]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/namespace.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
doc,core: Read{Write,Only}Paths= and InaccessiblePaths=
[thirdparty/systemd.git] / src / core / namespace.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2010 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <errno.h>
21 #include <sched.h>
22 #include <stdio.h>
23 #include <string.h>
24 #include <sys/mount.h>
25 #include <sys/stat.h>
26 #include <unistd.h>
27 #include <linux/fs.h>
28
29 #include "alloc-util.h"
30 #include "dev-setup.h"
31 #include "fd-util.h"
32 #include "loopback-setup.h"
33 #include "missing.h"
34 #include "mkdir.h"
35 #include "mount-util.h"
36 #include "namespace.h"
37 #include "path-util.h"
38 #include "selinux-util.h"
39 #include "socket-util.h"
40 #include "string-table.h"
41 #include "string-util.h"
42 #include "strv.h"
43 #include "umask-util.h"
44 #include "user-util.h"
45 #include "util.h"
46
47 #define DEV_MOUNT_OPTIONS (MS_NOSUID|MS_STRICTATIME|MS_NOEXEC)
48
49 typedef enum MountMode {
50 /* This is ordered by priority! */
51 INACCESSIBLE,
52 READONLY,
53 PRIVATE_TMP,
54 PRIVATE_VAR_TMP,
55 PRIVATE_DEV,
56 READWRITE
57 } MountMode;
58
59 typedef struct BindMount {
60 const char *path;
61 MountMode mode;
62 bool done;
63 bool ignore;
64 } BindMount;
65
66 static int append_mounts(BindMount **p, char **strv, MountMode mode) {
67 char **i;
68
69 assert(p);
70
71 STRV_FOREACH(i, strv) {
72
73 (*p)->ignore = false;
74 (*p)->done = false;
75
76 if ((mode == INACCESSIBLE || mode == READONLY || mode == READWRITE) && (*i)[0] == '-') {
77 (*p)->ignore = true;
78 (*i)++;
79 }
80
81 if (!path_is_absolute(*i))
82 return -EINVAL;
83
84 (*p)->path = *i;
85 (*p)->mode = mode;
86 (*p)++;
87 }
88
89 return 0;
90 }
91
92 static int mount_path_compare(const void *a, const void *b) {
93 const BindMount *p = a, *q = b;
94 int d;
95
96 d = path_compare(p->path, q->path);
97
98 if (d == 0) {
99 /* If the paths are equal, check the mode */
100 if (p->mode < q->mode)
101 return -1;
102
103 if (p->mode > q->mode)
104 return 1;
105
106 return 0;
107 }
108
109 /* If the paths are not equal, then order prefixes first */
110 return d;
111 }
112
113 static void drop_duplicates(BindMount *m, unsigned *n) {
114 BindMount *f, *t, *previous;
115
116 assert(m);
117 assert(n);
118
119 for (f = m, t = m, previous = NULL; f < m+*n; f++) {
120
121 /* The first one wins */
122 if (previous && path_equal(f->path, previous->path))
123 continue;
124
125 *t = *f;
126
127 previous = t;
128
129 t++;
130 }
131
132 *n = t - m;
133 }
134
135 static int mount_dev(BindMount *m) {
136 static const char devnodes[] =
137 "/dev/null\0"
138 "/dev/zero\0"
139 "/dev/full\0"
140 "/dev/random\0"
141 "/dev/urandom\0"
142 "/dev/tty\0";
143
144 char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
145 const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
146 _cleanup_umask_ mode_t u;
147 int r;
148
149 assert(m);
150
151 u = umask(0000);
152
153 if (!mkdtemp(temporary_mount))
154 return -errno;
155
156 dev = strjoina(temporary_mount, "/dev");
157 (void) mkdir(dev, 0755);
158 if (mount("tmpfs", dev, "tmpfs", DEV_MOUNT_OPTIONS, "mode=755") < 0) {
159 r = -errno;
160 goto fail;
161 }
162
163 devpts = strjoina(temporary_mount, "/dev/pts");
164 (void) mkdir(devpts, 0755);
165 if (mount("/dev/pts", devpts, NULL, MS_BIND, NULL) < 0) {
166 r = -errno;
167 goto fail;
168 }
169
170 devptmx = strjoina(temporary_mount, "/dev/ptmx");
171 if (symlink("pts/ptmx", devptmx) < 0) {
172 r = -errno;
173 goto fail;
174 }
175
176 devshm = strjoina(temporary_mount, "/dev/shm");
177 (void) mkdir(devshm, 01777);
178 r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
179 if (r < 0) {
180 r = -errno;
181 goto fail;
182 }
183
184 devmqueue = strjoina(temporary_mount, "/dev/mqueue");
185 (void) mkdir(devmqueue, 0755);
186 (void) mount("/dev/mqueue", devmqueue, NULL, MS_BIND, NULL);
187
188 devhugepages = strjoina(temporary_mount, "/dev/hugepages");
189 (void) mkdir(devhugepages, 0755);
190 (void) mount("/dev/hugepages", devhugepages, NULL, MS_BIND, NULL);
191
192 devlog = strjoina(temporary_mount, "/dev/log");
193 (void) symlink("/run/systemd/journal/dev-log", devlog);
194
195 NULSTR_FOREACH(d, devnodes) {
196 _cleanup_free_ char *dn = NULL;
197 struct stat st;
198
199 r = stat(d, &st);
200 if (r < 0) {
201
202 if (errno == ENOENT)
203 continue;
204
205 r = -errno;
206 goto fail;
207 }
208
209 if (!S_ISBLK(st.st_mode) &&
210 !S_ISCHR(st.st_mode)) {
211 r = -EINVAL;
212 goto fail;
213 }
214
215 if (st.st_rdev == 0)
216 continue;
217
218 dn = strappend(temporary_mount, d);
219 if (!dn) {
220 r = -ENOMEM;
221 goto fail;
222 }
223
224 mac_selinux_create_file_prepare(d, st.st_mode);
225 r = mknod(dn, st.st_mode, st.st_rdev);
226 mac_selinux_create_file_clear();
227
228 if (r < 0) {
229 r = -errno;
230 goto fail;
231 }
232 }
233
234 dev_setup(temporary_mount, UID_INVALID, GID_INVALID);
235
236 /* Create the /dev directory if missing. It is more likely to be
237 * missing when the service is started with RootDirectory. This is
238 * consistent with mount units creating the mount points when missing.
239 */
240 (void) mkdir_p_label(m->path, 0755);
241
242 /* Unmount everything in old /dev */
243 umount_recursive(m->path, 0);
244 if (mount(dev, m->path, NULL, MS_MOVE, NULL) < 0) {
245 r = -errno;
246 goto fail;
247 }
248
249 rmdir(dev);
250 rmdir(temporary_mount);
251
252 return 0;
253
254 fail:
255 if (devpts)
256 umount(devpts);
257
258 if (devshm)
259 umount(devshm);
260
261 if (devhugepages)
262 umount(devhugepages);
263
264 if (devmqueue)
265 umount(devmqueue);
266
267 umount(dev);
268 rmdir(dev);
269 rmdir(temporary_mount);
270
271 return r;
272 }
273
274 static int apply_mount(
275 BindMount *m,
276 const char *tmp_dir,
277 const char *var_tmp_dir) {
278
279 const char *what;
280 int r;
281 struct stat target;
282
283 assert(m);
284
285 switch (m->mode) {
286
287 case INACCESSIBLE:
288
289 /* First, get rid of everything that is below if there
290 * is anything... Then, overmount it with an
291 * inaccessible path. */
292 umount_recursive(m->path, 0);
293
294 r = lstat(m->path, &target);
295 if (r != 0) {
296 if (m->ignore && errno == ENOENT)
297 return 0;
298 return -errno;
299 }
300
301 what = mode_to_inaccessible_node(target.st_mode);
302 if (what == NULL) {
303 log_debug("File type not supported. Note that symlinks are not allowed");
304 return -ELOOP;
305 }
306 break;
307 case READONLY:
308 case READWRITE:
309 /* Nothing to mount here, we just later toggle the
310 * MS_RDONLY bit for the mount point */
311 return 0;
312
313 case PRIVATE_TMP:
314 what = tmp_dir;
315 break;
316
317 case PRIVATE_VAR_TMP:
318 what = var_tmp_dir;
319 break;
320
321 case PRIVATE_DEV:
322 return mount_dev(m);
323
324 default:
325 assert_not_reached("Unknown mode");
326 }
327
328 assert(what);
329
330 r = mount(what, m->path, NULL, MS_BIND|MS_REC, NULL);
331 if (r >= 0) {
332 log_debug("Successfully mounted %s to %s", what, m->path);
333 return r;
334 }
335 else {
336 if (m->ignore && errno == ENOENT)
337 return 0;
338 log_debug("Failed mounting %s to %s: %s", what, m->path, strerror(errno));
339 return -errno;
340 }
341 }
342
343 static int make_read_only(BindMount *m) {
344 int r;
345
346 assert(m);
347
348 if (IN_SET(m->mode, INACCESSIBLE, READONLY))
349 r = bind_remount_recursive(m->path, true);
350 else if (IN_SET(m->mode, READWRITE, PRIVATE_TMP, PRIVATE_VAR_TMP, PRIVATE_DEV)) {
351 r = bind_remount_recursive(m->path, false);
352 if (r == 0 && m->mode == PRIVATE_DEV) /* can be readonly but the submounts can't*/
353 r = mount(NULL, m->path, NULL, MS_REMOUNT|DEV_MOUNT_OPTIONS|MS_RDONLY, NULL);
354 } else
355 r = 0;
356
357 if (m->ignore && r == -ENOENT)
358 return 0;
359
360 return r;
361 }
362
363 int setup_namespace(
364 const char* root_directory,
365 char** read_write_paths,
366 char** read_only_paths,
367 char** inaccessible_paths,
368 const char* tmp_dir,
369 const char* var_tmp_dir,
370 bool private_dev,
371 ProtectHome protect_home,
372 ProtectSystem protect_system,
373 unsigned long mount_flags) {
374
375 BindMount *m, *mounts = NULL;
376 unsigned n;
377 int r = 0;
378
379 if (mount_flags == 0)
380 mount_flags = MS_SHARED;
381
382 if (unshare(CLONE_NEWNS) < 0)
383 return -errno;
384
385 n = !!tmp_dir + !!var_tmp_dir +
386 strv_length(read_write_paths) +
387 strv_length(read_only_paths) +
388 strv_length(inaccessible_paths) +
389 private_dev +
390 (protect_home != PROTECT_HOME_NO ? 3 : 0) +
391 (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
392 (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
393
394 if (n > 0) {
395 m = mounts = (BindMount *) alloca0(n * sizeof(BindMount));
396 r = append_mounts(&m, read_write_paths, READWRITE);
397 if (r < 0)
398 return r;
399
400 r = append_mounts(&m, read_only_paths, READONLY);
401 if (r < 0)
402 return r;
403
404 r = append_mounts(&m, inaccessible_paths, INACCESSIBLE);
405 if (r < 0)
406 return r;
407
408 if (tmp_dir) {
409 m->path = prefix_roota(root_directory, "/tmp");
410 m->mode = PRIVATE_TMP;
411 m++;
412 }
413
414 if (var_tmp_dir) {
415 m->path = prefix_roota(root_directory, "/var/tmp");
416 m->mode = PRIVATE_VAR_TMP;
417 m++;
418 }
419
420 if (private_dev) {
421 m->path = prefix_roota(root_directory, "/dev");
422 m->mode = PRIVATE_DEV;
423 m++;
424 }
425
426 if (protect_home != PROTECT_HOME_NO) {
427 const char *home_dir, *run_user_dir, *root_dir;
428
429 home_dir = prefix_roota(root_directory, "/home");
430 home_dir = strjoina("-", home_dir);
431 run_user_dir = prefix_roota(root_directory, "/run/user");
432 run_user_dir = strjoina("-", run_user_dir);
433 root_dir = prefix_roota(root_directory, "/root");
434 root_dir = strjoina("-", root_dir);
435
436 r = append_mounts(&m, STRV_MAKE(home_dir, run_user_dir, root_dir),
437 protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
438 if (r < 0)
439 return r;
440 }
441
442 if (protect_system != PROTECT_SYSTEM_NO) {
443 const char *usr_dir, *boot_dir, *etc_dir;
444
445 usr_dir = prefix_roota(root_directory, "/usr");
446 boot_dir = prefix_roota(root_directory, "/boot");
447 boot_dir = strjoina("-", boot_dir);
448 etc_dir = prefix_roota(root_directory, "/etc");
449
450 r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL
451 ? STRV_MAKE(usr_dir, boot_dir, etc_dir)
452 : STRV_MAKE(usr_dir, boot_dir), READONLY);
453 if (r < 0)
454 return r;
455 }
456
457 assert(mounts + n == m);
458
459 qsort(mounts, n, sizeof(BindMount), mount_path_compare);
460 drop_duplicates(mounts, &n);
461 }
462
463 if (n > 0 || root_directory) {
464 /* Remount / as SLAVE so that nothing now mounted in the namespace
465 shows up in the parent */
466 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0)
467 return -errno;
468 }
469
470 if (root_directory) {
471 /* Turn directory into bind mount */
472 if (mount(root_directory, root_directory, NULL, MS_BIND|MS_REC, NULL) < 0)
473 return -errno;
474 }
475
476 if (n > 0) {
477 for (m = mounts; m < mounts + n; ++m) {
478 r = apply_mount(m, tmp_dir, var_tmp_dir);
479 if (r < 0)
480 goto fail;
481 }
482
483 for (m = mounts; m < mounts + n; ++m) {
484 r = make_read_only(m);
485 if (r < 0)
486 goto fail;
487 }
488 }
489
490 if (root_directory) {
491 /* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */
492 r = mount_move_root(root_directory);
493
494 /* at this point, we cannot rollback */
495 if (r < 0)
496 return r;
497 }
498
499 /* Remount / as the desired mode. Not that this will not
500 * reestablish propagation from our side to the host, since
501 * what's disconnected is disconnected. */
502 if (mount(NULL, "/", NULL, mount_flags | MS_REC, NULL) < 0)
503 /* at this point, we cannot rollback */
504 return -errno;
505
506 return 0;
507
508 fail:
509 if (n > 0) {
510 for (m = mounts; m < mounts + n; ++m)
511 if (m->done)
512 (void) umount2(m->path, MNT_DETACH);
513 }
514
515 return r;
516 }
517
518 static int setup_one_tmp_dir(const char *id, const char *prefix, char **path) {
519 _cleanup_free_ char *x = NULL;
520 char bid[SD_ID128_STRING_MAX];
521 sd_id128_t boot_id;
522 int r;
523
524 assert(id);
525 assert(prefix);
526 assert(path);
527
528 /* We include the boot id in the directory so that after a
529 * reboot we can easily identify obsolete directories. */
530
531 r = sd_id128_get_boot(&boot_id);
532 if (r < 0)
533 return r;
534
535 x = strjoin(prefix, "/systemd-private-", sd_id128_to_string(boot_id, bid), "-", id, "-XXXXXX", NULL);
536 if (!x)
537 return -ENOMEM;
538
539 RUN_WITH_UMASK(0077)
540 if (!mkdtemp(x))
541 return -errno;
542
543 RUN_WITH_UMASK(0000) {
544 char *y;
545
546 y = strjoina(x, "/tmp");
547
548 if (mkdir(y, 0777 | S_ISVTX) < 0)
549 return -errno;
550 }
551
552 *path = x;
553 x = NULL;
554
555 return 0;
556 }
557
558 int setup_tmp_dirs(const char *id, char **tmp_dir, char **var_tmp_dir) {
559 char *a, *b;
560 int r;
561
562 assert(id);
563 assert(tmp_dir);
564 assert(var_tmp_dir);
565
566 r = setup_one_tmp_dir(id, "/tmp", &a);
567 if (r < 0)
568 return r;
569
570 r = setup_one_tmp_dir(id, "/var/tmp", &b);
571 if (r < 0) {
572 char *t;
573
574 t = strjoina(a, "/tmp");
575 rmdir(t);
576 rmdir(a);
577
578 free(a);
579 return r;
580 }
581
582 *tmp_dir = a;
583 *var_tmp_dir = b;
584
585 return 0;
586 }
587
588 int setup_netns(int netns_storage_socket[2]) {
589 _cleanup_close_ int netns = -1;
590 int r, q;
591
592 assert(netns_storage_socket);
593 assert(netns_storage_socket[0] >= 0);
594 assert(netns_storage_socket[1] >= 0);
595
596 /* We use the passed socketpair as a storage buffer for our
597 * namespace reference fd. Whatever process runs this first
598 * shall create a new namespace, all others should just join
599 * it. To serialize that we use a file lock on the socket
600 * pair.
601 *
602 * It's a bit crazy, but hey, works great! */
603
604 if (lockf(netns_storage_socket[0], F_LOCK, 0) < 0)
605 return -errno;
606
607 netns = receive_one_fd(netns_storage_socket[0], MSG_DONTWAIT);
608 if (netns == -EAGAIN) {
609 /* Nothing stored yet, so let's create a new namespace */
610
611 if (unshare(CLONE_NEWNET) < 0) {
612 r = -errno;
613 goto fail;
614 }
615
616 loopback_setup();
617
618 netns = open("/proc/self/ns/net", O_RDONLY|O_CLOEXEC|O_NOCTTY);
619 if (netns < 0) {
620 r = -errno;
621 goto fail;
622 }
623
624 r = 1;
625
626 } else if (netns < 0) {
627 r = netns;
628 goto fail;
629
630 } else {
631 /* Yay, found something, so let's join the namespace */
632 if (setns(netns, CLONE_NEWNET) < 0) {
633 r = -errno;
634 goto fail;
635 }
636
637 r = 0;
638 }
639
640 q = send_one_fd(netns_storage_socket[1], netns, MSG_DONTWAIT);
641 if (q < 0) {
642 r = q;
643 goto fail;
644 }
645
646 fail:
647 lockf(netns_storage_socket[0], F_ULOCK, 0);
648 return r;
649 }
650
651 static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
652 [PROTECT_HOME_NO] = "no",
653 [PROTECT_HOME_YES] = "yes",
654 [PROTECT_HOME_READ_ONLY] = "read-only",
655 };
656
657 DEFINE_STRING_TABLE_LOOKUP(protect_home, ProtectHome);
658
659 static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
660 [PROTECT_SYSTEM_NO] = "no",
661 [PROTECT_SYSTEM_YES] = "yes",
662 [PROTECT_SYSTEM_FULL] = "full",
663 };
664
665 DEFINE_STRING_TABLE_LOOKUP(protect_system, ProtectSystem);
Unnamed repository; edit this file 'description' to name the repository.