1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 #pragma once
3
4 /***
5 Copyright © 2016 Djalal Harouni
6 ***/
7
/* Forward typedefs for the three structs defined further down in this
 * header. Introducing the names here, before the #includes, makes them
 * visible to everything that follows (including the headers included right
 * after them), while the actual layouts stay below. */
typedef struct NamespaceInfo NamespaceInfo;
typedef struct BindMount BindMount;
typedef struct TemporaryFileSystem TemporaryFileSystem;
11
12 #include <stdbool.h>
13
14 #include "dissect-image.h"
15 #include "macro.h"
16
/* Modes of the ProtectHome= sandboxing setting. Converted to and from its
 * textual form by protect_home_to_string()/protect_home_from_string()
 * below. Sentinels follow the usual systemd enum convention: _PROTECT_HOME_MAX
 * is the count of real values (valid as an array bound, never as a value) and
 * _PROTECT_HOME_INVALID (-1) is what the parser hands back for unknown input,
 * so a from_string() result must be checked for < 0 before it is used as a
 * table index. Do not renumber the real values: string tables and any
 * ordered comparisons in namespace.c presumably depend on them -- TODO confirm.
 * Per-value semantics (YES: inaccessible, READ_ONLY: read-only view, TMPFS:
 * replaced by an empty tmpfs) are what the names suggest; verify in
 * namespace.c before relying on that here. */
typedef enum ProtectHome {
        PROTECT_HOME_NO,
        PROTECT_HOME_YES,
        PROTECT_HOME_READ_ONLY,
        PROTECT_HOME_TMPFS,
        _PROTECT_HOME_MAX,
        _PROTECT_HOME_INVALID = -1
} ProtectHome;
25
/* Kinds of Linux namespaces this module knows about. Converted to and from
 * strings by namespace_type_to_string()/namespace_type_from_string() and
 * queried for availability with ns_type_supported(), all declared below.
 * Same _MAX/_INVALID sentinel convention as ProtectHome: _NAMESPACE_TYPE_MAX
 * is a count, _NAMESPACE_TYPE_INVALID (-1) is the parse-failure result and
 * must be rejected before indexing anything with the value.
 * (The trailing comma after the last enumerator is C99-legal and merely
 * inconsistent with the other enums in this file.) */
typedef enum NamespaceType {
        NAMESPACE_MOUNT,
        NAMESPACE_CGROUP,
        NAMESPACE_UTS,
        NAMESPACE_IPC,
        NAMESPACE_USER,
        NAMESPACE_PID,
        NAMESPACE_NET,
        _NAMESPACE_TYPE_MAX,
        _NAMESPACE_TYPE_INVALID = -1,
} NamespaceType;
37
/* Modes of the ProtectSystem= sandboxing setting. Converted to and from its
 * textual form by protect_system_to_string()/protect_system_from_string()
 * below; _PROTECT_SYSTEM_MAX is a count and _PROTECT_SYSTEM_INVALID (-1) the
 * parse-failure result (check for < 0 before using as an index).
 * The names read as increasing strictness (NO < YES < FULL < STRICT); whether
 * callers compare the values numerically is not visible here, so treat the
 * order as part of the interface and add new values only at the end -- TODO
 * confirm against namespace.c. */
typedef enum ProtectSystem {
        PROTECT_SYSTEM_NO,
        PROTECT_SYSTEM_YES,
        PROTECT_SYSTEM_FULL,
        PROTECT_SYSTEM_STRICT,
        _PROTECT_SYSTEM_MAX,
        _PROTECT_SYSTEM_INVALID = -1
} ProtectSystem;
46
/* Boolean sandboxing knobs handed to setup_namespace() as one struct (by
 * const pointer) rather than as seven separate parameters. Each member is a
 * one-bit field. The names mirror exec settings they are presumably filled
 * from (PrivateDevices=, PrivateMounts=, ProtectControlGroups=,
 * ProtectKernelTunables=, ProtectKernelModules=, MountAPIVFS=); the exact
 * mapping lives in the caller, not here. */
struct NamespaceInfo {
        /* Presumably skips the read-only/inaccessible "protect path" handling
         * that the protect_* enums would otherwise apply -- TODO confirm in
         * namespace.c; it is the one member without a same-named setting. */
        bool ignore_protect_paths:1;
        bool private_dev:1;
        bool private_mounts:1;
        bool protect_control_groups:1;
        bool protect_kernel_tunables:1;
        bool protect_kernel_modules:1;
        bool mount_apivfs:1;
};
56
/* One bind-mount entry for setup_namespace(): make `source` appear at
 * `destination` inside the unit's mount namespace. The two strings are
 * plain (non-const) char*, and bind_mount_free_many() exists to release
 * entries, so they are assumed to be heap-allocated and owned by the entry
 * -- confirm in namespace.c before storing borrowed pointers here. */
struct BindMount {
        char *source;           /* path on the host side (owned, see above) */
        char *destination;      /* path inside the namespace (owned, see above) */
        bool read_only:1;       /* presumably remount the bind read-only */
        bool recursive:1;       /* presumably a recursive (MS_REC-style) bind */
        bool ignore_enoent:1;   /* presumably skip the entry, rather than fail,
                                 * when source is missing; note that a skipped
                                 * entry means the path is simply absent in the
                                 * sandbox -- TODO confirm */
};
64
/* One TemporaryFileSystem= style entry for setup_namespace(): a tmpfs
 * mounted at `path` with the given mount option string. As with BindMount,
 * both strings are non-const and a temporary_filesystem_free_many() helper
 * exists, so they are assumed owned by the entry; temporary_filesystem_add()
 * below takes const char* arguments and therefore presumably copies them
 * -- TODO confirm. */
struct TemporaryFileSystem {
        char *path;             /* mount point inside the namespace */
        char *options;          /* tmpfs mount options, may presumably be NULL */
};
69
/* Builds the mount namespace for a unit's execution environment.
 *
 * root_directory / root_image: alternative roots; the image is dissected
 *   according to dissected_image_flags (type from dissect-image.h).
 * ns_info: boolean knobs, see struct NamespaceInfo above.
 * read_write_paths, read_only_paths, inaccessible_paths, empty_directories:
 *   char** path lists, presumably NULL-terminated string vectors (strv) as
 *   elsewhere in systemd -- TODO confirm whether NULL itself is accepted.
 * bind_mounts / n_bind_mounts, temporary_filesystems /
 *   n_temporary_filesystems: array-plus-count pairs of the structs above.
 * tmp_dir / var_tmp_dir: private /tmp and /var/tmp locations, presumably
 *   the strings produced by setup_tmp_dirs() below.
 * protect_home / protect_system: the policy enums above; callers must not
 *   pass the _INVALID sentinels.
 * mount_flags: unsigned long, presumably mount propagation flags for the new
 *   namespace -- not determinable from this header.
 *
 * Return value: presumably 0 on success and a negative errno-style code on
 * failure, matching the rest of systemd -- confirm in namespace.c.
 *
 * Note: size_t is used by this and the helpers below but neither <stddef.h>
 * nor <stdlib.h> is included here; it must arrive via macro.h or
 * dissect-image.h. */
int setup_namespace(
                const char *root_directory,
                const char *root_image,
                const NamespaceInfo *ns_info,
                char **read_write_paths,
                char **read_only_paths,
                char **inaccessible_paths,
                char **empty_directories,
                const BindMount *bind_mounts,
                size_t n_bind_mounts,
                const TemporaryFileSystem *temporary_filesystems,
                size_t n_temporary_filesystems,
                const char *tmp_dir,
                const char *var_tmp_dir,
                ProtectHome protect_home,
                ProtectSystem protect_system,
                unsigned long mount_flags,
                DissectImageFlags dissected_image_flags);
88
/* Creates the private /tmp and /var/tmp directories for a unit.
 * id: identifier the directory names are presumably derived from.
 * tmp_dir, var_tmp_dir: output parameters receiving the two paths; the
 *   strings are char* (not const), so the caller presumably owns and frees
 *   them -- confirm in namespace.c.
 * Returns presumably 0 on success, negative errno on failure. */
int setup_tmp_dirs(
                const char *id,
                char **tmp_dir,
                char **var_tmp_dir);
93
/* Sets up the unit's network namespace. The parameter name suggests a
 * socket pair used to store and hand around the namespace fd -- TODO confirm.
 * Note the array parameter decays to int*: the [2] documents intent only and
 * is not enforced by the compiler, so every caller must really pass a
 * two-element array. Returns presumably 0 / negative errno. */
int setup_netns(int netns_storage_socket[2]);
95
/* String conversions for the two policy enums. _const_/_pure_ come from
 * macro.h. The from_string() variants presumably return the respective
 * _INVALID sentinel (-1) for unrecognised input, so callers must test the
 * result for < 0 before using it; the to_string() variants presumably expect
 * a valid enumerator and should not be handed a sentinel. */
const char* protect_home_to_string(ProtectHome p) _const_;
ProtectHome protect_home_from_string(const char *s) _pure_;

const char* protect_system_to_string(ProtectSystem p) _const_;
ProtectSystem protect_system_from_string(const char *s) _pure_;
101
/* Array helpers for the two entry structs above.
 * *_free_many(): release n entries at the given pointer (and presumably the
 *   array itself -- confirm).
 * bind_mount_add(): append a copy of *item to the array at *b and bump *n;
 *   since *b is passed by pointer it presumably reallocates, so the array
 *   may move. Whether item's strings are copied or taken over is not visible
 *   here -- check namespace.c before passing strings you intend to keep.
 * temporary_filesystem_add(): same shape, building the entry from the
 *   const char* path/options, which it therefore presumably duplicates.
 * Both add() functions return int, presumably 0 / negative errno. */
void bind_mount_free_many(BindMount *b, size_t n);
int bind_mount_add(BindMount **b, size_t *n, const BindMount *item);

void temporary_filesystem_free_many(TemporaryFileSystem *t, size_t n);
int temporary_filesystem_add(TemporaryFileSystem **t, size_t *n,
                             const char *path, const char *options);
108
/* String conversions for NamespaceType (same contract as the protect_*
 * conversions above: from_string presumably yields _NAMESPACE_TYPE_INVALID
 * for unknown input, check for < 0 before use). */
const char* namespace_type_to_string(NamespaceType t) _const_;
NamespaceType namespace_type_from_string(const char *s) _pure_;

/* Reports whether the given namespace type can be used -- presumably a
 * runtime probe of the running kernel rather than a compile-time answer.
 * Takes the enum by value; passing a sentinel is presumably rejected. */
bool ns_type_supported(NamespaceType type);