1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2013 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include "bus-internal.h"
28 #include "bus-socket.h"
29 #include "bus-container.h"
31 int bus_container_connect_socket(sd_bus *b) {
32 _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
38 assert(b->input_fd < 0);
39 assert(b->output_fd < 0);
41 r = container_get_leader(b->machine, &leader);
45 r = namespace_open(leader, &pidnsfd, &mntnsfd, &rootfd);
49 b->input_fd = socket(b->sockaddr.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
53 b->output_fd = b->input_fd;
55 r = bus_socket_setup(b);
66 r = namespace_enter(pidnsfd, mntnsfd, rootfd);
70 /* We just changed PID namespace, however it will only
71 * take effect on the children we now fork. Hence,
72 * let's fork another time, and connect from this
73 * grandchild, so that SO_PEERCRED of our connection
74 * comes from a process from within the container, and
75 * not outside of it */
81 if (grandchild == 0) {
83 r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
85 if (errno == EINPROGRESS)
94 r = wait_for_terminate(grandchild, &si);
98 if (si.si_code != CLD_EXITED)
104 r = wait_for_terminate(child, &si);
108 if (si.si_code != CLD_EXITED)
111 if (si.si_status == 1)
114 if (si.si_status != EXIT_SUCCESS)
117 return bus_socket_start_auth(b);
120 int bus_container_connect_kernel(sd_bus *b) {
121 _cleanup_close_pipe_ int pair[2] = { -1, -1 };
122 _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
124 struct cmsghdr cmsghdr;
125 uint8_t buf[CMSG_SPACE(sizeof(int))];
128 .msg_control = &control,
129 .msg_controllen = sizeof(control),
131 struct cmsghdr *cmsg;
135 _cleanup_close_ int fd = -1;
138 assert(b->input_fd < 0);
139 assert(b->output_fd < 0);
141 r = container_get_leader(b->machine, &leader);
145 r = namespace_open(leader, &pidnsfd, &mntnsfd, &rootfd);
149 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pair) < 0)
159 close_nointr_nofail(pair[0]);
162 r = namespace_enter(pidnsfd, mntnsfd, rootfd);
166 /* We just changed PID namespace, however it will only
167 * take effect on the children we now fork. Hence,
168 * let's fork another time, and connect from this
169 * grandchild, so that kdbus only sees the credentials
170 * of this process which comes from within the
171 * container, and not outside of it */
177 if (grandchild == 0) {
179 fd = open(b->kernel, O_RDWR|O_NOCTTY|O_CLOEXEC);
183 cmsg = CMSG_FIRSTHDR(&mh);
184 cmsg->cmsg_level = SOL_SOCKET;
185 cmsg->cmsg_type = SCM_RIGHTS;
186 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
187 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
189 mh.msg_controllen = cmsg->cmsg_len;
191 if (sendmsg(pair[1], &mh, MSG_NOSIGNAL) < 0)
197 r = wait_for_terminate(grandchild, &si);
201 if (si.si_code != CLD_EXITED)
207 close_nointr_nofail(pair[1]);
210 if (recvmsg(pair[0], &mh, MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) < 0)
213 for (cmsg = CMSG_FIRSTHDR(&mh); cmsg; cmsg = CMSG_NXTHDR(&mh, cmsg))
214 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
218 fds = (int*) CMSG_DATA(cmsg);
219 n_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
222 close_many(fds, n_fds);
229 r = wait_for_terminate(child, &si);
233 if (si.si_code != CLD_EXITED)
236 if (si.si_status != EXIT_SUCCESS)
239 b->input_fd = b->output_fd = fd;
242 return bus_kernel_take_fd(b);
~ianmdlvl / elogind.git / blob