]>
Commit | Line | Data |
---|---|---|
cc73685d | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
1d52bdf7 | 2 | |
d38dd64a CB |
3 | #ifndef _GNU_SOURCE |
4 | #define _GNU_SOURCE 1 | |
5 | #endif | |
9d257a2a | 6 | #include <arpa/inet.h> |
8f3e280e CB |
7 | #include <dirent.h> |
8 | #include <errno.h> | |
9 | #include <fcntl.h> | |
10 | #include <grp.h> | |
11 | #include <inttypes.h> | |
12 | #include <libgen.h> | |
9d257a2a CB |
13 | #include <linux/loop.h> |
14 | #include <net/if.h> | |
15 | #include <netinet/in.h> | |
8f3e280e CB |
16 | #include <pwd.h> |
17 | #include <stdarg.h> | |
0ad19a3f | 18 | #include <stdio.h> |
0ad19a3f | 19 | #include <stdlib.h> |
0ad19a3f | 20 | #include <string.h> |
8f3e280e CB |
21 | #include <sys/mman.h> |
22 | #include <sys/mount.h> | |
23 | #include <sys/param.h> | |
24 | #include <sys/prctl.h> | |
6a49f05e | 25 | #include <sys/sendfile.h> |
8f3e280e | 26 | #include <sys/socket.h> |
9d257a2a | 27 | #include <sys/stat.h> |
2d76d1d7 | 28 | #include <sys/syscall.h> |
9d257a2a | 29 | #include <sys/sysmacros.h> |
97e9cfa0 | 30 | #include <sys/types.h> |
8f3e280e CB |
31 | #include <sys/utsname.h> |
32 | #include <sys/wait.h> | |
9d257a2a CB |
33 | #include <time.h> |
34 | #include <unistd.h> | |
1d52bdf7 | 35 | |
d38dd64a CB |
36 | #include "af_unix.h" |
37 | #include "caps.h" | |
38 | #include "cgroup.h" | |
bf651989 | 39 | #include "cgroup2_devices.h" |
d38dd64a CB |
40 | #include "conf.h" |
41 | #include "config.h" | |
42 | #include "confile.h" | |
43 | #include "confile_utils.h" | |
44 | #include "error.h" | |
45 | #include "log.h" | |
46 | #include "lsm/lsm.h" | |
47 | #include "lxclock.h" | |
48 | #include "lxcseccomp.h" | |
49 | #include "macro.h" | |
2f443e88 | 50 | #include "memory_utils.h" |
7f88a1a2 | 51 | #include "mount_utils.h" |
d38dd64a CB |
52 | #include "namespace.h" |
53 | #include "network.h" | |
54 | #include "parse.h" | |
f40988c7 | 55 | #include "process_utils.h" |
d38dd64a CB |
56 | #include "ringbuf.h" |
57 | #include "start.h" | |
58 | #include "storage.h" | |
59 | #include "storage/overlay.h" | |
6b3d24d7 | 60 | #include "syscall_wrappers.h" |
d38dd64a CB |
61 | #include "terminal.h" |
62 | #include "utils.h" | |
20502652 | 63 | #include "uuid.h" |
d38dd64a | 64 | |
af6824fc | 65 | #ifdef MAJOR_IN_MKDEV |
9d257a2a | 66 | #include <sys/mkdev.h> |
af6824fc | 67 | #endif |
af6824fc | 68 | |
614305f3 | 69 | #ifdef HAVE_STATVFS |
2938f7c8 | 70 | #include <sys/statvfs.h> |
614305f3 | 71 | #endif |
e827ff7e | 72 | |
35eb5cdc | 73 | #if HAVE_OPENPTY |
b0a33c1e | 74 | #include <pty.h> |
e827ff7e SG |
75 | #else |
76 | #include <../include/openpty.h> | |
77 | #endif | |
0ad19a3f | 78 | |
9d257a2a CB |
79 | #if HAVE_LIBCAP |
80 | #include <sys/capability.h> | |
81 | #endif | |
82 | ||
83 | #if HAVE_SYS_PERSONALITY_H | |
84 | #include <sys/personality.h> | |
85 | #endif | |
86 | ||
f1e05b90 DJ |
87 | #ifndef HAVE_STRLCAT |
88 | #include "include/strlcat.h" | |
89 | #endif | |
90 | ||
9d257a2a CB |
91 | #if IS_BIONIC |
92 | #include <../include/lxcmntent.h> | |
93 | #else | |
94 | #include <mntent.h> | |
95 | #endif | |
96 | ||
97 | #if !defined(HAVE_PRLIMIT) && defined(HAVE_PRLIMIT64) | |
98 | #include <../include/prlimit.h> | |
99 | #endif | |
100 | ||
ac2cecc4 | 101 | lxc_log_define(conf, lxc); |
e5bda9ee | 102 | |
0fd73091 CB |
103 | /* The lxc_conf of the container currently being worked on in an API call. |
104 | * This is used in the error calls. | |
105 | */ | |
106 | #ifdef HAVE_TLS | |
d7f19646 | 107 | thread_local struct lxc_conf *current_config; |
0fd73091 CB |
108 | #else |
109 | struct lxc_conf *current_config; | |
110 | #endif | |
8912711c | 111 | |
0fd73091 CB |
112 | char *lxchook_names[NUM_LXC_HOOKS] = { |
113 | "pre-start", | |
114 | "pre-mount", | |
115 | "mount", | |
116 | "autodev", | |
117 | "start", | |
118 | "stop", | |
119 | "post-stop", | |
120 | "clone", | |
121 | "destroy", | |
122 | "start-host" | |
123 | }; | |
72d0e1cb | 124 | |
998ac676 RT |
125 | struct mount_opt { |
126 | char *name; | |
127 | int clear; | |
128 | int flag; | |
129 | }; | |
130 | ||
81810dd1 DL |
131 | struct caps_opt { |
132 | char *name; | |
133 | int value; | |
134 | }; | |
135 | ||
c6d09e15 WB |
136 | struct limit_opt { |
137 | char *name; | |
138 | int value; | |
139 | }; | |
140 | ||
998ac676 | 141 | static struct mount_opt mount_opt[] = { |
470b359b CB |
142 | { "async", 1, MS_SYNCHRONOUS }, |
143 | { "atime", 1, MS_NOATIME }, | |
144 | { "bind", 0, MS_BIND }, | |
88d413d5 | 145 | { "defaults", 0, 0 }, |
88d413d5 | 146 | { "dev", 1, MS_NODEV }, |
470b359b | 147 | { "diratime", 1, MS_NODIRATIME }, |
88d413d5 | 148 | { "dirsync", 0, MS_DIRSYNC }, |
470b359b | 149 | { "exec", 1, MS_NOEXEC }, |
8912711c | 150 | { "lazytime", 0, MS_LAZYTIME }, |
88d413d5 | 151 | { "mand", 0, MS_MANDLOCK }, |
88d413d5 | 152 | { "noatime", 0, MS_NOATIME }, |
470b359b | 153 | { "nodev", 0, MS_NODEV }, |
88d413d5 | 154 | { "nodiratime", 0, MS_NODIRATIME }, |
470b359b CB |
155 | { "noexec", 0, MS_NOEXEC }, |
156 | { "nomand", 1, MS_MANDLOCK }, | |
157 | { "norelatime", 1, MS_RELATIME }, | |
158 | { "nostrictatime", 1, MS_STRICTATIME }, | |
159 | { "nosuid", 0, MS_NOSUID }, | |
88d413d5 SW |
160 | { "rbind", 0, MS_BIND|MS_REC }, |
161 | { "relatime", 0, MS_RELATIME }, | |
470b359b CB |
162 | { "remount", 0, MS_REMOUNT }, |
163 | { "ro", 0, MS_RDONLY }, | |
164 | { "rw", 1, MS_RDONLY }, | |
88d413d5 | 165 | { "strictatime", 0, MS_STRICTATIME }, |
470b359b CB |
166 | { "suid", 1, MS_NOSUID }, |
167 | { "sync", 0, MS_SYNCHRONOUS }, | |
88d413d5 | 168 | { NULL, 0, 0 }, |
998ac676 RT |
169 | }; |
170 | ||
d840039e | 171 | static struct mount_opt propagation_opt[] = { |
0fd73091 CB |
172 | { "private", 0, MS_PRIVATE }, |
173 | { "shared", 0, MS_SHARED }, | |
174 | { "slave", 0, MS_SLAVE }, | |
175 | { "unbindable", 0, MS_UNBINDABLE }, | |
176 | { "rprivate", 0, MS_PRIVATE|MS_REC }, | |
177 | { "rshared", 0, MS_SHARED|MS_REC }, | |
178 | { "rslave", 0, MS_SLAVE|MS_REC }, | |
179 | { "runbindable", 0, MS_UNBINDABLE|MS_REC }, | |
180 | { NULL, 0, 0 }, | |
d840039e YT |
181 | }; |
182 | ||
81810dd1 | 183 | static struct caps_opt caps_opt[] = { |
8560cd36 | 184 | #if HAVE_LIBCAP |
0fd73091 CB |
185 | { "chown", CAP_CHOWN }, |
186 | { "dac_override", CAP_DAC_OVERRIDE }, | |
187 | { "dac_read_search", CAP_DAC_READ_SEARCH }, | |
188 | { "fowner", CAP_FOWNER }, | |
189 | { "fsetid", CAP_FSETID }, | |
190 | { "kill", CAP_KILL }, | |
191 | { "setgid", CAP_SETGID }, | |
192 | { "setuid", CAP_SETUID }, | |
193 | { "setpcap", CAP_SETPCAP }, | |
194 | { "linux_immutable", CAP_LINUX_IMMUTABLE }, | |
195 | { "net_bind_service", CAP_NET_BIND_SERVICE }, | |
196 | { "net_broadcast", CAP_NET_BROADCAST }, | |
197 | { "net_admin", CAP_NET_ADMIN }, | |
198 | { "net_raw", CAP_NET_RAW }, | |
199 | { "ipc_lock", CAP_IPC_LOCK }, | |
200 | { "ipc_owner", CAP_IPC_OWNER }, | |
201 | { "sys_module", CAP_SYS_MODULE }, | |
202 | { "sys_rawio", CAP_SYS_RAWIO }, | |
203 | { "sys_chroot", CAP_SYS_CHROOT }, | |
204 | { "sys_ptrace", CAP_SYS_PTRACE }, | |
205 | { "sys_pacct", CAP_SYS_PACCT }, | |
206 | { "sys_admin", CAP_SYS_ADMIN }, | |
207 | { "sys_boot", CAP_SYS_BOOT }, | |
208 | { "sys_nice", CAP_SYS_NICE }, | |
209 | { "sys_resource", CAP_SYS_RESOURCE }, | |
210 | { "sys_time", CAP_SYS_TIME }, | |
211 | { "sys_tty_config", CAP_SYS_TTY_CONFIG }, | |
212 | { "mknod", CAP_MKNOD }, | |
213 | { "lease", CAP_LEASE }, | |
57b837e2 | 214 | #ifdef CAP_AUDIT_READ |
0fd73091 | 215 | { "audit_read", CAP_AUDIT_READ }, |
57b837e2 | 216 | #endif |
9527e566 | 217 | #ifdef CAP_AUDIT_WRITE |
0fd73091 | 218 | { "audit_write", CAP_AUDIT_WRITE }, |
9527e566 FW |
219 | #endif |
220 | #ifdef CAP_AUDIT_CONTROL | |
0fd73091 | 221 | { "audit_control", CAP_AUDIT_CONTROL }, |
9527e566 | 222 | #endif |
0fd73091 CB |
223 | { "setfcap", CAP_SETFCAP }, |
224 | { "mac_override", CAP_MAC_OVERRIDE }, | |
225 | { "mac_admin", CAP_MAC_ADMIN }, | |
5170c716 | 226 | #ifdef CAP_SYSLOG |
0fd73091 | 227 | { "syslog", CAP_SYSLOG }, |
5170c716 CS |
228 | #endif |
229 | #ifdef CAP_WAKE_ALARM | |
0fd73091 | 230 | { "wake_alarm", CAP_WAKE_ALARM }, |
5170c716 | 231 | #endif |
2b54359b | 232 | #ifdef CAP_BLOCK_SUSPEND |
0fd73091 | 233 | { "block_suspend", CAP_BLOCK_SUSPEND }, |
2b54359b | 234 | #endif |
495d2046 | 235 | #endif |
8560cd36 | 236 | }; |
81810dd1 | 237 | |
c6d09e15 WB |
238 | static struct limit_opt limit_opt[] = { |
239 | #ifdef RLIMIT_AS | |
240 | { "as", RLIMIT_AS }, | |
241 | #endif | |
242 | #ifdef RLIMIT_CORE | |
243 | { "core", RLIMIT_CORE }, | |
244 | #endif | |
245 | #ifdef RLIMIT_CPU | |
246 | { "cpu", RLIMIT_CPU }, | |
247 | #endif | |
248 | #ifdef RLIMIT_DATA | |
249 | { "data", RLIMIT_DATA }, | |
250 | #endif | |
251 | #ifdef RLIMIT_FSIZE | |
252 | { "fsize", RLIMIT_FSIZE }, | |
253 | #endif | |
254 | #ifdef RLIMIT_LOCKS | |
255 | { "locks", RLIMIT_LOCKS }, | |
256 | #endif | |
257 | #ifdef RLIMIT_MEMLOCK | |
258 | { "memlock", RLIMIT_MEMLOCK }, | |
259 | #endif | |
260 | #ifdef RLIMIT_MSGQUEUE | |
261 | { "msgqueue", RLIMIT_MSGQUEUE }, | |
262 | #endif | |
263 | #ifdef RLIMIT_NICE | |
264 | { "nice", RLIMIT_NICE }, | |
265 | #endif | |
266 | #ifdef RLIMIT_NOFILE | |
267 | { "nofile", RLIMIT_NOFILE }, | |
268 | #endif | |
269 | #ifdef RLIMIT_NPROC | |
270 | { "nproc", RLIMIT_NPROC }, | |
271 | #endif | |
272 | #ifdef RLIMIT_RSS | |
273 | { "rss", RLIMIT_RSS }, | |
274 | #endif | |
275 | #ifdef RLIMIT_RTPRIO | |
276 | { "rtprio", RLIMIT_RTPRIO }, | |
277 | #endif | |
278 | #ifdef RLIMIT_RTTIME | |
279 | { "rttime", RLIMIT_RTTIME }, | |
280 | #endif | |
281 | #ifdef RLIMIT_SIGPENDING | |
282 | { "sigpending", RLIMIT_SIGPENDING }, | |
283 | #endif | |
284 | #ifdef RLIMIT_STACK | |
285 | { "stack", RLIMIT_STACK }, | |
286 | #endif | |
287 | }; | |
288 | ||
91c3830e SH |
289 | static int run_buffer(char *buffer) |
290 | { | |
cc6a0e78 | 291 | __do_free char *output = NULL; |
55022530 | 292 | __do_lxc_pclose struct lxc_popen_FILE *f = NULL; |
ebf3a6af | 293 | int fd, ret; |
91c3830e | 294 | |
ebec9176 | 295 | f = lxc_popen(buffer); |
55022530 CB |
296 | if (!f) |
297 | return log_error_errno(-1, errno, "Failed to popen() %s", buffer); | |
91c3830e SH |
298 | |
299 | output = malloc(LXC_LOG_BUFFER_SIZE); | |
55022530 CB |
300 | if (!output) |
301 | return log_error_errno(-1, ENOMEM, "Failed to allocate memory for %s", buffer); | |
91c3830e | 302 | |
ebf3a6af | 303 | fd = fileno(f->f); |
55022530 CB |
304 | if (fd < 0) |
305 | return log_error_errno(-1, errno, "Failed to retrieve underlying file descriptor"); | |
ebf3a6af CB |
306 | |
307 | for (int i = 0; i < 10; i++) { | |
308 | ssize_t bytes_read; | |
309 | ||
310 | bytes_read = lxc_read_nointr(fd, output, LXC_LOG_BUFFER_SIZE - 1); | |
311 | if (bytes_read > 0) { | |
312 | output[bytes_read] = '\0'; | |
313 | DEBUG("Script %s produced output: %s", buffer, output); | |
314 | continue; | |
315 | } | |
316 | ||
317 | break; | |
318 | } | |
91c3830e | 319 | |
55022530 CB |
320 | ret = lxc_pclose(move_ptr(f)); |
321 | if (ret == -1) | |
322 | return log_error_errno(-1, errno, "Script exited with error"); | |
323 | else if (WIFEXITED(ret) && WEXITSTATUS(ret) != 0) | |
324 | return log_error(-1, "Script exited with status %d", WEXITSTATUS(ret)); | |
325 | else if (WIFSIGNALED(ret)) | |
326 | return log_error(-1, "Script terminated by signal %d", WTERMSIG(ret)); | |
91c3830e SH |
327 | |
328 | return 0; | |
329 | } | |
330 | ||
14a7b0f9 CB |
331 | int run_script_argv(const char *name, unsigned int hook_version, |
332 | const char *section, const char *script, | |
586b1ce7 | 333 | const char *hookname, char **argv) |
148e91f5 | 334 | { |
e1a94937 | 335 | __do_free char *buffer = NULL; |
3f60c2f7 | 336 | int buf_pos, i, ret; |
d08e5708 | 337 | size_t size = 0; |
148e91f5 | 338 | |
3f60c2f7 | 339 | if (hook_version == 0) |
55022530 CB |
340 | INFO("Executing script \"%s\" for container \"%s\", config section \"%s\"", |
341 | script, name, section); | |
3f60c2f7 CB |
342 | else |
343 | INFO("Executing script \"%s\" for container \"%s\"", script, name); | |
148e91f5 | 344 | |
586b1ce7 CB |
345 | for (i = 0; argv && argv[i]; i++) |
346 | size += strlen(argv[i]) + 1; | |
148e91f5 | 347 | |
6333c915 CB |
348 | size += STRLITERALLEN("exec"); |
349 | size++; | |
148e91f5 | 350 | size += strlen(script); |
3f60c2f7 CB |
351 | size++; |
352 | ||
148e91f5 | 353 | if (size > INT_MAX) |
3f60c2f7 | 354 | return -EFBIG; |
148e91f5 | 355 | |
3f60c2f7 | 356 | if (hook_version == 0) { |
d08e5708 CB |
357 | size += strlen(hookname); |
358 | size++; | |
359 | ||
360 | size += strlen(name); | |
361 | size++; | |
362 | ||
363 | size += strlen(section); | |
364 | size++; | |
365 | ||
366 | if (size > INT_MAX) | |
367 | return -EFBIG; | |
327cce76 | 368 | } |
3f60c2f7 | 369 | |
6f8d00d2 CB |
370 | buffer = malloc(size); |
371 | if (!buffer) | |
372 | return -ENOMEM; | |
373 | ||
327cce76 | 374 | if (hook_version == 0) |
3f60c2f7 | 375 | buf_pos = snprintf(buffer, size, "exec %s %s %s %s", script, name, section, hookname); |
327cce76 | 376 | else |
3f60c2f7 | 377 | buf_pos = snprintf(buffer, size, "exec %s", script); |
55022530 CB |
378 | if (buf_pos < 0 || (size_t)buf_pos >= size) |
379 | return log_error_errno(-1, errno, "Failed to create command line for script \"%s\"", script); | |
3f60c2f7 | 380 | |
327cce76 | 381 | if (hook_version == 1) { |
3f60c2f7 CB |
382 | ret = setenv("LXC_HOOK_TYPE", hookname, 1); |
383 | if (ret < 0) { | |
55022530 | 384 | return log_error_errno(-1, errno, "Failed to set environment variable: LXC_HOOK_TYPE=%s", hookname); |
3f60c2f7 | 385 | } |
90f20466 | 386 | TRACE("Set environment variable: LXC_HOOK_TYPE=%s", hookname); |
3f60c2f7 CB |
387 | |
388 | ret = setenv("LXC_HOOK_SECTION", section, 1); | |
55022530 CB |
389 | if (ret < 0) |
390 | return log_error_errno(-1, errno, "Failed to set environment variable: LXC_HOOK_SECTION=%s", section); | |
3f60c2f7 | 391 | TRACE("Set environment variable: LXC_HOOK_SECTION=%s", section); |
14a7b0f9 CB |
392 | |
393 | if (strcmp(section, "net") == 0) { | |
394 | char *parent; | |
395 | ||
586b1ce7 | 396 | if (!argv || !argv[0]) |
e1a94937 | 397 | return -1; |
14a7b0f9 | 398 | |
586b1ce7 | 399 | ret = setenv("LXC_NET_TYPE", argv[0], 1); |
55022530 CB |
400 | if (ret < 0) |
401 | return log_error_errno(-1, errno, "Failed to set environment variable: LXC_NET_TYPE=%s", argv[0]); | |
586b1ce7 | 402 | TRACE("Set environment variable: LXC_NET_TYPE=%s", argv[0]); |
14a7b0f9 | 403 | |
586b1ce7 | 404 | parent = argv[1] ? argv[1] : ""; |
14a7b0f9 | 405 | |
a8144263 | 406 | if (strcmp(argv[0], "macvlan") == 0) { |
14a7b0f9 | 407 | ret = setenv("LXC_NET_PARENT", parent, 1); |
55022530 CB |
408 | if (ret < 0) |
409 | return log_error_errno(-1, errno, "Failed to set environment variable: LXC_NET_PARENT=%s", parent); | |
14a7b0f9 | 410 | TRACE("Set environment variable: LXC_NET_PARENT=%s", parent); |
a8144263 | 411 | } else if (strcmp(argv[0], "phys") == 0) { |
14a7b0f9 | 412 | ret = setenv("LXC_NET_PARENT", parent, 1); |
55022530 CB |
413 | if (ret < 0) |
414 | return log_error_errno(-1, errno, "Failed to set environment variable: LXC_NET_PARENT=%s", parent); | |
14a7b0f9 | 415 | TRACE("Set environment variable: LXC_NET_PARENT=%s", parent); |
a8144263 | 416 | } else if (strcmp(argv[0], "veth") == 0) { |
586b1ce7 | 417 | char *peer = argv[2] ? argv[2] : ""; |
14a7b0f9 CB |
418 | |
419 | ret = setenv("LXC_NET_PEER", peer, 1); | |
55022530 CB |
420 | if (ret < 0) |
421 | return log_error_errno(-1, errno, "Failed to set environment variable: LXC_NET_PEER=%s", peer); | |
14a7b0f9 CB |
422 | TRACE("Set environment variable: LXC_NET_PEER=%s", peer); |
423 | ||
424 | ret = setenv("LXC_NET_PARENT", parent, 1); | |
55022530 CB |
425 | if (ret < 0) |
426 | return log_error_errno(-1, errno, "Failed to set environment variable: LXC_NET_PARENT=%s", parent); | |
14a7b0f9 CB |
427 | TRACE("Set environment variable: LXC_NET_PARENT=%s", parent); |
428 | } | |
429 | } | |
148e91f5 SH |
430 | } |
431 | ||
586b1ce7 | 432 | for (i = 0; argv && argv[i]; i++) { |
3f60c2f7 CB |
433 | size_t len = size - buf_pos; |
434 | ||
586b1ce7 | 435 | ret = snprintf(buffer + buf_pos, len, " %s", argv[i]); |
55022530 CB |
436 | if (ret < 0 || (size_t)ret >= len) |
437 | return log_error_errno(-1, errno, "Failed to create command line for script \"%s\"", script); | |
3f60c2f7 | 438 | buf_pos += ret; |
148e91f5 SH |
439 | } |
440 | ||
e1a94937 | 441 | return run_buffer(buffer); |
148e91f5 SH |
442 | } |
443 | ||
811ef482 | 444 | int run_script(const char *name, const char *section, const char *script, ...) |
e3b4c4c4 | 445 | { |
2f443e88 | 446 | __do_free char *buffer = NULL; |
abbfd20b | 447 | int ret; |
2f443e88 | 448 | char *p; |
abbfd20b | 449 | va_list ap; |
0fd73091 | 450 | size_t size = 0; |
751d9dcd | 451 | |
0fd73091 | 452 | INFO("Executing script \"%s\" for container \"%s\", config section \"%s\"", |
751d9dcd | 453 | script, name, section); |
e3b4c4c4 | 454 | |
abbfd20b DL |
455 | va_start(ap, script); |
456 | while ((p = va_arg(ap, char *))) | |
95642a10 | 457 | size += strlen(p) + 1; |
abbfd20b DL |
458 | va_end(ap); |
459 | ||
6333c915 | 460 | size += STRLITERALLEN("exec"); |
abbfd20b DL |
461 | size += strlen(script); |
462 | size += strlen(name); | |
463 | size += strlen(section); | |
6d1a5f93 | 464 | size += 4; |
abbfd20b | 465 | |
95642a10 MS |
466 | if (size > INT_MAX) |
467 | return -1; | |
468 | ||
2f443e88 | 469 | buffer = must_realloc(NULL, size); |
6d1a5f93 | 470 | ret = snprintf(buffer, size, "exec %s %s %s", script, name, section); |
0fd73091 | 471 | if (ret < 0 || ret >= size) |
9ba8130c | 472 | return -1; |
751d9dcd | 473 | |
abbfd20b | 474 | va_start(ap, script); |
9ba8130c | 475 | while ((p = va_arg(ap, char *))) { |
062b72c6 | 476 | int len = size - ret; |
9ba8130c SH |
477 | int rc; |
478 | rc = snprintf(buffer + ret, len, " %s", p); | |
7b5a2435 DJ |
479 | if (rc < 0 || rc >= len) { |
480 | va_end(ap); | |
9ba8130c | 481 | return -1; |
7b5a2435 | 482 | } |
9ba8130c SH |
483 | ret += rc; |
484 | } | |
abbfd20b | 485 | va_end(ap); |
751d9dcd | 486 | |
91c3830e | 487 | return run_buffer(buffer); |
e3b4c4c4 ST |
488 | } |
489 | ||
0fd73091 | 490 | /* pin_rootfs |
63fc76c3 | 491 | * if rootfs is a directory, then open ${rootfs}/.lxc-keep for writing for |
b7ed4bf0 CS |
492 | * the duration of the container run, to prevent the container from marking |
493 | * the underlying fs readonly on shutdown. unlink the file immediately so | |
63fc76c3 GJ |
494 | * no name pollution is happens. |
495 | * don't unlink on NFS to avoid random named stale handles. | |
0c547523 SH |
496 | * return -1 on error. |
497 | * return -2 if nothing needed to be pinned. | |
498 | * return an open fd (>=0) if we pinned it. | |
499 | */ | |
500 | int pin_rootfs(const char *rootfs) | |
501 | { | |
957c4704 | 502 | __do_free char *absrootfs = NULL; |
0fd73091 | 503 | int fd, ret; |
6b5a54cd | 504 | char absrootfspin[PATH_MAX]; |
0c547523 | 505 | struct stat s; |
63fc76c3 | 506 | struct statfs sfs; |
0c547523 | 507 | |
e99ee0de | 508 | if (rootfs == NULL || strlen(rootfs) == 0) |
0d03360a | 509 | return -2; |
e99ee0de | 510 | |
74e7b662 | 511 | absrootfs = realpath(rootfs, NULL); |
512 | if (!absrootfs) | |
9be53773 | 513 | return -2; |
0c547523 | 514 | |
0fd73091 | 515 | ret = stat(absrootfs, &s); |
957c4704 | 516 | if (ret < 0) |
0c547523 | 517 | return -1; |
0c547523 | 518 | |
957c4704 | 519 | if (!S_ISDIR(s.st_mode)) |
0c547523 SH |
520 | return -2; |
521 | ||
55022530 CB |
522 | ret = snprintf(absrootfspin, sizeof(absrootfspin), "%s/.lxc-keep", absrootfs); |
523 | if (ret < 0 || (size_t)ret >= sizeof(absrootfspin)) | |
0c547523 | 524 | return -1; |
0c547523 | 525 | |
55022530 | 526 | fd = open(absrootfspin, O_CREAT | O_RDWR, S_IWUSR | S_IRUSR | O_CLOEXEC); |
b7ed4bf0 CS |
527 | if (fd < 0) |
528 | return fd; | |
0fd73091 | 529 | |
205fc010 CB |
530 | ret = fstatfs (fd, &sfs); |
531 | if (ret < 0) | |
532 | return fd; | |
63fc76c3 | 533 | |
55022530 CB |
534 | if (sfs.f_type == NFS_SUPER_MAGIC) |
535 | return log_debug(fd, "Rootfs on NFS, not unlinking pin file \"%s\"", absrootfspin); | |
63fc76c3 | 536 | |
b7ed4bf0 | 537 | (void)unlink(absrootfspin); |
0fd73091 | 538 | |
0c547523 SH |
539 | return fd; |
540 | } | |
541 | ||
0fd73091 CB |
542 | /* If we are asking to remount something, make sure that any NOEXEC etc are |
543 | * honored. | |
e2a7e8dc | 544 | */ |
5ae72b98 | 545 | unsigned long add_required_remount_flags(const char *s, const char *d, |
5285689c | 546 | unsigned long flags) |
e2a7e8dc | 547 | { |
614305f3 | 548 | #ifdef HAVE_STATVFS |
0fd73091 | 549 | int ret; |
e2a7e8dc SH |
550 | struct statvfs sb; |
551 | unsigned long required_flags = 0; | |
552 | ||
e2a7e8dc SH |
553 | if (!s) |
554 | s = d; | |
555 | ||
556 | if (!s) | |
557 | return flags; | |
0fd73091 CB |
558 | |
559 | ret = statvfs(s, &sb); | |
560 | if (ret < 0) | |
e2a7e8dc SH |
561 | return flags; |
562 | ||
69eadddb CB |
563 | if (flags & MS_REMOUNT) { |
564 | if (sb.f_flag & MS_NOSUID) | |
565 | required_flags |= MS_NOSUID; | |
566 | if (sb.f_flag & MS_NODEV) | |
567 | required_flags |= MS_NODEV; | |
568 | if (sb.f_flag & MS_RDONLY) | |
569 | required_flags |= MS_RDONLY; | |
570 | if (sb.f_flag & MS_NOEXEC) | |
571 | required_flags |= MS_NOEXEC; | |
572 | } | |
573 | ||
574 | if (sb.f_flag & MS_NOATIME) | |
575 | required_flags |= MS_NOATIME; | |
576 | if (sb.f_flag & MS_NODIRATIME) | |
577 | required_flags |= MS_NODIRATIME; | |
578 | if (sb.f_flag & MS_LAZYTIME) | |
579 | required_flags |= MS_LAZYTIME; | |
580 | if (sb.f_flag & MS_RELATIME) | |
581 | required_flags |= MS_RELATIME; | |
582 | if (sb.f_flag & MS_STRICTATIME) | |
583 | required_flags |= MS_STRICTATIME; | |
e2a7e8dc SH |
584 | |
585 | return flags | required_flags; | |
614305f3 SH |
586 | #else |
587 | return flags; | |
588 | #endif | |
e2a7e8dc SH |
589 | } |
590 | ||
6b741397 CB |
591 | static int add_shmount_to_list(struct lxc_conf *conf) |
592 | { | |
6b5a54cd | 593 | char new_mount[PATH_MAX]; |
0d190408 | 594 | /* Offset for the leading '/' since the path_cont |
6b741397 CB |
595 | * is absolute inside the container. |
596 | */ | |
597 | int offset = 1, ret = -1; | |
0d190408 | 598 | |
6b741397 CB |
599 | ret = snprintf(new_mount, sizeof(new_mount), |
600 | "%s %s none bind,create=dir 0 0", conf->shmount.path_host, | |
601 | conf->shmount.path_cont + offset); | |
60534030 | 602 | if (ret < 0 || (size_t)ret >= sizeof(new_mount)) |
0d190408 LT |
603 | return -1; |
604 | ||
6b741397 | 605 | return add_elem_to_mount_list(new_mount, conf); |
0d190408 LT |
606 | } |
607 | ||
4fb3cba5 | 608 | static int lxc_mount_auto_mounts(struct lxc_conf *conf, int flags, struct lxc_handler *handler) |
368bbc02 | 609 | { |
0fd73091 | 610 | int i, r; |
b06b8511 CS |
611 | static struct { |
612 | int match_mask; | |
613 | int match_flag; | |
614 | const char *source; | |
615 | const char *destination; | |
616 | const char *fstype; | |
617 | unsigned long flags; | |
618 | const char *options; | |
619 | } default_mounts[] = { | |
0fd73091 CB |
620 | /* Read-only bind-mounting... In older kernels, doing that |
621 | * required to do one MS_BIND mount and then | |
622 | * MS_REMOUNT|MS_RDONLY the same one. According to mount(2) | |
623 | * manpage, MS_BIND honors MS_RDONLY from kernel 2.6.26 | |
624 | * onwards. However, this apparently does not work on kernel | |
625 | * 3.8. Unfortunately, on that very same kernel, doing the same | |
626 | * trick as above doesn't seem to work either, there one needs | |
627 | * to ALSO specify MS_BIND for the remount, otherwise the | |
628 | * entire fs is remounted read-only or the mount fails because | |
629 | * it's busy... MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for | |
630 | * kernels as low as 2.6.32... | |
368bbc02 | 631 | */ |
0fd73091 | 632 | { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, |
592fd47a | 633 | /* proc/tty is used as a temporary placeholder for proc/sys/net which we'll move back in a few steps */ |
0fd73091 CB |
634 | { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net", "%r/proc/tty", NULL, MS_BIND, NULL }, |
635 | { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys", "%r/proc/sys", NULL, MS_BIND, NULL }, | |
636 | { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, | |
637 | { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/tty", "%r/proc/sys/net", NULL, MS_MOVE, NULL }, | |
638 | { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL, MS_BIND, NULL }, | |
639 | { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL, "%r/proc/sysrq-trigger", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, | |
640 | { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW, "proc", "%r/proc", "proc", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, | |
641 | { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RW, "sysfs", "%r/sys", "sysfs", 0, NULL }, | |
642 | { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_RO, "sysfs", "%r/sys", "sysfs", MS_RDONLY, NULL }, | |
643 | { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys", "sysfs", MS_NODEV|MS_NOEXEC|MS_NOSUID, NULL }, | |
d1c203f4 | 644 | { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys", "%r/sys", NULL, MS_BIND, NULL }, |
0fd73091 CB |
645 | { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys", NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL }, |
646 | { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL }, | |
647 | { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL, MS_BIND, NULL }, | |
648 | { LXC_AUTO_SYS_MASK, LXC_AUTO_SYS_MIXED, NULL, "%r/sys/devices/virtual/net", NULL, MS_REMOUNT|MS_BIND|MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL }, | |
649 | { 0, 0, NULL, NULL, NULL, 0, NULL } | |
b06b8511 | 650 | }; |
368bbc02 | 651 | |
b06b8511 | 652 | for (i = 0; default_mounts[i].match_mask; i++) { |
8db92302 | 653 | __do_free char *destination = NULL, *source = NULL; |
0fd73091 CB |
654 | int saved_errno; |
655 | unsigned long mflags; | |
0fd73091 CB |
656 | if ((flags & default_mounts[i].match_mask) != default_mounts[i].match_flag) |
657 | continue; | |
658 | ||
659 | if (default_mounts[i].source) { | |
cc4fd506 | 660 | /* will act like strdup if %r is not present */ |
0fd73091 CB |
661 | source = lxc_string_replace("%r", conf->rootfs.path ? conf->rootfs.mount : "", default_mounts[i].source); |
662 | if (!source) | |
cc4fd506 | 663 | return -1; |
0fd73091 | 664 | } |
f24a52d5 | 665 | |
55022530 CB |
666 | if (!default_mounts[i].destination) |
667 | return log_error(-1, "BUG: auto mounts destination %d was NULL", i); | |
0fd73091 CB |
668 | |
669 | /* will act like strdup if %r is not present */ | |
670 | destination = lxc_string_replace("%r", conf->rootfs.path ? conf->rootfs.mount : "", default_mounts[i].destination); | |
55022530 | 671 | if (!destination) |
0fd73091 | 672 | return -1; |
0fd73091 CB |
673 | |
674 | mflags = add_required_remount_flags(source, destination, | |
675 | default_mounts[i].flags); | |
676 | r = safe_mount(source, destination, default_mounts[i].fstype, | |
677 | mflags, default_mounts[i].options, | |
678 | conf->rootfs.path ? conf->rootfs.mount : NULL); | |
679 | saved_errno = errno; | |
680 | if (r < 0 && errno == ENOENT) { | |
55022530 | 681 | INFO("Mount source or target for \"%s\" on \"%s\" does not exist. Skipping", source, destination); |
0fd73091 CB |
682 | r = 0; |
683 | } else if (r < 0) { | |
684 | SYSERROR("Failed to mount \"%s\" on \"%s\" with flags %lu", source, destination, mflags); | |
685 | } | |
686 | ||
0fd73091 CB |
687 | if (r < 0) { |
688 | errno = saved_errno; | |
689 | return -1; | |
368bbc02 | 690 | } |
368bbc02 CS |
691 | } |
692 | ||
b06b8511 | 693 | if (flags & LXC_AUTO_CGROUP_MASK) { |
0769b82a CS |
694 | int cg_flags; |
695 | ||
3f69fb12 | 696 | cg_flags = flags & (LXC_AUTO_CGROUP_MASK & ~LXC_AUTO_CGROUP_FORCE); |
0fd73091 CB |
697 | /* If the type of cgroup mount was not specified, it depends on |
698 | * the container's capabilities as to what makes sense: if we | |
699 | * have CAP_SYS_ADMIN, the read-only part can be remounted | |
700 | * read-write anyway, so we may as well default to read-write; | |
701 | * then the admin will not be given a false sense of security. | |
702 | * (And if they really want mixed r/o r/w, then they can | |
703 | * explicitly specify :mixed.) OTOH, if the container lacks | |
704 | * CAP_SYS_ADMIN, do only default to :mixed, because then the | |
705 | * container can't remount it read-write. | |
706 | */ | |
0769b82a CS |
707 | if (cg_flags == LXC_AUTO_CGROUP_NOSPEC || cg_flags == LXC_AUTO_CGROUP_FULL_NOSPEC) { |
708 | int has_sys_admin = 0; | |
b0ee5983 CB |
709 | |
710 | if (!lxc_list_empty(&conf->keepcaps)) | |
0769b82a | 711 | has_sys_admin = in_caplist(CAP_SYS_ADMIN, &conf->keepcaps); |
b0ee5983 | 712 | else |
0769b82a | 713 | has_sys_admin = !in_caplist(CAP_SYS_ADMIN, &conf->caps); |
b0ee5983 CB |
714 | |
715 | if (cg_flags == LXC_AUTO_CGROUP_NOSPEC) | |
0769b82a | 716 | cg_flags = has_sys_admin ? LXC_AUTO_CGROUP_RW : LXC_AUTO_CGROUP_MIXED; |
b0ee5983 | 717 | else |
0769b82a | 718 | cg_flags = has_sys_admin ? LXC_AUTO_CGROUP_FULL_RW : LXC_AUTO_CGROUP_FULL_MIXED; |
0769b82a | 719 | } |
0fd73091 | 720 | |
3f69fb12 | 721 | if (flags & LXC_AUTO_CGROUP_FORCE) |
0fd73091 CB |
722 | cg_flags |= LXC_AUTO_CGROUP_FORCE; |
723 | ||
2202afc9 CB |
724 | if (!handler->cgroup_ops->mount(handler->cgroup_ops, |
725 | handler, | |
726 | conf->rootfs.path ? conf->rootfs.mount : "", | |
55022530 CB |
727 | cg_flags)) |
728 | return log_error_errno(-1, errno, "Failed to mount \"/sys/fs/cgroup\""); | |
368bbc02 CS |
729 | } |
730 | ||
0d190408 LT |
731 | if (flags & LXC_AUTO_SHMOUNTS_MASK) { |
732 | int ret = add_shmount_to_list(conf); | |
55022530 CB |
733 | if (ret < 0) |
734 | return log_error(-1, "Failed to add shmount entry to container config"); | |
0d190408 LT |
735 | } |
736 | ||
368bbc02 | 737 | return 0; |
368bbc02 CS |
738 | } |
739 | ||
4e5440c6 | 740 | static int setup_utsname(struct utsname *utsname) |
0ad19a3f | 741 | { |
0fd73091 CB |
742 | int ret; |
743 | ||
4e5440c6 DL |
744 | if (!utsname) |
745 | return 0; | |
0ad19a3f | 746 | |
0fd73091 | 747 | ret = sethostname(utsname->nodename, strlen(utsname->nodename)); |
55022530 CB |
748 | if (ret < 0) |
749 | return log_error_errno(-1, errno, "Failed to set the hostname to \"%s\"", | |
750 | utsname->nodename); | |
0ad19a3f | 751 | |
0fd73091 | 752 | INFO("Set hostname to \"%s\"", utsname->nodename); |
cd54d859 | 753 | |
0ad19a3f | 754 | return 0; |
755 | } | |
756 | ||
69aa6655 DE |
757 | struct dev_symlinks { |
758 | const char *oldpath; | |
759 | const char *name; | |
760 | }; | |
761 | ||
762 | static const struct dev_symlinks dev_symlinks[] = { | |
0fd73091 CB |
763 | { "/proc/self/fd", "fd" }, |
764 | { "/proc/self/fd/0", "stdin" }, | |
765 | { "/proc/self/fd/1", "stdout" }, | |
766 | { "/proc/self/fd/2", "stderr" }, | |
69aa6655 DE |
767 | }; |
768 | ||
ed8704d0 | 769 | static int lxc_setup_dev_symlinks(const struct lxc_rootfs *rootfs) |
69aa6655 | 770 | { |
0fd73091 | 771 | int i, ret; |
6b5a54cd | 772 | char path[PATH_MAX]; |
09227be2 | 773 | struct stat s; |
69aa6655 | 774 | |
69aa6655 DE |
775 | for (i = 0; i < sizeof(dev_symlinks) / sizeof(dev_symlinks[0]); i++) { |
776 | const struct dev_symlinks *d = &dev_symlinks[i]; | |
0fd73091 CB |
777 | |
778 | ret = snprintf(path, sizeof(path), "%s/dev/%s", | |
779 | rootfs->path ? rootfs->mount : "", d->name); | |
55022530 | 780 | if (ret < 0 || (size_t)ret >= sizeof(path)) |
69aa6655 | 781 | return -1; |
09227be2 | 782 | |
0fd73091 CB |
783 | /* Stat the path first. If we don't get an error accept it as |
784 | * is and don't try to create it | |
09227be2 | 785 | */ |
0fd73091 CB |
786 | ret = stat(path, &s); |
787 | if (ret == 0) | |
09227be2 | 788 | continue; |
09227be2 | 789 | |
69aa6655 DE |
790 | ret = symlink(d->oldpath, path); |
791 | if (ret && errno != EEXIST) { | |
55022530 | 792 | if (errno == EROFS) |
0fd73091 | 793 | WARN("Failed to create \"%s\". Read-only filesystem", path); |
55022530 CB |
794 | else |
795 | return log_error_errno(-1, errno, "Failed to create \"%s\"", path); | |
69aa6655 DE |
796 | } |
797 | } | |
0fd73091 | 798 | |
69aa6655 DE |
799 | return 0; |
800 | } | |
801 | ||
2187efd3 | 802 | /* Build a space-separate list of ptys to pass to systemd. */ |
885766f5 | 803 | static bool append_ttyname(char **pp, char *name) |
b0a33c1e | 804 | { |
393903d1 | 805 | char *p; |
f1e05b90 | 806 | size_t size; |
393903d1 SH |
807 | |
808 | if (!*pp) { | |
809 | *pp = malloc(strlen(name) + strlen("container_ttys=") + 1); | |
810 | if (!*pp) | |
811 | return false; | |
0fd73091 | 812 | |
393903d1 SH |
813 | sprintf(*pp, "container_ttys=%s", name); |
814 | return true; | |
815 | } | |
0fd73091 | 816 | |
f1e05b90 DJ |
817 | size = strlen(*pp) + strlen(name) + 2; |
818 | p = realloc(*pp, size); | |
393903d1 SH |
819 | if (!p) |
820 | return false; | |
0fd73091 | 821 | |
393903d1 | 822 | *pp = p; |
f1e05b90 DJ |
823 | (void)strlcat(p, " ", size); |
824 | (void)strlcat(p, name, size); | |
0fd73091 | 825 | |
393903d1 SH |
826 | return true; |
827 | } | |
828 | ||
2187efd3 | 829 | static int lxc_setup_ttys(struct lxc_conf *conf) |
393903d1 | 830 | { |
9e1045e3 | 831 | int i, ret; |
0e4be3cf | 832 | const struct lxc_tty_info *ttys = &conf->ttys; |
885766f5 | 833 | char *ttydir = ttys->dir; |
6b5a54cd | 834 | char path[PATH_MAX], lxcpath[PATH_MAX]; |
b0a33c1e | 835 | |
e8bd4e43 | 836 | if (!conf->rootfs.path) |
bc9bd0e3 DL |
837 | return 0; |
838 | ||
885766f5 | 839 | for (i = 0; i < ttys->max; i++) { |
0e4be3cf | 840 | struct lxc_terminal_info *tty = &ttys->tty[i]; |
b0a33c1e | 841 | |
e8bd4e43 | 842 | ret = snprintf(path, sizeof(path), "/dev/tty%d", i + 1); |
73363c61 | 843 | if (ret < 0 || (size_t)ret >= sizeof(path)) |
7c6ef2a2 | 844 | return -1; |
9e1045e3 | 845 | |
7c6ef2a2 SH |
846 | if (ttydir) { |
847 | /* create dev/lxc/tty%d" */ | |
9e1045e3 CB |
848 | ret = snprintf(lxcpath, sizeof(lxcpath), |
849 | "/dev/%s/tty%d", ttydir, i + 1); | |
73363c61 | 850 | if (ret < 0 || (size_t)ret >= sizeof(lxcpath)) |
7c6ef2a2 | 851 | return -1; |
9e1045e3 | 852 | |
adc1c715 | 853 | ret = mknod(lxcpath, S_IFREG | 0000, 0); |
9e1045e3 | 854 | if (ret < 0 && errno != EEXIST) { |
73363c61 | 855 | SYSERROR("Failed to create \"%s\"", lxcpath); |
7c6ef2a2 SH |
856 | return -1; |
857 | } | |
9e1045e3 | 858 | |
7c6ef2a2 | 859 | ret = unlink(path); |
9e1045e3 | 860 | if (ret < 0 && errno != ENOENT) { |
73363c61 | 861 | SYSERROR("Failed to unlink \"%s\"", path); |
7c6ef2a2 SH |
862 | return -1; |
863 | } | |
b0a33c1e | 864 | |
2520facd | 865 | ret = mount(tty->name, lxcpath, "none", MS_BIND, 0); |
9e1045e3 | 866 | if (ret < 0) { |
55022530 | 867 | SYSWARN("Failed to bind mount \"%s\" onto \"%s\"", tty->name, lxcpath); |
7c6ef2a2 SH |
868 | continue; |
869 | } | |
55022530 | 870 | DEBUG("Bind mounted \"%s\" onto \"%s\"", tty->name, lxcpath); |
13954cce | 871 | |
9e1045e3 CB |
872 | ret = snprintf(lxcpath, sizeof(lxcpath), "%s/tty%d", |
873 | ttydir, i + 1); | |
73363c61 | 874 | if (ret < 0 || (size_t)ret >= sizeof(lxcpath)) |
9ba8130c | 875 | return -1; |
9e1045e3 | 876 | |
7c6ef2a2 | 877 | ret = symlink(lxcpath, path); |
55022530 CB |
878 | if (ret < 0) |
879 | return log_error_errno(-1, errno, "Failed to create symlink \"%s\" -> \"%s\"", path, lxcpath); | |
7c6ef2a2 | 880 | } else { |
9e1045e3 CB |
881 | /* If we populated /dev, then we need to create |
882 | * /dev/ttyN | |
883 | */ | |
d3ccc04e CB |
884 | ret = mknod(path, S_IFREG | 0000, 0); |
885 | if (ret < 0) /* this isn't fatal, continue */ | |
6d1400b5 | 886 | SYSERROR("Failed to create \"%s\"", path); |
9e1045e3 | 887 | |
2520facd | 888 | ret = mount(tty->name, path, "none", MS_BIND, 0); |
9e1045e3 | 889 | if (ret < 0) { |
2520facd | 890 | SYSERROR("Failed to mount '%s'->'%s'", tty->name, path); |
7c6ef2a2 SH |
891 | continue; |
892 | } | |
9e1045e3 | 893 | |
d3ccc04e | 894 | DEBUG("Bind mounted \"%s\" onto \"%s\"", tty->name, path); |
393903d1 | 895 | } |
9e1045e3 | 896 | |
55022530 CB |
897 | if (!append_ttyname(&conf->ttys.tty_names, tty->name)) |
898 | return log_error(-1, "Error setting up container_ttys string"); | |
b0a33c1e | 899 | } |
900 | ||
885766f5 | 901 | INFO("Finished setting up %zu /dev/tty<N> device(s)", ttys->max); |
b0a33c1e | 902 | return 0; |
903 | } | |
904 | ||
586a3fe8 CB |
905 | define_cleanup_function(struct lxc_tty_info *, lxc_delete_tty); |
906 | ||
59eac805 | 907 | static int lxc_allocate_ttys(struct lxc_conf *conf) |
2187efd3 | 908 | { |
586a3fe8 | 909 | struct lxc_terminal_info *tty_new = NULL; |
fca23691 | 910 | int ret; |
586a3fe8 | 911 | call_cleaner(lxc_delete_tty) struct lxc_tty_info *ttys = &conf->ttys; |
2187efd3 CB |
912 | |
913 | /* no tty in the configuration */ | |
885766f5 | 914 | if (ttys->max == 0) |
2187efd3 CB |
915 | return 0; |
916 | ||
55022530 CB |
917 | tty_new = malloc(sizeof(struct lxc_terminal_info) * ttys->max); |
918 | if (!tty_new) | |
2187efd3 | 919 | return -ENOMEM; |
55022530 | 920 | ttys->tty = tty_new; |
2187efd3 | 921 | |
55022530 | 922 | for (size_t i = 0; i < ttys->max; i++) { |
0e4be3cf | 923 | struct lxc_terminal_info *tty = &ttys->tty[i]; |
2187efd3 | 924 | |
36a94ce8 | 925 | tty->ptx = -EBADF; |
41808e20 CB |
926 | tty->pty = -EBADF; |
927 | ret = openpty(&tty->ptx, &tty->pty, NULL, NULL, NULL); | |
77a39805 | 928 | if (ret < 0) { |
885766f5 | 929 | ttys->max = i; |
55022530 | 930 | return log_error_errno(-ENOTTY, ENOTTY, "Failed to create tty %zu", i); |
2187efd3 CB |
931 | } |
932 | ||
41808e20 | 933 | ret = ttyname_r(tty->pty, tty->name, sizeof(tty->name)); |
77a39805 | 934 | if (ret < 0) { |
77a39805 | 935 | ttys->max = i; |
41808e20 | 936 | return log_error_errno(-ENOTTY, ENOTTY, "Failed to retrieve name of tty %zu pty", i); |
77a39805 CB |
937 | } |
938 | ||
41808e20 CB |
939 | DEBUG("Created tty \"%s\" with ptx fd %d and pty fd %d", |
940 | tty->name, tty->ptx, tty->pty); | |
2187efd3 CB |
941 | |
942 | /* Prevent leaking the file descriptors to the container */ | |
36a94ce8 | 943 | ret = fd_cloexec(tty->ptx, true); |
2187efd3 | 944 | if (ret < 0) |
36a94ce8 CB |
945 | SYSWARN("Failed to set FD_CLOEXEC flag on ptx fd %d of tty device \"%s\"", |
946 | tty->ptx, tty->name); | |
2187efd3 | 947 | |
41808e20 | 948 | ret = fd_cloexec(tty->pty, true); |
2187efd3 | 949 | if (ret < 0) |
41808e20 CB |
950 | SYSWARN("Failed to set FD_CLOEXEC flag on pty fd %d of tty device \"%s\"", |
951 | tty->pty, tty->name); | |
2187efd3 | 952 | |
7581d645 | 953 | tty->busy = -1; |
2187efd3 CB |
954 | } |
955 | ||
885766f5 | 956 | INFO("Finished creating %zu tty devices", ttys->max); |
586a3fe8 | 957 | move_ptr(ttys); |
2187efd3 CB |
958 | return 0; |
959 | } | |
960 | ||
0e4be3cf | 961 | void lxc_delete_tty(struct lxc_tty_info *ttys) |
2187efd3 | 962 | { |
386e6768 CB |
963 | if (!ttys->tty) |
964 | return; | |
965 | ||
55022530 | 966 | for (int i = 0; i < ttys->max; i++) { |
0e4be3cf | 967 | struct lxc_terminal_info *tty = &ttys->tty[i]; |
36a94ce8 | 968 | close_prot_errno_disarm(tty->ptx); |
41808e20 | 969 | close_prot_errno_disarm(tty->pty); |
2187efd3 CB |
970 | } |
971 | ||
55022530 | 972 | free_disarm(ttys->tty); |
2187efd3 CB |
973 | } |
974 | ||
975 | static int lxc_send_ttys_to_parent(struct lxc_handler *handler) | |
976 | { | |
977 | int i; | |
0fd73091 | 978 | int ret = -1; |
2187efd3 | 979 | struct lxc_conf *conf = handler->conf; |
0e4be3cf | 980 | struct lxc_tty_info *ttys = &conf->ttys; |
2187efd3 | 981 | int sock = handler->data_sock[0]; |
2187efd3 | 982 | |
885766f5 | 983 | if (ttys->max == 0) |
2187efd3 CB |
984 | return 0; |
985 | ||
885766f5 | 986 | for (i = 0; i < ttys->max; i++) { |
2187efd3 | 987 | int ttyfds[2]; |
0e4be3cf | 988 | struct lxc_terminal_info *tty = &ttys->tty[i]; |
2187efd3 | 989 | |
36a94ce8 | 990 | ttyfds[0] = tty->ptx; |
41808e20 | 991 | ttyfds[1] = tty->pty; |
2187efd3 CB |
992 | |
993 | ret = lxc_abstract_unix_send_fds(sock, ttyfds, 2, NULL, 0); | |
994 | if (ret < 0) | |
995 | break; | |
996 | ||
41808e20 CB |
997 | TRACE("Sent tty \"%s\" with ptx fd %d and pty fd %d to parent", |
998 | tty->name, tty->ptx, tty->pty); | |
2187efd3 CB |
999 | } |
1000 | ||
1001 | if (ret < 0) | |
6d1400b5 | 1002 | SYSERROR("Failed to send %zu ttys to parent", ttys->max); |
2187efd3 | 1003 | else |
885766f5 | 1004 | TRACE("Sent %zu ttys to parent", ttys->max); |
2187efd3 CB |
1005 | |
1006 | return ret; | |
1007 | } | |
1008 | ||
1009 | static int lxc_create_ttys(struct lxc_handler *handler) | |
1010 | { | |
1011 | int ret = -1; | |
1012 | struct lxc_conf *conf = handler->conf; | |
1013 | ||
663014ee | 1014 | ret = lxc_allocate_ttys(conf); |
2187efd3 CB |
1015 | if (ret < 0) { |
1016 | ERROR("Failed to allocate ttys"); | |
1017 | goto on_error; | |
1018 | } | |
1019 | ||
1020 | ret = lxc_send_ttys_to_parent(handler); | |
1021 | if (ret < 0) { | |
1022 | ERROR("Failed to send ttys to parent"); | |
1023 | goto on_error; | |
1024 | } | |
1025 | ||
1026 | if (!conf->is_execute) { | |
1027 | ret = lxc_setup_ttys(conf); | |
1028 | if (ret < 0) { | |
1029 | ERROR("Failed to setup ttys"); | |
1030 | goto on_error; | |
1031 | } | |
1032 | } | |
1033 | ||
885766f5 CB |
1034 | if (conf->ttys.tty_names) { |
1035 | ret = setenv("container_ttys", conf->ttys.tty_names, 1); | |
2187efd3 | 1036 | if (ret < 0) |
885766f5 | 1037 | SYSERROR("Failed to set \"container_ttys=%s\"", conf->ttys.tty_names); |
2187efd3 CB |
1038 | } |
1039 | ||
1040 | ret = 0; | |
1041 | ||
1042 | on_error: | |
0e4be3cf | 1043 | lxc_delete_tty(&conf->ttys); |
2187efd3 CB |
1044 | |
1045 | return ret; | |
1046 | } | |
1047 | ||
7133b912 CB |
1048 | /* Just create a path for /dev under $lxcpath/$name and in rootfs If we hit an |
1049 | * error, log it but don't fail yet. | |
91c3830e | 1050 | */ |
7133b912 | 1051 | static int mount_autodev(const char *name, const struct lxc_rootfs *rootfs, |
63012bdd | 1052 | int autodevtmpfssize, const char *lxcpath) |
91c3830e | 1053 | { |
2f443e88 | 1054 | __do_free char *path = NULL; |
91c3830e | 1055 | int ret; |
87da4ec3 | 1056 | size_t clen; |
87e0e273 | 1057 | mode_t cur_mask; |
63012bdd | 1058 | char mount_options[128]; |
91c3830e | 1059 | |
7133b912 | 1060 | INFO("Preparing \"/dev\""); |
bc6928ff | 1061 | |
14221cbb | 1062 | /* $(rootfs->mount) + "/dev/pts" + '\0' */ |
ec50007f | 1063 | clen = (rootfs->path ? strlen(rootfs->mount) : 0) + 9; |
2f443e88 | 1064 | path = must_realloc(NULL, clen); |
63012bdd CK |
1065 | sprintf(mount_options, "size=%d,mode=755", (autodevtmpfssize != 0) ? autodevtmpfssize : 500000); |
1066 | DEBUG("Using mount options: %s", mount_options); | |
bc6928ff | 1067 | |
ec50007f | 1068 | ret = snprintf(path, clen, "%s/dev", rootfs->path ? rootfs->mount : ""); |
7133b912 | 1069 | if (ret < 0 || (size_t)ret >= clen) |
91c3830e | 1070 | return -1; |
bc6928ff | 1071 | |
87e0e273 CB |
1072 | cur_mask = umask(S_IXUSR | S_IXGRP | S_IXOTH); |
1073 | ret = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); | |
1074 | if (ret < 0 && errno != EEXIST) { | |
1075 | SYSERROR("Failed to create \"/dev\" directory"); | |
1076 | ret = -errno; | |
1077 | goto reset_umask; | |
bc6928ff | 1078 | } |
87da4ec3 | 1079 | |
63012bdd CK |
1080 | ret = safe_mount("none", path, "tmpfs", 0, mount_options, |
1081 | rootfs->path ? rootfs->mount : NULL ); | |
7133b912 CB |
1082 | if (ret < 0) { |
1083 | SYSERROR("Failed to mount tmpfs on \"%s\"", path); | |
87e0e273 | 1084 | goto reset_umask; |
91c3830e | 1085 | } |
87e0e273 | 1086 | TRACE("Mounted tmpfs on \"%s\"", path); |
87da4ec3 | 1087 | |
ec50007f | 1088 | ret = snprintf(path, clen, "%s/dev/pts", rootfs->path ? rootfs->mount : ""); |
87e0e273 CB |
1089 | if (ret < 0 || (size_t)ret >= clen) { |
1090 | ret = -1; | |
1091 | goto reset_umask; | |
1092 | } | |
87da4ec3 | 1093 | |
7133b912 | 1094 | /* If we are running on a devtmpfs mapping, dev/pts may already exist. |
bc6928ff MW |
1095 | * If not, then create it and exit if that fails... |
1096 | */ | |
87e0e273 CB |
1097 | ret = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); |
1098 | if (ret < 0 && errno != EEXIST) { | |
1099 | SYSERROR("Failed to create directory \"%s\"", path); | |
1100 | ret = -errno; | |
1101 | goto reset_umask; | |
91c3830e SH |
1102 | } |
1103 | ||
87e0e273 CB |
1104 | ret = 0; |
1105 | ||
1106 | reset_umask: | |
1107 | (void)umask(cur_mask); | |
1108 | ||
7133b912 | 1109 | INFO("Prepared \"/dev\""); |
87e0e273 | 1110 | return ret; |
91c3830e SH |
1111 | } |
1112 | ||
5e73416f | 1113 | struct lxc_device_node { |
74a3920a | 1114 | const char *name; |
5e73416f CB |
1115 | const mode_t mode; |
1116 | const int maj; | |
1117 | const int min; | |
c6883f38 SH |
1118 | }; |
1119 | ||
5e73416f | 1120 | static const struct lxc_device_node lxc_devices[] = { |
06749971 | 1121 | { "full", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 7 }, |
5e73416f | 1122 | { "null", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 3 }, |
06749971 CB |
1123 | { "random", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 8 }, |
1124 | { "tty", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 5, 0 }, | |
5e73416f CB |
1125 | { "urandom", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 9 }, |
1126 | { "zero", S_IFCHR | S_IRWXU | S_IRWXG | S_IRWXO, 1, 5 }, | |
c6883f38 SH |
1127 | }; |
1128 | ||
5067e4dd CB |
1129 | |
1130 | enum { | |
1131 | LXC_DEVNODE_BIND, | |
1132 | LXC_DEVNODE_MKNOD, | |
1133 | LXC_DEVNODE_PARTIAL, | |
1134 | LXC_DEVNODE_OPEN, | |
1135 | }; | |
1136 | ||
27245ff7 | 1137 | static int lxc_fill_autodev(const struct lxc_rootfs *rootfs) |
c6883f38 | 1138 | { |
5e73416f | 1139 | int i, ret; |
6b5a54cd | 1140 | char path[PATH_MAX]; |
3a32201c | 1141 | mode_t cmask; |
5067e4dd | 1142 | int use_mknod = LXC_DEVNODE_MKNOD; |
c6883f38 | 1143 | |
6b5a54cd | 1144 | ret = snprintf(path, PATH_MAX, "%s/dev", |
3999be0a | 1145 | rootfs->path ? rootfs->mount : ""); |
6b5a54cd | 1146 | if (ret < 0 || ret >= PATH_MAX) |
c6883f38 | 1147 | return -1; |
91c3830e | 1148 | |
0bbf8572 CB |
1149 | /* ignore, just don't try to fill in */ |
1150 | if (!dir_exists(path)) | |
9cb4d183 SH |
1151 | return 0; |
1152 | ||
3999be0a CB |
1153 | INFO("Populating \"/dev\""); |
1154 | ||
3a32201c | 1155 | cmask = umask(S_IXUSR | S_IXGRP | S_IXOTH); |
5e73416f | 1156 | for (i = 0; i < sizeof(lxc_devices) / sizeof(lxc_devices[0]); i++) { |
6b5a54cd | 1157 | char hostpath[PATH_MAX]; |
5e73416f | 1158 | const struct lxc_device_node *device = &lxc_devices[i]; |
0728ebf4 | 1159 | |
6b5a54cd | 1160 | ret = snprintf(path, PATH_MAX, "%s/dev/%s", |
5e73416f | 1161 | rootfs->path ? rootfs->mount : "", device->name); |
6b5a54cd | 1162 | if (ret < 0 || ret >= PATH_MAX) |
c6883f38 | 1163 | return -1; |
0bbf8572 | 1164 | |
5067e4dd | 1165 | if (use_mknod >= LXC_DEVNODE_MKNOD) { |
5e73416f CB |
1166 | ret = mknod(path, device->mode, makedev(device->maj, device->min)); |
1167 | if (ret == 0 || (ret < 0 && errno == EEXIST)) { | |
1168 | DEBUG("Created device node \"%s\"", path); | |
5067e4dd | 1169 | } else if (ret < 0) { |
55022530 CB |
1170 | if (errno != EPERM) |
1171 | return log_error_errno(-1, errno, "Failed to create device node \"%s\"", path); | |
0bbf8572 | 1172 | |
5067e4dd | 1173 | use_mknod = LXC_DEVNODE_BIND; |
9cb4d183 | 1174 | } |
3999be0a | 1175 | |
5067e4dd CB |
1176 | /* Device nodes are fully useable. */ |
1177 | if (use_mknod == LXC_DEVNODE_OPEN) | |
1178 | continue; | |
1179 | ||
1180 | if (use_mknod == LXC_DEVNODE_MKNOD) { | |
1181 | /* See | |
1182 | * - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=55956b59df336f6738da916dbb520b6e37df9fbd | |
1183 | * - https://lists.linuxfoundation.org/pipermail/containers/2018-June/039176.html | |
1184 | */ | |
1185 | ret = open(path, O_RDONLY | O_CLOEXEC); | |
1186 | if (ret >= 0) { | |
ae2a3d81 | 1187 | close_prot_errno_disarm(ret); |
5067e4dd CB |
1188 | /* Device nodes are fully useable. */ |
1189 | use_mknod = LXC_DEVNODE_OPEN; | |
1190 | continue; | |
1191 | } | |
1192 | ||
1193 | SYSTRACE("Failed to open \"%s\" device", path); | |
1194 | /* Device nodes are only partially useable. */ | |
1195 | use_mknod = LXC_DEVNODE_PARTIAL; | |
1196 | } | |
5e73416f CB |
1197 | } |
1198 | ||
5067e4dd CB |
1199 | if (use_mknod != LXC_DEVNODE_PARTIAL) { |
1200 | /* If we are dealing with partially functional device | |
1201 | * nodes the prio mknod() call will have created the | |
1202 | * device node so we can use it as a bind-mount target. | |
1203 | */ | |
1204 | ret = mknod(path, S_IFREG | 0000, 0); | |
55022530 CB |
1205 | if (ret < 0 && errno != EEXIST) |
1206 | return log_error_errno(-1, errno, "Failed to create file \"%s\"", path); | |
5e73416f CB |
1207 | } |
1208 | ||
1209 | /* Fallback to bind-mounting the device from the host. */ | |
6b5a54cd CB |
1210 | ret = snprintf(hostpath, PATH_MAX, "/dev/%s", device->name); |
1211 | if (ret < 0 || ret >= PATH_MAX) | |
5e73416f CB |
1212 | return -1; |
1213 | ||
1214 | ret = safe_mount(hostpath, path, 0, MS_BIND, NULL, | |
1215 | rootfs->path ? rootfs->mount : NULL); | |
55022530 CB |
1216 | if (ret < 0) |
1217 | return log_error_errno(-1, errno, "Failed to bind mount host device node \"%s\" onto \"%s\"", | |
1218 | hostpath, path); | |
1219 | DEBUG("Bind mounted host device node \"%s\" onto \"%s\"", hostpath, path); | |
c6883f38 | 1220 | } |
5e73416f | 1221 | (void)umask(cmask); |
c6883f38 | 1222 | |
3999be0a | 1223 | INFO("Populated \"/dev\""); |
c6883f38 SH |
1224 | return 0; |
1225 | } | |
1226 | ||
8ce1abc2 | 1227 | static int lxc_mount_rootfs(struct lxc_conf *conf) |
0ad19a3f | 1228 | { |
9aa76a17 | 1229 | int ret; |
10bc1861 | 1230 | struct lxc_storage *bdev; |
8ce1abc2 | 1231 | const struct lxc_rootfs *rootfs = &conf->rootfs; |
cc28d0b0 | 1232 | |
a0f379bf | 1233 | if (!rootfs->path) { |
0fd73091 | 1234 | ret = mount("", "/", NULL, MS_SLAVE | MS_REC, 0); |
55022530 | 1235 | if (ret < 0) |
9e61fb1f | 1236 | return log_error_errno(-1, errno, "Failed to recursively turn root mount tree into dependent mount"); |
0fd73091 | 1237 | |
c69bd12f | 1238 | return 0; |
a0f379bf | 1239 | } |
0ad19a3f | 1240 | |
0fd73091 | 1241 | ret = access(rootfs->mount, F_OK); |
55022530 CB |
1242 | if (ret != 0) |
1243 | return log_error_errno(-1, errno, "Failed to access to \"%s\". Check it is present", | |
1244 | rootfs->mount); | |
b1789442 | 1245 | |
8a388ed4 | 1246 | bdev = storage_init(conf); |
55022530 CB |
1247 | if (!bdev) |
1248 | return log_error(-1, "Failed to mount rootfs \"%s\" onto \"%s\" with options \"%s\"", | |
1249 | rootfs->path, rootfs->mount, | |
1250 | rootfs->options ? rootfs->options : "(null)"); | |
9aa76a17 CB |
1251 | |
1252 | ret = bdev->ops->mount(bdev); | |
10bc1861 | 1253 | storage_put(bdev); |
55022530 CB |
1254 | if (ret < 0) |
1255 | return log_error(-1, "Failed to mount rootfs \"%s\" onto \"%s\" with options \"%s\"", | |
1256 | rootfs->path, rootfs->mount, | |
1257 | rootfs->options ? rootfs->options : "(null)"); | |
0ad19a3f | 1258 | |
0fd73091 | 1259 | DEBUG("Mounted rootfs \"%s\" onto \"%s\" with options \"%s\"", |
91c3e281 CB |
1260 | rootfs->path, rootfs->mount, |
1261 | rootfs->options ? rootfs->options : "(null)"); | |
9aa76a17 | 1262 | |
ac778708 DL |
1263 | return 0; |
1264 | } | |
1265 | ||
59eac805 | 1266 | static int lxc_chroot(const struct lxc_rootfs *rootfs) |
91e93c71 | 1267 | { |
b8d88764 | 1268 | __do_free char *nroot = NULL; |
0fd73091 | 1269 | int i, ret; |
8ce1abc2 | 1270 | char *root = rootfs->mount; |
91e93c71 | 1271 | |
74e7b662 | 1272 | nroot = realpath(root, NULL); |
55022530 CB |
1273 | if (!nroot) |
1274 | return log_error_errno(-1, errno, "Failed to resolve \"%s\"", root); | |
91e93c71 | 1275 | |
0fd73091 | 1276 | ret = chdir("/"); |
b8d88764 | 1277 | if (ret < 0) |
0fd73091 | 1278 | return -1; |
91e93c71 | 1279 | |
0fd73091 CB |
1280 | /* We could use here MS_MOVE, but in userns this mount is locked and |
1281 | * can't be moved. | |
91e93c71 | 1282 | */ |
8ce1abc2 | 1283 | ret = mount(nroot, "/", NULL, MS_REC | MS_BIND, NULL); |
55022530 CB |
1284 | if (ret < 0) |
1285 | return log_error_errno(-1, errno, "Failed to mount \"%s\" onto \"/\" as MS_REC | MS_BIND", nroot); | |
91e93c71 | 1286 | |
0fd73091 | 1287 | ret = mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL); |
55022530 CB |
1288 | if (ret < 0) |
1289 | return log_error_errno(-1, errno, "Failed to remount \"/\""); | |
91e93c71 | 1290 | |
aa899945 | 1291 | /* The following code cleans up inherited mounts which are not required |
0fd73091 | 1292 | * for CT. |
91e93c71 AV |
1293 | * |
1294 | * The mountinfo file shows not all mounts, if a few points have been | |
1295 | * unmounted between read operations from the mountinfo. So we need to | |
1296 | * read mountinfo a few times. | |
1297 | * | |
7ded5fa7 | 1298 | * This loop can be skipped if a container uses userns, because all |
91e93c71 AV |
1299 | * inherited mounts are locked and we should live with all this trash. |
1300 | */ | |
0fd73091 | 1301 | for (;;) { |
4fdd1f72 | 1302 | __do_fclose FILE *f = NULL; |
f3d38164 CB |
1303 | __do_free char *line = NULL; |
1304 | char *slider1, *slider2; | |
91e93c71 | 1305 | int progress = 0; |
f3d38164 | 1306 | size_t len = 0; |
91e93c71 | 1307 | |
4110345b | 1308 | f = fopen("./proc/self/mountinfo", "re"); |
55022530 CB |
1309 | if (!f) |
1310 | return log_error_errno(-1, errno, "Failed to open \"/proc/self/mountinfo\""); | |
0fd73091 | 1311 | |
f3d38164 CB |
1312 | while (getline(&line, &len, f) > 0) { |
1313 | for (slider1 = line, i = 0; slider1 && i < 4; i++) | |
1314 | slider1 = strchr(slider1 + 1, ' '); | |
0fd73091 | 1315 | |
f3d38164 | 1316 | if (!slider1) |
91e93c71 | 1317 | continue; |
0fd73091 | 1318 | |
f3d38164 CB |
1319 | slider2 = strchr(slider1 + 1, ' '); |
1320 | if (!slider2) | |
91e93c71 AV |
1321 | continue; |
1322 | ||
f3d38164 CB |
1323 | *slider2 = '\0'; |
1324 | *slider1 = '.'; | |
91e93c71 | 1325 | |
f3d38164 | 1326 | if (strcmp(slider1 + 1, "/") == 0) |
91e93c71 | 1327 | continue; |
0fd73091 | 1328 | |
f3d38164 | 1329 | if (strcmp(slider1 + 1, "/proc") == 0) |
91e93c71 AV |
1330 | continue; |
1331 | ||
f3d38164 | 1332 | ret = umount2(slider1, MNT_DETACH); |
0fd73091 | 1333 | if (ret == 0) |
91e93c71 AV |
1334 | progress++; |
1335 | } | |
0fd73091 | 1336 | |
91e93c71 AV |
1337 | if (!progress) |
1338 | break; | |
1339 | } | |
1340 | ||
7ded5fa7 | 1341 | /* This also can be skipped if a container uses userns. */ |
0fd73091 | 1342 | (void)umount2("./proc", MNT_DETACH); |
91e93c71 AV |
1343 | |
1344 | /* It is weird, but chdir("..") moves us in a new root */ | |
0fd73091 | 1345 | ret = chdir(".."); |
55022530 CB |
1346 | if (ret < 0) |
1347 | return log_error_errno(-1, errno, "Failed to chdir(\"..\")"); | |
91e93c71 | 1348 | |
0fd73091 | 1349 | ret = chroot("."); |
55022530 CB |
1350 | if (ret < 0) |
1351 | return log_error_errno(-1, errno, "Failed to chroot(\".\")"); | |
91e93c71 AV |
1352 | |
1353 | return 0; | |
1354 | } | |
1355 | ||
8ce1abc2 CB |
1356 | /* (The following explanation is copied verbatim from the kernel.) |
1357 | * | |
1358 | * pivot_root Semantics: | |
1359 | * Moves the root file system of the current process to the directory put_old, | |
1360 | * makes new_root as the new root file system of the current process, and sets | |
1361 | * root/cwd of all processes which had them on the current root to new_root. | |
1362 | * | |
1363 | * Restrictions: | |
1364 | * The new_root and put_old must be directories, and must not be on the | |
1365 | * same file system as the current process root. The put_old must be | |
1366 | * underneath new_root, i.e. adding a non-zero number of /.. to the string | |
1367 | * pointed to by put_old must yield the same directory as new_root. No other | |
1368 | * file system may be mounted on put_old. After all, new_root is a mountpoint. | |
1369 | * | |
1370 | * Also, the current root cannot be on the 'rootfs' (initial ramfs) filesystem. | |
1371 | * See Documentation/filesystems/ramfs-rootfs-initramfs.txt for alternatives | |
1372 | * in this situation. | |
1373 | * | |
1374 | * Notes: | |
1375 | * - we don't move root/cwd if they are not at the root (reason: if something | |
1376 | * cared enough to change them, it's probably wrong to force them elsewhere) | |
1377 | * - it's okay to pick a root that isn't the root of a file system, e.g. | |
1378 | * /nfs/my_root where /nfs is the mount point. It must be a mountpoint, | |
1379 | * though, so you may need to say mount --bind /nfs/my_root /nfs/my_root | |
1380 | * first. | |
1381 | */ | |
1382 | static int lxc_pivot_root(const char *rootfs) | |
ac778708 | 1383 | { |
f62cf1d4 | 1384 | __do_close int oldroot = -EBADF, newroot = -EBADF; |
b0d7aac4 | 1385 | int ret; |
0fd73091 | 1386 | |
7806ebd7 | 1387 | oldroot = open("/", O_DIRECTORY | O_RDONLY | O_CLOEXEC); |
55022530 CB |
1388 | if (oldroot < 0) |
1389 | return log_error_errno(-1, errno, "Failed to open old root directory"); | |
ac778708 | 1390 | |
7806ebd7 | 1391 | newroot = open(rootfs, O_DIRECTORY | O_RDONLY | O_CLOEXEC); |
55022530 CB |
1392 | if (newroot < 0) |
1393 | return log_error_errno(-1, errno, "Failed to open new root directory"); | |
0fd73091 | 1394 | |
8ce1abc2 CB |
1395 | /* change into new root fs */ |
1396 | ret = fchdir(newroot); | |
55022530 CB |
1397 | if (ret < 0) |
1398 | return log_error_errno(-1, errno, "Failed to change to new rootfs \"%s\"", rootfs); | |
39c7b795 | 1399 | |
8ce1abc2 CB |
1400 | /* pivot_root into our new root fs */ |
1401 | ret = pivot_root(".", "."); | |
55022530 CB |
1402 | if (ret < 0) |
1403 | return log_error_errno(-1, errno, "Failed to pivot_root()"); | |
39c7b795 | 1404 | |
8ce1abc2 CB |
1405 | /* At this point the old-root is mounted on top of our new-root. To |
1406 | * unmounted it we must not be chdir'd into it, so escape back to | |
1407 | * old-root. | |
1408 | */ | |
1409 | ret = fchdir(oldroot); | |
55022530 CB |
1410 | if (ret < 0) |
1411 | return log_error_errno(-1, errno, "Failed to enter old root directory"); | |
c69bd12f | 1412 | |
9e61fb1f | 1413 | /* Make oldroot a depedent mount to make sure our umounts don't propagate to the |
8ce1abc2 CB |
1414 | * host. |
1415 | */ | |
1416 | ret = mount("", ".", "", MS_SLAVE | MS_REC, NULL); | |
55022530 | 1417 | if (ret < 0) |
9e61fb1f | 1418 | return log_error_errno(-1, errno, "Failed to recursively turn old root mount tree into dependent mount"); |
8ce1abc2 CB |
1419 | |
1420 | ret = umount2(".", MNT_DETACH); | |
55022530 CB |
1421 | if (ret < 0) |
1422 | return log_error_errno(-1, errno, "Failed to detach old root directory"); | |
8ce1abc2 CB |
1423 | |
1424 | ret = fchdir(newroot); | |
55022530 CB |
1425 | if (ret < 0) |
1426 | return log_error_errno(-1, errno, "Failed to re-enter new root directory"); | |
8ce1abc2 | 1427 | |
8ce1abc2 CB |
1428 | TRACE("pivot_root(\"%s\") successful", rootfs); |
1429 | ||
b0d7aac4 | 1430 | return 0; |
0ad19a3f | 1431 | } |
1432 | ||
8ce1abc2 CB |
1433 | static int lxc_setup_rootfs_switch_root(const struct lxc_rootfs *rootfs) |
1434 | { | |
55022530 CB |
1435 | if (!rootfs->path) |
1436 | return log_debug(0, "Container does not have a rootfs"); | |
8ce1abc2 CB |
1437 | |
1438 | if (detect_ramfs_rootfs()) | |
1439 | return lxc_chroot(rootfs); | |
1440 | ||
1441 | return lxc_pivot_root(rootfs->mount); | |
0ad19a3f | 1442 | } |
1443 | ||
7581a82f | 1444 | static const struct id_map *find_mapped_nsid_entry(const struct lxc_conf *conf, |
8ce1abc2 CB |
1445 | unsigned id, |
1446 | enum idtype idtype) | |
f4900711 CB |
1447 | { |
1448 | struct lxc_list *it; | |
1449 | struct id_map *map; | |
1450 | struct id_map *retmap = NULL; | |
1451 | ||
dcf0ffdf CB |
1452 | /* Shortcut for container's root mappings. */ |
1453 | if (id == 0) { | |
1454 | if (idtype == ID_TYPE_UID) | |
1455 | return conf->root_nsuid_map; | |
1456 | ||
1457 | if (idtype == ID_TYPE_GID) | |
1458 | return conf->root_nsgid_map; | |
1459 | } | |
1460 | ||
f4900711 CB |
1461 | lxc_list_for_each(it, &conf->id_map) { |
1462 | map = it->elem; | |
1463 | if (map->idtype != idtype) | |
1464 | continue; | |
1465 | ||
1466 | if (id >= map->nsid && id < map->nsid + map->range) { | |
1467 | retmap = map; | |
1468 | break; | |
1469 | } | |
1470 | } | |
1471 | ||
1472 | return retmap; | |
1473 | } | |
1474 | ||
f797f05e | 1475 | static int lxc_setup_devpts(struct lxc_handler *handler) |
3c26f34e | 1476 | { |
f797f05e | 1477 | __do_close int devpts_fd = -EBADF; |
70761e5e | 1478 | int ret; |
ce155c60 | 1479 | char **opts; |
9d28c4f9 | 1480 | char devpts_mntopts[256]; |
ce155c60 CB |
1481 | char *mntopt_sets[5]; |
1482 | char default_devpts_mntopts[256] = "gid=5,newinstance,ptmxmode=0666,mode=0620"; | |
f797f05e CB |
1483 | struct lxc_conf *conf = handler->conf; |
1484 | int sock = handler->data_sock[0]; | |
77890c6d | 1485 | |
55022530 CB |
1486 | if (conf->pty_max <= 0) |
1487 | return log_debug(0, "No new devpts instance will be mounted since no pts devices are requested"); | |
3c26f34e | 1488 | |
e528c735 CB |
1489 | ret = snprintf(devpts_mntopts, sizeof(devpts_mntopts), "%s,max=%zu", |
1490 | default_devpts_mntopts, conf->pty_max); | |
9d28c4f9 CB |
1491 | if (ret < 0 || (size_t)ret >= sizeof(devpts_mntopts)) |
1492 | return -1; | |
1493 | ||
29a7b484 | 1494 | (void)umount2("/dev/pts", MNT_DETACH); |
7e40254a | 1495 | |
70761e5e CB |
1496 | /* Create mountpoint for devpts instance. */ |
1497 | ret = mkdir("/dev/pts", 0755); | |
55022530 CB |
1498 | if (ret < 0 && errno != EEXIST) |
1499 | return log_error_errno(-1, errno, "Failed to create \"/dev/pts\" directory"); | |
3c26f34e | 1500 | |
ce155c60 CB |
1501 | /* gid=5 && max= */ |
1502 | mntopt_sets[0] = devpts_mntopts; | |
dfbd4730 | 1503 | |
ce155c60 | 1504 | /* !gid=5 && max= */ |
6333c915 | 1505 | mntopt_sets[1] = devpts_mntopts + STRLITERALLEN("gid=5") + 1; |
ce155c60 CB |
1506 | |
1507 | /* gid=5 && !max= */ | |
1508 | mntopt_sets[2] = default_devpts_mntopts; | |
1509 | ||
1510 | /* !gid=5 && !max= */ | |
6333c915 | 1511 | mntopt_sets[3] = default_devpts_mntopts + STRLITERALLEN("gid=5") + 1; |
ce155c60 CB |
1512 | |
1513 | /* end */ | |
1514 | mntopt_sets[4] = NULL; | |
1515 | ||
1516 | for (ret = -1, opts = mntopt_sets; opts && *opts; opts++) { | |
1517 | /* mount new devpts instance */ | |
1518 | ret = mount("devpts", "/dev/pts", "devpts", MS_NOSUID | MS_NOEXEC, *opts); | |
1519 | if (ret == 0) | |
1520 | break; | |
1521 | } | |
1522 | ||
55022530 CB |
1523 | if (ret < 0) |
1524 | return log_error_errno(-1, errno, "Failed to mount new devpts instance"); | |
ce155c60 | 1525 | DEBUG("Mount new devpts instance with options \"%s\"", *opts); |
70761e5e | 1526 | |
f797f05e CB |
1527 | devpts_fd = open_tree(-EBADF, "/dev/pts", OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC | AT_EMPTY_PATH); |
1528 | if (devpts_fd < 0) { | |
1529 | TRACE("Failed to create detached devpts mount"); | |
1530 | ret = lxc_abstract_unix_send_fds(sock, NULL, 0, NULL, 0); | |
1531 | } else { | |
1532 | ret = lxc_abstract_unix_send_fds(sock, &devpts_fd, 1, NULL, 0); | |
1533 | } | |
1534 | if (ret < 0) | |
1535 | return log_error_errno(-1, errno, "Failed to send devpts fd to parent"); | |
1536 | ||
d5cb35d6 | 1537 | /* Remove any pre-existing /dev/ptmx file. */ |
b29e05d6 CB |
1538 | ret = remove("/dev/ptmx"); |
1539 | if (ret < 0) { | |
55022530 CB |
1540 | if (errno != ENOENT) |
1541 | return log_error_errno(-1, errno, "Failed to remove existing \"/dev/ptmx\" file"); | |
b29e05d6 | 1542 | } else { |
0fd73091 | 1543 | DEBUG("Removed existing \"/dev/ptmx\" file"); |
3c26f34e | 1544 | } |
1545 | ||
d5cb35d6 | 1546 | /* Create dummy /dev/ptmx file as bind mountpoint for /dev/pts/ptmx. */ |
3b7e332f | 1547 | ret = mknod("/dev/ptmx", S_IFREG | 0000, 0); |
55022530 CB |
1548 | if (ret < 0 && errno != EEXIST) |
1549 | return log_error_errno(-1, errno, "Failed to create dummy \"/dev/ptmx\" file as bind mount target"); | |
0fd73091 | 1550 | DEBUG("Created dummy \"/dev/ptmx\" file as bind mount target"); |
77890c6d | 1551 | |
d5cb35d6 | 1552 | /* Fallback option: create symlink /dev/ptmx -> /dev/pts/ptmx */ |
e87bd19c | 1553 | ret = mount("/dev/pts/ptmx", "/dev/ptmx", NULL, MS_BIND, NULL); |
55022530 CB |
1554 | if (!ret) |
1555 | return log_debug(0, "Bind mounted \"/dev/pts/ptmx\" to \"/dev/ptmx\""); | |
1556 | else | |
d5cb35d6 | 1557 | /* Fallthrough and try to create a symlink. */ |
0fd73091 | 1558 | ERROR("Failed to bind mount \"/dev/pts/ptmx\" to \"/dev/ptmx\""); |
d5cb35d6 CB |
1559 | |
1560 | /* Remove the dummy /dev/ptmx file we created above. */ | |
1561 | ret = remove("/dev/ptmx"); | |
55022530 CB |
1562 | if (ret < 0) |
1563 | return log_error_errno(-1, errno, "Failed to remove existing \"/dev/ptmx\""); | |
d5cb35d6 CB |
1564 | |
1565 | /* Fallback option: Create symlink /dev/ptmx -> /dev/pts/ptmx. */ | |
1566 | ret = symlink("/dev/pts/ptmx", "/dev/ptmx"); | |
55022530 CB |
1567 | if (ret < 0) |
1568 | return log_error_errno(-1, errno, "Failed to create symlink from \"/dev/ptmx\" to \"/dev/pts/ptmx\""); | |
0fd73091 | 1569 | DEBUG("Created symlink from \"/dev/ptmx\" to \"/dev/pts/ptmx\""); |
cd54d859 | 1570 | |
3c26f34e | 1571 | return 0; |
1572 | } | |
1573 | ||
cccc74b5 DL |
1574 | static int setup_personality(int persona) |
1575 | { | |
0fd73091 CB |
1576 | int ret; |
1577 | ||
1578 | #if HAVE_SYS_PERSONALITY_H | |
cccc74b5 DL |
1579 | if (persona == -1) |
1580 | return 0; | |
1581 | ||
0fd73091 | 1582 | ret = personality(persona); |
55022530 CB |
1583 | if (ret < 0) |
1584 | return log_error_errno(-1, errno, "Failed to set personality to \"0x%x\"", persona); | |
cccc74b5 | 1585 | |
0fd73091 CB |
1586 | INFO("Set personality to \"0x%x\"", persona); |
1587 | #endif | |
cccc74b5 DL |
1588 | |
1589 | return 0; | |
1590 | } | |
1591 | ||
efbfe93f CB |
1592 | static inline bool wants_console(const struct lxc_terminal *terminal) |
1593 | { | |
1594 | return !terminal->path || strcmp(terminal->path, "none"); | |
1595 | } | |
1596 | ||
3d7d929a | 1597 | static int lxc_setup_dev_console(const struct lxc_rootfs *rootfs, |
cf68ffd9 | 1598 | const struct lxc_terminal *console, |
41808e20 | 1599 | int pty_mnt_fd) |
6e590161 | 1600 | { |
882671aa | 1601 | int ret; |
6b5a54cd | 1602 | char path[PATH_MAX]; |
86530b0a | 1603 | char *rootfs_path = rootfs->path ? rootfs->mount : ""; |
52e35957 | 1604 | |
efbfe93f | 1605 | if (!wants_console(console)) |
8b1b1210 CB |
1606 | return 0; |
1607 | ||
86530b0a | 1608 | ret = snprintf(path, sizeof(path), "%s/dev/console", rootfs_path); |
3d7d929a | 1609 | if (ret < 0 || (size_t)ret >= sizeof(path)) |
7c6ef2a2 | 1610 | return -1; |
52e35957 | 1611 | |
cf68ffd9 CB |
1612 | /* |
1613 | * When we are asked to setup a console we remove any previous | |
8b1b1210 CB |
1614 | * /dev/console bind-mounts. |
1615 | */ | |
a7ba3c7f CB |
1616 | if (file_exists(path)) { |
1617 | ret = lxc_unstack_mountpoint(path, false); | |
55022530 CB |
1618 | if (ret < 0) |
1619 | return log_error_errno(-ret, errno, "Failed to unmount \"%s\"", path); | |
1620 | else | |
86530b0a | 1621 | DEBUG("Cleared all (%d) mounts from \"%s\"", ret, path); |
8b1b1210 CB |
1622 | } |
1623 | ||
cf68ffd9 CB |
1624 | /* |
1625 | * For unprivileged containers autodev or automounts will already have | |
8b1b1210 CB |
1626 | * taken care of creating /dev/console. |
1627 | */ | |
882671aa | 1628 | ret = mknod(path, S_IFREG | 0000, 0); |
55022530 CB |
1629 | if (ret < 0 && errno != EEXIST) |
1630 | return log_error_errno(-errno, errno, "Failed to create console"); | |
52e35957 | 1631 | |
41808e20 | 1632 | ret = fchmod(console->pty, S_IXUSR | S_IXGRP); |
55022530 CB |
1633 | if (ret < 0) |
1634 | return log_error_errno(-errno, errno, "Failed to set mode \"0%o\" to \"%s\"", S_IXUSR | S_IXGRP, console->name); | |
13954cce | 1635 | |
41808e20 CB |
1636 | if (pty_mnt_fd >= 0) { |
1637 | ret = move_mount(pty_mnt_fd, "", -EBADF, path, MOVE_MOUNT_F_EMPTY_PATH); | |
efbfe93f CB |
1638 | if (!ret) { |
1639 | DEBUG("Moved mount \"%s\" onto \"%s\"", console->name, path); | |
1640 | goto finish; | |
1641 | } | |
1642 | ||
1643 | if (ret && errno != ENOSYS) | |
1644 | return log_error_errno(-1, errno, | |
1645 | "Failed to mount %d(%s) on \"%s\"", | |
41808e20 | 1646 | pty_mnt_fd, console->name, path); |
efbfe93f CB |
1647 | } |
1648 | ||
1649 | ret = safe_mount(console->name, path, "none", MS_BIND, 0, rootfs_path); | |
55022530 | 1650 | if (ret < 0) |
41808e20 | 1651 | return log_error_errno(-1, errno, "Failed to mount %d(%s) on \"%s\"", pty_mnt_fd, console->name, path); |
6e590161 | 1652 | |
efbfe93f | 1653 | finish: |
41808e20 | 1654 | DEBUG("Mounted pty device %d(%s) onto \"%s\"", pty_mnt_fd, console->name, path); |
7c6ef2a2 SH |
1655 | return 0; |
1656 | } | |
1657 | ||
3d7d929a | 1658 | static int lxc_setup_ttydir_console(const struct lxc_rootfs *rootfs, |
dcad02f8 | 1659 | const struct lxc_terminal *console, |
41808e20 | 1660 | char *ttydir, int pty_mnt_fd) |
7c6ef2a2 | 1661 | { |
3b7e332f | 1662 | int ret; |
6b5a54cd | 1663 | char path[PATH_MAX], lxcpath[PATH_MAX]; |
86530b0a | 1664 | char *rootfs_path = rootfs->path ? rootfs->mount : ""; |
7c6ef2a2 | 1665 | |
efbfe93f | 1666 | if (!wants_console(console)) |
3dc035f1 L |
1667 | return 0; |
1668 | ||
7c6ef2a2 | 1669 | /* create rootfs/dev/<ttydir> directory */ |
86530b0a | 1670 | ret = snprintf(path, sizeof(path), "%s/dev/%s", rootfs_path, ttydir); |
3d7d929a | 1671 | if (ret < 0 || (size_t)ret >= sizeof(path)) |
7c6ef2a2 | 1672 | return -1; |
3d7d929a | 1673 | |
7c6ef2a2 | 1674 | ret = mkdir(path, 0755); |
55022530 CB |
1675 | if (ret && errno != EEXIST) |
1676 | return log_error_errno(-errno, errno, "Failed to create \"%s\"", path); | |
4742cd9a | 1677 | DEBUG("Created directory for console and tty devices at \"%s\"", path); |
7c6ef2a2 | 1678 | |
86530b0a | 1679 | ret = snprintf(lxcpath, sizeof(lxcpath), "%s/dev/%s/console", rootfs_path, ttydir); |
3d7d929a CB |
1680 | if (ret < 0 || (size_t)ret >= sizeof(lxcpath)) |
1681 | return -1; | |
1682 | ||
3b7e332f | 1683 | ret = mknod(lxcpath, S_IFREG | 0000, 0); |
55022530 CB |
1684 | if (ret < 0 && errno != EEXIST) |
1685 | return log_error_errno(-errno, errno, "Failed to create \"%s\"", lxcpath); | |
7c6ef2a2 | 1686 | |
86530b0a | 1687 | ret = snprintf(path, sizeof(path), "%s/dev/console", rootfs_path); |
3dc035f1 | 1688 | if (ret < 0 || (size_t)ret >= sizeof(path)) |
7c6ef2a2 | 1689 | return -1; |
2a12fefd | 1690 | |
3dc035f1 | 1691 | if (file_exists(path)) { |
a7ba3c7f | 1692 | ret = lxc_unstack_mountpoint(path, false); |
55022530 CB |
1693 | if (ret < 0) |
1694 | return log_error_errno(-ret, errno, "Failed to unmount \"%s\"", path); | |
1695 | else | |
86530b0a | 1696 | DEBUG("Cleared all (%d) mounts from \"%s\"", ret, path); |
3dc035f1 | 1697 | } |
2a12fefd | 1698 | |
3b7e332f | 1699 | ret = mknod(path, S_IFREG | 0000, 0); |
55022530 CB |
1700 | if (ret < 0 && errno != EEXIST) |
1701 | return log_error_errno(-errno, errno, "Failed to create console"); | |
7c6ef2a2 | 1702 | |
41808e20 | 1703 | ret = fchmod(console->pty, S_IXUSR | S_IXGRP); |
55022530 CB |
1704 | if (ret < 0) |
1705 | return log_error_errno(-errno, errno, "Failed to set mode \"0%o\" to \"%s\"", S_IXUSR | S_IXGRP, console->name); | |
2a12fefd | 1706 | |
3dc035f1 | 1707 | /* bind mount console->name to '/dev/<ttydir>/console' */ |
41808e20 CB |
1708 | if (pty_mnt_fd >= 0) { |
1709 | ret = move_mount(pty_mnt_fd, "", -EBADF, lxcpath, MOVE_MOUNT_F_EMPTY_PATH); | |
efbfe93f CB |
1710 | if (!ret) { |
1711 | DEBUG("Moved mount \"%s\" onto \"%s\"", console->name, lxcpath); | |
1712 | goto finish; | |
1713 | } | |
1714 | ||
1715 | if (ret && errno != ENOSYS) | |
1716 | return log_error_errno(-1, errno, | |
1717 | "Failed to mount %d(%s) on \"%s\"", | |
41808e20 | 1718 | pty_mnt_fd, console->name, lxcpath); |
efbfe93f CB |
1719 | } |
1720 | ||
1721 | ret = safe_mount(console->name, lxcpath, "none", MS_BIND, 0, rootfs_path); | |
55022530 | 1722 | if (ret < 0) |
41808e20 | 1723 | return log_error_errno(-1, errno, "Failed to mount %d(%s) on \"%s\"", pty_mnt_fd, console->name, lxcpath); |
86530b0a | 1724 | DEBUG("Mounted \"%s\" onto \"%s\"", console->name, lxcpath); |
3dc035f1 | 1725 | |
efbfe93f | 1726 | finish: |
3dc035f1 | 1727 | /* bind mount '/dev/<ttydir>/console' to '/dev/console' */ |
86530b0a | 1728 | ret = safe_mount(lxcpath, path, "none", MS_BIND, 0, rootfs_path); |
55022530 CB |
1729 | if (ret < 0) |
1730 | return log_error_errno(-1, errno, "Failed to mount \"%s\" on \"%s\"", console->name, lxcpath); | |
86530b0a | 1731 | DEBUG("Mounted \"%s\" onto \"%s\"", console->name, lxcpath); |
3dc035f1 | 1732 | |
86530b0a | 1733 | DEBUG("Console has been setup under \"%s\" and mounted to \"%s\"", lxcpath, path); |
6e590161 | 1734 | return 0; |
1735 | } | |
1736 | ||
3d7d929a | 1737 | static int lxc_setup_console(const struct lxc_rootfs *rootfs, |
cf68ffd9 | 1738 | const struct lxc_terminal *console, char *ttydir, |
41808e20 | 1739 | int pty_mnt_fd) |
7c6ef2a2 | 1740 | { |
3d7d929a | 1741 | |
7c6ef2a2 | 1742 | if (!ttydir) |
41808e20 | 1743 | return lxc_setup_dev_console(rootfs, console, pty_mnt_fd); |
7c6ef2a2 | 1744 | |
41808e20 | 1745 | return lxc_setup_ttydir_console(rootfs, console, ttydir, pty_mnt_fd); |
7c6ef2a2 SH |
1746 | } |
1747 | ||
a08bfbe3 | 1748 | static int parse_mntopt(char *opt, unsigned long *flags, char **data, size_t size) |
998ac676 | 1749 | { |
a08bfbe3 | 1750 | ssize_t ret; |
998ac676 | 1751 | |
85c2de39 MB |
1752 | /* If '=' is contained in opt, the option must go into data. */ |
1753 | if (!strchr(opt, '=')) { | |
a08bfbe3 CB |
1754 | /* |
1755 | * If opt is found in mount_opt, set or clear flags. | |
1756 | * Otherwise append it to data. | |
1757 | */ | |
85c2de39 | 1758 | size_t opt_len = strlen(opt); |
a08bfbe3 | 1759 | for (struct mount_opt *mo = &mount_opt[0]; mo->name != NULL; mo++) { |
85c2de39 | 1760 | size_t mo_name_len = strlen(mo->name); |
a08bfbe3 | 1761 | |
85c2de39 MB |
1762 | if (opt_len == mo_name_len && strncmp(opt, mo->name, mo_name_len) == 0) { |
1763 | if (mo->clear) | |
1764 | *flags &= ~mo->flag; | |
1765 | else | |
1766 | *flags |= mo->flag; | |
a08bfbe3 | 1767 | return 0; |
85c2de39 | 1768 | } |
998ac676 RT |
1769 | } |
1770 | } | |
1771 | ||
a08bfbe3 CB |
1772 | if (strlen(*data)) { |
1773 | ret = strlcat(*data, ",", size); | |
1774 | if (ret < 0) | |
1775 | return log_error_errno(ret, errno, "Failed to append \",\" to %s", *data); | |
1776 | } | |
1777 | ||
1778 | ret = strlcat(*data, opt, size); | |
1779 | if (ret < 0) | |
1780 | return log_error_errno(ret, errno, "Failed to append \"%s\" to %s", opt, *data); | |
efed99a4 | 1781 | |
a08bfbe3 | 1782 | return 0; |
998ac676 RT |
1783 | } |
1784 | ||
0fd73091 | 1785 | int parse_mntopts(const char *mntopts, unsigned long *mntflags, char **mntdata) |
998ac676 | 1786 | { |
a08bfbe3 CB |
1787 | __do_free char *mntopts_new = NULL, *mntopts_dup = NULL; |
1788 | char *mntopt_cur = NULL; | |
efed99a4 | 1789 | size_t size; |
998ac676 | 1790 | |
a08bfbe3 CB |
1791 | if (*mntdata || *mntflags) |
1792 | return ret_errno(EINVAL); | |
911324ef DL |
1793 | |
1794 | if (!mntopts) | |
998ac676 RT |
1795 | return 0; |
1796 | ||
a08bfbe3 CB |
1797 | mntopts_dup = strdup(mntopts); |
1798 | if (!mntopts_dup) | |
1799 | return ret_errno(ENOMEM); | |
998ac676 | 1800 | |
a08bfbe3 CB |
1801 | size = strlen(mntopts_dup) + 1; |
1802 | mntopts_new = zalloc(size); | |
1803 | if (!mntopts_new) | |
1804 | return ret_errno(ENOMEM); | |
998ac676 | 1805 | |
a08bfbe3 CB |
1806 | lxc_iterate_parts(mntopt_cur, mntopts_dup, ",") |
1807 | if (parse_mntopt(mntopt_cur, mntflags, &mntopts_new, size) < 0) | |
1808 | return ret_errno(EINVAL); | |
998ac676 | 1809 | |
a08bfbe3 CB |
1810 | if (*mntopts_new) |
1811 | *mntdata = move_ptr(mntopts_new); | |
998ac676 RT |
1812 | |
1813 | return 0; | |
1814 | } | |
1815 | ||
d840039e YT |
1816 | static void parse_propagationopt(char *opt, unsigned long *flags) |
1817 | { | |
1818 | struct mount_opt *mo; | |
1819 | ||
1820 | /* If opt is found in propagation_opt, set or clear flags. */ | |
d840039e | 1821 | for (mo = &propagation_opt[0]; mo->name != NULL; mo++) { |
0fd73091 CB |
1822 | if (strncmp(opt, mo->name, strlen(mo->name)) != 0) |
1823 | continue; | |
1824 | ||
1825 | if (mo->clear) | |
1826 | *flags &= ~mo->flag; | |
1827 | else | |
1828 | *flags |= mo->flag; | |
1829 | ||
1830 | return; | |
d840039e YT |
1831 | } |
1832 | } | |
1833 | ||
8ce1abc2 | 1834 | int parse_propagationopts(const char *mntopts, unsigned long *pflags) |
d840039e | 1835 | { |
dfd2e059 CB |
1836 | __do_free char *s = NULL; |
1837 | char *p; | |
d840039e YT |
1838 | |
1839 | if (!mntopts) | |
1840 | return 0; | |
1841 | ||
1842 | s = strdup(mntopts); | |
55022530 CB |
1843 | if (!s) |
1844 | return log_error_errno(-ENOMEM, errno, "Failed to allocate memory"); | |
d840039e | 1845 | |
0fd73091 | 1846 | *pflags = 0L; |
8db9d26f | 1847 | lxc_iterate_parts(p, s, ",") |
d840039e | 1848 | parse_propagationopt(p, pflags); |
0fd73091 | 1849 | |
d840039e YT |
1850 | return 0; |
1851 | } | |
1852 | ||
6fd5e769 SH |
1853 | static void null_endofword(char *word) |
1854 | { | |
1855 | while (*word && *word != ' ' && *word != '\t') | |
1856 | word++; | |
1857 | *word = '\0'; | |
1858 | } | |
1859 | ||
0fd73091 | 1860 | /* skip @nfields spaces in @src */ |
6fd5e769 SH |
1861 | static char *get_field(char *src, int nfields) |
1862 | { | |
6fd5e769 | 1863 | int i; |
0fd73091 | 1864 | char *p = src; |
6fd5e769 SH |
1865 | |
1866 | for (i = 0; i < nfields; i++) { | |
1867 | while (*p && *p != ' ' && *p != '\t') | |
1868 | p++; | |
0fd73091 | 1869 | |
6fd5e769 SH |
1870 | if (!*p) |
1871 | break; | |
0fd73091 | 1872 | |
6fd5e769 SH |
1873 | p++; |
1874 | } | |
0fd73091 | 1875 | |
6fd5e769 SH |
1876 | return p; |
1877 | } | |
1878 | ||
911324ef DL |
1879 | static int mount_entry(const char *fsname, const char *target, |
1880 | const char *fstype, unsigned long mountflags, | |
d840039e YT |
1881 | unsigned long pflags, const char *data, bool optional, |
1882 | bool dev, bool relative, const char *rootfs) | |
911324ef | 1883 | { |
0ac4b28a | 1884 | int ret; |
6b5a54cd | 1885 | char srcbuf[PATH_MAX]; |
181437fd | 1886 | const char *srcpath = fsname; |
614305f3 | 1887 | #ifdef HAVE_STATVFS |
2938f7c8 | 1888 | struct statvfs sb; |
614305f3 | 1889 | #endif |
2938f7c8 | 1890 | |
181437fd | 1891 | if (relative) { |
55022530 CB |
1892 | ret = snprintf(srcbuf, sizeof(srcbuf), "%s/%s", rootfs ? rootfs : "/", fsname ? fsname : ""); |
1893 | if (ret < 0 || ret >= sizeof(srcbuf)) | |
1894 | return log_error_errno(-1, errno, "source path is too long"); | |
181437fd YT |
1895 | srcpath = srcbuf; |
1896 | } | |
1897 | ||
1898 | ret = safe_mount(srcpath, target, fstype, mountflags & ~MS_REMOUNT, data, | |
0ac4b28a CB |
1899 | rootfs); |
1900 | if (ret < 0) { | |
55022530 CB |
1901 | if (optional) |
1902 | return log_info_errno(0, errno, "Failed to mount \"%s\" on \"%s\" (optional)", | |
1903 | srcpath ? srcpath : "(null)", target); | |
0ac4b28a | 1904 | |
55022530 CB |
1905 | return log_error_errno(-1, errno, "Failed to mount \"%s\" on \"%s\"", |
1906 | srcpath ? srcpath : "(null)", target); | |
911324ef DL |
1907 | } |
1908 | ||
1909 | if ((mountflags & MS_REMOUNT) || (mountflags & MS_BIND)) { | |
0ac4b28a | 1910 | |
55022530 CB |
1911 | DEBUG("Remounting \"%s\" on \"%s\" to respect bind or remount options", |
1912 | srcpath ? srcpath : "(none)", target ? target : "(none)"); | |
0ac4b28a | 1913 | |
614305f3 | 1914 | #ifdef HAVE_STATVFS |
181437fd | 1915 | if (srcpath && statvfs(srcpath, &sb) == 0) { |
94bef7e4 TA |
1916 | unsigned long required_flags = 0; |
1917 | ||
2938f7c8 SH |
1918 | if (sb.f_flag & MS_NOSUID) |
1919 | required_flags |= MS_NOSUID; | |
0ac4b28a | 1920 | |
ae7a770e | 1921 | if (sb.f_flag & MS_NODEV && !dev) |
2938f7c8 | 1922 | required_flags |= MS_NODEV; |
0ac4b28a | 1923 | |
2938f7c8 SH |
1924 | if (sb.f_flag & MS_RDONLY) |
1925 | required_flags |= MS_RDONLY; | |
0ac4b28a | 1926 | |
2938f7c8 SH |
1927 | if (sb.f_flag & MS_NOEXEC) |
1928 | required_flags |= MS_NOEXEC; | |
0ac4b28a | 1929 | |
55022530 CB |
1930 | DEBUG("Flags for \"%s\" were %lu, required extra flags are %lu", |
1931 | srcpath, sb.f_flag, required_flags); | |
0ac4b28a CB |
1932 | |
1933 | /* If this was a bind mount request, and required_flags | |
2938f7c8 | 1934 | * does not have any flags which are not already in |
0ac4b28a | 1935 | * mountflags, then skip the remount. |
2938f7c8 | 1936 | */ |
94bef7e4 TA |
1937 | if (!(mountflags & MS_REMOUNT) && |
1938 | (!(required_flags & ~mountflags) && !(mountflags & MS_RDONLY))) { | |
15f3e22b CB |
1939 | DEBUG("Mountflags already were %lu, skipping remount", mountflags); |
1940 | goto skipremount; | |
2938f7c8 | 1941 | } |
0ac4b28a | 1942 | |
2938f7c8 | 1943 | mountflags |= required_flags; |
6fd5e769 | 1944 | } |
614305f3 | 1945 | #endif |
911324ef | 1946 | |
181437fd | 1947 | ret = mount(srcpath, target, fstype, mountflags | MS_REMOUNT, data); |
0ac4b28a | 1948 | if (ret < 0) { |
55022530 CB |
1949 | if (optional) |
1950 | return log_info_errno(0, errno, "Failed to mount \"%s\" on \"%s\" (optional)", | |
1951 | srcpath ? srcpath : "(null)", | |
1952 | target); | |
1953 | ||
1954 | return log_error_errno(-1, errno, "Failed to mount \"%s\" on \"%s\"", | |
1955 | srcpath ? srcpath : "(null)", | |
1956 | target); | |
911324ef DL |
1957 | } |
1958 | } | |
1959 | ||
a3ed9b81 | 1960 | #ifdef HAVE_STATVFS |
1961 | skipremount: | |
1962 | #endif | |
d840039e YT |
1963 | if (pflags) { |
1964 | ret = mount(NULL, target, NULL, pflags, NULL); | |
1965 | if (ret < 0) { | |
55022530 CB |
1966 | if (optional) |
1967 | return log_info_errno(0, errno, "Failed to change mount propagation for \"%s\" (optional)", target); | |
1968 | else | |
1969 | return log_error_errno(-1, errno, "Failed to change mount propagation for \"%s\" (optional)", target); | |
d840039e YT |
1970 | } |
1971 | DEBUG("Changed mount propagation for \"%s\"", target); | |
1972 | } | |
1973 | ||
0103eb53 | 1974 | DEBUG("Mounted \"%s\" on \"%s\" with filesystem type \"%s\"", |
181437fd | 1975 | srcpath ? srcpath : "(null)", target, fstype); |
911324ef DL |
1976 | |
1977 | return 0; | |
1978 | } | |
1979 | ||
c5e30de4 | 1980 | /* Remove "optional", "create=dir", and "create=file" from mntopt */ |
4e4ca161 SH |
1981 | static void cull_mntent_opt(struct mntent *mntent) |
1982 | { | |
1983 | int i; | |
0fd73091 CB |
1984 | char *list[] = { |
1985 | "create=dir", | |
1986 | "create=file", | |
1987 | "optional", | |
1988 | "relative", | |
1989 | NULL | |
1990 | }; | |
c5e30de4 CB |
1991 | |
1992 | for (i = 0; list[i]; i++) { | |
1993 | char *p, *p2; | |
1994 | ||
1995 | p = strstr(mntent->mnt_opts, list[i]); | |
1996 | if (!p) | |
4e4ca161 | 1997 | continue; |
c5e30de4 | 1998 | |
4e4ca161 SH |
1999 | p2 = strchr(p, ','); |
2000 | if (!p2) { | |
2001 | /* no more mntopts, so just chop it here */ | |
2002 | *p = '\0'; | |
2003 | continue; | |
2004 | } | |
c5e30de4 CB |
2005 | |
2006 | memmove(p, p2 + 1, strlen(p2 + 1) + 1); | |
4e4ca161 SH |
2007 | } |
2008 | } | |
2009 | ||
4d5b72a1 | 2010 | static int mount_entry_create_dir_file(const struct mntent *mntent, |
749f98d9 CB |
2011 | const char *path, |
2012 | const struct lxc_rootfs *rootfs, | |
0fd73091 | 2013 | const char *lxc_name, const char *lxc_path) |
0ad19a3f | 2014 | { |
7a76eeaa | 2015 | __do_free char *p1 = NULL; |
3b7e332f | 2016 | int ret; |
7a76eeaa | 2017 | char *p2; |
911324ef | 2018 | |
12e6ab5d | 2019 | if (strncmp(mntent->mnt_type, "overlay", 7) == 0) { |
749f98d9 | 2020 | ret = ovl_mkdir(mntent, rootfs, lxc_name, lxc_path); |
12e6ab5d CB |
2021 | if (ret < 0) |
2022 | return -1; | |
2023 | } | |
6e46cc0d | 2024 | |
34cfffb3 | 2025 | if (hasmntopt(mntent, "create=dir")) { |
749f98d9 | 2026 | ret = mkdir_p(path, 0755); |
55022530 CB |
2027 | if (ret < 0 && errno != EEXIST) |
2028 | return log_error_errno(-1, errno, "Failed to create directory \"%s\"", path); | |
34cfffb3 SG |
2029 | } |
2030 | ||
0fd73091 CB |
2031 | if (!hasmntopt(mntent, "create=file")) |
2032 | return 0; | |
749f98d9 | 2033 | |
0fd73091 CB |
2034 | ret = access(path, F_OK); |
2035 | if (ret == 0) | |
2036 | return 0; | |
749f98d9 | 2037 | |
0fd73091 CB |
2038 | p1 = strdup(path); |
2039 | if (!p1) | |
2040 | return -1; | |
749f98d9 | 2041 | |
0fd73091 | 2042 | p2 = dirname(p1); |
749f98d9 | 2043 | |
0fd73091 | 2044 | ret = mkdir_p(p2, 0755); |
55022530 CB |
2045 | if (ret < 0 && errno != EEXIST) |
2046 | return log_error_errno(-1, errno, "Failed to create directory \"%s\"", path); | |
749f98d9 | 2047 | |
3b7e332f CB |
2048 | ret = mknod(path, S_IFREG | 0000, 0); |
2049 | if (ret < 0 && errno != EEXIST) | |
2050 | return -errno; | |
0fd73091 | 2051 | |
749f98d9 | 2052 | return 0; |
4d5b72a1 NC |
2053 | } |
2054 | ||
ec50007f CB |
2055 | /* rootfs, lxc_name, and lxc_path can be NULL when the container is created |
2056 | * without a rootfs. */ | |
db4aba38 | 2057 | static inline int mount_entry_on_generic(struct mntent *mntent, |
d8b712bc CB |
2058 | const char *path, |
2059 | const struct lxc_rootfs *rootfs, | |
2060 | const char *lxc_name, | |
2061 | const char *lxc_path) | |
4d5b72a1 | 2062 | { |
fd214f37 | 2063 | __do_free char *mntdata = NULL; |
a08bfbe3 CB |
2064 | unsigned long mntflags = 0, pflags = 0; |
2065 | char *rootfs_path = NULL; | |
d8b712bc | 2066 | int ret; |
181437fd | 2067 | bool dev, optional, relative; |
d8b712bc CB |
2068 | |
2069 | optional = hasmntopt(mntent, "optional") != NULL; | |
2070 | dev = hasmntopt(mntent, "dev") != NULL; | |
181437fd | 2071 | relative = hasmntopt(mntent, "relative") != NULL; |
d8b712bc | 2072 | |
ec50007f CB |
2073 | if (rootfs && rootfs->path) |
2074 | rootfs_path = rootfs->mount; | |
2075 | ||
d8b712bc CB |
2076 | ret = mount_entry_create_dir_file(mntent, path, rootfs, lxc_name, |
2077 | lxc_path); | |
2078 | if (ret < 0) { | |
2079 | if (optional) | |
2080 | return 0; | |
608e3567 | 2081 | |
d8b712bc CB |
2082 | return -1; |
2083 | } | |
4e4ca161 SH |
2084 | cull_mntent_opt(mntent); |
2085 | ||
d840039e YT |
2086 | ret = parse_propagationopts(mntent->mnt_opts, &pflags); |
2087 | if (ret < 0) | |
2088 | return -1; | |
2089 | ||
d8b712bc CB |
2090 | ret = parse_mntopts(mntent->mnt_opts, &mntflags, &mntdata); |
2091 | if (ret < 0) | |
a08bfbe3 | 2092 | return ret; |
a17b1e65 | 2093 | |
6e46cc0d | 2094 | ret = mount_entry(mntent->mnt_fsname, path, mntent->mnt_type, mntflags, |
d840039e | 2095 | pflags, mntdata, optional, dev, relative, rootfs_path); |
68c152ef | 2096 | |
911324ef DL |
2097 | return ret; |
2098 | } | |
2099 | ||
db4aba38 NC |
2100 | static inline int mount_entry_on_systemfs(struct mntent *mntent) |
2101 | { | |
1433c9f9 | 2102 | int ret; |
6b5a54cd | 2103 | char path[PATH_MAX]; |
1433c9f9 CB |
2104 | |
2105 | /* For containers created without a rootfs all mounts are treated as | |
07667a6a CB |
2106 | * absolute paths starting at / on the host. |
2107 | */ | |
1433c9f9 CB |
2108 | if (mntent->mnt_dir[0] != '/') |
2109 | ret = snprintf(path, sizeof(path), "/%s", mntent->mnt_dir); | |
2110 | else | |
2111 | ret = snprintf(path, sizeof(path), "%s", mntent->mnt_dir); | |
07667a6a | 2112 | if (ret < 0 || ret >= sizeof(path)) |
1433c9f9 | 2113 | return -1; |
1433c9f9 CB |
2114 | |
2115 | return mount_entry_on_generic(mntent, path, NULL, NULL, NULL); | |
db4aba38 NC |
2116 | } |
2117 | ||
4e4ca161 | 2118 | static int mount_entry_on_absolute_rootfs(struct mntent *mntent, |
80a881b2 | 2119 | const struct lxc_rootfs *rootfs, |
0a2dddd4 CB |
2120 | const char *lxc_name, |
2121 | const char *lxc_path) | |
911324ef | 2122 | { |
bdd2b34c | 2123 | int offset; |
013bd428 | 2124 | char *aux; |
67e571de | 2125 | const char *lxcpath; |
6b5a54cd | 2126 | char path[PATH_MAX]; |
bdd2b34c | 2127 | int ret = 0; |
0ad19a3f | 2128 | |
593e8478 | 2129 | lxcpath = lxc_global_config_value("lxc.lxcpath"); |
bdd2b34c | 2130 | if (!lxcpath) |
2a59a681 | 2131 | return -1; |
2a59a681 | 2132 | |
bdd2b34c CB |
2133 | /* If rootfs->path is a blockdev path, allow container fstab to use |
2134 | * <lxcpath>/<name>/rootfs" as the target prefix. | |
2135 | */ | |
6b5a54cd CB |
2136 | ret = snprintf(path, PATH_MAX, "%s/%s/rootfs", lxcpath, lxc_name); |
2137 | if (ret < 0 || ret >= PATH_MAX) | |
80a881b2 SH |
2138 | goto skipvarlib; |
2139 | ||
2140 | aux = strstr(mntent->mnt_dir, path); | |
2141 | if (aux) { | |
2142 | offset = strlen(path); | |
2143 | goto skipabs; | |
2144 | } | |
2145 | ||
2146 | skipvarlib: | |
013bd428 | 2147 | aux = strstr(mntent->mnt_dir, rootfs->path); |
55022530 CB |
2148 | if (!aux) |
2149 | return log_warn(ret, "Ignoring mount point \"%s\"", mntent->mnt_dir); | |
80a881b2 SH |
2150 | offset = strlen(rootfs->path); |
2151 | ||
2152 | skipabs: | |
6b5a54cd CB |
2153 | ret = snprintf(path, PATH_MAX, "%s/%s", rootfs->mount, aux + offset); |
2154 | if (ret < 0 || ret >= PATH_MAX) | |
a17b1e65 | 2155 | return -1; |
a17b1e65 | 2156 | |
0a2dddd4 | 2157 | return mount_entry_on_generic(mntent, path, rootfs, lxc_name, lxc_path); |
911324ef | 2158 | } |
d330fe7b | 2159 | |
4e4ca161 | 2160 | static int mount_entry_on_relative_rootfs(struct mntent *mntent, |
0a2dddd4 CB |
2161 | const struct lxc_rootfs *rootfs, |
2162 | const char *lxc_name, | |
2163 | const char *lxc_path) | |
911324ef | 2164 | { |
911324ef | 2165 | int ret; |
6b5a54cd | 2166 | char path[PATH_MAX]; |
d330fe7b | 2167 | |
34cfffb3 | 2168 | /* relative to root mount point */ |
6e46cc0d | 2169 | ret = snprintf(path, sizeof(path), "%s/%s", rootfs->mount, mntent->mnt_dir); |
0fd73091 | 2170 | if (ret < 0 || (size_t)ret >= sizeof(path)) |
9ba8130c | 2171 | return -1; |
911324ef | 2172 | |
0a2dddd4 | 2173 | return mount_entry_on_generic(mntent, path, rootfs, lxc_name, lxc_path); |
911324ef DL |
2174 | } |
2175 | ||
06749971 CB |
2176 | static int mount_file_entries(const struct lxc_conf *conf, |
2177 | const struct lxc_rootfs *rootfs, FILE *file, | |
1ae3c19f | 2178 | const char *lxc_name, const char *lxc_path) |
911324ef | 2179 | { |
9d03d857 | 2180 | char buf[PATH_MAX]; |
0fd73091 | 2181 | struct mntent mntent; |
e76b8764 | 2182 | |
aaf901be | 2183 | while (getmntent_r(file, &mntent, buf, sizeof(buf))) { |
9d03d857 CB |
2184 | int ret; |
2185 | ||
1ae3c19f CB |
2186 | if (!rootfs->path) |
2187 | ret = mount_entry_on_systemfs(&mntent); | |
2188 | else if (mntent.mnt_dir[0] != '/') | |
2189 | ret = mount_entry_on_relative_rootfs(&mntent, rootfs, | |
2190 | lxc_name, lxc_path); | |
2191 | else | |
2192 | ret = mount_entry_on_absolute_rootfs(&mntent, rootfs, | |
9d03d857 | 2193 | lxc_name, lxc_path); |
1ae3c19f CB |
2194 | if (ret < 0) |
2195 | return -1; | |
0ad19a3f | 2196 | } |
cd54d859 | 2197 | |
55022530 CB |
2198 | if (!feof(file) || ferror(file)) |
2199 | return log_error(-1, "Failed to parse mount entries"); | |
9d03d857 CB |
2200 | |
2201 | return 0; | |
e7938e9e MN |
2202 | } |
2203 | ||
55022530 CB |
2204 | static inline void __auto_endmntent__(FILE **f) |
2205 | { | |
2206 | if (*f) | |
2207 | endmntent(*f); | |
2208 | } | |
2209 | ||
2210 | #define __do_endmntent __attribute__((__cleanup__(__auto_endmntent__))) | |
2211 | ||
06749971 CB |
2212 | static int setup_mount(const struct lxc_conf *conf, |
2213 | const struct lxc_rootfs *rootfs, const char *fstab, | |
42dff448 | 2214 | const char *lxc_name, const char *lxc_path) |
e7938e9e | 2215 | { |
55022530 | 2216 | __do_endmntent FILE *f = NULL; |
e7938e9e MN |
2217 | int ret; |
2218 | ||
2219 | if (!fstab) | |
2220 | return 0; | |
2221 | ||
55022530 CB |
2222 | f = setmntent(fstab, "re"); |
2223 | if (!f) | |
2224 | return log_error_errno(-1, errno, "Failed to open \"%s\"", fstab); | |
e7938e9e | 2225 | |
06749971 | 2226 | ret = mount_file_entries(conf, rootfs, f, lxc_name, lxc_path); |
42dff448 CB |
2227 | if (ret < 0) |
2228 | ERROR("Failed to set up mount entries"); | |
e7938e9e | 2229 | |
0ad19a3f | 2230 | return ret; |
2231 | } | |
2232 | ||
1800f924 WB |
2233 | /* |
2234 | * In order for nested containers to be able to mount /proc and /sys they need | |
2235 | * to see a "pure" proc and sysfs mount points with nothing mounted on top | |
2236 | * (like lxcfs). | |
2237 | * For this we provide proc and sysfs in /dev/.lxc/{proc,sys} while using an | |
2238 | * apparmor rule to deny access to them. This is mostly for convenience: The | |
2239 | * container's root user can mount them anyway and thus has access to the two | |
2240 | * file systems. But a non-root user in the container should not be allowed to | |
2241 | * access them as a side effect without explicitly allowing it. | |
2242 | */ | |
2243 | static const char nesting_helpers[] = | |
dc691e34 CB |
2244 | "proc dev/.lxc/proc proc create=dir,optional 0 0\n" |
2245 | "sys dev/.lxc/sys sysfs create=dir,optional 0 0\n"; | |
1800f924 WB |
2246 | |
2247 | FILE *make_anonymous_mount_file(struct lxc_list *mount, | |
2248 | bool include_nesting_helpers) | |
e7938e9e | 2249 | { |
f62cf1d4 | 2250 | __do_close int fd = -EBADF; |
4110345b | 2251 | FILE *f; |
5ef5c9a3 | 2252 | int ret; |
e7938e9e | 2253 | char *mount_entry; |
5ef5c9a3 | 2254 | struct lxc_list *iterator; |
5ef5c9a3 | 2255 | |
0fd73091 | 2256 | fd = memfd_create(".lxc_mount_file", MFD_CLOEXEC); |
5ef5c9a3 | 2257 | if (fd < 0) { |
a324e7eb CB |
2258 | char template[] = P_tmpdir "/.lxc_mount_file_XXXXXX"; |
2259 | ||
5ef5c9a3 CB |
2260 | if (errno != ENOSYS) |
2261 | return NULL; | |
a324e7eb CB |
2262 | |
2263 | fd = lxc_make_tmpfile(template, true); | |
55022530 CB |
2264 | if (fd < 0) |
2265 | return log_error_errno(NULL, errno, "Could not create temporary mount file"); | |
0fd73091 | 2266 | |
6bd04140 | 2267 | TRACE("Created temporary mount file"); |
5ef5c9a3 | 2268 | } |
e7938e9e | 2269 | |
0fd73091 CB |
2270 | lxc_list_for_each (iterator, mount) { |
2271 | size_t len; | |
2272 | ||
e7938e9e | 2273 | mount_entry = iterator->elem; |
0fd73091 | 2274 | len = strlen(mount_entry); |
5ef5c9a3 | 2275 | |
489f39be | 2276 | ret = lxc_write_nointr(fd, mount_entry, len); |
0fd73091 | 2277 | if (ret != len) |
79bcf5ee | 2278 | return NULL; |
0fd73091 | 2279 | |
489f39be | 2280 | ret = lxc_write_nointr(fd, "\n", 1); |
0fd73091 | 2281 | if (ret != 1) |
79bcf5ee | 2282 | return NULL; |
e7938e9e MN |
2283 | } |
2284 | ||
1800f924 WB |
2285 | if (include_nesting_helpers) { |
2286 | ret = lxc_write_nointr(fd, nesting_helpers, | |
6333c915 CB |
2287 | STRARRAYLEN(nesting_helpers)); |
2288 | if (ret != STRARRAYLEN(nesting_helpers)) | |
79bcf5ee | 2289 | return NULL; |
1800f924 WB |
2290 | } |
2291 | ||
0fd73091 CB |
2292 | ret = lseek(fd, 0, SEEK_SET); |
2293 | if (ret < 0) | |
79bcf5ee | 2294 | return NULL; |
0fd73091 | 2295 | |
4110345b CB |
2296 | f = fdopen(fd, "re+"); |
2297 | if (f) | |
2298 | move_fd(fd); /* Transfer ownership of fd. */ | |
2299 | return f; | |
9fc7f8c0 TA |
2300 | } |
2301 | ||
06749971 CB |
2302 | static int setup_mount_entries(const struct lxc_conf *conf, |
2303 | const struct lxc_rootfs *rootfs, | |
5ef5c9a3 CB |
2304 | struct lxc_list *mount, const char *lxc_name, |
2305 | const char *lxc_path) | |
9fc7f8c0 | 2306 | { |
c85ced65 | 2307 | __do_fclose FILE *f = NULL; |
9fc7f8c0 | 2308 | |
1800f924 | 2309 | f = make_anonymous_mount_file(mount, conf->lsm_aa_allow_nesting); |
19b5d755 | 2310 | if (!f) |
9fc7f8c0 | 2311 | return -1; |
e7938e9e | 2312 | |
c85ced65 | 2313 | return mount_file_entries(conf, rootfs, f, lxc_name, lxc_path); |
e7938e9e MN |
2314 | } |
2315 | ||
bab88e68 CS |
2316 | static int parse_cap(const char *cap) |
2317 | { | |
84760c11 | 2318 | size_t i; |
2319 | int capid = -1; | |
0fd73091 CB |
2320 | size_t end = sizeof(caps_opt) / sizeof(caps_opt[0]); |
2321 | char *ptr = NULL; | |
bab88e68 | 2322 | |
0fd73091 | 2323 | if (strcmp(cap, "none") == 0) |
7035407c DE |
2324 | return -2; |
2325 | ||
8560cd36 | 2326 | for (i = 0; i < end; i++) { |
bab88e68 CS |
2327 | if (strcmp(cap, caps_opt[i].name)) |
2328 | continue; | |
2329 | ||
2330 | capid = caps_opt[i].value; | |
2331 | break; | |
2332 | } | |
2333 | ||
2334 | if (capid < 0) { | |
0fd73091 CB |
2335 | /* Try to see if it's numeric, so the user may specify |
2336 | * capabilities that the running kernel knows about but we | |
2337 | * don't | |
2338 | */ | |
bab88e68 CS |
2339 | errno = 0; |
2340 | capid = strtol(cap, &ptr, 10); | |
2341 | if (!ptr || *ptr != '\0' || errno != 0) | |
2342 | /* not a valid number */ | |
2343 | capid = -1; | |
2344 | else if (capid > lxc_caps_last_cap()) | |
2345 | /* we have a number but it's not a valid | |
2346 | * capability */ | |
2347 | capid = -1; | |
2348 | } | |
2349 | ||
2350 | return capid; | |
2351 | } | |
2352 | ||
0769b82a CS |
2353 | int in_caplist(int cap, struct lxc_list *caps) |
2354 | { | |
0769b82a | 2355 | int capid; |
0fd73091 | 2356 | struct lxc_list *iterator; |
0769b82a | 2357 | |
0fd73091 | 2358 | lxc_list_for_each (iterator, caps) { |
0769b82a CS |
2359 | capid = parse_cap(iterator->elem); |
2360 | if (capid == cap) | |
2361 | return 1; | |
2362 | } | |
2363 | ||
2364 | return 0; | |
2365 | } | |
2366 | ||
81810dd1 DL |
2367 | static int setup_caps(struct lxc_list *caps) |
2368 | { | |
bab88e68 | 2369 | int capid; |
0fd73091 CB |
2370 | char *drop_entry; |
2371 | struct lxc_list *iterator; | |
81810dd1 | 2372 | |
0fd73091 CB |
2373 | lxc_list_for_each (iterator, caps) { |
2374 | int ret; | |
81810dd1 DL |
2375 | |
2376 | drop_entry = iterator->elem; | |
2377 | ||
bab88e68 | 2378 | capid = parse_cap(drop_entry); |
55022530 CB |
2379 | if (capid < 0) |
2380 | return log_error(-1, "unknown capability %s", drop_entry); | |
81810dd1 | 2381 | |
b81689a1 CB |
2382 | ret = prctl(PR_CAPBSET_DROP, prctl_arg(capid), prctl_arg(0), |
2383 | prctl_arg(0), prctl_arg(0)); | |
55022530 CB |
2384 | if (ret < 0) |
2385 | return log_error_errno(-1, errno, "Failed to remove %s capability", drop_entry); | |
0fd73091 | 2386 | DEBUG("Dropped %s (%d) capability", drop_entry, capid); |
81810dd1 DL |
2387 | } |
2388 | ||
0fd73091 | 2389 | DEBUG("Capabilities have been setup"); |
1fb86a7c SH |
2390 | return 0; |
2391 | } | |
2392 | ||
2393 | static int dropcaps_except(struct lxc_list *caps) | |
2394 | { | |
2f443e88 | 2395 | __do_free int *caplist = NULL; |
0fd73091 | 2396 | int i, capid, numcaps; |
1fb86a7c | 2397 | char *keep_entry; |
0fd73091 | 2398 | struct lxc_list *iterator; |
1fb86a7c | 2399 | |
0fd73091 | 2400 | numcaps = lxc_caps_last_cap() + 1; |
2caf9a97 SH |
2401 | if (numcaps <= 0 || numcaps > 200) |
2402 | return -1; | |
0fd73091 | 2403 | TRACE("Found %d capabilities", numcaps); |
2caf9a97 | 2404 | |
1a0e70ac | 2405 | /* caplist[i] is 1 if we keep capability i */ |
2f443e88 | 2406 | caplist = must_realloc(NULL, numcaps * sizeof(int)); |
1fb86a7c SH |
2407 | memset(caplist, 0, numcaps * sizeof(int)); |
2408 | ||
0fd73091 | 2409 | lxc_list_for_each (iterator, caps) { |
1fb86a7c SH |
2410 | keep_entry = iterator->elem; |
2411 | ||
bab88e68 | 2412 | capid = parse_cap(keep_entry); |
7035407c DE |
2413 | if (capid == -2) |
2414 | continue; | |
2415 | ||
55022530 CB |
2416 | if (capid < 0) |
2417 | return log_error(-1, "Unknown capability %s", keep_entry); | |
1fb86a7c | 2418 | |
0fd73091 | 2419 | DEBUG("Keep capability %s (%d)", keep_entry, capid); |
1fb86a7c SH |
2420 | caplist[capid] = 1; |
2421 | } | |
0fd73091 CB |
2422 | |
2423 | for (i = 0; i < numcaps; i++) { | |
2424 | int ret; | |
2425 | ||
1fb86a7c SH |
2426 | if (caplist[i]) |
2427 | continue; | |
0fd73091 | 2428 | |
b81689a1 CB |
2429 | ret = prctl(PR_CAPBSET_DROP, prctl_arg(i), prctl_arg(0), |
2430 | prctl_arg(0), prctl_arg(0)); | |
55022530 CB |
2431 | if (ret < 0) |
2432 | return log_error_errno(-1, errno, "Failed to remove capability %d", i); | |
1fb86a7c SH |
2433 | } |
2434 | ||
0fd73091 | 2435 | DEBUG("Capabilities have been setup"); |
81810dd1 DL |
2436 | return 0; |
2437 | } | |
2438 | ||
0fd73091 CB |
2439 | static int parse_resource(const char *res) |
2440 | { | |
2441 | int ret; | |
c6d09e15 WB |
2442 | size_t i; |
2443 | int resid = -1; | |
2444 | ||
0fd73091 | 2445 | for (i = 0; i < sizeof(limit_opt) / sizeof(limit_opt[0]); ++i) |
c6d09e15 WB |
2446 | if (strcmp(res, limit_opt[i].name) == 0) |
2447 | return limit_opt[i].value; | |
c6d09e15 | 2448 | |
0fd73091 | 2449 | /* Try to see if it's numeric, so the user may specify |
c6d09e15 | 2450 | * resources that the running kernel knows about but |
0fd73091 CB |
2451 | * we don't. |
2452 | */ | |
2453 | ret = lxc_safe_int(res, &resid); | |
2454 | if (ret < 0) | |
2455 | return -1; | |
2456 | ||
2457 | return resid; | |
c6d09e15 WB |
2458 | } |
2459 | ||
0fd73091 CB |
2460 | int setup_resource_limits(struct lxc_list *limits, pid_t pid) |
2461 | { | |
2462 | int resid; | |
c6d09e15 WB |
2463 | struct lxc_list *it; |
2464 | struct lxc_limit *lim; | |
c6d09e15 | 2465 | |
0fd73091 | 2466 | lxc_list_for_each (it, limits) { |
c6d09e15 WB |
2467 | lim = it->elem; |
2468 | ||
2469 | resid = parse_resource(lim->resource); | |
55022530 CB |
2470 | if (resid < 0) |
2471 | return log_error(-1, "Unknown resource %s", lim->resource); | |
c6d09e15 | 2472 | |
f48b5fd8 | 2473 | #if HAVE_PRLIMIT || HAVE_PRLIMIT64 |
55022530 CB |
2474 | if (prlimit(pid, resid, &lim->limit, NULL) != 0) |
2475 | return log_error_errno(-1, errno, "Failed to set limit %s", lim->resource); | |
2de12765 CB |
2476 | |
2477 | TRACE("Setup \"%s\" limit", lim->resource); | |
f48b5fd8 | 2478 | #else |
55022530 | 2479 | return log_error(-1, "Cannot set limit \"%s\" as prlimit is missing", lim->resource); |
f48b5fd8 | 2480 | #endif |
c6d09e15 | 2481 | } |
0fd73091 | 2482 | |
c6d09e15 WB |
2483 | return 0; |
2484 | } | |
2485 | ||
7edd0540 L |
2486 | int setup_sysctl_parameters(struct lxc_list *sysctls) |
2487 | { | |
e6f76452 | 2488 | __do_free char *tmp = NULL; |
7edd0540 L |
2489 | struct lxc_list *it; |
2490 | struct lxc_sysctl *elem; | |
0fd73091 | 2491 | int ret = 0; |
6b5a54cd | 2492 | char filename[PATH_MAX] = {0}; |
7edd0540 | 2493 | |
0fd73091 | 2494 | lxc_list_for_each (it, sysctls) { |
7edd0540 L |
2495 | elem = it->elem; |
2496 | tmp = lxc_string_replace(".", "/", elem->key); | |
55022530 CB |
2497 | if (!tmp) |
2498 | return log_error(-1, "Failed to replace key %s", elem->key); | |
7edd0540 L |
2499 | |
2500 | ret = snprintf(filename, sizeof(filename), "/proc/sys/%s", tmp); | |
55022530 CB |
2501 | if (ret < 0 || (size_t)ret >= sizeof(filename)) |
2502 | return log_error(-1, "Error setting up sysctl parameters path"); | |
7edd0540 | 2503 | |
0fd73091 | 2504 | ret = lxc_write_to_file(filename, elem->value, |
7cea5905 | 2505 | strlen(elem->value), false, 0666); |
55022530 CB |
2506 | if (ret < 0) |
2507 | return log_error_errno(-1, errno, "Failed to setup sysctl parameters %s to %s", | |
2508 | elem->key, elem->value); | |
7edd0540 | 2509 | } |
0fd73091 | 2510 | |
7edd0540 L |
2511 | return 0; |
2512 | } | |
2513 | ||
61d7a733 YT |
2514 | int setup_proc_filesystem(struct lxc_list *procs, pid_t pid) |
2515 | { | |
0c669152 | 2516 | __do_free char *tmp = NULL; |
61d7a733 YT |
2517 | struct lxc_list *it; |
2518 | struct lxc_proc *elem; | |
0fd73091 | 2519 | int ret = 0; |
6b5a54cd | 2520 | char filename[PATH_MAX] = {0}; |
61d7a733 | 2521 | |
0fd73091 | 2522 | lxc_list_for_each (it, procs) { |
61d7a733 YT |
2523 | elem = it->elem; |
2524 | tmp = lxc_string_replace(".", "/", elem->filename); | |
55022530 CB |
2525 | if (!tmp) |
2526 | return log_error(-1, "Failed to replace key %s", elem->filename); | |
61d7a733 YT |
2527 | |
2528 | ret = snprintf(filename, sizeof(filename), "/proc/%d/%s", pid, tmp); | |
55022530 CB |
2529 | if (ret < 0 || (size_t)ret >= sizeof(filename)) |
2530 | return log_error(-1, "Error setting up proc filesystem path"); | |
61d7a733 | 2531 | |
0fd73091 | 2532 | ret = lxc_write_to_file(filename, elem->value, |
7cea5905 | 2533 | strlen(elem->value), false, 0666); |
55022530 CB |
2534 | if (ret < 0) |
2535 | return log_error_errno(-1, errno, "Failed to setup proc filesystem %s to %s", elem->filename, elem->value); | |
61d7a733 | 2536 | } |
0fd73091 | 2537 | |
61d7a733 YT |
2538 | return 0; |
2539 | } | |
2540 | ||
ae9242c8 SH |
2541 | static char *default_rootfs_mount = LXCROOTFSMOUNT; |
2542 | ||
7b379ab3 | 2543 | struct lxc_conf *lxc_conf_init(void) |
089cd8b8 | 2544 | { |
26ddeedd | 2545 | int i; |
0fd73091 | 2546 | struct lxc_conf *new; |
7b379ab3 | 2547 | |
13277ec4 | 2548 | new = malloc(sizeof(*new)); |
0fd73091 | 2549 | if (!new) |
7b379ab3 | 2550 | return NULL; |
7b379ab3 MN |
2551 | memset(new, 0, sizeof(*new)); |
2552 | ||
4b73005c | 2553 | new->loglevel = LXC_LOG_LEVEL_NOTSET; |
cccc74b5 | 2554 | new->personality = -1; |
124fa0a8 | 2555 | new->autodev = 1; |
3a784510 | 2556 | new->console.buffer_size = 0; |
596a818d DE |
2557 | new->console.log_path = NULL; |
2558 | new->console.log_fd = -1; | |
861813e5 | 2559 | new->console.log_size = 0; |
28a4b0e5 | 2560 | new->console.path = NULL; |
63376d7d | 2561 | new->console.peer = -1; |
fb87aa6a | 2562 | new->console.proxy.busy = -1; |
36a94ce8 | 2563 | new->console.proxy.ptx = -1; |
41808e20 | 2564 | new->console.proxy.pty = -1; |
36a94ce8 | 2565 | new->console.ptx = -1; |
41808e20 | 2566 | new->console.pty = -1; |
63376d7d | 2567 | new->console.name[0] = '\0'; |
732375f5 | 2568 | memset(&new->console.ringbuf, 0, sizeof(struct lxc_ringbuf)); |
d2e30e99 | 2569 | new->maincmd_fd = -1; |
258f8051 | 2570 | new->monitor_signal_pdeath = SIGKILL; |
76a26f55 | 2571 | new->nbd_idx = -1; |
54c30e29 | 2572 | new->rootfs.mount = strdup(default_rootfs_mount); |
53f3f048 | 2573 | if (!new->rootfs.mount) { |
53f3f048 SH |
2574 | free(new); |
2575 | return NULL; | |
2576 | } | |
6e54330c | 2577 | new->rootfs.managed = true; |
858377e4 | 2578 | new->logfd = -1; |
7b379ab3 | 2579 | lxc_list_init(&new->cgroup); |
54860ed0 | 2580 | lxc_list_init(&new->cgroup2); |
4bfb655e | 2581 | lxc_list_init(&new->devices); |
7b379ab3 MN |
2582 | lxc_list_init(&new->network); |
2583 | lxc_list_init(&new->mount_list); | |
81810dd1 | 2584 | lxc_list_init(&new->caps); |
1fb86a7c | 2585 | lxc_list_init(&new->keepcaps); |
f6d3e3e4 | 2586 | lxc_list_init(&new->id_map); |
46ad64ab CB |
2587 | new->root_nsuid_map = NULL; |
2588 | new->root_nsgid_map = NULL; | |
f979ac15 | 2589 | lxc_list_init(&new->includes); |
4184c3e1 | 2590 | lxc_list_init(&new->aliens); |
7c661726 | 2591 | lxc_list_init(&new->environment); |
c6d09e15 | 2592 | lxc_list_init(&new->limits); |
7edd0540 | 2593 | lxc_list_init(&new->sysctls); |
61d7a733 | 2594 | lxc_list_init(&new->procs); |
44ae0fb6 | 2595 | new->hooks_version = 0; |
28d9e29e | 2596 | for (i = 0; i < NUM_LXC_HOOKS; i++) |
26ddeedd | 2597 | lxc_list_init(&new->hooks[i]); |
ee1e7aa0 | 2598 | lxc_list_init(&new->groups); |
d39b10eb | 2599 | lxc_list_init(&new->state_clients); |
fe4de9a6 | 2600 | new->lsm_aa_profile = NULL; |
1800f924 | 2601 | lxc_list_init(&new->lsm_aa_raw); |
fe4de9a6 | 2602 | new->lsm_se_context = NULL; |
4fef78bc | 2603 | new->lsm_se_keyring_context = NULL; |
8f818a84 | 2604 | new->keyring_disable_session = false; |
7a0bcca3 | 2605 | new->tmp_umount_proc = false; |
7a41e857 LT |
2606 | new->tmp_umount_proc = 0; |
2607 | new->shmount.path_host = NULL; | |
2608 | new->shmount.path_cont = NULL; | |
7b379ab3 | 2609 | |
72bb04e4 PT |
2610 | /* if running in a new user namespace, init and COMMAND |
2611 | * default to running as UID/GID 0 when using lxc-execute */ | |
2612 | new->init_uid = 0; | |
2613 | new->init_gid = 0; | |
43654d34 | 2614 | memset(&new->cgroup_meta, 0, sizeof(struct lxc_cgroup)); |
b074bbf1 | 2615 | memset(&new->ns_share, 0, sizeof(char *) * LXC_NS_MAX); |
70fd7fc9 | 2616 | memset(&new->timens, 0, sizeof(struct timens_offsets)); |
c3e3c21a | 2617 | seccomp_conf_init(new); |
72bb04e4 | 2618 | |
7b379ab3 | 2619 | return new; |
089cd8b8 DL |
2620 | } |
2621 | ||
344c9d81 | 2622 | int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf, |
a19b974f | 2623 | size_t buf_size) |
f6d3e3e4 | 2624 | { |
f62cf1d4 | 2625 | __do_close int fd = -EBADF; |
76bcd422 | 2626 | int ret; |
6b5a54cd | 2627 | char path[PATH_MAX]; |
f6d3e3e4 | 2628 | |
a19b974f | 2629 | if (geteuid() != 0 && idtype == ID_TYPE_GID) { |
f62cf1d4 | 2630 | __do_close int setgroups_fd = -EBADF; |
a19b974f | 2631 | |
6b5a54cd CB |
2632 | ret = snprintf(path, PATH_MAX, "/proc/%d/setgroups", pid); |
2633 | if (ret < 0 || ret >= PATH_MAX) | |
a19b974f | 2634 | return -E2BIG; |
a19b974f | 2635 | |
76bcd422 | 2636 | setgroups_fd = open(path, O_WRONLY); |
55022530 CB |
2637 | if (setgroups_fd < 0 && errno != ENOENT) |
2638 | return log_error_errno(-1, errno, "Failed to open \"%s\"", path); | |
a19b974f | 2639 | |
76bcd422 CB |
2640 | if (setgroups_fd >= 0) { |
2641 | ret = lxc_write_nointr(setgroups_fd, "deny\n", | |
2642 | STRLITERALLEN("deny\n")); | |
55022530 CB |
2643 | if (ret != STRLITERALLEN("deny\n")) |
2644 | return log_error_errno(-1, errno, "Failed to write \"deny\" to \"/proc/%d/setgroups\"", pid); | |
395b1a3e | 2645 | TRACE("Wrote \"deny\" to \"/proc/%d/setgroups\"", pid); |
a19b974f | 2646 | } |
a19b974f CB |
2647 | } |
2648 | ||
6b5a54cd | 2649 | ret = snprintf(path, PATH_MAX, "/proc/%d/%cid_map", pid, |
29053180 | 2650 | idtype == ID_TYPE_UID ? 'u' : 'g'); |
6b5a54cd | 2651 | if (ret < 0 || ret >= PATH_MAX) |
f6d3e3e4 | 2652 | return -E2BIG; |
29053180 | 2653 | |
55022530 CB |
2654 | fd = open(path, O_WRONLY | O_CLOEXEC); |
2655 | if (fd < 0) | |
2656 | return log_error_errno(-1, errno, "Failed to open \"%s\"", path); | |
29053180 | 2657 | |
29053180 | 2658 | ret = lxc_write_nointr(fd, buf, buf_size); |
55022530 CB |
2659 | if (ret != buf_size) |
2660 | return log_error_errno(-1, errno, "Failed to write %cid mapping to \"%s\"", | |
2661 | idtype == ID_TYPE_UID ? 'u' : 'g', path); | |
29053180 CB |
2662 | |
2663 | return 0; | |
f6d3e3e4 SH |
2664 | } |
2665 | ||
6e50e704 CB |
2666 | /* Check whether a binary exist and has either CAP_SETUID, CAP_SETGID or both. |
2667 | * | |
2668 | * @return 1 if functional binary was found | |
2669 | * @return 0 if binary exists but is lacking privilege | |
2670 | * @return -ENOENT if binary does not exist | |
2671 | * @return -EINVAL if cap to check is neither CAP_SETUID nor CAP_SETGID | |
6e50e704 | 2672 | */ |
df6a2945 CB |
2673 | static int idmaptool_on_path_and_privileged(const char *binary, cap_value_t cap) |
2674 | { | |
48411df2 | 2675 | __do_free char *path = NULL; |
df6a2945 CB |
2676 | int ret; |
2677 | struct stat st; | |
df6a2945 | 2678 | |
3275932b | 2679 | errno = EINVAL; |
6e50e704 | 2680 | if (cap != CAP_SETUID && cap != CAP_SETGID) |
3275932b | 2681 | return -1; |
6e50e704 | 2682 | |
3275932b | 2683 | errno = ENOENT; |
df6a2945 CB |
2684 | path = on_path(binary, NULL); |
2685 | if (!path) | |
3275932b | 2686 | return -1; |
df6a2945 CB |
2687 | |
2688 | ret = stat(path, &st); | |
3275932b CB |
2689 | if (ret < 0) |
2690 | return -1; | |
df6a2945 CB |
2691 | |
2692 | /* Check if the binary is setuid. */ | |
55022530 CB |
2693 | if (st.st_mode & S_ISUID) |
2694 | return log_debug(1, "The binary \"%s\" does have the setuid bit set", path); | |
df6a2945 | 2695 | |
0fd73091 | 2696 | #if HAVE_LIBCAP && LIBCAP_SUPPORTS_FILE_CAPABILITIES |
df6a2945 CB |
2697 | /* Check if it has the CAP_SETUID capability. */ |
2698 | if ((cap & CAP_SETUID) && | |
2699 | lxc_file_cap_is_set(path, CAP_SETUID, CAP_EFFECTIVE) && | |
55022530 CB |
2700 | lxc_file_cap_is_set(path, CAP_SETUID, CAP_PERMITTED)) |
2701 | return log_debug(1, "The binary \"%s\" has CAP_SETUID in its CAP_EFFECTIVE and CAP_PERMITTED sets", path); | |
df6a2945 CB |
2702 | |
2703 | /* Check if it has the CAP_SETGID capability. */ | |
2704 | if ((cap & CAP_SETGID) && | |
2705 | lxc_file_cap_is_set(path, CAP_SETGID, CAP_EFFECTIVE) && | |
55022530 CB |
2706 | lxc_file_cap_is_set(path, CAP_SETGID, CAP_PERMITTED)) |
2707 | return log_debug(1, "The binary \"%s\" has CAP_SETGID in its CAP_EFFECTIVE and CAP_PERMITTED sets", path); | |
0fd73091 | 2708 | #else |
69924fff CB |
2709 | /* If we cannot check for file capabilities we need to give the benefit |
2710 | * of the doubt. Otherwise we might fail even though all the necessary | |
2711 | * file capabilities are set. | |
2712 | */ | |
55022530 | 2713 | DEBUG("Cannot check for file capabilities as full capability support is missing. Manual intervention needed"); |
0fd73091 | 2714 | #endif |
df6a2945 | 2715 | |
3275932b | 2716 | return 1; |
df6a2945 CB |
2717 | } |
2718 | ||
59eac805 | 2719 | static int lxc_map_ids_exec_wrapper(void *args) |
986ef930 CB |
2720 | { |
2721 | execl("/bin/sh", "sh", "-c", (char *)args, (char *)NULL); | |
2722 | return -1; | |
2723 | } | |
2724 | ||
f6d3e3e4 SH |
2725 | int lxc_map_ids(struct lxc_list *idmap, pid_t pid) |
2726 | { | |
0fd73091 | 2727 | int fill, left; |
986ef930 | 2728 | char u_or_g; |
4bc3b759 | 2729 | char *pos; |
6b5a54cd | 2730 | char cmd_output[PATH_MAX]; |
0fd73091 CB |
2731 | struct id_map *map; |
2732 | struct lxc_list *iterator; | |
2733 | enum idtype type; | |
0fd73091 | 2734 | int ret = 0, gidmap = 0, uidmap = 0; |
c6ba8981 CB |
2735 | char mapbuf[STRLITERALLEN("new@idmap") + STRLITERALLEN(" ") + |
2736 | INTTYPE_TO_STRLEN(pid_t) + STRLITERALLEN(" ") + | |
2737 | LXC_IDMAPLEN] = {0}; | |
0fd73091 | 2738 | bool had_entry = false, use_shadow = false; |
c724025c JC |
2739 | int hostuid, hostgid; |
2740 | ||
2741 | hostuid = geteuid(); | |
2742 | hostgid = getegid(); | |
df6a2945 CB |
2743 | |
2744 | /* If new{g,u}idmap exists, that is, if shadow is handing out subuid | |
2745 | * ranges, then insist that root also reserve ranges in subuid. This | |
22038de5 SH |
2746 | * will protected it by preventing another user from being handed the |
2747 | * range by shadow. | |
2748 | */ | |
df6a2945 | 2749 | uidmap = idmaptool_on_path_and_privileged("newuidmap", CAP_SETUID); |
6e50e704 CB |
2750 | if (uidmap == -ENOENT) |
2751 | WARN("newuidmap binary is missing"); | |
2752 | else if (!uidmap) | |
2753 | WARN("newuidmap is lacking necessary privileges"); | |
2754 | ||
df6a2945 | 2755 | gidmap = idmaptool_on_path_and_privileged("newgidmap", CAP_SETGID); |
6e50e704 CB |
2756 | if (gidmap == -ENOENT) |
2757 | WARN("newgidmap binary is missing"); | |
2758 | else if (!gidmap) | |
2759 | WARN("newgidmap is lacking necessary privileges"); | |
2760 | ||
df6a2945 | 2761 | if (uidmap > 0 && gidmap > 0) { |
0fd73091 | 2762 | DEBUG("Functional newuidmap and newgidmap binary found"); |
4bc3b759 | 2763 | use_shadow = true; |
df6a2945 | 2764 | } else { |
99d43365 CB |
2765 | /* In case unprivileged users run application containers via |
2766 | * execute() or a start*() there are valid cases where they may | |
2767 | * only want to map their own {g,u}id. Let's not block them from | |
2768 | * doing so by requiring geteuid() == 0. | |
2769 | */ | |
2770 | DEBUG("No newuidmap and newgidmap binary found. Trying to " | |
c724025c JC |
2771 | "write directly with euid %d", hostuid); |
2772 | } | |
2773 | ||
2774 | /* Check if we really need to use newuidmap and newgidmap. | |
2775 | * If the user is only remapping his own {g,u}id, we don't need it. | |
2776 | */ | |
2777 | if (use_shadow && lxc_list_len(idmap) == 2) { | |
2778 | use_shadow = false; | |
2779 | lxc_list_for_each(iterator, idmap) { | |
2780 | map = iterator->elem; | |
2781 | if (map->idtype == ID_TYPE_UID && map->range == 1 && | |
2782 | map->nsid == hostuid && map->hostid == hostuid) | |
2783 | continue; | |
2784 | if (map->idtype == ID_TYPE_GID && map->range == 1 && | |
2785 | map->nsid == hostgid && map->hostid == hostgid) | |
2786 | continue; | |
2787 | use_shadow = true; | |
2788 | break; | |
2789 | } | |
0e6e3a41 | 2790 | } |
251d0d2a | 2791 | |
986ef930 CB |
2792 | for (type = ID_TYPE_UID, u_or_g = 'u'; type <= ID_TYPE_GID; |
2793 | type++, u_or_g = 'g') { | |
2794 | pos = mapbuf; | |
2795 | ||
0e6e3a41 | 2796 | if (use_shadow) |
986ef930 | 2797 | pos += sprintf(mapbuf, "new%cidmap %d", u_or_g, pid); |
4f7521b4 | 2798 | |
cf3ef16d | 2799 | lxc_list_for_each(iterator, idmap) { |
251d0d2a | 2800 | map = iterator->elem; |
cf3ef16d SH |
2801 | if (map->idtype != type) |
2802 | continue; | |
2803 | ||
4bc3b759 CB |
2804 | had_entry = true; |
2805 | ||
986ef930 | 2806 | left = LXC_IDMAPLEN - (pos - mapbuf); |
d1838f34 | 2807 | fill = snprintf(pos, left, "%s%lu %lu %lu%s", |
4bc3b759 CB |
2808 | use_shadow ? " " : "", map->nsid, |
2809 | map->hostid, map->range, | |
0e6e3a41 | 2810 | use_shadow ? "" : "\n"); |
55022530 CB |
2811 | /* |
2812 | * The kernel only takes <= 4k for writes to | |
2813 | * /proc/<pid>/{g,u}id_map | |
2814 | */ | |
2815 | if (fill <= 0 || fill >= left) | |
2816 | return log_error_errno(-1, errno, "Too many %cid mappings defined", u_or_g); | |
4bc3b759 | 2817 | |
cf3ef16d | 2818 | pos += fill; |
251d0d2a | 2819 | } |
cf3ef16d | 2820 | if (!had_entry) |
4f7521b4 | 2821 | continue; |
cf3ef16d | 2822 | |
d85813cd | 2823 | /* Try to catch the output of new{g,u}idmap to make debugging |
986ef930 CB |
2824 | * easier. |
2825 | */ | |
2826 | if (use_shadow) { | |
2827 | ret = run_command(cmd_output, sizeof(cmd_output), | |
2828 | lxc_map_ids_exec_wrapper, | |
2829 | (void *)mapbuf); | |
55022530 CB |
2830 | if (ret < 0) |
2831 | return log_error(-1, "new%cidmap failed to write mapping \"%s\": %s", u_or_g, cmd_output, mapbuf); | |
54fbbeb5 | 2832 | TRACE("new%cidmap wrote mapping \"%s\"", u_or_g, mapbuf); |
d1838f34 | 2833 | } else { |
986ef930 | 2834 | ret = write_id_mapping(type, pid, mapbuf, pos - mapbuf); |
55022530 CB |
2835 | if (ret < 0) |
2836 | return log_error(-1, "Failed to write mapping: %s", mapbuf); | |
54fbbeb5 | 2837 | TRACE("Wrote mapping \"%s\"", mapbuf); |
d1838f34 | 2838 | } |
986ef930 CB |
2839 | |
2840 | memset(mapbuf, 0, sizeof(mapbuf)); | |
f6d3e3e4 | 2841 | } |
251d0d2a | 2842 | |
986ef930 | 2843 | return 0; |
f6d3e3e4 SH |
2844 | } |
2845 | ||
234998b4 CB |
2846 | /* |
2847 | * Return the host uid/gid to which the container root is mapped in val. | |
0b3a6504 | 2848 | * Return true if id was found, false otherwise. |
cf3ef16d | 2849 | */ |
234998b4 | 2850 | static id_t get_mapped_rootid(const struct lxc_conf *conf, enum idtype idtype) |
cf3ef16d | 2851 | { |
4160c3a0 | 2852 | unsigned nsid; |
0fd73091 CB |
2853 | struct id_map *map; |
2854 | struct lxc_list *it; | |
4160c3a0 CB |
2855 | |
2856 | if (idtype == ID_TYPE_UID) | |
2857 | nsid = (conf->root_nsuid_map != NULL) ? 0 : conf->init_uid; | |
2858 | else | |
2859 | nsid = (conf->root_nsgid_map != NULL) ? 0 : conf->init_gid; | |
cf3ef16d | 2860 | |
0fd73091 | 2861 | lxc_list_for_each (it, &conf->id_map) { |
cf3ef16d | 2862 | map = it->elem; |
7b50c609 | 2863 | if (map->idtype != idtype) |
cf3ef16d | 2864 | continue; |
4160c3a0 | 2865 | if (map->nsid != nsid) |
cf3ef16d | 2866 | continue; |
234998b4 | 2867 | return map->hostid; |
cf3ef16d | 2868 | } |
4160c3a0 | 2869 | |
234998b4 CB |
2870 | if (idtype == ID_TYPE_UID) |
2871 | return LXC_INVALID_UID; | |
2872 | ||
2873 | return LXC_INVALID_GID; | |
cf3ef16d SH |
2874 | } |
2875 | ||
facdf925 | 2876 | int mapped_hostid(unsigned id, const struct lxc_conf *conf, enum idtype idtype) |
cf3ef16d | 2877 | { |
cf3ef16d | 2878 | struct id_map *map; |
0fd73091 CB |
2879 | struct lxc_list *it; |
2880 | ||
2881 | lxc_list_for_each (it, &conf->id_map) { | |
cf3ef16d | 2882 | map = it->elem; |
2133f58c | 2883 | if (map->idtype != idtype) |
cf3ef16d | 2884 | continue; |
0fd73091 | 2885 | |
cf3ef16d | 2886 | if (id >= map->hostid && id < map->hostid + map->range) |
57d116ab | 2887 | return (id - map->hostid) + map->nsid; |
cf3ef16d | 2888 | } |
0fd73091 | 2889 | |
57d116ab | 2890 | return -1; |
cf3ef16d SH |
2891 | } |
2892 | ||
7581a82f | 2893 | int find_unmapped_nsid(const struct lxc_conf *conf, enum idtype idtype) |
cf3ef16d | 2894 | { |
cf3ef16d | 2895 | struct id_map *map; |
0fd73091 | 2896 | struct lxc_list *it; |
2133f58c | 2897 | unsigned int freeid = 0; |
0fd73091 | 2898 | |
cf3ef16d | 2899 | again: |
0fd73091 | 2900 | lxc_list_for_each (it, &conf->id_map) { |
cf3ef16d | 2901 | map = it->elem; |
2133f58c | 2902 | if (map->idtype != idtype) |
cf3ef16d | 2903 | continue; |
0fd73091 | 2904 | |
cf3ef16d SH |
2905 | if (freeid >= map->nsid && freeid < map->nsid + map->range) { |
2906 | freeid = map->nsid + map->range; | |
2907 | goto again; | |
2908 | } | |
2909 | } | |
0fd73091 | 2910 | |
cf3ef16d SH |
2911 | return freeid; |
2912 | } | |
2913 | ||
943144d9 | 2914 | /* NOTE: Must not be called from inside the container namespace! */ |
59eac805 | 2915 | static int lxc_create_tmp_proc_mount(struct lxc_conf *conf) |
5112cd70 SH |
2916 | { |
2917 | int mounted; | |
2918 | ||
943144d9 | 2919 | mounted = lxc_mount_proc_if_needed(conf->rootfs.path ? conf->rootfs.mount : ""); |
5112cd70 | 2920 | if (mounted == -1) { |
0fd73091 | 2921 | SYSERROR("Failed to mount proc in the container"); |
01958b1f | 2922 | /* continue only if there is no rootfs */ |
943144d9 | 2923 | if (conf->rootfs.path) |
01958b1f | 2924 | return -1; |
5112cd70 | 2925 | } else if (mounted == 1) { |
7a0bcca3 | 2926 | conf->tmp_umount_proc = true; |
5112cd70 | 2927 | } |
943144d9 | 2928 | |
5112cd70 SH |
2929 | return 0; |
2930 | } | |
2931 | ||
2932 | void tmp_proc_unmount(struct lxc_conf *lxc_conf) | |
2933 | { | |
7a0bcca3 | 2934 | if (!lxc_conf->tmp_umount_proc) |
0fd73091 CB |
2935 | return; |
2936 | ||
7a0bcca3 CB |
2937 | (void)umount2("/proc", MNT_DETACH); |
2938 | lxc_conf->tmp_umount_proc = false; | |
5112cd70 SH |
2939 | } |
2940 | ||
9e61fb1f CB |
2941 | /* Walk /proc/mounts and change any shared entries to dependent mounts. */ |
2942 | void turn_into_dependent_mounts(void) | |
e995d7a2 | 2943 | { |
7969675f | 2944 | __do_free char *line = NULL; |
003be47b | 2945 | __do_fclose FILE *f = NULL; |
f62cf1d4 | 2946 | __do_close int memfd = -EBADF, mntinfo_fd = -EBADF; |
003be47b | 2947 | int ret; |
6a49f05e | 2948 | ssize_t copied; |
e995d7a2 SH |
2949 | size_t len = 0; |
2950 | ||
6a49f05e | 2951 | mntinfo_fd = open("/proc/self/mountinfo", O_RDONLY | O_CLOEXEC); |
fea3b91d DJ |
2952 | if (mntinfo_fd < 0) { |
2953 | SYSERROR("Failed to open \"/proc/self/mountinfo\""); | |
6a49f05e | 2954 | return; |
fea3b91d | 2955 | } |
6a49f05e CB |
2956 | |
2957 | memfd = memfd_create(".lxc_mountinfo", MFD_CLOEXEC); | |
2958 | if (memfd < 0) { | |
2959 | char template[] = P_tmpdir "/.lxc_mountinfo_XXXXXX"; | |
2960 | ||
2961 | if (errno != ENOSYS) { | |
fea3b91d | 2962 | SYSERROR("Failed to create temporary in-memory file"); |
6a49f05e CB |
2963 | return; |
2964 | } | |
2965 | ||
2966 | memfd = lxc_make_tmpfile(template, true); | |
fea3b91d | 2967 | if (memfd < 0) { |
fea3b91d DJ |
2968 | WARN("Failed to create temporary file"); |
2969 | return; | |
2970 | } | |
6a49f05e CB |
2971 | } |
2972 | ||
6a49f05e | 2973 | again: |
7c4d9466 | 2974 | copied = lxc_sendfile_nointr(memfd, mntinfo_fd, NULL, LXC_SENDFILE_MAX); |
6a49f05e CB |
2975 | if (copied < 0) { |
2976 | if (errno == EINTR) | |
2977 | goto again; | |
2978 | ||
fea3b91d | 2979 | SYSERROR("Failed to copy \"/proc/self/mountinfo\""); |
6a49f05e CB |
2980 | return; |
2981 | } | |
6a49f05e | 2982 | |
6a49f05e CB |
2983 | ret = lseek(memfd, 0, SEEK_SET); |
2984 | if (ret < 0) { | |
fea3b91d | 2985 | SYSERROR("Failed to reset file descriptor offset"); |
6a49f05e CB |
2986 | return; |
2987 | } | |
2988 | ||
4110345b | 2989 | f = fdopen(memfd, "re"); |
e995d7a2 | 2990 | if (!f) { |
003be47b | 2991 | SYSERROR("Failed to open copy of \"/proc/self/mountinfo\" to mark all shared. Continuing"); |
e995d7a2 SH |
2992 | return; |
2993 | } | |
2994 | ||
003be47b CB |
2995 | /* |
2996 | * After a successful fdopen() memfd will be closed when calling | |
2997 | * fclose(f). Calling close(memfd) afterwards is undefined. | |
2998 | */ | |
2999 | move_fd(memfd); | |
3000 | ||
e995d7a2 | 3001 | while (getline(&line, &len, f) != -1) { |
0fd73091 CB |
3002 | char *opts, *target; |
3003 | ||
e995d7a2 SH |
3004 | target = get_field(line, 4); |
3005 | if (!target) | |
3006 | continue; | |
0fd73091 | 3007 | |
e995d7a2 SH |
3008 | opts = get_field(target, 2); |
3009 | if (!opts) | |
3010 | continue; | |
0fd73091 | 3011 | |
e995d7a2 SH |
3012 | null_endofword(opts); |
3013 | if (!strstr(opts, "shared")) | |
3014 | continue; | |
0fd73091 | 3015 | |
e995d7a2 | 3016 | null_endofword(target); |
0fd73091 CB |
3017 | ret = mount(NULL, target, NULL, MS_SLAVE, NULL); |
3018 | if (ret < 0) { | |
9e61fb1f | 3019 | SYSERROR("Failed to recursively turn old root mount tree into dependent mount. Continuing..."); |
6a49f05e | 3020 | continue; |
e995d7a2 | 3021 | } |
9e61fb1f | 3022 | TRACE("Recursively turned old root mount tree into dependent mount"); |
e995d7a2 | 3023 | } |
9e61fb1f | 3024 | TRACE("Turned all mount table entries into dependent mount"); |
e995d7a2 SH |
3025 | } |
3026 | ||
794248d0 | 3027 | static int lxc_execute_bind_init(struct lxc_handler *handler) |
2322903b SH |
3028 | { |
3029 | int ret; | |
794248d0 CB |
3030 | char *p; |
3031 | char path[PATH_MAX], destpath[PATH_MAX]; | |
3032 | struct lxc_conf *conf = handler->conf; | |
9d9c111c SH |
3033 | |
3034 | /* If init exists in the container, don't bind mount a static one */ | |
3035 | p = choose_init(conf->rootfs.mount); | |
3036 | if (p) { | |
22f835ba | 3037 | __do_free char *old = p; |
41089848 TA |
3038 | |
3039 | p = strdup(old + strlen(conf->rootfs.mount)); | |
41089848 TA |
3040 | if (!p) |
3041 | return -ENOMEM; | |
3042 | ||
3043 | INFO("Found existing init at \"%s\"", p); | |
3044 | goto out; | |
9d9c111c | 3045 | } |
2322903b SH |
3046 | |
3047 | ret = snprintf(path, PATH_MAX, SBINDIR "/init.lxc.static"); | |
0fd73091 | 3048 | if (ret < 0 || ret >= PATH_MAX) |
8353b4c9 | 3049 | return -1; |
2322903b | 3050 | |
55022530 CB |
3051 | if (!file_exists(path)) |
3052 | return log_error_errno(-1, errno, "The file \"%s\" does not exist on host", path); | |
2322903b | 3053 | |
794248d0 | 3054 | ret = snprintf(destpath, PATH_MAX, "%s" P_tmpdir "%s", conf->rootfs.mount, "/.lxc-init"); |
0fd73091 | 3055 | if (ret < 0 || ret >= PATH_MAX) |
8353b4c9 | 3056 | return -1; |
2322903b SH |
3057 | |
3058 | if (!file_exists(destpath)) { | |
794248d0 | 3059 | ret = mknod(destpath, S_IFREG | 0000, 0); |
55022530 CB |
3060 | if (ret < 0 && errno != EEXIST) |
3061 | return log_error_errno(-1, errno, "Failed to create dummy \"%s\" file as bind mount target", destpath); | |
2322903b SH |
3062 | } |
3063 | ||
592fd47a | 3064 | ret = safe_mount(path, destpath, "none", MS_BIND, NULL, conf->rootfs.mount); |
55022530 CB |
3065 | if (ret < 0) |
3066 | return log_error_errno(-1, errno, "Failed to bind mount lxc.init.static into container"); | |
8353b4c9 | 3067 | |
794248d0 CB |
3068 | p = strdup(destpath + strlen(conf->rootfs.mount)); |
3069 | if (!p) | |
3070 | return -ENOMEM; | |
794248d0 | 3071 | |
8353b4c9 | 3072 | INFO("Bind mounted lxc.init.static into container at \"%s\"", path); |
41089848 | 3073 | out: |
4b5b3a2a | 3074 | ((struct execute_args *)handler->data)->init_fd = -1; |
41089848 | 3075 | ((struct execute_args *)handler->data)->init_path = p; |
8353b4c9 | 3076 | return 0; |
2322903b SH |
3077 | } |
3078 | ||
0fd73091 CB |
3079 | /* This does the work of remounting / if it is shared, calling the container |
3080 | * pre-mount hooks, and mounting the rootfs. | |
35120d9c | 3081 | */ |
8ce1abc2 CB |
3082 | int lxc_setup_rootfs_prepare_root(struct lxc_conf *conf, const char *name, |
3083 | const char *lxcpath) | |
0ad19a3f | 3084 | { |
0fd73091 CB |
3085 | int ret; |
3086 | ||
35120d9c | 3087 | if (conf->rootfs_setup) { |
35120d9c | 3088 | const char *path = conf->rootfs.mount; |
0fd73091 CB |
3089 | |
3090 | /* The rootfs was set up in another namespace. bind-mount it to | |
3091 | * give us a mount in our own ns so we can pivot_root to it | |
3092 | */ | |
3093 | ret = mount(path, path, "rootfs", MS_BIND, NULL); | |
55022530 CB |
3094 | if (ret < 0) |
3095 | return log_error(-1, "Failed to bind mount container / onto itself"); | |
0fd73091 | 3096 | |
55022530 | 3097 | return log_trace(0, "Bind mounted container / onto itself"); |
35120d9c | 3098 | } |
d4ef7c50 | 3099 | |
9e61fb1f | 3100 | turn_into_dependent_mounts(); |
e995d7a2 | 3101 | |
0fd73091 | 3102 | ret = run_lxc_hooks(name, "pre-mount", conf, NULL); |
55022530 CB |
3103 | if (ret < 0) |
3104 | return log_error(-1, "Failed to run pre-mount hooks"); | |
35120d9c | 3105 | |
8ce1abc2 | 3106 | ret = lxc_mount_rootfs(conf); |
55022530 CB |
3107 | if (ret < 0) |
3108 | return log_error(-1, "Failed to setup rootfs for"); | |
35120d9c SH |
3109 | |
3110 | conf->rootfs_setup = true; | |
3111 | return 0; | |
3112 | } | |
3113 | ||
1c1c7051 SH |
3114 | static bool verify_start_hooks(struct lxc_conf *conf) |
3115 | { | |
6b5a54cd | 3116 | char path[PATH_MAX]; |
0fd73091 CB |
3117 | struct lxc_list *it; |
3118 | ||
3119 | lxc_list_for_each (it, &conf->hooks[LXCHOOK_START]) { | |
1c1c7051 | 3120 | int ret; |
0fd73091 | 3121 | char *hookname = it->elem; |
1c1c7051 | 3122 | |
6b5a54cd | 3123 | ret = snprintf(path, PATH_MAX, "%s%s", |
0fd73091 CB |
3124 | conf->rootfs.path ? conf->rootfs.mount : "", |
3125 | hookname); | |
6b5a54cd | 3126 | if (ret < 0 || ret >= PATH_MAX) |
1c1c7051 | 3127 | return false; |
0fd73091 | 3128 | |
75193660 | 3129 | ret = access(path, X_OK); |
55022530 CB |
3130 | if (ret < 0) |
3131 | return log_error_errno(false, errno, "Start hook \"%s\" not found in container", hookname); | |
0fd73091 | 3132 | |
6a0c909a | 3133 | return true; |
1c1c7051 SH |
3134 | } |
3135 | ||
3136 | return true; | |
3137 | } | |
3138 | ||
4b5b3a2a TA |
3139 | static bool execveat_supported(void) |
3140 | { | |
f40988c7 | 3141 | execveat(-1, "", NULL, NULL, AT_EMPTY_PATH); |
4b5b3a2a TA |
3142 | if (errno == ENOSYS) |
3143 | return false; | |
3144 | ||
3145 | return true; | |
4b5b3a2a TA |
3146 | } |
3147 | ||
20502652 CB |
3148 | static int lxc_setup_boot_id(void) |
3149 | { | |
3150 | int ret; | |
3151 | const char *boot_id_path = "/proc/sys/kernel/random/boot_id"; | |
3152 | const char *mock_boot_id_path = "/dev/.lxc-boot-id"; | |
3153 | lxc_id128_t n; | |
3154 | ||
3155 | if (access(boot_id_path, F_OK)) | |
3156 | return 0; | |
3157 | ||
3158 | memset(&n, 0, sizeof(n)); | |
3159 | if (lxc_id128_randomize(&n)) { | |
3160 | SYSERROR("Failed to generate random data for uuid"); | |
3161 | return -1; | |
3162 | } | |
3163 | ||
3164 | ret = lxc_id128_write(mock_boot_id_path, n); | |
3165 | if (ret < 0) { | |
3166 | SYSERROR("Failed to write uuid to %s", mock_boot_id_path); | |
3167 | return -1; | |
3168 | } | |
3169 | ||
3170 | ret = chmod(mock_boot_id_path, 0444); | |
3171 | if (ret < 0) { | |
3172 | SYSERROR("Failed to chown %s", mock_boot_id_path); | |
3173 | (void)unlink(mock_boot_id_path); | |
3174 | return -1; | |
3175 | } | |
3176 | ||
3177 | ret = mount(mock_boot_id_path, boot_id_path, NULL, MS_BIND, NULL); | |
3178 | if (ret < 0) { | |
3179 | SYSERROR("Failed to mount %s to %s", mock_boot_id_path, | |
3180 | boot_id_path); | |
3181 | (void)unlink(mock_boot_id_path); | |
3182 | return -1; | |
3183 | } | |
3184 | ||
3185 | ret = mount(NULL, boot_id_path, NULL, | |
3186 | (MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | | |
3187 | MS_NODEV), | |
3188 | NULL); | |
3189 | if (ret < 0) { | |
3190 | SYSERROR("Failed to remount %s read-only", boot_id_path); | |
3191 | (void)unlink(mock_boot_id_path); | |
3192 | return -1; | |
3193 | } | |
3194 | ||
3195 | return 0; | |
3196 | } | |
3197 | ||
3b988b33 | 3198 | int lxc_setup(struct lxc_handler *handler) |
35120d9c | 3199 | { |
41808e20 | 3200 | __do_close int pty_mnt_fd = -EBADF; |
2187efd3 | 3201 | int ret; |
0fd73091 | 3202 | const char *lxcpath = handler->lxcpath, *name = handler->name; |
35120d9c | 3203 | struct lxc_conf *lxc_conf = handler->conf; |
4fef78bc | 3204 | char *keyring_context = NULL; |
35120d9c | 3205 | |
8ce1abc2 | 3206 | ret = lxc_setup_rootfs_prepare_root(lxc_conf, name, lxcpath); |
55022530 CB |
3207 | if (ret < 0) |
3208 | return log_error(-1, "Failed to setup rootfs"); | |
35120d9c | 3209 | |
b87ee312 | 3210 | if (handler->nsfd[LXC_NS_UTS] == -EBADF) { |
8353b4c9 | 3211 | ret = setup_utsname(lxc_conf->utsname); |
55022530 CB |
3212 | if (ret < 0) |
3213 | return log_error(-1, "Failed to setup the utsname %s", name); | |
0ad19a3f | 3214 | } |
3215 | ||
8f818a84 MB |
3216 | if (!lxc_conf->keyring_disable_session) { |
3217 | if (lxc_conf->lsm_se_keyring_context) { | |
3218 | keyring_context = lxc_conf->lsm_se_keyring_context; | |
3219 | } else if (lxc_conf->lsm_se_context) { | |
3220 | keyring_context = lxc_conf->lsm_se_context; | |
3221 | } | |
4fef78bc | 3222 | |
8f818a84 MB |
3223 | ret = lxc_setup_keyring(keyring_context); |
3224 | if (ret < 0) | |
3225 | return -1; | |
3226 | } | |
b25291da | 3227 | |
e389f2af CB |
3228 | if (handler->ns_clone_flags & CLONE_NEWNET) { |
3229 | ret = lxc_setup_network_in_child_namespaces(lxc_conf, | |
3230 | &lxc_conf->network); | |
55022530 CB |
3231 | if (ret < 0) |
3232 | return log_error(-1, "Failed to setup network"); | |
0ad19a3f | 3233 | |
e389f2af | 3234 | ret = lxc_network_send_name_and_ifindex_to_parent(handler); |
55022530 CB |
3235 | if (ret < 0) |
3236 | return log_error(-1, "Failed to send network device names and ifindices to parent"); | |
790255cf CB |
3237 | } |
3238 | ||
efbfe93f | 3239 | if (wants_console(&lxc_conf->console)) { |
41808e20 | 3240 | pty_mnt_fd = open_tree(-EBADF, lxc_conf->console.name, |
efbfe93f | 3241 | OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC | AT_EMPTY_PATH); |
41808e20 | 3242 | if (pty_mnt_fd < 0) |
efbfe93f CB |
3243 | SYSTRACE("Failed to create detached mount for container's console \"%s\"", |
3244 | lxc_conf->console.name); | |
3245 | else | |
3246 | TRACE("Created detached mount for container's console \"%s\"", | |
3247 | lxc_conf->console.name); | |
3248 | } | |
cf68ffd9 | 3249 | |
bc6928ff | 3250 | if (lxc_conf->autodev > 0) { |
63012bdd | 3251 | ret = mount_autodev(name, &lxc_conf->rootfs, lxc_conf->autodevtmpfssize, lxcpath); |
55022530 CB |
3252 | if (ret < 0) |
3253 | return log_error(-1, "Failed to mount \"/dev\""); | |
c6883f38 SH |
3254 | } |
3255 | ||
8353b4c9 CB |
3256 | /* Do automatic mounts (mainly /proc and /sys), but exclude those that |
3257 | * need to wait until other stuff has finished. | |
368bbc02 | 3258 | */ |
8353b4c9 | 3259 | ret = lxc_mount_auto_mounts(lxc_conf, lxc_conf->auto_mounts & ~LXC_AUTO_CGROUP_MASK, handler); |
55022530 CB |
3260 | if (ret < 0) |
3261 | return log_error(-1, "Failed to setup first automatic mounts"); | |
368bbc02 | 3262 | |
8353b4c9 | 3263 | ret = setup_mount(lxc_conf, &lxc_conf->rootfs, lxc_conf->fstab, name, lxcpath); |
55022530 CB |
3264 | if (ret < 0) |
3265 | return log_error(-1, "Failed to setup mounts"); | |
576f946d | 3266 | |
c631115d FA |
3267 | if (!lxc_list_empty(&lxc_conf->mount_list)) { |
3268 | ret = setup_mount_entries(lxc_conf, &lxc_conf->rootfs, | |
3269 | &lxc_conf->mount_list, name, lxcpath); | |
55022530 CB |
3270 | if (ret < 0) |
3271 | return log_error(-1, "Failed to setup mount entries"); | |
c631115d FA |
3272 | } |
3273 | ||
8353b4c9 | 3274 | if (lxc_conf->is_execute) { |
4b5b3a2a TA |
3275 | if (execveat_supported()) { |
3276 | int fd; | |
3277 | char path[PATH_MAX]; | |
3278 | ||
3279 | ret = snprintf(path, PATH_MAX, SBINDIR "/init.lxc.static"); | |
55022530 CB |
3280 | if (ret < 0 || ret >= PATH_MAX) |
3281 | return log_error(-1, "Path to init.lxc.static too long"); | |
4b5b3a2a TA |
3282 | |
3283 | fd = open(path, O_PATH | O_CLOEXEC); | |
55022530 CB |
3284 | if (fd < 0) |
3285 | return log_error_errno(-1, errno, "Unable to open lxc.init.static"); | |
4b5b3a2a TA |
3286 | |
3287 | ((struct execute_args *)handler->data)->init_fd = fd; | |
3288 | ((struct execute_args *)handler->data)->init_path = NULL; | |
3289 | } else { | |
3290 | ret = lxc_execute_bind_init(handler); | |
55022530 CB |
3291 | if (ret < 0) |
3292 | return log_error(-1, "Failed to bind-mount the lxc init system"); | |
8353b4c9 CB |
3293 | } |
3294 | } | |
2322903b | 3295 | |
8353b4c9 CB |
3296 | /* Now mount only cgroups, if wanted. Before, /sys could not have been |
3297 | * mounted. It is guaranteed to be mounted now either through | |
3298 | * automatically or via fstab entries. | |
368bbc02 | 3299 | */ |
8353b4c9 | 3300 | ret = lxc_mount_auto_mounts(lxc_conf, lxc_conf->auto_mounts & LXC_AUTO_CGROUP_MASK, handler); |
55022530 CB |
3301 | if (ret < 0) |
3302 | return log_error(-1, "Failed to setup remaining automatic mounts"); | |
368bbc02 | 3303 | |
8353b4c9 | 3304 | ret = run_lxc_hooks(name, "mount", lxc_conf, NULL); |
55022530 CB |
3305 | if (ret < 0) |
3306 | return log_error(-1, "Failed to run mount hooks"); | |
773fb9ca | 3307 | |
bc6928ff | 3308 | if (lxc_conf->autodev > 0) { |
8353b4c9 | 3309 | ret = run_lxc_hooks(name, "autodev", lxc_conf, NULL); |
55022530 CB |
3310 | if (ret < 0) |
3311 | return log_error(-1, "Failed to run autodev hooks"); | |
06749971 | 3312 | |
8353b4c9 | 3313 | ret = lxc_fill_autodev(&lxc_conf->rootfs); |
55022530 CB |
3314 | if (ret < 0) |
3315 | return log_error(-1, "Failed to populate \"/dev\""); | |
91c3830e | 3316 | } |
368bbc02 | 3317 | |
75193660 | 3318 | /* Make sure any start hooks are in the container */ |
55022530 CB |
3319 | if (!verify_start_hooks(lxc_conf)) |
3320 | return log_error(-1, "Failed to verify start hooks"); | |
75193660 | 3321 | |
cf68ffd9 CB |
3322 | ret = lxc_create_tmp_proc_mount(lxc_conf); |
3323 | if (ret < 0) | |
3324 | return log_error(-1, "Failed to \"/proc\" LSMs"); | |
3325 | ||
ed8704d0 | 3326 | ret = lxc_setup_console(&lxc_conf->rootfs, &lxc_conf->console, |
41808e20 | 3327 | lxc_conf->ttys.dir, pty_mnt_fd); |
55022530 CB |
3328 | if (ret < 0) |
3329 | return log_error(-1, "Failed to setup console"); | |
6e590161 | 3330 | |
ed8704d0 | 3331 | ret = lxc_setup_dev_symlinks(&lxc_conf->rootfs); |
55022530 CB |
3332 | if (ret < 0) |
3333 | return log_error(-1, "Failed to setup \"/dev\" symlinks"); | |
69aa6655 | 3334 | |
8ce1abc2 | 3335 | ret = lxc_setup_rootfs_switch_root(&lxc_conf->rootfs); |
55022530 CB |
3336 | if (ret < 0) |
3337 | return log_error(-1, "Failed to pivot root into rootfs"); | |
ed502555 | 3338 | |
20502652 CB |
3339 | /* Setting the boot-id is best-effort for now. */ |
3340 | if (lxc_conf->autodev > 0) | |
3341 | (void)lxc_setup_boot_id(); | |
3342 | ||
f797f05e | 3343 | ret = lxc_setup_devpts(handler); |
55022530 CB |
3344 | if (ret < 0) |
3345 | return log_error(-1, "Failed to setup new devpts instance"); | |
3c26f34e | 3346 | |
2187efd3 CB |
3347 | ret = lxc_create_ttys(handler); |
3348 | if (ret < 0) | |
e8bd4e43 | 3349 | return -1; |
e8bd4e43 | 3350 | |
8353b4c9 | 3351 | ret = setup_personality(lxc_conf->personality); |
55022530 CB |
3352 | if (ret < 0) |
3353 | return log_error(-1, "Failed to set personality"); | |
cccc74b5 | 3354 | |
8353b4c9 CB |
3355 | /* Set sysctl value to a path under /proc/sys as determined from the |
3356 | * key. For e.g. net.ipv4.ip_forward translated to | |
3357 | * /proc/sys/net/ipv4/ip_forward. | |
7edd0540 L |
3358 | */ |
3359 | if (!lxc_list_empty(&lxc_conf->sysctls)) { | |
3360 | ret = setup_sysctl_parameters(&lxc_conf->sysctls); | |
55022530 CB |
3361 | if (ret < 0) |
3362 | return log_error(-1, "Failed to setup sysctl parameters"); | |
7edd0540 L |
3363 | } |
3364 | ||
97a8f74f | 3365 | if (!lxc_list_empty(&lxc_conf->keepcaps)) { |
55022530 CB |
3366 | if (!lxc_list_empty(&lxc_conf->caps)) |
3367 | return log_error(-1, "Container requests lxc.cap.drop and lxc.cap.keep: either use lxc.cap.drop or lxc.cap.keep, not both"); | |
8353b4c9 | 3368 | |
55022530 CB |
3369 | if (dropcaps_except(&lxc_conf->keepcaps)) |
3370 | return log_error(-1, "Failed to keep capabilities"); | |
97a8f74f | 3371 | } else if (setup_caps(&lxc_conf->caps)) { |
55022530 | 3372 | return log_error(-1, "Failed to drop capabilities"); |
81810dd1 DL |
3373 | } |
3374 | ||
8353b4c9 | 3375 | NOTICE("The container \"%s\" is set up", name); |
cd54d859 | 3376 | |
0ad19a3f | 3377 | return 0; |
3378 | } | |
26ddeedd | 3379 | |
3f60c2f7 | 3380 | int run_lxc_hooks(const char *name, char *hookname, struct lxc_conf *conf, |
14a7b0f9 | 3381 | char *argv[]) |
26ddeedd | 3382 | { |
26ddeedd | 3383 | struct lxc_list *it; |
3ea957c6 RK |
3384 | int which; |
3385 | ||
3386 | for (which = 0; which < NUM_LXC_HOOKS; which ++) { | |
3387 | if (strcmp(hookname, lxchook_names[which]) == 0) | |
3388 | break; | |
3389 | } | |
3390 | ||
3391 | if (which >= NUM_LXC_HOOKS) | |
26ddeedd | 3392 | return -1; |
3f60c2f7 | 3393 | |
0fd73091 | 3394 | lxc_list_for_each (it, &conf->hooks[which]) { |
26ddeedd | 3395 | int ret; |
3f60c2f7 CB |
3396 | char *hook = it->elem; |
3397 | ||
3398 | ret = run_script_argv(name, conf->hooks_version, "lxc", hook, | |
14a7b0f9 | 3399 | hookname, argv); |
3f60c2f7 CB |
3400 | if (ret < 0) |
3401 | return -1; | |
26ddeedd | 3402 | } |
3f60c2f7 | 3403 | |
26ddeedd SH |
3404 | return 0; |
3405 | } | |
72d0e1cb | 3406 | |
72d0e1cb SG |
3407 | int lxc_clear_config_caps(struct lxc_conf *c) |
3408 | { | |
1a0e70ac | 3409 | struct lxc_list *it, *next; |
72d0e1cb | 3410 | |
0fd73091 | 3411 | lxc_list_for_each_safe (it, &c->caps, next) { |
72d0e1cb SG |
3412 | lxc_list_del(it); |
3413 | free(it->elem); | |
3414 | free(it); | |
3415 | } | |
0fd73091 | 3416 | |
72d0e1cb SG |
3417 | return 0; |
3418 | } | |
3419 | ||
c7e345ae CB |
3420 | static int lxc_free_idmap(struct lxc_list *id_map) |
3421 | { | |
27c27d73 SH |
3422 | struct lxc_list *it, *next; |
3423 | ||
46bc6f2a | 3424 | lxc_list_for_each_safe(it, id_map, next) { |
27c27d73 SH |
3425 | lxc_list_del(it); |
3426 | free(it->elem); | |
3427 | free(it); | |
3428 | } | |
c7e345ae | 3429 | |
27c27d73 SH |
3430 | return 0; |
3431 | } | |
7e621263 CB |
3432 | |
3433 | static int __lxc_free_idmap(struct lxc_list *id_map) | |
3434 | { | |
3435 | lxc_free_idmap(id_map); | |
3436 | free(id_map); | |
3437 | return 0; | |
3438 | } | |
3439 | define_cleanup_function(struct lxc_list *, __lxc_free_idmap); | |
27c27d73 | 3440 | |
4355ab5f SH |
3441 | int lxc_clear_idmaps(struct lxc_conf *c) |
3442 | { | |
3443 | return lxc_free_idmap(&c->id_map); | |
3444 | } | |
3445 | ||
1fb86a7c SH |
3446 | int lxc_clear_config_keepcaps(struct lxc_conf *c) |
3447 | { | |
0fd73091 | 3448 | struct lxc_list *it, *next; |
1fb86a7c | 3449 | |
0fd73091 | 3450 | lxc_list_for_each_safe (it, &c->keepcaps, next) { |
1fb86a7c SH |
3451 | lxc_list_del(it); |
3452 | free(it->elem); | |
3453 | free(it); | |
3454 | } | |
0fd73091 | 3455 | |
1fb86a7c SH |
3456 | return 0; |
3457 | } | |
3458 | ||
a3ed9b81 | 3459 | int lxc_clear_namespace(struct lxc_conf *c) |
3460 | { | |
3461 | int i; | |
3462 | for (i = 0; i < LXC_NS_MAX; i++) { | |
3463 | free(c->ns_share[i]); | |
3464 | c->ns_share[i] = NULL; | |
3465 | } | |
3466 | return 0; | |
3467 | } | |
3468 | ||
54860ed0 | 3469 | int lxc_clear_cgroups(struct lxc_conf *c, const char *key, int version) |
72d0e1cb | 3470 | { |
54860ed0 | 3471 | char *global_token, *namespaced_token; |
ab1a6cac | 3472 | size_t namespaced_token_len; |
54860ed0 | 3473 | struct lxc_list *it, *next, *list; |
ab1a6cac | 3474 | const char *k = key; |
54860ed0 | 3475 | bool all = false; |
72d0e1cb | 3476 | |
54860ed0 CB |
3477 | if (version == CGROUP2_SUPER_MAGIC) { |
3478 | global_token = "lxc.cgroup2"; | |
3479 | namespaced_token = "lxc.cgroup2."; | |
6333c915 | 3480 | namespaced_token_len = STRLITERALLEN("lxc.cgroup2."); |
54860ed0 CB |
3481 | list = &c->cgroup2; |
3482 | } else if (version == CGROUP_SUPER_MAGIC) { | |
3483 | global_token = "lxc.cgroup"; | |
3484 | namespaced_token = "lxc.cgroup."; | |
6333c915 | 3485 | namespaced_token_len = STRLITERALLEN("lxc.cgroup."); |
54860ed0 CB |
3486 | list = &c->cgroup; |
3487 | } else { | |
ab1a6cac | 3488 | return -EINVAL; |
54860ed0 CB |
3489 | } |
3490 | ||
3491 | if (strcmp(key, global_token) == 0) | |
72d0e1cb | 3492 | all = true; |
6333c915 | 3493 | else if (strncmp(key, namespaced_token, namespaced_token_len) == 0) |
ab1a6cac | 3494 | k += namespaced_token_len; |
a6390f01 | 3495 | else |
ab1a6cac | 3496 | return -EINVAL; |
72d0e1cb | 3497 | |
0fd73091 | 3498 | lxc_list_for_each_safe (it, list, next) { |
72d0e1cb | 3499 | struct lxc_cgroup *cg = it->elem; |
54860ed0 | 3500 | |
72d0e1cb SG |
3501 | if (!all && strcmp(cg->subsystem, k) != 0) |
3502 | continue; | |
54860ed0 | 3503 | |
72d0e1cb SG |
3504 | lxc_list_del(it); |
3505 | free(cg->subsystem); | |
3506 | free(cg->value); | |
3507 | free(cg); | |
3508 | free(it); | |
3509 | } | |
e409b214 | 3510 | |
72d0e1cb SG |
3511 | return 0; |
3512 | } | |
3513 | ||
4bfb655e CB |
3514 | static void lxc_clear_devices(struct lxc_conf *conf) |
3515 | { | |
3516 | struct lxc_list *list = &conf->devices; | |
3517 | struct lxc_list *it, *next; | |
3518 | ||
3519 | lxc_list_for_each_safe(it, list, next) { | |
3520 | lxc_list_del(it); | |
3521 | free(it); | |
3522 | } | |
3523 | } | |
3524 | ||
c6d09e15 WB |
3525 | int lxc_clear_limits(struct lxc_conf *c, const char *key) |
3526 | { | |
3527 | struct lxc_list *it, *next; | |
c6d09e15 | 3528 | const char *k = NULL; |
0fd73091 | 3529 | bool all = false; |
c6d09e15 | 3530 | |
b668653c | 3531 | if (strcmp(key, "lxc.limit") == 0 || strcmp(key, "lxc.prlimit") == 0) |
c6d09e15 | 3532 | all = true; |
6333c915 CB |
3533 | else if (strncmp(key, "lxc.limit.", STRLITERALLEN("lxc.limit.")) == 0) |
3534 | k = key + STRLITERALLEN("lxc.limit."); | |
3535 | else if (strncmp(key, "lxc.prlimit.", STRLITERALLEN("lxc.prlimit.")) == 0) | |
3536 | k = key + STRLITERALLEN("lxc.prlimit."); | |
c6d09e15 WB |
3537 | else |
3538 | return -1; | |
3539 | ||
0fd73091 | 3540 | lxc_list_for_each_safe (it, &c->limits, next) { |
c6d09e15 | 3541 | struct lxc_limit *lim = it->elem; |
0fd73091 | 3542 | |
c6d09e15 WB |
3543 | if (!all && strcmp(lim->resource, k) != 0) |
3544 | continue; | |
0fd73091 | 3545 | |
c6d09e15 WB |
3546 | lxc_list_del(it); |
3547 | free(lim->resource); | |
3548 | free(lim); | |
3549 | free(it); | |
3550 | } | |
b668653c | 3551 | |
c6d09e15 WB |
3552 | return 0; |
3553 | } | |
3554 | ||
7edd0540 L |
3555 | int lxc_clear_sysctls(struct lxc_conf *c, const char *key) |
3556 | { | |
3557 | struct lxc_list *it, *next; | |
7edd0540 | 3558 | const char *k = NULL; |
0fd73091 | 3559 | bool all = false; |
7edd0540 L |
3560 | |
3561 | if (strcmp(key, "lxc.sysctl") == 0) | |
3562 | all = true; | |
6333c915 CB |
3563 | else if (strncmp(key, "lxc.sysctl.", STRLITERALLEN("lxc.sysctl.")) == 0) |
3564 | k = key + STRLITERALLEN("lxc.sysctl."); | |
7edd0540 L |
3565 | else |
3566 | return -1; | |
3567 | ||
0fd73091 | 3568 | lxc_list_for_each_safe (it, &c->sysctls, next) { |
7edd0540 | 3569 | struct lxc_sysctl *elem = it->elem; |
0fd73091 | 3570 | |
7edd0540 L |
3571 | if (!all && strcmp(elem->key, k) != 0) |
3572 | continue; | |
0fd73091 | 3573 | |
7edd0540 L |
3574 | lxc_list_del(it); |
3575 | free(elem->key); | |
3576 | free(elem->value); | |
3577 | free(elem); | |
3578 | free(it); | |
3579 | } | |
0fd73091 | 3580 | |
7edd0540 L |
3581 | return 0; |
3582 | } | |
3583 | ||
61d7a733 YT |
3584 | int lxc_clear_procs(struct lxc_conf *c, const char *key) |
3585 | { | |
0fd73091 | 3586 | struct lxc_list *it, *next; |
61d7a733 | 3587 | const char *k = NULL; |
0fd73091 | 3588 | bool all = false; |
61d7a733 YT |
3589 | |
3590 | if (strcmp(key, "lxc.proc") == 0) | |
3591 | all = true; | |
6333c915 CB |
3592 | else if (strncmp(key, "lxc.proc.", STRLITERALLEN("lxc.proc.")) == 0) |
3593 | k = key + STRLITERALLEN("lxc.proc."); | |
61d7a733 YT |
3594 | else |
3595 | return -1; | |
3596 | ||
0fd73091 | 3597 | lxc_list_for_each_safe (it, &c->procs, next) { |
61d7a733 | 3598 | struct lxc_proc *proc = it->elem; |
0fd73091 | 3599 | |
61d7a733 YT |
3600 | if (!all && strcmp(proc->filename, k) != 0) |
3601 | continue; | |
0fd73091 | 3602 | |
61d7a733 YT |
3603 | lxc_list_del(it); |
3604 | free(proc->filename); | |
3605 | free(proc->value); | |
3606 | free(proc); | |
3607 | free(it); | |
3608 | } | |
3609 | ||
3610 | return 0; | |
3611 | } | |
3612 | ||
ee1e7aa0 SG |
3613 | int lxc_clear_groups(struct lxc_conf *c) |
3614 | { | |
0fd73091 | 3615 | struct lxc_list *it, *next; |
ee1e7aa0 | 3616 | |
0fd73091 | 3617 | lxc_list_for_each_safe (it, &c->groups, next) { |
ee1e7aa0 SG |
3618 | lxc_list_del(it); |
3619 | free(it->elem); | |
3620 | free(it); | |
3621 | } | |
0fd73091 | 3622 | |
ee1e7aa0 SG |
3623 | return 0; |
3624 | } | |
3625 | ||
ab799c0b SG |
3626 | int lxc_clear_environment(struct lxc_conf *c) |
3627 | { | |
0fd73091 | 3628 | struct lxc_list *it, *next; |
ab799c0b | 3629 | |
0fd73091 | 3630 | lxc_list_for_each_safe (it, &c->environment, next) { |
ab799c0b SG |
3631 | lxc_list_del(it); |
3632 | free(it->elem); | |
3633 | free(it); | |
3634 | } | |
0fd73091 | 3635 | |
ab799c0b SG |
3636 | return 0; |
3637 | } | |
3638 | ||
72d0e1cb SG |
3639 | int lxc_clear_mount_entries(struct lxc_conf *c) |
3640 | { | |
0fd73091 | 3641 | struct lxc_list *it, *next; |
72d0e1cb | 3642 | |
0fd73091 | 3643 | lxc_list_for_each_safe (it, &c->mount_list, next) { |
72d0e1cb SG |
3644 | lxc_list_del(it); |
3645 | free(it->elem); | |
3646 | free(it); | |
3647 | } | |
0fd73091 | 3648 | |
72d0e1cb SG |
3649 | return 0; |
3650 | } | |
3651 | ||
b099e9e9 SH |
3652 | int lxc_clear_automounts(struct lxc_conf *c) |
3653 | { | |
3654 | c->auto_mounts = 0; | |
3655 | return 0; | |
3656 | } | |
3657 | ||
12a50cc6 | 3658 | int lxc_clear_hooks(struct lxc_conf *c, const char *key) |
72d0e1cb | 3659 | { |
72d0e1cb | 3660 | int i; |
0fd73091 CB |
3661 | struct lxc_list *it, *next; |
3662 | const char *k = NULL; | |
3663 | bool all = false, done = false; | |
72d0e1cb | 3664 | |
17ed13a3 SH |
3665 | if (strcmp(key, "lxc.hook") == 0) |
3666 | all = true; | |
6333c915 CB |
3667 | else if (strncmp(key, "lxc.hook.", STRLITERALLEN("lxc.hook.")) == 0) |
3668 | k = key + STRLITERALLEN("lxc.hook."); | |
a6390f01 WB |
3669 | else |
3670 | return -1; | |
17ed13a3 | 3671 | |
0fd73091 | 3672 | for (i = 0; i < NUM_LXC_HOOKS; i++) { |
17ed13a3 | 3673 | if (all || strcmp(k, lxchook_names[i]) == 0) { |
0fd73091 | 3674 | lxc_list_for_each_safe (it, &c->hooks[i], next) { |
17ed13a3 SH |
3675 | lxc_list_del(it); |
3676 | free(it->elem); | |
3677 | free(it); | |
3678 | } | |
0fd73091 | 3679 | |
17ed13a3 | 3680 | done = true; |
72d0e1cb SG |
3681 | } |
3682 | } | |
17ed13a3 | 3683 | |
55022530 CB |
3684 | if (!done) |
3685 | return log_error(-1, "Invalid hook key: %s", key); | |
0fd73091 | 3686 | |
72d0e1cb SG |
3687 | return 0; |
3688 | } | |
8eb5694b | 3689 | |
4184c3e1 SH |
3690 | static inline void lxc_clear_aliens(struct lxc_conf *conf) |
3691 | { | |
0fd73091 | 3692 | struct lxc_list *it, *next; |
4184c3e1 | 3693 | |
0fd73091 | 3694 | lxc_list_for_each_safe (it, &conf->aliens, next) { |
4184c3e1 SH |
3695 | lxc_list_del(it); |
3696 | free(it->elem); | |
3697 | free(it); | |
3698 | } | |
3699 | } | |
3700 | ||
c7b15d1e | 3701 | void lxc_clear_includes(struct lxc_conf *conf) |
f979ac15 | 3702 | { |
0fd73091 | 3703 | struct lxc_list *it, *next; |
f979ac15 | 3704 | |
0fd73091 | 3705 | lxc_list_for_each_safe (it, &conf->includes, next) { |
f979ac15 SH |
3706 | lxc_list_del(it); |
3707 | free(it->elem); | |
3708 | free(it); | |
3709 | } | |
3710 | } | |
3711 | ||
1800f924 WB |
3712 | int lxc_clear_apparmor_raw(struct lxc_conf *c) |
3713 | { | |
3714 | struct lxc_list *it, *next; | |
3715 | ||
3716 | lxc_list_for_each_safe (it, &c->lsm_aa_raw, next) { | |
3717 | lxc_list_del(it); | |
3718 | free(it->elem); | |
3719 | free(it); | |
3720 | } | |
3721 | ||
3722 | return 0; | |
3723 | } | |
3724 | ||
8eb5694b SH |
3725 | void lxc_conf_free(struct lxc_conf *conf) |
3726 | { | |
3727 | if (!conf) | |
3728 | return; | |
0fd73091 | 3729 | |
858377e4 SH |
3730 | if (current_config == conf) |
3731 | current_config = NULL; | |
aed105d5 | 3732 | lxc_terminal_conf_free(&conf->console); |
f10fad2f | 3733 | free(conf->rootfs.mount); |
b3b8c97f | 3734 | free(conf->rootfs.bdev_type); |
f10fad2f ME |
3735 | free(conf->rootfs.options); |
3736 | free(conf->rootfs.path); | |
9dd75981 | 3737 | free(conf->rootfs.data); |
f10fad2f | 3738 | free(conf->logfile); |
858377e4 SH |
3739 | if (conf->logfd != -1) |
3740 | close(conf->logfd); | |
f10fad2f | 3741 | free(conf->utsname); |
885766f5 CB |
3742 | free(conf->ttys.dir); |
3743 | free(conf->ttys.tty_names); | |
f10fad2f ME |
3744 | free(conf->fstab); |
3745 | free(conf->rcfile); | |
5cda27c1 | 3746 | free(conf->execute_cmd); |
f10fad2f | 3747 | free(conf->init_cmd); |
3c491553 | 3748 | free(conf->init_cwd); |
6b0d5538 | 3749 | free(conf->unexpanded_config); |
76d0127f | 3750 | free(conf->syslog); |
c302b476 | 3751 | lxc_free_networks(&conf->network); |
f10fad2f | 3752 | free(conf->lsm_aa_profile); |
1800f924 | 3753 | free(conf->lsm_aa_profile_computed); |
f10fad2f | 3754 | free(conf->lsm_se_context); |
c3e3c21a | 3755 | lxc_seccomp_free(&conf->seccomp); |
8eb5694b | 3756 | lxc_clear_config_caps(conf); |
1fb86a7c | 3757 | lxc_clear_config_keepcaps(conf); |
54860ed0 CB |
3758 | lxc_clear_cgroups(conf, "lxc.cgroup", CGROUP_SUPER_MAGIC); |
3759 | lxc_clear_cgroups(conf, "lxc.cgroup2", CGROUP2_SUPER_MAGIC); | |
4bfb655e | 3760 | lxc_clear_devices(conf); |
bf651989 | 3761 | lxc_clear_cgroup2_devices(conf); |
17ed13a3 | 3762 | lxc_clear_hooks(conf, "lxc.hook"); |
8eb5694b | 3763 | lxc_clear_mount_entries(conf); |
27c27d73 | 3764 | lxc_clear_idmaps(conf); |
ee1e7aa0 | 3765 | lxc_clear_groups(conf); |
f979ac15 | 3766 | lxc_clear_includes(conf); |
761d81ca | 3767 | lxc_clear_aliens(conf); |
ab799c0b | 3768 | lxc_clear_environment(conf); |
240d4b74 | 3769 | lxc_clear_limits(conf, "lxc.prlimit"); |
7edd0540 | 3770 | lxc_clear_sysctls(conf, "lxc.sysctl"); |
61d7a733 | 3771 | lxc_clear_procs(conf, "lxc.proc"); |
1800f924 | 3772 | lxc_clear_apparmor_raw(conf); |
a3ed9b81 | 3773 | lxc_clear_namespace(conf); |
43654d34 | 3774 | free(conf->cgroup_meta.dir); |
a900cbaf WB |
3775 | free(conf->cgroup_meta.monitor_dir); |
3776 | free(conf->cgroup_meta.container_dir); | |
3777 | free(conf->cgroup_meta.namespace_dir); | |
43654d34 | 3778 | free(conf->cgroup_meta.controllers); |
7a41e857 LT |
3779 | free(conf->shmount.path_host); |
3780 | free(conf->shmount.path_cont); | |
8eb5694b SH |
3781 | free(conf); |
3782 | } | |
4355ab5f SH |
3783 | |
3784 | struct userns_fn_data { | |
3785 | int (*fn)(void *); | |
c9b7c33e | 3786 | const char *fn_name; |
4355ab5f SH |
3787 | void *arg; |
3788 | int p[2]; | |
3789 | }; | |
3790 | ||
3791 | static int run_userns_fn(void *data) | |
3792 | { | |
766c5b6d | 3793 | struct userns_fn_data *d = data; |
adaffdd7 | 3794 | int ret; |
4355ab5f | 3795 | char c; |
4355ab5f | 3796 | |
766c5b6d | 3797 | close_prot_errno_disarm(d->p[1]); |
f8aa4bf3 | 3798 | |
766c5b6d CB |
3799 | /* |
3800 | * Wait for parent to finish establishing a new mapping in the user | |
f8aa4bf3 CB |
3801 | * namespace we are executing in. |
3802 | */ | |
adaffdd7 | 3803 | ret = lxc_read_nointr(d->p[0], &c, 1); |
766c5b6d | 3804 | close_prot_errno_disarm(d->p[0]); |
adaffdd7 CB |
3805 | if (ret != 1) |
3806 | return -1; | |
f8aa4bf3 | 3807 | |
c9b7c33e | 3808 | if (d->fn_name) |
adaffdd7 | 3809 | TRACE("Calling function \"%s\"", d->fn_name); |
0fd73091 | 3810 | |
f8aa4bf3 | 3811 | /* Call function to run. */ |
4355ab5f SH |
3812 | return d->fn(d->arg); |
3813 | } | |
3814 | ||
7581a82f | 3815 | static struct id_map *mapped_nsid_add(const struct lxc_conf *conf, unsigned id, |
db7cfe23 CB |
3816 | enum idtype idtype) |
3817 | { | |
5173b710 CB |
3818 | const struct id_map *map; |
3819 | struct id_map *retmap; | |
db7cfe23 CB |
3820 | |
3821 | map = find_mapped_nsid_entry(conf, id, idtype); | |
3822 | if (!map) | |
3823 | return NULL; | |
3824 | ||
3825 | retmap = malloc(sizeof(*retmap)); | |
3826 | if (!retmap) | |
3827 | return NULL; | |
3828 | ||
3829 | memcpy(retmap, map, sizeof(*retmap)); | |
3830 | return retmap; | |
3831 | } | |
3832 | ||
7581a82f | 3833 | static struct id_map *find_mapped_hostid_entry(const struct lxc_conf *conf, |
c4333195 | 3834 | unsigned id, enum idtype idtype) |
f8aa4bf3 | 3835 | { |
f8aa4bf3 | 3836 | struct id_map *map; |
0fd73091 | 3837 | struct lxc_list *it; |
f8aa4bf3 CB |
3838 | struct id_map *retmap = NULL; |
3839 | ||
0fd73091 | 3840 | lxc_list_for_each (it, &conf->id_map) { |
f8aa4bf3 CB |
3841 | map = it->elem; |
3842 | if (map->idtype != idtype) | |
3843 | continue; | |
3844 | ||
3845 | if (id >= map->hostid && id < map->hostid + map->range) { | |
3846 | retmap = map; | |
3847 | break; | |
3848 | } | |
3849 | } | |
3850 | ||
f8aa4bf3 CB |
3851 | return retmap; |
3852 | } | |
3853 | ||
0fd73091 | 3854 | /* Allocate a new {g,u}id mapping for the given {g,u}id. Re-use an already |
f8aa4bf3 | 3855 | * existing one or establish a new one. |
4355ab5f | 3856 | */ |
7581a82f | 3857 | static struct id_map *mapped_hostid_add(const struct lxc_conf *conf, uid_t id, |
0fd73091 | 3858 | enum idtype type) |
4355ab5f | 3859 | { |
55022530 | 3860 | __do_free struct id_map *entry = NULL; |
28a2d9e7 | 3861 | int hostid_mapped; |
55022530 | 3862 | struct id_map *tmp = NULL; |
c4333195 CB |
3863 | |
3864 | entry = malloc(sizeof(*entry)); | |
3865 | if (!entry) | |
3866 | return NULL; | |
f8aa4bf3 | 3867 | |
28a2d9e7 | 3868 | /* Reuse existing mapping. */ |
c4333195 | 3869 | tmp = find_mapped_hostid_entry(conf, id, type); |
1758c195 CB |
3870 | if (tmp) { |
3871 | memcpy(entry, tmp, sizeof(*entry)); | |
3872 | } else { | |
3873 | /* Find new mapping. */ | |
3874 | hostid_mapped = find_unmapped_nsid(conf, type); | |
3875 | if (hostid_mapped < 0) | |
3876 | return log_debug(NULL, "Failed to find free mapping for id %d", id); | |
3877 | ||
3878 | entry->idtype = type; | |
3879 | entry->nsid = hostid_mapped; | |
3880 | entry->hostid = (unsigned long)id; | |
3881 | entry->range = 1; | |
3882 | } | |
4355ab5f | 3883 | |
55022530 | 3884 | return move_ptr(entry); |
4355ab5f SH |
3885 | } |
3886 | ||
dbfcdf86 CB |
3887 | static struct lxc_list *get_minimal_idmap(const struct lxc_conf *conf, |
3888 | uid_t *resuid, gid_t *resgid) | |
4355ab5f | 3889 | { |
00d6cfe2 CB |
3890 | __do_free struct id_map *container_root_uid = NULL, |
3891 | *container_root_gid = NULL, | |
3892 | *host_uid_map = NULL, *host_gid_map = NULL; | |
3893 | __do_free struct lxc_list *idmap = NULL; | |
f8aa4bf3 | 3894 | uid_t euid, egid; |
4160c3a0 CB |
3895 | uid_t nsuid = (conf->root_nsuid_map != NULL) ? 0 : conf->init_uid; |
3896 | gid_t nsgid = (conf->root_nsgid_map != NULL) ? 0 : conf->init_gid; | |
00d6cfe2 | 3897 | struct lxc_list *tmplist = NULL; |
4355ab5f | 3898 | |
db7cfe23 | 3899 | /* Find container root mappings. */ |
4160c3a0 | 3900 | container_root_uid = mapped_nsid_add(conf, nsuid, ID_TYPE_UID); |
55022530 CB |
3901 | if (!container_root_uid) |
3902 | return log_debug(NULL, "Failed to find mapping for namespace uid %d", 0); | |
dcf0ffdf CB |
3903 | euid = geteuid(); |
3904 | if (euid >= container_root_uid->hostid && | |
3905 | euid < (container_root_uid->hostid + container_root_uid->range)) | |
2c996219 | 3906 | host_uid_map = move_ptr(container_root_uid); |
f8aa4bf3 | 3907 | |
4160c3a0 | 3908 | container_root_gid = mapped_nsid_add(conf, nsgid, ID_TYPE_GID); |
55022530 CB |
3909 | if (!container_root_gid) |
3910 | return log_debug(NULL, "Failed to find mapping for namespace gid %d", 0); | |
dcf0ffdf CB |
3911 | egid = getegid(); |
3912 | if (egid >= container_root_gid->hostid && | |
3913 | egid < (container_root_gid->hostid + container_root_gid->range)) | |
2c996219 | 3914 | host_gid_map = move_ptr(container_root_gid); |
f8aa4bf3 CB |
3915 | |
3916 | /* Check whether the {g,u}id of the user has a mapping. */ | |
954b7d9b | 3917 | if (!host_uid_map) |
c4333195 | 3918 | host_uid_map = mapped_hostid_add(conf, euid, ID_TYPE_UID); |
55022530 CB |
3919 | if (!host_uid_map) |
3920 | return log_debug(NULL, "Failed to find mapping for uid %d", euid); | |
f8aa4bf3 | 3921 | |
dcf0ffdf CB |
3922 | if (!host_gid_map) |
3923 | host_gid_map = mapped_hostid_add(conf, egid, ID_TYPE_GID); | |
55022530 CB |
3924 | if (!host_gid_map) |
3925 | return log_debug(NULL, "Failed to find mapping for gid %d", egid); | |
28a2d9e7 CB |
3926 | |
3927 | /* Allocate new {g,u}id map list. */ | |
3928 | idmap = malloc(sizeof(*idmap)); | |
3929 | if (!idmap) | |
00d6cfe2 | 3930 | return NULL; |
28a2d9e7 CB |
3931 | lxc_list_init(idmap); |
3932 | ||
f8aa4bf3 CB |
3933 | /* Add container root to the map. */ |
3934 | tmplist = malloc(sizeof(*tmplist)); | |
3935 | if (!tmplist) | |
00d6cfe2 | 3936 | return NULL; |
47649d5b CB |
3937 | /* idmap will now keep track of that memory. */ |
3938 | lxc_list_add_elem(tmplist, move_ptr(host_uid_map)); | |
f8aa4bf3 | 3939 | lxc_list_add_tail(idmap, tmplist); |
28a2d9e7 | 3940 | |
2c996219 | 3941 | if (container_root_uid) { |
28a2d9e7 CB |
3942 | /* Add container root to the map. */ |
3943 | tmplist = malloc(sizeof(*tmplist)); | |
3944 | if (!tmplist) | |
00d6cfe2 | 3945 | return NULL; |
47649d5b CB |
3946 | /* idmap will now keep track of that memory. */ |
3947 | lxc_list_add_elem(tmplist, move_ptr(container_root_uid)); | |
28a2d9e7 | 3948 | lxc_list_add_tail(idmap, tmplist); |
28a2d9e7 | 3949 | } |
f8aa4bf3 CB |
3950 | |
3951 | tmplist = malloc(sizeof(*tmplist)); | |
3952 | if (!tmplist) | |
00d6cfe2 | 3953 | return NULL; |
47649d5b CB |
3954 | /* idmap will now keep track of that memory. */ |
3955 | lxc_list_add_elem(tmplist, move_ptr(host_gid_map)); | |
f8aa4bf3 | 3956 | lxc_list_add_tail(idmap, tmplist); |
28a2d9e7 | 3957 | |
2c996219 | 3958 | if (container_root_gid) { |
28a2d9e7 CB |
3959 | tmplist = malloc(sizeof(*tmplist)); |
3960 | if (!tmplist) | |
00d6cfe2 | 3961 | return NULL; |
47649d5b CB |
3962 | /* idmap will now keep track of that memory. */ |
3963 | lxc_list_add_elem(tmplist, move_ptr(container_root_gid)); | |
28a2d9e7 | 3964 | lxc_list_add_tail(idmap, tmplist); |
28a2d9e7 | 3965 | } |
f8aa4bf3 | 3966 | |
dbfcdf86 CB |
3967 | TRACE("Allocated minimal idmapping for ns uid %d and ns gid %d", nsuid, nsgid); |
3968 | ||
3969 | if (resuid) | |
3970 | *resuid = nsuid; | |
3971 | if (resgid) | |
3972 | *resgid = nsgid; | |
00d6cfe2 | 3973 | return move_ptr(idmap); |
dcf0ffdf CB |
3974 | } |
3975 | ||
766c5b6d CB |
3976 | /* |
3977 | * Run a function in a new user namespace. | |
dcf0ffdf CB |
3978 | * The caller's euid/egid will be mapped if it is not already. |
3979 | * Afaict, userns_exec_1() is only used to operate based on privileges for the | |
3980 | * user's own {g,u}id on the host and for the container root's unmapped {g,u}id. | |
3981 | * This means we require only to establish a mapping from: | |
3982 | * - the container root {g,u}id as seen from the host > user's host {g,u}id | |
3983 | * - the container root -> some sub{g,u}id | |
915e3dbd | 3984 | * The former we add, if the user did not specify a mapping. The latter we |
6f3fd27f | 3985 | * retrieve from the container's configured {g,u}id mappings as it must have been |
dcf0ffdf CB |
3986 | * there to start the container in the first place. |
3987 | */ | |
7581a82f | 3988 | int userns_exec_1(const struct lxc_conf *conf, int (*fn)(void *), void *data, |
dcf0ffdf CB |
3989 | const char *fn_name) |
3990 | { | |
7e621263 | 3991 | call_cleaner(__lxc_free_idmap) struct lxc_list *idmap = NULL; |
0fd73091 CB |
3992 | int ret = -1, status = -1; |
3993 | char c = '1'; | |
46bc6f2a CB |
3994 | struct userns_fn_data d = { |
3995 | .arg = data, | |
3996 | .fn = fn, | |
3997 | .fn_name = fn_name, | |
3998 | }; | |
766c5b6d CB |
3999 | pid_t pid; |
4000 | int pipe_fds[2]; | |
dcf0ffdf | 4001 | |
2b2655a8 CB |
4002 | if (!conf) |
4003 | return -EINVAL; | |
4004 | ||
dbfcdf86 | 4005 | idmap = get_minimal_idmap(conf, NULL, NULL); |
dcf0ffdf | 4006 | if (!idmap) |
766c5b6d | 4007 | return ret_errno(ENOENT); |
dcf0ffdf | 4008 | |
766c5b6d CB |
4009 | ret = pipe2(pipe_fds, O_CLOEXEC); |
4010 | if (ret < 0) | |
4011 | return -errno; | |
4012 | ||
766c5b6d CB |
4013 | d.p[0] = pipe_fds[0]; |
4014 | d.p[1] = pipe_fds[1]; | |
dcf0ffdf CB |
4015 | |
4016 | /* Clone child in new user namespace. */ | |
a59440be | 4017 | pid = lxc_raw_clone_cb(run_userns_fn, &d, CLONE_NEWUSER, NULL); |
dcf0ffdf | 4018 | if (pid < 0) { |
0fd73091 | 4019 | ERROR("Failed to clone process in new user namespace"); |
dcf0ffdf CB |
4020 | goto on_error; |
4021 | } | |
4022 | ||
766c5b6d | 4023 | close_prot_errno_disarm(pipe_fds[0]); |
dcf0ffdf | 4024 | |
4b73005c CB |
4025 | if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE || |
4026 | conf->loglevel == LXC_LOG_LEVEL_TRACE) { | |
dcf0ffdf | 4027 | struct id_map *map; |
0fd73091 | 4028 | struct lxc_list *it; |
dcf0ffdf | 4029 | |
766c5b6d | 4030 | lxc_list_for_each(it, idmap) { |
f8aa4bf3 | 4031 | map = it->elem; |
766c5b6d CB |
4032 | TRACE("Establishing %cid mapping for \"%d\" in new user namespace: nsuid %lu - hostid %lu - range %lu", |
4033 | (map->idtype == ID_TYPE_UID) ? 'u' : 'g', pid, map->nsid, map->hostid, map->range); | |
f8aa4bf3 | 4034 | } |
4355ab5f SH |
4035 | } |
4036 | ||
f8aa4bf3 | 4037 | /* Set up {g,u}id mapping for user namespace of child process. */ |
4355ab5f | 4038 | ret = lxc_map_ids(idmap, pid); |
f8aa4bf3 | 4039 | if (ret < 0) { |
0fd73091 | 4040 | ERROR("Error setting up {g,u}id mappings for child process \"%d\"", pid); |
f8aa4bf3 | 4041 | goto on_error; |
4355ab5f SH |
4042 | } |
4043 | ||
f8aa4bf3 | 4044 | /* Tell child to proceed. */ |
766c5b6d | 4045 | if (lxc_write_nointr(pipe_fds[1], &c, 1) != 1) { |
dcf0ffdf | 4046 | SYSERROR("Failed telling child process \"%d\" to proceed", pid); |
f8aa4bf3 | 4047 | goto on_error; |
4355ab5f SH |
4048 | } |
4049 | ||
686dd5d1 | 4050 | on_error: |
766c5b6d CB |
4051 | close_prot_errno_disarm(pipe_fds[0]); |
4052 | close_prot_errno_disarm(pipe_fds[1]); | |
f8aa4bf3 | 4053 | |
ee1b16bc TA |
4054 | /* Wait for child to finish. */ |
4055 | if (pid > 0) | |
4056 | status = wait_for_pid(pid); | |
4057 | ||
686dd5d1 CB |
4058 | if (status < 0) |
4059 | ret = -1; | |
4060 | ||
f8aa4bf3 | 4061 | return ret; |
4355ab5f | 4062 | } |
97e9cfa0 | 4063 | |
d1783ef4 CB |
4064 | int userns_exec_minimal(const struct lxc_conf *conf, |
4065 | int (*fn_parent)(void *), void *fn_parent_data, | |
4066 | int (*fn_child)(void *), void *fn_child_data) | |
edf88289 | 4067 | { |
7e621263 | 4068 | call_cleaner(__lxc_free_idmap) struct lxc_list *idmap = NULL; |
dbfcdf86 CB |
4069 | uid_t resuid = LXC_INVALID_UID; |
4070 | gid_t resgid = LXC_INVALID_GID; | |
edf88289 | 4071 | char c = '1'; |
dbfcdf86 | 4072 | ssize_t ret; |
edf88289 CB |
4073 | pid_t pid; |
4074 | int sock_fds[2]; | |
4075 | ||
d1783ef4 | 4076 | if (!conf || !fn_child) |
dbfcdf86 | 4077 | return ret_errno(EINVAL); |
edf88289 | 4078 | |
dbfcdf86 | 4079 | idmap = get_minimal_idmap(conf, &resuid, &resgid); |
edf88289 CB |
4080 | if (!idmap) |
4081 | return ret_errno(ENOENT); | |
4082 | ||
4083 | ret = socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, sock_fds); | |
4084 | if (ret < 0) | |
4085 | return -errno; | |
4086 | ||
4087 | pid = fork(); | |
4088 | if (pid < 0) { | |
dbfcdf86 | 4089 | SYSERROR("Failed to create new process"); |
edf88289 CB |
4090 | goto on_error; |
4091 | } | |
4092 | ||
4093 | if (pid == 0) { | |
4094 | close_prot_errno_disarm(sock_fds[1]); | |
4095 | ||
4096 | ret = unshare(CLONE_NEWUSER); | |
dbfcdf86 CB |
4097 | if (ret < 0) { |
4098 | SYSERROR("Failed to unshare new user namespace"); | |
edf88289 | 4099 | _exit(EXIT_FAILURE); |
dbfcdf86 | 4100 | } |
edf88289 | 4101 | |
dbfcdf86 CB |
4102 | ret = lxc_write_nointr(sock_fds[0], &c, 1); |
4103 | if (ret != 1) | |
edf88289 CB |
4104 | _exit(EXIT_FAILURE); |
4105 | ||
4106 | ret = lxc_read_nointr(sock_fds[0], &c, 1); | |
4107 | if (ret != 1) | |
4108 | _exit(EXIT_FAILURE); | |
4109 | ||
4110 | close_prot_errno_disarm(sock_fds[0]); | |
4111 | ||
4112 | if (!lxc_setgroups(0, NULL) && errno != EPERM) | |
4113 | _exit(EXIT_FAILURE); | |
4114 | ||
dbfcdf86 CB |
4115 | ret = setresgid(resgid, resgid, resgid); |
4116 | if (ret < 0) { | |
4117 | SYSERROR("Failed to setresgid(%d, %d, %d)", | |
4118 | resgid, resgid, resgid); | |
edf88289 | 4119 | _exit(EXIT_FAILURE); |
dbfcdf86 CB |
4120 | } |
4121 | ||
4122 | ret = setresuid(resuid, resuid, resuid); | |
4123 | if (ret < 0) { | |
4124 | SYSERROR("Failed to setresuid(%d, %d, %d)", | |
4125 | resuid, resuid, resuid); | |
4126 | _exit(EXIT_FAILURE); | |
4127 | } | |
edf88289 | 4128 | |
d1783ef4 | 4129 | ret = fn_child(fn_child_data); |
dbfcdf86 CB |
4130 | if (ret) { |
4131 | SYSERROR("Running function in new user namespace failed"); | |
edf88289 | 4132 | _exit(EXIT_FAILURE); |
dbfcdf86 | 4133 | } |
edf88289 CB |
4134 | |
4135 | _exit(EXIT_SUCCESS); | |
4136 | } | |
4137 | ||
4138 | close_prot_errno_disarm(sock_fds[0]); | |
4139 | ||
4140 | if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE || | |
4141 | conf->loglevel == LXC_LOG_LEVEL_TRACE) { | |
4142 | struct id_map *map; | |
4143 | struct lxc_list *it; | |
4144 | ||
4145 | lxc_list_for_each(it, idmap) { | |
4146 | map = it->elem; | |
4147 | TRACE("Establishing %cid mapping for \"%d\" in new user namespace: nsuid %lu - hostid %lu - range %lu", | |
4148 | (map->idtype == ID_TYPE_UID) ? 'u' : 'g', pid, map->nsid, map->hostid, map->range); | |
4149 | } | |
4150 | } | |
4151 | ||
4152 | ret = lxc_read_nointr(sock_fds[1], &c, 1); | |
4153 | if (ret != 1) { | |
4154 | SYSERROR("Failed waiting for child process %d\" to tell us to proceed", pid); | |
4155 | goto on_error; | |
4156 | } | |
4157 | ||
4158 | /* Set up {g,u}id mapping for user namespace of child process. */ | |
4159 | ret = lxc_map_ids(idmap, pid); | |
4160 | if (ret < 0) { | |
4161 | ERROR("Error setting up {g,u}id mappings for child process \"%d\"", pid); | |
4162 | goto on_error; | |
4163 | } | |
4164 | ||
4165 | /* Tell child to proceed. */ | |
4166 | ret = lxc_write_nointr(sock_fds[1], &c, 1); | |
4167 | if (ret != 1) { | |
4168 | SYSERROR("Failed telling child process \"%d\" to proceed", pid); | |
4169 | goto on_error; | |
4170 | } | |
4171 | ||
d1783ef4 CB |
4172 | if (fn_parent && fn_parent(fn_parent_data)) { |
4173 | SYSERROR("Running parent function failed"); | |
4174 | _exit(EXIT_FAILURE); | |
4175 | } | |
4176 | ||
edf88289 CB |
4177 | on_error: |
4178 | close_prot_errno_disarm(sock_fds[0]); | |
4179 | close_prot_errno_disarm(sock_fds[1]); | |
4180 | ||
4181 | /* Wait for child to finish. */ | |
dbfcdf86 CB |
4182 | if (pid < 0) |
4183 | return -1; | |
edf88289 | 4184 | |
dbfcdf86 | 4185 | return wait_for_pid(pid); |
edf88289 CB |
4186 | } |
4187 | ||
415a8851 CB |
4188 | int userns_exec_full(struct lxc_conf *conf, int (*fn)(void *), void *data, |
4189 | const char *fn_name) | |
4190 | { | |
4191 | pid_t pid; | |
4192 | uid_t euid, egid; | |
415a8851 CB |
4193 | int p[2]; |
4194 | struct id_map *map; | |
4195 | struct lxc_list *cur; | |
0fd73091 | 4196 | struct userns_fn_data d; |
415a8851 | 4197 | int ret = -1; |
0fd73091 | 4198 | char c = '1'; |
415a8851 CB |
4199 | struct lxc_list *idmap = NULL, *tmplist = NULL; |
4200 | struct id_map *container_root_uid = NULL, *container_root_gid = NULL, | |
4201 | *host_uid_map = NULL, *host_gid_map = NULL; | |
4202 | ||
2b2655a8 CB |
4203 | if (!conf) |
4204 | return -EINVAL; | |
4205 | ||
979f9e34 | 4206 | ret = pipe2(p, O_CLOEXEC); |
415a8851 CB |
4207 | if (ret < 0) { |
4208 | SYSERROR("opening pipe"); | |
4209 | return -1; | |
4210 | } | |
4211 | d.fn = fn; | |
4212 | d.fn_name = fn_name; | |
4213 | d.arg = data; | |
4214 | d.p[0] = p[0]; | |
4215 | d.p[1] = p[1]; | |
4216 | ||
4217 | /* Clone child in new user namespace. */ | |
33258b95 | 4218 | pid = lxc_clone(run_userns_fn, &d, CLONE_NEWUSER, NULL); |
415a8851 | 4219 | if (pid < 0) { |
0fd73091 | 4220 | ERROR("Failed to clone process in new user namespace"); |
415a8851 CB |
4221 | goto on_error; |
4222 | } | |
4223 | ||
4224 | close(p[0]); | |
4225 | p[0] = -1; | |
4226 | ||
4227 | euid = geteuid(); | |
4228 | egid = getegid(); | |
4229 | ||
4230 | /* Allocate new {g,u}id map list. */ | |
4231 | idmap = malloc(sizeof(*idmap)); | |
4232 | if (!idmap) | |
4233 | goto on_error; | |
4234 | lxc_list_init(idmap); | |
4235 | ||
4236 | /* Find container root. */ | |
0fd73091 | 4237 | lxc_list_for_each (cur, &conf->id_map) { |
415a8851 CB |
4238 | struct id_map *tmpmap; |
4239 | ||
4240 | tmplist = malloc(sizeof(*tmplist)); | |
4241 | if (!tmplist) | |
4242 | goto on_error; | |
4243 | ||
4244 | tmpmap = malloc(sizeof(*tmpmap)); | |
4245 | if (!tmpmap) { | |
4246 | free(tmplist); | |
4247 | goto on_error; | |
4248 | } | |
4249 | ||
4250 | memset(tmpmap, 0, sizeof(*tmpmap)); | |
4251 | memcpy(tmpmap, cur->elem, sizeof(*tmpmap)); | |
4252 | tmplist->elem = tmpmap; | |
4253 | ||
4254 | lxc_list_add_tail(idmap, tmplist); | |
4255 | ||
4256 | map = cur->elem; | |
4257 | ||
4258 | if (map->idtype == ID_TYPE_UID) | |
4259 | if (euid >= map->hostid && euid < map->hostid + map->range) | |
4260 | host_uid_map = map; | |
4261 | ||
4262 | if (map->idtype == ID_TYPE_GID) | |
4263 | if (egid >= map->hostid && egid < map->hostid + map->range) | |
4264 | host_gid_map = map; | |
4265 | ||
4266 | if (map->nsid != 0) | |
4267 | continue; | |
4268 | ||
4269 | if (map->idtype == ID_TYPE_UID) | |
4270 | if (container_root_uid == NULL) | |
4271 | container_root_uid = map; | |
4272 | ||
4273 | if (map->idtype == ID_TYPE_GID) | |
4274 | if (container_root_gid == NULL) | |
4275 | container_root_gid = map; | |
4276 | } | |
4277 | ||
4278 | if (!container_root_uid || !container_root_gid) { | |
4279 | ERROR("No mapping for container root found"); | |
4280 | goto on_error; | |
4281 | } | |
4282 | ||
4283 | /* Check whether the {g,u}id of the user has a mapping. */ | |
4284 | if (!host_uid_map) | |
c4333195 | 4285 | host_uid_map = mapped_hostid_add(conf, euid, ID_TYPE_UID); |
415a8851 CB |
4286 | else |
4287 | host_uid_map = container_root_uid; | |
4288 | ||
4289 | if (!host_gid_map) | |
c4333195 | 4290 | host_gid_map = mapped_hostid_add(conf, egid, ID_TYPE_GID); |
415a8851 CB |
4291 | else |
4292 | host_gid_map = container_root_gid; | |
4293 | ||
4294 | if (!host_uid_map) { | |
4295 | DEBUG("Failed to find mapping for uid %d", euid); | |
4296 | goto on_error; | |
4297 | } | |
4298 | ||
4299 | if (!host_gid_map) { | |
4300 | DEBUG("Failed to find mapping for gid %d", egid); | |
4301 | goto on_error; | |
4302 | } | |
4303 | ||
4304 | if (host_uid_map && (host_uid_map != container_root_uid)) { | |
4305 | /* Add container root to the map. */ | |
4306 | tmplist = malloc(sizeof(*tmplist)); | |
4307 | if (!tmplist) | |
4308 | goto on_error; | |
4309 | lxc_list_add_elem(tmplist, host_uid_map); | |
4310 | lxc_list_add_tail(idmap, tmplist); | |
4311 | } | |
4312 | /* idmap will now keep track of that memory. */ | |
4313 | host_uid_map = NULL; | |
4314 | ||
4315 | if (host_gid_map && (host_gid_map != container_root_gid)) { | |
4316 | tmplist = malloc(sizeof(*tmplist)); | |
4317 | if (!tmplist) | |
4318 | goto on_error; | |
4319 | lxc_list_add_elem(tmplist, host_gid_map); | |
4320 | lxc_list_add_tail(idmap, tmplist); | |
4321 | } | |
4322 | /* idmap will now keep track of that memory. */ | |
4323 | host_gid_map = NULL; | |
4324 | ||
4325 | if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE || | |
4326 | conf->loglevel == LXC_LOG_LEVEL_TRACE) { | |
0fd73091 | 4327 | lxc_list_for_each (cur, idmap) { |
415a8851 CB |
4328 | map = cur->elem; |
4329 | TRACE("establishing %cid mapping for \"%d\" in new " | |
4330 | "user namespace: nsuid %lu - hostid %lu - range " | |
4331 | "%lu", | |
4332 | (map->idtype == ID_TYPE_UID) ? 'u' : 'g', pid, | |
4333 | map->nsid, map->hostid, map->range); | |
4334 | } | |
4335 | } | |
4336 | ||
4337 | /* Set up {g,u}id mapping for user namespace of child process. */ | |
4338 | ret = lxc_map_ids(idmap, pid); | |
4339 | if (ret < 0) { | |
0fd73091 | 4340 | ERROR("error setting up {g,u}id mappings for child process \"%d\"", pid); |
415a8851 CB |
4341 | goto on_error; |
4342 | } | |
4343 | ||
4344 | /* Tell child to proceed. */ | |
489f39be | 4345 | if (lxc_write_nointr(p[1], &c, 1) != 1) { |
0fd73091 | 4346 | SYSERROR("Failed telling child process \"%d\" to proceed", pid); |
415a8851 CB |
4347 | goto on_error; |
4348 | } | |
4349 | ||
686dd5d1 | 4350 | on_error: |
ee1b16bc TA |
4351 | if (p[0] != -1) |
4352 | close(p[0]); | |
4353 | close(p[1]); | |
4354 | ||
415a8851 | 4355 | /* Wait for child to finish. */ |
686dd5d1 CB |
4356 | if (pid > 0) |
4357 | ret = wait_for_pid(pid); | |
415a8851 | 4358 | |
7e621263 CB |
4359 | if (idmap) |
4360 | __lxc_free_idmap(idmap); | |
80758b4b | 4361 | |
415a8851 CB |
4362 | if (host_uid_map && (host_uid_map != container_root_uid)) |
4363 | free(host_uid_map); | |
4364 | if (host_gid_map && (host_gid_map != container_root_gid)) | |
4365 | free(host_gid_map); | |
4366 | ||
415a8851 CB |
4367 | return ret; |
4368 | } | |
4369 | ||
234998b4 CB |
4370 | static int add_idmap_entry(struct lxc_list *idmap, enum idtype idtype, |
4371 | unsigned long nsid, unsigned long hostid, | |
4372 | unsigned long range) | |
4373 | { | |
4374 | __do_free struct id_map *new_idmap = NULL; | |
4375 | __do_free struct lxc_list *new_list = NULL; | |
4376 | ||
4377 | new_idmap = zalloc(sizeof(*new_idmap)); | |
4378 | if (!new_idmap) | |
4379 | return ret_errno(ENOMEM); | |
4380 | ||
4381 | new_idmap->idtype = idtype; | |
4382 | new_idmap->hostid = hostid; | |
4383 | new_idmap->nsid = nsid; | |
4384 | new_idmap->range = range; | |
4385 | ||
4386 | new_list = zalloc(sizeof(*new_list)); | |
4387 | if (!new_list) | |
4388 | return ret_errno(ENOMEM); | |
4389 | ||
4390 | new_list->elem = move_ptr(new_idmap); | |
4391 | lxc_list_add_tail(idmap, move_ptr(new_list)); | |
4392 | ||
4393 | INFO("Adding id map: type %c nsid %lu hostid %lu range %lu", | |
4394 | idtype == ID_TYPE_UID ? 'u' : 'g', nsid, hostid, range); | |
4395 | return 0; | |
4396 | } | |
4397 | ||
4398 | int userns_exec_mapped_root(const char *path, int path_fd, | |
4399 | const struct lxc_conf *conf) | |
4400 | { | |
7e621263 | 4401 | call_cleaner(__lxc_free_idmap) struct lxc_list *idmap = NULL; |
234998b4 CB |
4402 | __do_close int fd = -EBADF; |
4403 | int target_fd = -EBADF; | |
4404 | char c = '1'; | |
4405 | ssize_t ret; | |
4406 | pid_t pid; | |
4407 | int sock_fds[2]; | |
4408 | uid_t container_host_uid, hostuid; | |
4409 | gid_t container_host_gid, hostgid; | |
4410 | struct stat st; | |
4411 | ||
4412 | if (!conf || (!path && path_fd < 0)) | |
4413 | return ret_errno(EINVAL); | |
4414 | ||
4415 | if (!path) | |
4416 | path = "(null)"; | |
4417 | ||
4418 | container_host_uid = get_mapped_rootid(conf, ID_TYPE_UID); | |
4419 | if (!uid_valid(container_host_uid)) | |
4420 | return log_error(-1, "No uid mapping for container root"); | |
4421 | ||
4422 | container_host_gid = get_mapped_rootid(conf, ID_TYPE_GID); | |
4423 | if (!gid_valid(container_host_gid)) | |
4424 | return log_error(-1, "No gid mapping for container root"); | |
4425 | ||
cf68ffd9 | 4426 | if (path_fd < 0) { |
a72c68f7 | 4427 | fd = open(path, O_CLOEXEC | O_NOCTTY); |
234998b4 CB |
4428 | if (fd < 0) |
4429 | return log_error_errno(-errno, errno, "Failed to open \"%s\"", path); | |
4430 | target_fd = fd; | |
4431 | } else { | |
4432 | target_fd = path_fd; | |
4433 | } | |
4434 | ||
4435 | hostuid = geteuid(); | |
4436 | /* We are root so chown directly. */ | |
4437 | if (hostuid == 0) { | |
4438 | ret = fchown(target_fd, container_host_uid, container_host_gid); | |
4439 | if (ret) | |
4440 | return log_error_errno(-errno, errno, | |
4441 | "Failed to fchown(%d(%s), %d, %d)", | |
4442 | target_fd, path, container_host_uid, | |
4443 | container_host_gid); | |
4444 | return log_trace(0, "Chowned %d(%s) to uid %d and %d", target_fd, path, | |
4445 | container_host_uid, container_host_gid); | |
4446 | } | |
4447 | ||
4448 | /* The container's root host id matches */ | |
4449 | if (container_host_uid == hostuid) | |
4450 | return log_info(0, "Container root id is mapped to our uid"); | |
4451 | ||
4452 | /* Get the current ids of our target. */ | |
4453 | ret = fstat(target_fd, &st); | |
4454 | if (ret) | |
4455 | return log_error_errno(-errno, errno, "Failed to stat \"%s\"", path); | |
4456 | ||
4457 | hostgid = getegid(); | |
4458 | if (st.st_uid == hostuid && mapped_hostid(st.st_gid, conf, ID_TYPE_GID) < 0) { | |
4459 | ret = fchown(target_fd, -1, hostgid); | |
4460 | if (ret) | |
4461 | return log_error_errno(-errno, errno, | |
4462 | "Failed to fchown(%d(%s), -1, %d)", | |
4463 | target_fd, path, hostgid); | |
2e8013f9 | 4464 | TRACE("Chowned %d(%s) to -1:%d", target_fd, path, hostgid); |
234998b4 CB |
4465 | } |
4466 | ||
4467 | idmap = malloc(sizeof(*idmap)); | |
4468 | if (!idmap) | |
4469 | return -ENOMEM; | |
4470 | lxc_list_init(idmap); | |
4471 | ||
4472 | /* "u:0:rootuid:1" */ | |
4473 | ret = add_idmap_entry(idmap, ID_TYPE_UID, 0, container_host_uid, 1); | |
4474 | if (ret < 0) | |
4475 | return log_error_errno(ret, -ret, "Failed to add idmap entry"); | |
4476 | ||
4477 | /* "u:hostuid:hostuid:1" */ | |
4478 | ret = add_idmap_entry(idmap, ID_TYPE_UID, hostuid, hostuid, 1); | |
4479 | if (ret < 0) | |
4480 | return log_error_errno(ret, -ret, "Failed to add idmap entry"); | |
4481 | ||
4482 | /* "g:0:rootgid:1" */ | |
4483 | ret = add_idmap_entry(idmap, ID_TYPE_GID, 0, container_host_gid, 1); | |
4484 | if (ret < 0) | |
4485 | return log_error_errno(ret, -ret, "Failed to add idmap entry"); | |
4486 | ||
4487 | /* "g:hostgid:hostgid:1" */ | |
4488 | ret = add_idmap_entry(idmap, ID_TYPE_GID, hostgid, hostgid, 1); | |
4489 | if (ret < 0) | |
4490 | return log_error_errno(ret, -ret, "Failed to add idmap entry"); | |
4491 | ||
4492 | if (hostgid != st.st_gid) { | |
4493 | /* "g:pathgid:rootgid+pathgid:1" */ | |
4494 | ret = add_idmap_entry(idmap, ID_TYPE_GID, st.st_gid, | |
4495 | container_host_gid + (gid_t)st.st_gid, 1); | |
4496 | if (ret < 0) | |
4497 | return log_error_errno(ret, -ret, "Failed to add idmap entry"); | |
4498 | } | |
4499 | ||
4500 | ret = socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, sock_fds); | |
4501 | if (ret < 0) | |
4502 | return -errno; | |
4503 | ||
4504 | pid = fork(); | |
4505 | if (pid < 0) { | |
4506 | SYSERROR("Failed to create new process"); | |
4507 | goto on_error; | |
4508 | } | |
4509 | ||
4510 | if (pid == 0) { | |
4511 | close_prot_errno_disarm(sock_fds[1]); | |
4512 | ||
4513 | ret = unshare(CLONE_NEWUSER); | |
4514 | if (ret < 0) { | |
4515 | SYSERROR("Failed to unshare new user namespace"); | |
4516 | _exit(EXIT_FAILURE); | |
4517 | } | |
4518 | ||
4519 | ret = lxc_write_nointr(sock_fds[0], &c, 1); | |
4520 | if (ret != 1) | |
4521 | _exit(EXIT_FAILURE); | |
4522 | ||
4523 | ret = lxc_read_nointr(sock_fds[0], &c, 1); | |
4524 | if (ret != 1) | |
4525 | _exit(EXIT_FAILURE); | |
4526 | ||
4527 | close_prot_errno_disarm(sock_fds[0]); | |
4528 | ||
4529 | if (!lxc_switch_uid_gid(0, 0)) | |
4530 | _exit(EXIT_FAILURE); | |
4531 | ||
4532 | if (!lxc_setgroups(0, NULL)) | |
4533 | _exit(EXIT_FAILURE); | |
4534 | ||
8053a085 | 4535 | ret = fchown(target_fd, 0, st.st_gid); |
234998b4 | 4536 | if (ret) { |
2e8013f9 | 4537 | SYSERROR("Failed to chown %d(%s) to -1:%d", target_fd, path, st.st_gid); |
234998b4 CB |
4538 | _exit(EXIT_FAILURE); |
4539 | } | |
4540 | ||
2e8013f9 | 4541 | TRACE("Chowned %d(%s) to 0:%d", target_fd, path, st.st_gid); |
234998b4 CB |
4542 | _exit(EXIT_SUCCESS); |
4543 | } | |
4544 | ||
4545 | close_prot_errno_disarm(sock_fds[0]); | |
4546 | ||
4547 | if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE || | |
4548 | conf->loglevel == LXC_LOG_LEVEL_TRACE) { | |
4549 | struct id_map *map; | |
4550 | struct lxc_list *it; | |
4551 | ||
4552 | lxc_list_for_each(it, idmap) { | |
4553 | map = it->elem; | |
4554 | TRACE("Establishing %cid mapping for \"%d\" in new user namespace: nsuid %lu - hostid %lu - range %lu", | |
4555 | (map->idtype == ID_TYPE_UID) ? 'u' : 'g', pid, map->nsid, map->hostid, map->range); | |
4556 | } | |
4557 | } | |
4558 | ||
4559 | ret = lxc_read_nointr(sock_fds[1], &c, 1); | |
4560 | if (ret != 1) { | |
4561 | SYSERROR("Failed waiting for child process %d\" to tell us to proceed", pid); | |
4562 | goto on_error; | |
4563 | } | |
4564 | ||
4565 | /* Set up {g,u}id mapping for user namespace of child process. */ | |
4566 | ret = lxc_map_ids(idmap, pid); | |
4567 | if (ret < 0) { | |
4568 | ERROR("Error setting up {g,u}id mappings for child process \"%d\"", pid); | |
4569 | goto on_error; | |
4570 | } | |
4571 | ||
4572 | /* Tell child to proceed. */ | |
4573 | ret = lxc_write_nointr(sock_fds[1], &c, 1); | |
4574 | if (ret != 1) { | |
4575 | SYSERROR("Failed telling child process \"%d\" to proceed", pid); | |
4576 | goto on_error; | |
4577 | } | |
4578 | ||
4579 | on_error: | |
4580 | close_prot_errno_disarm(sock_fds[0]); | |
4581 | close_prot_errno_disarm(sock_fds[1]); | |
4582 | ||
4583 | /* Wait for child to finish. */ | |
4584 | if (pid < 0) | |
4585 | return -1; | |
4586 | ||
4587 | return wait_for_pid(pid); | |
4588 | } | |
4589 | ||
a96a8e8c | 4590 | /* not thread-safe, do not use from api without first forking */ |
0fd73091 | 4591 | static char *getuname(void) |
97e9cfa0 | 4592 | { |
4f410b2a | 4593 | __do_free char *buf = NULL; |
cb7aa5e8 DJ |
4594 | struct passwd pwent; |
4595 | struct passwd *pwentp = NULL; | |
cb7aa5e8 DJ |
4596 | size_t bufsize; |
4597 | int ret; | |
97e9cfa0 | 4598 | |
cb7aa5e8 DJ |
4599 | bufsize = sysconf(_SC_GETPW_R_SIZE_MAX); |
4600 | if (bufsize == -1) | |
4601 | bufsize = 1024; | |
4602 | ||
4603 | buf = malloc(bufsize); | |
4604 | if (!buf) | |
97e9cfa0 SH |
4605 | return NULL; |
4606 | ||
cb7aa5e8 DJ |
4607 | ret = getpwuid_r(geteuid(), &pwent, buf, bufsize, &pwentp); |
4608 | if (!pwentp) { | |
4609 | if (ret == 0) | |
4610 | WARN("Could not find matched password record."); | |
4611 | ||
55022530 | 4612 | return log_error(NULL, "Failed to get password record - %u", geteuid()); |
cb7aa5e8 DJ |
4613 | } |
4614 | ||
4f410b2a | 4615 | return strdup(pwent.pw_name); |
97e9cfa0 SH |
4616 | } |
4617 | ||
a96a8e8c | 4618 | /* not thread-safe, do not use from api without first forking */ |
97e9cfa0 SH |
4619 | static char *getgname(void) |
4620 | { | |
4f410b2a | 4621 | __do_free char *buf = NULL; |
3de9fb4c DJ |
4622 | struct group grent; |
4623 | struct group *grentp = NULL; | |
3de9fb4c DJ |
4624 | size_t bufsize; |
4625 | int ret; | |
4626 | ||
4627 | bufsize = sysconf(_SC_GETGR_R_SIZE_MAX); | |
4628 | if (bufsize == -1) | |
4629 | bufsize = 1024; | |
4630 | ||
4631 | buf = malloc(bufsize); | |
4632 | if (!buf) | |
4633 | return NULL; | |
4634 | ||
4635 | ret = getgrgid_r(getegid(), &grent, buf, bufsize, &grentp); | |
4636 | if (!grentp) { | |
4637 | if (ret == 0) | |
4638 | WARN("Could not find matched group record"); | |
97e9cfa0 | 4639 | |
55022530 | 4640 | return log_error(NULL, "Failed to get group record - %u", getegid()); |
3de9fb4c DJ |
4641 | } |
4642 | ||
4f410b2a | 4643 | return strdup(grent.gr_name); |
97e9cfa0 SH |
4644 | } |
4645 | ||
a96a8e8c | 4646 | /* not thread-safe, do not use from api without first forking */ |
97e9cfa0 SH |
4647 | void suggest_default_idmap(void) |
4648 | { | |
3a6e3bf5 | 4649 | __do_free char *gname = NULL, *line = NULL, *uname = NULL; |
4aae564f | 4650 | __do_fclose FILE *subuid_f = NULL, *subgid_f = NULL; |
97e9cfa0 | 4651 | unsigned int uid = 0, urange = 0, gid = 0, grange = 0; |
97e9cfa0 SH |
4652 | size_t len = 0; |
4653 | ||
0fd73091 CB |
4654 | uname = getuname(); |
4655 | if (!uname) | |
97e9cfa0 SH |
4656 | return; |
4657 | ||
0fd73091 | 4658 | gname = getgname(); |
3a6e3bf5 | 4659 | if (!gname) |
97e9cfa0 | 4660 | return; |
97e9cfa0 | 4661 | |
4110345b | 4662 | subuid_f = fopen(subuidfile, "re"); |
4aae564f | 4663 | if (!subuid_f) { |
97e9cfa0 | 4664 | ERROR("Your system is not configured with subuids"); |
97e9cfa0 SH |
4665 | return; |
4666 | } | |
0fd73091 | 4667 | |
4aae564f | 4668 | while (getline(&line, &len, subuid_f) != -1) { |
0fd73091 | 4669 | char *p, *p2; |
b7930180 | 4670 | size_t no_newline = 0; |
0fd73091 CB |
4671 | |
4672 | p = strchr(line, ':'); | |
97e9cfa0 SH |
4673 | if (*line == '#') |
4674 | continue; | |
4675 | if (!p) | |
4676 | continue; | |
4677 | *p = '\0'; | |
4678 | p++; | |
0fd73091 | 4679 | |
97e9cfa0 SH |
4680 | if (strcmp(line, uname)) |
4681 | continue; | |
0fd73091 | 4682 | |
97e9cfa0 SH |
4683 | p2 = strchr(p, ':'); |
4684 | if (!p2) | |
4685 | continue; | |
4686 | *p2 = '\0'; | |
4687 | p2++; | |
4688 | if (!*p2) | |
4689 | continue; | |
b7930180 CB |
4690 | no_newline = strcspn(p2, "\n"); |
4691 | p2[no_newline] = '\0'; | |
4692 | ||
b7b2fde4 | 4693 | if (lxc_safe_uint(p, &uid) < 0) |
0fd73091 | 4694 | WARN("Could not parse UID"); |
b7b2fde4 | 4695 | if (lxc_safe_uint(p2, &urange) < 0) |
0fd73091 | 4696 | WARN("Could not parse UID range"); |
97e9cfa0 | 4697 | } |
97e9cfa0 | 4698 | |
4110345b | 4699 | subgid_f = fopen(subgidfile, "re"); |
4aae564f | 4700 | if (!subgid_f) { |
97e9cfa0 | 4701 | ERROR("Your system is not configured with subgids"); |
97e9cfa0 SH |
4702 | return; |
4703 | } | |
0fd73091 | 4704 | |
4aae564f | 4705 | while (getline(&line, &len, subgid_f) != -1) { |
0fd73091 | 4706 | char *p, *p2; |
b7930180 | 4707 | size_t no_newline = 0; |
0fd73091 CB |
4708 | |
4709 | p = strchr(line, ':'); | |
97e9cfa0 SH |
4710 | if (*line == '#') |
4711 | continue; | |
4712 | if (!p) | |
4713 | continue; | |
4714 | *p = '\0'; | |
4715 | p++; | |
0fd73091 | 4716 | |
97e9cfa0 SH |
4717 | if (strcmp(line, uname)) |
4718 | continue; | |
0fd73091 | 4719 | |
97e9cfa0 SH |
4720 | p2 = strchr(p, ':'); |
4721 | if (!p2) | |
4722 | continue; | |
4723 | *p2 = '\0'; | |
4724 | p2++; | |
4725 | if (!*p2) | |
4726 | continue; | |
b7930180 CB |
4727 | no_newline = strcspn(p2, "\n"); |
4728 | p2[no_newline] = '\0'; | |
4729 | ||
b7b2fde4 | 4730 | if (lxc_safe_uint(p, &gid) < 0) |
0fd73091 | 4731 | WARN("Could not parse GID"); |
b7b2fde4 | 4732 | if (lxc_safe_uint(p2, &grange) < 0) |
0fd73091 | 4733 | WARN("Could not parse GID range"); |
97e9cfa0 | 4734 | } |
97e9cfa0 | 4735 | |
97e9cfa0 SH |
4736 | if (!urange || !grange) { |
4737 | ERROR("You do not have subuids or subgids allocated"); | |
4738 | ERROR("Unprivileged containers require subuids and subgids"); | |
4739 | return; | |
4740 | } | |
4741 | ||
4742 | ERROR("You must either run as root, or define uid mappings"); | |
4743 | ERROR("To pass uid mappings to lxc-create, you could create"); | |
4744 | ERROR("~/.config/lxc/default.conf:"); | |
4745 | ERROR("lxc.include = %s", LXC_DEFAULT_CONFIG); | |
bdcbb6b3 CB |
4746 | ERROR("lxc.idmap = u 0 %u %u", uid, urange); |
4747 | ERROR("lxc.idmap = g 0 %u %u", gid, grange); | |
97e9cfa0 | 4748 | } |
aaf26830 | 4749 | |
a7307747 SH |
4750 | static void free_cgroup_settings(struct lxc_list *result) |
4751 | { | |
4752 | struct lxc_list *iterator, *next; | |
4753 | ||
0fd73091 | 4754 | lxc_list_for_each_safe (iterator, result, next) { |
a7307747 | 4755 | lxc_list_del(iterator); |
55022530 | 4756 | free_disarm(iterator); |
a7307747 | 4757 | } |
55022530 | 4758 | free_disarm(result); |
a7307747 SH |
4759 | } |
4760 | ||
0fd73091 | 4761 | /* Return the list of cgroup_settings sorted according to the following rules |
aaf26830 KT |
4762 | * 1. Put memory.limit_in_bytes before memory.memsw.limit_in_bytes |
4763 | */ | |
0fd73091 | 4764 | struct lxc_list *sort_cgroup_settings(struct lxc_list *cgroup_settings) |
aaf26830 KT |
4765 | { |
4766 | struct lxc_list *result; | |
aaf26830 | 4767 | struct lxc_cgroup *cg = NULL; |
0fd73091 | 4768 | struct lxc_list *it = NULL, *item = NULL, *memsw_limit = NULL; |
aaf26830 KT |
4769 | |
4770 | result = malloc(sizeof(*result)); | |
0fd73091 | 4771 | if (!result) |
fac7c663 | 4772 | return NULL; |
aaf26830 KT |
4773 | lxc_list_init(result); |
4774 | ||
0fd73091 CB |
4775 | /* Iterate over the cgroup settings and copy them to the output list. */ |
4776 | lxc_list_for_each (it, cgroup_settings) { | |
aaf26830 | 4777 | item = malloc(sizeof(*item)); |
fac7c663 | 4778 | if (!item) { |
a7307747 | 4779 | free_cgroup_settings(result); |
fac7c663 KT |
4780 | return NULL; |
4781 | } | |
0fd73091 | 4782 | |
aaf26830 KT |
4783 | item->elem = it->elem; |
4784 | cg = it->elem; | |
4785 | if (strcmp(cg->subsystem, "memory.memsw.limit_in_bytes") == 0) { | |
4786 | /* Store the memsw_limit location */ | |
4787 | memsw_limit = item; | |
0fd73091 CB |
4788 | } else if (strcmp(cg->subsystem, "memory.limit_in_bytes") == 0 && |
4789 | memsw_limit != NULL) { | |
4790 | /* lxc.cgroup.memory.memsw.limit_in_bytes is found | |
4791 | * before lxc.cgroup.memory.limit_in_bytes, swap these | |
4792 | * two items */ | |
aaf26830 KT |
4793 | item->elem = memsw_limit->elem; |
4794 | memsw_limit->elem = it->elem; | |
4795 | } | |
4796 | lxc_list_add_tail(result, item); | |
4797 | } | |
4798 | ||
4799 | return result; | |
a7307747 | 4800 | } |