X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fnspawn%2Fnspawn.c;h=ffd8fd4ef50a74ac22ebb8fb6c590f1abd09ea85;hp=7050c05ec2be3e059a9b8da3f29945443744b26c;hb=b2896c905bef7be7ed9a760d9d61aa6ad0f614a3;hpb=0f0dbc46ccf5aaaf3131446d0a4d78bc97a37295 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 7050c05ec..ffd8fd4ef 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -50,13 +50,39 @@ #include "missing.h" #include "cgroup-util.h" #include "strv.h" +#include "path-util.h" #include "loopback-setup.h" static char *arg_directory = NULL; static char *arg_user = NULL; static char **arg_controllers = NULL; +static char *arg_uuid = NULL; static bool arg_private_network = false; +static bool arg_read_only = false; static bool arg_boot = false; +static uint64_t arg_retain = + (1ULL << CAP_CHOWN) | + (1ULL << CAP_DAC_OVERRIDE) | + (1ULL << CAP_DAC_READ_SEARCH) | + (1ULL << CAP_FOWNER) | + (1ULL << CAP_FSETID) | + (1ULL << CAP_IPC_OWNER) | + (1ULL << CAP_KILL) | + (1ULL << CAP_LEASE) | + (1ULL << CAP_LINUX_IMMUTABLE) | + (1ULL << CAP_NET_BIND_SERVICE) | + (1ULL << CAP_NET_BROADCAST) | + (1ULL << CAP_NET_RAW) | + (1ULL << CAP_SETGID) | + (1ULL << CAP_SETFCAP) | + (1ULL << CAP_SETPCAP) | + (1ULL << CAP_SETUID) | + (1ULL << CAP_SYS_ADMIN) | + (1ULL << CAP_SYS_CHROOT) | + (1ULL << CAP_SYS_NICE) | + (1ULL << CAP_SYS_PTRACE) | + (1ULL << CAP_SYS_TTY_CONFIG) | + (1ULL << CAP_SYS_RESOURCE); static int help(void) { @@ -67,7 +93,10 @@ static int help(void) { " -b --boot Boot up full system (i.e. invoke init)\n" " -u --user=USER Run the command under specified user or uid\n" " -C --controllers=LIST Put the container in specified comma-separated cgroup hierarchies\n" - " --private-network Disable network in container\n", + " --uuid=UUID Set a specific machine UUID for the container\n" + " --private-network Disable network in container\n" + " --read-only Mount the root directory read-only\n" + " --capability=CAP In addition to the default, retain specified capability\n", program_invocation_short_name); return 0; @@ -76,7 +105,10 @@ static int help(void) { static int parse_argv(int argc, char *argv[]) { enum { - ARG_PRIVATE_NETWORK = 0x100 + ARG_PRIVATE_NETWORK = 0x100, + ARG_UUID, + ARG_READ_ONLY, + ARG_CAPABILITY }; static const struct option options[] = { @@ -86,6 +118,9 @@ static int parse_argv(int argc, char *argv[]) { { "controllers", required_argument, NULL, 'C' }, { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK }, { "boot", no_argument, NULL, 'b' }, + { "uuid", required_argument, NULL, ARG_UUID }, + { "read-only", no_argument, NULL, ARG_READ_ONLY }, + { "capability", required_argument, NULL, ARG_CAPABILITY }, { NULL, 0, NULL, 0 } }; @@ -140,6 +175,41 @@ static int parse_argv(int argc, char *argv[]) { arg_boot = true; break; + case ARG_UUID: + arg_uuid = optarg; + break; + + case ARG_READ_ONLY: + arg_read_only = true; + break; + + case ARG_CAPABILITY: { + char *state, *word; + size_t length; + + FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) { + cap_value_t cap; + char *t; + + t = strndup(word, length); + if (!t) { + log_error("Out of memory."); + return -ENOMEM; + } + + if (cap_from_name(t, &cap) < 0) { + log_error("Failed to parse capability %s.", t); + free(t); + return -EINVAL; + } + + free(t); + arg_retain |= 1ULL << (uint64_t) cap; + } + + break; + } + case '?': return -EINVAL; @@ -205,7 +275,7 @@ static int mount_all(const char *dest) { continue; } - mkdir_p(where, 0755); + mkdir_p_label(where, 0755); if (mount(mount_table[k].what, where, @@ -255,6 +325,28 @@ static int setup_timezone(const char *dest) { return 0; } +static int setup_resolv_conf(const char *dest) { + char *where; + + assert(dest); + + if (arg_private_network) + return 0; + + /* Fix resolv.conf, if possible */ + if (asprintf(&where, "%s/etc/resolv.conf", dest) < 0) { + log_error("Out of memory"); + return -ENOMEM; + } + + if (mount("/etc/resolv.conf", where, "bind", MS_BIND, NULL) >= 0) + mount("/etc/resolv.conf", where, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL); + + free(where); + + return 0; +} + static int copy_devnodes(const char *dest) { static const char devnodes[] = @@ -486,7 +578,7 @@ static int setup_hostname(void) { char *hn; int r = 0; - hn = file_name_from_path(arg_directory); + hn = path_get_file_name(arg_directory); if (hn) { hn = strdup(hn); if (!hn) @@ -505,49 +597,7 @@ static int setup_hostname(void) { } static int drop_capabilities(void) { - static const unsigned long retain[] = { - CAP_CHOWN, - CAP_DAC_OVERRIDE, - CAP_DAC_READ_SEARCH, - CAP_FOWNER, - CAP_FSETID, - CAP_IPC_OWNER, - CAP_KILL, - CAP_LEASE, - CAP_LINUX_IMMUTABLE, - CAP_NET_BIND_SERVICE, - CAP_NET_BROADCAST, - CAP_NET_RAW, - CAP_SETGID, - CAP_SETFCAP, - CAP_SETPCAP, - CAP_SETUID, - CAP_SYS_ADMIN, - CAP_SYS_CHROOT, - CAP_SYS_NICE, - CAP_SYS_PTRACE, - CAP_SYS_TTY_CONFIG - }; - - unsigned long l; - - for (l = 0; l <= cap_last_cap(); l++) { - unsigned i; - - for (i = 0; i < ELEMENTSOF(retain); i++) - if (retain[i] == l) - break; - - if (i < ELEMENTSOF(retain)) - continue; - - if (prctl(PR_CAPBSET_DROP, l) < 0) { - log_error("PR_CAPBSET_DROP failed: %m"); - return -errno; - } - } - - return 0; + return capability_bounding_set_drop(~arg_retain, false); } static int is_os_tree(const char *path) { @@ -912,6 +962,7 @@ int main(int argc, char *argv[]) { NULL, /* HOME */ NULL, /* USER */ NULL, /* LOGNAME */ + NULL, /* container_uuid */ NULL }; @@ -940,6 +991,18 @@ int main(int argc, char *argv[]) { if (mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL) < 0) goto child_fail; + /* Turn directory into bind mount */ + if (mount(arg_directory, arg_directory, "bind", MS_BIND, NULL) < 0) { + log_error("Failed to make bind mount."); + goto child_fail; + } + + if (arg_read_only) + if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) { + log_error("Failed to make read-only."); + goto child_fail; + } + if (mount_all(arg_directory) < 0) goto child_fail; @@ -957,6 +1020,9 @@ int main(int argc, char *argv[]) { if (setup_timezone(arg_directory) < 0) goto child_fail; + if (setup_resolv_conf(arg_directory) < 0) + goto child_fail; + if (chdir(arg_directory) < 0) { log_error("chdir(%s) failed: %m", arg_directory); goto child_fail; @@ -967,8 +1033,8 @@ int main(int argc, char *argv[]) { dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) goto child_fail; - if (mount(arg_directory, "/", "bind", MS_BIND, NULL) < 0) { - log_error("mount(MS_MOVE) failed: %m"); + if (mount(arg_directory, "/", "bind", MS_MOVE, NULL) < 0) { + log_error("mount(MS_BIND) failed: %m"); goto child_fail; } @@ -986,8 +1052,10 @@ int main(int argc, char *argv[]) { loopback_setup(); - if (drop_capabilities() < 0) + if (drop_capabilities() < 0) { + log_error("drop_capabilities() failed: %m"); goto child_fail; + } if (arg_user) { @@ -996,13 +1064,13 @@ int main(int argc, char *argv[]) { goto child_fail; } - if (mkdir_parents(home, 0775) < 0) { - log_error("mkdir_parents() failed: %m"); + if (mkdir_parents_label(home, 0775) < 0) { + log_error("mkdir_parents_label() failed: %m"); goto child_fail; } - if (safe_mkdir(home, 0775, uid, gid) < 0) { - log_error("safe_mkdir() failed: %m"); + if (mkdir_safe_label(home, 0775, uid, gid) < 0) { + log_error("mkdir_safe_label() failed: %m"); goto child_fail; } @@ -1022,13 +1090,20 @@ int main(int argc, char *argv[]) { } } - if ((asprintf((char**)(envp + 3), "HOME=%s", home? home: "/root") < 0) || - (asprintf((char**)(envp + 4), "USER=%s", arg_user? arg_user : "root") < 0) || - (asprintf((char**)(envp + 5), "LOGNAME=%s", arg_user? arg_user : "root") < 0)) { + if ((asprintf((char**)(envp + 3), "HOME=%s", home ? home: "/root") < 0) || + (asprintf((char**)(envp + 4), "USER=%s", arg_user ? arg_user : "root") < 0) || + (asprintf((char**)(envp + 5), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) { log_error("Out of memory"); goto child_fail; } + if (arg_uuid) { + if (asprintf((char**)(envp + 6), "container_uuid=%s", arg_uuid) < 0) { + log_error("Out of memory"); + goto child_fail; + } + } + setup_hostname(); if (arg_boot) {