[thirdparty/systemd.git] / src / libsystemd / sd-bus / bus-container.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2013 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <fcntl.h>
#include <unistd.h>

#include "bus-container.h"
#include "bus-internal.h"
#include "bus-socket.h"
#include "fd-util.h"
#include "process-util.h"
#include "util.h"

int bus_container_connect_socket(sd_bus *b) {
        _cleanup_close_pair_ int pair[2] = { -1, -1 };
        _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, usernsfd = -1, rootfd = -1;
        pid_t child;
        siginfo_t si;
        int r, error_buf = 0;
        ssize_t n;

        assert(b);
        assert(b->input_fd < 0);
        assert(b->output_fd < 0);
        assert(b->nspid > 0 || b->machine);

        if (b->nspid <= 0) {
                r = container_get_leader(b->machine, &b->nspid);
                if (r < 0)
                        return r;
        }

        r = namespace_open(b->nspid, &pidnsfd, &mntnsfd, NULL, &usernsfd, &rootfd);
        if (r < 0)
                return r;

        b->input_fd = socket(b->sockaddr.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
        if (b->input_fd < 0)
                return -errno;

        b->output_fd = b->input_fd;

        bus_socket_setup(b);

        if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, pair) < 0)
                return -errno;

        child = fork();
        if (child < 0)
                return -errno;

        if (child == 0) {
                pid_t grandchild;

                pair[0] = safe_close(pair[0]);

                r = namespace_enter(pidnsfd, mntnsfd, -1, usernsfd, rootfd);
                if (r < 0)
                        _exit(EXIT_FAILURE);

                /* We just changed PID namespace, however it will only
                 * take effect on the children we now fork. Hence,
                 * let's fork another time, and connect from this
                 * grandchild, so that SO_PEERCRED of our connection
                 * comes from a process from within the container, and
                 * not outside of it */

                grandchild = fork();
                if (grandchild < 0)
                        _exit(EXIT_FAILURE);

                if (grandchild == 0) {

                        r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
                        if (r < 0) {
                                /* Try to send error up */
                                error_buf = errno;
                                (void) write(pair[1], &error_buf, sizeof(error_buf));
                                _exit(EXIT_FAILURE);
                        }

                        _exit(EXIT_SUCCESS);
                }

                r = wait_for_terminate(grandchild, &si);
                if (r < 0)
                        _exit(EXIT_FAILURE);

                if (si.si_code != CLD_EXITED)
                        _exit(EXIT_FAILURE);

                _exit(si.si_status);
        }

        pair[1] = safe_close(pair[1]);

        r = wait_for_terminate(child, &si);
        if (r < 0)
                return r;

        n = read(pair[0], &error_buf, sizeof(error_buf));
        if (n < 0)
                return -errno;

        if (n > 0) {
                if (n != sizeof(error_buf))
                        return -EIO;

                if (error_buf < 0)
                        return -EIO;

                if (error_buf == EINPROGRESS)
                        return 1;

                if (error_buf > 0)
                        return -error_buf;
        }

        if (si.si_code != CLD_EXITED)
                return -EIO;

        if (si.si_status != EXIT_SUCCESS)
                return -EIO;

        return bus_socket_start_auth(b);
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
a7893c6b LP	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2013 Lennart Poettering
	6
	7	systemd is free software; you can redistribute it and/or modify it
	8	under the terms of the GNU Lesser General Public License as published by
	9	the Free Software Foundation; either version 2.1 of the License, or
	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	15	Lesser General Public License for more details.
	16
	17	You should have received a copy of the GNU Lesser General Public License
	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
a7893c6b	21	#include <fcntl.h>
cf0fbc49	22	#include <unistd.h>
a7893c6b	23
3ffd4af2	24	#include "bus-container.h"
a7893c6b LP	25	#include "bus-internal.h"
a7893c6b LP	26	#include "bus-socket.h"
3ffd4af2 LP	27	#include "fd-util.h"
	28	#include "process-util.h"
	29	#include "util.h"
a7893c6b	30
bc9fd78c	31	int bus_container_connect_socket(sd_bus *b) {
2b7d6d33	32	_cleanup_close_pair_ int pair[2] = { -1, -1 };
671c3419	33	_cleanup_close_ int pidnsfd = -1, mntnsfd = -1, usernsfd = -1, rootfd = -1;
ee502e0c	34	pid_t child;
bc9fd78c	35	siginfo_t si;
2b7d6d33 LP	36	int r, error_buf = 0;
2b7d6d33 LP	37	ssize_t n;
a7893c6b LP	38
	39	assert(b);
	40	assert(b->input_fd < 0);
	41	assert(b->output_fd < 0);
ee502e0c	42	assert(b->nspid > 0 \|\| b->machine);
a7893c6b	43
ee502e0c LP	44	if (b->nspid <= 0) {
	45	r = container_get_leader(b->machine, &b->nspid);
	46	if (r < 0)
	47	return r;
	48	}
a7893c6b	49
671c3419	50	r = namespace_open(b->nspid, &pidnsfd, &mntnsfd, NULL, &usernsfd, &rootfd);
a7893c6b LP	51	if (r < 0)
a7893c6b LP	52	return r;
a7893c6b LP	53
	54	b->input_fd = socket(b->sockaddr.sa.sa_family, SOCK_STREAM\|SOCK_CLOEXEC\|SOCK_NONBLOCK, 0);
	55	if (b->input_fd < 0)
	56	return -errno;
	57
	58	b->output_fd = b->input_fd;
	59
8f04d2eb	60	bus_socket_setup(b);
a7893c6b	61
2b7d6d33 LP	62	if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, pair) < 0)
	63	return -errno;
	64
a7893c6b LP	65	child = fork();
	66	if (child < 0)
	67	return -errno;
	68
	69	if (child == 0) {
5d6cf65f	70	pid_t grandchild;
a7893c6b	71
2b7d6d33 LP	72	pair[0] = safe_close(pair[0]);
2b7d6d33 LP	73
671c3419	74	r = namespace_enter(pidnsfd, mntnsfd, -1, usernsfd, rootfd);
bc9fd78c	75	if (r < 0)
2b7d6d33	76	_exit(EXIT_FAILURE);
a7893c6b	77
5d6cf65f LP	78	/* We just changed PID namespace, however it will only
	79	* take effect on the children we now fork. Hence,
	80	* let's fork another time, and connect from this
	81	* grandchild, so that SO_PEERCRED of our connection
	82	* comes from a process from within the container, and
	83	* not outside of it */
a7893c6b	84
5d6cf65f LP	85	grandchild = fork();
5d6cf65f LP	86	if (grandchild < 0)
2b7d6d33	87	_exit(EXIT_FAILURE);
5d6cf65f LP	88
	89	if (grandchild == 0) {
	90
	91	r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
	92	if (r < 0) {
2b7d6d33 LP	93	/* Try to send error up */
	94	error_buf = errno;
	95	(void) write(pair[1], &error_buf, sizeof(error_buf));
	96	_exit(EXIT_FAILURE);
5d6cf65f LP	97	}
	98
	99	_exit(EXIT_SUCCESS);
a7893c6b LP	100	}
a7893c6b LP	101
5d6cf65f LP	102	r = wait_for_terminate(grandchild, &si);
5d6cf65f LP	103	if (r < 0)
2b7d6d33	104	_exit(EXIT_FAILURE);
5d6cf65f LP	105
5d6cf65f LP	106	if (si.si_code != CLD_EXITED)
2b7d6d33	107	_exit(EXIT_FAILURE);
5d6cf65f LP	108
5d6cf65f LP	109	_exit(si.si_status);
a7893c6b LP	110	}
a7893c6b LP	111
2b7d6d33 LP	112	pair[1] = safe_close(pair[1]);
2b7d6d33 LP	113
a7893c6b LP	114	r = wait_for_terminate(child, &si);
	115	if (r < 0)
	116	return r;
	117
2b7d6d33 LP	118	n = read(pair[0], &error_buf, sizeof(error_buf));
	119	if (n < 0)
	120	return -errno;
	121
	122	if (n > 0) {
	123	if (n != sizeof(error_buf))
	124	return -EIO;
	125
	126	if (error_buf < 0)
	127	return -EIO;
	128
	129	if (error_buf == EINPROGRESS)
	130	return 1;
	131
	132	if (error_buf > 0)
	133	return -error_buf;
	134	}
	135
a7893c6b LP	136	if (si.si_code != CLD_EXITED)
	137	return -EIO;
	138
bc9fd78c	139	if (si.si_status != EXIT_SUCCESS)
a7893c6b LP	140	return -EIO;
	141
	142	return bus_socket_start_auth(b);
	143	}