1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 #pragma once
3
4 /***
5 Copyright © 2016 Djalal Harouni
6 ***/
7
/* Forward typedefs for the three structs defined further down, so the names
 * are usable before their definitions (and, possibly, by the headers included
 * next — not visible from here). */
typedef struct NamespaceInfo NamespaceInfo;
typedef struct BindMount BindMount;
typedef struct TemporaryFileSystem TemporaryFileSystem;
11
12 #include <stdbool.h>
13
14 #include "dissect-image.h"
15 #include "fs-util.h"
16 #include "macro.h"
17 #include "string-util.h"
18
/* Presumably the values of the ProtectHome= unit setting; the string form is
 * converted by protect_home_to_string()/protect_home_from_string() below.
 * _PROTECT_HOME_MAX is the one-past-the-end count (table sizing), and
 * _PROTECT_HOME_INVALID is the "not a valid value" marker, by the usual
 * systemd enum convention. Neither sentinel is a real policy value. */
typedef enum ProtectHome {
        PROTECT_HOME_NO,
        PROTECT_HOME_YES,
        PROTECT_HOME_READ_ONLY,
        PROTECT_HOME_TMPFS,
        _PROTECT_HOME_MAX,
        _PROTECT_HOME_INVALID = -1
} ProtectHome;
27
/* Kinds of Linux namespace referred to in this module. The string form is
 * handled by namespace_type_to_string()/namespace_type_from_string() and
 * ns_type_supported() (all declared below) presumably reports whether the
 * running kernel offers the given kind. The two underscore-prefixed entries
 * are the usual systemd count / "invalid" sentinels, not namespace kinds. */
typedef enum NamespaceType {
        NAMESPACE_MOUNT,
        NAMESPACE_CGROUP,
        NAMESPACE_UTS,
        NAMESPACE_IPC,
        NAMESPACE_USER,
        NAMESPACE_PID,
        NAMESPACE_NET,
        _NAMESPACE_TYPE_MAX,
        _NAMESPACE_TYPE_INVALID = -1,
} NamespaceType;
39
/* Presumably the values of the ProtectSystem= unit setting; converted to and
 * from its string form by protect_system_to_string()/protect_system_from_string()
 * below. Which directories each level makes read-only is decided in
 * namespace.c, not here. _PROTECT_SYSTEM_MAX is the count sentinel and
 * _PROTECT_SYSTEM_INVALID the "unrecognised" marker. */
typedef enum ProtectSystem {
        PROTECT_SYSTEM_NO,
        PROTECT_SYSTEM_YES,
        PROTECT_SYSTEM_FULL,
        PROTECT_SYSTEM_STRICT,
        _PROTECT_SYSTEM_MAX,
        _PROTECT_SYSTEM_INVALID = -1
} ProtectSystem;
48
/* Boolean sandboxing switches handed to setup_namespace(). Every member is a
 * one-bit field. The per-field meanings below are read off the names only
 * (they presumably mirror the unit settings of the same name, e.g.
 * PrivateDevices=, ProtectKernelTunables=, ProtectHostname=) — verify against
 * namespace.c and the caller before relying on them. */
struct NamespaceInfo {
        bool ignore_protect_paths:1;    /* skip the protect-path handling (name-derived; confirm) */
        bool private_dev:1;             /* private /dev */
        bool private_mounts:1;          /* private mount namespace even without other options (confirm) */
        bool protect_control_groups:1;  /* read-only cgroup fs */
        bool protect_kernel_tunables:1; /* read-only /proc/sys, /sys and similar */
        bool protect_kernel_modules:1;  /* block module loading */
        bool protect_kernel_logs:1;     /* hide kernel log access */
        bool mount_apivfs:1;            /* mount /proc, /sys, /dev in a root image/directory */
        bool protect_hostname:1;        /* private UTS namespace / read-only hostname */
};
60
/* One extra bind mount to establish inside the namespace. Entries are
 * collected with bind_mount_add() and released with bind_mount_free_many()
 * (declared below), so source and destination are presumably heap strings
 * owned by the array. The flag meanings are taken from the names — confirm
 * in namespace.c: read_only (remount read-only), nosuid (mount with nosuid,
 * i.e. setuid binaries from the source are not honoured), recursive (bind the
 * whole subtree rather than just the top mount), ignore_enoent (a missing
 * source is skipped instead of being an error). */
struct BindMount {
        char *source;
        char *destination;
        bool read_only:1;
        bool nosuid:1;
        bool recursive:1;
        bool ignore_enoent:1;
};
69
/* One temporary file system (presumably a tmpfs, cf. TemporaryFileSystem=)
 * to mount at `path` with the mount option string `options`. Entries are
 * built with temporary_filesystem_add() and freed with
 * temporary_filesystem_free_many(), which suggests both strings are owned by
 * the array — confirm in namespace.c. */
struct TemporaryFileSystem {
        char *path;
        char *options;
};
74
/* Builds the service's private mount namespace from the given unit settings.
 * Returns an int — presumably 0 on success and a negative errno-style code on
 * failure, matching the rest of this header; confirm in namespace.c.
 *
 * root_directory / root_image / root_image_options: the new root, either an
 *   existing directory or a disk image plus the image's mount options
 *   (MountOptions comes from dissect-image.h).
 * ns_info: the boolean sandboxing switches, see NamespaceInfo.
 * read_write_paths, read_only_paths, inaccessible_paths, empty_directories:
 *   path lists (presumably NULL-terminated strv arrays) to remount
 *   read-write, read-only, make inaccessible, or replace with empty
 *   directories.
 * bind_mounts / n_bind_mounts, temporary_filesystems /
 *   n_temporary_filesystems: explicit extra mounts, see BindMount and
 *   TemporaryFileSystem.
 * tmp_dir / var_tmp_dir: private /tmp and /var/tmp directories (presumably
 *   those produced by setup_tmp_dirs() below) to mount over the real ones.
 * log_namespace: journal log namespace to expose (name-derived — confirm).
 * protect_home / protect_system: ProtectHome= and ProtectSystem= policy.
 * mount_flags: mount flag bits applied to the namespace (which bits callers
 *   pass is not visible here — confirm).
 * root_hash / root_hash_size, root_hash_path, root_hash_sig /
 *   root_hash_sig_size, root_hash_sig_path, root_verity: presumably the
 *   dm-verity integrity data for root_image: the root hash and its signature,
 *   each either inline (pointer + size) or as a file path, plus the path of the
 *   verity (hash) data. Which form wins when both are given, and whether a
 *   signature is mandatory, is decided in the image-dissection code, not here
 *   — check that before relying on this interface for integrity enforcement.
 * dissected_image_flags: DissectImageFlags forwarded to dissect-image.
 * error_path: on failure may be set to the path that could not be set up
 *   (name-derived; allocation and ownership not visible here — confirm). */
int setup_namespace(
                const char *root_directory,
                const char *root_image,
                const MountOptions *root_image_options,
                const NamespaceInfo *ns_info,
                char **read_write_paths,
                char **read_only_paths,
                char **inaccessible_paths,
                char **empty_directories,
                const BindMount *bind_mounts,
                size_t n_bind_mounts,
                const TemporaryFileSystem *temporary_filesystems,
                size_t n_temporary_filesystems,
                const char *tmp_dir,
                const char *var_tmp_dir,
                const char *log_namespace,
                ProtectHome protect_home,
                ProtectSystem protect_system,
                unsigned long mount_flags,
                const void *root_hash,
                size_t root_hash_size,
                const char *root_hash_path,
                const void *root_hash_sig,
                size_t root_hash_sig_size,
                const char *root_hash_sig_path,
                const char *root_verity,
                DissectImageFlags dissected_image_flags,
                char **error_path);
103
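/* Placeholder directory that namespace_cleanup_tmpdir() deliberately never
 * removes. Where it is handed out (presumably by setup_tmp_dirs() when no
 * private directory is needed) is not visible in this header — see
 * namespace.c. */
#define RUN_SYSTEMD_EMPTY "/run/systemd/empty"

/* Releases a tmp-dir path (presumably one produced by setup_tmp_dirs()):
 * removes the directory unless it is the shared RUN_SYSTEMD_EMPTY placeholder,
 * then frees the string. rmdir() only removes an empty directory; a populated
 * one is left in place and the failure is ignored, like every other error
 * here. errno is preserved across the call (PROTECT_ERRNO — assuming it
 * saves and restores errno as its name suggests), so this is usable on error
 * paths. A NULL pointer is a no-op: without the guard the original called
 * rmdir(NULL), a pointless failing syscall. */
static inline void namespace_cleanup_tmpdir(char *p) {
        PROTECT_ERRNO;

        if (!p)
                return;

        /* The placeholder is not per-unit; removing it would be wrong. */
        if (!streq_ptr(p, RUN_SYSTEMD_EMPTY))
                (void) rmdir(p);

        free(p);
}
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, namespace_cleanup_tmpdir);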
113
/* Creates private /tmp and /var/tmp directories for the unit `id` and
 * returns their paths through *tmp_dir and *var_tmp_dir. Return convention
 * and ownership are not visible here; going by namespace_cleanup_tmpdir()
 * above, the strings are presumably heap-allocated, owned by the caller and
 * to be released with that function (which also copes with the
 * RUN_SYSTEMD_EMPTY placeholder) — confirm in namespace.c. */
int setup_tmp_dirs(
                const char *id,
                char **tmp_dir,
                char **var_tmp_dir);
118
/* Network namespace helpers. netns_storage_socket must be an array of at
 * least two fds ([static 2]) — presumably a socket pair used to stash the
 * namespace fd and fetch it back later, possibly from another process;
 * confirm in namespace.c. setup_netns() creates/joins the namespace,
 * open_netns_path() additionally takes a path (to an existing namespace
 * file, presumably). Both return int, assumed 0 / negative errno as elsewhere
 * in this header. */
int setup_netns(const int netns_storage_socket[static 2]);
int open_netns_path(const int netns_storage_socket[static 2], const char *path);
121
/* String conversions for ProtectHome and ProtectSystem. The *_from_string()
 * variants presumably return the _INVALID sentinel for unrecognised input,
 * by the usual systemd convention — callers must check for it. _const_ and
 * _pure_ are the GCC attribute wrappers (from macro.h, presumably). */
const char* protect_home_to_string(ProtectHome p) _const_;
ProtectHome protect_home_from_string(const char *s) _pure_;

const char* protect_system_to_string(ProtectSystem p) _const_;
ProtectSystem protect_system_from_string(const char *s) _pure_;
127
/* Growable-array helpers for BindMount and TemporaryFileSystem. The *_add()
 * functions take the array pointer and count by reference and presumably
 * reallocate and append a copy of the item (for bind mounts, a copy of *item;
 * for temporary file systems, built from path/options), returning int —
 * assumed 0 / negative errno. The *_free_many() functions release n entries
 * and, presumably, the strings they own; whether the array itself is freed is
 * not visible here — confirm in namespace.c. */
void bind_mount_free_many(BindMount *b, size_t n);
int bind_mount_add(BindMount **b, size_t *n, const BindMount *item);

void temporary_filesystem_free_many(TemporaryFileSystem *t, size_t n);
int temporary_filesystem_add(TemporaryFileSystem **t, size_t *n,
                             const char *path, const char *options);
134
/* String conversions for NamespaceType (same conventions as the ProtectHome
 * ones above), plus ns_type_supported(), which presumably reports whether the
 * running kernel supports the given namespace kind — callers should not
 * assume every NamespaceType is available. */
const char* namespace_type_to_string(NamespaceType t) _const_;
NamespaceType namespace_type_from_string(const char *s) _pure_;

bool ns_type_supported(NamespaceType type);