]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/libsystemd/sd-bus/bus-container.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #1527 from keszybz/lz4
[thirdparty/systemd.git] / src / libsystemd / sd-bus / bus-container.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2013 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <unistd.h>
23 #include <fcntl.h>
24
25 #include "util.h"
26 #include "process-util.h"
27 #include "bus-internal.h"
28 #include "bus-socket.h"
29 #include "bus-container.h"
30
31 int bus_container_connect_socket(sd_bus *b) {
32 _cleanup_close_pair_ int pair[2] = { -1, -1 };
33 _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, usernsfd = -1, rootfd = -1;
34 pid_t child;
35 siginfo_t si;
36 int r, error_buf = 0;
37 ssize_t n;
38
39 assert(b);
40 assert(b->input_fd < 0);
41 assert(b->output_fd < 0);
42 assert(b->nspid > 0 || b->machine);
43
44 if (b->nspid <= 0) {
45 r = container_get_leader(b->machine, &b->nspid);
46 if (r < 0)
47 return r;
48 }
49
50 r = namespace_open(b->nspid, &pidnsfd, &mntnsfd, NULL, &usernsfd, &rootfd);
51 if (r < 0)
52 return r;
53
54 b->input_fd = socket(b->sockaddr.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
55 if (b->input_fd < 0)
56 return -errno;
57
58 b->output_fd = b->input_fd;
59
60 bus_socket_setup(b);
61
62 if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, pair) < 0)
63 return -errno;
64
65 child = fork();
66 if (child < 0)
67 return -errno;
68
69 if (child == 0) {
70 pid_t grandchild;
71
72 pair[0] = safe_close(pair[0]);
73
74 r = namespace_enter(pidnsfd, mntnsfd, -1, usernsfd, rootfd);
75 if (r < 0)
76 _exit(EXIT_FAILURE);
77
78 /* We just changed PID namespace, however it will only
79 * take effect on the children we now fork. Hence,
80 * let's fork another time, and connect from this
81 * grandchild, so that SO_PEERCRED of our connection
82 * comes from a process from within the container, and
83 * not outside of it */
84
85 grandchild = fork();
86 if (grandchild < 0)
87 _exit(EXIT_FAILURE);
88
89 if (grandchild == 0) {
90
91 r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
92 if (r < 0) {
93 /* Try to send error up */
94 error_buf = errno;
95 (void) write(pair[1], &error_buf, sizeof(error_buf));
96 _exit(EXIT_FAILURE);
97 }
98
99 _exit(EXIT_SUCCESS);
100 }
101
102 r = wait_for_terminate(grandchild, &si);
103 if (r < 0)
104 _exit(EXIT_FAILURE);
105
106 if (si.si_code != CLD_EXITED)
107 _exit(EXIT_FAILURE);
108
109 _exit(si.si_status);
110 }
111
112 pair[1] = safe_close(pair[1]);
113
114 r = wait_for_terminate(child, &si);
115 if (r < 0)
116 return r;
117
118 n = read(pair[0], &error_buf, sizeof(error_buf));
119 if (n < 0)
120 return -errno;
121
122 if (n > 0) {
123 if (n != sizeof(error_buf))
124 return -EIO;
125
126 if (error_buf < 0)
127 return -EIO;
128
129 if (error_buf == EINPROGRESS)
130 return 1;
131
132 if (error_buf > 0)
133 return -error_buf;
134 }
135
136 if (si.si_code != CLD_EXITED)
137 return -EIO;
138
139 if (si.si_status != EXIT_SUCCESS)
140 return -EIO;
141
142 return bus_socket_start_auth(b);
143 }
144
145 int bus_container_connect_kernel(sd_bus *b) {
146 _cleanup_close_pair_ int pair[2] = { -1, -1 };
147 _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, usernsfd = -1, rootfd = -1;
148 union {
149 struct cmsghdr cmsghdr;
150 uint8_t buf[CMSG_SPACE(sizeof(int))];
151 } control = {};
152 int error_buf = 0;
153 struct iovec iov = {
154 .iov_base = &error_buf,
155 .iov_len = sizeof(error_buf),
156 };
157 struct msghdr mh = {
158 .msg_control = &control,
159 .msg_controllen = sizeof(control),
160 .msg_iov = &iov,
161 .msg_iovlen = 1,
162 };
163 struct cmsghdr *cmsg;
164 pid_t child;
165 siginfo_t si;
166 int r, fd = -1;
167 ssize_t n;
168
169 assert(b);
170 assert(b->input_fd < 0);
171 assert(b->output_fd < 0);
172 assert(b->nspid > 0 || b->machine);
173
174 if (b->nspid <= 0) {
175 r = container_get_leader(b->machine, &b->nspid);
176 if (r < 0)
177 return r;
178 }
179
180 r = namespace_open(b->nspid, &pidnsfd, &mntnsfd, NULL, &usernsfd, &rootfd);
181 if (r < 0)
182 return r;
183
184 if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, pair) < 0)
185 return -errno;
186
187 child = fork();
188 if (child < 0)
189 return -errno;
190
191 if (child == 0) {
192 pid_t grandchild;
193
194 pair[0] = safe_close(pair[0]);
195
196 r = namespace_enter(pidnsfd, mntnsfd, -1, usernsfd, rootfd);
197 if (r < 0)
198 _exit(EXIT_FAILURE);
199
200 /* We just changed PID namespace, however it will only
201 * take effect on the children we now fork. Hence,
202 * let's fork another time, and connect from this
203 * grandchild, so that kdbus only sees the credentials
204 * of this process which comes from within the
205 * container, and not outside of it */
206
207 grandchild = fork();
208 if (grandchild < 0)
209 _exit(EXIT_FAILURE);
210
211 if (grandchild == 0) {
212 fd = open(b->kernel, O_RDWR|O_NOCTTY|O_CLOEXEC);
213 if (fd < 0) {
214 /* Try to send error up */
215 error_buf = errno;
216 (void) write(pair[1], &error_buf, sizeof(error_buf));
217 _exit(EXIT_FAILURE);
218 }
219
220 r = send_one_fd(pair[1], fd, 0);
221 if (r < 0)
222 _exit(EXIT_FAILURE);
223
224 _exit(EXIT_SUCCESS);
225 }
226
227 r = wait_for_terminate(grandchild, &si);
228 if (r < 0)
229 _exit(EXIT_FAILURE);
230
231 if (si.si_code != CLD_EXITED)
232 _exit(EXIT_FAILURE);
233
234 _exit(si.si_status);
235 }
236
237 pair[1] = safe_close(pair[1]);
238
239 r = wait_for_terminate(child, &si);
240 if (r < 0)
241 return r;
242
243 n = recvmsg(pair[0], &mh, MSG_NOSIGNAL|MSG_CMSG_CLOEXEC);
244 if (n < 0)
245 return -errno;
246
247 CMSG_FOREACH(cmsg, &mh) {
248 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
249 int *fds;
250 unsigned n_fds;
251
252 assert(fd < 0);
253
254 fds = (int*) CMSG_DATA(cmsg);
255 n_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
256
257 if (n_fds != 1) {
258 close_many(fds, n_fds);
259 return -EIO;
260 }
261
262 fd = fds[0];
263 }
264 }
265
266 /* If there's an fd passed, we are good. */
267 if (fd >= 0) {
268 b->input_fd = b->output_fd = fd;
269 return bus_kernel_take_fd(b);
270 }
271
272 /* If there's an error passed, use it */
273 if (n == sizeof(error_buf) && error_buf > 0)
274 return -error_buf;
275
276 /* Otherwise, we have no clue */
277 return -EIO;
278 }
Unnamed repository; edit this file 'description' to name the repository.