diff options
Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/bus-errors.h | 1 | ||||
-rw-r--r-- | src/shared/logs-show.c | 4 | ||||
-rw-r--r-- | src/shared/util.c | 103 | ||||
-rw-r--r-- | src/shared/util.h | 4 |
4 files changed, 73 insertions, 39 deletions
diff --git a/src/shared/bus-errors.h b/src/shared/bus-errors.h index 5637935915..45e129387f 100644 --- a/src/shared/bus-errors.h +++ b/src/shared/bus-errors.h @@ -42,6 +42,7 @@ #define BUS_ERROR_NO_SUCH_MACHINE "org.freedesktop.machine1.NoSuchMachine" #define BUS_ERROR_NO_MACHINE_FOR_PID "org.freedesktop.machine1.NoMachineForPID" #define BUS_ERROR_MACHINE_EXISTS "org.freedesktop.machine1.MachineExists" +#define BUS_ERROR_NO_PRIVATE_NETWORKING "org.freedesktop.machine1.NoPrivateNetworking" #define BUS_ERROR_NO_SUCH_SESSION "org.freedesktop.login1.NoSuchSession" #define BUS_ERROR_NO_SESSION_FOR_PID "org.freedesktop.login1.NoSessionForPID" diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c index 72c9ad2eba..c3578ac918 100644 --- a/src/shared/logs-show.c +++ b/src/shared/logs-show.c @@ -1158,7 +1158,7 @@ static int get_boot_id_for_machine(const char *machine, sd_id128_t *boot_id) { if (r < 0) return r; - r = namespace_open(pid, &pidnsfd, &mntnsfd, &rootfd); + r = namespace_open(pid, &pidnsfd, &mntnsfd, NULL, &rootfd); if (r < 0) return r; @@ -1174,7 +1174,7 @@ static int get_boot_id_for_machine(const char *machine, sd_id128_t *boot_id) { pair[0] = safe_close(pair[0]); - r = namespace_enter(pidnsfd, mntnsfd, rootfd); + r = namespace_enter(pidnsfd, mntnsfd, -1, rootfd); if (r < 0) _exit(EXIT_FAILURE); diff --git a/src/shared/util.c b/src/shared/util.c index 020c1da7a9..0cc51e0962 100644 --- a/src/shared/util.c +++ b/src/shared/util.c @@ -6091,60 +6091,93 @@ int container_get_leader(const char *machine, pid_t *pid) { return 0; } -int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *root_fd) { - _cleanup_close_ int pidnsfd = -1, mntnsfd = -1; - const char *pidns, *mntns, *root; +int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *netns_fd, int *root_fd) { + _cleanup_close_ int pidnsfd = -1, mntnsfd = -1, netnsfd = -1; int rfd; assert(pid >= 0); - assert(pidns_fd); - assert(mntns_fd); - assert(root_fd); - mntns = procfs_file_alloca(pid, "ns/mnt"); - mntnsfd = open(mntns, O_RDONLY|O_NOCTTY|O_CLOEXEC); - if (mntnsfd < 0) - return -errno; + if (mntns_fd) { + const char *mntns; - pidns = procfs_file_alloca(pid, "ns/pid"); - pidnsfd = open(pidns, O_RDONLY|O_NOCTTY|O_CLOEXEC); - if (pidnsfd < 0) - return -errno; + mntns = procfs_file_alloca(pid, "ns/mnt"); + mntnsfd = open(mntns, O_RDONLY|O_NOCTTY|O_CLOEXEC); + if (mntnsfd < 0) + return -errno; + } - root = procfs_file_alloca(pid, "root"); - rfd = open(root, O_RDONLY|O_NOCTTY|O_CLOEXEC|O_DIRECTORY); - if (rfd < 0) - return -errno; + if (pidns_fd) { + const char *pidns; + + pidns = procfs_file_alloca(pid, "ns/pid"); + pidnsfd = open(pidns, O_RDONLY|O_NOCTTY|O_CLOEXEC); + if (pidnsfd < 0) + return -errno; + } + + if (netns_fd) { + const char *netns; + + netns = procfs_file_alloca(pid, "ns/net"); + netnsfd = open(netns, O_RDONLY|O_NOCTTY|O_CLOEXEC); + if (netnsfd < 0) + return -errno; + } + + if (root_fd) { + const char *root; + + root = procfs_file_alloca(pid, "root"); + rfd = open(root, O_RDONLY|O_NOCTTY|O_CLOEXEC|O_DIRECTORY); + if (rfd < 0) + return -errno; + } + + if (pidns_fd) + *pidns_fd = pidnsfd; - *pidns_fd = pidnsfd; - *mntns_fd = mntnsfd; - *root_fd = rfd; - pidnsfd = -1; - mntnsfd = -1; + if (mntns_fd) + *mntns_fd = mntnsfd; + + if (netns_fd) + *netns_fd = netnsfd; + + if (root_fd) + *root_fd = rfd; + + pidnsfd = mntnsfd = netnsfd = -1; return 0; } -int namespace_enter(int pidns_fd, int mntns_fd, int root_fd) { - assert(pidns_fd >= 0); - assert(mntns_fd >= 0); - assert(root_fd >= 0); +int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int root_fd) { - if (setns(pidns_fd, CLONE_NEWPID) < 0) - return -errno; + if (pidns_fd >= 0) + if (setns(pidns_fd, CLONE_NEWPID) < 0) + return -errno; - if (setns(mntns_fd, CLONE_NEWNS) < 0) - return -errno; + if (mntns_fd >= 0) + if (setns(mntns_fd, CLONE_NEWNS) < 0) + return -errno; - if (fchdir(root_fd) < 0) - return -errno; + if (netns_fd >= 0) + if (setns(netns_fd, CLONE_NEWNET) < 0) + return -errno; - if (chroot(".") < 0) - return -errno; + if (root_fd >= 0) { + if (fchdir(root_fd) < 0) + return -errno; + + if (chroot(".") < 0) + return -errno; + } if (setresgid(0, 0, 0) < 0) return -errno; + if (setgroups(0, NULL) < 0) + return -errno; + if (setresuid(0, 0, 0) < 0) return -errno; diff --git a/src/shared/util.h b/src/shared/util.h index f2ce4f0d6e..7a7d15c82c 100644 --- a/src/shared/util.h +++ b/src/shared/util.h @@ -910,8 +910,8 @@ int parse_proc_cmdline(int (*parse_word)(const char *key, const char *value)); int container_get_leader(const char *machine, pid_t *pid); -int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *root_fd); -int namespace_enter(int pidns_fd, int mntns_fd, int root_fd); +int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *netns_fd, int *root_fd); +int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int root_fd); bool pid_is_alive(pid_t pid); bool pid_is_unwaited(pid_t pid); |