#include "bus-util.h"
#include "bus-error.h"
#include "ptyfwd.h"
+#include "bus-kernel.h"
#ifndef TTY_GID
#define TTY_GID 5
" --read-only Mount the root directory read-only\n"
" --capability=CAP In addition to the default, retain specified\n"
" capability\n"
+ " --drop-capability=CAP Drop the specified capability from the default set\n"
" --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
" -j Equivalent to --link-journal=host\n"
" --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
ARG_UUID,
ARG_READ_ONLY,
ARG_CAPABILITY,
+ ARG_DROP_CAPABILITY,
ARG_LINK_JOURNAL,
ARG_BIND,
ARG_BIND_RO
{ "uuid", required_argument, NULL, ARG_UUID },
{ "read-only", no_argument, NULL, ARG_READ_ONLY },
{ "capability", required_argument, NULL, ARG_CAPABILITY },
+ { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
{ "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
{ "bind", required_argument, NULL, ARG_BIND },
{ "bind-ro", required_argument, NULL, ARG_BIND_RO },
free(arg_directory);
arg_directory = canonicalize_file_name(optarg);
if (!arg_directory) {
- log_error("Failed to canonicalize root directory.");
+ log_error("Invalid root directory: %m");
return -ENOMEM;
}
arg_read_only = true;
break;
- case ARG_CAPABILITY: {
+ case ARG_CAPABILITY:
+ case ARG_DROP_CAPABILITY: {
char *state, *word;
size_t length;
}
free(t);
- arg_retain |= 1ULL << (uint64_t) cap;
+
+ if (c == ARG_CAPABILITY)
+ arg_retain |= 1ULL << (uint64_t) cap;
+ else
+ arg_retain &= ~(1ULL << (uint64_t) cap);
}
break;
return 0;
}
+static int setup_kdbus(const char *dest, const char *path) {
+ const char *p;
+
+ if (!path)
+ return 0;
+
+ p = strappenda(dest, "/dev/kdbus");
+ if (mkdir(p, 0755) < 0) {
+ log_error("Failed to create kdbus path: %m");
+ return -errno;
+ }
+
+ if (mount(path, p, "bind", MS_BIND, NULL) < 0) {
+ log_error("Failed to mount kdbus namespace path: %m");
+ return -errno;
+ }
+
+ return 0;
+}
+
static int drop_capabilities(void) {
return capability_bounding_set_drop(~arg_retain, false);
}
const char *path;
int r;
- r = sd_bus_open_system(&bus);
+ r = sd_bus_default_system(&bus);
if (r < 0) {
log_error("Failed to open system bus: %s", strerror(-r));
return r;
}
r = sd_bus_message_read(reply, "o", &path);
- if (r < 0) {
- log_error("Failed to parse GetMachineByPID() reply: %s", bus_error_message(&error, r));
- return r;
- }
+ if (r < 0)
+ return bus_log_parse_error(r);
r = sd_bus_call_method(
bus,
int main(int argc, char *argv[]) {
pid_t pid = 0;
int r = EXIT_FAILURE, k;
- _cleanup_close_ int master = -1;
+ _cleanup_close_ int master = -1, kdbus_fd = -1;
int n_fd_passed;
const char *console = NULL;
sigset_t mask;
_cleanup_close_pipe_ int kmsg_socket_pair[2] = { -1, -1 };
_cleanup_fdset_free_ FDSet *fds = NULL;
+ _cleanup_free_ char *kdbus_namespace = NULL;
log_parse_environment();
log_open();
goto finish;
}
+ kdbus_fd = bus_kernel_create_namespace(arg_machine, &kdbus_namespace);
+ if (r < 0)
+ log_debug("Failed to create kdbus namespace: %s", strerror(-r));
+ else
+ log_debug("Successfully created kdbus namespace as %s", kdbus_namespace);
+
if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
log_error("Failed to create kmsg socket pair.");
goto finish;
if (mount_binds(arg_directory, arg_bind_ro, MS_RDONLY) < 0)
goto child_fail;
+ if (setup_kdbus(arg_directory, kdbus_namespace) < 0)
+ goto child_fail;
+
if (chdir(arg_directory) < 0) {
log_error("chdir(%s) failed: %m", arg_directory);
goto child_fail;