[thirdparty/systemd.git] / src / core / namespace.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <sys/mount.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sched.h>
#include <sys/syscall.h>
#include <limits.h>
#include <linux/fs.h>

#include "strv.h"
#include "util.h"
#include "path-util.h"
#include "namespace.h"
#include "missing.h"

typedef enum PathMode {
        /* This is ordered by priority! */
        INACCESSIBLE,
        READONLY,
        PRIVATE,
        READWRITE
} PathMode;

typedef struct Path {
        const char *path;
        PathMode mode;
} Path;

static int append_paths(Path **p, char **strv, PathMode mode) {
        char **i;

        STRV_FOREACH(i, strv) {

                if (!path_is_absolute(*i))
                        return -EINVAL;

                (*p)->path = *i;
                (*p)->mode = mode;
                (*p)++;
        }

        return 0;
}

static int path_compare(const void *a, const void *b) {
        const Path *p = a, *q = b;

        if (path_equal(p->path, q->path)) {

                /* If the paths are equal, check the mode */
                if (p->mode < q->mode)
                        return -1;

                if (p->mode > q->mode)
                        return 1;

                return 0;
        }

        /* If the paths are not equal, then order prefixes first */
        if (path_startswith(p->path, q->path))
                return 1;

        if (path_startswith(q->path, p->path))
                return -1;

        return 0;
}

static void drop_duplicates(Path *p, unsigned *n, bool *need_inaccessible, bool *need_private) {
        Path *f, *t, *previous;

        assert(p);
        assert(n);
        assert(need_inaccessible);
        assert(need_private);

        for (f = p, t = p, previous = NULL; f < p+*n; f++) {

                if (previous && path_equal(f->path, previous->path))
                        continue;

                t->path = f->path;
                t->mode = f->mode;

                if (t->mode == PRIVATE)
                        *need_private = true;

                if (t->mode == INACCESSIBLE)
                        *need_inaccessible = true;

                previous = t;

                t++;
        }

        *n = t - p;
}

static int apply_mount(Path *p, const char *root_dir, const char *inaccessible_dir, const char *private_dir, unsigned long flags) {
        const char *what;
        char *where;
        int r;

        assert(p);
        assert(root_dir);
        assert(inaccessible_dir);
        assert(private_dir);

        if (!(where = strappend(root_dir, p->path)))
                return -ENOMEM;

        switch (p->mode) {

        case INACCESSIBLE:
                what = inaccessible_dir;
                flags |= MS_RDONLY;
                break;

        case READONLY:
                flags |= MS_RDONLY;
                /* Fall through */

        case READWRITE:
                what = p->path;
                break;

        case PRIVATE:
                what = private_dir;
                break;

        default:
                assert_not_reached("Unknown mode");
        }

        if ((r = mount(what, where, NULL, MS_BIND|MS_REC, NULL)) >= 0) {
                log_debug("Successfully mounted %s to %s", what, where);

                /* The bind mount will always inherit the original
                 * flags. If we want to set any flag we need
                 * to do so in a second independent step. */
                if (flags)
                        r = mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|MS_REC|flags, NULL);

                /* Avoid exponential growth of trees */
                if (r >= 0 && path_equal(p->path, "/"))
                        r = mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|flags, NULL);

                if (r < 0) {
                        r = -errno;
                        umount2(where, MNT_DETACH);
                }
        }

        free(where);
        return r;
}

int setup_namespace(
                char **writable,
                char **readable,
                char **inaccessible,
                bool private_tmp,
                unsigned long flags) {

        char
                tmp_dir[] = "/tmp/systemd-namespace-XXXXXX",
                root_dir[] = "/tmp/systemd-namespace-XXXXXX/root",
                old_root_dir[] = "/tmp/systemd-namespace-XXXXXX/root/tmp/old-root-XXXXXX",
                inaccessible_dir[] = "/tmp/systemd-namespace-XXXXXX/inaccessible",
                private_dir[] = "/tmp/systemd-namespace-XXXXXX/private";

        Path *paths, *p;
        unsigned n;
        bool need_private = false, need_inaccessible = false;
        bool remove_tmp = false, remove_root = false, remove_old_root = false, remove_inaccessible = false, remove_private = false;
        int r;
        const char *t;

        n =
                strv_length(writable) +
                strv_length(readable) +
                strv_length(inaccessible) +
                (private_tmp ? 2 : 1);

        if (!(paths = new(Path, n)))
                return -ENOMEM;

        p = paths;
        if ((r = append_paths(&p, writable, READWRITE)) < 0 ||
            (r = append_paths(&p, readable, READONLY)) < 0 ||
            (r = append_paths(&p, inaccessible, INACCESSIBLE)) < 0)
                goto fail;

        if (private_tmp) {
                p->path = "/tmp";
                p->mode = PRIVATE;
                p++;
        }

        p->path = "/";
        p->mode = READWRITE;
        p++;

        assert(paths + n == p);

        qsort(paths, n, sizeof(Path), path_compare);
        drop_duplicates(paths, &n, &need_inaccessible, &need_private);

        if (!mkdtemp(tmp_dir)) {
                r = -errno;
                goto fail;
        }
        remove_tmp = true;

        memcpy(root_dir, tmp_dir, sizeof(tmp_dir)-1);
        if (mkdir(root_dir, 0777) < 0) {
                r = -errno;
                goto fail;
        }
        remove_root = true;

        if (need_inaccessible) {
                memcpy(inaccessible_dir, tmp_dir, sizeof(tmp_dir)-1);
                if (mkdir(inaccessible_dir, 0) < 0) {
                        r = -errno;
                        goto fail;
                }
                remove_inaccessible = true;
        }

        if (need_private) {
                mode_t u;

                memcpy(private_dir, tmp_dir, sizeof(tmp_dir)-1);

                u = umask(0000);
                if (mkdir(private_dir, 0777 + S_ISVTX) < 0) {
                        umask(u);

                        r = -errno;
                        goto fail;
                }

                umask(u);
                remove_private = true;
        }

        if (unshare(CLONE_NEWNS) < 0) {
                r = -errno;
                goto fail;
        }

        /* Remount / as SLAVE so that nothing mounted in the namespace
           shows up in the parent */
        if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
                r = -errno;
                goto fail;
        }

        for (p = paths; p < paths + n; p++)
                if ((r = apply_mount(p, root_dir, inaccessible_dir, private_dir, flags)) < 0)
                        goto undo_mounts;

        memcpy(old_root_dir, tmp_dir, sizeof(tmp_dir)-1);
        if (!mkdtemp(old_root_dir)) {
                r = -errno;
                goto undo_mounts;
        }
        remove_old_root = true;

        if (chdir(root_dir) < 0) {
                r = -errno;
                goto undo_mounts;
        }

        if (pivot_root(root_dir, old_root_dir) < 0) {
                r = -errno;
                goto undo_mounts;
        }

        t = old_root_dir + sizeof(root_dir) - 1;
        if (umount2(t, MNT_DETACH) < 0)
                /* At this point it's too late to turn anything back,
                 * since we are already in the new root. */
                return -errno;

        if (rmdir(t) < 0)
                return -errno;

        return 0;

undo_mounts:

        for (p--; p >= paths; p--) {
                char full_path[PATH_MAX];

                snprintf(full_path, sizeof(full_path), "%s%s", root_dir, p->path);
                char_array_0(full_path);

                umount2(full_path, MNT_DETACH);
        }

fail:
        if (remove_old_root)
                rmdir(old_root_dir);

        if (remove_inaccessible)
                rmdir(inaccessible_dir);

        if (remove_private)
                rmdir(private_dir);

        if (remove_root)
                rmdir(root_dir);

        if (remove_tmp)
                rmdir(tmp_dir);

             free(paths);

        return r;
}
Commit	Line	Data
d6c9574f	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
15ae422b LP	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
15ae422b LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
15ae422b	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
15ae422b LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <errno.h>
	23	#include <sys/mount.h>
	24	#include <string.h>
	25	#include <stdio.h>
	26	#include <unistd.h>
	27	#include <sys/stat.h>
	28	#include <sys/types.h>
	29	#include <sched.h>
	30	#include <sys/syscall.h>
	31	#include <limits.h>
25e870b5	32	#include <linux/fs.h>
15ae422b LP	33
	34	#include "strv.h"
	35	#include "util.h"
9eb977db	36	#include "path-util.h"
15ae422b LP	37	#include "namespace.h"
	38	#include "missing.h"
	39
	40	typedef enum PathMode {
	41	/* This is ordered by priority! */
	42	INACCESSIBLE,
	43	READONLY,
	44	PRIVATE,
	45	READWRITE
	46	} PathMode;
	47
	48	typedef struct Path {
	49	const char *path;
	50	PathMode mode;
	51	} Path;
	52
	53	static int append_paths(Path p, char strv, PathMode mode) {
	54	char **i;
	55
	56	STRV_FOREACH(i, strv) {
	57
	58	if (!path_is_absolute(*i))
	59	return -EINVAL;
	60
	61	(p)->path = i;
	62	(*p)->mode = mode;
	63	(*p)++;
	64	}
	65
	66	return 0;
	67	}
	68
	69	static int path_compare(const void a, const void b) {
	70	const Path p = a, q = b;
	71
	72	if (path_equal(p->path, q->path)) {
	73
	74	/* If the paths are equal, check the mode */
	75	if (p->mode < q->mode)
	76	return -1;
	77
	78	if (p->mode > q->mode)
	79	return 1;
	80
	81	return 0;
	82	}
	83
	84	/* If the paths are not equal, then order prefixes first */
	85	if (path_startswith(p->path, q->path))
	86	return 1;
	87
	88	if (path_startswith(q->path, p->path))
	89	return -1;
	90
	91	return 0;
	92	}
	93
	94	static void drop_duplicates(Path p, unsigned n, bool need_inaccessible, bool need_private) {
	95	Path f, t, *previous;
	96
	97	assert(p);
	98	assert(n);
	99	assert(need_inaccessible);
	100	assert(need_private);
101
102	for (f = p, t = p, previous = NULL; f < p+*n; f++) {
103
104	if (previous && path_equal(f->path, previous->path))
105	continue;
106
107	t->path = f->path;
108	t->mode = f->mode;
109
110	if (t->mode == PRIVATE)
111	*need_private = true;
112
113	if (t->mode == INACCESSIBLE)
114	*need_inaccessible = true;
115
116	previous = t;
117
118	t++;
119	}
120
121	*n = t - p;
122	}
123
124	static int apply_mount(Path p, const char root_dir, const char inaccessible_dir, const char private_dir, unsigned long flags) {
125	const char *what;
126	char *where;
127	int r;
15ae422b LP	128
	129	assert(p);
	130	assert(root_dir);
	131	assert(inaccessible_dir);
	132	assert(private_dir);
	133
	134	if (!(where = strappend(root_dir, p->path)))
	135	return -ENOMEM;
	136
	137	switch (p->mode) {
	138
	139	case INACCESSIBLE:
	140	what = inaccessible_dir;
5dcfe57b	141	flags \|= MS_RDONLY;
15ae422b LP	142	break;
	143
	144	case READONLY:
5dcfe57b	145	flags \|= MS_RDONLY;
15ae422b LP	146	/* Fall through */
	147
	148	case READWRITE:
	149	what = p->path;
	150	break;
	151
	152	case PRIVATE:
	153	what = private_dir;
	154	break;
e364ad06 LP	155
	156	default:
	157	assert_not_reached("Unknown mode");
15ae422b LP	158	}
	159
	160	if ((r = mount(what, where, NULL, MS_BIND\|MS_REC, NULL)) >= 0) {
	161	log_debug("Successfully mounted %s to %s", what, where);
	162
	163	/* The bind mount will always inherit the original
	164	* flags. If we want to set any flag we need
35b8ca3a	165	* to do so in a second independent step. */
15ae422b	166	if (flags)
5dcfe57b	167	r = mount(NULL, where, NULL, MS_REMOUNT\|MS_BIND\|MS_REC\|flags, NULL);
15ae422b	168
35b8ca3a	169	/* Avoid exponential growth of trees */
15ae422b	170	if (r >= 0 && path_equal(p->path, "/"))
4d46fec5	171	r = mount(NULL, where, NULL, MS_REMOUNT\|MS_BIND\|flags, NULL);
15ae422b LP	172
	173	if (r < 0) {
	174	r = -errno;
	175	umount2(where, MNT_DETACH);
	176	}
	177	}
	178
	179	free(where);
	180	return r;
	181	}
	182
	183	int setup_namespace(
	184	char **writable,
	185	char **readable,
	186	char **inaccessible,
	187	bool private_tmp,
	188	unsigned long flags) {
	189
	190	char
	191	tmp_dir[] = "/tmp/systemd-namespace-XXXXXX",
	192	root_dir[] = "/tmp/systemd-namespace-XXXXXX/root",
	193	old_root_dir[] = "/tmp/systemd-namespace-XXXXXX/root/tmp/old-root-XXXXXX",
	194	inaccessible_dir[] = "/tmp/systemd-namespace-XXXXXX/inaccessible",
	195	private_dir[] = "/tmp/systemd-namespace-XXXXXX/private";
	196
	197	Path paths, p;
	198	unsigned n;
	199	bool need_private = false, need_inaccessible = false;
	200	bool remove_tmp = false, remove_root = false, remove_old_root = false, remove_inaccessible = false, remove_private = false;
	201	int r;
	202	const char *t;
	203
	204	n =
	205	strv_length(writable) +
	206	strv_length(readable) +
	207	strv_length(inaccessible) +
	208	(private_tmp ? 2 : 1);
	209
	210	if (!(paths = new(Path, n)))
	211	return -ENOMEM;
	212
	213	p = paths;
	214	if ((r = append_paths(&p, writable, READWRITE)) < 0 \|\|
	215	(r = append_paths(&p, readable, READONLY)) < 0 \|\|
	216	(r = append_paths(&p, inaccessible, INACCESSIBLE)) < 0)
	217	goto fail;
	218
	219	if (private_tmp) {
	220	p->path = "/tmp";
	221	p->mode = PRIVATE;
	222	p++;
	223	}
	224
	225	p->path = "/";
	226	p->mode = READWRITE;
	227	p++;
	228
	229	assert(paths + n == p);
	230
	231	qsort(paths, n, sizeof(Path), path_compare);
	232	drop_duplicates(paths, &n, &need_inaccessible, &need_private);
	233
	234	if (!mkdtemp(tmp_dir)) {
	235	r = -errno;
236	goto fail;
237	}
238	remove_tmp = true;
239
240	memcpy(root_dir, tmp_dir, sizeof(tmp_dir)-1);
241	if (mkdir(root_dir, 0777) < 0) {
242	r = -errno;
243	goto fail;
244	}
245	remove_root = true;
246
247	if (need_inaccessible) {
248	memcpy(inaccessible_dir, tmp_dir, sizeof(tmp_dir)-1);
249	if (mkdir(inaccessible_dir, 0) < 0) {
250	r = -errno;
251	goto fail;
252	}
253	remove_inaccessible = true;
254	}
255
256	if (need_private) {
21d279cf LP	257	mode_t u;
21d279cf LP	258
15ae422b	259	memcpy(private_dir, tmp_dir, sizeof(tmp_dir)-1);
21d279cf LP	260
21d279cf LP	261	u = umask(0000);
15ae422b	262	if (mkdir(private_dir, 0777 + S_ISVTX) < 0) {
21d279cf LP	263	umask(u);
21d279cf LP	264
15ae422b LP	265	r = -errno;
	266	goto fail;
	267	}
21d279cf LP	268
21d279cf LP	269	umask(u);
15ae422b LP	270	remove_private = true;
	271	}
	272
	273	if (unshare(CLONE_NEWNS) < 0) {
	274	r = -errno;
	275	goto fail;
	276	}
	277
dc4b0200 DW	278	/* Remount / as SLAVE so that nothing mounted in the namespace
	279	shows up in the parent */
	280	if (mount(NULL, "/", NULL, MS_SLAVE\|MS_REC, NULL) < 0) {
	281	r = -errno;
	282	goto fail;
	283	}
15ae422b LP	284
	285	for (p = paths; p < paths + n; p++)
	286	if ((r = apply_mount(p, root_dir, inaccessible_dir, private_dir, flags)) < 0)
	287	goto undo_mounts;
	288
	289	memcpy(old_root_dir, tmp_dir, sizeof(tmp_dir)-1);
	290	if (!mkdtemp(old_root_dir)) {
	291	r = -errno;
	292	goto undo_mounts;
	293	}
	294	remove_old_root = true;
	295
	296	if (chdir(root_dir) < 0) {
	297	r = -errno;
	298	goto undo_mounts;
	299	}
	300
	301	if (pivot_root(root_dir, old_root_dir) < 0) {
	302	r = -errno;
	303	goto undo_mounts;
	304	}
	305
	306	t = old_root_dir + sizeof(root_dir) - 1;
	307	if (umount2(t, MNT_DETACH) < 0)
	308	/* At this point it's too late to turn anything back,
	309	* since we are already in the new root. */
	310	return -errno;
	311
	312	if (rmdir(t) < 0)
	313	return -errno;
	314
	315	return 0;
	316
	317	undo_mounts:
	318
	319	for (p--; p >= paths; p--) {
	320	char full_path[PATH_MAX];
	321
	322	snprintf(full_path, sizeof(full_path), "%s%s", root_dir, p->path);
	323	char_array_0(full_path);
	324
	325	umount2(full_path, MNT_DETACH);
	326	}
	327
	328	fail:
	329	if (remove_old_root)
	330	rmdir(old_root_dir);
	331
	332	if (remove_inaccessible)
	333	rmdir(inaccessible_dir);
	334
	335	if (remove_private)
	336	rmdir(private_dir);
	337
	338	if (remove_root)
	339	rmdir(root_dir);
	340
	341	if (remove_tmp)
	342	rmdir(tmp_dir);
	343
	344	free(paths);
	345
	346	return r;
	347	}