+ r = sd_rtnl_open(&rtnl, 0);
+ if (r < 0) {
+ log_error("Failed to connect to netlink: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
+ if (r < 0) {
+ log_error("Failed to allocate netlink message: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
+ if (r < 0) {
+ log_error("Failed to add netlink interface name: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
+ if (r < 0) {
+ log_error("Failed to open netlink container: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_append_string(m, IFLA_INFO_KIND, "veth");
+ if (r < 0) {
+ log_error("Failed to append netlink kind: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_open_container(m, IFLA_INFO_DATA);
+ if (r < 0) {
+ log_error("Failed to open netlink container: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
+ if (r < 0) {
+ log_error("Failed to open netlink container: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
+ if (r < 0) {
+ log_error("Failed to add netlink interface name: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
+ if (r < 0) {
+ log_error("Failed to add netlink namespace field: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_close_container(m);
+ if (r < 0) {
+ log_error("Failed to close netlink container: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_close_container(m);
+ if (r < 0) {
+ log_error("Failed to close netlink container: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_close_container(m);
+ if (r < 0) {
+ log_error("Failed to close netlink container: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_call(rtnl, m, 0, NULL);
+ if (r < 0) {
+ log_error("Failed to add new veth interfaces: %s", strerror(-r));
+ return r;
+ }
+
+ return 0;
+}
+
+static int setup_bridge(const char veth_name[]) {
+ _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
+ _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
+ int r, bridge;
+
+ if (!arg_private_network)
+ return 0;
+
+ if (!arg_network_veth)
+ return 0;
+
+ if (!arg_network_bridge)
+ return 0;
+
+ bridge = (int) if_nametoindex(arg_network_bridge);
+ if (bridge <= 0) {
+ log_error("Failed to resolve interface %s: %m", arg_network_bridge);
+ return -errno;
+ }
+
+ r = sd_rtnl_open(&rtnl, 0);
+ if (r < 0) {
+ log_error("Failed to connect to netlink: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
+ if (r < 0) {
+ log_error("Failed to allocate netlink message: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
+ if (r < 0) {
+ log_error("Failed to add netlink interface name field: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
+ if (r < 0) {
+ log_error("Failed to add netlink master field: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_call(rtnl, m, 0, NULL);
+ if (r < 0) {
+ log_error("Failed to add veth interface to bridge: %s", strerror(-r));
+ return r;
+ }
+
+ return 0;
+}
+
+static int parse_interface(struct udev *udev, const char *name) {
+ _cleanup_udev_device_unref_ struct udev_device *d = NULL;
+ char ifi_str[2 + DECIMAL_STR_MAX(int)];
+ int ifi;
+
+ ifi = (int) if_nametoindex(name);
+ if (ifi <= 0) {
+ log_error("Failed to resolve interface %s: %m", name);
+ return -errno;
+ }
+
+ sprintf(ifi_str, "n%i", ifi);
+ d = udev_device_new_from_device_id(udev, ifi_str);
+ if (!d) {
+ log_error("Failed to get udev device for interface %s: %m", name);
+ return -errno;
+ }
+
+ if (udev_device_get_is_initialized(d) <= 0) {
+ log_error("Network interface %s is not initialized yet.", name);
+ return -EBUSY;
+ }
+
+ return ifi;
+}
+
+static int move_network_interfaces(pid_t pid) {
+ _cleanup_udev_unref_ struct udev *udev = NULL;
+ _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
+ char **i;
+ int r;
+
+ if (!arg_private_network)
+ return 0;
+
+ if (strv_isempty(arg_network_interfaces))
+ return 0;
+
+ r = sd_rtnl_open(&rtnl, 0);
+ if (r < 0) {
+ log_error("Failed to connect to netlink: %s", strerror(-r));
+ return r;
+ }
+
+ udev = udev_new();
+ if (!udev) {
+ log_error("Failed to connect to udev.");
+ return -ENOMEM;
+ }
+
+ STRV_FOREACH(i, arg_network_interfaces) {
+ _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
+ int ifi;
+
+ ifi = parse_interface(udev, *i);
+ if (ifi < 0)
+ return ifi;
+
+ r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, ifi);
+ if (r < 0) {
+ log_error("Failed to allocate netlink message: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
+ if (r < 0) {
+ log_error("Failed to append namespace PID to netlink message: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_call(rtnl, m, 0, NULL);
+ if (r < 0) {
+ log_error("Failed to move interface %s to namespace: %s", *i, strerror(-r));
+ return r;
+ }
+ }
+
+ return 0;
+}
+
+static int setup_macvlan(pid_t pid) {
+ _cleanup_udev_unref_ struct udev *udev = NULL;
+ _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
+ char **i;
+ int r;
+
+ if (!arg_private_network)
+ return 0;
+
+ if (strv_isempty(arg_network_macvlan))
+ return 0;
+
+ r = sd_rtnl_open(&rtnl, 0);
+ if (r < 0) {
+ log_error("Failed to connect to netlink: %s", strerror(-r));
+ return r;
+ }
+
+ udev = udev_new();
+ if (!udev) {
+ log_error("Failed to connect to udev.");
+ return -ENOMEM;
+ }
+
+ STRV_FOREACH(i, arg_network_macvlan) {
+ _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
+ _cleanup_free_ char *n = NULL;
+ int ifi;
+
+ ifi = parse_interface(udev, *i);
+ if (ifi < 0)
+ return ifi;
+
+ r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
+ if (r < 0) {
+ log_error("Failed to allocate netlink message: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
+ if (r < 0) {
+ log_error("Failed to add netlink interface index: %s", strerror(-r));
+ return r;
+ }
+
+ n = strappend("mv-", *i);
+ if (!n)
+ return log_oom();
+
+ strshorten(n, IFNAMSIZ-1);
+
+ r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
+ if (r < 0) {
+ log_error("Failed to add netlink interface name: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
+ if (r < 0) {
+ log_error("Failed to add netlink namespace field: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
+ if (r < 0) {
+ log_error("Failed to open netlink container: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_append_string(m, IFLA_INFO_KIND, "macvlan");
+ if (r < 0) {
+ log_error("Failed to append netlink kind: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_open_container(m, IFLA_INFO_DATA);
+ if (r < 0) {
+ log_error("Failed to open netlink container: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
+ if (r < 0) {
+ log_error("Failed to append macvlan mode: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_close_container(m);
+ if (r < 0) {
+ log_error("Failed to close netlink container: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_message_close_container(m);
+ if (r < 0) {
+ log_error("Failed to close netlink container: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_rtnl_call(rtnl, m, 0, NULL);
+ if (r < 0) {
+ log_error("Failed to add new macvlan interfaces: %s", strerror(-r));
+ return r;
+ }
+ }
+
+ return 0;
+}
+
+static int audit_still_doesnt_work_in_containers(void) {
+
+#ifdef HAVE_SECCOMP
+ scmp_filter_ctx seccomp;
+ int r;
+
+ /*
+ Audit is broken in containers, much of the userspace audit
+ hookup will fail if running inside a container. We don't
+ care and just turn off creation of audit sockets.
+
+ This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
+ with EAFNOSUPPORT which audit userspace uses as indication
+ that audit is disabled in the kernel.
+ */
+
+ seccomp = seccomp_init(SCMP_ACT_ALLOW);
+ if (!seccomp)
+ return log_oom();
+
+ r = seccomp_add_secondary_archs(seccomp);
+ if (r < 0) {
+ log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
+ goto finish;
+ }
+
+ r = seccomp_rule_add(
+ seccomp,
+ SCMP_ACT_ERRNO(EAFNOSUPPORT),
+ SCMP_SYS(socket),
+ 2,
+ SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
+ SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
+ if (r < 0) {
+ log_error("Failed to add audit seccomp rule: %s", strerror(-r));
+ goto finish;
+ }
+
+ r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
+ if (r < 0) {
+ log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
+ goto finish;
+ }
+
+ r = seccomp_load(seccomp);
+ if (r < 0)
+ log_error("Failed to install seccomp audit filter: %s", strerror(-r));
+
+finish:
+ seccomp_release(seccomp);
+ return r;
+#else
+ return 0;
+#endif
+
+}
+
+static int setup_image(char **device_path, int *loop_nr) {
+ struct loop_info64 info = {
+ .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
+ };
+ _cleanup_close_ int fd = -1, control = -1, loop = -1;
+ _cleanup_free_ char* loopdev = NULL;
+ struct stat st;
+ int r, nr;
+
+ assert(device_path);
+ assert(loop_nr);
+
+ fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
+ if (fd < 0) {
+ log_error("Failed to open %s: %m", arg_image);
+ return -errno;
+ }
+
+ if (fstat(fd, &st) < 0) {
+ log_error("Failed to stat %s: %m", arg_image);
+ return -errno;
+ }
+
+ if (S_ISBLK(st.st_mode)) {
+ char *p;
+
+ p = strdup(arg_image);
+ if (!p)
+ return log_oom();
+
+ *device_path = p;
+
+ *loop_nr = -1;
+
+ r = fd;
+ fd = -1;
+
+ return r;
+ }
+
+ if (!S_ISREG(st.st_mode)) {
+ log_error("%s is not a regular file or block device: %m", arg_image);
+ return -EINVAL;
+ }
+
+ control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
+ if (control < 0) {
+ log_error("Failed to open /dev/loop-control: %m");
+ return -errno;
+ }
+
+ nr = ioctl(control, LOOP_CTL_GET_FREE);
+ if (nr < 0) {
+ log_error("Failed to allocate loop device: %m");
+ return -errno;
+ }
+
+ if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
+ return log_oom();
+
+ loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
+ if (loop < 0) {
+ log_error("Failed to open loop device %s: %m", loopdev);
+ return -errno;
+ }
+
+ if (ioctl(loop, LOOP_SET_FD, fd) < 0) {
+ log_error("Failed to set loopback file descriptor on %s: %m", loopdev);
+ return -errno;
+ }
+
+ if (arg_read_only)
+ info.lo_flags |= LO_FLAGS_READ_ONLY;
+
+ if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0) {
+ log_error("Failed to set loopback settings on %s: %m", loopdev);
+ return -errno;
+ }
+
+ *device_path = loopdev;
+ loopdev = NULL;
+
+ *loop_nr = nr;
+
+ r = loop;
+ loop = -1;
+
+ return r;
+}
+
+static int dissect_image(
+ int fd,
+ char **root_device,
+ char **home_device,
+ char **srv_device,
+ bool *secondary) {
+
+#ifdef HAVE_BLKID
+ int home_nr = -1, root_nr = -1, secondary_root_nr = -1, srv_nr = -1;
+ _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL;
+ _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
+ _cleanup_udev_device_unref_ struct udev_device *d = NULL;
+ _cleanup_blkid_free_probe_ blkid_probe b = NULL;
+ _cleanup_udev_unref_ struct udev *udev = NULL;
+ struct udev_list_entry *first, *item;
+ const char *pttype = NULL;
+ blkid_partlist pl;
+ struct stat st;
+ int r;