1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2013 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include "bus-internal.h"
28 #include "bus-socket.h"
29 #include "bus-container.h"
31 int bus_container_connect_socket(sd_bus *b) {
32 _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
38 assert(b->input_fd < 0);
39 assert(b->output_fd < 0);
41 r = container_get_leader(b->machine, &leader);
45 r = namespace_open(leader, &pidnsfd, &mntnsfd, NULL, &rootfd);
49 b->input_fd = socket(b->sockaddr.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
53 b->output_fd = b->input_fd;
64 r = namespace_enter(pidnsfd, mntnsfd, -1, rootfd);
68 /* We just changed PID namespace, however it will only
69 * take effect on the children we now fork. Hence,
70 * let's fork another time, and connect from this
71 * grandchild, so that SO_PEERCRED of our connection
72 * comes from a process from within the container, and
73 * not outside of it */
79 if (grandchild == 0) {
81 r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
83 if (errno == EINPROGRESS)
92 r = wait_for_terminate(grandchild, &si);
96 if (si.si_code != CLD_EXITED)
102 r = wait_for_terminate(child, &si);
106 if (si.si_code != CLD_EXITED)
109 if (si.si_status == 1)
112 if (si.si_status != EXIT_SUCCESS)
115 return bus_socket_start_auth(b);
118 int bus_container_connect_kernel(sd_bus *b) {
119 _cleanup_close_pair_ int pair[2] = { -1, -1 };
120 _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
122 struct cmsghdr cmsghdr;
123 uint8_t buf[CMSG_SPACE(sizeof(int))];
126 .msg_control = &control,
127 .msg_controllen = sizeof(control),
129 struct cmsghdr *cmsg;
133 _cleanup_close_ int fd = -1;
136 assert(b->input_fd < 0);
137 assert(b->output_fd < 0);
139 r = container_get_leader(b->machine, &leader);
143 r = namespace_open(leader, &pidnsfd, &mntnsfd, NULL, &rootfd);
147 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pair) < 0)
157 pair[0] = safe_close(pair[0]);
159 r = namespace_enter(pidnsfd, mntnsfd, -1, rootfd);
163 /* We just changed PID namespace, however it will only
164 * take effect on the children we now fork. Hence,
165 * let's fork another time, and connect from this
166 * grandchild, so that kdbus only sees the credentials
167 * of this process which comes from within the
168 * container, and not outside of it */
174 if (grandchild == 0) {
176 fd = open(b->kernel, O_RDWR|O_NOCTTY|O_CLOEXEC);
180 cmsg = CMSG_FIRSTHDR(&mh);
181 cmsg->cmsg_level = SOL_SOCKET;
182 cmsg->cmsg_type = SCM_RIGHTS;
183 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
184 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
186 mh.msg_controllen = cmsg->cmsg_len;
188 if (sendmsg(pair[1], &mh, MSG_NOSIGNAL) < 0)
194 r = wait_for_terminate(grandchild, &si);
198 if (si.si_code != CLD_EXITED)
204 pair[1] = safe_close(pair[1]);
206 r = wait_for_terminate(child, &si);
210 if (si.si_code != CLD_EXITED)
213 if (si.si_status != EXIT_SUCCESS)
216 if (recvmsg(pair[0], &mh, MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) < 0)
219 for (cmsg = CMSG_FIRSTHDR(&mh); cmsg; cmsg = CMSG_NXTHDR(&mh, cmsg))
220 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
224 fds = (int*) CMSG_DATA(cmsg);
225 n_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
228 close_many(fds, n_fds);
235 b->input_fd = b->output_fd = fd;
238 return bus_kernel_take_fd(b);
~ianmdlvl / elogind.git / blob