]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/nss-mymachines/nss-mymachines.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tree-wide: do not assign values if not used
[thirdparty/systemd.git] / src / nss-mymachines / nss-mymachines.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include <netdb.h>
4 #include <nss.h>
5
6 #include "sd-bus.h"
7 #include "sd-login.h"
8
9 #include "alloc-util.h"
10 #include "bus-common-errors.h"
11 #include "env-util.h"
12 #include "hostname-util.h"
13 #include "in-addr-util.h"
14 #include "macro.h"
15 #include "nss-util.h"
16 #include "signal-util.h"
17 #include "string-util.h"
18 #include "user-util.h"
19 #include "util.h"
20
21 NSS_GETHOSTBYNAME_PROTOTYPES(mymachines);
22 NSS_GETPW_PROTOTYPES(mymachines);
23 NSS_GETGR_PROTOTYPES(mymachines);
24
25 #define HOST_UID_LIMIT ((uid_t) UINT32_C(0x10000))
26 #define HOST_GID_LIMIT ((gid_t) UINT32_C(0x10000))
27
28 static int count_addresses(sd_bus_message *m, int af, unsigned *ret) {
29 unsigned c = 0;
30 int r;
31
32 assert(m);
33 assert(ret);
34
35 while ((r = sd_bus_message_enter_container(m, 'r', "iay")) > 0) {
36 int family;
37
38 r = sd_bus_message_read(m, "i", &family);
39 if (r < 0)
40 return r;
41
42 r = sd_bus_message_skip(m, "ay");
43 if (r < 0)
44 return r;
45
46 r = sd_bus_message_exit_container(m);
47 if (r < 0)
48 return r;
49
50 if (af != AF_UNSPEC && family != af)
51 continue;
52
53 c++;
54 }
55 if (r < 0)
56 return r;
57
58 r = sd_bus_message_rewind(m, false);
59 if (r < 0)
60 return r;
61
62 *ret = c;
63 return 0;
64 }
65
66 enum nss_status _nss_mymachines_gethostbyname4_r(
67 const char *name,
68 struct gaih_addrtuple **pat,
69 char *buffer, size_t buflen,
70 int *errnop, int *h_errnop,
71 int32_t *ttlp) {
72
73 struct gaih_addrtuple *r_tuple, *r_tuple_first = NULL;
74 _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
75 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
76 _cleanup_free_ int *ifindices = NULL;
77 _cleanup_free_ char *class = NULL;
78 size_t l, ms, idx;
79 unsigned i = 0, c = 0;
80 char *r_name;
81 int n_ifindices, r;
82
83 BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
84
85 assert(name);
86 assert(pat);
87 assert(buffer);
88 assert(errnop);
89 assert(h_errnop);
90
91 r = sd_machine_get_class(name, &class);
92 if (r < 0)
93 goto fail;
94 if (!streq(class, "container")) {
95 r = -ENOTTY;
96 goto fail;
97 }
98
99 n_ifindices = sd_machine_get_ifindices(name, &ifindices);
100 if (n_ifindices < 0) {
101 r = n_ifindices;
102 goto fail;
103 }
104
105 r = sd_bus_open_system(&bus);
106 if (r < 0)
107 goto fail;
108
109 r = sd_bus_call_method(bus,
110 "org.freedesktop.machine1",
111 "/org/freedesktop/machine1",
112 "org.freedesktop.machine1.Manager",
113 "GetMachineAddresses",
114 NULL,
115 &reply,
116 "s", name);
117 if (r < 0)
118 goto fail;
119
120 r = sd_bus_message_enter_container(reply, 'a', "(iay)");
121 if (r < 0)
122 goto fail;
123
124 r = count_addresses(reply, AF_UNSPEC, &c);
125 if (r < 0)
126 goto fail;
127
128 if (c <= 0) {
129 *errnop = ESRCH;
130 *h_errnop = HOST_NOT_FOUND;
131 return NSS_STATUS_NOTFOUND;
132 }
133
134 l = strlen(name);
135 ms = ALIGN(l+1) + ALIGN(sizeof(struct gaih_addrtuple)) * c;
136 if (buflen < ms) {
137 *errnop = ERANGE;
138 *h_errnop = NETDB_INTERNAL;
139 return NSS_STATUS_TRYAGAIN;
140 }
141
142 /* First, append name */
143 r_name = buffer;
144 memcpy(r_name, name, l+1);
145 idx = ALIGN(l+1);
146
147 /* Second, append addresses */
148 r_tuple_first = (struct gaih_addrtuple*) (buffer + idx);
149 while ((r = sd_bus_message_enter_container(reply, 'r', "iay")) > 0) {
150 int family;
151 const void *a;
152 size_t sz;
153
154 r = sd_bus_message_read(reply, "i", &family);
155 if (r < 0)
156 goto fail;
157
158 r = sd_bus_message_read_array(reply, 'y', &a, &sz);
159 if (r < 0)
160 goto fail;
161
162 r = sd_bus_message_exit_container(reply);
163 if (r < 0)
164 goto fail;
165
166 if (!IN_SET(family, AF_INET, AF_INET6)) {
167 r = -EAFNOSUPPORT;
168 goto fail;
169 }
170
171 if (sz != FAMILY_ADDRESS_SIZE(family)) {
172 r = -EINVAL;
173 goto fail;
174 }
175
176 r_tuple = (struct gaih_addrtuple*) (buffer + idx);
177 r_tuple->next = i == c-1 ? NULL : (struct gaih_addrtuple*) ((char*) r_tuple + ALIGN(sizeof(struct gaih_addrtuple)));
178 r_tuple->name = r_name;
179 r_tuple->family = family;
180 r_tuple->scopeid = n_ifindices == 1 ? ifindices[0] : 0;
181 memcpy(r_tuple->addr, a, sz);
182
183 idx += ALIGN(sizeof(struct gaih_addrtuple));
184 i++;
185 }
186
187 assert(i == c);
188
189 r = sd_bus_message_exit_container(reply);
190 if (r < 0)
191 goto fail;
192
193 assert(idx == ms);
194
195 if (*pat)
196 **pat = *r_tuple_first;
197 else
198 *pat = r_tuple_first;
199
200 if (ttlp)
201 *ttlp = 0;
202
203 /* Explicitly reset all error variables */
204 *errnop = 0;
205 *h_errnop = NETDB_SUCCESS;
206 h_errno = 0;
207
208 return NSS_STATUS_SUCCESS;
209
210 fail:
211 *errnop = -r;
212 *h_errnop = NO_DATA;
213 return NSS_STATUS_UNAVAIL;
214 }
215
216 enum nss_status _nss_mymachines_gethostbyname3_r(
217 const char *name,
218 int af,
219 struct hostent *result,
220 char *buffer, size_t buflen,
221 int *errnop, int *h_errnop,
222 int32_t *ttlp,
223 char **canonp) {
224
225 _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
226 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
227 _cleanup_free_ char *class = NULL;
228 unsigned c = 0, i = 0;
229 char *r_name, *r_aliases, *r_addr, *r_addr_list;
230 size_t l, idx, ms, alen;
231 int r;
232
233 BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
234
235 assert(name);
236 assert(result);
237 assert(buffer);
238 assert(errnop);
239 assert(h_errnop);
240
241 if (af == AF_UNSPEC)
242 af = AF_INET;
243
244 if (af != AF_INET && af != AF_INET6) {
245 r = -EAFNOSUPPORT;
246 goto fail;
247 }
248
249 r = sd_machine_get_class(name, &class);
250 if (r < 0)
251 goto fail;
252 if (!streq(class, "container")) {
253 r = -ENOTTY;
254 goto fail;
255 }
256
257 r = sd_bus_open_system(&bus);
258 if (r < 0)
259 goto fail;
260
261 r = sd_bus_call_method(bus,
262 "org.freedesktop.machine1",
263 "/org/freedesktop/machine1",
264 "org.freedesktop.machine1.Manager",
265 "GetMachineAddresses",
266 NULL,
267 &reply,
268 "s", name);
269 if (r < 0)
270 goto fail;
271
272 r = sd_bus_message_enter_container(reply, 'a', "(iay)");
273 if (r < 0)
274 goto fail;
275
276 r = count_addresses(reply, af, &c);
277 if (r < 0)
278 goto fail;
279
280 if (c <= 0) {
281 *errnop = ENOENT;
282 *h_errnop = HOST_NOT_FOUND;
283 return NSS_STATUS_NOTFOUND;
284 }
285
286 alen = FAMILY_ADDRESS_SIZE(af);
287 l = strlen(name);
288
289 ms = ALIGN(l+1) + c * ALIGN(alen) + (c+2) * sizeof(char*);
290
291 if (buflen < ms) {
292 *errnop = ERANGE;
293 *h_errnop = NETDB_INTERNAL;
294 return NSS_STATUS_TRYAGAIN;
295 }
296
297 /* First, append name */
298 r_name = buffer;
299 memcpy(r_name, name, l+1);
300 idx = ALIGN(l+1);
301
302 /* Second, create aliases array */
303 r_aliases = buffer + idx;
304 ((char**) r_aliases)[0] = NULL;
305 idx += sizeof(char*);
306
307 /* Third, append addresses */
308 r_addr = buffer + idx;
309 while ((r = sd_bus_message_enter_container(reply, 'r', "iay")) > 0) {
310 int family;
311 const void *a;
312 size_t sz;
313
314 r = sd_bus_message_read(reply, "i", &family);
315 if (r < 0)
316 goto fail;
317
318 r = sd_bus_message_read_array(reply, 'y', &a, &sz);
319 if (r < 0)
320 goto fail;
321
322 r = sd_bus_message_exit_container(reply);
323 if (r < 0)
324 goto fail;
325
326 if (family != af)
327 continue;
328
329 if (sz != alen) {
330 r = -EINVAL;
331 goto fail;
332 }
333
334 memcpy(r_addr + i*ALIGN(alen), a, alen);
335 i++;
336 }
337
338 assert(i == c);
339 idx += c * ALIGN(alen);
340
341 r = sd_bus_message_exit_container(reply);
342 if (r < 0)
343 goto fail;
344
345 /* Third, append address pointer array */
346 r_addr_list = buffer + idx;
347 for (i = 0; i < c; i++)
348 ((char**) r_addr_list)[i] = r_addr + i*ALIGN(alen);
349
350 ((char**) r_addr_list)[i] = NULL;
351 idx += (c+1) * sizeof(char*);
352
353 assert(idx == ms);
354
355 result->h_name = r_name;
356 result->h_aliases = (char**) r_aliases;
357 result->h_addrtype = af;
358 result->h_length = alen;
359 result->h_addr_list = (char**) r_addr_list;
360
361 if (ttlp)
362 *ttlp = 0;
363
364 if (canonp)
365 *canonp = r_name;
366
367 /* Explicitly reset all error variables */
368 *errnop = 0;
369 *h_errnop = NETDB_SUCCESS;
370 h_errno = 0;
371
372 return NSS_STATUS_SUCCESS;
373
374 fail:
375 *errnop = -r;
376 *h_errnop = NO_DATA;
377 return NSS_STATUS_UNAVAIL;
378 }
379
380 NSS_GETHOSTBYNAME_FALLBACKS(mymachines);
381
382 enum nss_status _nss_mymachines_getpwnam_r(
383 const char *name,
384 struct passwd *pwd,
385 char *buffer, size_t buflen,
386 int *errnop) {
387
388 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
389 _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
390 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
391 const char *p, *e, *machine;
392 uint32_t mapped;
393 uid_t uid;
394 size_t l;
395 int r;
396
397 BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
398
399 assert(name);
400 assert(pwd);
401
402 p = startswith(name, "vu-");
403 if (!p)
404 goto not_found;
405
406 e = strrchr(p, '-');
407 if (!e || e == p)
408 goto not_found;
409
410 if (e - p > HOST_NAME_MAX - 1) /* -1 for the last dash */
411 goto not_found;
412
413 r = parse_uid(e + 1, &uid);
414 if (r < 0)
415 goto not_found;
416
417 machine = strndupa(p, e - p);
418 if (!machine_name_is_valid(machine))
419 goto not_found;
420
421 if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
422 /* Make sure we can't deadlock if we are invoked by dbus-daemon. This way, it won't be able to resolve
423 * these UIDs, but that should be unproblematic as containers should never be able to connect to a bus
424 * running on the host. */
425 goto not_found;
426
427 r = sd_bus_open_system(&bus);
428 if (r < 0)
429 goto fail;
430
431 r = sd_bus_call_method(bus,
432 "org.freedesktop.machine1",
433 "/org/freedesktop/machine1",
434 "org.freedesktop.machine1.Manager",
435 "MapFromMachineUser",
436 &error,
437 &reply,
438 "su",
439 machine, (uint32_t) uid);
440 if (r < 0) {
441 if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_USER_MAPPING))
442 goto not_found;
443
444 goto fail;
445 }
446
447 r = sd_bus_message_read(reply, "u", &mapped);
448 if (r < 0)
449 goto fail;
450
451 /* Refuse to work if the mapped address is in the host UID range, or if there was no mapping at all. */
452 if (mapped < HOST_UID_LIMIT || mapped == uid)
453 goto not_found;
454
455 l = strlen(name);
456 if (buflen < l+1) {
457 *errnop = ERANGE;
458 return NSS_STATUS_TRYAGAIN;
459 }
460
461 memcpy(buffer, name, l+1);
462
463 pwd->pw_name = buffer;
464 pwd->pw_uid = mapped;
465 pwd->pw_gid = GID_NOBODY;
466 pwd->pw_gecos = buffer;
467 pwd->pw_passwd = (char*) "*"; /* locked */
468 pwd->pw_dir = (char*) "/";
469 pwd->pw_shell = (char*) "/sbin/nologin";
470
471 *errnop = 0;
472 return NSS_STATUS_SUCCESS;
473
474 not_found:
475 *errnop = 0;
476 return NSS_STATUS_NOTFOUND;
477
478 fail:
479 *errnop = -r;
480 return NSS_STATUS_UNAVAIL;
481 }
482
483 enum nss_status _nss_mymachines_getpwuid_r(
484 uid_t uid,
485 struct passwd *pwd,
486 char *buffer, size_t buflen,
487 int *errnop) {
488
489 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
490 _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
491 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
492 const char *machine;
493 uint32_t mapped;
494 int r;
495
496 BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
497
498 if (!uid_is_valid(uid))
499 goto not_found;
500
501 /* We consider all uids < 65536 host uids */
502 if (uid < HOST_UID_LIMIT)
503 goto not_found;
504
505 if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
506 goto not_found;
507
508 r = sd_bus_open_system(&bus);
509 if (r < 0)
510 goto fail;
511
512 r = sd_bus_call_method(bus,
513 "org.freedesktop.machine1",
514 "/org/freedesktop/machine1",
515 "org.freedesktop.machine1.Manager",
516 "MapToMachineUser",
517 &error,
518 &reply,
519 "u",
520 (uint32_t) uid);
521 if (r < 0) {
522 if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_USER_MAPPING))
523 goto not_found;
524
525 goto fail;
526 }
527
528 r = sd_bus_message_read(reply, "sou", &machine, NULL, &mapped);
529 if (r < 0)
530 goto fail;
531
532 if (mapped == uid)
533 goto not_found;
534
535 if (snprintf(buffer, buflen, "vu-%s-" UID_FMT, machine, (uid_t) mapped) >= (int) buflen) {
536 *errnop = ERANGE;
537 return NSS_STATUS_TRYAGAIN;
538 }
539
540 pwd->pw_name = buffer;
541 pwd->pw_uid = uid;
542 pwd->pw_gid = GID_NOBODY;
543 pwd->pw_gecos = buffer;
544 pwd->pw_passwd = (char*) "*"; /* locked */
545 pwd->pw_dir = (char*) "/";
546 pwd->pw_shell = (char*) "/sbin/nologin";
547
548 *errnop = 0;
549 return NSS_STATUS_SUCCESS;
550
551 not_found:
552 *errnop = 0;
553 return NSS_STATUS_NOTFOUND;
554
555 fail:
556 *errnop = -r;
557 return NSS_STATUS_UNAVAIL;
558 }
559
560 #pragma GCC diagnostic ignored "-Wsizeof-pointer-memaccess"
561
562 enum nss_status _nss_mymachines_getgrnam_r(
563 const char *name,
564 struct group *gr,
565 char *buffer, size_t buflen,
566 int *errnop) {
567
568 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
569 _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
570 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
571 const char *p, *e, *machine;
572 uint32_t mapped;
573 uid_t gid;
574 size_t l;
575 int r;
576
577 BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
578
579 assert(name);
580 assert(gr);
581
582 p = startswith(name, "vg-");
583 if (!p)
584 goto not_found;
585
586 e = strrchr(p, '-');
587 if (!e || e == p)
588 goto not_found;
589
590 if (e - p > HOST_NAME_MAX - 1) /* -1 for the last dash */
591 goto not_found;
592
593 r = parse_gid(e + 1, &gid);
594 if (r < 0)
595 goto not_found;
596
597 machine = strndupa(p, e - p);
598 if (!machine_name_is_valid(machine))
599 goto not_found;
600
601 if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
602 goto not_found;
603
604 r = sd_bus_open_system(&bus);
605 if (r < 0)
606 goto fail;
607
608 r = sd_bus_call_method(bus,
609 "org.freedesktop.machine1",
610 "/org/freedesktop/machine1",
611 "org.freedesktop.machine1.Manager",
612 "MapFromMachineGroup",
613 &error,
614 &reply,
615 "su",
616 machine, (uint32_t) gid);
617 if (r < 0) {
618 if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_GROUP_MAPPING))
619 goto not_found;
620
621 goto fail;
622 }
623
624 r = sd_bus_message_read(reply, "u", &mapped);
625 if (r < 0)
626 goto fail;
627
628 if (mapped < HOST_GID_LIMIT || mapped == gid)
629 goto not_found;
630
631 l = sizeof(char*) + strlen(name) + 1;
632 if (buflen < l) {
633 *errnop = ERANGE;
634 return NSS_STATUS_TRYAGAIN;
635 }
636
637 memzero(buffer, sizeof(char*));
638 strcpy(buffer + sizeof(char*), name);
639
640 gr->gr_name = buffer + sizeof(char*);
641 gr->gr_gid = mapped;
642 gr->gr_passwd = (char*) "*"; /* locked */
643 gr->gr_mem = (char**) buffer;
644
645 *errnop = 0;
646 return NSS_STATUS_SUCCESS;
647
648 not_found:
649 *errnop = 0;
650 return NSS_STATUS_NOTFOUND;
651
652 fail:
653 *errnop = -r;
654 return NSS_STATUS_UNAVAIL;
655 }
656
657 enum nss_status _nss_mymachines_getgrgid_r(
658 gid_t gid,
659 struct group *gr,
660 char *buffer, size_t buflen,
661 int *errnop) {
662
663 _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
664 _cleanup_(sd_bus_message_unrefp) sd_bus_message* reply = NULL;
665 _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
666 const char *machine;
667 uint32_t mapped;
668 int r;
669
670 BLOCK_SIGNALS(NSS_SIGNALS_BLOCK);
671
672 if (!gid_is_valid(gid))
673 goto not_found;
674
675 /* We consider all gids < 65536 host gids */
676 if (gid < HOST_GID_LIMIT)
677 goto not_found;
678
679 if (getenv_bool_secure("SYSTEMD_NSS_BYPASS_BUS") > 0)
680 goto not_found;
681
682 r = sd_bus_open_system(&bus);
683 if (r < 0)
684 goto fail;
685
686 r = sd_bus_call_method(bus,
687 "org.freedesktop.machine1",
688 "/org/freedesktop/machine1",
689 "org.freedesktop.machine1.Manager",
690 "MapToMachineGroup",
691 &error,
692 &reply,
693 "u",
694 (uint32_t) gid);
695 if (r < 0) {
696 if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_GROUP_MAPPING))
697 goto not_found;
698
699 goto fail;
700 }
701
702 r = sd_bus_message_read(reply, "sou", &machine, NULL, &mapped);
703 if (r < 0)
704 goto fail;
705
706 if (mapped == gid)
707 goto not_found;
708
709 if (buflen < sizeof(char*) + 1) {
710 *errnop = ERANGE;
711 return NSS_STATUS_TRYAGAIN;
712 }
713
714 memzero(buffer, sizeof(char*));
715 if (snprintf(buffer + sizeof(char*), buflen - sizeof(char*), "vg-%s-" GID_FMT, machine, (gid_t) mapped) >= (int) buflen) {
716 *errnop = ERANGE;
717 return NSS_STATUS_TRYAGAIN;
718 }
719
720 gr->gr_name = buffer + sizeof(char*);
721 gr->gr_gid = gid;
722 gr->gr_passwd = (char*) "*"; /* locked */
723 gr->gr_mem = (char**) buffer;
724
725 *errnop = 0;
726 return NSS_STATUS_SUCCESS;
727
728 not_found:
729 *errnop = 0;
730 return NSS_STATUS_NOTFOUND;
731
732 fail:
733 *errnop = -r;
734 return NSS_STATUS_UNAVAIL;
735 }
Unnamed repository; edit this file 'description' to name the repository.