From d2d6c096f6373a76f3b303a7a116e7cfe7139c4d Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 23 Nov 2016 22:21:40 +0100
Subject: core: add ability to define arbitrary bind mounts for services

This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow
defining arbitrary bind mounts specific to particular services. This is
particularly useful for services with RootDirectory= set as this permits making
specific bits of the host directory available to chrooted services.

The two new settings follow the concepts nspawn already possess in --bind= and
--bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these
latter options should probably be renamed to BindPaths= and BindReadOnlyPaths=
too).

Fixes: #3439
---
 src/core/namespace.h | 44 ++++++++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 14 deletions(-)

(limited to 'src/core/namespace.h')

diff --git a/src/core/namespace.h b/src/core/namespace.h
index 2c278fd457..de3edc419c 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -21,6 +21,7 @@
 ***/
 
 typedef struct NameSpaceInfo NameSpaceInfo;
+typedef struct BindMount BindMount;
 
 #include <stdbool.h>
 
@@ -51,20 +52,32 @@ struct NameSpaceInfo {
         bool protect_kernel_modules:1;
 };
 
-int setup_namespace(const char *chroot,
-                    const NameSpaceInfo *ns_info,
-                    char **read_write_paths,
-                    char **read_only_paths,
-                    char **inaccessible_paths,
-                    const char *tmp_dir,
-                    const char *var_tmp_dir,
-                    ProtectHome protect_home,
-                    ProtectSystem protect_system,
-                    unsigned long mount_flags);
-
-int setup_tmp_dirs(const char *id,
-                  char **tmp_dir,
-                  char **var_tmp_dir);
+struct BindMount {
+        char *source;
+        char *destination;
+        bool read_only:1;
+        bool recursive:1;
+        bool ignore_enoent:1;
+};
+
+int setup_namespace(
+                const char *root_directory,
+                const NameSpaceInfo *ns_info,
+                char **read_write_paths,
+                char **read_only_paths,
+                char **inaccessible_paths,
+                const BindMount *bind_mounts,
+                unsigned n_bind_mounts,
+                const char *tmp_dir,
+                const char *var_tmp_dir,
+                ProtectHome protect_home,
+                ProtectSystem protect_system,
+                unsigned long mount_flags);
+
+int setup_tmp_dirs(
+                const char *id,
+                char **tmp_dir,
+                char **var_tmp_dir);
 
 int setup_netns(int netns_storage_socket[2]);
 
@@ -73,3 +86,6 @@ ProtectHome protect_home_from_string(const char *s) _pure_;
 
 const char* protect_system_to_string(ProtectSystem p) _const_;
 ProtectSystem protect_system_from_string(const char *s) _pure_;
+
+void bind_mount_free_many(BindMount *b, unsigned n);
+int bind_mount_add(BindMount **b, unsigned *n, const BindMount *item);
-- 
cgit v1.2.3-54-g00ecf