1 /* SPDX-License-Identifier: LGPL-2.1+ */
4 #include <linux/magic.h>
6 #include "alloc-util.h"
9 #include "format-util.h"
13 #include "mount-util.h"
14 #include "mountpoint-util.h"
15 #include "nspawn-mount.h"
16 #include "parse-util.h"
17 #include "path-util.h"
20 #include "sort-util.h"
21 #include "stat-util.h"
22 #include "string-util.h"
24 #include "tmpfile-util.h"
25 #include "user-util.h"
27 CustomMount
* custom_mount_add(CustomMount
**l
, size_t *n
, CustomMountType t
) {
33 assert(t
< _CUSTOM_MOUNT_TYPE_MAX
);
35 c
= reallocarray(*l
, *n
+ 1, sizeof(CustomMount
));
43 *ret
= (CustomMount
) { .type
= t
};
48 void custom_mount_free_all(CustomMount
*l
, size_t n
) {
51 for (i
= 0; i
< n
; i
++) {
52 CustomMount
*m
= l
+ i
;
59 (void) rm_rf(m
->work_dir
, REMOVE_ROOT
|REMOVE_PHYSICAL
);
63 if (m
->rm_rf_tmpdir
) {
64 (void) rm_rf(m
->rm_rf_tmpdir
, REMOVE_ROOT
|REMOVE_PHYSICAL
);
65 free(m
->rm_rf_tmpdir
);
69 free(m
->type_argument
);
75 static int custom_mount_compare(const CustomMount
*a
, const CustomMount
*b
) {
78 r
= path_compare(a
->destination
, b
->destination
);
82 return CMP(a
->type
, b
->type
);
85 static bool source_path_is_valid(const char *p
) {
91 return path_is_absolute(p
);
94 static char *resolve_source_path(const char *dest
, const char *source
) {
100 return path_join(dest
, source
+ 1);
102 return strdup(source
);
105 int custom_mount_prepare_all(const char *dest
, CustomMount
*l
, size_t n
) {
109 /* Prepare all custom mounts. This will make source we know all temporary directories. This is called in the
110 * parent process, so that we know the temporary directories to remove on exit before we fork off the
115 /* Order the custom mounts, and make sure we have a working directory */
116 typesafe_qsort(l
, n
, custom_mount_compare
);
118 for (i
= 0; i
< n
; i
++) {
119 CustomMount
*m
= l
+ i
;
121 /* /proc we mount in the inner child, i.e. when we acquired CLONE_NEWPID. All other mounts we mount
122 * already in the outer child, so that the mounts are already established before CLONE_NEWPID and in
123 * particular CLONE_NEWUSER. This also means any custom mounts below /proc also need to be mounted in
124 * the inner child, not the outer one. Determine this here. */
125 m
->in_userns
= path_startswith(m
->destination
, "/proc");
127 if (m
->type
== CUSTOM_MOUNT_BIND
) {
131 s
= resolve_source_path(dest
, m
->source
);
135 free_and_replace(m
->source
, s
);
137 /* No source specified? In that case, use a throw-away temporary directory in /var/tmp */
139 m
->rm_rf_tmpdir
= strdup("/var/tmp/nspawn-temp-XXXXXX");
140 if (!m
->rm_rf_tmpdir
)
143 if (!mkdtemp(m
->rm_rf_tmpdir
)) {
144 m
->rm_rf_tmpdir
= mfree(m
->rm_rf_tmpdir
);
145 return log_error_errno(errno
, "Failed to acquire temporary directory: %m");
148 m
->source
= path_join(m
->rm_rf_tmpdir
, "src");
152 if (mkdir(m
->source
, 0755) < 0)
153 return log_error_errno(errno
, "Failed to create %s: %m", m
->source
);
157 if (m
->type
== CUSTOM_MOUNT_OVERLAY
) {
160 STRV_FOREACH(j
, m
->lower
) {
163 s
= resolve_source_path(dest
, *j
);
167 free_and_replace(*j
, s
);
173 s
= resolve_source_path(dest
, m
->work_dir
);
177 free_and_replace(m
->work_dir
, s
);
181 r
= tempfn_random(m
->source
, NULL
, &m
->work_dir
);
183 return log_error_errno(r
, "Failed to acquire working directory: %m");
186 (void) mkdir_label(m
->work_dir
, 0700);
193 int bind_mount_parse(CustomMount
**l
, size_t *n
, const char *s
, bool read_only
) {
194 _cleanup_free_
char *source
= NULL
, *destination
= NULL
, *opts
= NULL
;
202 r
= extract_many_words(&p
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
, &source
, &destination
, NULL
);
208 destination
= strdup(source
[0] == '+' ? source
+1 : source
);
212 if (r
== 2 && !isempty(p
)) {
219 source
= mfree(source
);
220 else if (!source_path_is_valid(source
))
223 if (!path_is_absolute(destination
))
226 m
= custom_mount_add(l
, n
, CUSTOM_MOUNT_BIND
);
230 m
->source
= TAKE_PTR(source
);
231 m
->destination
= TAKE_PTR(destination
);
232 m
->read_only
= read_only
;
233 m
->options
= TAKE_PTR(opts
);
238 int tmpfs_mount_parse(CustomMount
**l
, size_t *n
, const char *s
) {
239 _cleanup_free_
char *path
= NULL
, *opts
= NULL
;
248 r
= extract_first_word(&p
, &path
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
255 opts
= strdup("mode=0755");
261 if (!path_is_absolute(path
))
264 m
= custom_mount_add(l
, n
, CUSTOM_MOUNT_TMPFS
);
268 m
->destination
= TAKE_PTR(path
);
269 m
->options
= TAKE_PTR(opts
);
274 int overlay_mount_parse(CustomMount
**l
, size_t *n
, const char *s
, bool read_only
) {
275 _cleanup_free_
char *upper
= NULL
, *destination
= NULL
;
276 _cleanup_strv_free_
char **lower
= NULL
;
280 k
= strv_split_extract(&lower
, s
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
284 return -EADDRNOTAVAIL
;
286 /* If two parameters are specified, the first one is the lower, the second one the upper directory. And
287 * we'll also define the destination mount point the same as the upper. */
289 if (!source_path_is_valid(lower
[0]) ||
290 !source_path_is_valid(lower
[1]))
293 upper
= TAKE_PTR(lower
[1]);
295 destination
= strdup(upper
[0] == '+' ? upper
+1 : upper
); /* take the destination without "+" prefix */
301 /* If more than two parameters are specified, the last one is the destination, the second to last one
302 * the "upper", and all before that the "lower" directories. */
304 destination
= lower
[k
- 1];
305 upper
= TAKE_PTR(lower
[k
- 2]);
307 STRV_FOREACH(i
, lower
)
308 if (!source_path_is_valid(*i
))
311 /* If the upper directory is unspecified, then let's create it automatically as a throw-away directory
314 upper
= mfree(upper
);
315 else if (!source_path_is_valid(upper
))
318 if (!path_is_absolute(destination
))
322 m
= custom_mount_add(l
, n
, CUSTOM_MOUNT_OVERLAY
);
326 m
->destination
= TAKE_PTR(destination
);
327 m
->source
= TAKE_PTR(upper
);
328 m
->lower
= TAKE_PTR(lower
);
329 m
->read_only
= read_only
;
334 int inaccessible_mount_parse(CustomMount
**l
, size_t *n
, const char *s
) {
335 _cleanup_free_
char *path
= NULL
;
342 if (!path_is_absolute(s
))
349 m
= custom_mount_add(l
, n
, CUSTOM_MOUNT_INACCESSIBLE
);
353 m
->destination
= TAKE_PTR(path
);
357 int tmpfs_patch_options(
360 const char *selinux_apifs_context
,
365 if (uid_shift
!= UID_INVALID
) {
366 if (asprintf(&buf
, "%s%suid=" UID_FMT
",gid=" UID_FMT
,
367 strempty(options
), options
? "," : "",
368 uid_shift
, uid_shift
) < 0)
375 if (selinux_apifs_context
) {
378 t
= strjoin(strempty(options
), options
? "," : "",
379 "context=\"", selinux_apifs_context
, "\"");
388 if (!buf
&& options
) {
389 buf
= strdup(options
);
398 int mount_sysfs(const char *dest
, MountSettingsMask mount_settings
) {
399 const char *full
, *top
, *x
;
401 unsigned long extra_flags
= 0;
403 top
= prefix_roota(dest
, "/sys");
404 r
= path_is_fs_type(top
, SYSFS_MAGIC
);
406 return log_error_errno(r
, "Failed to determine filesystem type of %s: %m", top
);
407 /* /sys might already be mounted as sysfs by the outer child in the
408 * !netns case. In this case, it's all good. Don't touch it because we
409 * don't have the right to do so, see https://github.com/systemd/systemd/issues/1555.
414 full
= prefix_roota(top
, "/full");
416 (void) mkdir(full
, 0755);
418 if (mount_settings
& MOUNT_APPLY_APIVFS_RO
)
419 extra_flags
|= MS_RDONLY
;
421 r
= mount_verbose(LOG_ERR
, "sysfs", full
, "sysfs",
422 MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|extra_flags
, NULL
);
426 FOREACH_STRING(x
, "block", "bus", "class", "dev", "devices", "kernel") {
427 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
429 from
= path_join(full
, x
);
433 to
= path_join(top
, x
);
437 (void) mkdir(to
, 0755);
439 r
= mount_verbose(LOG_ERR
, from
, to
, NULL
, MS_BIND
, NULL
);
443 r
= mount_verbose(LOG_ERR
, NULL
, to
, NULL
,
444 MS_BIND
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
|extra_flags
, NULL
);
449 r
= umount_verbose(full
);
454 return log_error_errno(errno
, "Failed to remove %s: %m", full
);
456 /* Create mountpoint for cgroups. Otherwise we are not allowed since we
457 * remount /sys read-only.
459 x
= prefix_roota(top
, "/fs/cgroup");
460 (void) mkdir_p(x
, 0755);
462 return mount_verbose(LOG_ERR
, NULL
, top
, NULL
,
463 MS_BIND
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
|extra_flags
, NULL
);
466 static int mkdir_userns(const char *path
, mode_t mode
, uid_t uid_shift
) {
471 r
= mkdir_errno_wrapper(path
, mode
);
472 if (r
< 0 && r
!= -EEXIST
)
475 if (uid_shift
== UID_INVALID
)
478 if (lchown(path
, uid_shift
, uid_shift
) < 0)
484 static int mkdir_userns_p(const char *prefix
, const char *path
, mode_t mode
, uid_t uid_shift
) {
490 if (prefix
&& !path_startswith(path
, prefix
))
493 /* create every parent directory in the path, except the last component */
494 p
= path
+ strspn(path
, "/");
496 char t
[strlen(path
) + 1];
498 e
= p
+ strcspn(p
, "/");
499 p
= e
+ strspn(e
, "/");
501 /* Is this the last component? If so, then we're done */
505 memcpy(t
, path
, e
- path
);
508 if (prefix
&& path_startswith(prefix
, t
))
511 r
= mkdir_userns(t
, mode
, uid_shift
);
516 return mkdir_userns(path
, mode
, uid_shift
);
519 int mount_all(const char *dest
,
520 MountSettingsMask mount_settings
,
522 const char *selinux_apifs_context
) {
524 #define PROC_INACCESSIBLE_REG(path) \
525 { "/run/systemd/inaccessible/reg", (path), NULL, NULL, MS_BIND, \
526 MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO }, /* Bind mount first ... */ \
527 { NULL, (path), NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, \
528 MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO } /* Then, make it r/o */
530 #define PROC_READ_ONLY(path) \
531 { (path), (path), NULL, NULL, MS_BIND, \
532 MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO }, /* Bind mount first ... */ \
533 { NULL, (path), NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, \
534 MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO } /* Then, make it r/o */
536 typedef struct MountPoint
{
542 MountSettingsMask mount_settings
;
545 static const MountPoint mount_table
[] = {
546 /* First we list inner child mounts (i.e. mounts applied *after* entering user namespacing) */
547 { "proc", "/proc", "proc", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
548 MOUNT_FATAL
|MOUNT_IN_USERNS
},
550 { "/proc/sys", "/proc/sys", NULL
, NULL
, MS_BIND
,
551 MOUNT_FATAL
|MOUNT_IN_USERNS
|MOUNT_APPLY_APIVFS_RO
}, /* Bind mount first ... */
553 { "/proc/sys/net", "/proc/sys/net", NULL
, NULL
, MS_BIND
,
554 MOUNT_FATAL
|MOUNT_IN_USERNS
|MOUNT_APPLY_APIVFS_RO
|MOUNT_APPLY_APIVFS_NETNS
}, /* (except for this) */
556 { NULL
, "/proc/sys", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
,
557 MOUNT_FATAL
|MOUNT_IN_USERNS
|MOUNT_APPLY_APIVFS_RO
}, /* ... then, make it r/o */
559 /* Make these files inaccessible to container payloads: they potentially leak information about kernel
560 * internals or the host's execution environment to the container */
561 PROC_INACCESSIBLE_REG("/proc/kallsyms"),
562 PROC_INACCESSIBLE_REG("/proc/kcore"),
563 PROC_INACCESSIBLE_REG("/proc/keys"),
564 PROC_INACCESSIBLE_REG("/proc/sysrq-trigger"),
565 PROC_INACCESSIBLE_REG("/proc/timer_list"),
567 /* Make these directories read-only to container payloads: they show hardware information, and in some
568 * cases contain tunables the container really shouldn't have access to. */
569 PROC_READ_ONLY("/proc/acpi"),
570 PROC_READ_ONLY("/proc/apm"),
571 PROC_READ_ONLY("/proc/asound"),
572 PROC_READ_ONLY("/proc/bus"),
573 PROC_READ_ONLY("/proc/fs"),
574 PROC_READ_ONLY("/proc/irq"),
575 PROC_READ_ONLY("/proc/scsi"),
577 { "mqueue", "/dev/mqueue", "mqueue", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
580 /* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
581 { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
582 MOUNT_FATAL
|MOUNT_APPLY_TMPFS_TMP
},
583 { "tmpfs", "/sys", "tmpfs", "mode=555", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
584 MOUNT_FATAL
|MOUNT_APPLY_APIVFS_NETNS
},
585 { "sysfs", "/sys", "sysfs", NULL
, MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
586 MOUNT_FATAL
|MOUNT_APPLY_APIVFS_RO
}, /* skipped if above was mounted */
587 { "sysfs", "/sys", "sysfs", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
,
588 MOUNT_FATAL
}, /* skipped if above was mounted */
589 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID
|MS_STRICTATIME
,
591 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
593 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
,
597 { "/sys/fs/selinux", "/sys/fs/selinux", NULL
, NULL
, MS_BIND
,
598 0 }, /* Bind mount first */
599 { NULL
, "/sys/fs/selinux", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
,
600 0 }, /* Then, make it r/o */
604 bool use_userns
= (mount_settings
& MOUNT_USE_USERNS
);
605 bool netns
= (mount_settings
& MOUNT_APPLY_APIVFS_NETNS
);
606 bool ro
= (mount_settings
& MOUNT_APPLY_APIVFS_RO
);
607 bool in_userns
= (mount_settings
& MOUNT_IN_USERNS
);
608 bool tmpfs_tmp
= (mount_settings
& MOUNT_APPLY_TMPFS_TMP
);
612 for (k
= 0; k
< ELEMENTSOF(mount_table
); k
++) {
613 _cleanup_free_
char *where
= NULL
, *options
= NULL
;
615 bool fatal
= (mount_table
[k
].mount_settings
& MOUNT_FATAL
);
617 if (in_userns
!= (bool)(mount_table
[k
].mount_settings
& MOUNT_IN_USERNS
))
620 if (!netns
&& (bool)(mount_table
[k
].mount_settings
& MOUNT_APPLY_APIVFS_NETNS
))
623 if (!ro
&& (bool)(mount_table
[k
].mount_settings
& MOUNT_APPLY_APIVFS_RO
))
626 if (!tmpfs_tmp
&& (bool)(mount_table
[k
].mount_settings
& MOUNT_APPLY_TMPFS_TMP
))
629 r
= chase_symlinks(mount_table
[k
].where
, dest
, CHASE_NONEXISTENT
|CHASE_PREFIX_ROOT
, &where
, NULL
);
631 return log_error_errno(r
, "Failed to resolve %s/%s: %m", dest
, mount_table
[k
].where
);
633 /* Skip this entry if it is not a remount. */
634 if (mount_table
[k
].what
) {
635 r
= path_is_mount_point(where
, NULL
, 0);
636 if (r
< 0 && r
!= -ENOENT
)
637 return log_error_errno(r
, "Failed to detect whether %s is a mount point: %m", where
);
642 r
= mkdir_userns_p(dest
, where
, 0755, (use_userns
&& !in_userns
) ? uid_shift
: UID_INVALID
);
643 if (r
< 0 && r
!= -EEXIST
) {
644 if (fatal
&& r
!= -EROFS
)
645 return log_error_errno(r
, "Failed to create directory %s: %m", where
);
647 log_debug_errno(r
, "Failed to create directory %s: %m", where
);
648 /* If we failed mkdir() or chown() due to the root
649 * directory being read only, attempt to mount this fs
650 * anyway and let mount_verbose log any errors */
655 o
= mount_table
[k
].options
;
656 if (streq_ptr(mount_table
[k
].type
, "tmpfs")) {
657 r
= tmpfs_patch_options(o
, in_userns
? 0 : uid_shift
, selinux_apifs_context
, &options
);
664 r
= mount_verbose(fatal
? LOG_ERR
: LOG_DEBUG
,
668 mount_table
[k
].flags
,
677 static int parse_mount_bind_options(const char *options
, unsigned long *mount_flags
, char **mount_opts
) {
678 const char *p
= options
;
679 unsigned long flags
= *mount_flags
;
686 _cleanup_free_
char *word
= NULL
;
688 r
= extract_first_word(&p
, &word
, ",", 0);
690 return log_error_errno(r
, "Failed to extract mount option: %m");
694 if (streq(word
, "rbind"))
696 else if (streq(word
, "norbind"))
699 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
700 "Invalid bind mount option: %s",
705 *mount_flags
= flags
;
706 /* in the future mount_opts will hold string options for mount(2) */
712 static int mount_bind(const char *dest
, CustomMount
*m
) {
713 _cleanup_free_
char *mount_opts
= NULL
, *where
= NULL
;
714 unsigned long mount_flags
= MS_BIND
| MS_REC
;
715 struct stat source_st
, dest_st
;
722 r
= parse_mount_bind_options(m
->options
, &mount_flags
, &mount_opts
);
727 if (stat(m
->source
, &source_st
) < 0)
728 return log_error_errno(errno
, "Failed to stat %s: %m", m
->source
);
730 r
= chase_symlinks(m
->destination
, dest
, CHASE_PREFIX_ROOT
|CHASE_NONEXISTENT
, &where
, NULL
);
732 return log_error_errno(r
, "Failed to resolve %s/%s: %m", dest
, m
->destination
);
733 if (r
> 0) { /* Path exists already? */
735 if (stat(where
, &dest_st
) < 0)
736 return log_error_errno(errno
, "Failed to stat %s: %m", where
);
738 if (S_ISDIR(source_st
.st_mode
) && !S_ISDIR(dest_st
.st_mode
))
739 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
740 "Cannot bind mount directory %s on file %s.",
743 if (!S_ISDIR(source_st
.st_mode
) && S_ISDIR(dest_st
.st_mode
))
744 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
745 "Cannot bind mount file %s on directory %s.",
748 } else { /* Path doesn't exist yet? */
749 r
= mkdir_parents_label(where
, 0755);
751 return log_error_errno(r
, "Failed to make parents of %s: %m", where
);
753 /* Create the mount point. Any non-directory file can be
754 * mounted on any non-directory file (regular, fifo, socket,
757 if (S_ISDIR(source_st
.st_mode
))
758 r
= mkdir_label(where
, 0755);
762 return log_error_errno(r
, "Failed to create mount point %s: %m", where
);
765 r
= mount_verbose(LOG_ERR
, m
->source
, where
, NULL
, mount_flags
, mount_opts
);
770 r
= bind_remount_recursive(where
, MS_RDONLY
, MS_RDONLY
, NULL
);
772 return log_error_errno(r
, "Read-only bind mount failed: %m");
778 static int mount_tmpfs(const char *dest
, CustomMount
*m
, uid_t uid_shift
, const char *selinux_apifs_context
) {
781 _cleanup_free_
char *buf
= NULL
, *where
= NULL
;
787 r
= chase_symlinks(m
->destination
, dest
, CHASE_PREFIX_ROOT
|CHASE_NONEXISTENT
, &where
, NULL
);
789 return log_error_errno(r
, "Failed to resolve %s/%s: %m", dest
, m
->destination
);
790 if (r
== 0) { /* Doesn't exist yet? */
791 r
= mkdir_p_label(where
, 0755);
793 return log_error_errno(r
, "Creating mount point for tmpfs %s failed: %m", where
);
796 r
= tmpfs_patch_options(m
->options
, uid_shift
== 0 ? UID_INVALID
: uid_shift
, selinux_apifs_context
, &buf
);
799 options
= r
> 0 ? buf
: m
->options
;
801 return mount_verbose(LOG_ERR
, "tmpfs", where
, "tmpfs", MS_NODEV
|MS_STRICTATIME
, options
);
804 static char *joined_and_escaped_lower_dirs(char **lower
) {
805 _cleanup_strv_free_
char **sv
= NULL
;
807 sv
= strv_copy(lower
);
813 if (!strv_shell_escape(sv
, ",:"))
816 return strv_join(sv
, ":");
819 static int mount_overlay(const char *dest
, CustomMount
*m
) {
820 _cleanup_free_
char *lower
= NULL
, *where
= NULL
, *escaped_source
= NULL
;
827 r
= chase_symlinks(m
->destination
, dest
, CHASE_PREFIX_ROOT
|CHASE_NONEXISTENT
, &where
, NULL
);
829 return log_error_errno(r
, "Failed to resolve %s/%s: %m", dest
, m
->destination
);
830 if (r
== 0) { /* Doesn't exist yet? */
831 r
= mkdir_label(where
, 0755);
833 return log_error_errno(r
, "Creating mount point for overlay %s failed: %m", where
);
836 (void) mkdir_p_label(m
->source
, 0755);
838 lower
= joined_and_escaped_lower_dirs(m
->lower
);
842 escaped_source
= shell_escape(m
->source
, ",:");
847 options
= strjoina("lowerdir=", escaped_source
, ":", lower
);
849 _cleanup_free_
char *escaped_work_dir
= NULL
;
851 escaped_work_dir
= shell_escape(m
->work_dir
, ",:");
852 if (!escaped_work_dir
)
855 options
= strjoina("lowerdir=", lower
, ",upperdir=", escaped_source
, ",workdir=", escaped_work_dir
);
858 return mount_verbose(LOG_ERR
, "overlay", where
, "overlay", m
->read_only
? MS_RDONLY
: 0, options
);
861 static int mount_inaccessible(const char *dest
, CustomMount
*m
) {
862 _cleanup_free_
char *where
= NULL
;
870 r
= chase_symlinks_and_stat(m
->destination
, dest
, CHASE_PREFIX_ROOT
, &where
, &st
, NULL
);
872 log_full_errno(m
->graceful
? LOG_DEBUG
: LOG_ERR
, r
, "Failed to resolve %s/%s: %m", dest
, m
->destination
);
873 return m
->graceful
? 0 : r
;
876 assert_se(source
= mode_to_inaccessible_node(st
.st_mode
));
878 r
= mount_verbose(m
->graceful
? LOG_DEBUG
: LOG_ERR
, source
, where
, NULL
, MS_BIND
, NULL
);
880 return m
->graceful
? 0 : r
;
882 r
= mount_verbose(m
->graceful
? LOG_DEBUG
: LOG_ERR
, NULL
, where
, NULL
, MS_BIND
|MS_RDONLY
|MS_REMOUNT
, NULL
);
884 umount_verbose(where
);
885 return m
->graceful
? 0 : r
;
891 static int mount_arbitrary(const char *dest
, CustomMount
*m
) {
892 _cleanup_free_
char *where
= NULL
;
898 r
= chase_symlinks(m
->destination
, dest
, CHASE_PREFIX_ROOT
|CHASE_NONEXISTENT
, &where
, NULL
);
900 return log_error_errno(r
, "Failed to resolve %s/%s: %m", dest
, m
->destination
);
901 if (r
== 0) { /* Doesn't exist yet? */
902 r
= mkdir_p_label(where
, 0755);
904 return log_error_errno(r
, "Creating mount point for mount %s failed: %m", where
);
907 return mount_verbose(LOG_ERR
, m
->source
, where
, m
->type_argument
, 0, m
->options
);
912 CustomMount
*mounts
, size_t n
,
914 const char *selinux_apifs_context
,
915 MountSettingsMask mount_settings
) {
922 for (i
= 0; i
< n
; i
++) {
923 CustomMount
*m
= mounts
+ i
;
925 if ((mount_settings
& MOUNT_IN_USERNS
) != m
->in_userns
)
928 if (mount_settings
& MOUNT_ROOT_ONLY
&& !path_equal(m
->destination
, "/"))
931 if (mount_settings
& MOUNT_NON_ROOT_ONLY
&& path_equal(m
->destination
, "/"))
936 case CUSTOM_MOUNT_BIND
:
937 r
= mount_bind(dest
, m
);
940 case CUSTOM_MOUNT_TMPFS
:
941 r
= mount_tmpfs(dest
, m
, uid_shift
, selinux_apifs_context
);
944 case CUSTOM_MOUNT_OVERLAY
:
945 r
= mount_overlay(dest
, m
);
948 case CUSTOM_MOUNT_INACCESSIBLE
:
949 r
= mount_inaccessible(dest
, m
);
952 case CUSTOM_MOUNT_ARBITRARY
:
953 r
= mount_arbitrary(dest
, m
);
957 assert_not_reached("Unknown custom mount type");
967 static int setup_volatile_state(const char *directory
, uid_t uid_shift
, const char *selinux_apifs_context
) {
969 _cleanup_free_
char *buf
= NULL
;
970 const char *p
, *options
;
975 /* --volatile=state means we simply overmount /var with a tmpfs, and the rest read-only. */
977 r
= bind_remount_recursive(directory
, MS_RDONLY
, MS_RDONLY
, NULL
);
979 return log_error_errno(r
, "Failed to remount %s read-only: %m", directory
);
981 p
= prefix_roota(directory
, "/var");
983 if (r
< 0 && errno
!= EEXIST
)
984 return log_error_errno(errno
, "Failed to create %s: %m", directory
);
986 options
= "mode=755";
987 r
= tmpfs_patch_options(options
, uid_shift
== 0 ? UID_INVALID
: uid_shift
, selinux_apifs_context
, &buf
);
993 return mount_verbose(LOG_ERR
, "tmpfs", p
, "tmpfs", MS_STRICTATIME
, options
);
996 static int setup_volatile_yes(const char *directory
, uid_t uid_shift
, const char *selinux_apifs_context
) {
998 bool tmpfs_mounted
= false, bind_mounted
= false;
999 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1000 _cleanup_free_
char *buf
= NULL
, *bindir
= NULL
;
1001 const char *f
, *t
, *options
;
1007 /* --volatile=yes means we mount a tmpfs to the root dir, and the original /usr to use inside it, and
1008 * that read-only. Before we start setting this up let's validate if the image has the /usr merge
1009 * implemented, and let's output a friendly log message if it hasn't. */
1011 bindir
= path_join(directory
, "/bin");
1014 if (lstat(bindir
, &st
) < 0) {
1015 if (errno
!= ENOENT
)
1016 return log_error_errno(errno
, "Failed to stat /bin directory below image: %m");
1018 /* ENOENT is fine, just means the image is probably just a naked /usr and we can create the
1020 } else if (S_ISDIR(st
.st_mode
))
1021 return log_error_errno(SYNTHETIC_ERRNO(EISDIR
),
1022 "Sorry, --volatile=yes mode is not supported with OS images that have not merged /bin/, /sbin/, /lib/, /lib64/ into /usr/. "
1023 "Please work with your distribution and help them adopt the merged /usr scheme.");
1024 else if (!S_ISLNK(st
.st_mode
))
1025 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1026 "Error starting image: if --volatile=yes is used /bin must be a symlink (for merged /usr support) or non-existent (in which case a symlink is created automatically).");
1028 if (!mkdtemp(template))
1029 return log_error_errno(errno
, "Failed to create temporary directory: %m");
1031 options
= "mode=755";
1032 r
= tmpfs_patch_options(options
, uid_shift
== 0 ? UID_INVALID
: uid_shift
, selinux_apifs_context
, &buf
);
1038 r
= mount_verbose(LOG_ERR
, "tmpfs", template, "tmpfs", MS_STRICTATIME
, options
);
1042 tmpfs_mounted
= true;
1044 f
= prefix_roota(directory
, "/usr");
1045 t
= prefix_roota(template, "/usr");
1048 if (r
< 0 && errno
!= EEXIST
) {
1049 r
= log_error_errno(errno
, "Failed to create %s: %m", t
);
1053 r
= mount_verbose(LOG_ERR
, f
, t
, NULL
, MS_BIND
|MS_REC
, NULL
);
1057 bind_mounted
= true;
1059 r
= bind_remount_recursive(t
, MS_RDONLY
, MS_RDONLY
, NULL
);
1061 log_error_errno(r
, "Failed to remount %s read-only: %m", t
);
1065 r
= mount_verbose(LOG_ERR
, template, directory
, NULL
, MS_MOVE
, NULL
);
1069 (void) rmdir(template);
1075 (void) umount_verbose(t
);
1078 (void) umount_verbose(template);
1079 (void) rmdir(template);
1083 static int setup_volatile_overlay(const char *directory
, uid_t uid_shift
, const char *selinux_apifs_context
) {
1085 _cleanup_free_
char *buf
= NULL
, *escaped_directory
= NULL
, *escaped_upper
= NULL
, *escaped_work
= NULL
;
1086 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1087 const char *upper
, *work
, *options
;
1088 bool tmpfs_mounted
= false;
1093 /* --volatile=overlay means we mount an overlayfs to the root dir. */
1095 if (!mkdtemp(template))
1096 return log_error_errno(errno
, "Failed to create temporary directory: %m");
1098 options
= "mode=755";
1099 r
= tmpfs_patch_options(options
, uid_shift
== 0 ? UID_INVALID
: uid_shift
, selinux_apifs_context
, &buf
);
1105 r
= mount_verbose(LOG_ERR
, "tmpfs", template, "tmpfs", MS_STRICTATIME
, options
);
1109 tmpfs_mounted
= true;
1111 upper
= strjoina(template, "/upper");
1112 work
= strjoina(template, "/work");
1114 if (mkdir(upper
, 0755) < 0) {
1115 r
= log_error_errno(errno
, "Failed to create %s: %m", upper
);
1118 if (mkdir(work
, 0755) < 0) {
1119 r
= log_error_errno(errno
, "Failed to create %s: %m", work
);
1123 /* And now, let's overmount the root dir with an overlayfs that uses the root dir as lower dir. It's kinda nice
1124 * that the kernel allows us to do that without going through some mount point rearrangements. */
1126 escaped_directory
= shell_escape(directory
, ",:");
1127 escaped_upper
= shell_escape(upper
, ",:");
1128 escaped_work
= shell_escape(work
, ",:");
1129 if (!escaped_directory
|| !escaped_upper
|| !escaped_work
) {
1134 options
= strjoina("lowerdir=", escaped_directory
, ",upperdir=", escaped_upper
, ",workdir=", escaped_work
);
1135 r
= mount_verbose(LOG_ERR
, "overlay", directory
, "overlay", 0, options
);
1139 (void) umount_verbose(template);
1141 (void) rmdir(template);
1145 int setup_volatile_mode(
1146 const char *directory
,
1149 const char *selinux_apifs_context
) {
1154 return setup_volatile_yes(directory
, uid_shift
, selinux_apifs_context
);
1156 case VOLATILE_STATE
:
1157 return setup_volatile_state(directory
, uid_shift
, selinux_apifs_context
);
1159 case VOLATILE_OVERLAY
:
1160 return setup_volatile_overlay(directory
, uid_shift
, selinux_apifs_context
);
1167 /* Expects *pivot_root_new and *pivot_root_old to be initialised to allocated memory or NULL. */
1168 int pivot_root_parse(char **pivot_root_new
, char **pivot_root_old
, const char *s
) {
1169 _cleanup_free_
char *root_new
= NULL
, *root_old
= NULL
;
1173 assert(pivot_root_new
);
1174 assert(pivot_root_old
);
1176 r
= extract_first_word(&p
, &root_new
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
1185 root_old
= strdup(p
);
1190 if (!path_is_absolute(root_new
))
1192 if (root_old
&& !path_is_absolute(root_old
))
1195 free_and_replace(*pivot_root_new
, root_new
);
1196 free_and_replace(*pivot_root_old
, root_old
);
1201 int setup_pivot_root(const char *directory
, const char *pivot_root_new
, const char *pivot_root_old
) {
1202 _cleanup_free_
char *directory_pivot_root_new
= NULL
;
1203 _cleanup_free_
char *pivot_tmp_pivot_root_old
= NULL
;
1204 char pivot_tmp
[] = "/tmp/nspawn-pivot-XXXXXX";
1205 bool remove_pivot_tmp
= false;
1210 if (!pivot_root_new
)
1213 /* Pivot pivot_root_new to / and the existing / to pivot_root_old.
1214 * If pivot_root_old is NULL, the existing / disappears.
1215 * This requires a temporary directory, pivot_tmp, which is
1216 * not a child of either.
1218 * This is typically used for OSTree-style containers, where
1219 * the root partition contains several sysroots which could be
1220 * run. Normally, one would be chosen by the bootloader and
1221 * pivoted to / by initramfs.
1223 * For example, for an OSTree deployment, pivot_root_new
1224 * would be: /ostree/deploy/$os/deploy/$checksum. Note that this
1225 * code doesn’t do the /var mount which OSTree expects: use
1226 * --bind +/sysroot/ostree/deploy/$os/var:/var for that.
1228 * So in the OSTree case, we’ll end up with something like:
1229 * - directory = /tmp/nspawn-root-123456
1230 * - pivot_root_new = /ostree/deploy/os/deploy/123abc
1231 * - pivot_root_old = /sysroot
1232 * - directory_pivot_root_new =
1233 * /tmp/nspawn-root-123456/ostree/deploy/os/deploy/123abc
1234 * - pivot_tmp = /tmp/nspawn-pivot-123456
1235 * - pivot_tmp_pivot_root_old = /tmp/nspawn-pivot-123456/sysroot
1237 * Requires all file systems at directory and below to be mounted
1238 * MS_PRIVATE or MS_SLAVE so they can be moved.
1240 directory_pivot_root_new
= path_join(directory
, pivot_root_new
);
1241 if (!directory_pivot_root_new
)
1244 /* Remount directory_pivot_root_new to make it movable. */
1245 r
= mount_verbose(LOG_ERR
, directory_pivot_root_new
, directory_pivot_root_new
, NULL
, MS_BIND
, NULL
);
1249 if (pivot_root_old
) {
1250 if (!mkdtemp(pivot_tmp
)) {
1251 r
= log_error_errno(errno
, "Failed to create temporary directory: %m");
1255 remove_pivot_tmp
= true;
1256 pivot_tmp_pivot_root_old
= path_join(pivot_tmp
, pivot_root_old
);
1257 if (!pivot_tmp_pivot_root_old
) {
1262 r
= mount_verbose(LOG_ERR
, directory_pivot_root_new
, pivot_tmp
, NULL
, MS_MOVE
, NULL
);
1266 r
= mount_verbose(LOG_ERR
, directory
, pivot_tmp_pivot_root_old
, NULL
, MS_MOVE
, NULL
);
1270 r
= mount_verbose(LOG_ERR
, pivot_tmp
, directory
, NULL
, MS_MOVE
, NULL
);
1274 r
= mount_verbose(LOG_ERR
, directory_pivot_root_new
, directory
, NULL
, MS_MOVE
, NULL
);
1280 if (remove_pivot_tmp
)
1281 (void) rmdir(pivot_tmp
);