#include <sys/prctl.h>
#include <sys/capability.h>
#include <getopt.h>
-#include <sys/poll.h>
-#include <sys/epoll.h>
#include <termios.h>
#include <sys/signalfd.h>
#include <grp.h>
#include <sys/socket.h>
#include <linux/netlink.h>
-#include <systemd/sd-daemon.h>
-#include <systemd/sd-bus.h>
-
+#include "sd-daemon.h"
+#include "sd-bus.h"
+#include "sd-id128.h"
#include "log.h"
#include "util.h"
#include "mkdir.h"
#include "strv.h"
#include "path-util.h"
#include "loopback-setup.h"
-#include "sd-id128.h"
#include "dev-setup.h"
#include "fdset.h"
#include "build.h"
#include "fileio.h"
#include "bus-util.h"
+#include "bus-error.h"
#include "ptyfwd.h"
#ifndef TTY_GID
" --read-only Mount the root directory read-only\n"
" --capability=CAP In addition to the default, retain specified\n"
" capability\n"
+ " --drop-capability=CAP Drop the specified capability from the default set\n"
" --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
" -j Equivalent to --link-journal=host\n"
" --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
ARG_UUID,
ARG_READ_ONLY,
ARG_CAPABILITY,
+ ARG_DROP_CAPABILITY,
ARG_LINK_JOURNAL,
ARG_BIND,
ARG_BIND_RO
{ "uuid", required_argument, NULL, ARG_UUID },
{ "read-only", no_argument, NULL, ARG_READ_ONLY },
{ "capability", required_argument, NULL, ARG_CAPABILITY },
+ { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
{ "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
{ "bind", required_argument, NULL, ARG_BIND },
{ "bind-ro", required_argument, NULL, ARG_BIND_RO },
{ "machine", required_argument, NULL, 'M' },
{ "slice", required_argument, NULL, 'S' },
- { NULL, 0, NULL, 0 }
+ {}
};
int c, r;
switch (c) {
case 'h':
- help();
- return 0;
+ return help();
case ARG_VERSION:
puts(PACKAGE_STRING);
free(arg_directory);
arg_directory = canonicalize_file_name(optarg);
if (!arg_directory) {
- log_error("Failed to canonicalize root directory.");
+ log_error("Invalid root directory: %m");
return -ENOMEM;
}
arg_read_only = true;
break;
- case ARG_CAPABILITY: {
+ case ARG_CAPABILITY:
+ case ARG_DROP_CAPABILITY: {
char *state, *word;
size_t length;
}
free(t);
- arg_retain |= 1ULL << (uint64_t) cap;
+
+ if (c == ARG_CAPABILITY)
+ arg_retain |= 1ULL << (uint64_t) cap;
+ else
+ arg_retain &= ~(1ULL << (uint64_t) cap);
}
break;
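Review bot: The drop is applied to `arg_retain` as it stands at parse time, so `--capability=X --drop-capability=X` ends with X dropped while the reverse order ends with X retained; the new help text promises a drop "from the default set", which is only accurate when no earlier `--capability` added it. Either make the order-dependence explicit or collect retains and drops and resolve them after option parsing. If the current semantics are intended, a comment above the new `if` would make them explicit: `/* Applied in command-line order: a later --capability re-adds what an earlier --drop-capability removed, and vice versa. */`. The enclosing `case` block starts outside the hunk.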
return -EINVAL;
default:
- log_error("Unknown option code %c", c);
- return -EINVAL;
+ assert_not_reached("Unhandled option");
}
}
strempty(arg_directory),
!isempty(arg_slice), "Slice", "s", arg_slice);
if (r < 0) {
- log_error("Failed to register machine: %s", error.message ? error.message : strerror(-r));
+ log_error("Failed to register machine: %s", bus_error_message(&error, r));
return r;
}
return 0;
}
+static int terminate_machine(pid_t pid) {
+ _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
+ _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
+ _cleanup_bus_unref_ sd_bus *bus = NULL;
+ const char *path;
+ int r;
+
+ r = sd_bus_default_system(&bus);
+ if (r < 0) {
+ log_error("Failed to open system bus: %s", strerror(-r));
+ return r;
+ }
+
+ r = sd_bus_call_method(
+ bus,
+ "org.freedesktop.machine1",
+ "/org/freedesktop/machine1",
+ "org.freedesktop.machine1.Manager",
+ "GetMachineByPID",
+ &error,
+ &reply,
+ "u",
+ (uint32_t) pid);
+ if (r < 0) {
+ /* Note that the machine might already have been
+ * cleaned up automatically, hence don't consider it a
+ * failure if we cannot get the machine object. */
+ log_debug("Failed to get machine: %s", bus_error_message(&error, r));
+ return 0;
+ }
+
+ r = sd_bus_message_read(reply, "o", &path);
+ if (r < 0)
+ return bus_log_parse_error(r);
+
+ r = sd_bus_call_method(
+ bus,
+ "org.freedesktop.machine1",
+ path,
+ "org.freedesktop.machine1.Machine",
+ "Terminate",
+ &error,
+ NULL,
+ NULL);
+ if (r < 0) {
+ log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
+ return 0;
+ }
+
+ return 0;
+}
+
static bool audit_enabled(void) {
int fd;
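Review bot: terminate_machine has no header comment stating its best-effort contract, and its three outcomes are easy to misread: a failed bus connection is propagated, a malformed reply is propagated via bus_log_parse_error, but both a failed GetMachineByPID lookup and a failed Terminate call are only logged at debug level and return 0. The caller in the later hunk ignores the return value and follows up with SIGKILL, so the asymmetry is harmless today, but a future caller cannot tell from the signature which failures it can rely on. A comment above the definition along the lines of `/* Best-effort: asks machined to terminate the machine registered for pid. Returns 0 when the machine is already gone or Terminate failed (logged at debug level only); returns <0 only if the system bus cannot be opened or the reply is malformed. */` would document this. Since a Terminate failure leaves the machine's scope in machined's hands, consider whether that path deserves log_warning rather than log_debug so an operator sees it at the default log level.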
putc('\n', stdout);
/* Kill if it is not dead yet anyway */
+ terminate_machine(pid);
+
+ /* Redundant, but better safe than sorry */
kill(pid, SIGKILL);
k = wait_for_terminate(pid, &status);