return 0;
}
-static int audit_still_doesnt_work_in_containers(void) {
+static int setup_seccomp(void) {
#ifdef HAVE_SECCOMP
+ static const int blacklist[] = {
+ SCMP_SYS(kexec_load),
+ SCMP_SYS(open_by_handle_at),
+ SCMP_SYS(init_module),
+ SCMP_SYS(finit_module),
+ SCMP_SYS(delete_module),
+ SCMP_SYS(iopl),
+ SCMP_SYS(ioperm),
+ SCMP_SYS(swapon),
+ SCMP_SYS(swapoff),
+ };
+
scmp_filter_ctx seccomp;
+ unsigned i;
int r;
- /*
- Audit is broken in containers, much of the userspace audit
- hookup will fail if running inside a container. We don't
- care and just turn off creation of audit sockets.
-
- This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
- with EAFNOSUPPORT which audit userspace uses as indication
- that audit is disabled in the kernel.
- */
-
seccomp = seccomp_init(SCMP_ACT_ALLOW);
if (!seccomp)
return log_oom();
goto finish;
}
+ for (i = 0; i < ELEMENTSOF(blacklist); i++) {
+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
+ if (r == -EFAULT)
+ continue; /* unknown syscall */
+ if (r < 0) {
+ log_error("Failed to block syscall: %s", strerror(-r));
+ goto finish;
+ }
+ }
+
+ /*
+ Audit is broken in containers, much of the userspace audit
+ hookup will fail if running inside a container. We don't
+ care and just turn off creation of audit sockets.
+
+ This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
+ with EAFNOSUPPORT which audit userspace uses as indication
+ that audit is disabled in the kernel.
+ */
+
r = seccomp_rule_add(
seccomp,
SCMP_ACT_ERRNO(EAFNOSUPPORT),
dev_setup(arg_directory);
- if (audit_still_doesnt_work_in_containers() < 0)
+ if (setup_seccomp() < 0)
goto child_fail;
if (setup_dev_console(arg_directory, console) < 0)
* join its cgroup which might limit what it can do */
r = eventfd_child_succeeded(eventfds[1]);
eventfds[1] = safe_close(eventfds[1]);
- if (r < 0)
- goto check_container_status;
- r = register_machine(pid);
- if (r < 0)
- goto finish;
+ if (r >= 0) {
+ r = register_machine(pid);
+ if (r < 0)
+ goto finish;
- r = move_network_interfaces(pid);
- if (r < 0)
- goto finish;
+ r = move_network_interfaces(pid);
+ if (r < 0)
+ goto finish;
- r = setup_veth(pid, veth_name);
- if (r < 0)
- goto finish;
+ r = setup_veth(pid, veth_name);
+ if (r < 0)
+ goto finish;
- r = setup_bridge(veth_name);
- if (r < 0)
- goto finish;
+ r = setup_bridge(veth_name);
+ if (r < 0)
+ goto finish;
- r = setup_macvlan(pid);
- if (r < 0)
- goto finish;
+ r = setup_macvlan(pid);
+ if (r < 0)
+ goto finish;
- /* Block SIGCHLD here, before notifying child.
- * process_pty() will handle it with the other signals. */
- r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
- if (r < 0)
- goto finish;
+ /* Block SIGCHLD here, before notifying child.
+ * process_pty() will handle it with the other signals. */
+ r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
+ if (r < 0)
+ goto finish;
- /* Reset signal to default */
- r = default_signals(SIGCHLD, -1);
- if (r < 0)
- goto finish;
+ /* Reset signal to default */
+ r = default_signals(SIGCHLD, -1);
+ if (r < 0)
+ goto finish;
- /* Notify the child that the parent is ready with all
- * its setup, and that the child can now hand over
- * control to the code to run inside the container. */
- r = eventfd_send_state(eventfds[0],
- EVENTFD_PARENT_SUCCEEDED);
- eventfds[0] = safe_close(eventfds[0]);
- if (r < 0)
- goto finish;
+ /* Notify the child that the parent is ready with all
+ * its setup, and that the child can now hand over
+ * control to the code to run inside the container. */
+ r = eventfd_send_state(eventfds[0], EVENTFD_PARENT_SUCCEEDED);
+ eventfds[0] = safe_close(eventfds[0]);
+ if (r < 0)
+ goto finish;
- k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3);
- if (k < 0) {
- r = EXIT_FAILURE;
- break;
- }
+ k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3);
+ if (k < 0) {
+ r = EXIT_FAILURE;
+ break;
+ }
- if (!arg_quiet)
- putc('\n', stdout);
+ if (!arg_quiet)
+ putc('\n', stdout);
- /* Kill if it is not dead yet anyway */
- terminate_machine(pid);
+ /* Kill if it is not dead yet anyway */
+ terminate_machine(pid);
+ }
-check_container_status:
- /* Redundant, but better safe than sorry */
+ /* Normally redundant, but better safe than sorry */
kill(pid, SIGKILL);
r = wait_for_container(pid, &container_status);
break;
/* CONTAINER_REBOOTED, loop again */
+
+ if (arg_keep_unit) {
+ /* Special handling if we are running as a
+ * service: instead of simply restarting the
+ * machine we want to restart the entire
+ * service, so let's inform systemd about this
+ * with the special exit code 133. The service
+ * file uses RestartForceExitStatus=133 so
+ * that this results in a full nspawn
+ * restart. This is necessary since we might
+ * have cgroup parameters set we want to have
+ * flushed out. */
+ r = 133;
+ break;
+ }
}
finish:
~ianmdlvl / elogind.git / blobdiff