]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/core/namespace.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
service: add new RootImageOptions feature
[thirdparty/systemd.git] / src / core / namespace.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
15ae422b
LP		 2
3#include <errno.h>
e08f94ac 4#include <linux/loop.h>
07630cea 5#include <sched.h>
15ae422b 6#include <stdio.h>
07630cea 7#include <sys/mount.h>
07630cea 8#include <unistd.h>
25e870b5 9#include <linux/fs.h>
15ae422b 10
b5efdb8a 11#include "alloc-util.h"
10404d52 12#include "base-filesystem.h"
7f112f50 13#include "dev-setup.h"
3ffd4af2 14#include "fd-util.h"
e5f10caf 15#include "format-util.h"
d944dc95 16#include "fs-util.h"
e908468b 17#include "label.h"
915e6d16 18#include "loop-util.h"
07630cea 19#include "loopback-setup.h"
07630cea 20#include "mkdir.h"
4349cd7c 21#include "mount-util.h"
049af8ad 22#include "mountpoint-util.h"
0cb8e3d1 23#include "namespace-util.h"
3ffd4af2 24#include "namespace.h"
d8b4d14d 25#include "nulstr-util.h"
07630cea 26#include "path-util.h"
d7b8eec7 27#include "selinux-util.h"
2583fbea 28#include "socket-util.h"
760877e9 29#include "sort-util.h"
36ce7110 30#include "stat-util.h"
8b43440b 31#include "string-table.h"
07630cea
LP		 32#include "string-util.h"
33#include "strv.h"
a652f050 34#include "tmpfile-util.h"
affb60b1 35#include "umask-util.h"
ee104e11 36#include "user-util.h"
15ae422b 37
737ba3c8 38#define DEV_MOUNT_OPTIONS (MS_NOSUID|MS_STRICTATIME|MS_NOEXEC)
39
c17ec25e 40typedef enum MountMode {
15ae422b
LP		 41 /* This is ordered by priority! */
42 INACCESSIBLE,
d2d6c096
LP		 43 BIND_MOUNT,
44 BIND_MOUNT_RECURSIVE,
ac0930c8 45 PRIVATE_TMP,
56a13a49 46 PRIVATE_TMP_READONLY,
7f112f50 47 PRIVATE_DEV,
5d997827 48 BIND_DEV,
6c47cd7d 49 EMPTY_DIR,
5d997827
LP		 50 SYSFS,
51 PROCFS,
52 READONLY,
59eeb84b 53 READWRITE,
2abd4e38 54 TMPFS,
1e05071d 55 READWRITE_IMPLICIT, /* Should have the lowest priority. */
5beb8688 56 _MOUNT_MODE_MAX,
c17ec25e 57} MountMode;
15ae422b 58
34de407a 59typedef struct MountEntry {
5327c910 60 const char *path_const; /* Memory allocated on stack or static */
cfbeb4ef 61 MountMode mode:5;
5327c910
LP		 62 bool ignore:1; /* Ignore if path does not exist? */
63 bool has_prefix:1; /* Already is prefixed by the root dir? */
cfbeb4ef 64 bool read_only:1; /* Shall this mount point be read-only? */
9ce4e4b0 65 bool nosuid:1; /* Shall set MS_NOSUID on the mount itself */
088696fe 66 bool applied:1; /* Already applied */
55fe7432 67 char *path_malloc; /* Use this instead of 'path_const' if we had to allocate memory */
d2d6c096
LP		 68 const char *source_const; /* The source path, for bind mounts */
69 char *source_malloc;
2abd4e38
YW		 70 const char *options_const;/* Mount options for tmpfs */
71 char *options_malloc;
72 unsigned long flags; /* Mount flags used by EMPTY_DIR and TMPFS. Do not include MS_RDONLY here, but please use read_only. */
088696fe 73 unsigned n_followed;
34de407a 74} MountEntry;
15ae422b 75
5d997827 76/* If MountAPIVFS= is used, let's mount /sys and /proc into the it, but only as a fallback if the user hasn't mounted
3fe91079 77 * something there already. These mounts are hence overridden by any other explicitly configured mounts. */
5d997827
LP		 78static const MountEntry apivfs_table[] = {
79 { "/proc", PROCFS, false },
80 { "/dev", BIND_DEV, false },
81 { "/sys", SYSFS, false },
82};
f471b2af 83
11a30cec 84/* ProtectKernelTunables= option and the related filesystem APIs */
34de407a 85static const MountEntry protect_kernel_tunables_table[] = {
1e05071d
YW		 86 { "/proc/acpi", READONLY, true },
87 { "/proc/apm", READONLY, true }, /* Obsolete API, there's no point in permitting access to this, ever */
88 { "/proc/asound", READONLY, true },
89 { "/proc/bus", READONLY, true },
90 { "/proc/fs", READONLY, true },
91 { "/proc/irq", READONLY, true },
92 { "/proc/kallsyms", INACCESSIBLE, true },
93 { "/proc/kcore", INACCESSIBLE, true },
94 { "/proc/latency_stats", READONLY, true },
95 { "/proc/mtrr", READONLY, true },
96 { "/proc/scsi", READONLY, true },
97 { "/proc/sys", READONLY, false },
98 { "/proc/sysrq-trigger", READONLY, true },
99 { "/proc/timer_stats", READONLY, true },
100 { "/sys", READONLY, false },
101 { "/sys/fs/bpf", READONLY, true },
102 { "/sys/fs/cgroup", READWRITE_IMPLICIT, false }, /* READONLY is set by ProtectControlGroups= option */
103 { "/sys/fs/selinux", READWRITE_IMPLICIT, true },
104 { "/sys/kernel/debug", READONLY, true },
105 { "/sys/kernel/tracing", READONLY, true },
11a30cec
DH		 106};
107
c575770b 108/* ProtectKernelModules= option */
34de407a 109static const MountEntry protect_kernel_modules_table[] = {
349cc4a5 110#if HAVE_SPLIT_USR
c6232fb0 111 { "/lib/modules", INACCESSIBLE, true },
c575770b 112#endif
c6232fb0 113 { "/usr/lib/modules", INACCESSIBLE, true },
c575770b
DH		 114};
115
94a7b275
KK		 116/* ProtectKernelLogs= option */
117static const MountEntry protect_kernel_logs_table[] = {
118 { "/proc/kmsg", INACCESSIBLE, true },
119 { "/dev/kmsg", INACCESSIBLE, true },
120};
121
b6c432ca
DH		 122/*
123 * ProtectHome=read-only table, protect $HOME and $XDG_RUNTIME_DIR and rest of
124 * system should be protected by ProtectSystem=
125 */
34de407a 126static const MountEntry protect_home_read_only_table[] = {
c6232fb0
LP		 127 { "/home", READONLY, true },
128 { "/run/user", READONLY, true },
129 { "/root", READONLY, true },
b6c432ca
DH		 130};
131
e4da7d8c
YW		 132/* ProtectHome=tmpfs table */
133static const MountEntry protect_home_tmpfs_table[] = {
7d85383e
TM		 134 { "/home", TMPFS, true, .read_only = true, .options_const = "mode=0755" TMPFS_LIMITS_EMPTY_OR_ALMOST, .flags = MS_NODEV|MS_STRICTATIME },
135 { "/run/user", TMPFS, true, .read_only = true, .options_const = "mode=0755" TMPFS_LIMITS_EMPTY_OR_ALMOST, .flags = MS_NODEV|MS_STRICTATIME },
136 { "/root", TMPFS, true, .read_only = true, .options_const = "mode=0700" TMPFS_LIMITS_EMPTY_OR_ALMOST, .flags = MS_NODEV|MS_STRICTATIME },
e4da7d8c
YW		 137};
138
b6c432ca 139/* ProtectHome=yes table */
34de407a 140static const MountEntry protect_home_yes_table[] = {
c6232fb0
LP		 141 { "/home", INACCESSIBLE, true },
142 { "/run/user", INACCESSIBLE, true },
143 { "/root", INACCESSIBLE, true },
b6c432ca
DH		 144};
145
f471b2af 146/* ProtectSystem=yes table */
34de407a 147static const MountEntry protect_system_yes_table[] = {
c6232fb0
LP		 148 { "/usr", READONLY, false },
149 { "/boot", READONLY, true },
150 { "/efi", READONLY, true },
7486f305
AB		 151#if HAVE_SPLIT_USR
152 { "/lib", READONLY, true },
153 { "/lib64", READONLY, true },
154 { "/bin", READONLY, true },
671f0f8d 155# if HAVE_SPLIT_BIN
7486f305 156 { "/sbin", READONLY, true },
671f0f8d 157# endif
7486f305 158#endif
f471b2af
DH		 159};
160
161/* ProtectSystem=full includes ProtectSystem=yes */
34de407a 162static const MountEntry protect_system_full_table[] = {
c6232fb0
LP		 163 { "/usr", READONLY, false },
164 { "/boot", READONLY, true },
165 { "/efi", READONLY, true },
166 { "/etc", READONLY, false },
7486f305
AB		 167#if HAVE_SPLIT_USR
168 { "/lib", READONLY, true },
169 { "/lib64", READONLY, true },
170 { "/bin", READONLY, true },
671f0f8d 171# if HAVE_SPLIT_BIN
7486f305 172 { "/sbin", READONLY, true },
671f0f8d 173# endif
7486f305 174#endif
f471b2af
DH		 175};
176
177/*
178 * ProtectSystem=strict table. In this strict mode, we mount everything
179 * read-only, except for /proc, /dev, /sys which are the kernel API VFS,
180 * which are left writable, but PrivateDevices= + ProtectKernelTunables=
181 * protect those, and these options should be fully orthogonal.
182 * (And of course /home and friends are also left writable, as ProtectHome=
183 * shall manage those, orthogonally).
184 */
34de407a 185static const MountEntry protect_system_strict_table[] = {
1e05071d
YW		 186 { "/", READONLY, false },
187 { "/proc", READWRITE_IMPLICIT, false }, /* ProtectKernelTunables= */
188 { "/sys", READWRITE_IMPLICIT, false }, /* ProtectKernelTunables= */
189 { "/dev", READWRITE_IMPLICIT, false }, /* PrivateDevices= */
190 { "/home", READWRITE_IMPLICIT, true }, /* ProtectHome= */
191 { "/run/user", READWRITE_IMPLICIT, true }, /* ProtectHome= */
192 { "/root", READWRITE_IMPLICIT, true }, /* ProtectHome= */
f471b2af
DH		 193};
194
5beb8688
YW		 195static const char * const mount_mode_table[_MOUNT_MODE_MAX] = {
196 [INACCESSIBLE] = "inaccessible",
197 [BIND_MOUNT] = "bind",
198 [BIND_MOUNT_RECURSIVE] = "rbind",
199 [PRIVATE_TMP] = "private-tmp",
200 [PRIVATE_DEV] = "private-dev",
201 [BIND_DEV] = "bind-dev",
202 [EMPTY_DIR] = "empty",
203 [SYSFS] = "sysfs",
204 [PROCFS] = "procfs",
205 [READONLY] = "read-only",
206 [READWRITE] = "read-write",
207 [TMPFS] = "tmpfs",
208 [READWRITE_IMPLICIT] = "rw-implicit",
209};
210
211DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(mount_mode, MountMode);
212
34de407a 213static const char *mount_entry_path(const MountEntry *p) {
f0a4feb0
DH		 214 assert(p);
215
5327c910
LP		 216 /* Returns the path of this bind mount. If the malloc()-allocated ->path_buffer field is set we return that,
217 * otherwise the stack/static ->path field is returned. */
f0a4feb0 218
5327c910 219 return p->path_malloc ?: p->path_const;
f0a4feb0
DH		 220}
221
34de407a 222static bool mount_entry_read_only(const MountEntry *p) {
cfbeb4ef
LP		 223 assert(p);
224
56a13a49 225 return p->read_only || IN_SET(p->mode, READONLY, INACCESSIBLE, PRIVATE_TMP_READONLY);
cfbeb4ef
LP		 226}
227
d2d6c096
LP		 228static const char *mount_entry_source(const MountEntry *p) {
229 assert(p);
230
231 return p->source_malloc ?: p->source_const;
232}
233
2abd4e38
YW		 234static const char *mount_entry_options(const MountEntry *p) {
235 assert(p);
236
237 return p->options_malloc ?: p->options_const;
238}
239
1eb7e08e
LP		 240static void mount_entry_done(MountEntry *p) {
241 assert(p);
242
243 p->path_malloc = mfree(p->path_malloc);
244 p->source_malloc = mfree(p->source_malloc);
2abd4e38 245 p->options_malloc = mfree(p->options_malloc);
1eb7e08e
LP		 246}
247
d18aff04 248static int append_access_mounts(MountEntry **p, char **strv, MountMode mode, bool forcibly_require_prefix) {
15ae422b
LP		 249 char **i;
250
613b411c
LP		 251 assert(p);
252
1e05071d 253 /* Adds a list of user-supplied READWRITE/READWRITE_IMPLICIT/READONLY/INACCESSIBLE entries */
5327c910 254
15ae422b 255 STRV_FOREACH(i, strv) {
5327c910
LP		 256 bool ignore = false, needs_prefix = false;
257 const char *e = *i;
15ae422b 258
5327c910
LP		 259 /* Look for any prefixes */
260 if (startswith(e, "-")) {
261 e++;
9c94d52e 262 ignore = true;
ea92ae33 263 }
5327c910
LP		 264 if (startswith(e, "+")) {
265 e++;
266 needs_prefix = true;
267 }
ea92ae33 268
baaa35ad
ZJS		 269 if (!path_is_absolute(e))
270 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
271 "Path is not absolute: %s", e);
15ae422b 272
34de407a 273 *((*p)++) = (MountEntry) {
5327c910
LP		 274 .path_const = e,
275 .mode = mode,
276 .ignore = ignore,
d18aff04 277 .has_prefix = !needs_prefix && !forcibly_require_prefix,
5327c910 278 };
15ae422b
LP		 279 }
280
281 return 0;
282}
283
6c47cd7d
LP		 284static int append_empty_dir_mounts(MountEntry **p, char **strv) {
285 char **i;
286
287 assert(p);
288
289 /* Adds tmpfs mounts to provide readable but empty directories. This is primarily used to implement the
290 * "/private/" boundary directories for DynamicUser=1. */
291
292 STRV_FOREACH(i, strv) {
293
294 *((*p)++) = (MountEntry) {
295 .path_const = *i,
296 .mode = EMPTY_DIR,
297 .ignore = false,
6c47cd7d 298 .read_only = true,
7d85383e 299 .options_const = "mode=755" TMPFS_LIMITS_EMPTY_OR_ALMOST,
2abd4e38 300 .flags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
6c47cd7d
LP		 301 };
302 }
303
304 return 0;
305}
306
da6053d0
LP		 307static int append_bind_mounts(MountEntry **p, const BindMount *binds, size_t n) {
308 size_t i;
d2d6c096
LP		 309
310 assert(p);
311
312 for (i = 0; i < n; i++) {
313 const BindMount *b = binds + i;
314
315 *((*p)++) = (MountEntry) {
316 .path_const = b->destination,
317 .mode = b->recursive ? BIND_MOUNT_RECURSIVE : BIND_MOUNT,
318 .read_only = b->read_only,
9ce4e4b0 319 .nosuid = b->nosuid,
d2d6c096 320 .source_const = b->source,
4ca763a9 321 .ignore = b->ignore_enoent,
d2d6c096
LP		 322 };
323 }
324
325 return 0;
326}
327
da6053d0
LP		 328static int append_tmpfs_mounts(MountEntry **p, const TemporaryFileSystem *tmpfs, size_t n) {
329 size_t i;
2abd4e38
YW		 330 int r;
331
332 assert(p);
333
334 for (i = 0; i < n; i++) {
335 const TemporaryFileSystem *t = tmpfs + i;
336 _cleanup_free_ char *o = NULL, *str = NULL;
ad8e66dc 337 unsigned long flags;
2abd4e38
YW		 338 bool ro = false;
339
baaa35ad
ZJS		 340 if (!path_is_absolute(t->path))
341 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
342 "Path is not absolute: %s",
343 t->path);
2abd4e38 344
7d85383e 345 str = strjoin("mode=0755" TMPFS_LIMITS_TEMPORARY_FS ",", t->options);
ad8e66dc
AJ		 346 if (!str)
347 return -ENOMEM;
2abd4e38 348
ad8e66dc
AJ		 349 r = mount_option_mangle(str, MS_NODEV|MS_STRICTATIME, &flags, &o);
350 if (r < 0)
351 return log_debug_errno(r, "Failed to parse mount option '%s': %m", str);
2abd4e38 352
ad8e66dc
AJ		 353 ro = flags & MS_RDONLY;
354 if (ro)
355 flags ^= MS_RDONLY;
2abd4e38
YW		 356
357 *((*p)++) = (MountEntry) {
358 .path_const = t->path,
359 .mode = TMPFS,
360 .read_only = ro,
ad8e66dc 361 .options_malloc = TAKE_PTR(o),
2abd4e38
YW		 362 .flags = flags,
363 };
2abd4e38
YW		 364 }
365
366 return 0;
367}
368
da6053d0
LP		 369static int append_static_mounts(MountEntry **p, const MountEntry *mounts, size_t n, bool ignore_protect) {
370 size_t i;
11a30cec
DH		 371
372 assert(p);
f471b2af 373 assert(mounts);
11a30cec 374
5327c910 375 /* Adds a list of static pre-defined entries */
f471b2af 376
5327c910 377 for (i = 0; i < n; i++)
34de407a
LP		 378 *((*p)++) = (MountEntry) {
379 .path_const = mount_entry_path(mounts+i),
5327c910
LP		 380 .mode = mounts[i].mode,
381 .ignore = mounts[i].ignore || ignore_protect,
382 };
f471b2af
DH		 383
384 return 0;
385}
386
34de407a 387static int append_protect_home(MountEntry **p, ProtectHome protect_home, bool ignore_protect) {
c575770b
DH		 388 assert(p);
389
5327c910 390 switch (protect_home) {
b6c432ca 391
5327c910 392 case PROTECT_HOME_NO:
b6c432ca
DH		 393 return 0;
394
b6c432ca 395 case PROTECT_HOME_READ_ONLY:
5327c910
LP		 396 return append_static_mounts(p, protect_home_read_only_table, ELEMENTSOF(protect_home_read_only_table), ignore_protect);
397
e4da7d8c
YW		 398 case PROTECT_HOME_TMPFS:
399 return append_static_mounts(p, protect_home_tmpfs_table, ELEMENTSOF(protect_home_tmpfs_table), ignore_protect);
400
b6c432ca 401 case PROTECT_HOME_YES:
5327c910
LP		 402 return append_static_mounts(p, protect_home_yes_table, ELEMENTSOF(protect_home_yes_table), ignore_protect);
403
b6c432ca 404 default:
5327c910 405 assert_not_reached("Unexpected ProtectHome= value");
b6c432ca 406 }
b6c432ca
DH		 407}
408
34de407a 409static int append_protect_system(MountEntry **p, ProtectSystem protect_system, bool ignore_protect) {
f471b2af
DH		 410 assert(p);
411
5327c910
LP		 412 switch (protect_system) {
413
414 case PROTECT_SYSTEM_NO:
f471b2af
DH		 415 return 0;
416
f471b2af 417 case PROTECT_SYSTEM_STRICT:
5327c910
LP		 418 return append_static_mounts(p, protect_system_strict_table, ELEMENTSOF(protect_system_strict_table), ignore_protect);
419
f471b2af 420 case PROTECT_SYSTEM_YES:
5327c910
LP		 421 return append_static_mounts(p, protect_system_yes_table, ELEMENTSOF(protect_system_yes_table), ignore_protect);
422
f471b2af 423 case PROTECT_SYSTEM_FULL:
5327c910
LP		 424 return append_static_mounts(p, protect_system_full_table, ELEMENTSOF(protect_system_full_table), ignore_protect);
425
f471b2af 426 default:
5327c910 427 assert_not_reached("Unexpected ProtectSystem= value");
f471b2af 428 }
11a30cec
DH		 429}
430
93bab288 431static int mount_path_compare(const MountEntry *a, const MountEntry *b) {
a0827e2b 432 int d;
15ae422b 433
6ee1a919 434 /* If the paths are not equal, then order prefixes first */
93bab288 435 d = path_compare(mount_entry_path(a), mount_entry_path(b));
6ee1a919
LP		 436 if (d != 0)
437 return d;
15ae422b 438
6ee1a919 439 /* If the paths are equal, check the mode */
93bab288 440 return CMP((int) a->mode, (int) b->mode);
15ae422b
LP		 441}
442
da6053d0
LP		 443static int prefix_where_needed(MountEntry *m, size_t n, const char *root_directory) {
444 size_t i;
5327c910 445
4a756839 446 /* Prefixes all paths in the bind mount table with the root directory if the entry needs that. */
5327c910
LP		 447
448 for (i = 0; i < n; i++) {
449 char *s;
450
451 if (m[i].has_prefix)
452 continue;
453
c6134d3e 454 s = path_join(root_directory, mount_entry_path(m+i));
5327c910
LP		 455 if (!s)
456 return -ENOMEM;
457
e282f51f 458 free_and_replace(m[i].path_malloc, s);
5327c910
LP		 459 m[i].has_prefix = true;
460 }
461
462 return 0;
463}
464
da6053d0 465static void drop_duplicates(MountEntry *m, size_t *n) {
34de407a 466 MountEntry *f, *t, *previous;
15ae422b 467
c17ec25e 468 assert(m);
15ae422b 469 assert(n);
15ae422b 470
fe3c2583
LP		 471 /* Drops duplicate entries. Expects that the array is properly ordered already. */
472
1d54cd5d 473 for (f = m, t = m, previous = NULL; f < m + *n; f++) {
15ae422b 474
fe3c2583 475 /* The first one wins (which is the one with the more restrictive mode), see mount_path_compare()
088696fe
LP		 476 * above. Note that we only drop duplicates that haven't been mounted yet. */
477 if (previous &&
478 path_equal(mount_entry_path(f), mount_entry_path(previous)) &&
479 !f->applied && !previous->applied) {
5beb8688 480 log_debug("%s (%s) is duplicate.", mount_entry_path(f), mount_mode_to_string(f->mode));
34de407a 481 previous->read_only = previous->read_only || mount_entry_read_only(f); /* Propagate the read-only flag to the remaining entry */
1eb7e08e 482 mount_entry_done(f);
15ae422b 483 continue;
fe3c2583 484 }
15ae422b 485
e2d7c1a0 486 *t = *f;
15ae422b 487 previous = t;
fe3c2583
LP		 488 t++;
489 }
490
491 *n = t - m;
492}
493
da6053d0 494static void drop_inaccessible(MountEntry *m, size_t *n) {
34de407a 495 MountEntry *f, *t;
fe3c2583
LP		 496 const char *clear = NULL;
497
498 assert(m);
499 assert(n);
500
501 /* Drops all entries obstructed by another entry further up the tree. Expects that the array is properly
502 * ordered already. */
503
1d54cd5d 504 for (f = m, t = m; f < m + *n; f++) {
fe3c2583
LP		 505
506 /* If we found a path set for INACCESSIBLE earlier, and this entry has it as prefix we should drop
507 * it, as inaccessible paths really should drop the entire subtree. */
34de407a
LP		 508 if (clear && path_startswith(mount_entry_path(f), clear)) {
509 log_debug("%s is masked by %s.", mount_entry_path(f), clear);
1eb7e08e 510 mount_entry_done(f);
fe3c2583
LP		 511 continue;
512 }
15ae422b 513
34de407a 514 clear = f->mode == INACCESSIBLE ? mount_entry_path(f) : NULL;
fe3c2583
LP		 515
516 *t = *f;
15ae422b
LP		 517 t++;
518 }
519
c17ec25e 520 *n = t - m;
15ae422b
LP		 521}
522
da6053d0 523static void drop_nop(MountEntry *m, size_t *n) {
34de407a 524 MountEntry *f, *t;
7648a565
LP		 525
526 assert(m);
527 assert(n);
528
529 /* Drops all entries which have an immediate parent that has the same type, as they are redundant. Assumes the
530 * list is ordered by prefixes. */
531
1d54cd5d 532 for (f = m, t = m; f < m + *n; f++) {
7648a565 533
1e05071d
YW		 534 /* Only suppress such subtrees for READONLY, READWRITE and READWRITE_IMPLICIT entries */
535 if (IN_SET(f->mode, READONLY, READWRITE, READWRITE_IMPLICIT)) {
34de407a 536 MountEntry *p;
7648a565
LP		 537 bool found = false;
538
539 /* Now let's find the first parent of the entry we are looking at. */
540 for (p = t-1; p >= m; p--) {
34de407a 541 if (path_startswith(mount_entry_path(f), mount_entry_path(p))) {
7648a565
LP		 542 found = true;
543 break;
544 }
545 }
546
547 /* We found it, let's see if it's the same mode, if so, we can drop this entry */
548 if (found && p->mode == f->mode) {
5beb8688
YW		 549 log_debug("%s (%s) is made redundant by %s (%s)",
550 mount_entry_path(f), mount_mode_to_string(f->mode),
551 mount_entry_path(p), mount_mode_to_string(p->mode));
1eb7e08e 552 mount_entry_done(f);
7648a565
LP		 553 continue;
554 }
555 }
556
557 *t = *f;
558 t++;
559 }
560
561 *n = t - m;
562}
563
da6053d0 564static void drop_outside_root(const char *root_directory, MountEntry *m, size_t *n) {
34de407a 565 MountEntry *f, *t;
cd2902c9
LP		 566
567 assert(m);
568 assert(n);
569
1d54cd5d 570 /* Nothing to do */
cd2902c9
LP		 571 if (!root_directory)
572 return;
573
574 /* Drops all mounts that are outside of the root directory. */
575
1d54cd5d 576 for (f = m, t = m; f < m + *n; f++) {
cd2902c9 577
34de407a
LP		 578 if (!path_startswith(mount_entry_path(f), root_directory)) {
579 log_debug("%s is outside of root directory.", mount_entry_path(f));
1eb7e08e 580 mount_entry_done(f);
cd2902c9
LP		 581 continue;
582 }
583
584 *t = *f;
585 t++;
586 }
587
588 *n = t - m;
589}
590
b2a60844
LP		 591static int clone_device_node(
592 const char *d,
593 const char *temporary_mount,
594 bool *make_devnode) {
595
596 _cleanup_free_ char *sl = NULL;
597 const char *dn, *bn, *t;
b5e99f23
ДГ		 598 struct stat st;
599 int r;
600
414b304b 601 if (stat(d, &st) < 0) {
b2a60844
LP		 602 if (errno == ENOENT) {
603 log_debug_errno(errno, "Device node '%s' to clone does not exist, ignoring.", d);
af984e13 604 return -ENXIO;
b2a60844
LP		 605 }
606
607 return log_debug_errno(errno, "Failed to stat() device node '%s' to clone, ignoring: %m", d);
b5e99f23
ДГ		 608 }
609
610 if (!S_ISBLK(st.st_mode) &&
baaa35ad
ZJS		 611 !S_ISCHR(st.st_mode))
612 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
613 "Device node '%s' to clone is not a device node, ignoring.",
614 d);
b5e99f23 615
6f7f3a33 616 dn = strjoina(temporary_mount, d);
b5e99f23 617
b2a60844 618 /* First, try to create device node properly */
16498617
CB		 619 if (*make_devnode) {
620 mac_selinux_create_file_prepare(d, st.st_mode);
621 r = mknod(dn, st.st_mode, st.st_rdev);
622 mac_selinux_create_file_clear();
b2a60844
LP		 623 if (r >= 0)
624 goto add_symlink;
16498617
CB		 625 if (errno != EPERM)
626 return log_debug_errno(errno, "mknod failed for %s: %m", d);
627
b2a60844 628 /* This didn't work, let's not try this again for the next iterations. */
16498617
CB		 629 *make_devnode = false;
630 }
631
632 /* We're about to fallback to bind-mounting the device
1acf344d
CG		 633 * node. So create a dummy bind-mount target.
634 * Do not prepare device-node SELinux label (see issue 13762) */
16498617 635 r = mknod(dn, S_IFREG, 0);
16498617 636 if (r < 0 && errno != EEXIST)
b2a60844 637 return log_debug_errno(errno, "mknod() fallback failed for '%s': %m", d);
16498617
CB		 638
639 /* Fallback to bind-mounting:
640 * The assumption here is that all used device nodes carry standard
641 * properties. Specifically, the devices nodes we bind-mount should
642 * either be owned by root:root or root:tty (e.g. /dev/tty, /dev/ptmx)
643 * and should not carry ACLs. */
644 if (mount(d, dn, NULL, MS_BIND, NULL) < 0)
b2a60844
LP		 645 return log_debug_errno(errno, "Bind mounting failed for '%s': %m", d);
646
647add_symlink:
648 bn = path_startswith(d, "/dev/");
649 if (!bn)
650 return 0;
651
652 /* Create symlinks like /dev/char/1:9 → ../urandom */
cbc056c8
ZJS		 653 if (asprintf(&sl, "%s/dev/%s/%u:%u",
654 temporary_mount,
655 S_ISCHR(st.st_mode) ? "char" : "block",
656 major(st.st_rdev), minor(st.st_rdev)) < 0)
b2a60844
LP		 657 return log_oom();
658
659 (void) mkdir_parents(sl, 0755);
660
661 t = strjoina("../", bn);
b2a60844 662 if (symlink(t, sl) < 0)
2e4a4fae 663 log_debug_errno(errno, "Failed to symlink '%s' to '%s', ignoring: %m", t, sl);
b5e99f23 664
af984e13 665 return 0;
b5e99f23
ДГ		 666}
667
5d997827 668static int mount_private_dev(MountEntry *m) {
7f112f50
LP		 669 static const char devnodes[] =
670 "/dev/null\0"
671 "/dev/zero\0"
672 "/dev/full\0"
673 "/dev/random\0"
674 "/dev/urandom\0"
675 "/dev/tty\0";
676
2b85f4e1 677 char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
63cc4c31 678 const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
16498617 679 bool can_mknod = true;
7f112f50
LP		 680 _cleanup_umask_ mode_t u;
681 int r;
682
683 assert(m);
684
685 u = umask(0000);
686
2b85f4e1 687 if (!mkdtemp(temporary_mount))
2e4a4fae 688 return log_debug_errno(errno, "Failed to create temporary directory '%s': %m", temporary_mount);
2b85f4e1 689
63c372cb 690 dev = strjoina(temporary_mount, "/dev");
dc751688 691 (void) mkdir(dev, 0755);
7d85383e 692 if (mount("tmpfs", dev, "tmpfs", DEV_MOUNT_OPTIONS, "mode=755" TMPFS_LIMITS_DEV) < 0) {
2e4a4fae 693 r = log_debug_errno(errno, "Failed to mount tmpfs on '%s': %m", dev);
2b85f4e1
LP		 694 goto fail;
695 }
c3151977
TM		 696 r = label_fix_container(dev, "/dev", 0);
697 if (r < 0) {
698 log_debug_errno(errno, "Failed to fix label of '%s' as /dev: %m", dev);
699 goto fail;
700 }
2b85f4e1 701
63c372cb 702 devpts = strjoina(temporary_mount, "/dev/pts");
dc751688 703 (void) mkdir(devpts, 0755);
2b85f4e1 704 if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
2e4a4fae 705 r = log_debug_errno(errno, "Failed to bind mount /dev/pts on '%s': %m", devpts);
2b85f4e1
LP		 706 goto fail;
707 }
708
2e4a4fae
YW		 709 /* /dev/ptmx can either be a device node or a symlink to /dev/pts/ptmx.
710 * When /dev/ptmx a device node, /dev/pts/ptmx has 000 permissions making it inaccessible.
711 * Thus, in that case make a clone.
712 * In nspawn and other containers it will be a symlink, in that case make it a symlink. */
36ce7110 713 r = is_symlink("/dev/ptmx");
2e4a4fae
YW		 714 if (r < 0) {
715 log_debug_errno(r, "Failed to detect whether /dev/ptmx is a symlink or not: %m");
3164e3cb 716 goto fail;
2e4a4fae 717 } else if (r > 0) {
414b304b
ДГ		 718 devptmx = strjoina(temporary_mount, "/dev/ptmx");
719 if (symlink("pts/ptmx", devptmx) < 0) {
2e4a4fae 720 r = log_debug_errno(errno, "Failed to create a symlink '%s' to pts/ptmx: %m", devptmx);
414b304b
ДГ		 721 goto fail;
722 }
723 } else {
16498617 724 r = clone_device_node("/dev/ptmx", temporary_mount, &can_mknod);
152c475f
LP		 725 if (r < 0)
726 goto fail;
414b304b 727 }
e06b6479 728
63c372cb 729 devshm = strjoina(temporary_mount, "/dev/shm");
8d953682 730 (void) mkdir(devshm, 0755);
2b85f4e1
LP		 731 r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
732 if (r < 0) {
2e4a4fae 733 r = log_debug_errno(errno, "Failed to bind mount /dev/shm on '%s': %m", devshm);
2b85f4e1
LP		 734 goto fail;
735 }
736
63c372cb 737 devmqueue = strjoina(temporary_mount, "/dev/mqueue");
dc751688 738 (void) mkdir(devmqueue, 0755);
2e4a4fae
YW		 739 if (mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL) < 0)
740 log_debug_errno(errno, "Failed to bind mount /dev/mqueue on '%s', ignoring: %m", devmqueue);
2b85f4e1 741
63c372cb 742 devhugepages = strjoina(temporary_mount, "/dev/hugepages");
dc751688 743 (void) mkdir(devhugepages, 0755);
2e4a4fae
YW		 744 if (mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL) < 0)
745 log_debug_errno(errno, "Failed to bind mount /dev/hugepages on '%s', ignoring: %m", devhugepages);
2b85f4e1 746
63c372cb 747 devlog = strjoina(temporary_mount, "/dev/log");
2e4a4fae
YW		 748 if (symlink("/run/systemd/journal/dev-log", devlog) < 0)
749 log_debug_errno(errno, "Failed to create a symlink '%s' to /run/systemd/journal/dev-log, ignoring: %m", devlog);
82d25240 750
7f112f50 751 NULSTR_FOREACH(d, devnodes) {
16498617 752 r = clone_device_node(d, temporary_mount, &can_mknod);
37b22b3b 753 /* ENXIO means the *source* is not a device file, skip creation in that case */
af984e13 754 if (r < 0 && r != -ENXIO)
2b85f4e1 755 goto fail;
7f112f50
LP		 756 }
757
2e4a4fae
YW		 758 r = dev_setup(temporary_mount, UID_INVALID, GID_INVALID);
759 if (r < 0)
105a1a36 760 log_debug_errno(r, "Failed to set up basic device tree at '%s', ignoring: %m", temporary_mount);
7f112f50 761
ee818b89
AC		 762 /* Create the /dev directory if missing. It is more likely to be
763 * missing when the service is started with RootDirectory. This is
764 * consistent with mount units creating the mount points when missing.
765 */
34de407a 766 (void) mkdir_p_label(mount_entry_path(m), 0755);
ee818b89 767
9e5f8252 768 /* Unmount everything in old /dev */
2e4a4fae
YW		 769 r = umount_recursive(mount_entry_path(m), 0);
770 if (r < 0)
771 log_debug_errno(r, "Failed to unmount directories below '%s', ignoring: %m", mount_entry_path(m));
772
34de407a 773 if (mount(dev, mount_entry_path(m), NULL, MS_MOVE, NULL) < 0) {
2e4a4fae 774 r = log_debug_errno(errno, "Failed to move mount point '%s' to '%s': %m", dev, mount_entry_path(m));
2b85f4e1
LP		 775 goto fail;
776 }
7f112f50 777
1019a48f
LP		 778 (void) rmdir(dev);
779 (void) rmdir(temporary_mount);
7f112f50 780
2b85f4e1 781 return 0;
7f112f50 782
2b85f4e1
LP		 783fail:
784 if (devpts)
1019a48f 785 (void) umount(devpts);
7f112f50 786
2b85f4e1 787 if (devshm)
1019a48f 788 (void) umount(devshm);
7f112f50 789
2b85f4e1 790 if (devhugepages)
1019a48f 791 (void) umount(devhugepages);
7f112f50 792
2b85f4e1 793 if (devmqueue)
1019a48f 794 (void) umount(devmqueue);
7f112f50 795
1019a48f
LP		 796 (void) umount(dev);
797 (void) rmdir(dev);
798 (void) rmdir(temporary_mount);
7f112f50 799
2b85f4e1 800 return r;
7f112f50
LP		 801}
802
2a2969fd 803static int mount_bind_dev(const MountEntry *m) {
5d997827
LP		 804 int r;
805
806 assert(m);
807
808 /* Implements the little brother of mount_private_dev(): simply bind mounts the host's /dev into the service's
809 * /dev. This is only used when RootDirectory= is set. */
810
645767d6
LP		 811 (void) mkdir_p_label(mount_entry_path(m), 0755);
812
5d997827
LP		 813 r = path_is_mount_point(mount_entry_path(m), NULL, 0);
814 if (r < 0)
815 return log_debug_errno(r, "Unable to determine whether /dev is already mounted: %m");
816 if (r > 0) /* make this a NOP if /dev is already a mount point */
817 return 0;
818
819 if (mount("/dev", mount_entry_path(m), NULL, MS_BIND|MS_REC, NULL) < 0)
820 return log_debug_errno(errno, "Failed to bind mount %s: %m", mount_entry_path(m));
821
822 return 1;
823}
824
2a2969fd 825static int mount_sysfs(const MountEntry *m) {
5d997827
LP		 826 int r;
827
828 assert(m);
829
645767d6
LP		 830 (void) mkdir_p_label(mount_entry_path(m), 0755);
831
5d997827
LP		 832 r = path_is_mount_point(mount_entry_path(m), NULL, 0);
833 if (r < 0)
834 return log_debug_errno(r, "Unable to determine whether /sys is already mounted: %m");
835 if (r > 0) /* make this a NOP if /sys is already a mount point */
836 return 0;
837
838 /* Bind mount the host's version so that we get all child mounts of it, too. */
839 if (mount("/sys", mount_entry_path(m), NULL, MS_BIND|MS_REC, NULL) < 0)
840 return log_debug_errno(errno, "Failed to mount %s: %m", mount_entry_path(m));
841
842 return 1;
843}
844
2a2969fd 845static int mount_procfs(const MountEntry *m) {
5d997827
LP		 846 int r;
847
848 assert(m);
849
645767d6
LP		 850 (void) mkdir_p_label(mount_entry_path(m), 0755);
851
5d997827
LP		 852 r = path_is_mount_point(mount_entry_path(m), NULL, 0);
853 if (r < 0)
854 return log_debug_errno(r, "Unable to determine whether /proc is already mounted: %m");
855 if (r > 0) /* make this a NOP if /proc is already a mount point */
856 return 0;
857
858 /* Mount a new instance, so that we get the one that matches our user namespace, if we are running in one */
859 if (mount("proc", mount_entry_path(m), "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL) < 0)
860 return log_debug_errno(errno, "Failed to mount %s: %m", mount_entry_path(m));
861
862 return 1;
863}
864
2abd4e38 865static int mount_tmpfs(const MountEntry *m) {
abad72be
CG		 866 int r;
867 const char *entry_path = mount_entry_path(m);
868 const char *source_path = m->path_const;
869
6c47cd7d
LP		 870 assert(m);
871
2abd4e38 872 /* First, get rid of everything that is below if there is anything. Then, overmount with our new tmpfs */
6c47cd7d 873
abad72be
CG		 874 (void) mkdir_p_label(entry_path, 0755);
875 (void) umount_recursive(entry_path, 0);
6c47cd7d 876
abad72be
CG		 877 if (mount("tmpfs", entry_path, "tmpfs", m->flags, mount_entry_options(m)) < 0)
878 return log_debug_errno(errno, "Failed to mount %s: %m", entry_path);
879
880 r = label_fix_container(entry_path, source_path, 0);
881 if (r < 0)
f2df56bf 882 return log_debug_errno(r, "Failed to fix label of '%s' as '%s': %m", entry_path, source_path);
6c47cd7d
LP		 883
884 return 1;
885}
886
088696fe 887static int follow_symlink(
d2d6c096 888 const char *root_directory,
088696fe 889 MountEntry *m) {
d2d6c096 890
088696fe 891 _cleanup_free_ char *target = NULL;
8fceda93
LP		 892 int r;
893
088696fe
LP		 894 /* Let's chase symlinks, but only one step at a time. That's because depending where the symlink points we
895 * might need to change the order in which we mount stuff. Hence: let's normalize piecemeal, and do one step at
896 * a time by specifying CHASE_STEP. This function returns 0 if we resolved one step, and > 0 if we reached the
897 * end and already have a fully normalized name. */
8fceda93 898
a5648b80 899 r = chase_symlinks(mount_entry_path(m), root_directory, CHASE_STEP|CHASE_NONEXISTENT, &target, NULL);
088696fe
LP		 900 if (r < 0)
901 return log_debug_errno(r, "Failed to chase symlinks '%s': %m", mount_entry_path(m));
902 if (r > 0) /* Reached the end, nothing more to resolve */
903 return 1;
8fceda93 904
baaa35ad
ZJS		 905 if (m->n_followed >= CHASE_SYMLINKS_MAX) /* put a boundary on things */
906 return log_debug_errno(SYNTHETIC_ERRNO(ELOOP),
907 "Symlink loop on '%s'.",
908 mount_entry_path(m));
8fceda93 909
088696fe 910 log_debug("Followed mount entry path symlink %s → %s.", mount_entry_path(m), target);
8fceda93 911
088696fe
LP		 912 free_and_replace(m->path_malloc, target);
913 m->has_prefix = true;
8fceda93 914
088696fe
LP		 915 m->n_followed ++;
916
917 return 0;
8fceda93
LP		 918}
919
ac0930c8 920static int apply_mount(
8fceda93 921 const char *root_directory,
89bd586c 922 MountEntry *m) {
ac0930c8 923
e5f10caf 924 _cleanup_free_ char *inaccessible = NULL;
a227a4be 925 bool rbind = true, make = false;
15ae422b 926 const char *what;
15ae422b 927 int r;
15ae422b 928
c17ec25e 929 assert(m);
15ae422b 930
34de407a 931 log_debug("Applying namespace mount on %s", mount_entry_path(m));
fe3c2583 932
c17ec25e 933 switch (m->mode) {
15ae422b 934
160cfdbe 935 case INACCESSIBLE: {
e5f10caf
AZ		 936 _cleanup_free_ char *tmp = NULL;
937 const char *runtime_dir;
160cfdbe 938 struct stat target;
6d313367
LP		 939
940 /* First, get rid of everything that is below if there
941 * is anything... Then, overmount it with an
c4b41707 942 * inaccessible path. */
34de407a 943 (void) umount_recursive(mount_entry_path(m), 0);
6d313367 944
088696fe
LP		 945 if (lstat(mount_entry_path(m), &target) < 0) {
946 if (errno == ENOENT && m->ignore)
947 return 0;
948
cbc056c8
ZJS		 949 return log_debug_errno(errno, "Failed to lstat() %s to determine what to mount over it: %m",
950 mount_entry_path(m));
088696fe 951 }
15ae422b 952
e5f10caf 953 if (geteuid() == 0)
48b747fa 954 runtime_dir = "/run";
e5f10caf 955 else {
48b747fa
LP		 956 if (asprintf(&tmp, "/run/user/" UID_FMT, geteuid()) < 0)
957 return -ENOMEM;
e5f10caf
AZ		 958
959 runtime_dir = tmp;
960 }
961
962 r = mode_to_inaccessible_node(runtime_dir, target.st_mode, &inaccessible);
963 if (r < 0)
baaa35ad
ZJS		 964 return log_debug_errno(SYNTHETIC_ERRNO(ELOOP),
965 "File type not supported for inaccessible mounts. Note that symlinks are not allowed");
e5f10caf 966 what = inaccessible;
c4b41707 967 break;
160cfdbe 968 }
fe3c2583 969
15ae422b 970 case READONLY:
15ae422b 971 case READWRITE:
1e05071d 972 case READWRITE_IMPLICIT:
8fceda93 973 r = path_is_mount_point(mount_entry_path(m), root_directory, 0);
088696fe
LP		 974 if (r == -ENOENT && m->ignore)
975 return 0;
d944dc95 976 if (r < 0)
cbc056c8
ZJS		 977 return log_debug_errno(r, "Failed to determine whether %s is already a mount point: %m",
978 mount_entry_path(m));
979 if (r > 0) /* Nothing to do here, it is already a mount. We just later toggle the MS_RDONLY
980 * bit for the mount point if needed. */
6b7c9f8b 981 return 0;
6b7c9f8b 982 /* This isn't a mount point yet, let's make it one. */
34de407a 983 what = mount_entry_path(m);
6b7c9f8b 984 break;
15ae422b 985
d2d6c096
LP		 986 case BIND_MOUNT:
987 rbind = false;
d2d6c096 988
4831981d 989 _fallthrough_;
088696fe
LP		 990 case BIND_MOUNT_RECURSIVE: {
991 _cleanup_free_ char *chased = NULL;
5d997827 992
cbc056c8
ZJS		 993 /* Since mount() will always follow symlinks we chase the symlinks on our own first. Note
994 * that bind mount source paths are always relative to the host root, hence we pass NULL as
995 * root directory to chase_symlinks() here. */
088696fe 996
a5648b80 997 r = chase_symlinks(mount_entry_source(m), NULL, CHASE_TRAIL_SLASH, &chased, NULL);
088696fe
LP		 998 if (r == -ENOENT && m->ignore) {
999 log_debug_errno(r, "Path %s does not exist, ignoring.", mount_entry_source(m));
1000 return 0;
1001 }
1002 if (r < 0)
1003 return log_debug_errno(r, "Failed to follow symlinks on %s: %m", mount_entry_source(m));
1004
1005 log_debug("Followed source symlinks %s → %s.", mount_entry_source(m), chased);
1006
1007 free_and_replace(m->source_malloc, chased);
d2d6c096
LP		 1008
1009 what = mount_entry_source(m);
a227a4be 1010 make = true;
d2d6c096 1011 break;
088696fe 1012 }
d2d6c096 1013
6c47cd7d 1014 case EMPTY_DIR:
2abd4e38
YW		 1015 case TMPFS:
1016 return mount_tmpfs(m);
6c47cd7d 1017
ac0930c8 1018 case PRIVATE_TMP:
56a13a49 1019 case PRIVATE_TMP_READONLY:
89bd586c 1020 what = mount_entry_source(m);
a227a4be 1021 make = true;
15ae422b 1022 break;
e364ad06 1023
d6797c92 1024 case PRIVATE_DEV:
5d997827
LP		 1025 return mount_private_dev(m);
1026
1027 case BIND_DEV:
1028 return mount_bind_dev(m);
1029
1030 case SYSFS:
1031 return mount_sysfs(m);
1032
1033 case PROCFS:
1034 return mount_procfs(m);
d6797c92 1035
e364ad06
LP		 1036 default:
1037 assert_not_reached("Unknown mode");
15ae422b
LP		 1038 }
1039
ac0930c8 1040 assert(what);
15ae422b 1041
a227a4be
LP		 1042 if (mount(what, mount_entry_path(m), NULL, MS_BIND|(rbind ? MS_REC : 0), NULL) < 0) {
1043 bool try_again = false;
1044 r = -errno;
1045
1046 if (r == -ENOENT && make) {
1047 struct stat st;
1048
cbc056c8
ZJS		 1049 /* Hmm, either the source or the destination are missing. Let's see if we can create
1050 the destination, then try again. */
a227a4be 1051
e8717862 1052 if (stat(what, &st) < 0)
5dc60faa 1053 log_error_errno(errno, "Mount point source '%s' is not accessible: %m", what);
e8717862
LP		 1054 else {
1055 int q;
a227a4be
LP		 1056
1057 (void) mkdir_parents(mount_entry_path(m), 0755);
1058
1059 if (S_ISDIR(st.st_mode))
e8717862 1060 q = mkdir(mount_entry_path(m), 0755) < 0 ? -errno : 0;
a227a4be 1061 else
e8717862
LP		 1062 q = touch(mount_entry_path(m));
1063
1064 if (q < 0)
cbc056c8
ZJS		 1065 log_error_errno(q, "Failed to create destination mount point node '%s': %m",
1066 mount_entry_path(m));
e8717862
LP		 1067 else
1068 try_again = true;
a227a4be
LP		 1069 }
1070 }
1071
1072 if (try_again) {
1073 if (mount(what, mount_entry_path(m), NULL, MS_BIND|(rbind ? MS_REC : 0), NULL) < 0)
1074 r = -errno;
1075 else
1076 r = 0;
1077 }
1078
1079 if (r < 0)
5dc60faa 1080 return log_error_errno(r, "Failed to mount %s to %s: %m", what, mount_entry_path(m));
a227a4be 1081 }
6b7c9f8b 1082
34de407a 1083 log_debug("Successfully mounted %s to %s", what, mount_entry_path(m));
6b7c9f8b 1084 return 0;
ac0930c8 1085}
15ae422b 1086
6b000af4 1087static int make_read_only(const MountEntry *m, char **deny_list, FILE *proc_self_mountinfo) {
9ce4e4b0 1088 unsigned long new_flags = 0, flags_mask = 0;
763a260a 1089 bool submounts = false;
6b7c9f8b 1090 int r = 0;
15ae422b 1091
c17ec25e 1092 assert(m);
ac9de0b3 1093 assert(proc_self_mountinfo);
ac0930c8 1094
9ce4e4b0
LP		 1095 if (mount_entry_read_only(m) || m->mode == PRIVATE_DEV) {
1096 new_flags |= MS_RDONLY;
1097 flags_mask |= MS_RDONLY;
1098 }
1099
1100 if (m->nosuid) {
1101 new_flags |= MS_NOSUID;
1102 flags_mask |= MS_NOSUID;
1103 }
1104
1105 if (flags_mask == 0) /* No Change? */
6b7c9f8b
LP		 1106 return 0;
1107
9ce4e4b0
LP		 1108 /* We generally apply these changes recursively, except for /dev, and the cases we know there's
1109 * nothing further down. Set /dev readonly, but not submounts like /dev/shm. Also, we only set the
1110 * per-mount read-only flag. We can't set it on the superblock, if we are inside a user namespace
1111 * and running Linux <= 4.17. */
1112 submounts =
1113 mount_entry_read_only(m) &&
1114 !IN_SET(m->mode, EMPTY_DIR, TMPFS);
1115 if (submounts)
6b000af4 1116 r = bind_remount_recursive_with_mountinfo(mount_entry_path(m), new_flags, flags_mask, deny_list, proc_self_mountinfo);
9ce4e4b0 1117 else
7cce68e1 1118 r = bind_remount_one_with_mountinfo(mount_entry_path(m), new_flags, flags_mask, proc_self_mountinfo);
9ce4e4b0 1119
867189b5
LP		 1120 /* Not that we only turn on the MS_RDONLY flag here, we never turn it off. Something that was marked
1121 * read-only already stays this way. This improves compatibility with container managers, where we
1122 * won't attempt to undo read-only mounts already applied. */
ac0930c8 1123
8fceda93 1124 if (r == -ENOENT && m->ignore)
867189b5 1125 return 0;
763a260a 1126 if (r < 0)
9ce4e4b0 1127 return log_debug_errno(r, "Failed to re-mount '%s'%s: %m", mount_entry_path(m),
763a260a 1128 submounts ? " and its submounts" : "");
763a260a 1129 return 0;
d944dc95
LP		 1130}
1131
9b68367b 1132static bool namespace_info_mount_apivfs(const NamespaceInfo *ns_info) {
5d997827
LP		 1133 assert(ns_info);
1134
9c988f93
DH		 1135 /*
1136 * ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=,
1137 * since to protect the API VFS mounts, they need to be around in the
9b68367b 1138 * first place...
9c988f93 1139 */
5d997827 1140
9b68367b
YW		 1141 return ns_info->mount_apivfs ||
1142 ns_info->protect_control_groups ||
1143 ns_info->protect_kernel_tunables;
5d997827
LP		 1144}
1145
da6053d0 1146static size_t namespace_calculate_mounts(
bb0ff3fb 1147 const NamespaceInfo *ns_info,
2652c6c1
DH		 1148 char** read_write_paths,
1149 char** read_only_paths,
1150 char** inaccessible_paths,
6c47cd7d 1151 char** empty_directories,
da6053d0
LP		 1152 size_t n_bind_mounts,
1153 size_t n_temporary_filesystems,
2652c6c1
DH		 1154 const char* tmp_dir,
1155 const char* var_tmp_dir,
91dd5f7c 1156 const char* log_namespace,
2652c6c1
DH		 1157 ProtectHome protect_home,
1158 ProtectSystem protect_system) {
1159
da6053d0
LP		 1160 size_t protect_home_cnt;
1161 size_t protect_system_cnt =
f471b2af
DH		 1162 (protect_system == PROTECT_SYSTEM_STRICT ?
1163 ELEMENTSOF(protect_system_strict_table) :
1164 ((protect_system == PROTECT_SYSTEM_FULL) ?
1165 ELEMENTSOF(protect_system_full_table) :
1166 ((protect_system == PROTECT_SYSTEM_YES) ?
1167 ELEMENTSOF(protect_system_yes_table) : 0)));
1168
b6c432ca
DH		 1169 protect_home_cnt =
1170 (protect_home == PROTECT_HOME_YES ?
1171 ELEMENTSOF(protect_home_yes_table) :
1172 ((protect_home == PROTECT_HOME_READ_ONLY) ?
e4da7d8c
YW		 1173 ELEMENTSOF(protect_home_read_only_table) :
1174 ((protect_home == PROTECT_HOME_TMPFS) ?
1175 ELEMENTSOF(protect_home_tmpfs_table) : 0)));
b6c432ca 1176
2652c6c1
DH		 1177 return !!tmp_dir + !!var_tmp_dir +
1178 strv_length(read_write_paths) +
1179 strv_length(read_only_paths) +
1180 strv_length(inaccessible_paths) +
6c47cd7d 1181 strv_length(empty_directories) +
d2d6c096 1182 n_bind_mounts +
2abd4e38 1183 n_temporary_filesystems +
c575770b
DH		 1184 ns_info->private_dev +
1185 (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
c575770b 1186 (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
94a7b275
KK		 1187 (ns_info->protect_kernel_logs ? ELEMENTSOF(protect_kernel_logs_table) : 0) +
1188 (ns_info->protect_control_groups ? 1 : 0) +
5d997827 1189 protect_home_cnt + protect_system_cnt +
aecd5ac6 1190 (ns_info->protect_hostname ? 2 : 0) +
91dd5f7c
LP		 1191 (namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0) +
1192 !!log_namespace;
2652c6c1
DH		 1193}
1194
da6053d0 1195static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) {
9b68367b 1196 assert(root_directory);
f8b64b57
LP		 1197 assert(n_mounts);
1198 assert(mounts || *n_mounts == 0);
1199
93bab288 1200 typesafe_qsort(mounts, *n_mounts, mount_path_compare);
f8b64b57
LP		 1201
1202 drop_duplicates(mounts, n_mounts);
1203 drop_outside_root(root_directory, mounts, n_mounts);
1204 drop_inaccessible(mounts, n_mounts);
1205 drop_nop(mounts, n_mounts);
1206}
1207
c8c535d5
LP		 1208static bool root_read_only(
1209 char **read_only_paths,
1210 ProtectSystem protect_system) {
1211
1212 /* Determine whether the root directory is going to be read-only given the configured settings. */
1213
1214 if (protect_system == PROTECT_SYSTEM_STRICT)
1215 return true;
1216
de46b2be 1217 if (prefixed_path_strv_contains(read_only_paths, "/"))
c8c535d5
LP		 1218 return true;
1219
1220 return false;
1221}
1222
1223static bool home_read_only(
1224 char** read_only_paths,
1225 char** inaccessible_paths,
1226 char** empty_directories,
1227 const BindMount *bind_mounts,
1228 size_t n_bind_mounts,
1229 const TemporaryFileSystem *temporary_filesystems,
1230 size_t n_temporary_filesystems,
1231 ProtectHome protect_home) {
1232
1233 size_t i;
1234
1235 /* Determine whether the /home directory is going to be read-only given the configured settings. Yes,
1236 * this is a bit sloppy, since we don't bother checking for cases where / is affected by multiple
1237 * settings. */
1238
1239 if (protect_home != PROTECT_HOME_NO)
1240 return true;
1241
de46b2be
TM		 1242 if (prefixed_path_strv_contains(read_only_paths, "/home") ||
1243 prefixed_path_strv_contains(inaccessible_paths, "/home") ||
1244 prefixed_path_strv_contains(empty_directories, "/home"))
c8c535d5
LP		 1245 return true;
1246
1247 for (i = 0; i < n_temporary_filesystems; i++)
1248 if (path_equal(temporary_filesystems[i].path, "/home"))
1249 return true;
1250
1251 /* If /home is overmounted with some dir from the host it's not writable. */
1252 for (i = 0; i < n_bind_mounts; i++)
1253 if (path_equal(bind_mounts[i].destination, "/home"))
1254 return true;
1255
1256 return false;
1257}
1258
613b411c 1259int setup_namespace(
ee818b89 1260 const char* root_directory,
915e6d16 1261 const char* root_image,
18d73705 1262 const MountOptions *root_image_options,
bb0ff3fb 1263 const NamespaceInfo *ns_info,
2a624c36
AP		 1264 char** read_write_paths,
1265 char** read_only_paths,
1266 char** inaccessible_paths,
6c47cd7d 1267 char** empty_directories,
d2d6c096 1268 const BindMount *bind_mounts,
da6053d0 1269 size_t n_bind_mounts,
2abd4e38 1270 const TemporaryFileSystem *temporary_filesystems,
da6053d0 1271 size_t n_temporary_filesystems,
a004cb4c
LP		 1272 const char* tmp_dir,
1273 const char* var_tmp_dir,
91dd5f7c 1274 const char *log_namespace,
1b8689f9
LP		 1275 ProtectHome protect_home,
1276 ProtectSystem protect_system,
915e6d16 1277 unsigned long mount_flags,
0389f4fa
LB		 1278 const void *root_hash,
1279 size_t root_hash_size,
1280 const char *root_hash_path,
d4d55b0d
LB		 1281 const void *root_hash_sig,
1282 size_t root_hash_sig_size,
1283 const char *root_hash_sig_path,
0389f4fa 1284 const char *root_verity,
7cc5ef5f
ZJS		 1285 DissectImageFlags dissect_image_flags,
1286 char **error_path) {
15ae422b 1287
915e6d16 1288 _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
78ebe980 1289 _cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
915e6d16 1290 _cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
0389f4fa 1291 _cleanup_free_ void *root_hash_decoded = NULL;
c2923fdc 1292 _cleanup_free_ char *verity_data = NULL, *hash_sig_path = NULL;
5f7a690a 1293 MountEntry *m = NULL, *mounts = NULL;
0389f4fa 1294 size_t n_mounts;
d18aff04 1295 bool require_prefix = false;
9b68367b 1296 const char *root;
c17ec25e 1297 int r = 0;
15ae422b 1298
915e6d16
LP		 1299 assert(ns_info);
1300
613b411c 1301 if (mount_flags == 0)
c17ec25e 1302 mount_flags = MS_SHARED;
ac0930c8 1303
915e6d16
LP		 1304 if (root_image) {
1305 dissect_image_flags |= DISSECT_IMAGE_REQUIRE_ROOT;
1306
c8c535d5
LP		 1307 /* Make the whole image read-only if we can determine that we only access it in a read-only fashion. */
1308 if (root_read_only(read_only_paths,
1309 protect_system) &&
1310 home_read_only(read_only_paths, inaccessible_paths, empty_directories,
1311 bind_mounts, n_bind_mounts, temporary_filesystems, n_temporary_filesystems,
1312 protect_home) &&
c9ef8573 1313 strv_isempty(read_write_paths))
915e6d16
LP		 1314 dissect_image_flags |= DISSECT_IMAGE_READ_ONLY;
1315
1316 r = loop_device_make_by_path(root_image,
b0a94268 1317 FLAGS_SET(dissect_image_flags, DISSECT_IMAGE_READ_ONLY) ? O_RDONLY : -1 /* < 0 means writable if possible, read-only as fallback */,
e08f94ac 1318 LO_FLAGS_PARTSCAN,
915e6d16
LP		 1319 &loop_device);
1320 if (r < 0)
763a260a 1321 return log_debug_errno(r, "Failed to create loop device for root image: %m");
915e6d16 1322
cbc056c8
ZJS		 1323 r = verity_metadata_load(root_image,
1324 root_hash_path,
1325 root_hash ? NULL : &root_hash_decoded,
1326 root_hash ? NULL : &root_hash_size,
1327 root_verity ? NULL : &verity_data,
1328 root_hash_sig || root_hash_sig_path ? NULL : &hash_sig_path);
78ebe980 1329 if (r < 0)
763a260a 1330 return log_debug_errno(r, "Failed to load root hash: %m");
0389f4fa 1331 dissect_image_flags |= root_verity || verity_data ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0;
78ebe980 1332
cbc056c8
ZJS		 1333 r = dissect_image(loop_device->fd,
1334 root_hash ?: root_hash_decoded,
1335 root_hash_size,
1336 root_verity ?: verity_data,
18d73705 1337 root_image_options,
cbc056c8
ZJS		 1338 dissect_image_flags,
1339 &dissected_image);
78ebe980 1340 if (r < 0)
763a260a 1341 return log_debug_errno(r, "Failed to dissect image: %m");
78ebe980 1342
cbc056c8
ZJS		 1343 r = dissected_image_decrypt(dissected_image,
1344 NULL,
1345 root_hash ?: root_hash_decoded,
1346 root_hash_size,
1347 root_verity ?: verity_data,
1348 root_hash_sig_path ?: hash_sig_path,
1349 root_hash_sig,
1350 root_hash_sig_size,
1351 dissect_image_flags,
1352 &decrypted_image);
915e6d16 1353 if (r < 0)
763a260a 1354 return log_debug_errno(r, "Failed to decrypt dissected image: %m");
915e6d16
LP		 1355 }
1356
e908468b
LP		 1357 if (root_directory)
1358 root = root_directory;
0722b359
JS		 1359 else {
1360 /* Always create the mount namespace in a temporary directory, instead of operating
1361 * directly in the root. The temporary directory prevents any mounts from being
1362 * potentially obscured my other mounts we already applied.
1363 * We use the same mount point for all images, which is safe, since they all live
1364 * in their own namespaces after all, and hence won't see each other. */
e908468b
LP		 1365
1366 root = "/run/systemd/unit-root";
1367 (void) mkdir_label(root, 0700);
d18aff04 1368 require_prefix = true;
0722b359 1369 }
e908468b 1370
cfbeb4ef
LP		 1371 n_mounts = namespace_calculate_mounts(
1372 ns_info,
1373 read_write_paths,
1374 read_only_paths,
1375 inaccessible_paths,
6c47cd7d 1376 empty_directories,
f5c52a77 1377 n_bind_mounts,
2abd4e38 1378 n_temporary_filesystems,
cfbeb4ef 1379 tmp_dir, var_tmp_dir,
91dd5f7c 1380 log_namespace,
cfbeb4ef 1381 protect_home, protect_system);
613b411c 1382
f0a4feb0 1383 if (n_mounts > 0) {
5f7a690a
LP		 1384 m = mounts = new0(MountEntry, n_mounts);
1385 if (!mounts)
1386 return -ENOMEM;
1387
d18aff04 1388 r = append_access_mounts(&m, read_write_paths, READWRITE, require_prefix);
613b411c 1389 if (r < 0)
f0a4feb0 1390 goto finish;
613b411c 1391
d18aff04 1392 r = append_access_mounts(&m, read_only_paths, READONLY, require_prefix);
613b411c 1393 if (r < 0)
f0a4feb0 1394 goto finish;
613b411c 1395
d18aff04 1396 r = append_access_mounts(&m, inaccessible_paths, INACCESSIBLE, require_prefix);
613b411c 1397 if (r < 0)
f0a4feb0 1398 goto finish;
7ff7394d 1399
6c47cd7d
LP		 1400 r = append_empty_dir_mounts(&m, empty_directories);
1401 if (r < 0)
1402 goto finish;
1403
d2d6c096
LP		 1404 r = append_bind_mounts(&m, bind_mounts, n_bind_mounts);
1405 if (r < 0)
1406 goto finish;
1407
2abd4e38
YW		 1408 r = append_tmpfs_mounts(&m, temporary_filesystems, n_temporary_filesystems);
1409 if (r < 0)
1410 goto finish;
1411
613b411c 1412 if (tmp_dir) {
56a13a49
ZJS		 1413 bool ro = streq(tmp_dir, RUN_SYSTEMD_EMPTY);
1414
34de407a 1415 *(m++) = (MountEntry) {
5327c910 1416 .path_const = "/tmp",
56a13a49 1417 .mode = ro ? PRIVATE_TMP_READONLY : PRIVATE_TMP,
89bd586c 1418 .source_const = tmp_dir,
5327c910 1419 };
613b411c 1420 }
7ff7394d 1421
613b411c 1422 if (var_tmp_dir) {
56a13a49
ZJS		 1423 bool ro = streq(var_tmp_dir, RUN_SYSTEMD_EMPTY);
1424
34de407a 1425 *(m++) = (MountEntry) {
5327c910 1426 .path_const = "/var/tmp",
56a13a49 1427 .mode = ro ? PRIVATE_TMP_READONLY : PRIVATE_TMP,
89bd586c 1428 .source_const = var_tmp_dir,
5327c910 1429 };
7ff7394d 1430 }
ac0930c8 1431
c575770b 1432 if (ns_info->private_dev) {
34de407a 1433 *(m++) = (MountEntry) {
5327c910
LP		 1434 .path_const = "/dev",
1435 .mode = PRIVATE_DEV,
9ce4e4b0 1436 .flags = DEV_MOUNT_OPTIONS,
5327c910 1437 };
7f112f50
LP		 1438 }
1439
c575770b 1440 if (ns_info->protect_kernel_tunables) {
cbc056c8
ZJS		 1441 r = append_static_mounts(&m,
1442 protect_kernel_tunables_table,
1443 ELEMENTSOF(protect_kernel_tunables_table),
1444 ns_info->ignore_protect_paths);
c575770b 1445 if (r < 0)
f0a4feb0 1446 goto finish;
c575770b
DH		 1447 }
1448
1449 if (ns_info->protect_kernel_modules) {
cbc056c8
ZJS		 1450 r = append_static_mounts(&m,
1451 protect_kernel_modules_table,
1452 ELEMENTSOF(protect_kernel_modules_table),
1453 ns_info->ignore_protect_paths);
c575770b 1454 if (r < 0)
f0a4feb0 1455 goto finish;
c575770b 1456 }
59eeb84b 1457
94a7b275 1458 if (ns_info->protect_kernel_logs) {
cbc056c8
ZJS		 1459 r = append_static_mounts(&m,
1460 protect_kernel_logs_table,
1461 ELEMENTSOF(protect_kernel_logs_table),
1462 ns_info->ignore_protect_paths);
94a7b275
KK		 1463 if (r < 0)
1464 goto finish;
1465 }
1466
c575770b 1467 if (ns_info->protect_control_groups) {
34de407a 1468 *(m++) = (MountEntry) {
5327c910
LP		 1469 .path_const = "/sys/fs/cgroup",
1470 .mode = READONLY,
1471 };
59eeb84b
LP		 1472 }
1473
5327c910 1474 r = append_protect_home(&m, protect_home, ns_info->ignore_protect_paths);
b6c432ca 1475 if (r < 0)
f0a4feb0 1476 goto finish;
417116f2 1477
5327c910 1478 r = append_protect_system(&m, protect_system, false);
f471b2af 1479 if (r < 0)
f0a4feb0 1480 goto finish;
417116f2 1481
9b68367b 1482 if (namespace_info_mount_apivfs(ns_info)) {
cbc056c8
ZJS		 1483 r = append_static_mounts(&m,
1484 apivfs_table,
1485 ELEMENTSOF(apivfs_table),
1486 ns_info->ignore_protect_paths);
5d997827
LP		 1487 if (r < 0)
1488 goto finish;
1489 }
1490
aecd5ac6
TM		 1491 if (ns_info->protect_hostname) {
1492 *(m++) = (MountEntry) {
1493 .path_const = "/proc/sys/kernel/hostname",
1494 .mode = READONLY,
1495 };
1496 *(m++) = (MountEntry) {
1497 .path_const = "/proc/sys/kernel/domainname",
1498 .mode = READONLY,
1499 };
1500 }
1501
91dd5f7c
LP		 1502 if (log_namespace) {
1503 _cleanup_free_ char *q;
1504
1505 q = strjoin("/run/systemd/journal.", log_namespace);
1506 if (!q) {
1507 r = -ENOMEM;
1508 goto finish;
1509 }
1510
1511 *(m++) = (MountEntry) {
1512 .path_const = "/run/systemd/journal",
1513 .mode = BIND_MOUNT_RECURSIVE,
1514 .read_only = true,
1515 .source_malloc = TAKE_PTR(q),
1516 };
1517 }
1518
f0a4feb0 1519 assert(mounts + n_mounts == m);
ac0930c8 1520
5327c910 1521 /* Prepend the root directory where that's necessary */
e908468b 1522 r = prefix_where_needed(mounts, n_mounts, root);
5327c910
LP		 1523 if (r < 0)
1524 goto finish;
1525
839f1877 1526 normalize_mounts(root, mounts, &n_mounts);
15ae422b
LP		 1527 }
1528
1beab8b0
LP		 1529 /* All above is just preparation, figuring out what to do. Let's now actually start doing something. */
1530
d944dc95 1531 if (unshare(CLONE_NEWNS) < 0) {
763a260a 1532 r = log_debug_errno(errno, "Failed to unshare the mount namespace: %m");
1beab8b0 1533 if (IN_SET(r, -EACCES, -EPERM, -EOPNOTSUPP, -ENOSYS))
cbc056c8
ZJS		 1534 /* If the kernel doesn't support namespaces, or when there's a MAC or seccomp filter
1535 * in place that doesn't allow us to create namespaces (or a missing cap), then
1536 * propagate a recognizable error back, which the caller can use to detect this case
1537 * (and only this) and optionally continue without namespacing applied. */
1beab8b0
LP		 1538 r = -ENOANO;
1539
d944dc95
LP		 1540 goto finish;
1541 }
1e4e94c8 1542
9b68367b
YW		 1543 /* Remount / as SLAVE so that nothing now mounted in the namespace
1544 * shows up in the parent */
1545 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
763a260a 1546 r = log_debug_errno(errno, "Failed to remount '/' as SLAVE: %m");
9b68367b 1547 goto finish;
ee818b89
AC		 1548 }
1549
915e6d16 1550 if (root_image) {
e908468b 1551 /* A root image is specified, mount it to the right place */
2d3a5a73 1552 r = dissected_image_mount(dissected_image, root, UID_INVALID, dissect_image_flags);
763a260a
YW		 1553 if (r < 0) {
1554 log_debug_errno(r, "Failed to mount root image: %m");
915e6d16 1555 goto finish;
763a260a 1556 }
915e6d16 1557
07ce7407
TM		 1558 if (decrypted_image) {
1559 r = decrypted_image_relinquish(decrypted_image);
763a260a
YW		 1560 if (r < 0) {
1561 log_debug_errno(r, "Failed to relinquish decrypted image: %m");
07ce7407 1562 goto finish;
763a260a 1563 }
07ce7407 1564 }
78ebe980 1565
915e6d16
LP		 1566 loop_device_relinquish(loop_device);
1567
1568 } else if (root_directory) {
1569
e908468b
LP		 1570 /* A root directory is specified. Turn its directory into bind mount, if it isn't one yet. */
1571 r = path_is_mount_point(root, NULL, AT_SYMLINK_FOLLOW);
763a260a
YW		 1572 if (r < 0) {
1573 log_debug_errno(r, "Failed to detect that %s is a mount point or not: %m", root);
d944dc95 1574 goto finish;
763a260a 1575 }
8f1ad200 1576 if (r == 0) {
e908468b 1577 if (mount(root, root, NULL, MS_BIND|MS_REC, NULL) < 0) {
763a260a 1578 r = log_debug_errno(errno, "Failed to bind mount '%s': %m", root);
8f1ad200
LP		 1579 goto finish;
1580 }
d944dc95 1581 }
e908468b 1582
9b68367b 1583 } else {
e908468b
LP		 1584
1585 /* Let's mount the main root directory to the root directory to use */
1586 if (mount("/", root, NULL, MS_BIND|MS_REC, NULL) < 0) {
763a260a 1587 r = log_debug_errno(errno, "Failed to bind mount '/' on '%s': %m", root);
e908468b
LP		 1588 goto finish;
1589 }
ee818b89 1590 }
c2c13f2d 1591
4e0c20de
LP		 1592 /* Try to set up the new root directory before mounting anything else there. */
1593 if (root_image || root_directory)
1594 (void) base_filesystem_create(root, UID_INVALID, GID_INVALID);
1595
f0a4feb0 1596 if (n_mounts > 0) {
ac9de0b3 1597 _cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
6b000af4 1598 _cleanup_free_ char **deny_list = NULL;
da6053d0 1599 size_t j;
6b7c9f8b 1600
cbc056c8
ZJS		 1601 /* Open /proc/self/mountinfo now as it may become unavailable if we mount anything on top of
1602 * /proc. For example, this is the case with the option: 'InaccessiblePaths=/proc'. */
ac9de0b3
TR		 1603 proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
1604 if (!proc_self_mountinfo) {
763a260a 1605 r = log_debug_errno(errno, "Failed to open /proc/self/mountinfo: %m");
7cc5ef5f
ZJS		 1606 if (error_path)
1607 *error_path = strdup("/proc/self/mountinfo");
ac9de0b3
TR		 1608 goto finish;
1609 }
1610
088696fe
LP		 1611 /* First round, establish all mounts we need */
1612 for (;;) {
1613 bool again = false;
1614
1615 for (m = mounts; m < mounts + n_mounts; ++m) {
1616
1617 if (m->applied)
1618 continue;
1619
1620 r = follow_symlink(root, m);
7cc5ef5f
ZJS		 1621 if (r < 0) {
1622 if (error_path && mount_entry_path(m))
1623 *error_path = strdup(mount_entry_path(m));
088696fe 1624 goto finish;
7cc5ef5f 1625 }
088696fe 1626 if (r == 0) {
cbc056c8
ZJS		 1627 /* We hit a symlinked mount point. The entry got rewritten and might
1628 * point to a very different place now. Let's normalize the changed
1629 * list, and start from the beginning. After all to mount the entry
1630 * at the new location we might need some other mounts first */
088696fe
LP		 1631 again = true;
1632 break;
1633 }
1634
1635 r = apply_mount(root, m);
7cc5ef5f
ZJS		 1636 if (r < 0) {
1637 if (error_path && mount_entry_path(m))
1638 *error_path = strdup(mount_entry_path(m));
088696fe 1639 goto finish;
7cc5ef5f 1640 }
088696fe
LP		 1641
1642 m->applied = true;
1643 }
1644
1645 if (!again)
1646 break;
1647
839f1877 1648 normalize_mounts(root, mounts, &n_mounts);
c2c13f2d 1649 }
15ae422b 1650
6b000af4
LP		 1651 /* Create a deny list we can pass to bind_mount_recursive() */
1652 deny_list = new(char*, n_mounts+1);
1653 if (!deny_list) {
5f7a690a
LP		 1654 r = -ENOMEM;
1655 goto finish;
1656 }
f0a4feb0 1657 for (j = 0; j < n_mounts; j++)
6b000af4
LP		 1658 deny_list[j] = (char*) mount_entry_path(mounts+j);
1659 deny_list[j] = NULL;
6b7c9f8b
LP		 1660
1661 /* Second round, flip the ro bits if necessary. */
f0a4feb0 1662 for (m = mounts; m < mounts + n_mounts; ++m) {
6b000af4 1663 r = make_read_only(m, deny_list, proc_self_mountinfo);
7cc5ef5f
ZJS		 1664 if (r < 0) {
1665 if (error_path && mount_entry_path(m))
1666 *error_path = strdup(mount_entry_path(m));
d944dc95 1667 goto finish;
7cc5ef5f 1668 }
c2c13f2d 1669 }
15ae422b
LP		 1670 }
1671
9b68367b
YW		 1672 /* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */
1673 r = mount_move_root(root);
763a260a
YW		 1674 if (r < 0) {
1675 log_debug_errno(r, "Failed to mount root with MS_MOVE: %m");
9b68367b 1676 goto finish;
763a260a 1677 }
ee818b89 1678
55fe7432 1679 /* Remount / as the desired mode. Note that this will not
c2c13f2d
LP		 1680 * reestablish propagation from our side to the host, since
1681 * what's disconnected is disconnected. */
d944dc95 1682 if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0) {
763a260a 1683 r = log_debug_errno(errno, "Failed to remount '/' with desired mount flags: %m");
d944dc95
LP		 1684 goto finish;
1685 }
15ae422b 1686
d944dc95 1687 r = 0;
15ae422b 1688
d944dc95 1689finish:
0cd41757
LP		 1690 if (n_mounts > 0)
1691 for (m = mounts; m < mounts + n_mounts; m++)
1692 mount_entry_done(m);
613b411c 1693
5f7a690a
LP		 1694 free(mounts);
1695
613b411c
LP		 1696 return r;
1697}
1698
da6053d0
LP		 1699void bind_mount_free_many(BindMount *b, size_t n) {
1700 size_t i;
d2d6c096
LP		 1701
1702 assert(b || n == 0);
1703
1704 for (i = 0; i < n; i++) {
1705 free(b[i].source);
1706 free(b[i].destination);
1707 }
1708
1709 free(b);
1710}
1711
da6053d0 1712int bind_mount_add(BindMount **b, size_t *n, const BindMount *item) {
d2d6c096
LP		 1713 _cleanup_free_ char *s = NULL, *d = NULL;
1714 BindMount *c;
1715
1716 assert(b);
1717 assert(n);
1718 assert(item);
1719
1720 s = strdup(item->source);
1721 if (!s)
1722 return -ENOMEM;
1723
1724 d = strdup(item->destination);
1725 if (!d)
1726 return -ENOMEM;
1727
aa484f35 1728 c = reallocarray(*b, *n + 1, sizeof(BindMount));
d2d6c096
LP		 1729 if (!c)
1730 return -ENOMEM;
1731
1732 *b = c;
1733
1734 c[(*n) ++] = (BindMount) {
1cc6c93a
YW		 1735 .source = TAKE_PTR(s),
1736 .destination = TAKE_PTR(d),
d2d6c096 1737 .read_only = item->read_only,
9ce4e4b0 1738 .nosuid = item->nosuid,
d2d6c096
LP		 1739 .recursive = item->recursive,
1740 .ignore_enoent = item->ignore_enoent,
1741 };
1742
d2d6c096
LP		 1743 return 0;
1744}
1745
da6053d0
LP		 1746void temporary_filesystem_free_many(TemporaryFileSystem *t, size_t n) {
1747 size_t i;
2abd4e38
YW		 1748
1749 assert(t || n == 0);
1750
1751 for (i = 0; i < n; i++) {
1752 free(t[i].path);
1753 free(t[i].options);
1754 }
1755
1756 free(t);
1757}
1758
1759int temporary_filesystem_add(
1760 TemporaryFileSystem **t,
da6053d0 1761 size_t *n,
2abd4e38
YW		 1762 const char *path,
1763 const char *options) {
1764
1765 _cleanup_free_ char *p = NULL, *o = NULL;
1766 TemporaryFileSystem *c;
1767
1768 assert(t);
1769 assert(n);
1770 assert(path);
1771
1772 p = strdup(path);
1773 if (!p)
1774 return -ENOMEM;
1775
1776 if (!isempty(options)) {
1777 o = strdup(options);
1778 if (!o)
1779 return -ENOMEM;
1780 }
1781
aa484f35 1782 c = reallocarray(*t, *n + 1, sizeof(TemporaryFileSystem));
2abd4e38
YW		 1783 if (!c)
1784 return -ENOMEM;
1785
1786 *t = c;
1787
1788 c[(*n) ++] = (TemporaryFileSystem) {
1cc6c93a
YW		 1789 .path = TAKE_PTR(p),
1790 .options = TAKE_PTR(o),
2abd4e38
YW		 1791 };
1792
2abd4e38
YW		 1793 return 0;
1794}
1795
a652f050
JR		 1796static int make_tmp_prefix(const char *prefix) {
1797 _cleanup_free_ char *t = NULL;
1798 int r;
1799
1800 /* Don't do anything unless we know the dir is actually missing */
1801 r = access(prefix, F_OK);
1802 if (r >= 0)
1803 return 0;
1804 if (errno != ENOENT)
1805 return -errno;
1806
1807 r = mkdir_parents(prefix, 0755);
1808 if (r < 0)
1809 return r;
1810
1811 r = tempfn_random(prefix, NULL, &t);
1812 if (r < 0)
1813 return r;
1814
1815 if (mkdir(t, 0777) < 0)
1816 return -errno;
1817
1818 if (chmod(t, 01777) < 0) {
1819 r = -errno;
1820 (void) rmdir(t);
1821 return r;
1822 }
1823
1824 if (rename(t, prefix) < 0) {
1825 r = -errno;
1826 (void) rmdir(t);
1827 return r == -EEXIST ? 0 : r; /* it's fine if someone else created the dir by now */
1828 }
1829
1830 return 0;
1831
1832}
1833
56a13a49
ZJS		 1834static int make_tmp_subdir(const char *parent, char **ret) {
1835 _cleanup_free_ char *y = NULL;
1836
1837 RUN_WITH_UMASK(0000) {
1838 y = strjoin(parent, "/tmp");
1839 if (!y)
1840 return -ENOMEM;
1841
1842 if (mkdir(y, 0777 | S_ISVTX) < 0)
1843 return -errno;
1844 }
1845
1846 if (ret)
1847 *ret = TAKE_PTR(y);
1848 return 0;
1849}
1850
1851static int setup_one_tmp_dir(const char *id, const char *prefix, char **path, char **tmp_path) {
613b411c 1852 _cleanup_free_ char *x = NULL;
6b46ea73
LP		 1853 char bid[SD_ID128_STRING_MAX];
1854 sd_id128_t boot_id;
56a13a49 1855 bool rw = true;
6b46ea73 1856 int r;
613b411c
LP		 1857
1858 assert(id);
1859 assert(prefix);
1860 assert(path);
1861
6b46ea73
LP		 1862 /* We include the boot id in the directory so that after a
1863 * reboot we can easily identify obsolete directories. */
1864
1865 r = sd_id128_get_boot(&boot_id);
1866 if (r < 0)
1867 return r;
1868
605405c6 1869 x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX");
613b411c
LP		 1870 if (!x)
1871 return -ENOMEM;
1872
a652f050
JR		 1873 r = make_tmp_prefix(prefix);
1874 if (r < 0)
1875 return r;
1876
613b411c 1877 RUN_WITH_UMASK(0077)
56a13a49
ZJS		 1878 if (!mkdtemp(x)) {
1879 if (errno == EROFS || ERRNO_IS_DISK_SPACE(errno))
1880 rw = false;
1881 else
1882 return -errno;
1883 }
613b411c 1884
56a13a49
ZJS		 1885 if (rw) {
1886 r = make_tmp_subdir(x, tmp_path);
1887 if (r < 0)
1888 return r;
1889 } else {
1890 /* Trouble: we failed to create the directory. Instead of failing, let's simulate /tmp being
1891 * read-only. This way the service will get the EROFS result as if it was writing to the real
1892 * file system. */
1893 r = mkdir_p(RUN_SYSTEMD_EMPTY, 0500);
1894 if (r < 0)
1895 return r;
613b411c 1896
56a13a49
ZJS		 1897 x = strdup(RUN_SYSTEMD_EMPTY);
1898 if (!x)
1899 return -ENOMEM;
c17ec25e 1900 }
15ae422b 1901
1cc6c93a 1902 *path = TAKE_PTR(x);
613b411c
LP		 1903 return 0;
1904}
1905
1906int setup_tmp_dirs(const char *id, char **tmp_dir, char **var_tmp_dir) {
56a13a49
ZJS		 1907 _cleanup_(namespace_cleanup_tmpdirp) char *a = NULL;
1908 _cleanup_(rmdir_and_freep) char *a_tmp = NULL;
1909 char *b;
613b411c
LP		 1910 int r;
1911
1912 assert(id);
1913 assert(tmp_dir);
1914 assert(var_tmp_dir);
1915
56a13a49 1916 r = setup_one_tmp_dir(id, "/tmp", &a, &a_tmp);
613b411c
LP		 1917 if (r < 0)
1918 return r;
1919
56a13a49
ZJS		 1920 r = setup_one_tmp_dir(id, "/var/tmp", &b, NULL);
1921 if (r < 0)
613b411c 1922 return r;
613b411c 1923
56a13a49
ZJS		 1924 a_tmp = mfree(a_tmp); /* avoid rmdir */
1925 *tmp_dir = TAKE_PTR(a);
1926 *var_tmp_dir = TAKE_PTR(b);
613b411c
LP		 1927
1928 return 0;
1929}
1930
2caa38e9 1931int setup_netns(const int netns_storage_socket[static 2]) {
613b411c 1932 _cleanup_close_ int netns = -1;
3ee897d6 1933 int r, q;
613b411c
LP		 1934
1935 assert(netns_storage_socket);
1936 assert(netns_storage_socket[0] >= 0);
1937 assert(netns_storage_socket[1] >= 0);
1938
1939 /* We use the passed socketpair as a storage buffer for our
76cd584b
LP		 1940 * namespace reference fd. Whatever process runs this first
1941 * shall create a new namespace, all others should just join
1942 * it. To serialize that we use a file lock on the socket
1943 * pair.
613b411c
LP		 1944 *
1945 * It's a bit crazy, but hey, works great! */
1946
1947 if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
1948 return -errno;
1949
3ee897d6
LP		 1950 netns = receive_one_fd(netns_storage_socket[0], MSG_DONTWAIT);
1951 if (netns == -EAGAIN) {
44ffcbae 1952 /* Nothing stored yet, so let's create a new namespace. */
613b411c
LP		 1953
1954 if (unshare(CLONE_NEWNET) < 0) {
1955 r = -errno;
1956 goto fail;
1957 }
1958
44ffcbae 1959 (void) loopback_setup();
613b411c
LP		 1960
1961 netns = open("/proc/self/ns/net", O_RDONLY|O_CLOEXEC|O_NOCTTY);
1962 if (netns < 0) {
1963 r = -errno;
1964 goto fail;
1965 }
1966
1967 r = 1;
613b411c 1968
3ee897d6
LP		 1969 } else if (netns < 0) {
1970 r = netns;
1971 goto fail;
613b411c 1972
3ee897d6
LP		 1973 } else {
1974 /* Yay, found something, so let's join the namespace */
613b411c
LP		 1975 if (setns(netns, CLONE_NEWNET) < 0) {
1976 r = -errno;
1977 goto fail;
1978 }
1979
1980 r = 0;
1981 }
1982
3ee897d6
LP		 1983 q = send_one_fd(netns_storage_socket[1], netns, MSG_DONTWAIT);
1984 if (q < 0) {
1985 r = q;
613b411c
LP		 1986 goto fail;
1987 }
1988
1989fail:
fe048ce5 1990 (void) lockf(netns_storage_socket[0], F_ULOCK, 0);
15ae422b
LP		 1991 return r;
1992}
417116f2 1993
2caa38e9 1994int open_netns_path(const int netns_storage_socket[static 2], const char *path) {
51af7fb2
LP		 1995 _cleanup_close_ int netns = -1;
1996 int q, r;
1997
1998 assert(netns_storage_socket);
1999 assert(netns_storage_socket[0] >= 0);
2000 assert(netns_storage_socket[1] >= 0);
2001 assert(path);
2002
2003 /* If the storage socket doesn't contain a netns fd yet, open one via the file system and store it in
2004 * it. This is supposed to be called ahead of time, i.e. before setup_netns() which will allocate a
2005 * new anonymous netns if needed. */
2006
2007 if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
2008 return -errno;
2009
2010 netns = receive_one_fd(netns_storage_socket[0], MSG_DONTWAIT);
2011 if (netns == -EAGAIN) {
2012 /* Nothing stored yet. Open the file from the file system. */
2013
2014 netns = open(path, O_RDONLY|O_NOCTTY|O_CLOEXEC);
2015 if (netns < 0) {
2016 r = -errno;
2017 goto fail;
2018 }
2019
2020 r = fd_is_network_ns(netns);
2021 if (r == 0) { /* Not a netns? Refuse early. */
2022 r = -EINVAL;
2023 goto fail;
2024 }
2025 if (r < 0 && r != -EUCLEAN) /* EUCLEAN: we don't know */
2026 goto fail;
2027
2028 r = 1;
2029
2030 } else if (netns < 0) {
2031 r = netns;
2032 goto fail;
2033 } else
2034 r = 0; /* Already allocated */
2035
2036 q = send_one_fd(netns_storage_socket[1], netns, MSG_DONTWAIT);
2037 if (q < 0) {
2038 r = q;
2039 goto fail;
2040 }
2041
2042fail:
2043 (void) lockf(netns_storage_socket[0], F_ULOCK, 0);
2044 return r;
2045}
2046
6e2d7c4f
MS		 2047bool ns_type_supported(NamespaceType type) {
2048 const char *t, *ns_proc;
2049
0fa5b831
LP		 2050 t = namespace_type_to_string(type);
2051 if (!t) /* Don't know how to translate this? Then it's not supported */
6e2d7c4f
MS		 2052 return false;
2053
6e2d7c4f 2054 ns_proc = strjoina("/proc/self/ns/", t);
6e2d7c4f
MS		 2055 return access(ns_proc, F_OK) == 0;
2056}
2057
1b8689f9 2058static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
cbc056c8
ZJS		 2059 [PROTECT_HOME_NO] = "no",
2060 [PROTECT_HOME_YES] = "yes",
1b8689f9 2061 [PROTECT_HOME_READ_ONLY] = "read-only",
cbc056c8 2062 [PROTECT_HOME_TMPFS] = "tmpfs",
417116f2
LP		 2063};
2064
1e8c7bd5 2065DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(protect_home, ProtectHome, PROTECT_HOME_YES);
5e1c6154 2066
1b8689f9 2067static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
cbc056c8
ZJS		 2068 [PROTECT_SYSTEM_NO] = "no",
2069 [PROTECT_SYSTEM_YES] = "yes",
2070 [PROTECT_SYSTEM_FULL] = "full",
3f815163 2071 [PROTECT_SYSTEM_STRICT] = "strict",
1b8689f9
LP		 2072};
2073
1e8c7bd5 2074DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(protect_system, ProtectSystem, PROTECT_SYSTEM_YES);
03c791aa 2075
6e2d7c4f 2076static const char* const namespace_type_table[] = {
cbc056c8 2077 [NAMESPACE_MOUNT] = "mnt",
6e2d7c4f 2078 [NAMESPACE_CGROUP] = "cgroup",
cbc056c8
ZJS		 2079 [NAMESPACE_UTS] = "uts",
2080 [NAMESPACE_IPC] = "ipc",
2081 [NAMESPACE_USER] = "user",
2082 [NAMESPACE_PID] = "pid",
2083 [NAMESPACE_NET] = "net",
6e2d7c4f
MS		 2084};
2085
2086DEFINE_STRING_TABLE_LOOKUP(namespace_type, NamespaceType);
Unnamed repository; edit this file 'description' to name the repository.