1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
40 #include "cgroup-util.h"
41 #include "sd-daemon.h"
43 static char *arg_directory = NULL;
45 static int help(void) {
47 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
48 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
49 " -h --help Show this help\n"
50 " -D --directory=NAME Root directory for the container\n",
51 program_invocation_short_name);
56 static int parse_argv(int argc, char *argv[]) {
58 static const struct option options[] = {
59 { "help", no_argument, NULL, 'h' },
60 { "directory", required_argument, NULL, 'D' },
69 while ((c = getopt_long(argc, argv, "+hD:", options, NULL)) >= 0) {
79 if (!(arg_directory = strdup(optarg))) {
80 log_error("Failed to duplicate root directory.");
90 log_error("Unknown option code %c", c);
98 static int mount_all(const char *dest) {
100 typedef struct MountPoint {
109 static const MountPoint mount_table[] = {
110 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
111 { "/proc/sys", "/proc/sys", "bind", NULL, MS_BIND, true }, /* Bind mount first */
112 { "/proc/sys", "/proc/sys", "bind", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
113 { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true },
114 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID, true },
115 { "/dev/pts", "/dev/pts", "bind", NULL, MS_BIND, true },
116 { "tmpfs", "/dev/.run", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
118 { "selinux", "/selinux", "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false },
125 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
129 if (asprintf(&where, "%s/%s", dest, mount_table[k].where) < 0) {
130 log_error("Out of memory");
138 if ((t = path_is_mount_point(where)) < 0) {
139 log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t));
148 mkdir_p(where, 0755);
150 if (mount(mount_table[k].what,
153 mount_table[k].flags,
154 mount_table[k].options) < 0 &&
155 mount_table[k].fatal) {
157 log_error("mount(%s) failed: %m", where);
169 static int copy_devnodes(const char *dest) {
171 static const char devnodes[] =
190 NULSTR_FOREACH(d, devnodes) {
191 char *from = NULL, *to = NULL;
194 asprintf(&from, "/dev/%s", d);
195 asprintf(&to, "%s/dev/%s", dest, d);
198 log_error("Failed to allocate devnode path");
209 if (stat(from, &st) < 0) {
211 if (errno != ENOENT) {
212 log_error("Failed to stat %s: %m", from);
219 if (mknod(to, st.st_mode, st.st_rdev) < 0) {
220 log_error("mknod(%s) failed: %m", dest);
231 if ((k = get_ctty(&tty, &tty_devnum)) < 0) {
232 log_error("Failed to determine controlling tty: %s", strerror(-k));
237 char *from = NULL, *to = NULL;
239 asprintf(&from, "/dev/%s", tty);
240 asprintf(&to, "%s/dev/console", dest);
243 log_error("Out of memory");
248 /* We need to bind mount our own tty on
249 * /dev/console, since ptys cannot be used
250 * unless on a devpts file system. But to bind
251 * mount it we first have to create a device
252 * node where we can bind mount it on. This is
253 * kinda ugly since the TTY will very likely
254 * be owned by a user/group that does not
255 * exist in the container. */
257 if (mknod(to, S_IFCHR|0600, tty_devnum) < 0) {
258 log_error("mknod for /dev/console failed: %m");
264 if (mount(from, to, "bind", MS_BIND|MS_RDONLY, NULL) < 0) {
265 log_error("bind mount for /dev/console failed: %m");
283 static int drop_capabilities(void) {
284 static const unsigned long retain[] = {
294 CAP_NET_BIND_SERVICE,
310 for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l ++) {
313 for (i = 0; i < ELEMENTSOF(retain); i++)
317 if (i < ELEMENTSOF(retain))
320 if (prctl(PR_CAPBSET_DROP, l) < 0) {
322 /* If this capability is not known, EINVAL
323 * will be returned, let's ignore this. */
327 log_error("PR_CAPBSET_DROP failed: %m");
335 static int is_os_tree(const char *path) {
338 /* We use /bin/sh as flag file if something is an OS */
340 if (asprintf(&p, "%s/bin/sh", path) < 0)
346 return r < 0 ? 0 : 1;
350 int main(int argc, char *argv[]) {
352 int r = EXIT_FAILURE, k;
353 char *oldcg = NULL, *newcg = NULL;
355 log_parse_environment();
358 if ((r = parse_argv(argc, argv)) <= 0)
364 p = path_make_absolute_cwd(arg_directory);
368 arg_directory = get_current_dir_name();
370 if (!arg_directory) {
371 log_error("Failed to determine path");
375 path_kill_slashes(arg_directory);
377 if (geteuid() != 0) {
378 log_error("Need to be root.");
382 if (sd_booted() <= 0) {
383 log_error("Not running on a systemd system.");
387 if (path_equal(arg_directory, "/")) {
388 log_error("Spawning container on root directory not supported.");
392 if (is_os_tree(arg_directory) <= 0) {
393 log_error("Directory %s doesn't look like an OS root directory. Refusing.", arg_directory);
397 log_info("Spawning namespace container on %s.", arg_directory);
399 if ((k = cg_get_by_pid(SYSTEMD_CGROUP_CONTROLLER, 0, &oldcg)) < 0) {
400 log_error("Failed to determine current cgroup: %s", strerror(-k));
404 if (asprintf(&newcg, "%s/nspawn-%lu", oldcg, (unsigned long) getpid()) < 0) {
405 log_error("Failed to allocate cgroup path.");
409 if ((k = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, newcg, 0)) < 0) {
410 log_error("Failed to create cgroup: %s", strerror(-k));
414 if ((pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS, NULL)) < 0) {
415 log_error("clone() failed: %m");
421 const char *envp[] = {
423 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
429 if (mount_all(arg_directory) < 0)
432 if (copy_devnodes(arg_directory) < 0)
435 if (chdir(arg_directory) < 0) {
436 log_error("chdir(%s) failed: %m", arg_directory);
439 if (mount(arg_directory, "/", "bind", MS_BIND|MS_MOVE, NULL) < 0) {
440 log_error("mount(MS_MOVE) failed: %m");
444 if (chroot(".") < 0) {
445 log_error("chroot() failed: %m");
449 if (chdir("/") < 0) {
450 log_error("chdir() failed: %m");
454 if (drop_capabilities() < 0)
457 if ((hn = file_name_from_path(arg_directory)))
458 sethostname(hn, strlen(hn));
461 execvpe(argv[optind], argv + optind, (char**) envp);
464 execle("/bin/bash", "-bash", NULL, (char**) envp);
467 log_error("execv() failed: %m");
473 r = wait_for_terminate_and_warn(argc > optind ? argv[optind] : "bash", pid);
480 cg_attach(SYSTEMD_CGROUP_CONTROLLER, oldcg, 0);
483 cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, newcg, true);