1 /* SPDX-License-Identifier: LGPL-2.1+ */
13 #include <linux/loop.h>
15 #include <netinet/in.h>
22 #include <sys/mount.h>
23 #include <sys/param.h>
24 #include <sys/prctl.h>
25 #include <sys/sendfile.h>
26 #include <sys/socket.h>
28 #include <sys/syscall.h>
29 #include <sys/sysmacros.h>
30 #include <sys/types.h>
31 #include <sys/utsname.h>
38 #include "cgroups/cgroup.h"
42 #include "confile_utils.h"
47 #include "lxcseccomp.h"
49 #include "memory_utils.h"
50 #include "mount_utils.h"
51 #include "namespace.h"
54 #include "process_utils.h"
57 #include "storage/storage.h"
58 #include "storage/overlay.h"
59 #include "syscall_wrappers.h"
65 #include <sys/mkdev.h>
69 #include <sys/statvfs.h>
75 #include <../include/openpty.h>
79 #include <sys/capability.h>
82 #if HAVE_SYS_PERSONALITY_H
83 #include <sys/personality.h>
87 #include "include/strlcat.h"
91 #include <../include/lxcmntent.h>
96 #if !defined(HAVE_PRLIMIT) && defined(HAVE_PRLIMIT64)
97 #include <../include/prlimit.h>
100 lxc_log_define(conf
, lxc
);
102 /* The lxc_conf of the container currently being worked on in an API call.
103 * This is used in the error calls.
106 thread_local
struct lxc_conf
*current_config
;
108 struct lxc_conf
*current_config
;
111 char *lxchook_names
[NUM_LXC_HOOKS
] = {
140 static struct mount_opt mount_opt
[] = {
141 { "async", 1, MS_SYNCHRONOUS
},
142 { "atime", 1, MS_NOATIME
},
143 { "bind", 0, MS_BIND
},
144 { "defaults", 0, 0 },
145 { "dev", 1, MS_NODEV
},
146 { "diratime", 1, MS_NODIRATIME
},
147 { "dirsync", 0, MS_DIRSYNC
},
148 { "exec", 1, MS_NOEXEC
},
149 { "lazytime", 0, MS_LAZYTIME
},
150 { "mand", 0, MS_MANDLOCK
},
151 { "noatime", 0, MS_NOATIME
},
152 { "nodev", 0, MS_NODEV
},
153 { "nodiratime", 0, MS_NODIRATIME
},
154 { "noexec", 0, MS_NOEXEC
},
155 { "nomand", 1, MS_MANDLOCK
},
156 { "norelatime", 1, MS_RELATIME
},
157 { "nostrictatime", 1, MS_STRICTATIME
},
158 { "nosuid", 0, MS_NOSUID
},
159 { "rbind", 0, MS_BIND
|MS_REC
},
160 { "relatime", 0, MS_RELATIME
},
161 { "remount", 0, MS_REMOUNT
},
162 { "ro", 0, MS_RDONLY
},
163 { "rw", 1, MS_RDONLY
},
164 { "strictatime", 0, MS_STRICTATIME
},
165 { "suid", 1, MS_NOSUID
},
166 { "sync", 0, MS_SYNCHRONOUS
},
170 static struct mount_opt propagation_opt
[] = {
171 { "private", 0, MS_PRIVATE
},
172 { "shared", 0, MS_SHARED
},
173 { "slave", 0, MS_SLAVE
},
174 { "unbindable", 0, MS_UNBINDABLE
},
175 { "rprivate", 0, MS_PRIVATE
|MS_REC
},
176 { "rshared", 0, MS_SHARED
|MS_REC
},
177 { "rslave", 0, MS_SLAVE
|MS_REC
},
178 { "runbindable", 0, MS_UNBINDABLE
|MS_REC
},
182 static struct caps_opt caps_opt
[] = {
184 { "chown", CAP_CHOWN
},
185 { "dac_override", CAP_DAC_OVERRIDE
},
186 { "dac_read_search", CAP_DAC_READ_SEARCH
},
187 { "fowner", CAP_FOWNER
},
188 { "fsetid", CAP_FSETID
},
189 { "kill", CAP_KILL
},
190 { "setgid", CAP_SETGID
},
191 { "setuid", CAP_SETUID
},
192 { "setpcap", CAP_SETPCAP
},
193 { "linux_immutable", CAP_LINUX_IMMUTABLE
},
194 { "net_bind_service", CAP_NET_BIND_SERVICE
},
195 { "net_broadcast", CAP_NET_BROADCAST
},
196 { "net_admin", CAP_NET_ADMIN
},
197 { "net_raw", CAP_NET_RAW
},
198 { "ipc_lock", CAP_IPC_LOCK
},
199 { "ipc_owner", CAP_IPC_OWNER
},
200 { "sys_module", CAP_SYS_MODULE
},
201 { "sys_rawio", CAP_SYS_RAWIO
},
202 { "sys_chroot", CAP_SYS_CHROOT
},
203 { "sys_ptrace", CAP_SYS_PTRACE
},
204 { "sys_pacct", CAP_SYS_PACCT
},
205 { "sys_admin", CAP_SYS_ADMIN
},
206 { "sys_boot", CAP_SYS_BOOT
},
207 { "sys_nice", CAP_SYS_NICE
},
208 { "sys_resource", CAP_SYS_RESOURCE
},
209 { "sys_time", CAP_SYS_TIME
},
210 { "sys_tty_config", CAP_SYS_TTY_CONFIG
},
211 { "mknod", CAP_MKNOD
},
212 { "lease", CAP_LEASE
},
213 { "audit_write", CAP_AUDIT_WRITE
},
214 { "audit_control", CAP_AUDIT_CONTROL
},
215 { "setfcap", CAP_SETFCAP
},
216 { "mac_override", CAP_MAC_OVERRIDE
},
217 { "mac_admin", CAP_MAC_ADMIN
},
218 { "syslog", CAP_SYSLOG
},
219 { "wake_alarm", CAP_WAKE_ALARM
},
220 { "block_suspend", CAP_BLOCK_SUSPEND
},
221 { "audit_read", CAP_AUDIT_READ
},
222 { "perfmon", CAP_PERFMON
},
224 { "checkpoint_restore", CAP_CHECKPOINT_RESTORE
},
228 static struct limit_opt limit_opt
[] = {
233 { "core", RLIMIT_CORE
},
236 { "cpu", RLIMIT_CPU
},
239 { "data", RLIMIT_DATA
},
242 { "fsize", RLIMIT_FSIZE
},
245 { "locks", RLIMIT_LOCKS
},
247 #ifdef RLIMIT_MEMLOCK
248 { "memlock", RLIMIT_MEMLOCK
},
250 #ifdef RLIMIT_MSGQUEUE
251 { "msgqueue", RLIMIT_MSGQUEUE
},
254 { "nice", RLIMIT_NICE
},
257 { "nofile", RLIMIT_NOFILE
},
260 { "nproc", RLIMIT_NPROC
},
263 { "rss", RLIMIT_RSS
},
266 { "rtprio", RLIMIT_RTPRIO
},
269 { "rttime", RLIMIT_RTTIME
},
271 #ifdef RLIMIT_SIGPENDING
272 { "sigpending", RLIMIT_SIGPENDING
},
275 { "stack", RLIMIT_STACK
},
279 static int run_buffer(char *buffer
)
281 __do_free
char *output
= NULL
;
282 __do_lxc_pclose
struct lxc_popen_FILE
*f
= NULL
;
285 f
= lxc_popen(buffer
);
287 return log_error_errno(-1, errno
, "Failed to popen() %s", buffer
);
289 output
= malloc(LXC_LOG_BUFFER_SIZE
);
291 return log_error_errno(-1, ENOMEM
, "Failed to allocate memory for %s", buffer
);
295 return log_error_errno(-1, errno
, "Failed to retrieve underlying file descriptor");
297 for (int i
= 0; i
< 10; i
++) {
300 bytes_read
= lxc_read_nointr(fd
, output
, LXC_LOG_BUFFER_SIZE
- 1);
301 if (bytes_read
> 0) {
302 output
[bytes_read
] = '\0';
303 DEBUG("Script %s produced output: %s", buffer
, output
);
310 ret
= lxc_pclose(move_ptr(f
));
312 return log_error_errno(-1, errno
, "Script exited with error");
313 else if (WIFEXITED(ret
) && WEXITSTATUS(ret
) != 0)
314 return log_error(-1, "Script exited with status %d", WEXITSTATUS(ret
));
315 else if (WIFSIGNALED(ret
))
316 return log_error(-1, "Script terminated by signal %d", WTERMSIG(ret
));
321 int run_script_argv(const char *name
, unsigned int hook_version
,
322 const char *section
, const char *script
,
323 const char *hookname
, char **argv
)
325 __do_free
char *buffer
= NULL
;
329 if (hook_version
== 0)
330 INFO("Executing script \"%s\" for container \"%s\", config section \"%s\"",
331 script
, name
, section
);
333 INFO("Executing script \"%s\" for container \"%s\"", script
, name
);
335 for (i
= 0; argv
&& argv
[i
]; i
++)
336 size
+= strlen(argv
[i
]) + 1;
338 size
+= STRLITERALLEN("exec");
340 size
+= strlen(script
);
346 if (hook_version
== 0) {
347 size
+= strlen(hookname
);
350 size
+= strlen(name
);
353 size
+= strlen(section
);
360 buffer
= malloc(size
);
364 if (hook_version
== 0)
365 buf_pos
= snprintf(buffer
, size
, "exec %s %s %s %s", script
, name
, section
, hookname
);
367 buf_pos
= snprintf(buffer
, size
, "exec %s", script
);
368 if (buf_pos
< 0 || (size_t)buf_pos
>= size
)
369 return log_error_errno(-1, errno
, "Failed to create command line for script \"%s\"", script
);
371 if (hook_version
== 1) {
372 ret
= setenv("LXC_HOOK_TYPE", hookname
, 1);
374 return log_error_errno(-1, errno
, "Failed to set environment variable: LXC_HOOK_TYPE=%s", hookname
);
376 TRACE("Set environment variable: LXC_HOOK_TYPE=%s", hookname
);
378 ret
= setenv("LXC_HOOK_SECTION", section
, 1);
380 return log_error_errno(-1, errno
, "Failed to set environment variable: LXC_HOOK_SECTION=%s", section
);
381 TRACE("Set environment variable: LXC_HOOK_SECTION=%s", section
);
383 if (strcmp(section
, "net") == 0) {
386 if (!argv
|| !argv
[0])
389 ret
= setenv("LXC_NET_TYPE", argv
[0], 1);
391 return log_error_errno(-1, errno
, "Failed to set environment variable: LXC_NET_TYPE=%s", argv
[0]);
392 TRACE("Set environment variable: LXC_NET_TYPE=%s", argv
[0]);
394 parent
= argv
[1] ? argv
[1] : "";
396 if (strcmp(argv
[0], "macvlan") == 0) {
397 ret
= setenv("LXC_NET_PARENT", parent
, 1);
399 return log_error_errno(-1, errno
, "Failed to set environment variable: LXC_NET_PARENT=%s", parent
);
400 TRACE("Set environment variable: LXC_NET_PARENT=%s", parent
);
401 } else if (strcmp(argv
[0], "phys") == 0) {
402 ret
= setenv("LXC_NET_PARENT", parent
, 1);
404 return log_error_errno(-1, errno
, "Failed to set environment variable: LXC_NET_PARENT=%s", parent
);
405 TRACE("Set environment variable: LXC_NET_PARENT=%s", parent
);
406 } else if (strcmp(argv
[0], "veth") == 0) {
407 char *peer
= argv
[2] ? argv
[2] : "";
409 ret
= setenv("LXC_NET_PEER", peer
, 1);
411 return log_error_errno(-1, errno
, "Failed to set environment variable: LXC_NET_PEER=%s", peer
);
412 TRACE("Set environment variable: LXC_NET_PEER=%s", peer
);
414 ret
= setenv("LXC_NET_PARENT", parent
, 1);
416 return log_error_errno(-1, errno
, "Failed to set environment variable: LXC_NET_PARENT=%s", parent
);
417 TRACE("Set environment variable: LXC_NET_PARENT=%s", parent
);
422 for (i
= 0; argv
&& argv
[i
]; i
++) {
423 size_t len
= size
- buf_pos
;
425 ret
= snprintf(buffer
+ buf_pos
, len
, " %s", argv
[i
]);
426 if (ret
< 0 || (size_t)ret
>= len
)
427 return log_error_errno(-1, errno
, "Failed to create command line for script \"%s\"", script
);
431 return run_buffer(buffer
);
434 int run_script(const char *name
, const char *section
, const char *script
, ...)
436 __do_free
char *buffer
= NULL
;
442 INFO("Executing script \"%s\" for container \"%s\", config section \"%s\"",
443 script
, name
, section
);
445 va_start(ap
, script
);
446 while ((p
= va_arg(ap
, char *)))
447 size
+= strlen(p
) + 1;
450 size
+= STRLITERALLEN("exec");
451 size
+= strlen(script
);
452 size
+= strlen(name
);
453 size
+= strlen(section
);
459 buffer
= must_realloc(NULL
, size
);
460 ret
= snprintf(buffer
, size
, "exec %s %s %s", script
, name
, section
);
461 if (ret
< 0 || ret
>= size
)
464 va_start(ap
, script
);
465 while ((p
= va_arg(ap
, char *))) {
466 int len
= size
- ret
;
468 rc
= snprintf(buffer
+ ret
, len
, " %s", p
);
469 if (rc
< 0 || rc
>= len
) {
477 return run_buffer(buffer
);
481 * if rootfs is a directory, then open ${rootfs}/.lxc-keep for writing for
482 * the duration of the container run, to prevent the container from marking
483 * the underlying fs readonly on shutdown. unlink the file immediately so
484 * no name pollution is happens.
485 * don't unlink on NFS to avoid random named stale handles.
486 * return -1 on error.
487 * return -2 if nothing needed to be pinned.
488 * return an open fd (>=0) if we pinned it.
490 int pin_rootfs(const char *rootfs
)
492 __do_free
char *absrootfs
= NULL
;
494 char absrootfspin
[PATH_MAX
];
498 if (rootfs
== NULL
|| strlen(rootfs
) == 0)
501 absrootfs
= realpath(rootfs
, NULL
);
505 ret
= stat(absrootfs
, &s
);
509 if (!S_ISDIR(s
.st_mode
))
512 ret
= snprintf(absrootfspin
, sizeof(absrootfspin
), "%s/.lxc-keep", absrootfs
);
513 if (ret
< 0 || (size_t)ret
>= sizeof(absrootfspin
))
516 fd
= open(absrootfspin
, O_CREAT
| O_RDWR
, S_IWUSR
| S_IRUSR
| O_CLOEXEC
);
520 ret
= fstatfs (fd
, &sfs
);
524 if (sfs
.f_type
== NFS_SUPER_MAGIC
)
525 return log_debug(fd
, "Rootfs on NFS, not unlinking pin file \"%s\"", absrootfspin
);
527 (void)unlink(absrootfspin
);
532 /* If we are asking to remount something, make sure that any NOEXEC etc are
535 unsigned long add_required_remount_flags(const char *s
, const char *d
,
541 unsigned long required_flags
= 0;
549 ret
= statvfs(s
, &sb
);
553 if (flags
& MS_REMOUNT
) {
554 if (sb
.f_flag
& MS_NOSUID
)
555 required_flags
|= MS_NOSUID
;
556 if (sb
.f_flag
& MS_NODEV
)
557 required_flags
|= MS_NODEV
;
558 if (sb
.f_flag
& MS_RDONLY
)
559 required_flags
|= MS_RDONLY
;
560 if (sb
.f_flag
& MS_NOEXEC
)
561 required_flags
|= MS_NOEXEC
;
564 if (sb
.f_flag
& MS_NOATIME
)
565 required_flags
|= MS_NOATIME
;
566 if (sb
.f_flag
& MS_NODIRATIME
)
567 required_flags
|= MS_NODIRATIME
;
568 if (sb
.f_flag
& MS_LAZYTIME
)
569 required_flags
|= MS_LAZYTIME
;
570 if (sb
.f_flag
& MS_RELATIME
)
571 required_flags
|= MS_RELATIME
;
572 if (sb
.f_flag
& MS_STRICTATIME
)
573 required_flags
|= MS_STRICTATIME
;
575 return flags
| required_flags
;
581 static int add_shmount_to_list(struct lxc_conf
*conf
)
583 char new_mount
[PATH_MAX
];
584 /* Offset for the leading '/' since the path_cont
585 * is absolute inside the container.
587 int offset
= 1, ret
= -1;
589 ret
= snprintf(new_mount
, sizeof(new_mount
),
590 "%s %s none bind,create=dir 0 0", conf
->shmount
.path_host
,
591 conf
->shmount
.path_cont
+ offset
);
592 if (ret
< 0 || (size_t)ret
>= sizeof(new_mount
))
595 return add_elem_to_mount_list(new_mount
, conf
);
598 static int lxc_mount_auto_mounts(struct lxc_conf
*conf
, int flags
, struct lxc_handler
*handler
)
605 const char *destination
;
609 bool requires_cap_net_admin
;
610 } default_mounts
[] = {
611 /* Read-only bind-mounting... In older kernels, doing that
612 * required to do one MS_BIND mount and then
613 * MS_REMOUNT|MS_RDONLY the same one. According to mount(2)
614 * manpage, MS_BIND honors MS_RDONLY from kernel 2.6.26
615 * onwards. However, this apparently does not work on kernel
616 * 3.8. Unfortunately, on that very same kernel, doing the same
617 * trick as above doesn't seem to work either, there one needs
618 * to ALSO specify MS_BIND for the remount, otherwise the
619 * entire fs is remounted read-only or the mount fails because
620 * it's busy... MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for
621 * kernels as low as 2.6.32...
623 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, "proc", "%r/proc", "proc", MS_NODEV
|MS_NOEXEC
|MS_NOSUID
, NULL
, false },
624 /* proc/tty is used as a temporary placeholder for proc/sys/net which we'll move back in a few steps */
625 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, "%r/proc/sys/net", "%r/proc/tty", NULL
, MS_BIND
, NULL
, true },
626 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, "%r/proc/sys", "%r/proc/sys", NULL
, MS_BIND
, NULL
, false },
627 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, NULL
, "%r/proc/sys", NULL
, MS_REMOUNT
|MS_BIND
|MS_RDONLY
, NULL
, false },
628 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, "%r/proc/tty", "%r/proc/sys/net", NULL
, MS_MOVE
, NULL
, true },
629 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL
, MS_BIND
, NULL
, false },
630 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, NULL
, "%r/proc/sysrq-trigger", NULL
, MS_REMOUNT
|MS_BIND
|MS_RDONLY
, NULL
, false },
631 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_RW
, "proc", "%r/proc", "proc", MS_NODEV
|MS_NOEXEC
|MS_NOSUID
, NULL
, false },
632 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_RW
, "sysfs", "%r/sys", "sysfs", 0, NULL
, false },
633 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_RO
, "sysfs", "%r/sys", "sysfs", MS_RDONLY
, NULL
, false },
634 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, "sysfs", "%r/sys", "sysfs", MS_NODEV
|MS_NOEXEC
|MS_NOSUID
, NULL
, false },
635 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, "%r/sys", "%r/sys", NULL
, MS_BIND
, NULL
, false },
636 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, NULL
, "%r/sys", NULL
, MS_REMOUNT
|MS_BIND
|MS_RDONLY
, NULL
, false },
637 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL
, false },
638 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL
, MS_BIND
, NULL
, false },
639 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, NULL
, "%r/sys/devices/virtual/net", NULL
, MS_REMOUNT
|MS_BIND
|MS_NOSUID
|MS_NODEV
|MS_NOEXEC
, NULL
, false },
640 { 0, 0, NULL
, NULL
, NULL
, 0, NULL
, false }
642 struct lxc_rootfs
*rootfs
= &conf
->rootfs
;
643 bool has_cap_net_admin
;
645 if (flags
& LXC_AUTO_PROC_MASK
) {
646 ret
= mkdirat(rootfs
->mntpt_fd
, "proc" , S_IRWXU
| S_IRGRP
| S_IXGRP
| S_IROTH
| S_IXOTH
);
647 if (ret
< 0 && errno
!= EEXIST
)
648 return log_error_errno(-errno
, errno
,
649 "Failed to create proc mountpoint under %d", rootfs
->mntpt_fd
);
652 if (flags
& LXC_AUTO_SYS_MASK
) {
653 ret
= mkdirat(rootfs
->mntpt_fd
, "sys" , S_IRWXU
| S_IRGRP
| S_IXGRP
| S_IROTH
| S_IXOTH
);
654 if (ret
< 0 && errno
!= EEXIST
)
655 return log_error_errno(-errno
, errno
,
656 "Failed to create sysfs mountpoint under %d", rootfs
->mntpt_fd
);
659 has_cap_net_admin
= lxc_wants_cap(CAP_NET_ADMIN
, conf
);
660 for (i
= 0; default_mounts
[i
].match_mask
; i
++) {
661 __do_free
char *destination
= NULL
, *source
= NULL
;
663 unsigned long mflags
;
664 if ((flags
& default_mounts
[i
].match_mask
) != default_mounts
[i
].match_flag
)
667 if (default_mounts
[i
].source
) {
668 /* will act like strdup if %r is not present */
669 source
= lxc_string_replace("%r", rootfs
->path
? rootfs
->mount
: "", default_mounts
[i
].source
);
674 if (!default_mounts
[i
].destination
)
675 return log_error(-1, "BUG: auto mounts destination %d was NULL", i
);
677 if (!has_cap_net_admin
&& default_mounts
[i
].requires_cap_net_admin
) {
678 TRACE("Container does not have CAP_NET_ADMIN. Skipping \"%s\" mount", default_mounts
[i
].source
?: "(null)");
682 /* will act like strdup if %r is not present */
683 destination
= lxc_string_replace("%r", rootfs
->path
? rootfs
->mount
: "", default_mounts
[i
].destination
);
687 mflags
= add_required_remount_flags(source
, destination
,
688 default_mounts
[i
].flags
);
689 ret
= safe_mount(source
, destination
, default_mounts
[i
].fstype
,
690 mflags
, default_mounts
[i
].options
,
691 rootfs
->path
? rootfs
->mount
: NULL
);
693 if (ret
< 0 && errno
== ENOENT
) {
694 INFO("Mount source or target for \"%s\" on \"%s\" does not exist. Skipping", source
, destination
);
696 } else if (ret
< 0) {
697 SYSERROR("Failed to mount \"%s\" on \"%s\" with flags %lu", source
, destination
, mflags
);
706 if (flags
& LXC_AUTO_CGROUP_MASK
) {
709 cg_flags
= flags
& (LXC_AUTO_CGROUP_MASK
& ~LXC_AUTO_CGROUP_FORCE
);
710 /* If the type of cgroup mount was not specified, it depends on
711 * the container's capabilities as to what makes sense: if we
712 * have CAP_SYS_ADMIN, the read-only part can be remounted
713 * read-write anyway, so we may as well default to read-write;
714 * then the admin will not be given a false sense of security.
715 * (And if they really want mixed r/o r/w, then they can
716 * explicitly specify :mixed.) OTOH, if the container lacks
717 * CAP_SYS_ADMIN, do only default to :mixed, because then the
718 * container can't remount it read-write.
720 if (cg_flags
== LXC_AUTO_CGROUP_NOSPEC
|| cg_flags
== LXC_AUTO_CGROUP_FULL_NOSPEC
) {
721 int has_sys_admin
= 0;
723 if (!lxc_list_empty(&conf
->keepcaps
))
724 has_sys_admin
= in_caplist(CAP_SYS_ADMIN
, &conf
->keepcaps
);
726 has_sys_admin
= !in_caplist(CAP_SYS_ADMIN
, &conf
->caps
);
728 if (cg_flags
== LXC_AUTO_CGROUP_NOSPEC
)
729 cg_flags
= has_sys_admin
? LXC_AUTO_CGROUP_RW
: LXC_AUTO_CGROUP_MIXED
;
731 cg_flags
= has_sys_admin
? LXC_AUTO_CGROUP_FULL_RW
: LXC_AUTO_CGROUP_FULL_MIXED
;
734 if (flags
& LXC_AUTO_CGROUP_FORCE
)
735 cg_flags
|= LXC_AUTO_CGROUP_FORCE
;
737 if (!handler
->cgroup_ops
->mount(handler
->cgroup_ops
,
739 rootfs
->path
? rootfs
->mount
: "",
741 return log_error_errno(-1, errno
, "Failed to mount \"/sys/fs/cgroup\"");
744 if (flags
& LXC_AUTO_SHMOUNTS_MASK
) {
745 ret
= add_shmount_to_list(conf
);
747 return log_error(-1, "Failed to add shmount entry to container config");
753 static int setup_utsname(struct utsname
*utsname
)
760 ret
= sethostname(utsname
->nodename
, strlen(utsname
->nodename
));
762 return log_error_errno(-1, errno
, "Failed to set the hostname to \"%s\"",
765 INFO("Set hostname to \"%s\"", utsname
->nodename
);
770 struct dev_symlinks
{
775 static const struct dev_symlinks dev_symlinks
[] = {
776 { "/proc/self/fd", "fd" },
777 { "/proc/self/fd/0", "stdin" },
778 { "/proc/self/fd/1", "stdout" },
779 { "/proc/self/fd/2", "stderr" },
782 static int lxc_setup_dev_symlinks(const struct lxc_rootfs
*rootfs
)
788 for (i
= 0; i
< sizeof(dev_symlinks
) / sizeof(dev_symlinks
[0]); i
++) {
789 const struct dev_symlinks
*d
= &dev_symlinks
[i
];
791 ret
= snprintf(path
, sizeof(path
), "%s/dev/%s",
792 rootfs
->path
? rootfs
->mount
: "", d
->name
);
793 if (ret
< 0 || (size_t)ret
>= sizeof(path
))
796 /* Stat the path first. If we don't get an error accept it as
797 * is and don't try to create it
799 ret
= stat(path
, &s
);
803 ret
= symlink(d
->oldpath
, path
);
804 if (ret
&& errno
!= EEXIST
) {
806 WARN("Failed to create \"%s\". Read-only filesystem", path
);
808 return log_error_errno(-1, errno
, "Failed to create \"%s\"", path
);
815 /* Build a space-separate list of ptys to pass to systemd. */
816 static bool append_ttyname(char **pp
, char *name
)
822 *pp
= malloc(strlen(name
) + strlen("container_ttys=") + 1);
826 sprintf(*pp
, "container_ttys=%s", name
);
830 size
= strlen(*pp
) + strlen(name
) + 2;
831 p
= realloc(*pp
, size
);
836 (void)strlcat(p
, " ", size
);
837 (void)strlcat(p
, name
, size
);
842 static int lxc_setup_ttys(struct lxc_conf
*conf
)
845 const struct lxc_tty_info
*ttys
= &conf
->ttys
;
846 char *ttydir
= ttys
->dir
;
847 char path
[PATH_MAX
], lxcpath
[PATH_MAX
];
849 if (!conf
->rootfs
.path
)
852 for (i
= 0; i
< ttys
->max
; i
++) {
853 struct lxc_terminal_info
*tty
= &ttys
->tty
[i
];
855 ret
= snprintf(path
, sizeof(path
), "/dev/tty%d", i
+ 1);
856 if (ret
< 0 || (size_t)ret
>= sizeof(path
))
860 /* create dev/lxc/tty%d" */
861 ret
= snprintf(lxcpath
, sizeof(lxcpath
),
862 "/dev/%s/tty%d", ttydir
, i
+ 1);
863 if (ret
< 0 || (size_t)ret
>= sizeof(lxcpath
))
866 ret
= mknod(lxcpath
, S_IFREG
| 0000, 0);
867 if (ret
< 0 && errno
!= EEXIST
) {
868 SYSERROR("Failed to create \"%s\"", lxcpath
);
873 if (ret
< 0 && errno
!= ENOENT
) {
874 SYSERROR("Failed to unlink \"%s\"", path
);
878 ret
= mount(tty
->name
, lxcpath
, "none", MS_BIND
, 0);
880 SYSWARN("Failed to bind mount \"%s\" onto \"%s\"", tty
->name
, lxcpath
);
883 DEBUG("Bind mounted \"%s\" onto \"%s\"", tty
->name
, lxcpath
);
885 ret
= snprintf(lxcpath
, sizeof(lxcpath
), "%s/tty%d",
887 if (ret
< 0 || (size_t)ret
>= sizeof(lxcpath
))
890 ret
= symlink(lxcpath
, path
);
892 return log_error_errno(-1, errno
, "Failed to create symlink \"%s\" -> \"%s\"", path
, lxcpath
);
894 /* If we populated /dev, then we need to create
897 ret
= mknod(path
, S_IFREG
| 0000, 0);
898 if (ret
< 0) /* this isn't fatal, continue */
899 SYSERROR("Failed to create \"%s\"", path
);
901 ret
= mount(tty
->name
, path
, "none", MS_BIND
, 0);
903 SYSERROR("Failed to mount '%s'->'%s'", tty
->name
, path
);
907 DEBUG("Bind mounted \"%s\" onto \"%s\"", tty
->name
, path
);
910 if (!append_ttyname(&conf
->ttys
.tty_names
, tty
->name
))
911 return log_error(-1, "Error setting up container_ttys string");
914 INFO("Finished setting up %zu /dev/tty<N> device(s)", ttys
->max
);
918 define_cleanup_function(struct lxc_tty_info
*, lxc_delete_tty
);
920 static int lxc_allocate_ttys(struct lxc_conf
*conf
)
922 struct lxc_terminal_info
*tty_new
= NULL
;
924 call_cleaner(lxc_delete_tty
) struct lxc_tty_info
*ttys
= &conf
->ttys
;
926 /* no tty in the configuration */
930 tty_new
= malloc(sizeof(struct lxc_terminal_info
) * ttys
->max
);
935 for (size_t i
= 0; i
< ttys
->max
; i
++) {
936 struct lxc_terminal_info
*tty
= &ttys
->tty
[i
];
940 ret
= openpty(&tty
->ptx
, &tty
->pty
, NULL
, NULL
, NULL
);
943 return log_error_errno(-ENOTTY
, ENOTTY
, "Failed to create tty %zu", i
);
946 ret
= ttyname_r(tty
->pty
, tty
->name
, sizeof(tty
->name
));
949 return log_error_errno(-ENOTTY
, ENOTTY
, "Failed to retrieve name of tty %zu pty", i
);
952 DEBUG("Created tty \"%s\" with ptx fd %d and pty fd %d",
953 tty
->name
, tty
->ptx
, tty
->pty
);
955 /* Prevent leaking the file descriptors to the container */
956 ret
= fd_cloexec(tty
->ptx
, true);
958 SYSWARN("Failed to set FD_CLOEXEC flag on ptx fd %d of tty device \"%s\"",
959 tty
->ptx
, tty
->name
);
961 ret
= fd_cloexec(tty
->pty
, true);
963 SYSWARN("Failed to set FD_CLOEXEC flag on pty fd %d of tty device \"%s\"",
964 tty
->pty
, tty
->name
);
969 INFO("Finished creating %zu tty devices", ttys
->max
);
974 void lxc_delete_tty(struct lxc_tty_info
*ttys
)
979 for (int i
= 0; i
< ttys
->max
; i
++) {
980 struct lxc_terminal_info
*tty
= &ttys
->tty
[i
];
981 close_prot_errno_disarm(tty
->ptx
);
982 close_prot_errno_disarm(tty
->pty
);
985 free_disarm(ttys
->tty
);
988 static int lxc_send_ttys_to_parent(struct lxc_handler
*handler
)
992 struct lxc_conf
*conf
= handler
->conf
;
993 struct lxc_tty_info
*ttys
= &conf
->ttys
;
994 int sock
= handler
->data_sock
[0];
999 for (i
= 0; i
< ttys
->max
; i
++) {
1001 struct lxc_terminal_info
*tty
= &ttys
->tty
[i
];
1003 ttyfds
[0] = tty
->ptx
;
1004 ttyfds
[1] = tty
->pty
;
1006 ret
= lxc_abstract_unix_send_fds(sock
, ttyfds
, 2, NULL
, 0);
1010 TRACE("Sent tty \"%s\" with ptx fd %d and pty fd %d to parent",
1011 tty
->name
, tty
->ptx
, tty
->pty
);
1015 SYSERROR("Failed to send %zu ttys to parent", ttys
->max
);
1017 TRACE("Sent %zu ttys to parent", ttys
->max
);
1022 static int lxc_create_ttys(struct lxc_handler
*handler
)
1025 struct lxc_conf
*conf
= handler
->conf
;
1027 ret
= lxc_allocate_ttys(conf
);
1029 ERROR("Failed to allocate ttys");
1033 ret
= lxc_send_ttys_to_parent(handler
);
1035 ERROR("Failed to send ttys to parent");
1039 if (!conf
->is_execute
) {
1040 ret
= lxc_setup_ttys(conf
);
1042 ERROR("Failed to setup ttys");
1047 if (conf
->ttys
.tty_names
) {
1048 ret
= setenv("container_ttys", conf
->ttys
.tty_names
, 1);
1050 SYSERROR("Failed to set \"container_ttys=%s\"", conf
->ttys
.tty_names
);
1056 lxc_delete_tty(&conf
->ttys
);
1061 /* Just create a path for /dev under $lxcpath/$name and in rootfs If we hit an
1062 * error, log it but don't fail yet.
1064 static int mount_autodev(const char *name
, const struct lxc_rootfs
*rootfs
,
1065 int autodevtmpfssize
, const char *lxcpath
)
1067 const char *path
= rootfs
->path
? rootfs
->mount
: NULL
;
1070 char mount_options
[128];
1072 INFO("Preparing \"/dev\"");
1074 sprintf(mount_options
, "size=%d,mode=755", (autodevtmpfssize
!= 0) ? autodevtmpfssize
: 500000);
1075 DEBUG("Using mount options: %s", mount_options
);
1077 cur_mask
= umask(S_IXUSR
| S_IXGRP
| S_IXOTH
);
1078 ret
= mkdirat(rootfs
->mntpt_fd
, "dev" , S_IRWXU
| S_IRGRP
| S_IXGRP
| S_IROTH
| S_IXOTH
);
1079 if (ret
< 0 && errno
!= EEXIST
) {
1080 SYSERROR("Failed to create \"/dev\" directory");
1085 ret
= safe_mount_beneath_at(rootfs
->mntpt_fd
, "none", "dev", "tmpfs", 0, mount_options
);
1087 __do_free
char *fallback_path
= NULL
;
1089 if (errno
!= ENOSYS
) {
1090 SYSERROR("Failed to mount tmpfs on \"%s\"", path
);
1095 fallback_path
= must_make_path(path
, "/dev", NULL
);
1096 ret
= safe_mount("none", fallback_path
, "tmpfs", 0, mount_options
, path
);
1098 ret
= safe_mount("none", "dev", "tmpfs", 0, mount_options
, NULL
);
1101 SYSERROR("Failed to mount tmpfs on \"%s\"", path
);
1105 TRACE("Mounted tmpfs on \"%s\"", path
);
1107 /* If we are running on a devtmpfs mapping, dev/pts may already exist.
1108 * If not, then create it and exit if that fails...
1110 ret
= mkdirat(rootfs
->mntpt_fd
, "dev/pts", S_IRWXU
| S_IRGRP
| S_IXGRP
| S_IROTH
| S_IXOTH
);
1111 if (ret
< 0 && errno
!= EEXIST
) {
1112 SYSERROR("Failed to create directory \"%s\"", path
);
1120 (void)umask(cur_mask
);
1122 INFO("Prepared \"/dev\"");
1126 struct lxc_device_node
{
1133 static const struct lxc_device_node lxc_devices
[] = {
1134 { "full", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 1, 7 },
1135 { "null", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 1, 3 },
1136 { "random", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 1, 8 },
1137 { "tty", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 5, 0 },
1138 { "urandom", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 1, 9 },
1139 { "zero", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 1, 5 },
1146 LXC_DEVNODE_PARTIAL
,
1150 static int lxc_fill_autodev(const struct lxc_rootfs
*rootfs
)
1152 __do_close
int dev_dir_fd
= -EBADF
;
1155 int use_mknod
= LXC_DEVNODE_MKNOD
;
1157 /* ignore, just don't try to fill in */
1158 if (!exists_dir_at(rootfs
->mntpt_fd
, "dev"))
1161 dev_dir_fd
= openat(rootfs
->mntpt_fd
, "dev/", O_RDONLY
| O_CLOEXEC
| O_DIRECTORY
| O_PATH
| O_NOFOLLOW
);
1165 INFO("Populating \"/dev\"");
1167 cmask
= umask(S_IXUSR
| S_IXGRP
| S_IXOTH
);
1168 for (i
= 0; i
< sizeof(lxc_devices
) / sizeof(lxc_devices
[0]); i
++) {
1169 char hostpath
[PATH_MAX
], path
[PATH_MAX
];
1170 const struct lxc_device_node
*device
= &lxc_devices
[i
];
1172 if (use_mknod
>= LXC_DEVNODE_MKNOD
) {
1173 ret
= mknodat(dev_dir_fd
, device
->name
, device
->mode
, makedev(device
->maj
, device
->min
));
1174 if (ret
== 0 || (ret
< 0 && errno
== EEXIST
)) {
1175 DEBUG("Created device node \"%s\"", device
->name
);
1176 } else if (ret
< 0) {
1178 return log_error_errno(-1, errno
, "Failed to create device node \"%s\"", device
->name
);
1180 use_mknod
= LXC_DEVNODE_BIND
;
1183 /* Device nodes are fully useable. */
1184 if (use_mknod
== LXC_DEVNODE_OPEN
)
1187 if (use_mknod
== LXC_DEVNODE_MKNOD
) {
1188 __do_close
int fd
= -EBADF
;
1190 * - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=55956b59df336f6738da916dbb520b6e37df9fbd
1191 * - https://lists.linuxfoundation.org/pipermail/containers/2018-June/039176.html
1193 fd
= openat(dev_dir_fd
, device
->name
, O_RDONLY
| O_CLOEXEC
);
1195 /* Device nodes are fully useable. */
1196 use_mknod
= LXC_DEVNODE_OPEN
;
1200 SYSTRACE("Failed to open \"%s\" device", device
->name
);
1201 /* Device nodes are only partially useable. */
1202 use_mknod
= LXC_DEVNODE_PARTIAL
;
1206 if (use_mknod
!= LXC_DEVNODE_PARTIAL
) {
1207 /* If we are dealing with partially functional device
1208 * nodes the prio mknod() call will have created the
1209 * device node so we can use it as a bind-mount target.
1211 ret
= mknodat(dev_dir_fd
, device
->name
, S_IFREG
| 0000, 0);
1212 if (ret
< 0 && errno
!= EEXIST
)
1213 return log_error_errno(-1, errno
, "Failed to create file \"%s\"", device
->name
);
1216 /* Fallback to bind-mounting the device from the host. */
1217 ret
= snprintf(hostpath
, sizeof(hostpath
), "/dev/%s", device
->name
);
1218 if (ret
< 0 || (size_t)ret
>= sizeof(hostpath
))
1219 return ret_errno(EIO
);
1221 ret
= safe_mount_beneath_at(dev_dir_fd
, hostpath
, device
->name
, NULL
, MS_BIND
, NULL
);
1223 const char *mntpt
= rootfs
->path
? rootfs
->mount
: NULL
;
1224 if (errno
== ENOSYS
) {
1225 ret
= snprintf(path
, sizeof(path
), "%s/dev/%s", mntpt
, device
->name
);
1226 if (ret
< 0 || ret
>= sizeof(path
))
1227 return log_error(-1, "Failed to create device path for %s", device
->name
);
1228 ret
= safe_mount(hostpath
, path
, 0, MS_BIND
, NULL
, rootfs
->path
? rootfs
->mount
: NULL
);
1232 return log_error_errno(-1, errno
, "Failed to bind mount host device node \"%s\" onto \"%s\"", hostpath
, device
->name
);
1233 DEBUG("Bind mounted host device node \"%s\" onto \"%s\"", hostpath
, device
->name
);
1237 INFO("Populated \"/dev\"");
1241 static int lxc_mount_rootfs(struct lxc_conf
*conf
)
1244 struct lxc_storage
*bdev
;
1245 struct lxc_rootfs
*rootfs
= &conf
->rootfs
;
1247 if (!rootfs
->path
) {
1248 ret
= mount("", "/", NULL
, MS_SLAVE
| MS_REC
, 0);
1250 return log_error_errno(-1, errno
, "Failed to recursively turn root mount tree into dependent mount");
1252 rootfs
->mntpt_fd
= openat(-1, "/", O_RDONLY
| O_CLOEXEC
| O_DIRECTORY
| O_PATH
);
1253 if (rootfs
->mntpt_fd
< 0)
1259 ret
= access(rootfs
->mount
, F_OK
);
1261 return log_error_errno(-1, errno
, "Failed to access to \"%s\". Check it is present",
1264 bdev
= storage_init(conf
);
1266 return log_error(-1, "Failed to mount rootfs \"%s\" onto \"%s\" with options \"%s\"",
1267 rootfs
->path
, rootfs
->mount
,
1268 rootfs
->options
? rootfs
->options
: "(null)");
1270 ret
= bdev
->ops
->mount(bdev
);
1273 return log_error(-1, "Failed to mount rootfs \"%s\" onto \"%s\" with options \"%s\"",
1274 rootfs
->path
, rootfs
->mount
,
1275 rootfs
->options
? rootfs
->options
: "(null)");
1277 DEBUG("Mounted rootfs \"%s\" onto \"%s\" with options \"%s\"",
1278 rootfs
->path
, rootfs
->mount
,
1279 rootfs
->options
? rootfs
->options
: "(null)");
1281 rootfs
->mntpt_fd
= openat(-1, rootfs
->mount
, O_RDONLY
| O_CLOEXEC
| O_DIRECTORY
| O_PATH
);
1282 if (rootfs
->mntpt_fd
< 0)
1288 static int lxc_chroot(const struct lxc_rootfs
*rootfs
)
1290 __do_free
char *nroot
= NULL
;
1292 char *root
= rootfs
->mount
;
1294 nroot
= realpath(root
, NULL
);
1296 return log_error_errno(-1, errno
, "Failed to resolve \"%s\"", root
);
1302 /* We could use here MS_MOVE, but in userns this mount is locked and
1305 ret
= mount(nroot
, "/", NULL
, MS_REC
| MS_BIND
, NULL
);
1307 return log_error_errno(-1, errno
, "Failed to mount \"%s\" onto \"/\" as MS_REC | MS_BIND", nroot
);
1309 ret
= mount(NULL
, "/", NULL
, MS_REC
| MS_PRIVATE
, NULL
);
1311 return log_error_errno(-1, errno
, "Failed to remount \"/\"");
1313 /* The following code cleans up inherited mounts which are not required
1316 * The mountinfo file shows not all mounts, if a few points have been
1317 * unmounted between read operations from the mountinfo. So we need to
1318 * read mountinfo a few times.
1320 * This loop can be skipped if a container uses userns, because all
1321 * inherited mounts are locked and we should live with all this trash.
1324 __do_fclose
FILE *f
= NULL
;
1325 __do_free
char *line
= NULL
;
1326 char *slider1
, *slider2
;
1330 f
= fopen("./proc/self/mountinfo", "re");
1332 return log_error_errno(-1, errno
, "Failed to open \"/proc/self/mountinfo\"");
1334 while (getline(&line
, &len
, f
) > 0) {
1335 for (slider1
= line
, i
= 0; slider1
&& i
< 4; i
++)
1336 slider1
= strchr(slider1
+ 1, ' ');
1341 slider2
= strchr(slider1
+ 1, ' ');
1348 if (strcmp(slider1
+ 1, "/") == 0)
1351 if (strcmp(slider1
+ 1, "/proc") == 0)
1354 ret
= umount2(slider1
, MNT_DETACH
);
1363 /* This also can be skipped if a container uses userns. */
1364 (void)umount2("./proc", MNT_DETACH
);
1366 /* It is weird, but chdir("..") moves us in a new root */
1369 return log_error_errno(-1, errno
, "Failed to chdir(\"..\")");
1373 return log_error_errno(-1, errno
, "Failed to chroot(\".\")");
1378 /* (The following explanation is copied verbatim from the kernel.)
1380 * pivot_root Semantics:
1381 * Moves the root file system of the current process to the directory put_old,
1382 * makes new_root as the new root file system of the current process, and sets
1383 * root/cwd of all processes which had them on the current root to new_root.
1386 * The new_root and put_old must be directories, and must not be on the
1387 * same file system as the current process root. The put_old must be
1388 * underneath new_root, i.e. adding a non-zero number of /.. to the string
1389 * pointed to by put_old must yield the same directory as new_root. No other
1390 * file system may be mounted on put_old. After all, new_root is a mountpoint.
1392 * Also, the current root cannot be on the 'rootfs' (initial ramfs) filesystem.
1393 * See Documentation/filesystems/ramfs-rootfs-initramfs.txt for alternatives
1394 * in this situation.
1397 * - we don't move root/cwd if they are not at the root (reason: if something
1398 * cared enough to change them, it's probably wrong to force them elsewhere)
1399 * - it's okay to pick a root that isn't the root of a file system, e.g.
1400 * /nfs/my_root where /nfs is the mount point. It must be a mountpoint,
1401 * though, so you may need to say mount --bind /nfs/my_root /nfs/my_root
1404 static int lxc_pivot_root(const char *rootfs
)
1406 __do_close
int oldroot
= -EBADF
, newroot
= -EBADF
;
1409 oldroot
= open("/", O_DIRECTORY
| O_RDONLY
| O_CLOEXEC
);
1411 return log_error_errno(-1, errno
, "Failed to open old root directory");
1413 newroot
= open(rootfs
, O_DIRECTORY
| O_RDONLY
| O_CLOEXEC
);
1415 return log_error_errno(-1, errno
, "Failed to open new root directory");
1417 /* change into new root fs */
1418 ret
= fchdir(newroot
);
1420 return log_error_errno(-1, errno
, "Failed to change to new rootfs \"%s\"", rootfs
);
1422 /* pivot_root into our new root fs */
1423 ret
= pivot_root(".", ".");
1425 return log_error_errno(-1, errno
, "Failed to pivot_root()");
1427 /* At this point the old-root is mounted on top of our new-root. To
1428 * unmounted it we must not be chdir'd into it, so escape back to
1431 ret
= fchdir(oldroot
);
1433 return log_error_errno(-1, errno
, "Failed to enter old root directory");
1435 /* Make oldroot a depedent mount to make sure our umounts don't propagate to the
1438 ret
= mount("", ".", "", MS_SLAVE
| MS_REC
, NULL
);
1440 return log_error_errno(-1, errno
, "Failed to recursively turn old root mount tree into dependent mount");
1442 ret
= umount2(".", MNT_DETACH
);
1444 return log_error_errno(-1, errno
, "Failed to detach old root directory");
1446 ret
= fchdir(newroot
);
1448 return log_error_errno(-1, errno
, "Failed to re-enter new root directory");
1450 TRACE("pivot_root(\"%s\") successful", rootfs
);
1455 static int lxc_setup_rootfs_switch_root(const struct lxc_rootfs
*rootfs
)
1458 return log_debug(0, "Container does not have a rootfs");
1460 if (detect_ramfs_rootfs())
1461 return lxc_chroot(rootfs
);
1463 return lxc_pivot_root(rootfs
->mount
);
1466 static const struct id_map
*find_mapped_nsid_entry(const struct lxc_conf
*conf
,
1470 struct lxc_list
*it
;
1472 struct id_map
*retmap
= NULL
;
1474 /* Shortcut for container's root mappings. */
1476 if (idtype
== ID_TYPE_UID
)
1477 return conf
->root_nsuid_map
;
1479 if (idtype
== ID_TYPE_GID
)
1480 return conf
->root_nsgid_map
;
1483 lxc_list_for_each(it
, &conf
->id_map
) {
1485 if (map
->idtype
!= idtype
)
1488 if (id
>= map
->nsid
&& id
< map
->nsid
+ map
->range
) {
1497 int lxc_setup_devpts_parent(struct lxc_handler
*handler
)
1501 if (handler
->conf
->pty_max
<= 0)
1504 ret
= lxc_abstract_unix_recv_fds(handler
->data_sock
[1], &handler
->conf
->devpts_fd
, 1,
1505 &handler
->conf
->devpts_fd
, sizeof(handler
->conf
->devpts_fd
));
1507 return log_error_errno(-1, errno
, "Failed to receive devpts fd from child");
1509 TRACE("Received devpts file descriptor %d from child", handler
->conf
->devpts_fd
);
1513 static int lxc_setup_devpts_child(struct lxc_handler
*handler
)
1515 __do_close
int devpts_fd
= -EBADF
;
1518 char devpts_mntopts
[256];
1519 char *mntopt_sets
[5];
1520 char default_devpts_mntopts
[256] = "gid=5,newinstance,ptmxmode=0666,mode=0620";
1521 struct lxc_conf
*conf
= handler
->conf
;
1522 int sock
= handler
->data_sock
[0];
1524 if (conf
->pty_max
<= 0)
1525 return log_debug(0, "No new devpts instance will be mounted since no pts devices are requested");
1527 ret
= snprintf(devpts_mntopts
, sizeof(devpts_mntopts
), "%s,max=%zu",
1528 default_devpts_mntopts
, conf
->pty_max
);
1529 if (ret
< 0 || (size_t)ret
>= sizeof(devpts_mntopts
))
1532 (void)umount2("/dev/pts", MNT_DETACH
);
1534 /* Create mountpoint for devpts instance. */
1535 ret
= mkdir("/dev/pts", 0755);
1536 if (ret
< 0 && errno
!= EEXIST
)
1537 return log_error_errno(-1, errno
, "Failed to create \"/dev/pts\" directory");
1540 mntopt_sets
[0] = devpts_mntopts
;
1542 /* !gid=5 && max= */
1543 mntopt_sets
[1] = devpts_mntopts
+ STRLITERALLEN("gid=5") + 1;
1545 /* gid=5 && !max= */
1546 mntopt_sets
[2] = default_devpts_mntopts
;
1548 /* !gid=5 && !max= */
1549 mntopt_sets
[3] = default_devpts_mntopts
+ STRLITERALLEN("gid=5") + 1;
1552 mntopt_sets
[4] = NULL
;
1554 for (ret
= -1, opts
= mntopt_sets
; opts
&& *opts
; opts
++) {
1555 /* mount new devpts instance */
1556 ret
= mount("devpts", "/dev/pts", "devpts", MS_NOSUID
| MS_NOEXEC
, *opts
);
1562 return log_error_errno(-1, errno
, "Failed to mount new devpts instance");
1563 DEBUG("Mount new devpts instance with options \"%s\"", *opts
);
1565 devpts_fd
= openat(-EBADF
, "/dev/pts", O_CLOEXEC
| O_DIRECTORY
| O_PATH
| O_NOFOLLOW
);
1566 if (devpts_fd
< 0) {
1568 TRACE("Failed to create detached devpts mount");
1569 ret
= lxc_abstract_unix_send_fds(sock
, NULL
, 0, &devpts_fd
, sizeof(int));
1571 ret
= lxc_abstract_unix_send_fds(sock
, &devpts_fd
, 1, NULL
, 0);
1574 return log_error_errno(-1, errno
, "Failed to send devpts fd to parent");
1576 TRACE("Sent devpts file descriptor %d to parent", devpts_fd
);
1578 /* Remove any pre-existing /dev/ptmx file. */
1579 ret
= remove("/dev/ptmx");
1581 if (errno
!= ENOENT
)
1582 return log_error_errno(-1, errno
, "Failed to remove existing \"/dev/ptmx\" file");
1584 DEBUG("Removed existing \"/dev/ptmx\" file");
1587 /* Create dummy /dev/ptmx file as bind mountpoint for /dev/pts/ptmx. */
1588 ret
= mknod("/dev/ptmx", S_IFREG
| 0000, 0);
1589 if (ret
< 0 && errno
!= EEXIST
)
1590 return log_error_errno(-1, errno
, "Failed to create dummy \"/dev/ptmx\" file as bind mount target");
1591 DEBUG("Created dummy \"/dev/ptmx\" file as bind mount target");
1593 /* Fallback option: create symlink /dev/ptmx -> /dev/pts/ptmx */
1594 ret
= mount("/dev/pts/ptmx", "/dev/ptmx", NULL
, MS_BIND
, NULL
);
1596 return log_debug(0, "Bind mounted \"/dev/pts/ptmx\" to \"/dev/ptmx\"");
1598 /* Fallthrough and try to create a symlink. */
1599 ERROR("Failed to bind mount \"/dev/pts/ptmx\" to \"/dev/ptmx\"");
1601 /* Remove the dummy /dev/ptmx file we created above. */
1602 ret
= remove("/dev/ptmx");
1604 return log_error_errno(-1, errno
, "Failed to remove existing \"/dev/ptmx\"");
1606 /* Fallback option: Create symlink /dev/ptmx -> /dev/pts/ptmx. */
1607 ret
= symlink("/dev/pts/ptmx", "/dev/ptmx");
1609 return log_error_errno(-1, errno
, "Failed to create symlink from \"/dev/ptmx\" to \"/dev/pts/ptmx\"");
1611 DEBUG("Created symlink from \"/dev/ptmx\" to \"/dev/pts/ptmx\"");
1615 static int setup_personality(int persona
)
1619 #if HAVE_SYS_PERSONALITY_H
1623 ret
= personality(persona
);
1625 return log_error_errno(-1, errno
, "Failed to set personality to \"0x%x\"", persona
);
1627 INFO("Set personality to \"0x%x\"", persona
);
1633 static inline bool wants_console(const struct lxc_terminal
*terminal
)
1635 return !terminal
->path
|| strcmp(terminal
->path
, "none");
1638 static int lxc_setup_dev_console(const struct lxc_rootfs
*rootfs
,
1639 const struct lxc_terminal
*console
,
1643 char path
[PATH_MAX
];
1644 char *rootfs_path
= rootfs
->path
? rootfs
->mount
: "";
1646 if (!wants_console(console
))
1650 * When we are asked to setup a console we remove any previous
1651 * /dev/console bind-mounts.
1653 if (exists_file_at(rootfs
->dev_mntpt_fd
, "console")) {
1654 ret
= snprintf(path
, sizeof(path
), "%s/dev/console", rootfs_path
);
1655 if (ret
< 0 || (size_t)ret
>= sizeof(path
))
1658 ret
= lxc_unstack_mountpoint(path
, false);
1660 return log_error_errno(-ret
, errno
, "Failed to unmount \"%s\"", path
);
1662 DEBUG("Cleared all (%d) mounts from \"%s\"", ret
, path
);
1666 * For unprivileged containers autodev or automounts will already have
1667 * taken care of creating /dev/console.
1669 ret
= mknodat(rootfs
->dev_mntpt_fd
, "console", S_IFREG
| 0000, 0);
1670 if (ret
< 0 && errno
!= EEXIST
)
1671 return log_error_errno(-errno
, errno
, "Failed to create console");
1673 ret
= fchmod(console
->pty
, S_IXUSR
| S_IXGRP
);
1675 return log_error_errno(-errno
, errno
, "Failed to set mode \"0%o\" to \"%s\"", S_IXUSR
| S_IXGRP
, console
->name
);
1677 if (pty_mnt_fd
>= 0) {
1678 ret
= move_mount(pty_mnt_fd
, "", rootfs
->dev_mntpt_fd
, "console", MOVE_MOUNT_F_EMPTY_PATH
);
1680 DEBUG("Moved mount \"%s\" onto \"%s\"", console
->name
, path
);
1684 if (ret
&& errno
!= ENOSYS
)
1685 return log_error_errno(-1, errno
,
1686 "Failed to mount %d(%s) on \"%s\"",
1687 pty_mnt_fd
, console
->name
, path
);
1690 ret
= safe_mount_beneath_at(rootfs
->dev_mntpt_fd
, console
->name
, "console", NULL
, MS_BIND
, NULL
);
1692 if (errno
== ENOSYS
) {
1693 ret
= snprintf(path
, sizeof(path
), "%s/dev/console", rootfs_path
);
1694 if (ret
< 0 || (size_t)ret
>= sizeof(path
))
1697 ret
= safe_mount(console
->name
, path
, "none", MS_BIND
, NULL
, rootfs_path
);
1699 return log_error_errno(-1, errno
, "Failed to mount %d(%s) on \"%s\"", pty_mnt_fd
, console
->name
, path
);
1704 DEBUG("Mounted pty device %d(%s) onto \"%s\"", pty_mnt_fd
, console
->name
, path
);
1708 static int lxc_setup_ttydir_console(const struct lxc_rootfs
*rootfs
,
1709 const struct lxc_terminal
*console
,
1710 char *ttydir
, int pty_mnt_fd
)
1713 char path
[PATH_MAX
], lxcpath
[PATH_MAX
];
1714 char *rootfs_path
= rootfs
->path
? rootfs
->mount
: "";
1716 if (!wants_console(console
))
1719 /* create rootfs/dev/<ttydir> directory */
1720 ret
= snprintf(path
, sizeof(path
), "%s/dev/%s", rootfs_path
, ttydir
);
1721 if (ret
< 0 || (size_t)ret
>= sizeof(path
))
1724 ret
= mkdir(path
, 0755);
1725 if (ret
&& errno
!= EEXIST
)
1726 return log_error_errno(-errno
, errno
, "Failed to create \"%s\"", path
);
1727 DEBUG("Created directory for console and tty devices at \"%s\"", path
);
1729 ret
= snprintf(lxcpath
, sizeof(lxcpath
), "%s/dev/%s/console", rootfs_path
, ttydir
);
1730 if (ret
< 0 || (size_t)ret
>= sizeof(lxcpath
))
1733 ret
= mknod(lxcpath
, S_IFREG
| 0000, 0);
1734 if (ret
< 0 && errno
!= EEXIST
)
1735 return log_error_errno(-errno
, errno
, "Failed to create \"%s\"", lxcpath
);
1737 ret
= snprintf(path
, sizeof(path
), "%s/dev/console", rootfs_path
);
1738 if (ret
< 0 || (size_t)ret
>= sizeof(path
))
1741 if (file_exists(path
)) {
1742 ret
= lxc_unstack_mountpoint(path
, false);
1744 return log_error_errno(-ret
, errno
, "Failed to unmount \"%s\"", path
);
1746 DEBUG("Cleared all (%d) mounts from \"%s\"", ret
, path
);
1749 ret
= mknod(path
, S_IFREG
| 0000, 0);
1750 if (ret
< 0 && errno
!= EEXIST
)
1751 return log_error_errno(-errno
, errno
, "Failed to create console");
1753 ret
= fchmod(console
->pty
, S_IXUSR
| S_IXGRP
);
1755 return log_error_errno(-errno
, errno
, "Failed to set mode \"0%o\" to \"%s\"", S_IXUSR
| S_IXGRP
, console
->name
);
1757 /* bind mount console->name to '/dev/<ttydir>/console' */
1758 if (pty_mnt_fd
>= 0) {
1759 ret
= move_mount(pty_mnt_fd
, "", -EBADF
, lxcpath
, MOVE_MOUNT_F_EMPTY_PATH
);
1761 DEBUG("Moved mount \"%s\" onto \"%s\"", console
->name
, lxcpath
);
1765 if (ret
&& errno
!= ENOSYS
)
1766 return log_error_errno(-1, errno
,
1767 "Failed to mount %d(%s) on \"%s\"",
1768 pty_mnt_fd
, console
->name
, lxcpath
);
1771 ret
= safe_mount(console
->name
, lxcpath
, "none", MS_BIND
, 0, rootfs_path
);
1773 return log_error_errno(-1, errno
, "Failed to mount %d(%s) on \"%s\"", pty_mnt_fd
, console
->name
, lxcpath
);
1774 DEBUG("Mounted \"%s\" onto \"%s\"", console
->name
, lxcpath
);
1777 /* bind mount '/dev/<ttydir>/console' to '/dev/console' */
1778 ret
= safe_mount(lxcpath
, path
, "none", MS_BIND
, 0, rootfs_path
);
1780 return log_error_errno(-1, errno
, "Failed to mount \"%s\" on \"%s\"", console
->name
, lxcpath
);
1781 DEBUG("Mounted \"%s\" onto \"%s\"", console
->name
, lxcpath
);
1783 DEBUG("Console has been setup under \"%s\" and mounted to \"%s\"", lxcpath
, path
);
1787 static int lxc_setup_console(const struct lxc_rootfs
*rootfs
,
1788 const struct lxc_terminal
*console
, char *ttydir
,
1793 return lxc_setup_dev_console(rootfs
, console
, pty_mnt_fd
);
1795 return lxc_setup_ttydir_console(rootfs
, console
, ttydir
, pty_mnt_fd
);
1798 static int parse_mntopt(char *opt
, unsigned long *flags
, char **data
, size_t size
)
1802 /* If '=' is contained in opt, the option must go into data. */
1803 if (!strchr(opt
, '=')) {
1805 * If opt is found in mount_opt, set or clear flags.
1806 * Otherwise append it to data.
1808 size_t opt_len
= strlen(opt
);
1809 for (struct mount_opt
*mo
= &mount_opt
[0]; mo
->name
!= NULL
; mo
++) {
1810 size_t mo_name_len
= strlen(mo
->name
);
1812 if (opt_len
== mo_name_len
&& strncmp(opt
, mo
->name
, mo_name_len
) == 0) {
1814 *flags
&= ~mo
->flag
;
1822 if (strlen(*data
)) {
1823 ret
= strlcat(*data
, ",", size
);
1825 return log_error_errno(ret
, errno
, "Failed to append \",\" to %s", *data
);
1828 ret
= strlcat(*data
, opt
, size
);
1830 return log_error_errno(ret
, errno
, "Failed to append \"%s\" to %s", opt
, *data
);
1835 int parse_mntopts(const char *mntopts
, unsigned long *mntflags
, char **mntdata
)
1837 __do_free
char *mntopts_new
= NULL
, *mntopts_dup
= NULL
;
1838 char *mntopt_cur
= NULL
;
1841 if (*mntdata
|| *mntflags
)
1842 return ret_errno(EINVAL
);
1847 mntopts_dup
= strdup(mntopts
);
1849 return ret_errno(ENOMEM
);
1851 size
= strlen(mntopts_dup
) + 1;
1852 mntopts_new
= zalloc(size
);
1854 return ret_errno(ENOMEM
);
1856 lxc_iterate_parts(mntopt_cur
, mntopts_dup
, ",")
1857 if (parse_mntopt(mntopt_cur
, mntflags
, &mntopts_new
, size
) < 0)
1858 return ret_errno(EINVAL
);
1861 *mntdata
= move_ptr(mntopts_new
);
1866 static void parse_propagationopt(char *opt
, unsigned long *flags
)
1868 struct mount_opt
*mo
;
1870 /* If opt is found in propagation_opt, set or clear flags. */
1871 for (mo
= &propagation_opt
[0]; mo
->name
!= NULL
; mo
++) {
1872 if (strncmp(opt
, mo
->name
, strlen(mo
->name
)) != 0)
1876 *flags
&= ~mo
->flag
;
1884 int parse_propagationopts(const char *mntopts
, unsigned long *pflags
)
1886 __do_free
char *s
= NULL
;
1892 s
= strdup(mntopts
);
1894 return log_error_errno(-ENOMEM
, errno
, "Failed to allocate memory");
1897 lxc_iterate_parts(p
, s
, ",")
1898 parse_propagationopt(p
, pflags
);
1903 static void null_endofword(char *word
)
1905 while (*word
&& *word
!= ' ' && *word
!= '\t')
1910 /* skip @nfields spaces in @src */
1911 static char *get_field(char *src
, int nfields
)
1916 for (i
= 0; i
< nfields
; i
++) {
1917 while (*p
&& *p
!= ' ' && *p
!= '\t')
1929 static int mount_entry(const char *fsname
, const char *target
,
1930 const char *fstype
, unsigned long mountflags
,
1931 unsigned long pflags
, const char *data
, bool optional
,
1932 bool dev
, bool relative
, const char *rootfs
)
1935 char srcbuf
[PATH_MAX
];
1936 const char *srcpath
= fsname
;
1942 ret
= snprintf(srcbuf
, sizeof(srcbuf
), "%s/%s", rootfs
? rootfs
: "/", fsname
? fsname
: "");
1943 if (ret
< 0 || ret
>= sizeof(srcbuf
))
1944 return log_error_errno(-1, errno
, "source path is too long");
1948 ret
= safe_mount(srcpath
, target
, fstype
, mountflags
& ~MS_REMOUNT
, data
,
1952 return log_info_errno(0, errno
, "Failed to mount \"%s\" on \"%s\" (optional)",
1953 srcpath
? srcpath
: "(null)", target
);
1955 return log_error_errno(-1, errno
, "Failed to mount \"%s\" on \"%s\"",
1956 srcpath
? srcpath
: "(null)", target
);
1959 if ((mountflags
& MS_REMOUNT
) || (mountflags
& MS_BIND
)) {
1961 DEBUG("Remounting \"%s\" on \"%s\" to respect bind or remount options",
1962 srcpath
? srcpath
: "(none)", target
? target
: "(none)");
1965 if (srcpath
&& statvfs(srcpath
, &sb
) == 0) {
1966 unsigned long required_flags
= 0;
1968 if (sb
.f_flag
& MS_NOSUID
)
1969 required_flags
|= MS_NOSUID
;
1971 if (sb
.f_flag
& MS_NODEV
&& !dev
)
1972 required_flags
|= MS_NODEV
;
1974 if (sb
.f_flag
& MS_RDONLY
)
1975 required_flags
|= MS_RDONLY
;
1977 if (sb
.f_flag
& MS_NOEXEC
)
1978 required_flags
|= MS_NOEXEC
;
1980 DEBUG("Flags for \"%s\" were %lu, required extra flags are %lu",
1981 srcpath
, sb
.f_flag
, required_flags
);
1983 /* If this was a bind mount request, and required_flags
1984 * does not have any flags which are not already in
1985 * mountflags, then skip the remount.
1987 if (!(mountflags
& MS_REMOUNT
) &&
1988 (!(required_flags
& ~mountflags
) && !(mountflags
& MS_RDONLY
))) {
1989 DEBUG("Mountflags already were %lu, skipping remount", mountflags
);
1993 mountflags
|= required_flags
;
1997 ret
= mount(srcpath
, target
, fstype
, mountflags
| MS_REMOUNT
, data
);
2000 return log_info_errno(0, errno
, "Failed to mount \"%s\" on \"%s\" (optional)",
2001 srcpath
? srcpath
: "(null)",
2004 return log_error_errno(-1, errno
, "Failed to mount \"%s\" on \"%s\"",
2005 srcpath
? srcpath
: "(null)",
2014 ret
= mount(NULL
, target
, NULL
, pflags
, NULL
);
2017 return log_info_errno(0, errno
, "Failed to change mount propagation for \"%s\" (optional)", target
);
2019 return log_error_errno(-1, errno
, "Failed to change mount propagation for \"%s\" (optional)", target
);
2021 DEBUG("Changed mount propagation for \"%s\"", target
);
2024 DEBUG("Mounted \"%s\" on \"%s\" with filesystem type \"%s\"",
2025 srcpath
? srcpath
: "(null)", target
, fstype
);
2030 /* Remove "optional", "create=dir", and "create=file" from mntopt */
2031 static void cull_mntent_opt(struct mntent
*mntent
)
2042 for (i
= 0; list
[i
]; i
++) {
2045 p
= strstr(mntent
->mnt_opts
, list
[i
]);
2049 p2
= strchr(p
, ',');
2051 /* no more mntopts, so just chop it here */
2056 memmove(p
, p2
+ 1, strlen(p2
+ 1) + 1);
2060 static int mount_entry_create_dir_file(const struct mntent
*mntent
,
2062 const struct lxc_rootfs
*rootfs
,
2063 const char *lxc_name
, const char *lxc_path
)
2065 __do_free
char *p1
= NULL
;
2069 if (strncmp(mntent
->mnt_type
, "overlay", 7) == 0) {
2070 ret
= ovl_mkdir(mntent
, rootfs
, lxc_name
, lxc_path
);
2075 if (hasmntopt(mntent
, "create=dir")) {
2076 ret
= mkdir_p(path
, 0755);
2077 if (ret
< 0 && errno
!= EEXIST
)
2078 return log_error_errno(-1, errno
, "Failed to create directory \"%s\"", path
);
2081 if (!hasmntopt(mntent
, "create=file"))
2084 ret
= access(path
, F_OK
);
2094 ret
= mkdir_p(p2
, 0755);
2095 if (ret
< 0 && errno
!= EEXIST
)
2096 return log_error_errno(-1, errno
, "Failed to create directory \"%s\"", path
);
2098 ret
= mknod(path
, S_IFREG
| 0000, 0);
2099 if (ret
< 0 && errno
!= EEXIST
)
2105 /* rootfs, lxc_name, and lxc_path can be NULL when the container is created
2106 * without a rootfs. */
2107 static inline int mount_entry_on_generic(struct mntent
*mntent
,
2109 const struct lxc_rootfs
*rootfs
,
2110 const char *lxc_name
,
2111 const char *lxc_path
)
2113 __do_free
char *mntdata
= NULL
;
2114 unsigned long mntflags
= 0, pflags
= 0;
2115 char *rootfs_path
= NULL
;
2117 bool dev
, optional
, relative
;
2119 optional
= hasmntopt(mntent
, "optional") != NULL
;
2120 dev
= hasmntopt(mntent
, "dev") != NULL
;
2121 relative
= hasmntopt(mntent
, "relative") != NULL
;
2123 if (rootfs
&& rootfs
->path
)
2124 rootfs_path
= rootfs
->mount
;
2126 ret
= mount_entry_create_dir_file(mntent
, path
, rootfs
, lxc_name
,
2134 cull_mntent_opt(mntent
);
2136 ret
= parse_propagationopts(mntent
->mnt_opts
, &pflags
);
2140 ret
= parse_mntopts(mntent
->mnt_opts
, &mntflags
, &mntdata
);
2144 ret
= mount_entry(mntent
->mnt_fsname
, path
, mntent
->mnt_type
, mntflags
,
2145 pflags
, mntdata
, optional
, dev
, relative
, rootfs_path
);
2150 static inline int mount_entry_on_systemfs(struct mntent
*mntent
)
2153 char path
[PATH_MAX
];
2155 /* For containers created without a rootfs all mounts are treated as
2156 * absolute paths starting at / on the host.
2158 if (mntent
->mnt_dir
[0] != '/')
2159 ret
= snprintf(path
, sizeof(path
), "/%s", mntent
->mnt_dir
);
2161 ret
= snprintf(path
, sizeof(path
), "%s", mntent
->mnt_dir
);
2162 if (ret
< 0 || ret
>= sizeof(path
))
2165 return mount_entry_on_generic(mntent
, path
, NULL
, NULL
, NULL
);
2168 static int mount_entry_on_absolute_rootfs(struct mntent
*mntent
,
2169 const struct lxc_rootfs
*rootfs
,
2170 const char *lxc_name
,
2171 const char *lxc_path
)
2175 const char *lxcpath
;
2176 char path
[PATH_MAX
];
2179 lxcpath
= lxc_global_config_value("lxc.lxcpath");
2183 /* If rootfs->path is a blockdev path, allow container fstab to use
2184 * <lxcpath>/<name>/rootfs" as the target prefix.
2186 ret
= snprintf(path
, PATH_MAX
, "%s/%s/rootfs", lxcpath
, lxc_name
);
2187 if (ret
< 0 || ret
>= PATH_MAX
)
2190 aux
= strstr(mntent
->mnt_dir
, path
);
2192 offset
= strlen(path
);
2197 aux
= strstr(mntent
->mnt_dir
, rootfs
->path
);
2199 return log_warn(ret
, "Ignoring mount point \"%s\"", mntent
->mnt_dir
);
2200 offset
= strlen(rootfs
->path
);
2203 ret
= snprintf(path
, PATH_MAX
, "%s/%s", rootfs
->mount
, aux
+ offset
);
2204 if (ret
< 0 || ret
>= PATH_MAX
)
2207 return mount_entry_on_generic(mntent
, path
, rootfs
, lxc_name
, lxc_path
);
2210 static int mount_entry_on_relative_rootfs(struct mntent
*mntent
,
2211 const struct lxc_rootfs
*rootfs
,
2212 const char *lxc_name
,
2213 const char *lxc_path
)
2216 char path
[PATH_MAX
];
2218 /* relative to root mount point */
2219 ret
= snprintf(path
, sizeof(path
), "%s/%s", rootfs
->mount
, mntent
->mnt_dir
);
2220 if (ret
< 0 || (size_t)ret
>= sizeof(path
))
2223 return mount_entry_on_generic(mntent
, path
, rootfs
, lxc_name
, lxc_path
);
2226 static int mount_file_entries(const struct lxc_rootfs
*rootfs
, FILE *file
,
2227 const char *lxc_name
, const char *lxc_path
)
2230 struct mntent mntent
;
2232 while (getmntent_r(file
, &mntent
, buf
, sizeof(buf
))) {
2236 ret
= mount_entry_on_systemfs(&mntent
);
2237 else if (mntent
.mnt_dir
[0] != '/')
2238 ret
= mount_entry_on_relative_rootfs(&mntent
, rootfs
,
2239 lxc_name
, lxc_path
);
2241 ret
= mount_entry_on_absolute_rootfs(&mntent
, rootfs
,
2242 lxc_name
, lxc_path
);
2247 if (!feof(file
) || ferror(file
))
2248 return log_error(-1, "Failed to parse mount entries");
2253 static inline void __auto_endmntent__(FILE **f
)
2259 #define __do_endmntent __attribute__((__cleanup__(__auto_endmntent__)))
2261 static int setup_mount(const struct lxc_conf
*conf
,
2262 const struct lxc_rootfs
*rootfs
, const char *fstab
,
2263 const char *lxc_name
, const char *lxc_path
)
2265 __do_endmntent
FILE *f
= NULL
;
2271 f
= setmntent(fstab
, "re");
2273 return log_error_errno(-1, errno
, "Failed to open \"%s\"", fstab
);
2275 ret
= mount_file_entries(rootfs
, f
, lxc_name
, lxc_path
);
2277 ERROR("Failed to set up mount entries");
2283 * In order for nested containers to be able to mount /proc and /sys they need
2284 * to see a "pure" proc and sysfs mount points with nothing mounted on top
2286 * For this we provide proc and sysfs in /dev/.lxc/{proc,sys} while using an
2287 * apparmor rule to deny access to them. This is mostly for convenience: The
2288 * container's root user can mount them anyway and thus has access to the two
2289 * file systems. But a non-root user in the container should not be allowed to
2290 * access them as a side effect without explicitly allowing it.
2292 static const char nesting_helpers
[] =
2293 "proc dev/.lxc/proc proc create=dir,optional 0 0\n"
2294 "sys dev/.lxc/sys sysfs create=dir,optional 0 0\n";
2296 FILE *make_anonymous_mount_file(struct lxc_list
*mount
,
2297 bool include_nesting_helpers
)
2299 __do_close
int fd
= -EBADF
;
2303 struct lxc_list
*iterator
;
2305 fd
= memfd_create(".lxc_mount_file", MFD_CLOEXEC
);
2307 char template[] = P_tmpdir
"/.lxc_mount_file_XXXXXX";
2309 if (errno
!= ENOSYS
)
2312 fd
= lxc_make_tmpfile(template, true);
2314 return log_error_errno(NULL
, errno
, "Could not create temporary mount file");
2316 TRACE("Created temporary mount file");
2319 lxc_list_for_each (iterator
, mount
) {
2322 mount_entry
= iterator
->elem
;
2323 len
= strlen(mount_entry
);
2325 ret
= lxc_write_nointr(fd
, mount_entry
, len
);
2329 ret
= lxc_write_nointr(fd
, "\n", 1);
2334 if (include_nesting_helpers
) {
2335 ret
= lxc_write_nointr(fd
, nesting_helpers
,
2336 STRARRAYLEN(nesting_helpers
));
2337 if (ret
!= STRARRAYLEN(nesting_helpers
))
2341 ret
= lseek(fd
, 0, SEEK_SET
);
2345 f
= fdopen(fd
, "re+");
2347 move_fd(fd
); /* Transfer ownership of fd. */
2351 static int setup_mount_entries(const struct lxc_conf
*conf
,
2352 const struct lxc_rootfs
*rootfs
,
2353 struct lxc_list
*mount
, const char *lxc_name
,
2354 const char *lxc_path
)
2356 __do_fclose
FILE *f
= NULL
;
2358 f
= make_anonymous_mount_file(mount
, conf
->lsm_aa_allow_nesting
);
2362 return mount_file_entries(rootfs
, f
, lxc_name
, lxc_path
);
2365 static int parse_cap(const char *cap
)
2369 size_t end
= sizeof(caps_opt
) / sizeof(caps_opt
[0]);
2372 if (strcmp(cap
, "none") == 0)
2375 for (i
= 0; i
< end
; i
++) {
2376 if (strcmp(cap
, caps_opt
[i
].name
))
2379 capid
= caps_opt
[i
].value
;
2384 /* Try to see if it's numeric, so the user may specify
2385 * capabilities that the running kernel knows about but we
2389 capid
= strtol(cap
, &ptr
, 10);
2390 if (!ptr
|| *ptr
!= '\0' || errno
!= 0)
2391 /* not a valid number */
2393 else if (capid
> lxc_caps_last_cap())
2394 /* we have a number but it's not a valid
2402 int in_caplist(int cap
, struct lxc_list
*caps
)
2405 struct lxc_list
*iterator
;
2407 lxc_list_for_each (iterator
, caps
) {
2408 capid
= parse_cap(iterator
->elem
);
2416 static int setup_caps(struct lxc_list
*caps
)
2420 struct lxc_list
*iterator
;
2422 lxc_list_for_each (iterator
, caps
) {
2425 drop_entry
= iterator
->elem
;
2427 capid
= parse_cap(drop_entry
);
2429 return log_error(-1, "unknown capability %s", drop_entry
);
2431 ret
= prctl(PR_CAPBSET_DROP
, prctl_arg(capid
), prctl_arg(0),
2432 prctl_arg(0), prctl_arg(0));
2434 return log_error_errno(-1, errno
, "Failed to remove %s capability", drop_entry
);
2435 DEBUG("Dropped %s (%d) capability", drop_entry
, capid
);
2438 DEBUG("Capabilities have been setup");
2442 static int dropcaps_except(struct lxc_list
*caps
)
2444 __do_free
int *caplist
= NULL
;
2445 int i
, capid
, numcaps
;
2447 struct lxc_list
*iterator
;
2449 numcaps
= lxc_caps_last_cap() + 1;
2450 if (numcaps
<= 0 || numcaps
> 200)
2452 TRACE("Found %d capabilities", numcaps
);
2454 /* caplist[i] is 1 if we keep capability i */
2455 caplist
= must_realloc(NULL
, numcaps
* sizeof(int));
2456 memset(caplist
, 0, numcaps
* sizeof(int));
2458 lxc_list_for_each (iterator
, caps
) {
2459 keep_entry
= iterator
->elem
;
2461 capid
= parse_cap(keep_entry
);
2466 return log_error(-1, "Unknown capability %s", keep_entry
);
2468 DEBUG("Keep capability %s (%d)", keep_entry
, capid
);
2472 for (i
= 0; i
< numcaps
; i
++) {
2478 ret
= prctl(PR_CAPBSET_DROP
, prctl_arg(i
), prctl_arg(0),
2479 prctl_arg(0), prctl_arg(0));
2481 return log_error_errno(-1, errno
, "Failed to remove capability %d", i
);
2484 DEBUG("Capabilities have been setup");
2488 static int parse_resource(const char *res
)
2494 for (i
= 0; i
< sizeof(limit_opt
) / sizeof(limit_opt
[0]); ++i
)
2495 if (strcmp(res
, limit_opt
[i
].name
) == 0)
2496 return limit_opt
[i
].value
;
2498 /* Try to see if it's numeric, so the user may specify
2499 * resources that the running kernel knows about but
2502 ret
= lxc_safe_int(res
, &resid
);
2509 int setup_resource_limits(struct lxc_list
*limits
, pid_t pid
)
2512 struct lxc_list
*it
;
2513 struct lxc_limit
*lim
;
2515 lxc_list_for_each (it
, limits
) {
2518 resid
= parse_resource(lim
->resource
);
2520 return log_error(-1, "Unknown resource %s", lim
->resource
);
2522 #if HAVE_PRLIMIT || HAVE_PRLIMIT64
2523 if (prlimit(pid
, resid
, &lim
->limit
, NULL
) != 0)
2524 return log_error_errno(-1, errno
, "Failed to set limit %s", lim
->resource
);
2526 TRACE("Setup \"%s\" limit", lim
->resource
);
2528 return log_error(-1, "Cannot set limit \"%s\" as prlimit is missing", lim
->resource
);
2535 int setup_sysctl_parameters(struct lxc_list
*sysctls
)
2537 __do_free
char *tmp
= NULL
;
2538 struct lxc_list
*it
;
2539 struct lxc_sysctl
*elem
;
2541 char filename
[PATH_MAX
] = {0};
2543 lxc_list_for_each (it
, sysctls
) {
2545 tmp
= lxc_string_replace(".", "/", elem
->key
);
2547 return log_error(-1, "Failed to replace key %s", elem
->key
);
2549 ret
= snprintf(filename
, sizeof(filename
), "/proc/sys/%s", tmp
);
2550 if (ret
< 0 || (size_t)ret
>= sizeof(filename
))
2551 return log_error(-1, "Error setting up sysctl parameters path");
2553 ret
= lxc_write_to_file(filename
, elem
->value
,
2554 strlen(elem
->value
), false, 0666);
2556 return log_error_errno(-1, errno
, "Failed to setup sysctl parameters %s to %s",
2557 elem
->key
, elem
->value
);
2563 int setup_proc_filesystem(struct lxc_list
*procs
, pid_t pid
)
2565 __do_free
char *tmp
= NULL
;
2566 struct lxc_list
*it
;
2567 struct lxc_proc
*elem
;
2569 char filename
[PATH_MAX
] = {0};
2571 lxc_list_for_each (it
, procs
) {
2573 tmp
= lxc_string_replace(".", "/", elem
->filename
);
2575 return log_error(-1, "Failed to replace key %s", elem
->filename
);
2577 ret
= snprintf(filename
, sizeof(filename
), "/proc/%d/%s", pid
, tmp
);
2578 if (ret
< 0 || (size_t)ret
>= sizeof(filename
))
2579 return log_error(-1, "Error setting up proc filesystem path");
2581 ret
= lxc_write_to_file(filename
, elem
->value
,
2582 strlen(elem
->value
), false, 0666);
2584 return log_error_errno(-1, errno
, "Failed to setup proc filesystem %s to %s", elem
->filename
, elem
->value
);
2590 static char *default_rootfs_mount
= LXCROOTFSMOUNT
;
2592 struct lxc_conf
*lxc_conf_init(void)
2595 struct lxc_conf
*new;
2597 new = malloc(sizeof(*new));
2600 memset(new, 0, sizeof(*new));
2602 new->loglevel
= LXC_LOG_LEVEL_NOTSET
;
2603 new->personality
= -1;
2605 new->console
.buffer_size
= 0;
2606 new->console
.log_path
= NULL
;
2607 new->console
.log_fd
= -1;
2608 new->console
.log_size
= 0;
2609 new->console
.path
= NULL
;
2610 new->console
.peer
= -1;
2611 new->console
.proxy
.busy
= -1;
2612 new->console
.proxy
.ptx
= -1;
2613 new->console
.proxy
.pty
= -1;
2614 new->console
.ptx
= -1;
2615 new->console
.pty
= -1;
2616 new->console
.name
[0] = '\0';
2617 memset(&new->console
.ringbuf
, 0, sizeof(struct lxc_ringbuf
));
2618 new->maincmd_fd
= -1;
2619 new->monitor_signal_pdeath
= SIGKILL
;
2621 new->rootfs
.mount
= strdup(default_rootfs_mount
);
2622 if (!new->rootfs
.mount
) {
2626 new->rootfs
.managed
= true;
2627 new->rootfs
.mntpt_fd
= -EBADF
;
2628 new->rootfs
.dev_mntpt_fd
= -EBADF
;
2630 lxc_list_init(&new->cgroup
);
2631 lxc_list_init(&new->cgroup2
);
2632 lxc_list_init(&new->devices
);
2633 lxc_list_init(&new->network
);
2634 lxc_list_init(&new->mount_list
);
2635 lxc_list_init(&new->caps
);
2636 lxc_list_init(&new->keepcaps
);
2637 lxc_list_init(&new->id_map
);
2638 new->root_nsuid_map
= NULL
;
2639 new->root_nsgid_map
= NULL
;
2640 lxc_list_init(&new->includes
);
2641 lxc_list_init(&new->aliens
);
2642 lxc_list_init(&new->environment
);
2643 lxc_list_init(&new->limits
);
2644 lxc_list_init(&new->sysctls
);
2645 lxc_list_init(&new->procs
);
2646 new->hooks_version
= 0;
2647 for (i
= 0; i
< NUM_LXC_HOOKS
; i
++)
2648 lxc_list_init(&new->hooks
[i
]);
2649 lxc_list_init(&new->groups
);
2650 lxc_list_init(&new->state_clients
);
2651 new->lsm_aa_profile
= NULL
;
2652 lxc_list_init(&new->lsm_aa_raw
);
2653 new->lsm_se_context
= NULL
;
2654 new->lsm_se_keyring_context
= NULL
;
2655 new->keyring_disable_session
= false;
2656 new->tmp_umount_proc
= false;
2657 new->tmp_umount_proc
= 0;
2658 new->shmount
.path_host
= NULL
;
2659 new->shmount
.path_cont
= NULL
;
2661 /* if running in a new user namespace, init and COMMAND
2662 * default to running as UID/GID 0 when using lxc-execute */
2665 memset(&new->cgroup_meta
, 0, sizeof(struct lxc_cgroup
));
2666 memset(&new->ns_share
, 0, sizeof(char *) * LXC_NS_MAX
);
2667 memset(&new->timens
, 0, sizeof(struct timens_offsets
));
2668 seccomp_conf_init(new);
2673 int write_id_mapping(enum idtype idtype
, pid_t pid
, const char *buf
,
2676 __do_close
int fd
= -EBADF
;
2678 char path
[PATH_MAX
];
2680 if (geteuid() != 0 && idtype
== ID_TYPE_GID
) {
2681 __do_close
int setgroups_fd
= -EBADF
;
2683 ret
= snprintf(path
, PATH_MAX
, "/proc/%d/setgroups", pid
);
2684 if (ret
< 0 || ret
>= PATH_MAX
)
2687 setgroups_fd
= open(path
, O_WRONLY
);
2688 if (setgroups_fd
< 0 && errno
!= ENOENT
)
2689 return log_error_errno(-1, errno
, "Failed to open \"%s\"", path
);
2691 if (setgroups_fd
>= 0) {
2692 ret
= lxc_write_nointr(setgroups_fd
, "deny\n",
2693 STRLITERALLEN("deny\n"));
2694 if (ret
!= STRLITERALLEN("deny\n"))
2695 return log_error_errno(-1, errno
, "Failed to write \"deny\" to \"/proc/%d/setgroups\"", pid
);
2696 TRACE("Wrote \"deny\" to \"/proc/%d/setgroups\"", pid
);
2700 ret
= snprintf(path
, PATH_MAX
, "/proc/%d/%cid_map", pid
,
2701 idtype
== ID_TYPE_UID
? 'u' : 'g');
2702 if (ret
< 0 || ret
>= PATH_MAX
)
2705 fd
= open(path
, O_WRONLY
| O_CLOEXEC
);
2707 return log_error_errno(-1, errno
, "Failed to open \"%s\"", path
);
2709 ret
= lxc_write_nointr(fd
, buf
, buf_size
);
2710 if (ret
!= buf_size
)
2711 return log_error_errno(-1, errno
, "Failed to write %cid mapping to \"%s\"",
2712 idtype
== ID_TYPE_UID
? 'u' : 'g', path
);
2717 /* Check whether a binary exist and has either CAP_SETUID, CAP_SETGID or both.
2719 * @return 1 if functional binary was found
2720 * @return 0 if binary exists but is lacking privilege
2721 * @return -ENOENT if binary does not exist
2722 * @return -EINVAL if cap to check is neither CAP_SETUID nor CAP_SETGID
2724 static int idmaptool_on_path_and_privileged(const char *binary
, cap_value_t cap
)
2726 __do_free
char *path
= NULL
;
2731 if (cap
!= CAP_SETUID
&& cap
!= CAP_SETGID
)
2735 path
= on_path(binary
, NULL
);
2739 ret
= stat(path
, &st
);
2743 /* Check if the binary is setuid. */
2744 if (st
.st_mode
& S_ISUID
)
2745 return log_debug(1, "The binary \"%s\" does have the setuid bit set", path
);
2747 #if HAVE_LIBCAP && LIBCAP_SUPPORTS_FILE_CAPABILITIES
2748 /* Check if it has the CAP_SETUID capability. */
2749 if ((cap
& CAP_SETUID
) &&
2750 lxc_file_cap_is_set(path
, CAP_SETUID
, CAP_EFFECTIVE
) &&
2751 lxc_file_cap_is_set(path
, CAP_SETUID
, CAP_PERMITTED
))
2752 return log_debug(1, "The binary \"%s\" has CAP_SETUID in its CAP_EFFECTIVE and CAP_PERMITTED sets", path
);
2754 /* Check if it has the CAP_SETGID capability. */
2755 if ((cap
& CAP_SETGID
) &&
2756 lxc_file_cap_is_set(path
, CAP_SETGID
, CAP_EFFECTIVE
) &&
2757 lxc_file_cap_is_set(path
, CAP_SETGID
, CAP_PERMITTED
))
2758 return log_debug(1, "The binary \"%s\" has CAP_SETGID in its CAP_EFFECTIVE and CAP_PERMITTED sets", path
);
2760 /* If we cannot check for file capabilities we need to give the benefit
2761 * of the doubt. Otherwise we might fail even though all the necessary
2762 * file capabilities are set.
2764 DEBUG("Cannot check for file capabilities as full capability support is missing. Manual intervention needed");
2770 static int lxc_map_ids_exec_wrapper(void *args
)
2772 execl("/bin/sh", "sh", "-c", (char *)args
, (char *)NULL
);
2776 int lxc_map_ids(struct lxc_list
*idmap
, pid_t pid
)
2781 char cmd_output
[PATH_MAX
];
2783 struct lxc_list
*iterator
;
2785 int ret
= 0, gidmap
= 0, uidmap
= 0;
2786 char mapbuf
[STRLITERALLEN("new@idmap") + STRLITERALLEN(" ") +
2787 INTTYPE_TO_STRLEN(pid_t
) + STRLITERALLEN(" ") +
2788 LXC_IDMAPLEN
] = {0};
2789 bool had_entry
= false, use_shadow
= false;
2790 int hostuid
, hostgid
;
2792 hostuid
= geteuid();
2793 hostgid
= getegid();
2795 /* If new{g,u}idmap exists, that is, if shadow is handing out subuid
2796 * ranges, then insist that root also reserve ranges in subuid. This
2797 * will protected it by preventing another user from being handed the
2800 uidmap
= idmaptool_on_path_and_privileged("newuidmap", CAP_SETUID
);
2801 if (uidmap
== -ENOENT
)
2802 WARN("newuidmap binary is missing");
2804 WARN("newuidmap is lacking necessary privileges");
2806 gidmap
= idmaptool_on_path_and_privileged("newgidmap", CAP_SETGID
);
2807 if (gidmap
== -ENOENT
)
2808 WARN("newgidmap binary is missing");
2810 WARN("newgidmap is lacking necessary privileges");
2812 if (uidmap
> 0 && gidmap
> 0) {
2813 DEBUG("Functional newuidmap and newgidmap binary found");
2816 /* In case unprivileged users run application containers via
2817 * execute() or a start*() there are valid cases where they may
2818 * only want to map their own {g,u}id. Let's not block them from
2819 * doing so by requiring geteuid() == 0.
2821 DEBUG("No newuidmap and newgidmap binary found. Trying to "
2822 "write directly with euid %d", hostuid
);
2825 /* Check if we really need to use newuidmap and newgidmap.
2826 * If the user is only remapping his own {g,u}id, we don't need it.
2828 if (use_shadow
&& lxc_list_len(idmap
) == 2) {
2830 lxc_list_for_each(iterator
, idmap
) {
2831 map
= iterator
->elem
;
2832 if (map
->idtype
== ID_TYPE_UID
&& map
->range
== 1 &&
2833 map
->nsid
== hostuid
&& map
->hostid
== hostuid
)
2835 if (map
->idtype
== ID_TYPE_GID
&& map
->range
== 1 &&
2836 map
->nsid
== hostgid
&& map
->hostid
== hostgid
)
2843 for (type
= ID_TYPE_UID
, u_or_g
= 'u'; type
<= ID_TYPE_GID
;
2844 type
++, u_or_g
= 'g') {
2848 pos
+= sprintf(mapbuf
, "new%cidmap %d", u_or_g
, pid
);
2850 lxc_list_for_each(iterator
, idmap
) {
2851 map
= iterator
->elem
;
2852 if (map
->idtype
!= type
)
2857 left
= LXC_IDMAPLEN
- (pos
- mapbuf
);
2858 fill
= snprintf(pos
, left
, "%s%lu %lu %lu%s",
2859 use_shadow
? " " : "", map
->nsid
,
2860 map
->hostid
, map
->range
,
2861 use_shadow
? "" : "\n");
2863 * The kernel only takes <= 4k for writes to
2864 * /proc/<pid>/{g,u}id_map
2866 if (fill
<= 0 || fill
>= left
)
2867 return log_error_errno(-1, errno
, "Too many %cid mappings defined", u_or_g
);
2874 /* Try to catch the output of new{g,u}idmap to make debugging
2878 ret
= run_command(cmd_output
, sizeof(cmd_output
),
2879 lxc_map_ids_exec_wrapper
,
2882 return log_error(-1, "new%cidmap failed to write mapping \"%s\": %s", u_or_g
, cmd_output
, mapbuf
);
2883 TRACE("new%cidmap wrote mapping \"%s\"", u_or_g
, mapbuf
);
2885 ret
= write_id_mapping(type
, pid
, mapbuf
, pos
- mapbuf
);
2887 return log_error(-1, "Failed to write mapping: %s", mapbuf
);
2888 TRACE("Wrote mapping \"%s\"", mapbuf
);
2891 memset(mapbuf
, 0, sizeof(mapbuf
));
2898 * Return the host uid/gid to which the container root is mapped in val.
2899 * Return true if id was found, false otherwise.
2901 static id_t
get_mapped_rootid(const struct lxc_conf
*conf
, enum idtype idtype
)
2905 struct lxc_list
*it
;
2907 if (idtype
== ID_TYPE_UID
)
2908 nsid
= (conf
->root_nsuid_map
!= NULL
) ? 0 : conf
->init_uid
;
2910 nsid
= (conf
->root_nsgid_map
!= NULL
) ? 0 : conf
->init_gid
;
2912 lxc_list_for_each (it
, &conf
->id_map
) {
2914 if (map
->idtype
!= idtype
)
2916 if (map
->nsid
!= nsid
)
2921 if (idtype
== ID_TYPE_UID
)
2922 return LXC_INVALID_UID
;
2924 return LXC_INVALID_GID
;
2927 int mapped_hostid(unsigned id
, const struct lxc_conf
*conf
, enum idtype idtype
)
2930 struct lxc_list
*it
;
2932 lxc_list_for_each (it
, &conf
->id_map
) {
2934 if (map
->idtype
!= idtype
)
2937 if (id
>= map
->hostid
&& id
< map
->hostid
+ map
->range
)
2938 return (id
- map
->hostid
) + map
->nsid
;
2944 int find_unmapped_nsid(const struct lxc_conf
*conf
, enum idtype idtype
)
2947 struct lxc_list
*it
;
2948 unsigned int freeid
= 0;
2951 lxc_list_for_each (it
, &conf
->id_map
) {
2953 if (map
->idtype
!= idtype
)
2956 if (freeid
>= map
->nsid
&& freeid
< map
->nsid
+ map
->range
) {
2957 freeid
= map
->nsid
+ map
->range
;
2965 /* NOTE: Must not be called from inside the container namespace! */
2966 static int lxc_create_tmp_proc_mount(struct lxc_conf
*conf
)
2970 mounted
= lxc_mount_proc_if_needed(conf
->rootfs
.path
? conf
->rootfs
.mount
: "");
2971 if (mounted
== -1) {
2972 SYSERROR("Failed to mount proc in the container");
2973 /* continue only if there is no rootfs */
2974 if (conf
->rootfs
.path
)
2976 } else if (mounted
== 1) {
2977 conf
->tmp_umount_proc
= true;
2983 void tmp_proc_unmount(struct lxc_conf
*lxc_conf
)
2985 if (!lxc_conf
->tmp_umount_proc
)
2988 (void)umount2("/proc", MNT_DETACH
);
2989 lxc_conf
->tmp_umount_proc
= false;
2992 /* Walk /proc/mounts and change any shared entries to dependent mounts. */
2993 void turn_into_dependent_mounts(void)
2995 __do_free
char *line
= NULL
;
2996 __do_fclose
FILE *f
= NULL
;
2997 __do_close
int memfd
= -EBADF
, mntinfo_fd
= -EBADF
;
3002 mntinfo_fd
= open("/proc/self/mountinfo", O_RDONLY
| O_CLOEXEC
);
3003 if (mntinfo_fd
< 0) {
3004 SYSERROR("Failed to open \"/proc/self/mountinfo\"");
3008 memfd
= memfd_create(".lxc_mountinfo", MFD_CLOEXEC
);
3010 char template[] = P_tmpdir
"/.lxc_mountinfo_XXXXXX";
3012 if (errno
!= ENOSYS
) {
3013 SYSERROR("Failed to create temporary in-memory file");
3017 memfd
= lxc_make_tmpfile(template, true);
3019 WARN("Failed to create temporary file");
3024 copied
= fd_to_fd(mntinfo_fd
, memfd
);
3026 SYSERROR("Failed to copy \"/proc/self/mountinfo\"");
3030 ret
= lseek(memfd
, 0, SEEK_SET
);
3032 SYSERROR("Failed to reset file descriptor offset");
3036 f
= fdopen(memfd
, "re");
3038 SYSERROR("Failed to open copy of \"/proc/self/mountinfo\" to mark all shared. Continuing");
3043 * After a successful fdopen() memfd will be closed when calling
3044 * fclose(f). Calling close(memfd) afterwards is undefined.
3048 while (getline(&line
, &len
, f
) != -1) {
3049 char *opts
, *target
;
3051 target
= get_field(line
, 4);
3055 opts
= get_field(target
, 2);
3059 null_endofword(opts
);
3060 if (!strstr(opts
, "shared"))
3063 null_endofword(target
);
3064 ret
= mount(NULL
, target
, NULL
, MS_SLAVE
, NULL
);
3066 SYSERROR("Failed to recursively turn old root mount tree into dependent mount. Continuing...");
3069 TRACE("Recursively turned old root mount tree into dependent mount");
3071 TRACE("Turned all mount table entries into dependent mount");
3074 static int lxc_execute_bind_init(struct lxc_handler
*handler
)
3078 char path
[PATH_MAX
], destpath
[PATH_MAX
];
3079 struct lxc_conf
*conf
= handler
->conf
;
3081 /* If init exists in the container, don't bind mount a static one */
3082 p
= choose_init(conf
->rootfs
.mount
);
3084 __do_free
char *old
= p
;
3086 p
= strdup(old
+ strlen(conf
->rootfs
.mount
));
3090 INFO("Found existing init at \"%s\"", p
);
3094 ret
= snprintf(path
, PATH_MAX
, SBINDIR
"/init.lxc.static");
3095 if (ret
< 0 || ret
>= PATH_MAX
)
3098 if (!file_exists(path
))
3099 return log_error_errno(-1, errno
, "The file \"%s\" does not exist on host", path
);
3101 ret
= snprintf(destpath
, PATH_MAX
, "%s" P_tmpdir
"%s", conf
->rootfs
.mount
, "/.lxc-init");
3102 if (ret
< 0 || ret
>= PATH_MAX
)
3105 if (!file_exists(destpath
)) {
3106 ret
= mknod(destpath
, S_IFREG
| 0000, 0);
3107 if (ret
< 0 && errno
!= EEXIST
)
3108 return log_error_errno(-1, errno
, "Failed to create dummy \"%s\" file as bind mount target", destpath
);
3111 ret
= safe_mount(path
, destpath
, "none", MS_BIND
, NULL
, conf
->rootfs
.mount
);
3113 return log_error_errno(-1, errno
, "Failed to bind mount lxc.init.static into container");
3115 p
= strdup(destpath
+ strlen(conf
->rootfs
.mount
));
3119 INFO("Bind mounted lxc.init.static into container at \"%s\"", path
);
3121 ((struct execute_args
*)handler
->data
)->init_fd
= -1;
3122 ((struct execute_args
*)handler
->data
)->init_path
= p
;
3126 /* This does the work of remounting / if it is shared, calling the container
3127 * pre-mount hooks, and mounting the rootfs.
3129 int lxc_setup_rootfs_prepare_root(struct lxc_conf
*conf
, const char *name
,
3130 const char *lxcpath
)
3134 if (conf
->rootfs_setup
) {
3135 const char *path
= conf
->rootfs
.mount
;
3137 /* The rootfs was set up in another namespace. bind-mount it to
3138 * give us a mount in our own ns so we can pivot_root to it
3140 ret
= mount(path
, path
, "rootfs", MS_BIND
, NULL
);
3142 return log_error(-1, "Failed to bind mount container / onto itself");
3144 conf
->rootfs
.mntpt_fd
= openat(-EBADF
, path
, O_RDONLY
| O_CLOEXEC
| O_DIRECTORY
| O_PATH
| O_NOCTTY
);
3145 if (conf
->rootfs
.mntpt_fd
< 0)
3146 return log_error_errno(-errno
, errno
, "Failed to open file descriptor for container rootfs");
3148 return log_trace(0, "Bind mounted container / onto itself");
3151 turn_into_dependent_mounts();
3153 ret
= run_lxc_hooks(name
, "pre-mount", conf
, NULL
);
3155 return log_error(-1, "Failed to run pre-mount hooks");
3157 ret
= lxc_mount_rootfs(conf
);
3159 return log_error(-1, "Failed to setup rootfs for");
3161 conf
->rootfs_setup
= true;
3165 static bool verify_start_hooks(struct lxc_conf
*conf
)
3167 char path
[PATH_MAX
];
3168 struct lxc_list
*it
;
3170 lxc_list_for_each (it
, &conf
->hooks
[LXCHOOK_START
]) {
3172 char *hookname
= it
->elem
;
3174 ret
= snprintf(path
, PATH_MAX
, "%s%s",
3175 conf
->rootfs
.path
? conf
->rootfs
.mount
: "",
3177 if (ret
< 0 || ret
>= PATH_MAX
)
3180 ret
= access(path
, X_OK
);
3182 return log_error_errno(false, errno
, "Start hook \"%s\" not found in container", hookname
);
3190 static bool execveat_supported(void)
3192 execveat(-1, "", NULL
, NULL
, AT_EMPTY_PATH
);
3193 if (errno
== ENOSYS
)
3199 static int lxc_setup_boot_id(void)
3202 const char *boot_id_path
= "/proc/sys/kernel/random/boot_id";
3203 const char *mock_boot_id_path
= "/dev/.lxc-boot-id";
3206 if (access(boot_id_path
, F_OK
))
3209 memset(&n
, 0, sizeof(n
));
3210 if (lxc_id128_randomize(&n
)) {
3211 SYSERROR("Failed to generate random data for uuid");
3215 ret
= lxc_id128_write(mock_boot_id_path
, n
);
3217 SYSERROR("Failed to write uuid to %s", mock_boot_id_path
);
3221 ret
= chmod(mock_boot_id_path
, 0444);
3223 SYSERROR("Failed to chown %s", mock_boot_id_path
);
3224 (void)unlink(mock_boot_id_path
);
3228 ret
= mount(mock_boot_id_path
, boot_id_path
, NULL
, MS_BIND
, NULL
);
3230 SYSERROR("Failed to mount %s to %s", mock_boot_id_path
,
3232 (void)unlink(mock_boot_id_path
);
3236 ret
= mount(NULL
, boot_id_path
, NULL
,
3237 (MS_BIND
| MS_REMOUNT
| MS_RDONLY
| MS_NOSUID
| MS_NOEXEC
|
3241 SYSERROR("Failed to remount %s read-only", boot_id_path
);
3242 (void)unlink(mock_boot_id_path
);
3249 static int lxc_setup_keyring(struct lsm_ops
*lsm_ops
, const struct lxc_conf
*conf
)
3251 key_serial_t keyring
;
3254 if (conf
->lsm_se_keyring_context
)
3255 ret
= lsm_ops
->keyring_label_set(lsm_ops
, conf
->lsm_se_keyring_context
);
3256 else if (conf
->lsm_se_context
)
3257 ret
= lsm_ops
->keyring_label_set(lsm_ops
, conf
->lsm_se_context
);
3259 return log_error_errno(-1, errno
, "Failed to set keyring context");
3262 * Try to allocate a new session keyring for the container to prevent
3263 * information leaks.
3265 keyring
= keyctl(KEYCTL_JOIN_SESSION_KEYRING
, prctl_arg(0),
3266 prctl_arg(0), prctl_arg(0), prctl_arg(0));
3270 DEBUG("The keyctl() syscall is not supported or blocked");
3275 DEBUG("Failed to access kernel keyring. Continuing...");
3278 SYSERROR("Failed to create kernel keyring");
3286 int lxc_setup(struct lxc_handler
*handler
)
3288 __do_close
int pty_mnt_fd
= -EBADF
;
3290 const char *lxcpath
= handler
->lxcpath
, *name
= handler
->name
;
3291 struct lxc_conf
*lxc_conf
= handler
->conf
;
3293 ret
= lxc_setup_rootfs_prepare_root(lxc_conf
, name
, lxcpath
);
3295 return log_error(-1, "Failed to setup rootfs");
3297 if (handler
->nsfd
[LXC_NS_UTS
] == -EBADF
) {
3298 ret
= setup_utsname(lxc_conf
->utsname
);
3300 return log_error(-1, "Failed to setup the utsname %s", name
);
3303 if (!lxc_conf
->keyring_disable_session
) {
3304 ret
= lxc_setup_keyring(handler
->lsm_ops
, lxc_conf
);
3306 return log_error(-1, "Failed to setup container keyring");
3309 if (handler
->ns_clone_flags
& CLONE_NEWNET
) {
3310 ret
= lxc_setup_network_in_child_namespaces(lxc_conf
,
3311 &lxc_conf
->network
);
3313 return log_error(-1, "Failed to setup network");
3315 ret
= lxc_network_send_name_and_ifindex_to_parent(handler
);
3317 return log_error(-1, "Failed to send network device names and ifindices to parent");
3320 if (wants_console(&lxc_conf
->console
)) {
3321 pty_mnt_fd
= open_tree(-EBADF
, lxc_conf
->console
.name
,
3322 OPEN_TREE_CLONE
| OPEN_TREE_CLOEXEC
| AT_EMPTY_PATH
);
3324 SYSTRACE("Failed to create detached mount for container's console \"%s\"",
3325 lxc_conf
->console
.name
);
3327 TRACE("Created detached mount for container's console \"%s\"",
3328 lxc_conf
->console
.name
);
3331 if (lxc_conf
->autodev
> 0) {
3332 ret
= mount_autodev(name
, &lxc_conf
->rootfs
, lxc_conf
->autodevtmpfssize
, lxcpath
);
3334 return log_error(-1, "Failed to mount \"/dev\"");
3337 lxc_conf
->rootfs
.dev_mntpt_fd
= openat(lxc_conf
->rootfs
.mntpt_fd
, "dev",
3338 O_RDONLY
| O_CLOEXEC
| O_DIRECTORY
| O_NOFOLLOW
);
3339 if (lxc_conf
->rootfs
.dev_mntpt_fd
< 0 && errno
!= ENOENT
)
3340 return log_error_errno(-errno
, errno
, "Failed to open \"/dev\"");
3342 /* Do automatic mounts (mainly /proc and /sys), but exclude those that
3343 * need to wait until other stuff has finished.
3345 ret
= lxc_mount_auto_mounts(lxc_conf
, lxc_conf
->auto_mounts
& ~LXC_AUTO_CGROUP_MASK
, handler
);
3347 return log_error(-1, "Failed to setup first automatic mounts");
3349 ret
= setup_mount(lxc_conf
, &lxc_conf
->rootfs
, lxc_conf
->fstab
, name
, lxcpath
);
3351 return log_error(-1, "Failed to setup mounts");
3353 if (!lxc_list_empty(&lxc_conf
->mount_list
)) {
3354 ret
= setup_mount_entries(lxc_conf
, &lxc_conf
->rootfs
,
3355 &lxc_conf
->mount_list
, name
, lxcpath
);
3357 return log_error(-1, "Failed to setup mount entries");
3360 if (lxc_conf
->is_execute
) {
3361 if (execveat_supported()) {
3363 char path
[STRLITERALLEN(SBINDIR
) + STRLITERALLEN("/init.lxc.static") + 1];
3365 ret
= snprintf(path
, sizeof(path
), SBINDIR
"/init.lxc.static");
3366 if (ret
< 0 || ret
>= PATH_MAX
)
3367 return log_error(-1, "Path to init.lxc.static too long");
3369 fd
= open(path
, O_NOCTTY
| O_NOFOLLOW
| O_CLOEXEC
| O_PATH
);
3371 return log_error_errno(-1, errno
, "Unable to open lxc.init.static");
3373 ((struct execute_args
*)handler
->data
)->init_fd
= fd
;
3374 ((struct execute_args
*)handler
->data
)->init_path
= NULL
;
3376 ret
= lxc_execute_bind_init(handler
);
3378 return log_error(-1, "Failed to bind-mount the lxc init system");
3382 /* Now mount only cgroups, if wanted. Before, /sys could not have been
3383 * mounted. It is guaranteed to be mounted now either through
3384 * automatically or via fstab entries.
3386 ret
= lxc_mount_auto_mounts(lxc_conf
, lxc_conf
->auto_mounts
& LXC_AUTO_CGROUP_MASK
, handler
);
3388 return log_error(-1, "Failed to setup remaining automatic mounts");
3390 ret
= run_lxc_hooks(name
, "mount", lxc_conf
, NULL
);
3392 return log_error(-1, "Failed to run mount hooks");
3394 if (lxc_conf
->autodev
> 0) {
3395 ret
= run_lxc_hooks(name
, "autodev", lxc_conf
, NULL
);
3397 return log_error(-1, "Failed to run autodev hooks");
3399 ret
= lxc_fill_autodev(&lxc_conf
->rootfs
);
3401 return log_error(-1, "Failed to populate \"/dev\"");
3404 /* Make sure any start hooks are in the container */
3405 if (!verify_start_hooks(lxc_conf
))
3406 return log_error(-1, "Failed to verify start hooks");
3408 ret
= lxc_create_tmp_proc_mount(lxc_conf
);
3410 return log_error(-1, "Failed to \"/proc\" LSMs");
3412 ret
= lxc_setup_console(&lxc_conf
->rootfs
, &lxc_conf
->console
,
3413 lxc_conf
->ttys
.dir
, pty_mnt_fd
);
3415 return log_error(-1, "Failed to setup console");
3417 ret
= lxc_setup_dev_symlinks(&lxc_conf
->rootfs
);
3419 return log_error(-1, "Failed to setup \"/dev\" symlinks");
3421 ret
= lxc_setup_rootfs_switch_root(&lxc_conf
->rootfs
);
3423 return log_error(-1, "Failed to pivot root into rootfs");
3425 /* Setting the boot-id is best-effort for now. */
3426 if (lxc_conf
->autodev
> 0)
3427 (void)lxc_setup_boot_id();
3429 ret
= lxc_setup_devpts_child(handler
);
3431 return log_error(-1, "Failed to setup new devpts instance");
3433 ret
= lxc_create_ttys(handler
);
3437 ret
= setup_personality(lxc_conf
->personality
);
3439 return log_error(-1, "Failed to set personality");
3441 /* Set sysctl value to a path under /proc/sys as determined from the
3442 * key. For e.g. net.ipv4.ip_forward translated to
3443 * /proc/sys/net/ipv4/ip_forward.
3445 if (!lxc_list_empty(&lxc_conf
->sysctls
)) {
3446 ret
= setup_sysctl_parameters(&lxc_conf
->sysctls
);
3448 return log_error(-1, "Failed to setup sysctl parameters");
3451 if (!lxc_list_empty(&lxc_conf
->keepcaps
)) {
3452 if (!lxc_list_empty(&lxc_conf
->caps
))
3453 return log_error(-1, "Container requests lxc.cap.drop and lxc.cap.keep: either use lxc.cap.drop or lxc.cap.keep, not both");
3455 if (dropcaps_except(&lxc_conf
->keepcaps
))
3456 return log_error(-1, "Failed to keep capabilities");
3457 } else if (setup_caps(&lxc_conf
->caps
)) {
3458 return log_error(-1, "Failed to drop capabilities");
3461 close_prot_errno_disarm(lxc_conf
->rootfs
.mntpt_fd
)
3462 close_prot_errno_disarm(lxc_conf
->rootfs
.dev_mntpt_fd
)
3463 NOTICE("The container \"%s\" is set up", name
);
3468 int run_lxc_hooks(const char *name
, char *hookname
, struct lxc_conf
*conf
,
3471 struct lxc_list
*it
;
3474 for (which
= 0; which
< NUM_LXC_HOOKS
; which
++) {
3475 if (strcmp(hookname
, lxchook_names
[which
]) == 0)
3479 if (which
>= NUM_LXC_HOOKS
)
3482 lxc_list_for_each (it
, &conf
->hooks
[which
]) {
3484 char *hook
= it
->elem
;
3486 ret
= run_script_argv(name
, conf
->hooks_version
, "lxc", hook
,
3495 int lxc_clear_config_caps(struct lxc_conf
*c
)
3497 struct lxc_list
*it
, *next
;
3499 lxc_list_for_each_safe (it
, &c
->caps
, next
) {
3508 static int lxc_free_idmap(struct lxc_list
*id_map
)
3510 struct lxc_list
*it
, *next
;
3512 lxc_list_for_each_safe(it
, id_map
, next
) {
3521 static int __lxc_free_idmap(struct lxc_list
*id_map
)
3523 lxc_free_idmap(id_map
);
3527 define_cleanup_function(struct lxc_list
*, __lxc_free_idmap
);
3529 int lxc_clear_idmaps(struct lxc_conf
*c
)
3531 return lxc_free_idmap(&c
->id_map
);
3534 int lxc_clear_config_keepcaps(struct lxc_conf
*c
)
3536 struct lxc_list
*it
, *next
;
3538 lxc_list_for_each_safe (it
, &c
->keepcaps
, next
) {
3547 int lxc_clear_namespace(struct lxc_conf
*c
)
3550 for (i
= 0; i
< LXC_NS_MAX
; i
++) {
3551 free(c
->ns_share
[i
]);
3552 c
->ns_share
[i
] = NULL
;
3557 int lxc_clear_cgroups(struct lxc_conf
*c
, const char *key
, int version
)
3559 char *global_token
, *namespaced_token
;
3560 size_t namespaced_token_len
;
3561 struct lxc_list
*it
, *next
, *list
;
3562 const char *k
= key
;
3565 if (version
== CGROUP2_SUPER_MAGIC
) {
3566 global_token
= "lxc.cgroup2";
3567 namespaced_token
= "lxc.cgroup2.";
3568 namespaced_token_len
= STRLITERALLEN("lxc.cgroup2.");
3570 } else if (version
== CGROUP_SUPER_MAGIC
) {
3571 global_token
= "lxc.cgroup";
3572 namespaced_token
= "lxc.cgroup.";
3573 namespaced_token_len
= STRLITERALLEN("lxc.cgroup.");
3579 if (strcmp(key
, global_token
) == 0)
3581 else if (strncmp(key
, namespaced_token
, namespaced_token_len
) == 0)
3582 k
+= namespaced_token_len
;
3586 lxc_list_for_each_safe (it
, list
, next
) {
3587 struct lxc_cgroup
*cg
= it
->elem
;
3589 if (!all
&& strcmp(cg
->subsystem
, k
) != 0)
3593 free(cg
->subsystem
);
3602 static void lxc_clear_devices(struct lxc_conf
*conf
)
3604 struct lxc_list
*list
= &conf
->devices
;
3605 struct lxc_list
*it
, *next
;
3607 lxc_list_for_each_safe(it
, list
, next
) {
3613 int lxc_clear_limits(struct lxc_conf
*c
, const char *key
)
3615 struct lxc_list
*it
, *next
;
3616 const char *k
= NULL
;
3619 if (strcmp(key
, "lxc.limit") == 0 || strcmp(key
, "lxc.prlimit") == 0)
3621 else if (strncmp(key
, "lxc.limit.", STRLITERALLEN("lxc.limit.")) == 0)
3622 k
= key
+ STRLITERALLEN("lxc.limit.");
3623 else if (strncmp(key
, "lxc.prlimit.", STRLITERALLEN("lxc.prlimit.")) == 0)
3624 k
= key
+ STRLITERALLEN("lxc.prlimit.");
3628 lxc_list_for_each_safe (it
, &c
->limits
, next
) {
3629 struct lxc_limit
*lim
= it
->elem
;
3631 if (!all
&& strcmp(lim
->resource
, k
) != 0)
3635 free(lim
->resource
);
3643 int lxc_clear_sysctls(struct lxc_conf
*c
, const char *key
)
3645 struct lxc_list
*it
, *next
;
3646 const char *k
= NULL
;
3649 if (strcmp(key
, "lxc.sysctl") == 0)
3651 else if (strncmp(key
, "lxc.sysctl.", STRLITERALLEN("lxc.sysctl.")) == 0)
3652 k
= key
+ STRLITERALLEN("lxc.sysctl.");
3656 lxc_list_for_each_safe (it
, &c
->sysctls
, next
) {
3657 struct lxc_sysctl
*elem
= it
->elem
;
3659 if (!all
&& strcmp(elem
->key
, k
) != 0)
3672 int lxc_clear_procs(struct lxc_conf
*c
, const char *key
)
3674 struct lxc_list
*it
, *next
;
3675 const char *k
= NULL
;
3678 if (strcmp(key
, "lxc.proc") == 0)
3680 else if (strncmp(key
, "lxc.proc.", STRLITERALLEN("lxc.proc.")) == 0)
3681 k
= key
+ STRLITERALLEN("lxc.proc.");
3685 lxc_list_for_each_safe (it
, &c
->procs
, next
) {
3686 struct lxc_proc
*proc
= it
->elem
;
3688 if (!all
&& strcmp(proc
->filename
, k
) != 0)
3692 free(proc
->filename
);
3701 int lxc_clear_groups(struct lxc_conf
*c
)
3703 struct lxc_list
*it
, *next
;
3705 lxc_list_for_each_safe (it
, &c
->groups
, next
) {
3714 int lxc_clear_environment(struct lxc_conf
*c
)
3716 struct lxc_list
*it
, *next
;
3718 lxc_list_for_each_safe (it
, &c
->environment
, next
) {
3727 int lxc_clear_mount_entries(struct lxc_conf
*c
)
3729 struct lxc_list
*it
, *next
;
3731 lxc_list_for_each_safe (it
, &c
->mount_list
, next
) {
3740 int lxc_clear_automounts(struct lxc_conf
*c
)
3746 int lxc_clear_hooks(struct lxc_conf
*c
, const char *key
)
3749 struct lxc_list
*it
, *next
;
3750 const char *k
= NULL
;
3751 bool all
= false, done
= false;
3753 if (strcmp(key
, "lxc.hook") == 0)
3755 else if (strncmp(key
, "lxc.hook.", STRLITERALLEN("lxc.hook.")) == 0)
3756 k
= key
+ STRLITERALLEN("lxc.hook.");
3760 for (i
= 0; i
< NUM_LXC_HOOKS
; i
++) {
3761 if (all
|| strcmp(k
, lxchook_names
[i
]) == 0) {
3762 lxc_list_for_each_safe (it
, &c
->hooks
[i
], next
) {
3773 return log_error(-1, "Invalid hook key: %s", key
);
3778 static inline void lxc_clear_aliens(struct lxc_conf
*conf
)
3780 struct lxc_list
*it
, *next
;
3782 lxc_list_for_each_safe (it
, &conf
->aliens
, next
) {
3789 void lxc_clear_includes(struct lxc_conf
*conf
)
3791 struct lxc_list
*it
, *next
;
3793 lxc_list_for_each_safe (it
, &conf
->includes
, next
) {
3800 int lxc_clear_apparmor_raw(struct lxc_conf
*c
)
3802 struct lxc_list
*it
, *next
;
3804 lxc_list_for_each_safe (it
, &c
->lsm_aa_raw
, next
) {
3813 void lxc_conf_free(struct lxc_conf
*conf
)
3818 if (current_config
== conf
)
3819 current_config
= NULL
;
3820 lxc_terminal_conf_free(&conf
->console
);
3821 free(conf
->rootfs
.mount
);
3822 free(conf
->rootfs
.bdev_type
);
3823 free(conf
->rootfs
.options
);
3824 free(conf
->rootfs
.path
);
3825 free(conf
->rootfs
.data
);
3826 close_prot_errno_disarm(conf
->rootfs
.mntpt_fd
);
3827 close_prot_errno_disarm(conf
->rootfs
.dev_mntpt_fd
);
3828 free(conf
->logfile
);
3829 if (conf
->logfd
!= -1)
3831 free(conf
->utsname
);
3832 free(conf
->ttys
.dir
);
3833 free(conf
->ttys
.tty_names
);
3836 free(conf
->execute_cmd
);
3837 free(conf
->init_cmd
);
3838 free(conf
->init_cwd
);
3839 free(conf
->unexpanded_config
);
3841 lxc_free_networks(&conf
->network
);
3842 free(conf
->lsm_aa_profile
);
3843 free(conf
->lsm_aa_profile_computed
);
3844 free(conf
->lsm_se_context
);
3845 lxc_seccomp_free(&conf
->seccomp
);
3846 lxc_clear_config_caps(conf
);
3847 lxc_clear_config_keepcaps(conf
);
3848 lxc_clear_cgroups(conf
, "lxc.cgroup", CGROUP_SUPER_MAGIC
);
3849 lxc_clear_cgroups(conf
, "lxc.cgroup2", CGROUP2_SUPER_MAGIC
);
3850 lxc_clear_devices(conf
);
3851 lxc_clear_hooks(conf
, "lxc.hook");
3852 lxc_clear_mount_entries(conf
);
3853 lxc_clear_idmaps(conf
);
3854 lxc_clear_groups(conf
);
3855 lxc_clear_includes(conf
);
3856 lxc_clear_aliens(conf
);
3857 lxc_clear_environment(conf
);
3858 lxc_clear_limits(conf
, "lxc.prlimit");
3859 lxc_clear_sysctls(conf
, "lxc.sysctl");
3860 lxc_clear_procs(conf
, "lxc.proc");
3861 lxc_clear_apparmor_raw(conf
);
3862 lxc_clear_namespace(conf
);
3863 free(conf
->cgroup_meta
.dir
);
3864 free(conf
->cgroup_meta
.monitor_dir
);
3865 free(conf
->cgroup_meta
.monitor_pivot_dir
);
3866 free(conf
->cgroup_meta
.container_dir
);
3867 free(conf
->cgroup_meta
.namespace_dir
);
3868 free(conf
->cgroup_meta
.controllers
);
3869 free(conf
->shmount
.path_host
);
3870 free(conf
->shmount
.path_cont
);
3874 struct userns_fn_data
{
3876 const char *fn_name
;
3881 static int run_userns_fn(void *data
)
3883 struct userns_fn_data
*d
= data
;
3887 close_prot_errno_disarm(d
->p
[1]);
3890 * Wait for parent to finish establishing a new mapping in the user
3891 * namespace we are executing in.
3893 ret
= lxc_read_nointr(d
->p
[0], &c
, 1);
3894 close_prot_errno_disarm(d
->p
[0]);
3899 TRACE("Calling function \"%s\"", d
->fn_name
);
3901 /* Call function to run. */
3902 return d
->fn(d
->arg
);
3905 static struct id_map
*mapped_nsid_add(const struct lxc_conf
*conf
, unsigned id
,
3908 const struct id_map
*map
;
3909 struct id_map
*retmap
;
3911 map
= find_mapped_nsid_entry(conf
, id
, idtype
);
3915 retmap
= malloc(sizeof(*retmap
));
3919 memcpy(retmap
, map
, sizeof(*retmap
));
3923 static struct id_map
*find_mapped_hostid_entry(const struct lxc_conf
*conf
,
3924 unsigned id
, enum idtype idtype
)
3927 struct lxc_list
*it
;
3928 struct id_map
*retmap
= NULL
;
3930 lxc_list_for_each (it
, &conf
->id_map
) {
3932 if (map
->idtype
!= idtype
)
3935 if (id
>= map
->hostid
&& id
< map
->hostid
+ map
->range
) {
3944 /* Allocate a new {g,u}id mapping for the given {g,u}id. Re-use an already
3945 * existing one or establish a new one.
3947 static struct id_map
*mapped_hostid_add(const struct lxc_conf
*conf
, uid_t id
,
3950 __do_free
struct id_map
*entry
= NULL
;
3952 struct id_map
*tmp
= NULL
;
3954 entry
= malloc(sizeof(*entry
));
3958 /* Reuse existing mapping. */
3959 tmp
= find_mapped_hostid_entry(conf
, id
, type
);
3961 memcpy(entry
, tmp
, sizeof(*entry
));
3963 /* Find new mapping. */
3964 hostid_mapped
= find_unmapped_nsid(conf
, type
);
3965 if (hostid_mapped
< 0)
3966 return log_debug(NULL
, "Failed to find free mapping for id %d", id
);
3968 entry
->idtype
= type
;
3969 entry
->nsid
= hostid_mapped
;
3970 entry
->hostid
= (unsigned long)id
;
3974 return move_ptr(entry
);
3977 static struct lxc_list
*get_minimal_idmap(const struct lxc_conf
*conf
,
3978 uid_t
*resuid
, gid_t
*resgid
)
3980 __do_free
struct id_map
*container_root_uid
= NULL
,
3981 *container_root_gid
= NULL
,
3982 *host_uid_map
= NULL
, *host_gid_map
= NULL
;
3983 __do_free
struct lxc_list
*idmap
= NULL
;
3985 uid_t nsuid
= (conf
->root_nsuid_map
!= NULL
) ? 0 : conf
->init_uid
;
3986 gid_t nsgid
= (conf
->root_nsgid_map
!= NULL
) ? 0 : conf
->init_gid
;
3987 struct lxc_list
*tmplist
= NULL
;
3989 /* Find container root mappings. */
3990 container_root_uid
= mapped_nsid_add(conf
, nsuid
, ID_TYPE_UID
);
3991 if (!container_root_uid
)
3992 return log_debug(NULL
, "Failed to find mapping for namespace uid %d", 0);
3994 if (euid
>= container_root_uid
->hostid
&&
3995 euid
< (container_root_uid
->hostid
+ container_root_uid
->range
))
3996 host_uid_map
= move_ptr(container_root_uid
);
3998 container_root_gid
= mapped_nsid_add(conf
, nsgid
, ID_TYPE_GID
);
3999 if (!container_root_gid
)
4000 return log_debug(NULL
, "Failed to find mapping for namespace gid %d", 0);
4002 if (egid
>= container_root_gid
->hostid
&&
4003 egid
< (container_root_gid
->hostid
+ container_root_gid
->range
))
4004 host_gid_map
= move_ptr(container_root_gid
);
4006 /* Check whether the {g,u}id of the user has a mapping. */
4008 host_uid_map
= mapped_hostid_add(conf
, euid
, ID_TYPE_UID
);
4010 return log_debug(NULL
, "Failed to find mapping for uid %d", euid
);
4013 host_gid_map
= mapped_hostid_add(conf
, egid
, ID_TYPE_GID
);
4015 return log_debug(NULL
, "Failed to find mapping for gid %d", egid
);
4017 /* Allocate new {g,u}id map list. */
4018 idmap
= malloc(sizeof(*idmap
));
4021 lxc_list_init(idmap
);
4023 /* Add container root to the map. */
4024 tmplist
= malloc(sizeof(*tmplist
));
4027 /* idmap will now keep track of that memory. */
4028 lxc_list_add_elem(tmplist
, move_ptr(host_uid_map
));
4029 lxc_list_add_tail(idmap
, tmplist
);
4031 if (container_root_uid
) {
4032 /* Add container root to the map. */
4033 tmplist
= malloc(sizeof(*tmplist
));
4036 /* idmap will now keep track of that memory. */
4037 lxc_list_add_elem(tmplist
, move_ptr(container_root_uid
));
4038 lxc_list_add_tail(idmap
, tmplist
);
4041 tmplist
= malloc(sizeof(*tmplist
));
4044 /* idmap will now keep track of that memory. */
4045 lxc_list_add_elem(tmplist
, move_ptr(host_gid_map
));
4046 lxc_list_add_tail(idmap
, tmplist
);
4048 if (container_root_gid
) {
4049 tmplist
= malloc(sizeof(*tmplist
));
4052 /* idmap will now keep track of that memory. */
4053 lxc_list_add_elem(tmplist
, move_ptr(container_root_gid
));
4054 lxc_list_add_tail(idmap
, tmplist
);
4057 TRACE("Allocated minimal idmapping for ns uid %d and ns gid %d", nsuid
, nsgid
);
4063 return move_ptr(idmap
);
4067 * Run a function in a new user namespace.
4068 * The caller's euid/egid will be mapped if it is not already.
4069 * Afaict, userns_exec_1() is only used to operate based on privileges for the
4070 * user's own {g,u}id on the host and for the container root's unmapped {g,u}id.
4071 * This means we require only to establish a mapping from:
4072 * - the container root {g,u}id as seen from the host > user's host {g,u}id
4073 * - the container root -> some sub{g,u}id
4074 * The former we add, if the user did not specify a mapping. The latter we
4075 * retrieve from the container's configured {g,u}id mappings as it must have been
4076 * there to start the container in the first place.
4078 int userns_exec_1(const struct lxc_conf
*conf
, int (*fn
)(void *), void *data
,
4079 const char *fn_name
)
4081 call_cleaner(__lxc_free_idmap
) struct lxc_list
*idmap
= NULL
;
4082 int ret
= -1, status
= -1;
4084 struct userns_fn_data d
= {
4095 idmap
= get_minimal_idmap(conf
, NULL
, NULL
);
4097 return ret_errno(ENOENT
);
4099 ret
= pipe2(pipe_fds
, O_CLOEXEC
);
4103 d
.p
[0] = pipe_fds
[0];
4104 d
.p
[1] = pipe_fds
[1];
4106 /* Clone child in new user namespace. */
4107 pid
= lxc_raw_clone_cb(run_userns_fn
, &d
, CLONE_NEWUSER
, NULL
);
4109 ERROR("Failed to clone process in new user namespace");
4113 close_prot_errno_disarm(pipe_fds
[0]);
4115 if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE
||
4116 conf
->loglevel
== LXC_LOG_LEVEL_TRACE
) {
4118 struct lxc_list
*it
;
4120 lxc_list_for_each(it
, idmap
) {
4122 TRACE("Establishing %cid mapping for \"%d\" in new user namespace: nsuid %lu - hostid %lu - range %lu",
4123 (map
->idtype
== ID_TYPE_UID
) ? 'u' : 'g', pid
, map
->nsid
, map
->hostid
, map
->range
);
4127 /* Set up {g,u}id mapping for user namespace of child process. */
4128 ret
= lxc_map_ids(idmap
, pid
);
4130 ERROR("Error setting up {g,u}id mappings for child process \"%d\"", pid
);
4134 /* Tell child to proceed. */
4135 if (lxc_write_nointr(pipe_fds
[1], &c
, 1) != 1) {
4136 SYSERROR("Failed telling child process \"%d\" to proceed", pid
);
4141 close_prot_errno_disarm(pipe_fds
[0]);
4142 close_prot_errno_disarm(pipe_fds
[1]);
4144 /* Wait for child to finish. */
4146 status
= wait_for_pid(pid
);
4154 int userns_exec_minimal(const struct lxc_conf
*conf
,
4155 int (*fn_parent
)(void *), void *fn_parent_data
,
4156 int (*fn_child
)(void *), void *fn_child_data
)
4158 call_cleaner(__lxc_free_idmap
) struct lxc_list
*idmap
= NULL
;
4159 uid_t resuid
= LXC_INVALID_UID
;
4160 gid_t resgid
= LXC_INVALID_GID
;
4166 if (!conf
|| !fn_child
)
4167 return ret_errno(EINVAL
);
4169 idmap
= get_minimal_idmap(conf
, &resuid
, &resgid
);
4171 return ret_errno(ENOENT
);
4173 ret
= socketpair(PF_LOCAL
, SOCK_STREAM
| SOCK_CLOEXEC
, 0, sock_fds
);
4179 SYSERROR("Failed to create new process");
4184 close_prot_errno_disarm(sock_fds
[1]);
4186 ret
= unshare(CLONE_NEWUSER
);
4188 SYSERROR("Failed to unshare new user namespace");
4189 _exit(EXIT_FAILURE
);
4192 ret
= lxc_write_nointr(sock_fds
[0], &c
, 1);
4194 _exit(EXIT_FAILURE
);
4196 ret
= lxc_read_nointr(sock_fds
[0], &c
, 1);
4198 _exit(EXIT_FAILURE
);
4200 close_prot_errno_disarm(sock_fds
[0]);
4202 if (!lxc_setgroups(0, NULL
) && errno
!= EPERM
)
4203 _exit(EXIT_FAILURE
);
4205 ret
= setresgid(resgid
, resgid
, resgid
);
4207 SYSERROR("Failed to setresgid(%d, %d, %d)",
4208 resgid
, resgid
, resgid
);
4209 _exit(EXIT_FAILURE
);
4212 ret
= setresuid(resuid
, resuid
, resuid
);
4214 SYSERROR("Failed to setresuid(%d, %d, %d)",
4215 resuid
, resuid
, resuid
);
4216 _exit(EXIT_FAILURE
);
4219 ret
= fn_child(fn_child_data
);
4221 SYSERROR("Running function in new user namespace failed");
4222 _exit(EXIT_FAILURE
);
4225 _exit(EXIT_SUCCESS
);
4228 close_prot_errno_disarm(sock_fds
[0]);
4230 if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE
||
4231 conf
->loglevel
== LXC_LOG_LEVEL_TRACE
) {
4233 struct lxc_list
*it
;
4235 lxc_list_for_each(it
, idmap
) {
4237 TRACE("Establishing %cid mapping for \"%d\" in new user namespace: nsuid %lu - hostid %lu - range %lu",
4238 (map
->idtype
== ID_TYPE_UID
) ? 'u' : 'g', pid
, map
->nsid
, map
->hostid
, map
->range
);
4242 ret
= lxc_read_nointr(sock_fds
[1], &c
, 1);
4244 SYSERROR("Failed waiting for child process %d\" to tell us to proceed", pid
);
4248 /* Set up {g,u}id mapping for user namespace of child process. */
4249 ret
= lxc_map_ids(idmap
, pid
);
4251 ERROR("Error setting up {g,u}id mappings for child process \"%d\"", pid
);
4255 /* Tell child to proceed. */
4256 ret
= lxc_write_nointr(sock_fds
[1], &c
, 1);
4258 SYSERROR("Failed telling child process \"%d\" to proceed", pid
);
4262 if (fn_parent
&& fn_parent(fn_parent_data
)) {
4263 SYSERROR("Running parent function failed");
4264 _exit(EXIT_FAILURE
);
4268 close_prot_errno_disarm(sock_fds
[0]);
4269 close_prot_errno_disarm(sock_fds
[1]);
4271 /* Wait for child to finish. */
4275 return wait_for_pid(pid
);
4278 int userns_exec_full(struct lxc_conf
*conf
, int (*fn
)(void *), void *data
,
4279 const char *fn_name
)
4285 struct lxc_list
*cur
;
4286 struct userns_fn_data d
;
4289 struct lxc_list
*idmap
= NULL
, *tmplist
= NULL
;
4290 struct id_map
*container_root_uid
= NULL
, *container_root_gid
= NULL
,
4291 *host_uid_map
= NULL
, *host_gid_map
= NULL
;
4296 ret
= pipe2(p
, O_CLOEXEC
);
4298 SYSERROR("opening pipe");
4302 d
.fn_name
= fn_name
;
4307 /* Clone child in new user namespace. */
4308 pid
= lxc_clone(run_userns_fn
, &d
, CLONE_NEWUSER
, NULL
);
4310 ERROR("Failed to clone process in new user namespace");
4320 /* Allocate new {g,u}id map list. */
4321 idmap
= malloc(sizeof(*idmap
));
4324 lxc_list_init(idmap
);
4326 /* Find container root. */
4327 lxc_list_for_each (cur
, &conf
->id_map
) {
4328 struct id_map
*tmpmap
;
4330 tmplist
= malloc(sizeof(*tmplist
));
4334 tmpmap
= malloc(sizeof(*tmpmap
));
4340 memset(tmpmap
, 0, sizeof(*tmpmap
));
4341 memcpy(tmpmap
, cur
->elem
, sizeof(*tmpmap
));
4342 tmplist
->elem
= tmpmap
;
4344 lxc_list_add_tail(idmap
, tmplist
);
4348 if (map
->idtype
== ID_TYPE_UID
)
4349 if (euid
>= map
->hostid
&& euid
< map
->hostid
+ map
->range
)
4352 if (map
->idtype
== ID_TYPE_GID
)
4353 if (egid
>= map
->hostid
&& egid
< map
->hostid
+ map
->range
)
4359 if (map
->idtype
== ID_TYPE_UID
)
4360 if (container_root_uid
== NULL
)
4361 container_root_uid
= map
;
4363 if (map
->idtype
== ID_TYPE_GID
)
4364 if (container_root_gid
== NULL
)
4365 container_root_gid
= map
;
4368 if (!container_root_uid
|| !container_root_gid
) {
4369 ERROR("No mapping for container root found");
4373 /* Check whether the {g,u}id of the user has a mapping. */
4375 host_uid_map
= mapped_hostid_add(conf
, euid
, ID_TYPE_UID
);
4377 host_uid_map
= container_root_uid
;
4380 host_gid_map
= mapped_hostid_add(conf
, egid
, ID_TYPE_GID
);
4382 host_gid_map
= container_root_gid
;
4384 if (!host_uid_map
) {
4385 DEBUG("Failed to find mapping for uid %d", euid
);
4389 if (!host_gid_map
) {
4390 DEBUG("Failed to find mapping for gid %d", egid
);
4394 if (host_uid_map
&& (host_uid_map
!= container_root_uid
)) {
4395 /* Add container root to the map. */
4396 tmplist
= malloc(sizeof(*tmplist
));
4399 lxc_list_add_elem(tmplist
, host_uid_map
);
4400 lxc_list_add_tail(idmap
, tmplist
);
4402 /* idmap will now keep track of that memory. */
4403 host_uid_map
= NULL
;
4405 if (host_gid_map
&& (host_gid_map
!= container_root_gid
)) {
4406 tmplist
= malloc(sizeof(*tmplist
));
4409 lxc_list_add_elem(tmplist
, host_gid_map
);
4410 lxc_list_add_tail(idmap
, tmplist
);
4412 /* idmap will now keep track of that memory. */
4413 host_gid_map
= NULL
;
4415 if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE
||
4416 conf
->loglevel
== LXC_LOG_LEVEL_TRACE
) {
4417 lxc_list_for_each (cur
, idmap
) {
4419 TRACE("establishing %cid mapping for \"%d\" in new "
4420 "user namespace: nsuid %lu - hostid %lu - range "
4422 (map
->idtype
== ID_TYPE_UID
) ? 'u' : 'g', pid
,
4423 map
->nsid
, map
->hostid
, map
->range
);
4427 /* Set up {g,u}id mapping for user namespace of child process. */
4428 ret
= lxc_map_ids(idmap
, pid
);
4430 ERROR("error setting up {g,u}id mappings for child process \"%d\"", pid
);
4434 /* Tell child to proceed. */
4435 if (lxc_write_nointr(p
[1], &c
, 1) != 1) {
4436 SYSERROR("Failed telling child process \"%d\" to proceed", pid
);
4445 /* Wait for child to finish. */
4447 ret
= wait_for_pid(pid
);
4450 __lxc_free_idmap(idmap
);
4452 if (host_uid_map
&& (host_uid_map
!= container_root_uid
))
4454 if (host_gid_map
&& (host_gid_map
!= container_root_gid
))
4460 static int add_idmap_entry(struct lxc_list
*idmap
, enum idtype idtype
,
4461 unsigned long nsid
, unsigned long hostid
,
4462 unsigned long range
)
4464 __do_free
struct id_map
*new_idmap
= NULL
;
4465 __do_free
struct lxc_list
*new_list
= NULL
;
4467 new_idmap
= zalloc(sizeof(*new_idmap
));
4469 return ret_errno(ENOMEM
);
4471 new_idmap
->idtype
= idtype
;
4472 new_idmap
->hostid
= hostid
;
4473 new_idmap
->nsid
= nsid
;
4474 new_idmap
->range
= range
;
4476 new_list
= zalloc(sizeof(*new_list
));
4478 return ret_errno(ENOMEM
);
4480 new_list
->elem
= move_ptr(new_idmap
);
4481 lxc_list_add_tail(idmap
, move_ptr(new_list
));
4483 INFO("Adding id map: type %c nsid %lu hostid %lu range %lu",
4484 idtype
== ID_TYPE_UID
? 'u' : 'g', nsid
, hostid
, range
);
4488 int userns_exec_mapped_root(const char *path
, int path_fd
,
4489 const struct lxc_conf
*conf
)
4491 call_cleaner(__lxc_free_idmap
) struct lxc_list
*idmap
= NULL
;
4492 __do_close
int fd
= -EBADF
;
4493 int target_fd
= -EBADF
;
4498 uid_t container_host_uid
, hostuid
;
4499 gid_t container_host_gid
, hostgid
;
4502 if (!conf
|| (!path
&& path_fd
< 0))
4503 return ret_errno(EINVAL
);
4508 container_host_uid
= get_mapped_rootid(conf
, ID_TYPE_UID
);
4509 if (!uid_valid(container_host_uid
))
4510 return log_error(-1, "No uid mapping for container root");
4512 container_host_gid
= get_mapped_rootid(conf
, ID_TYPE_GID
);
4513 if (!gid_valid(container_host_gid
))
4514 return log_error(-1, "No gid mapping for container root");
4517 fd
= open(path
, O_CLOEXEC
| O_NOCTTY
);
4519 return log_error_errno(-errno
, errno
, "Failed to open \"%s\"", path
);
4522 target_fd
= path_fd
;
4525 hostuid
= geteuid();
4526 /* We are root so chown directly. */
4528 ret
= fchown(target_fd
, container_host_uid
, container_host_gid
);
4530 return log_error_errno(-errno
, errno
,
4531 "Failed to fchown(%d(%s), %d, %d)",
4532 target_fd
, path
, container_host_uid
,
4533 container_host_gid
);
4534 return log_trace(0, "Chowned %d(%s) to uid %d and %d", target_fd
, path
,
4535 container_host_uid
, container_host_gid
);
4538 /* The container's root host id matches */
4539 if (container_host_uid
== hostuid
)
4540 return log_info(0, "Container root id is mapped to our uid");
4542 /* Get the current ids of our target. */
4543 ret
= fstat(target_fd
, &st
);
4545 return log_error_errno(-errno
, errno
, "Failed to stat \"%s\"", path
);
4547 hostgid
= getegid();
4548 if (st
.st_uid
== hostuid
&& mapped_hostid(st
.st_gid
, conf
, ID_TYPE_GID
) < 0) {
4549 ret
= fchown(target_fd
, -1, hostgid
);
4551 return log_error_errno(-errno
, errno
,
4552 "Failed to fchown(%d(%s), -1, %d)",
4553 target_fd
, path
, hostgid
);
4554 TRACE("Chowned %d(%s) to -1:%d", target_fd
, path
, hostgid
);
4557 idmap
= malloc(sizeof(*idmap
));
4560 lxc_list_init(idmap
);
4562 /* "u:0:rootuid:1" */
4563 ret
= add_idmap_entry(idmap
, ID_TYPE_UID
, 0, container_host_uid
, 1);
4565 return log_error_errno(ret
, -ret
, "Failed to add idmap entry");
4567 /* "u:hostuid:hostuid:1" */
4568 ret
= add_idmap_entry(idmap
, ID_TYPE_UID
, hostuid
, hostuid
, 1);
4570 return log_error_errno(ret
, -ret
, "Failed to add idmap entry");
4572 /* "g:0:rootgid:1" */
4573 ret
= add_idmap_entry(idmap
, ID_TYPE_GID
, 0, container_host_gid
, 1);
4575 return log_error_errno(ret
, -ret
, "Failed to add idmap entry");
4577 /* "g:hostgid:hostgid:1" */
4578 ret
= add_idmap_entry(idmap
, ID_TYPE_GID
, hostgid
, hostgid
, 1);
4580 return log_error_errno(ret
, -ret
, "Failed to add idmap entry");
4582 if (hostgid
!= st
.st_gid
) {
4583 /* "g:pathgid:rootgid+pathgid:1" */
4584 ret
= add_idmap_entry(idmap
, ID_TYPE_GID
, st
.st_gid
,
4585 container_host_gid
+ (gid_t
)st
.st_gid
, 1);
4587 return log_error_errno(ret
, -ret
, "Failed to add idmap entry");
4590 ret
= socketpair(PF_LOCAL
, SOCK_STREAM
| SOCK_CLOEXEC
, 0, sock_fds
);
4596 SYSERROR("Failed to create new process");
4601 close_prot_errno_disarm(sock_fds
[1]);
4603 ret
= unshare(CLONE_NEWUSER
);
4605 SYSERROR("Failed to unshare new user namespace");
4606 _exit(EXIT_FAILURE
);
4609 ret
= lxc_write_nointr(sock_fds
[0], &c
, 1);
4611 _exit(EXIT_FAILURE
);
4613 ret
= lxc_read_nointr(sock_fds
[0], &c
, 1);
4615 _exit(EXIT_FAILURE
);
4617 close_prot_errno_disarm(sock_fds
[0]);
4619 if (!lxc_switch_uid_gid(0, 0))
4620 _exit(EXIT_FAILURE
);
4622 if (!lxc_setgroups(0, NULL
))
4623 _exit(EXIT_FAILURE
);
4625 ret
= fchown(target_fd
, 0, st
.st_gid
);
4627 SYSERROR("Failed to chown %d(%s) to 0:%d", target_fd
, path
, st
.st_gid
);
4628 _exit(EXIT_FAILURE
);
4631 TRACE("Chowned %d(%s) to 0:%d", target_fd
, path
, st
.st_gid
);
4632 _exit(EXIT_SUCCESS
);
4635 close_prot_errno_disarm(sock_fds
[0]);
4637 if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE
||
4638 conf
->loglevel
== LXC_LOG_LEVEL_TRACE
) {
4640 struct lxc_list
*it
;
4642 lxc_list_for_each(it
, idmap
) {
4644 TRACE("Establishing %cid mapping for \"%d\" in new user namespace: nsuid %lu - hostid %lu - range %lu",
4645 (map
->idtype
== ID_TYPE_UID
) ? 'u' : 'g', pid
, map
->nsid
, map
->hostid
, map
->range
);
4649 ret
= lxc_read_nointr(sock_fds
[1], &c
, 1);
4651 SYSERROR("Failed waiting for child process %d\" to tell us to proceed", pid
);
4655 /* Set up {g,u}id mapping for user namespace of child process. */
4656 ret
= lxc_map_ids(idmap
, pid
);
4658 ERROR("Error setting up {g,u}id mappings for child process \"%d\"", pid
);
4662 /* Tell child to proceed. */
4663 ret
= lxc_write_nointr(sock_fds
[1], &c
, 1);
4665 SYSERROR("Failed telling child process \"%d\" to proceed", pid
);
4670 close_prot_errno_disarm(sock_fds
[0]);
4671 close_prot_errno_disarm(sock_fds
[1]);
4673 /* Wait for child to finish. */
4677 return wait_for_pid(pid
);
4680 /* not thread-safe, do not use from api without first forking */
4681 static char *getuname(void)
4683 __do_free
char *buf
= NULL
;
4684 struct passwd pwent
;
4685 struct passwd
*pwentp
= NULL
;
4689 bufsize
= sysconf(_SC_GETPW_R_SIZE_MAX
);
4693 buf
= malloc(bufsize
);
4697 ret
= getpwuid_r(geteuid(), &pwent
, buf
, bufsize
, &pwentp
);
4700 WARN("Could not find matched password record.");
4702 return log_error(NULL
, "Failed to get password record - %u", geteuid());
4705 return strdup(pwent
.pw_name
);
4708 /* not thread-safe, do not use from api without first forking */
4709 static char *getgname(void)
4711 __do_free
char *buf
= NULL
;
4713 struct group
*grentp
= NULL
;
4717 bufsize
= sysconf(_SC_GETGR_R_SIZE_MAX
);
4721 buf
= malloc(bufsize
);
4725 ret
= getgrgid_r(getegid(), &grent
, buf
, bufsize
, &grentp
);
4728 WARN("Could not find matched group record");
4730 return log_error(NULL
, "Failed to get group record - %u", getegid());
4733 return strdup(grent
.gr_name
);
4736 /* not thread-safe, do not use from api without first forking */
4737 void suggest_default_idmap(void)
4739 __do_free
char *gname
= NULL
, *line
= NULL
, *uname
= NULL
;
4740 __do_fclose
FILE *subuid_f
= NULL
, *subgid_f
= NULL
;
4741 unsigned int uid
= 0, urange
= 0, gid
= 0, grange
= 0;
4752 subuid_f
= fopen(subuidfile
, "re");
4754 ERROR("Your system is not configured with subuids");
4758 while (getline(&line
, &len
, subuid_f
) != -1) {
4760 size_t no_newline
= 0;
4762 p
= strchr(line
, ':');
4770 if (strcmp(line
, uname
))
4773 p2
= strchr(p
, ':');
4780 no_newline
= strcspn(p2
, "\n");
4781 p2
[no_newline
] = '\0';
4783 if (lxc_safe_uint(p
, &uid
) < 0)
4784 WARN("Could not parse UID");
4785 if (lxc_safe_uint(p2
, &urange
) < 0)
4786 WARN("Could not parse UID range");
4789 subgid_f
= fopen(subgidfile
, "re");
4791 ERROR("Your system is not configured with subgids");
4795 while (getline(&line
, &len
, subgid_f
) != -1) {
4797 size_t no_newline
= 0;
4799 p
= strchr(line
, ':');
4807 if (strcmp(line
, uname
))
4810 p2
= strchr(p
, ':');
4817 no_newline
= strcspn(p2
, "\n");
4818 p2
[no_newline
] = '\0';
4820 if (lxc_safe_uint(p
, &gid
) < 0)
4821 WARN("Could not parse GID");
4822 if (lxc_safe_uint(p2
, &grange
) < 0)
4823 WARN("Could not parse GID range");
4826 if (!urange
|| !grange
) {
4827 ERROR("You do not have subuids or subgids allocated");
4828 ERROR("Unprivileged containers require subuids and subgids");
4832 ERROR("You must either run as root, or define uid mappings");
4833 ERROR("To pass uid mappings to lxc-create, you could create");
4834 ERROR("~/.config/lxc/default.conf:");
4835 ERROR("lxc.include = %s", LXC_DEFAULT_CONFIG
);
4836 ERROR("lxc.idmap = u 0 %u %u", uid
, urange
);
4837 ERROR("lxc.idmap = g 0 %u %u", gid
, grange
);
4840 static void free_cgroup_settings(struct lxc_list
*result
)
4842 struct lxc_list
*iterator
, *next
;
4844 lxc_list_for_each_safe (iterator
, result
, next
) {
4845 lxc_list_del(iterator
);
4846 free_disarm(iterator
);
4848 free_disarm(result
);
4851 /* Return the list of cgroup_settings sorted according to the following rules
4852 * 1. Put memory.limit_in_bytes before memory.memsw.limit_in_bytes
4854 struct lxc_list
*sort_cgroup_settings(struct lxc_list
*cgroup_settings
)
4856 struct lxc_list
*result
;
4857 struct lxc_cgroup
*cg
= NULL
;
4858 struct lxc_list
*it
= NULL
, *item
= NULL
, *memsw_limit
= NULL
;
4860 result
= malloc(sizeof(*result
));
4863 lxc_list_init(result
);
4865 /* Iterate over the cgroup settings and copy them to the output list. */
4866 lxc_list_for_each (it
, cgroup_settings
) {
4867 item
= malloc(sizeof(*item
));
4869 free_cgroup_settings(result
);
4873 item
->elem
= it
->elem
;
4875 if (strcmp(cg
->subsystem
, "memory.memsw.limit_in_bytes") == 0) {
4876 /* Store the memsw_limit location */
4878 } else if (strcmp(cg
->subsystem
, "memory.limit_in_bytes") == 0 &&
4879 memsw_limit
!= NULL
) {
4880 /* lxc.cgroup.memory.memsw.limit_in_bytes is found
4881 * before lxc.cgroup.memory.limit_in_bytes, swap these
4883 item
->elem
= memsw_limit
->elem
;
4884 memsw_limit
->elem
= it
->elem
;
4886 lxc_list_add_tail(result
, item
);