projects / mirror_lxc.git / blame
| Commit | Line | Data |
|---|---|---|
| 5bb3ba8a DL |
1 | /* |
| 2 | * lxc: linux Container library | |
| 3 | * | |
| 4 | * (C) Copyright IBM Corp. 2007, 2009 | |
| 5 | * | |
| 6 | * Authors: | |
| 9afe19d6 | 7 | * Daniel Lezcano <daniel.lezcano at free.fr> |
| 5bb3ba8a DL |
8 | * |
| 9 | * This library is free software; you can redistribute it and/or | |
| 10 | * modify it under the terms of the GNU Lesser General Public | |
| 11 | * License as published by the Free Software Foundation; either | |
| 12 | * version 2.1 of the License, or (at your option) any later version. | |
| 13 | * | |
| 14 | * This library is distributed in the hope that it will be useful, | |
| 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| 17 | * Lesser General Public License for more details. | |
| 18 | * | |
| 19 | * You should have received a copy of the GNU Lesser General Public | |
| 20 | * License along with this library; if not, write to the Free Software | |
| 250b1eec | 21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
| 5bb3ba8a DL |
22 | */ |
| 23 | ||
| 5bb3ba8a DL |
24 | #include <alloca.h> |
| 25 | #include <errno.h> | |
| a2028b8f | 26 | #include <fcntl.h> |
| 5bb3ba8a | 27 | #include <signal.h> |
| a2028b8f | 28 | #include <unistd.h> |
| 81c75799 | 29 | #include <sys/param.h> |
| 81c75799 | 30 | #include <sys/stat.h> |
| a2028b8f | 31 | #include <sys/types.h> |
| 5bb3ba8a | 32 | |
| 81c75799 | 33 | #include "log.h" |
| a2028b8f CB |
34 | #include "namespace.h" |
| 35 | #include "utils.h" | |
| 81c75799 | 36 | |
| 5bb3ba8a DL |
37 | lxc_log_define(lxc_namespace, lxc); |
| 38 | ||
| 39 | struct clone_arg { | |
| 40 | int (*fn)(void *); | |
| 41 | void *arg; | |
| 42 | }; | |
| 43 | ||
| 44 | static int do_clone(void *arg) | |
| 45 | { | |
| 46 | struct clone_arg *clone_arg = arg; | |
| 47 | return clone_arg->fn(clone_arg->arg); | |
| 48 | } | |
| 49 | ||
| 50 | pid_t lxc_clone(int (*fn)(void *), void *arg, int flags) | |
| 51 | { | |
| 52 | struct clone_arg clone_arg = { | |
| 53 | .fn = fn, | |
| 54 | .arg = arg, | |
| 55 | }; | |
| 56 | ||
| a2028b8f | 57 | size_t stack_size = lxc_getpagesize(); |
| 92c64f7e | 58 | void *stack = alloca(stack_size); |
| 5bb3ba8a DL |
59 | pid_t ret; |
| 60 | ||
| 246091b9 DL |
61 | #ifdef __ia64__ |
| 62 | ret = __clone2(do_clone, stack, | |
| 63 | stack_size, flags | SIGCHLD, &clone_arg); | |
| 64 | #else | |
| 92c64f7e | 65 | ret = clone(do_clone, stack + stack_size, flags | SIGCHLD, &clone_arg); |
| 246091b9 | 66 | #endif |
| 5bb3ba8a | 67 | if (ret < 0) |
| 9662e444 | 68 | ERROR("Failed to clone (%#x): %s.", flags, strerror(errno)); |
| 5bb3ba8a DL |
69 | |
| 70 | return ret; | |
| 71 | } | |
| 39a5d5fe | 72 | |
| 29ed9c13 CB |
73 | /* Leave the user namespace at the first position in the array of structs so |
| 74 | * that we always attach to it first when iterating over the struct and using | |
| 75 | * setns() to switch namespaces. This especially affects lxc_attach(): Suppose | |
| 76 | * you cloned a new user namespace and mount namespace as an unprivileged user | |
| 77 | * on the host and want to setns() to the mount namespace. This requires you to | |
| 78 | * attach to the user namespace first otherwise the kernel will fail this check: | |
| 79 | * | |
| 80 | * if (!ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN) || | |
| 81 | * !ns_capable(current_user_ns(), CAP_SYS_CHROOT) || | |
| 82 | * !ns_capable(current_user_ns(), CAP_SYS_ADMIN)) | |
| 83 | * return -EPERM; | |
| 84 | * | |
| 85 | * in | |
| 86 | * | |
| 87 | * linux/fs/namespace.c:mntns_install(). | |
| 88 | */ | |
| 9662e444 | 89 | const struct ns_info ns_info[LXC_NS_MAX] = { |
| 18b3b9c1 CB |
90 | [LXC_NS_USER] = { "user", CLONE_NEWUSER, "CLONE_NEWUSER", "LXC_USER_NS" }, |
| 91 | [LXC_NS_MNT] = { "mnt", CLONE_NEWNS, "CLONE_NEWNS", "LXC_MNT_NS" }, | |
| 92 | [LXC_NS_PID] = { "pid", CLONE_NEWPID, "CLONE_NEWPID", "LXC_PID_NS" }, | |
| 93 | [LXC_NS_UTS] = { "uts", CLONE_NEWUTS, "CLONE_NEWUTS", "LXC_UTS_NS" }, | |
| 94 | [LXC_NS_IPC] = { "ipc", CLONE_NEWIPC, "CLONE_NEWIPC", "LXC_IPC_NS" }, | |
| 95 | [LXC_NS_NET] = { "net", CLONE_NEWNET, "CLONE_NEWNET", "LXC_NET_NS" }, | |
| 96 | [LXC_NS_CGROUP] = { "cgroup", CLONE_NEWCGROUP, "CLONE_NEWCGROUP", "LXC_CGROUP_NS" } | |
| 39a5d5fe CS |
97 | }; |
| 98 | ||
| 28d9e29e | 99 | int lxc_namespace_2_cloneflag(const char *namespace) |
| 39a5d5fe | 100 | { |
| 9662e444 CB |
101 | int i; |
| 102 | for (i = 0; i < LXC_NS_MAX; i++) | |
| 103 | if (!strcasecmp(ns_info[i].proc_name, namespace)) | |
| 104 | return ns_info[i].clone_flag; | |
| 39a5d5fe | 105 | |
| 28d9e29e CB |
106 | ERROR("Invalid namespace name \"%s\"", namespace); |
| 107 | return -EINVAL; | |
| 108 | } | |
| 109 | ||
| 110 | int lxc_namespace_2_ns_idx(const char *namespace) | |
| 111 | { | |
| 112 | int i; | |
| 113 | for (i = 0; i < LXC_NS_MAX; i++) | |
| 114 | if (!strcmp(ns_info[i].proc_name, namespace)) | |
| 115 | return i; | |
| 116 | ||
| 117 | ERROR("Invalid namespace name \"%s\"", namespace); | |
| 118 | return -EINVAL; | |
| 39a5d5fe CS |
119 | } |
| 120 | ||
| 121 | int lxc_fill_namespace_flags(char *flaglist, int *flags) | |
| 122 | { | |
| 123 | char *token, *saveptr = NULL; | |
| 124 | int aflag; | |
| 125 | ||
| 126 | if (!flaglist) { | |
| 9662e444 | 127 | ERROR("At least one namespace is needed."); |
| 39a5d5fe CS |
128 | return -1; |
| 129 | } | |
| 130 | ||
| 131 | token = strtok_r(flaglist, "|", &saveptr); | |
| 132 | while (token) { | |
| 133 | ||
| 134 | aflag = lxc_namespace_2_cloneflag(token); | |
| 135 | if (aflag < 0) | |
| 136 | return -1; | |
| 137 | ||
| 138 | *flags |= aflag; | |
| 139 | ||
| 140 | token = strtok_r(NULL, "|", &saveptr); | |
| 141 | } | |
| 142 | return 0; | |
| 143 | } |