1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2013 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include "bus-internal.h"
28 #include "bus-socket.h"
29 #include "bus-container.h"
31 int bus_container_connect_socket(sd_bus *b) {
32 _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
38 assert(b->input_fd < 0);
39 assert(b->output_fd < 0);
41 r = container_get_leader(b->machine, &leader);
45 r = namespace_open(leader, &pidnsfd, &mntnsfd, &rootfd);
49 b->input_fd = socket(b->sockaddr.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
53 b->output_fd = b->input_fd;
64 r = namespace_enter(pidnsfd, mntnsfd, rootfd);
68 /* We just changed PID namespace, however it will only
69 * take effect on the children we now fork. Hence,
70 * let's fork another time, and connect from this
71 * grandchild, so that SO_PEERCRED of our connection
72 * comes from a process from within the container, and
73 * not outside of it */
79 if (grandchild == 0) {
81 r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
83 if (errno == EINPROGRESS)
92 r = wait_for_terminate(grandchild, &si);
96 if (si.si_code != CLD_EXITED)
102 r = wait_for_terminate(child, &si);
106 if (si.si_code != CLD_EXITED)
109 if (si.si_status == 1)
112 if (si.si_status != EXIT_SUCCESS)
115 return bus_socket_start_auth(b);
118 int bus_container_connect_kernel(sd_bus *b) {
119 _cleanup_close_pipe_ int pair[2] = { -1, -1 };
120 _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
122 struct cmsghdr cmsghdr;
123 uint8_t buf[CMSG_SPACE(sizeof(int))];
126 .msg_control = &control,
127 .msg_controllen = sizeof(control),
129 struct cmsghdr *cmsg;
133 _cleanup_close_ int fd = -1;
136 assert(b->input_fd < 0);
137 assert(b->output_fd < 0);
139 r = container_get_leader(b->machine, &leader);
143 r = namespace_open(leader, &pidnsfd, &mntnsfd, &rootfd);
147 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pair) < 0)
157 close_nointr_nofail(pair[0]);
160 r = namespace_enter(pidnsfd, mntnsfd, rootfd);
164 /* We just changed PID namespace, however it will only
165 * take effect on the children we now fork. Hence,
166 * let's fork another time, and connect from this
167 * grandchild, so that kdbus only sees the credentials
168 * of this process which comes from within the
169 * container, and not outside of it */
175 if (grandchild == 0) {
177 fd = open(b->kernel, O_RDWR|O_NOCTTY|O_CLOEXEC);
181 cmsg = CMSG_FIRSTHDR(&mh);
182 cmsg->cmsg_level = SOL_SOCKET;
183 cmsg->cmsg_type = SCM_RIGHTS;
184 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
185 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
187 mh.msg_controllen = cmsg->cmsg_len;
189 if (sendmsg(pair[1], &mh, MSG_NOSIGNAL) < 0)
195 r = wait_for_terminate(grandchild, &si);
199 if (si.si_code != CLD_EXITED)
205 close_nointr_nofail(pair[1]);
208 r = wait_for_terminate(child, &si);
212 if (si.si_code != CLD_EXITED)
215 if (si.si_status != EXIT_SUCCESS)
218 if (recvmsg(pair[0], &mh, MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) < 0)
221 for (cmsg = CMSG_FIRSTHDR(&mh); cmsg; cmsg = CMSG_NXTHDR(&mh, cmsg))
222 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
226 fds = (int*) CMSG_DATA(cmsg);
227 n_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
230 close_many(fds, n_fds);
237 b->input_fd = b->output_fd = fd;
240 return bus_kernel_take_fd(b);
~ianmdlvl / elogind.git / blob