1 /***
2 This file is part of systemd.
3
4 Copyright 2016 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include <sched.h>
21
22 #include "alloc-util.h"
23 #include "extract-word.h"
24 #include "nsflags.h"
25 #include "seccomp-util.h"
26 #include "string-util.h"
27
/* Table of the CLONE_NEW* namespace bits this module knows about, paired with the short names used in unit files
 * (RestrictNamespaces=). Terminated by an all-zero entry; the lookup loops below stop at the first NULL name. */
const struct namespace_flag_map namespace_flag_map[] = {
        { .flag = CLONE_NEWCGROUP, .name = "cgroup" },
        { .flag = CLONE_NEWIPC,    .name = "ipc"    },
        { .flag = CLONE_NEWNET,    .name = "net"    },
        /* The mount namespace bit carries the historical name CLONE_NEWNS. It is exposed here as "mnt", the
         * name the kernel itself uses for it under /proc/$PID/ns. */
        { .flag = CLONE_NEWNS,     .name = "mnt"    },
        { .flag = CLONE_NEWPID,    .name = "pid"    },
        { .flag = CLONE_NEWUSER,   .name = "user"   },
        { .flag = CLONE_NEWUTS,    .name = "uts"    },
        {}
};
40
/* Maps a single namespace flag to its short name. Bits outside NAMESPACE_FLAGS_ALL are discarded before the
 * lookup, so unrelated clone(2) bits in 'flag' do not prevent a match. Returns NULL when the masked value is not
 * exactly one entry of namespace_flag_map (unknown flag, zero, or several flags ORed together). The returned
 * string points into the static table and must not be freed. */
const char* namespace_flag_to_string(unsigned long flag) {
        const struct namespace_flag_map *m;
        unsigned long wanted = flag & NAMESPACE_FLAGS_ALL;

        for (m = namespace_flag_map; m->name; m++)
                if (m->flag == wanted)
                        return m->name;

        return NULL; /* either unknown namespace flag, or a combination of many. This call supports neither. */
}
52
/* Reverse of namespace_flag_to_string(): looks up the CLONE_NEW* bit for a short name such as "mnt". Matching is
 * exact (streq). Returns 0 for NULL, the empty string, or a name that is not in namespace_flag_map; 0 is never a
 * valid flag, so callers use it as the "not found" marker. */
unsigned long namespace_flag_from_string(const char *name) {
        const struct namespace_flag_map *m;

        if (isempty(name))
                return 0;

        for (m = namespace_flag_map; m->name; m++)
                if (streq(m->name, name))
                        return m->flag;

        return 0;
}
65
/* Parses a whitespace-separated list of namespace names (e.g. "ipc mnt") into the OR of their CLONE_NEW* bits and
 * stores it in *ret. A NULL list yields 0. Fails closed: any word that is not a known namespace name makes the
 * whole call return -EINVAL, and tokenizer errors from extract_first_word() are passed through unchanged. On
 * success returns 0; *ret is left untouched on failure. */
int namespace_flag_from_string_many(const char *name, unsigned long *ret) {
        unsigned long accumulated = 0;

        assert_se(ret);

        /* No list at all means "no namespaces", not a syntax error. */
        if (!name) {
                *ret = 0;
                return 0;
        }

        for (;;) {
                _cleanup_free_ char *word = NULL;
                unsigned long f;
                int r;

                r = extract_first_word(&name, &word, NULL, 0);
                if (r <= 0) {
                        /* r == 0: list exhausted; r < 0: tokenizer error to be propagated. */
                        if (r == 0)
                                break;
                        return r;
                }

                f = namespace_flag_from_string(word);
                if (f == 0) /* 0 is never a valid single flag, hence "unknown name" */
                        return -EINVAL;

                accumulated |= f;
        }

        *ret = accumulated;
        return 0;
}
97
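/* Renders the namespace bits set in 'flags' as a space-separated list of short names, in table order, e.g.
 * "ipc mnt". Bits that have no entry in namespace_flag_map are silently ignored, so the output may describe fewer
 * bits than 'flags' carries. On success stores a freshly allocated string in *ret — the empty string if no known
 * bit is set, never NULL — and returns 0; the caller owns and frees it. Returns -ENOMEM on allocation failure,
 * in which case *ret is left untouched. */
int namespace_flag_to_string_many(unsigned long flags, char **ret) {
        _cleanup_free_ char *s = NULL;
        const struct namespace_flag_map *m;

        assert_se(ret); /* same contract as namespace_flag_from_string_many(): a NULL output pointer is a bug */

        for (m = namespace_flag_map; m->name; m++) {
                if ((flags & m->flag) != m->flag)
                        continue;

                if (s) {
                        if (!strextend(&s, " ", m->name, NULL))
                                return -ENOMEM;
                } else {
                        s = strdup(m->name);
                        if (!s)
                                return -ENOMEM;
                }
        }

        if (!s) {
                /* Nothing matched: still hand back an allocated string so callers never see NULL on success. */
                s = strdup("");
                if (!s)
                        return -ENOMEM;
        }

        *ret = s;
        s = NULL; /* ownership moved to the caller; keep _cleanup_free_ from releasing it */

        return 0;
}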