m->path, false);
	404	else
	405	r = 0;
ac0930c8	406
d6797c92 LP	407	if (m->ignore && r == -ENOENT)
d6797c92 LP	408	return 0;
ac0930c8	409
d6797c92	410	return r;
15ae422b LP	411	}
15ae422b LP	412
613b411c	413	int setup_namespace(
ee818b89	414	const char* root_directory,
613b411c LP	415	char** read_write_dirs,
	416	char** read_only_dirs,
	417	char** inaccessible_dirs,
a004cb4c LP	418	const char* tmp_dir,
	419	const char* var_tmp_dir,
	420	const char* bus_endpoint_path,
7f112f50	421	bool private_dev,
1b8689f9 LP	422	ProtectHome protect_home,
1b8689f9 LP	423	ProtectSystem protect_system,
e6547662	424	unsigned long mount_flags) {
15ae422b	425
7ff7394d	426	BindMount m, mounts = NULL;
613b411c	427	unsigned n;
c17ec25e	428	int r = 0;
15ae422b	429
613b411c	430	if (mount_flags == 0)
c17ec25e	431	mount_flags = MS_SHARED;
ac0930c8	432
d5a3f0ea ZJS	433	if (unshare(CLONE_NEWNS) < 0)
d5a3f0ea ZJS	434	return -errno;
15ae422b	435
a610cc4f	436	n = !!tmp_dir + !!var_tmp_dir + !!bus_endpoint_path +
613b411c LP	437	strv_length(read_write_dirs) +
613b411c LP	438	strv_length(read_only_dirs) +
7f112f50	439	strv_length(inaccessible_dirs) +
417116f2	440	private_dev +
c8835999	441	(protect_home != PROTECT_HOME_NO ? 3 : 0) +
051be1f7	442	(protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
1b8689f9	443	(protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
613b411c LP	444
613b411c LP	445	if (n > 0) {
002b2268	446	m = mounts = (BindMount ) alloca0(n sizeof(BindMount));
613b411c LP	447	r = append_mounts(&m, read_write_dirs, READWRITE);
	448	if (r < 0)
	449	return r;
	450
	451	r = append_mounts(&m, read_only_dirs, READONLY);
	452	if (r < 0)
	453	return r;
	454
	455	r = append_mounts(&m, inaccessible_dirs, INACCESSIBLE);
	456	if (r < 0)
7ff7394d ZJS	457	return r;
7ff7394d ZJS	458
613b411c	459	if (tmp_dir) {
ee818b89	460	m->path = prefix_roota(root_directory, "/tmp");
7ff7394d ZJS	461	m->mode = PRIVATE_TMP;
7ff7394d ZJS	462	m++;
613b411c	463	}
7ff7394d	464
613b411c	465	if (var_tmp_dir) {
ee818b89	466	m->path = prefix_roota(root_directory, "/var/tmp");
7ff7394d ZJS	467	m->mode = PRIVATE_VAR_TMP;
	468	m++;
	469	}
ac0930c8	470
7f112f50	471	if (private_dev) {
ee818b89	472	m->path = prefix_roota(root_directory, "/dev");
7f112f50 LP	473	m->mode = PRIVATE_DEV;
	474	m++;
	475	}
	476
a610cc4f	477	if (bus_endpoint_path) {
ee818b89	478	m->path = prefix_roota(root_directory, bus_endpoint_path);
a610cc4f DM	479	m->mode = PRIVATE_BUS_ENDPOINT;
	480	m++;
	481	}
	482
1b8689f9	483	if (protect_home != PROTECT_HOME_NO) {
ee818b89 AC	484	const char home_dir, run_user_dir, *root_dir;
	485
	486	home_dir = prefix_roota(root_directory, "/home");
	487	home_dir = strjoina("-", home_dir);
	488	run_user_dir = prefix_roota(root_directory, "/run/user");
	489	run_user_dir = strjoina("-", run_user_dir);
	490	root_dir = prefix_roota(root_directory, "/root");
	491	root_dir = strjoina("-", root_dir);
	492
	493	r = append_mounts(&m, STRV_MAKE(home_dir, run_user_dir, root_dir),
	494	protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
417116f2 LP	495	if (r < 0)
	496	return r;
	497	}
	498
1b8689f9	499	if (protect_system != PROTECT_SYSTEM_NO) {
ee818b89 AC	500	const char usr_dir, boot_dir, *etc_dir;
ee818b89 AC	501
d38e01dc	502	usr_dir = prefix_roota(root_directory, "/usr");
ee818b89 AC	503	boot_dir = prefix_roota(root_directory, "/boot");
	504	boot_dir = strjoina("-", boot_dir);
	505	etc_dir = prefix_roota(root_directory, "/etc");
	506
	507	r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL
	508	? STRV_MAKE(usr_dir, boot_dir, etc_dir)
	509	: STRV_MAKE(usr_dir, boot_dir), READONLY);
417116f2 LP	510	if (r < 0)
	511	return r;
	512	}
	513
7ff7394d	514	assert(mounts + n == m);
ac0930c8	515
7ff7394d ZJS	516	qsort(mounts, n, sizeof(BindMount), mount_path_compare);
7ff7394d ZJS	517	drop_duplicates(mounts, &n);
15ae422b LP	518	}
15ae422b LP	519
ee818b89	520	if (n > 0 \|\| root_directory) {
c2c13f2d LP	521	/* Remount / as SLAVE so that nothing now mounted in the namespace
	522	shows up in the parent */
	523	if (mount(NULL, "/", NULL, MS_SLAVE\|MS_REC, NULL) < 0)
	524	return -errno;
ee818b89 AC	525	}
	526
	527	if (root_directory) {
	528	/* Turn directory into bind mount */
	529	if (mount(root_directory, root_directory, NULL, MS_BIND\|MS_REC, NULL) < 0)
	530	return -errno;
	531	}
c2c13f2d	532
ee818b89	533	if (n > 0) {
c2c13f2d LP	534	for (m = mounts; m < mounts + n; ++m) {
	535	r = apply_mount(m, tmp_dir, var_tmp_dir);
	536	if (r < 0)
	537	goto fail;
	538	}
15ae422b	539
c2c13f2d LP	540	for (m = mounts; m < mounts + n; ++m) {
	541	r = make_read_only(m);
	542	if (r < 0)
	543	goto fail;
	544	}
15ae422b LP	545	}
15ae422b LP	546
ee818b89 AC	547	if (root_directory) {
	548	/* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */
	549	r = mount_move_root(root_directory);
	550
	551	/* at this point, we cannot rollback */
	552	if (r < 0)
	553	return r;
	554	}
	555
c2c13f2d LP	556	/* Remount / as the desired mode. Not that this will not
	557	* reestablish propagation from our side to the host, since
	558	* what's disconnected is disconnected. */
1f6b4113	559	if (mount(NULL, "/", NULL, mount_flags \| MS_REC, NULL) < 0)
ee818b89 AC	560	/* at this point, we cannot rollback */
ee818b89 AC	561	return -errno;
15ae422b	562
15ae422b LP	563	return 0;
15ae422b LP	564
613b411c	565	fail:
c2c13f2d LP	566	if (n > 0) {
	567	for (m = mounts; m < mounts + n; ++m)
	568	if (m->done)
42b1b990	569	(void) umount2(m->path, MNT_DETACH);
c2c13f2d	570	}
613b411c LP	571
	572	return r;
	573	}
	574
	575	static int setup_one_tmp_dir(const char id, const char prefix, char **path) {
	576	_cleanup_free_ char *x = NULL;
6b46ea73 LP	577	char bid[SD_ID128_STRING_MAX];
	578	sd_id128_t boot_id;
	579	int r;
613b411c LP	580
	581	assert(id);
	582	assert(prefix);
	583	assert(path);
	584
6b46ea73 LP	585	/* We include the boot id in the directory so that after a
	586	* reboot we can easily identify obsolete directories. */
	587
	588	r = sd_id128_get_boot(&boot_id);
	589	if (r < 0)
	590	return r;
	591
	592	x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX", NULL);
613b411c LP	593	if (!x)
	594	return -ENOMEM;
	595
	596	RUN_WITH_UMASK(0077)
	597	if (!mkdtemp(x))
	598	return -errno;
	599
	600	RUN_WITH_UMASK(0000) {
	601	char *y;
	602
63c372cb	603	y = strjoina(x, "/tmp");
613b411c LP	604
	605	if (mkdir(y, 0777 \| S_ISVTX) < 0)
	606	return -errno;
c17ec25e	607	}
15ae422b	608
613b411c LP	609	*path = x;
	610	x = NULL;
	611
	612	return 0;
	613	}
	614
	615	int setup_tmp_dirs(const char id, char tmp_dir, char *var_tmp_dir) {
	616	char a, b;
	617	int r;
	618
	619	assert(id);
	620	assert(tmp_dir);
	621	assert(var_tmp_dir);
	622
	623	r = setup_one_tmp_dir(id, "/tmp", &a);
	624	if (r < 0)
	625	return r;
	626
	627	r = setup_one_tmp_dir(id, "/var/tmp", &b);
	628	if (r < 0) {
	629	char *t;
	630
63c372cb	631	t = strjoina(a, "/tmp");
613b411c LP	632	rmdir(t);
	633	rmdir(a);
	634
	635	free(a);
	636	return r;
	637	}
	638
	639	*tmp_dir = a;
	640	*var_tmp_dir = b;
	641
	642	return 0;
	643	}
	644
	645	int setup_netns(int netns_storage_socket[2]) {
	646	_cleanup_close_ int netns = -1;
3ee897d6	647	int r, q;
613b411c LP	648
	649	assert(netns_storage_socket);
	650	assert(netns_storage_socket[0] >= 0);
	651	assert(netns_storage_socket[1] >= 0);
	652
	653	/* We use the passed socketpair as a storage buffer for our
76cd584b LP	654	* namespace reference fd. Whatever process runs this first
	655	* shall create a new namespace, all others should just join
	656	* it. To serialize that we use a file lock on the socket
	657	* pair.
613b411c LP	658	*
	659	* It's a bit crazy, but hey, works great! */
	660
	661	if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
	662	return -errno;
	663
3ee897d6 LP	664	netns = receive_one_fd(netns_storage_socket[0], MSG_DONTWAIT);
3ee897d6 LP	665	if (netns == -EAGAIN) {
613b411c LP	666	/* Nothing stored yet, so let's create a new namespace */
	667
	668	if (unshare(CLONE_NEWNET) < 0) {
	669	r = -errno;
	670	goto fail;
	671	}
	672
	673	loopback_setup();
	674
	675	netns = open("/proc/self/ns/net", O_RDONLY\|O_CLOEXEC\|O_NOCTTY);
	676	if (netns < 0) {
	677	r = -errno;
	678	goto fail;
	679	}
	680
	681	r = 1;
613b411c	682
3ee897d6 LP	683	} else if (netns < 0) {
	684	r = netns;
	685	goto fail;
613b411c	686
3ee897d6 LP	687	} else {
3ee897d6 LP	688	/* Yay, found something, so let's join the namespace */
613b411c LP	689	if (setns(netns, CLONE_NEWNET) < 0) {
	690	r = -errno;
	691	goto fail;
	692	}
	693
	694	r = 0;
	695	}
	696
3ee897d6 LP	697	q = send_one_fd(netns_storage_socket[1], netns, MSG_DONTWAIT);
	698	if (q < 0) {
	699	r = q;
613b411c LP	700	goto fail;
	701	}
	702
	703	fail:
	704	lockf(netns_storage_socket[0], F_ULOCK, 0);
15ae422b LP	705	return r;
15ae422b LP	706	}
417116f2	707
1b8689f9 LP	708	static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
	709	[PROTECT_HOME_NO] = "no",
	710	[PROTECT_HOME_YES] = "yes",
	711	[PROTECT_HOME_READ_ONLY] = "read-only",
417116f2 LP	712	};
417116f2 LP	713
1b8689f9 LP	714	DEFINE_STRING_TABLE_LOOKUP(protect_home, ProtectHome);
	715
	716	static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
	717	[PROTECT_SYSTEM_NO] = "no",
	718	[PROTECT_SYSTEM_YES] = "yes",
	719	[PROTECT_SYSTEM_FULL] = "full",
	720	};
	721
	722	DEFINE_STRING_TABLE_LOOKUP(protect_system, ProtectSystem);