#include "missing.h"
#include "cgroup-util.h"
#include "strv.h"
+#include "path-util.h"
#include "loopback-setup.h"
static char *arg_directory = NULL;
static char **arg_controllers = NULL;
static char *arg_uuid = NULL;
static bool arg_private_network = false;
+static bool arg_read_only = false;
static bool arg_boot = false;
+static uint64_t arg_retain =
+ (1ULL << CAP_CHOWN) |
+ (1ULL << CAP_DAC_OVERRIDE) |
+ (1ULL << CAP_DAC_READ_SEARCH) |
+ (1ULL << CAP_FOWNER) |
+ (1ULL << CAP_FSETID) |
+ (1ULL << CAP_IPC_OWNER) |
+ (1ULL << CAP_KILL) |
+ (1ULL << CAP_LEASE) |
+ (1ULL << CAP_LINUX_IMMUTABLE) |
+ (1ULL << CAP_NET_BIND_SERVICE) |
+ (1ULL << CAP_NET_BROADCAST) |
+ (1ULL << CAP_NET_RAW) |
+ (1ULL << CAP_SETGID) |
+ (1ULL << CAP_SETFCAP) |
+ (1ULL << CAP_SETPCAP) |
+ (1ULL << CAP_SETUID) |
+ (1ULL << CAP_SYS_ADMIN) |
+ (1ULL << CAP_SYS_CHROOT) |
+ (1ULL << CAP_SYS_NICE) |
+ (1ULL << CAP_SYS_PTRACE) |
+ (1ULL << CAP_SYS_TTY_CONFIG) |
+ (1ULL << CAP_SYS_RESOURCE);
static int help(void) {
" -u --user=USER Run the command under specified user or uid\n"
" -C --controllers=LIST Put the container in specified comma-separated cgroup hierarchies\n"
" --uuid=UUID Set a specific machine UUID for the container\n"
- " --private-network Disable network in container\n",
+ " --private-network Disable network in container\n"
+ " --read-only Mount the root directory read-only\n"
+ " --capability=CAP In addition to the default, retain specified capability\n",
program_invocation_short_name);
return 0;
enum {
ARG_PRIVATE_NETWORK = 0x100,
- ARG_UUID
+ ARG_UUID,
+ ARG_READ_ONLY,
+ ARG_CAPABILITY
};
static const struct option options[] = {
{ "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
{ "boot", no_argument, NULL, 'b' },
{ "uuid", required_argument, NULL, ARG_UUID },
+ { "read-only", no_argument, NULL, ARG_READ_ONLY },
+ { "capability", required_argument, NULL, ARG_CAPABILITY },
{ NULL, 0, NULL, 0 }
};
arg_uuid = optarg;
break;
+ case ARG_READ_ONLY:
+ arg_read_only = true;
+ break;
+
+ case ARG_CAPABILITY: {
+ char *state, *word;
+ size_t length;
+
+ FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
+ cap_value_t cap;
+ char *t;
+
+ t = strndup(word, length);
+ if (!t) {
+ log_error("Out of memory.");
+ return -ENOMEM;
+ }
+
+ if (cap_from_name(t, &cap) < 0) {
+ log_error("Failed to parse capability %s.", t);
+ free(t);
+ return -EINVAL;
+ }
+
+ free(t);
+ arg_retain |= 1ULL << (uint64_t) cap;
+ }
+
+ break;
+ }
+
case '?':
return -EINVAL;
continue;
}
- mkdir_p(where, 0755);
+ mkdir_p_label(where, 0755);
if (mount(mount_table[k].what,
where,
char *hn;
int r = 0;
- hn = file_name_from_path(arg_directory);
+ hn = path_get_file_name(arg_directory);
if (hn) {
hn = strdup(hn);
if (!hn)
}
static int drop_capabilities(void) {
- static const unsigned long retain[] = {
- CAP_CHOWN,
- CAP_DAC_OVERRIDE,
- CAP_DAC_READ_SEARCH,
- CAP_FOWNER,
- CAP_FSETID,
- CAP_IPC_OWNER,
- CAP_KILL,
- CAP_LEASE,
- CAP_LINUX_IMMUTABLE,
- CAP_NET_BIND_SERVICE,
- CAP_NET_BROADCAST,
- CAP_NET_RAW,
- CAP_SETGID,
- CAP_SETFCAP,
- CAP_SETPCAP,
- CAP_SETUID,
- CAP_SYS_ADMIN,
- CAP_SYS_CHROOT,
- CAP_SYS_NICE,
- CAP_SYS_PTRACE,
- CAP_SYS_TTY_CONFIG
- };
-
- unsigned long l;
-
- for (l = 0; l <= cap_last_cap(); l++) {
- unsigned i;
-
- for (i = 0; i < ELEMENTSOF(retain); i++)
- if (retain[i] == l)
- break;
-
- if (i < ELEMENTSOF(retain))
- continue;
-
- if (prctl(PR_CAPBSET_DROP, l) < 0) {
- log_error("PR_CAPBSET_DROP failed: %m");
- return -errno;
- }
- }
-
- return 0;
+ return capability_bounding_set_drop(~arg_retain, false);
}
static int is_os_tree(const char *path) {
if (mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL) < 0)
goto child_fail;
+ /* Turn directory into bind mount */
+ if (mount(arg_directory, arg_directory, "bind", MS_BIND, NULL) < 0) {
+ log_error("Failed to make bind mount.");
+ goto child_fail;
+ }
+
+ if (arg_read_only)
+ if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
+ log_error("Failed to make read-only.");
+ goto child_fail;
+ }
+
if (mount_all(arg_directory) < 0)
goto child_fail;
dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO)
goto child_fail;
- if (mount(arg_directory, "/", "bind", MS_BIND, NULL) < 0) {
- log_error("mount(MS_MOVE) failed: %m");
+ if (mount(arg_directory, "/", "bind", MS_MOVE, NULL) < 0) {
+ log_error("mount(MS_BIND) failed: %m");
goto child_fail;
}
loopback_setup();
- if (drop_capabilities() < 0)
+ if (drop_capabilities() < 0) {
+ log_error("drop_capabilities() failed: %m");
goto child_fail;
+ }
if (arg_user) {
goto child_fail;
}
- if (mkdir_parents(home, 0775) < 0) {
- log_error("mkdir_parents() failed: %m");
+ if (mkdir_parents_label(home, 0775) < 0) {
+ log_error("mkdir_parents_label() failed: %m");
goto child_fail;
}
- if (safe_mkdir(home, 0775, uid, gid) < 0) {
- log_error("safe_mkdir() failed: %m");
+ if (mkdir_safe_label(home, 0775, uid, gid) < 0) {
+ log_error("mkdir_safe_label() failed: %m");
goto child_fail;
}
~ianmdlvl / elogind.git / blobdiff