X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fnspawn%2Fnspawn.c;h=04396ebed11716053e96a936d4d2678422ef503a;hb=f01ae8260d90ccff2f299242cd370ab58ea723f0;hp=9ca53cd1b40b485fc4d05aa996a2fe8972584f82;hpb=b9ba4dabbab8a58a044ec42655e11e65bd3ecc47;p=elogind.git

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 9ca53cd1b..04396ebed 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -31,7 +31,6 @@
 #include <stdio.h>
 #include <errno.h>
 #include <sys/prctl.h>
-#include <sys/capability.h>
 #include <getopt.h>
 #include <termios.h>
 #include <sys/signalfd.h>
@@ -90,6 +89,7 @@
 #include "base-filesystem.h"
 #include "barrier.h"
 #include "event-util.h"
+#include "capability.h"
 #include "cap-list.h"
 #include "btrfs-util.h"
 
@@ -2082,6 +2082,27 @@ finish:
 
 }
 
+static int setup_propagate(const char *root) {
+        const char *p, *q;
+
+        (void) mkdir_p("/run/systemd/nspawn/", 0755);
+        (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
+        p = strappenda("/run/systemd/nspawn/propagate/", arg_machine);
+        (void) mkdir_p(p, 0600);
+
+        q = strappenda(root, "/run/systemd/nspawn/incoming");
+        mkdir_parents(q, 0755);
+        mkdir_p(q, 0600);
+
+        if (mount(p, q, NULL, MS_BIND, NULL) < 0)
+                return log_error_errno(errno, "Failed to install propagation bind mount.");
+
+        if (mount(NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0)
+                return log_error_errno(errno, "Failed to make propagation mount read-only");
+
+        return 0;
+}
+
 static int setup_image(char **device_path, int *loop_nr) {
         struct loop_info64 info = {
                 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
@@ -2910,13 +2931,12 @@ static int determine_names(void) {
 
 int main(int argc, char *argv[]) {
 
-        _cleanup_free_ char *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
+        _cleanup_free_ char *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL, *console = NULL;
         bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
         _cleanup_close_ int master = -1, image_fd = -1;
         _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
         _cleanup_fdset_free_ FDSet *fds = NULL;
         int r, n_fd_passed, loop_nr = -1;
-        const char *console = NULL;
         char veth_name[IFNAMSIZ];
         bool secondary = false, remove_subvol = false;
         sigset_t mask, mask_chld;
@@ -3073,9 +3093,9 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
-        console = ptsname(master);
-        if (!console) {
-                r = log_error_errno(errno, "Failed to determine tty name: %m");
+        r = ptsname_malloc(master, &console);
+        if (r < 0) {
+                r = log_error_errno(r, "Failed to determine tty name: %m");
                 goto finish;
         }
 
@@ -3133,9 +3153,9 @@ int main(int argc, char *argv[]) {
                         goto finish;
                 }
 
-                pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWNS|
-                                          (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
-                                          (arg_private_network ? CLONE_NEWNET : 0), NULL);
+                pid = raw_clone(SIGCHLD|CLONE_NEWNS|
+                                (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
+                                (arg_private_network ? CLONE_NEWNET : 0), NULL);
                 if (pid < 0) {
                         if (errno == EINVAL)
                                 r = log_error_errno(errno, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
@@ -3260,6 +3280,9 @@ int main(int argc, char *argv[]) {
 
                         dev_setup(arg_directory);
 
+                        if (setup_propagate(arg_directory) < 0)
+                                _exit(EXIT_FAILURE);
+
                         if (setup_seccomp() < 0)
                                 _exit(EXIT_FAILURE);
 
@@ -3438,6 +3461,7 @@ int main(int argc, char *argv[]) {
                 if (barrier_place_and_sync(&barrier)) {
                         _cleanup_event_unref_ sd_event *event = NULL;
                         _cleanup_(pty_forward_freep) PTYForward *forward = NULL;
+                        char last_char = 0;
                         int ifi = 0;
 
                         r = move_network_interfaces(pid);
@@ -3495,7 +3519,7 @@ int main(int argc, char *argv[]) {
                         /* simply exit on sigchld */
                         sd_event_add_signal(event, NULL, SIGCHLD, NULL, NULL);
 
-                        r = pty_forward_new(event, master, &forward);
+                        r = pty_forward_new(event, master, true, &forward);
                         if (r < 0) {
                                 log_error_errno(r, "Failed to create PTY forwarder: %m");
                                 goto finish;
@@ -3507,9 +3531,11 @@ int main(int argc, char *argv[]) {
                                 goto finish;
                         }
 
+                        pty_forward_last_char(forward, &last_char);
+
                         forward = pty_forward_free(forward);
 
-                        if (!arg_quiet)
+                        if (!arg_quiet && last_char != '\n')
                                 putc('\n', stdout);
 
                         /* Kill if it is not dead yet anyway */
@@ -3571,6 +3597,13 @@ finish:
                         log_warning_errno(k, "Cannot remove subvolume '%s', ignoring: %m", arg_directory);
         }
 
+        if (arg_machine) {
+                const char *p;
+
+                p = strappenda("/run/systemd/nspawn/propagate", arg_machine);
+                (void) rm_rf(p, false, true, false);
+        }
+
         free(arg_directory);
         free(arg_template);
         free(arg_image);