[thirdparty/systemd.git] / src / core / namespace.h

/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering
  Copyright 2016 Djalal Harouni

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

typedef struct NamespaceInfo NamespaceInfo;
typedef struct BindMount BindMount;

#include <stdbool.h>

#include "dissect-image.h"
#include "macro.h"

typedef enum ProtectHome {
        PROTECT_HOME_NO,
        PROTECT_HOME_YES,
        PROTECT_HOME_READ_ONLY,
        _PROTECT_HOME_MAX,
        _PROTECT_HOME_INVALID = -1
} ProtectHome;

typedef enum NamespaceType {
        NAMESPACE_MOUNT,
        NAMESPACE_CGROUP,
        NAMESPACE_UTS,
        NAMESPACE_IPC,
        NAMESPACE_USER,
        NAMESPACE_PID,
        NAMESPACE_NET,
        _NAMESPACE_TYPE_MAX,
        _NAMESPACE_TYPE_INVALID = -1,
} NamespaceType;

typedef enum ProtectSystem {
        PROTECT_SYSTEM_NO,
        PROTECT_SYSTEM_YES,
        PROTECT_SYSTEM_FULL,
        PROTECT_SYSTEM_STRICT,
        _PROTECT_SYSTEM_MAX,
        _PROTECT_SYSTEM_INVALID = -1
} ProtectSystem;

struct NamespaceInfo {
        bool ignore_protect_paths:1;
        bool private_dev:1;
        bool protect_control_groups:1;
        bool protect_kernel_tunables:1;
        bool protect_kernel_modules:1;
        bool mount_apivfs:1;
};

struct BindMount {
        char *source;
        char *destination;
        bool read_only:1;
        bool recursive:1;
        bool ignore_enoent:1;
};

int setup_namespace(
                const char *root_directory,
                const char *root_image,
                const NamespaceInfo *ns_info,
                char **read_write_paths,
                char **read_only_paths,
                char **inaccessible_paths,
                char **empty_directories,
                const BindMount *bind_mounts,
                unsigned n_bind_mounts,
                const char *tmp_dir,
                const char *var_tmp_dir,
                ProtectHome protect_home,
                ProtectSystem protect_system,
                unsigned long mount_flags,
                DissectImageFlags dissected_image_flags);

int setup_tmp_dirs(
                const char *id,
                char **tmp_dir,
                char **var_tmp_dir);

int setup_netns(int netns_storage_socket[2]);

const char* protect_home_to_string(ProtectHome p) _const_;
ProtectHome protect_home_from_string(const char *s) _pure_;

const char* protect_system_to_string(ProtectSystem p) _const_;
ProtectSystem protect_system_from_string(const char *s) _pure_;

void bind_mount_free_many(BindMount *b, unsigned n);
int bind_mount_add(BindMount **b, unsigned *n, const BindMount *item);

const char* namespace_type_to_string(NamespaceType t) _const_;
NamespaceType namespace_type_from_string(const char *s) _pure_;

bool ns_type_supported(NamespaceType type);
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
c2f1db8f	2	#pragma once
15ae422b LP	3
	4	/***
	5	This file is part of systemd.
	6
	7	Copyright 2010 Lennart Poettering
c575770b	8	Copyright 2016 Djalal Harouni
15ae422b LP	9
15ae422b LP	10	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	11	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	12	the Free Software Foundation; either version 2.1 of the License, or
15ae422b LP	13	(at your option) any later version.
	14
	15	systemd is distributed in the hope that it will be useful, but
	16	WITHOUT ANY WARRANTY; without even the implied warranty of
	17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	18	Lesser General Public License for more details.
15ae422b	19
5430f7f2	20	You should have received a copy of the GNU Lesser General Public License
15ae422b LP	21	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	22	***/
	23
bb0ff3fb	24	typedef struct NamespaceInfo NamespaceInfo;
d2d6c096	25	typedef struct BindMount BindMount;
c575770b	26
15ae422b LP	27	#include <stdbool.h>
15ae422b LP	28
915e6d16	29	#include "dissect-image.h"
417116f2 LP	30	#include "macro.h"
417116f2 LP	31
1b8689f9 LP	32	typedef enum ProtectHome {
	33	PROTECT_HOME_NO,
	34	PROTECT_HOME_YES,
	35	PROTECT_HOME_READ_ONLY,
	36	_PROTECT_HOME_MAX,
	37	_PROTECT_HOME_INVALID = -1
	38	} ProtectHome;
	39
6e2d7c4f MS	40	typedef enum NamespaceType {
	41	NAMESPACE_MOUNT,
	42	NAMESPACE_CGROUP,
	43	NAMESPACE_UTS,
	44	NAMESPACE_IPC,
	45	NAMESPACE_USER,
	46	NAMESPACE_PID,
	47	NAMESPACE_NET,
	48	_NAMESPACE_TYPE_MAX,
	49	_NAMESPACE_TYPE_INVALID = -1,
	50	} NamespaceType;
	51
1b8689f9 LP	52	typedef enum ProtectSystem {
	53	PROTECT_SYSTEM_NO,
	54	PROTECT_SYSTEM_YES,
	55	PROTECT_SYSTEM_FULL,
3f815163	56	PROTECT_SYSTEM_STRICT,
1b8689f9 LP	57	_PROTECT_SYSTEM_MAX,
	58	_PROTECT_SYSTEM_INVALID = -1
	59	} ProtectSystem;
417116f2	60
bb0ff3fb	61	struct NamespaceInfo {
af964954	62	bool ignore_protect_paths:1;
c575770b DH	63	bool private_dev:1;
	64	bool protect_control_groups:1;
	65	bool protect_kernel_tunables:1;
	66	bool protect_kernel_modules:1;
5d997827	67	bool mount_apivfs:1;
c575770b DH	68	};
c575770b DH	69
d2d6c096 LP	70	struct BindMount {
	71	char *source;
	72	char *destination;
	73	bool read_only:1;
	74	bool recursive:1;
	75	bool ignore_enoent:1;
	76	};
	77
	78	int setup_namespace(
	79	const char *root_directory,
915e6d16	80	const char *root_image,
bb0ff3fb	81	const NamespaceInfo *ns_info,
d2d6c096 LP	82	char **read_write_paths,
	83	char **read_only_paths,
	84	char **inaccessible_paths,
6c47cd7d	85	char **empty_directories,
d2d6c096 LP	86	const BindMount *bind_mounts,
	87	unsigned n_bind_mounts,
	88	const char *tmp_dir,
	89	const char *var_tmp_dir,
	90	ProtectHome protect_home,
	91	ProtectSystem protect_system,
915e6d16 LP	92	unsigned long mount_flags,
915e6d16 LP	93	DissectImageFlags dissected_image_flags);
d2d6c096 LP	94
	95	int setup_tmp_dirs(
	96	const char *id,
	97	char **tmp_dir,
	98	char **var_tmp_dir);
613b411c LP	99
613b411c LP	100	int setup_netns(int netns_storage_socket[2]);
417116f2	101
1b8689f9 LP	102	const char* protect_home_to_string(ProtectHome p) _const_;
	103	ProtectHome protect_home_from_string(const char *s) _pure_;
	104
	105	const char* protect_system_to_string(ProtectSystem p) _const_;
	106	ProtectSystem protect_system_from_string(const char *s) _pure_;
d2d6c096 LP	107
	108	void bind_mount_free_many(BindMount *b, unsigned n);
	109	int bind_mount_add(BindMount *b, unsigned n, const BindMount *item);
6e2d7c4f MS	110
	111	const char* namespace_type_to_string(NamespaceType t) _const_;
	112	NamespaceType namespace_type_from_string(const char *s) _pure_;
	113
	114	bool ns_type_supported(NamespaceType type);