X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fnspawn%2Fnspawn.c;h=646c6c02f387063e03e91c664ada0abe6331b27d;hp=cd63bf6a7fbd9de6b3e489b294cf3060940c0ba3;hb=82adf6af7c72b852449346835f33184a841b4796;hpb=d002827b03d78e31503a6b706ad4b4049ebf9a07
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index cd63bf6a7..646c6c02f 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -41,7 +41,7 @@
 #include
 #include
 #include
-#if HAVE_SELINUX
+#ifdef HAVE_SELINUX
 #include
 #endif
@@ -80,8 +80,8 @@ static char *arg_directory = NULL;
 static char *arg_user = NULL;
 static sd_id128_t arg_uuid = {};
 static char *arg_machine = NULL;
-static char *arg_process_label = NULL;
-static char *arg_file_label = NULL;
+static char *arg_selinux_context = NULL;
+static char *arg_selinux_apifs_context = NULL;
 static const char *arg_slice = NULL;
 static bool arg_private_network = false;
 static bool arg_read_only = false;
@@ -117,6 +117,7 @@ static uint64_t arg_retain =
 static char **arg_bind = NULL;
 static char **arg_bind_ro = NULL;
 static char **arg_setenv = NULL;
+static bool arg_quiet = false;
 static int help(void) {
@@ -130,10 +131,12 @@ static int help(void) {
 " --uuid=UUID Set a specific machine UUID for the container\n"
 " -M --machine=NAME Set the machine name for the container\n"
 " -S --slice=SLICE Place the container in the specified slice\n"
- " -L --file-label=LABEL Set the MAC file label to be used by tmpfs file\n"
- " systems in the container\n"
- " -Z --process-label=LABEL Set the MAC label to be used by processes in\n"
- " the container\n"
+ " -Z --selinux-context=SECLABEL\n"
+ " Set the SELinux security context to be used by\n"
+ " processes in the container\n"
+ " -L --selinux-apifs-context=SECLABEL\n"
+ " Set the SELinux security context to be used by\n"
+ " API/tmpfs file systems in the container\n"
 " --private-network Disable network in container\n"
 " --read-only Mount the root directory read-only\n"
 " --capability=CAP In addition to the default, retain specified\n"
@@ -144,7 +147,8 @@ static int help(void) {
 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
 " the container\n"
 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
- " --setenv=NAME=VALUE Pass an environment variable to PID 1\n",
+ " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
+ " -q --quiet Do not show status information\n",
 program_invocation_short_name);
 return 0;
@@ -166,24 +170,25 @@ static int parse_argv(int argc, char *argv[]) {
 };
 static const struct option options[] = {
- { "help", no_argument, NULL, 'h' },
- { "version", no_argument, NULL, ARG_VERSION },
- { "directory", required_argument, NULL, 'D' },
- { "user", required_argument, NULL, 'u' },
- { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
- { "boot", no_argument, NULL, 'b' },
- { "uuid", required_argument, NULL, ARG_UUID },
- { "read-only", no_argument, NULL, ARG_READ_ONLY },
- { "capability", required_argument, NULL, ARG_CAPABILITY },
- { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
- { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
- { "bind", required_argument, NULL, ARG_BIND },
- { "bind-ro", required_argument, NULL, ARG_BIND_RO },
- { "machine", required_argument, NULL, 'M' },
- { "slice", required_argument, NULL, 'S' },
- { "setenv", required_argument, NULL, ARG_SETENV },
- { "process-label", required_argument, NULL, 'Z' },
- { "file-label", required_argument, NULL, 'L' },
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ { "directory", required_argument, NULL, 'D' },
+ { "user", required_argument, NULL, 'u' },
+ { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
+ { "boot", no_argument, NULL, 'b' },
+ { "uuid", required_argument, NULL, ARG_UUID },
+ { "read-only", no_argument, NULL, ARG_READ_ONLY },
+ { "capability", required_argument, NULL, ARG_CAPABILITY },
+ { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
+ { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
+ { "bind", required_argument, NULL, ARG_BIND },
+ { "bind-ro", required_argument, NULL, ARG_BIND_RO },
+ { "machine", required_argument, NULL, 'M' },
+ { "slice", required_argument, NULL, 'S' },
+ { "setenv", required_argument, NULL, ARG_SETENV },
+ { "selinux-context", required_argument, NULL, 'Z' },
+ { "selinux-apifs-context", required_argument, NULL, 'L' },
+ { "quiet", no_argument, NULL, 'q' },
 {}
 };
@@ -192,7 +197,7 @@ static int parse_argv(int argc, char *argv[]) {
 assert(argc >= 0);
 assert(argv);
- while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:", options, NULL)) >= 0) {
+ while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:q", options, NULL)) >= 0) {
 switch (c) {
@@ -258,12 +263,12 @@ static int parse_argv(int argc, char *argv[]) {
 break;
- case 'L':
- arg_file_label = optarg;
+ case 'Z':
+ arg_selinux_context = optarg;
 break;
- case 'Z':
- arg_process_label = optarg;
+ case 'L':
+ arg_selinux_apifs_context = optarg;
 break;
 case ARG_READ_ONLY:
@@ -373,6 +378,10 @@ static int parse_argv(int argc, char *argv[]) {
 break;
 }
+ case 'q':
+ arg_quiet = true;
+ break;
+
 case '?':
 return -EINVAL;
@@ -442,8 +451,9 @@ static int mount_all(const char *dest) {
 mkdir_p(where, 0755);
 #ifdef HAVE_SELINUX
- if (arg_file_label && (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
- options = strjoin(mount_table[k].options, ",context=\"", arg_file_label, "\"", NULL);
+ if (arg_selinux_apifs_context &&
+ (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
+ options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
 if (!options)
 return log_oom();
@@ -1025,7 +1035,7 @@ static int register_machine(pid_t pid) {
 _cleanup_bus_unref_ sd_bus *bus = NULL;
 int r;
- r = sd_bus_open_system(&bus);
+ r = sd_bus_default_system(&bus);
 if (r < 0) {
 log_error("Failed to open system bus: %s", strerror(-r));
 return r;
@@ -1193,7 +1203,7 @@ int main(int argc, char *argv[]) {
 goto finish;
 }
- if (path_is_os_tree(arg_directory) <= 0) {
+ if (arg_boot && path_is_os_tree(arg_directory) <= 0) {
 log_error("Directory %s doesn't look like an OS root directory (/etc/os-release is missing). Refusing.", arg_directory);
 goto finish;
 }
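Review bot: In the mount_all hunk the new `arg_selinux_apifs_context` is spliced into the mount option string by strjoin() inside `context="…"` without any validation, so a value containing a double quote or a comma terminates the context= option early and whatever follows it is handed to mount() as further options. The value comes straight from `-L` on the command line, so it should be checked before it reaches the mount table, e.g. `if (security_check_context(arg_selinux_apifs_context) < 0) { log_error("Invalid SELinux context: %s", arg_selinux_apifs_context); return -EINVAL; }` (or an equivalent rejection of `"` and `,` in parse_argv). Since the whole branch sits under `#ifdef HAVE_SELINUX`, a build without SELinux accepts `-L` and `-Z` and silently ignores them; parse_argv could refuse them in that configuration so the operator is not left believing the labels were applied. The enclosing loop body of mount_all starts and ends outside the hunk.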
@@ -1222,7 +1232,8 @@ int main(int argc, char *argv[]) {
 goto finish;
 }
- log_info("Spawning container %s on %s. Press ^] three times within 1s to abort execution.", arg_machine, arg_directory);
+ if (!arg_quiet)
+ log_info("Spawning container %s on %s. Press ^] three times within 1s to abort execution.", arg_machine, arg_directory);
 if (unlockpt(master) < 0) {
 log_error("Failed to unlock tty: %m");
@@ -1526,10 +1537,10 @@ int main(int argc, char *argv[]) {
 } else env_use = (char**) envp;
-#if HAVE_SELINUX
- if (arg_process_label)
- if (setexeccon(arg_process_label) < 0)
- log_error("setexeccon(\"%s\") failed: %m", arg_process_label);
+#ifdef HAVE_SELINUX
+ if (arg_selinux_context)
+ if (setexeccon(arg_selinux_context) < 0)
+ log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
 #endif
 if (arg_boot) {
 char **a;
@@ -1579,7 +1590,8 @@ int main(int argc, char *argv[]) {
 break;
 }
- putc('\n', stdout);
+ if (!arg_quiet)
+ putc('\n', stdout);
 /* Kill if it is not dead yet anyway */
 terminate_machine(pid);
@@ -1602,16 +1614,21 @@ int main(int argc, char *argv[]) {
 break;
 }
- log_debug("Container %s exited successfully.", arg_machine);
+ if (!arg_quiet)
+ log_debug("Container %s exited successfully.", arg_machine);
 break;
 } else if (status.si_code == CLD_KILLED && status.si_status == SIGINT) {
- log_info("Container %s has been shut down.", arg_machine);
+
+ if (!arg_quiet)
+ log_info("Container %s has been shut down.", arg_machine);
 r = 0;
 break;
 } else if (status.si_code == CLD_KILLED && status.si_status == SIGHUP) {
- log_info("Container %s is being rebooted.", arg_machine);
+
+ if (!arg_quiet)
+ log_info("Container %s is being rebooted.", arg_machine);
 continue;
 } else if (status.si_code == CLD_KILLED || status.si_code == CLD_DUMPED) {
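Review bot: In the setexeccon hunk a failed setexeccon() is only logged and execution falls through to the exec, so the container's init is started without the confinement the operator explicitly requested with `-Z`; a security option that cannot be honoured should be fatal rather than fail open. This appears to be the pre-exec child path (env_use is being assembled just above), so the failure branch should stop the child instead of continuing, e.g. `log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context); _exit(EXIT_FAILURE);` — the exact exit route should match whatever the surrounding child code uses for its other fatal errors, which is not visible here. The enclosing function main() starts and ends outside the hunk.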