{ "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
+ { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true },
#ifdef HAVE_SELINUX
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
{ NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
r = stat(where, &dest_st);
if (r == 0) {
- if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
- log_error("The file types of %s and %s do not match. Refusing bind mount", *x, where);
+ if (S_ISDIR(source_st.st_mode) && !S_ISDIR(dest_st.st_mode)) {
+ log_error("Cannot bind mount directory %s on file %s.", *x, where);
+ return -EINVAL;
+ }
+ if (!S_ISDIR(source_st.st_mode) && S_ISDIR(dest_st.st_mode)) {
+ log_error("Cannot bind mount file %s on directory %s.", *x, where);
return -EINVAL;
}
} else if (errno == ENOENT) {
return -errno;
}
- /* Create the mount point, but be conservative -- refuse to create block
- * and char devices. */
+ /* Create the mount point. Any non-directory file can be
+ * mounted on any non-directory file (regular, fifo, socket,
+ * char, block).
+ */
if (S_ISDIR(source_st.st_mode)) {
r = mkdir_label(where, 0755);
if (r < 0 && errno != EEXIST)
return log_error_errno(r, "Failed to create mount point %s: %m", where);
- } else if (S_ISFIFO(source_st.st_mode)) {
- r = mkfifo(where, 0644);
- if (r < 0 && errno != EEXIST)
- return log_error_errno(errno, "Failed to create mount point %s: %m", where);
- } else if (S_ISSOCK(source_st.st_mode)) {
- r = mknod(where, 0644 | S_IFSOCK, 0);
- if (r < 0 && errno != EEXIST)
- return log_error_errno(errno, "Failed to create mount point %s: %m", where);
- } else if (S_ISREG(source_st.st_mode)) {
+ } else {
r = touch(where);
if (r < 0)
return log_error_errno(r, "Failed to create mount point %s: %m", where);
- } else {
- log_error("Refusing to create mountpoint for file: %s", *x);
- return -ENOTSUP;
}
if (mount(*x, where, "bind", MS_BIND, NULL) < 0)
char *to;
int r;
- to = strappenda(dest, "/sys/fs/cgroup/", hierarchy);
+ to = strjoina(dest, "/sys/fs/cgroup/", hierarchy);
r = path_is_mount_point(to, false);
if (r < 0)
mkdir_p(to, 0755);
- if (mount("cgroup", to, "cgroup", MS_NOSUID|MS_NOEXEC|MS_NODEV|(read_only ? MS_RDONLY : 0), controller) < 0)
+ /* The superblock mount options of the mount point need to be
+ * identical to the hosts', and hence writable... */
+ if (mount("cgroup", to, "cgroup", MS_NOSUID|MS_NOEXEC|MS_NODEV, controller) < 0)
return log_error_errno(errno, "Failed to mount to %s: %m", to);
+ /* ... hence let's only make the bind mount read-only, not the
+ * superblock. */
+ if (read_only) {
+ if (mount(NULL, to, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL) < 0)
+ return log_error_errno(errno, "Failed to remount %s read-only: %m", to);
+ }
return 1;
}
if (r < 0)
return log_error_errno(r, "Failed to determine our own cgroup path: %m");
- cgroup_root = strappenda(dest, "/sys/fs/cgroup");
+ cgroup_root = strjoina(dest, "/sys/fs/cgroup");
if (mount("tmpfs", cgroup_root, "tmpfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, "mode=755") < 0)
return log_error_errno(errno, "Failed to mount tmpfs to /sys/fs/cgroup: %m");
}
}
- r = mount_cgroup_hierarchy(dest, "name=systemd", "systemd", false);
+ r = mount_cgroup_hierarchy(dest, "name=systemd,xattr", "systemd", false);
if (r < 0)
return r;
/* Make our own cgroup a (writable) bind mount */
- systemd_own = strappenda(dest, "/sys/fs/cgroup/systemd", own_cgroup_path);
+ systemd_own = strjoina(dest, "/sys/fs/cgroup/systemd", own_cgroup_path);
if (mount(systemd_own, systemd_own, NULL, MS_BIND, NULL) < 0)
return log_error_errno(errno, "Failed to turn %s into a bind mount: %m", own_cgroup_path);
/* And then remount the systemd cgroup root read-only */
- systemd_root = strappenda(dest, "/sys/fs/cgroup/systemd");
+ systemd_root = strjoina(dest, "/sys/fs/cgroup/systemd");
if (mount(NULL, systemd_root, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL) < 0)
return log_error_errno(errno, "Failed to mount cgroup root read-only: %m");
if (r < 0)
return log_error_errno(r, "Failed to remount %s read-only: %m", directory);
- p = strappenda(directory, "/var");
+ p = strjoina(directory, "/var");
r = mkdir(p, 0755);
if (r < 0 && errno != EEXIST)
return log_error_errno(errno, "Failed to create %s: %m", directory);
tmpfs_mounted = true;
- f = strappenda(directory, "/usr");
- t = strappenda(template, "/usr");
+ f = strjoina(directory, "/usr");
+ t = strjoina(template, "/usr");
r = mkdir(t, 0755);
if (r < 0 && errno != EEXIST) {
* /dev/console. (Note that the major minor doesn't actually
* matter here, since we mount it over anyway). */
- to = strappenda(dest, "/dev/console");
+ to = strjoina(dest, "/dev/console");
if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0)
return log_error_errno(errno, "mknod() for /dev/console failed: %m");
static const int blacklist[] = {
SCMP_SYS(kexec_load),
SCMP_SYS(open_by_handle_at),
- SCMP_SYS(init_module),
- SCMP_SYS(finit_module),
- SCMP_SYS(delete_module),
SCMP_SYS(iopl),
SCMP_SYS(ioperm),
SCMP_SYS(swapon),
SCMP_SYS(swapoff),
};
+ static const int kmod_blacklist[] = {
+ SCMP_SYS(init_module),
+ SCMP_SYS(finit_module),
+ SCMP_SYS(delete_module),
+ };
+
scmp_filter_ctx seccomp;
unsigned i;
int r;
}
}
+ /* If the CAP_SYS_MODULE capability is not requested then
+ * we'll block the kmod syscalls too */
+ if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) {
+ for (i = 0; i < ELEMENTSOF(kmod_blacklist); i++) {
+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), kmod_blacklist[i], 0);
+ if (r == -EFAULT)
+ continue; /* unknown syscall */
+ if (r < 0) {
+ log_error_errno(r, "Failed to block syscall: %m");
+ goto finish;
+ }
+ }
+ }
+
/*
Audit is broken in containers, much of the userspace audit
hookup will fail if running inside a container. We don't
(void) mkdir_p("/run/systemd/nspawn/", 0755);
(void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
- p = strappenda("/run/systemd/nspawn/propagate/", arg_machine);
+ p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
(void) mkdir_p(p, 0600);
- q = strappenda(root, "/run/systemd/nspawn/incoming");
+ q = strjoina(root, "/run/systemd/nspawn/incoming");
mkdir_parents(q, 0755);
mkdir_p(q, 0600);
return r;
}
-static int wait_for_block_device(struct udev *udev, dev_t devnum, struct udev_device **ret) {
- _cleanup_udev_monitor_unref_ struct udev_monitor *monitor = NULL;
- int r;
-
- assert(udev);
- assert(ret);
-
- for (;;) {
- _cleanup_udev_device_unref_ struct udev_device *d = NULL;
- struct pollfd pfd = {
- .events = POLLIN
- };
-
- d = udev_device_new_from_devnum(udev, 'b', devnum);
- if (!d)
- return log_oom();
-
- r = udev_device_get_is_initialized(d);
- if (r < 0)
- return log_error_errno(r, "Failed to check if device is initialized: %m");
- if (r > 0) {
- *ret = d;
- d = NULL;
- return 0;
- }
- d = udev_device_unref(d);
-
- if (!monitor) {
- monitor = udev_monitor_new_from_netlink(udev, "udev");
- if (!monitor)
- return log_oom();
-
- r = udev_monitor_filter_add_match_subsystem_devtype(monitor, "block", NULL);
- if (r < 0)
- return log_error_errno(r, "Failed to add block match: %m");
-
- r = udev_monitor_enable_receiving(monitor);
- if (r < 0)
- return log_error_errno(r, "Failed to turn on monitor: %m");
-
- continue;
- }
-
- pfd.fd = udev_monitor_get_fd(monitor);
- if (pfd.fd < 0)
- return log_error_errno(r, "Failed to get udev monitor fd: %m");
-
- r = poll(&pfd, 1, -1);
- if (r < 0)
- return log_error_errno(errno, "Failed to wait for device initialization: %m");
-
- d = udev_monitor_receive_device(monitor);
- }
-
- return 0;
-}
-
#define PARTITION_TABLE_BLURB \
"Note that the disk image needs to either contain only a single MBR partition of\n" \
"type 0x83 that is marked bootable, or a sinlge GPT partition of type" \
_cleanup_udev_unref_ struct udev *udev = NULL;
struct udev_list_entry *first, *item;
bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true, generic_rw = true;
+ bool is_gpt, is_mbr, multiple_generic = false;
const char *pttype = NULL;
blkid_partlist pl;
struct stat st;
+ unsigned i;
int r;
- bool is_gpt, is_mbr, multiple_generic = false;
assert(fd >= 0);
assert(root_device);
if (fstat(fd, &st) < 0)
return log_error_errno(errno, "Failed to stat block device: %m");
- r = wait_for_block_device(udev, st.st_rdev, &d);
- if (r < 0)
- return r;
-
- e = udev_enumerate_new(udev);
- if (!e)
+ d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
+ if (!d)
return log_oom();
- r = udev_enumerate_add_match_parent(e, d);
- if (r < 0)
- return log_oom();
+ for (i = 0;; i++) {
+ int n, m;
- r = udev_enumerate_scan_devices(e);
- if (r < 0)
- return log_error_errno(r, "Failed to scan for partition devices of %s: %m", arg_image);
+ if (i >= 10) {
+ log_error("Kernel partitions never appeared.");
+ return -ENXIO;
+ }
+
+ e = udev_enumerate_new(udev);
+ if (!e)
+ return log_oom();
+
+ r = udev_enumerate_add_match_parent(e, d);
+ if (r < 0)
+ return log_oom();
+
+ r = udev_enumerate_scan_devices(e);
+ if (r < 0)
+ return log_error_errno(r, "Failed to scan for partition devices of %s: %m", arg_image);
+
+ /* Count the partitions enumerated by the kernel */
+ n = 0;
+ first = udev_enumerate_get_list_entry(e);
+ udev_list_entry_foreach(item, first)
+ n++;
+
+ /* Count the partitions enumerated by blkid */
+ m = blkid_partlist_numof_partitions(pl);
+ if (n == m + 1)
+ break;
+ if (n > m + 1) {
+ log_error("blkid and kernel partition list do not match.");
+ return -EIO;
+ }
+ if (n < m + 1) {
+ unsigned j;
+
+ /* The kernel has probed fewer partitions than
+ * blkid? Maybe the kernel prober is still
+ * running or it got EBUSY because udev
+ * already opened the device. Let's reprobe
+ * the device, which is a synchronous call
+ * that waits until probing is complete. */
+
+ for (j = 0; j < 20; j++) {
+
+ r = ioctl(fd, BLKRRPART, 0);
+ if (r < 0)
+ r = -errno;
+ if (r >= 0 || r != -EBUSY)
+ break;
+
+ /* If something else has the device
+ * open, such as an udev rule, the
+ * ioctl will return EBUSY. Since
+ * there's no way to wait until it
+ * isn't busy anymore, let's just wait
+ * a bit, and try again.
+ *
+ * This is really something they
+ * should fix in the kernel! */
+
+ usleep(50 * USEC_PER_MSEC);
+ }
+
+ if (r < 0)
+ return log_error_errno(r, "Failed to reread partition table: %m");
+ }
+
+ e = udev_enumerate_unref(e);
+ }
first = udev_enumerate_get_list_entry(e);
udev_list_entry_foreach(item, first) {
rw = false;
if (directory)
- p = strappenda(where, directory);
+ p = strjoina(where, directory);
else
p = where;
}
if (arg_ephemeral) {
- _cleanup_release_lock_file_ LockFile original_lock = LOCK_FILE_INIT;
char *np;
/* If the specified path is a mount point we
} else {
const char *p;
- p = strappenda(arg_directory,
+ p = strjoina(arg_directory,
argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
if (access(p, F_OK) < 0) {
log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
if (arg_machine) {
const char *p;
- p = strappenda("/run/systemd/nspawn/propagate/", arg_machine);
+ p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
(void) rm_rf(p, false, true, false);
}