1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2013 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
26 #include "bus-internal.h"
27 #include "bus-socket.h"
28 #include "bus-container.h"
/* Connect bus b to its stream socket from inside the container identified by
 * b->nspid or b->machine, then hand over to bus_socket_start_auth().
 * The socket is created first; only connect() is run by a forked helper
 * that has entered the container's namespaces.
 *
 * The only return visible here is the result of bus_socket_start_auth(b).
 *
 * NOTE(review): this listing is an excerpt (the gutter numbers skip), so the
 * fork() calls, error returns and exit paths between the lines below are
 * not visible; comments about them are hedged accordingly. */
30 int bus_container_connect_socket(sd_bus *b) {
/* Namespace and root descriptors start out invalid (-1). Presumably
 * _cleanup_close_ closes them when the scope ends; confirm against its
 * definition. */
31 _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
/* Preconditions: the bus must not own descriptors yet, and the target must be
 * named either by PID or by machine name. */
37 assert(b->input_fd < 0);
38 assert(b->output_fd < 0);
39 assert(b->nspid > 0 || b->machine);
/* Fills b->nspid from b->machine; presumably only when no PID was supplied
 * (the guarding condition is not in this listing). */
42 r = container_get_leader(b->machine, &b->nspid);
/* Obtain descriptors for the target's PID namespace, mount namespace and root;
 * one output slot is deliberately left NULL. */
47 r = namespace_open(b->nspid, &pidnsfd, &mntnsfd, NULL, &rootfd);
/* Close-on-exec keeps the socket out of exec'd programs. It is non-blocking,
 * so the connect() below may report EINPROGRESS instead of completing. */
51 b->input_fd = socket(b->sockaddr.sa.sa_family, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
/* One descriptor serves both directions. */
55 b->output_fd = b->input_fd;
/* Enter the namespaces opened above; the third slot is passed as -1. */
66 r = namespace_enter(pidnsfd, mntnsfd, -1, rootfd);
70 /* We just changed PID namespace, however it will only
71 * take effect on the children we now fork. Hence,
72 * let's fork another time, and connect from this
73 * grandchild, so that SO_PEERCRED of our connection
74 * comes from a process from within the container, and
75 * not outside of it */
/* NOTE(review): the grandchild is waited for below, so the PID captured by
 * SO_PEERCRED presumably belongs to a process that has already exited by the
 * time the connection is used. Peers should treat that PID as a record of
 * who connected, not as a handle to a live process. */
81 if (grandchild == 0) {
/* The socket was created before the namespace switch; only the connect()
 * itself is issued from within the container. */
83 r = connect(b->input_fd, &b->sockaddr.sa, b->sockaddr_size);
/* Expected outcome for a non-blocking socket; how it is reported back is not
 * visible here (see the status == 1 check further down). */
85 if (errno == EINPROGRESS)
/* Reap the grandchild; presumably executed by the intermediate child. */
94 r = wait_for_terminate(grandchild, &si);
/* Anything other than a normal exit (for example death by signal) is handled
 * separately. */
98 if (si.si_code != CLD_EXITED)
/* Reap the intermediate child; presumably back in the original process. */
104 r = wait_for_terminate(child, &si);
108 if (si.si_code != CLD_EXITED)
/* Exit status 1 is tested before the generic failure check, so it appears to
 * carry a distinct meaning, presumably "connect still in progress".
 * TODO: confirm against the omitted lines. */
111 if (si.si_status == 1)
114 if (si.si_status != EXIT_SUCCESS)
/* Helper finished cleanly: continue with authentication on the socket. */
117 return bus_socket_start_auth(b);
/* Open the node named by b->kernel from inside the container identified by
 * b->nspid or b->machine, and install the descriptor on the bus.
 * A forked helper that has entered the container's namespaces opens the node
 * and passes the descriptor back over a socketpair as SCM_RIGHTS data. The
 * caller then stores it in b->input_fd/b->output_fd and finishes with
 * bus_kernel_take_fd().
 *
 * The only return visible here is the result of bus_kernel_take_fd(b).
 *
 * NOTE(review): this listing is an excerpt (the gutter numbers skip), so the
 * fork() calls, error returns and exit paths between the lines below are
 * not visible; comments about them are hedged accordingly. */
120 int bus_container_connect_kernel(sd_bus *b) {
/* Both ends of the hand-over channel start out invalid. Presumably the
 * cleanup attribute closes whichever ends are still open on return. */
121 _cleanup_close_pair_ int pair[2] = { -1, -1 };
122 _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, rootfd = -1;
/* Control buffer sized by CMSG_SPACE(sizeof(int)): room for exactly one
 * descriptor. */
124 struct cmsghdr cmsghdr;
125 uint8_t buf[CMSG_SPACE(sizeof(int))];
/* The message header points at that control buffer for both sending and
 * receiving. */
128 .msg_control = &control,
129 .msg_controllen = sizeof(control),
131 struct cmsghdr *cmsg;
/* NOTE(review): fd carries a cleanup attribute and is later stored into the
 * bus object. It presumably has to be disarmed after the hand-over so the
 * bus does not keep a closed descriptor; that step is not in this listing. */
135 _cleanup_close_ int fd = -1;
/* Preconditions: the bus must not own descriptors yet, and the target must be
 * named either by PID or by machine name. */
138 assert(b->input_fd < 0);
139 assert(b->output_fd < 0);
140 assert(b->nspid > 0 || b->machine);
/* Fills b->nspid from b->machine; presumably only when no PID was supplied
 * (the guarding condition is not in this listing). */
143 r = container_get_leader(b->machine, &b->nspid);
/* Obtain descriptors for the target's PID namespace, mount namespace and root;
 * one output slot is deliberately left NULL. */
148 r = namespace_open(b->nspid, &pidnsfd, &mntnsfd, NULL, &rootfd);
/* Datagram channel used to carry the opened descriptor back to the caller.
 * NOTE(review): created without SOCK_CLOEXEC. If another thread of the
 * calling program can fork and exec concurrently, these two descriptors
 * could be inherited by that program; confirm whether that matters for
 * callers. */
152 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pair) < 0)
/* Presumably in the first child: drop the receiving end, which it does not
 * need, and store safe_close()'s return value back into the slot. */
162 pair[0] = safe_close(pair[0]);
/* Enter the namespaces opened above; the third slot is passed as -1. */
164 r = namespace_enter(pidnsfd, mntnsfd, -1, rootfd);
168 /* We just changed PID namespace, however it will only
169 * take effect on the children we now fork. Hence,
170 * let's fork another time, and connect from this
171 * grandchild, so that kdbus only sees the credentials
172 * of this process which comes from within the
173 * container, and not outside of it */
179 if (grandchild == 0) {
/* This open follows namespace_enter(), so b->kernel is presumably resolved
 * against the container's mount namespace and root rather than the
 * caller's. O_CLOEXEC keeps the descriptor out of exec'd programs and
 * O_NOCTTY prevents the node from becoming a controlling terminal. */
181 fd = open(b->kernel, O_RDWR|O_NOCTTY|O_CLOEXEC);
/* Build a single SCM_RIGHTS control message holding fd. memcpy() is used so
 * the store does not depend on the alignment of CMSG_DATA(). */
185 cmsg = CMSG_FIRSTHDR(&mh);
186 cmsg->cmsg_level = SOL_SOCKET;
187 cmsg->cmsg_type = SCM_RIGHTS;
188 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
189 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
/* Shrink the advertised control length to the one message actually filled in. */
191 mh.msg_controllen = cmsg->cmsg_len;
/* MSG_NOSIGNAL: a vanished receiver yields an error return instead of SIGPIPE. */
193 if (sendmsg(pair[1], &mh, MSG_NOSIGNAL) < 0)
/* Reap the grandchild; presumably executed by the intermediate child. */
199 r = wait_for_terminate(grandchild, &si);
/* Anything other than a normal exit (for example death by signal) is handled
 * separately. */
203 if (si.si_code != CLD_EXITED)
/* Presumably back in the original process: close the sending end, which only
 * the helpers use. */
209 pair[1] = safe_close(pair[1]);
211 r = wait_for_terminate(child, &si);
215 if (si.si_code != CLD_EXITED)
218 if (si.si_status != EXIT_SUCCESS)
/* MSG_CMSG_CLOEXEC sets close-on-exec on received descriptors atomically, so
 * there is no window in which they could leak into an exec'd program.
 * NOTE(review): the helpers ran inside the container's namespaces, so what
 * arrives here is best treated as input from a less trusted context. No
 * MSG_CTRUNC check on mh.msg_flags is visible in the listed lines; confirm
 * whether truncated control data is rejected. */
221 if (recvmsg(pair[0], &mh, MSG_NOSIGNAL|MSG_CMSG_CLOEXEC) < 0)
/* Walk every control message and look only at SCM_RIGHTS payloads. */
224 for (cmsg = CMSG_FIRSTHDR(&mh); cmsg; cmsg = CMSG_NXTHDR(&mh, cmsg))
225 if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
/* Number of descriptors = payload bytes / sizeof(int). The payload is read
 * through a cast here, whereas the sending side used memcpy(). */
229 fds = (int*) CMSG_DATA(cmsg);
230 n_fds = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);
/* Closes every received descriptor. Presumably this is the rejection path for
 * an unexpected descriptor count (the condition is not in this listing), so
 * that surplus descriptors do not stay open in this process. */
233 close_many(fds, n_fds);
/* The received descriptor serves both directions of the bus. */
240 b->input_fd = b->output_fd = fd;
/* Finish setup on the descriptor just installed. */
243 return bus_kernel_take_fd(b);