• source navigation  • diff markup  • identifier search  • freetext search  • 

Sources/procd/jail/jail.c

  1 /*
  2  * Copyright (C) 2015 John Crispin <blogic@openwrt.org>
  3  * Copyright (C) 2020 Daniel Golle <daniel@makrotopia.org>
  4  *
  5  * This program is free software; you can redistribute it and/or modify
  6  * it under the terms of the GNU Lesser General Public License version 2.1
  7  * as published by the Free Software Foundation
  8  *
  9  * This program is distributed in the hope that it will be useful,
 10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 12  * GNU General Public License for more details.
 13  */
 14 
 15 #define _GNU_SOURCE
 16 #include <sys/mount.h>
 17 #include <sys/prctl.h>
 18 #include <sys/wait.h>
 19 #include <sys/types.h>
 20 #include <sys/time.h>
 21 #include <sys/resource.h>
 22 #include <sys/stat.h>
 23 #include <sys/sysmacros.h>
 24 
 25 /* musl only defined 15 limit types, make sure all 16 are supported */
 26 #ifndef RLIMIT_RTTIME
 27 #define RLIMIT_RTTIME 15
 28 #undef RLIMIT_NLIMITS
 29 #define RLIMIT_NLIMITS 16
 30 #undef RLIM_NLIMITS
 31 #define RLIM_NLIMITS 16
 32 #endif
 33 
 34 #include <stdlib.h>
 35 #include <unistd.h>
 36 #include <errno.h>
 37 #include <pwd.h>
 38 #include <grp.h>
 39 #include <string.h>
 40 #include <fcntl.h>
 41 #include <sched.h>
 42 #include <linux/filter.h>
 43 #include <linux/limits.h>
 44 #include <linux/nsfs.h>
 45 #include <signal.h>
 46 #include <inttypes.h>
 47 
 48 #include "capabilities.h"
 49 #include "elf.h"
 50 #include "fs.h"
 51 #include "jail.h"
 52 #include "log.h"
 53 #include "seccomp-oci.h"
 54 #include "cgroups.h"
 55 
 56 #include <libubox/utils.h>
 57 #include <libubox/blobmsg.h>
 58 #include <libubox/blobmsg_json.h>
 59 #include <libubox/list.h>
 60 #include <libubox/vlist.h>
 61 #include <libubox/uloop.h>
 62 #include <libubus.h>
 63 
 64 #ifndef CLONE_NEWCGROUP
 65 #define CLONE_NEWCGROUP 0x02000000
 66 #endif
 67 
 68 #define STACK_SIZE      (1024 * 1024)
 69 #define OPT_ARGS        "S:C:n:h:r:w:d:psulocU:G:NR:fFO:T:EyJ:i"
 70 
 71 #define OCI_VERSION_STRING "1.0.2"
 72 
 73 struct hook_execvpe {
 74         char *file;
 75         char **argv;
 76         char **envp;
 77         int timeout;
 78 };
 79 
 80 struct sysctl_val {
 81         char *entry;
 82         char *value;
 83 };
 84 
 85 struct mknod_args {
 86         char *path;
 87         mode_t mode;
 88         dev_t dev;
 89         uid_t uid;
 90         gid_t gid;
 91 };
 92 
 93 static struct {
 94         char *name;
 95         char *hostname;
 96         char **jail_argv;
 97         char *cwd;
 98         char *seccomp;
 99         struct sock_fprog *ociseccomp;
100         char *capabilities;
101         struct jail_capset capset;
102         char *user;
103         char *group;
104         char *extroot;
105         char *overlaydir;
106         char *tmpoverlaysize;
107         char **envp;
108         char *uidmap;
109         char *gidmap;
110         struct sysctl_val **sysctl;
111         int no_new_privs;
112         int namespace;
113         struct {
114                 int pid;
115                 int net;
116                 int ns;
117                 int ipc;
118                 int uts;
119                 int user;
120                 int cgroup;
121 #ifdef CLONE_NEWTIME
122                 int time;
123 #endif
124         } setns;
125         int procfs;
126         int ronly;
127         int sysfs;
128         int console;
129         int pw_uid;
130         int pw_gid;
131         int gr_gid;
132         gid_t *additional_gids;
133         size_t num_additional_gids;
134         mode_t umask;
135         bool set_umask;
136         int require_jail;
137         struct {
138                 struct hook_execvpe **createRuntime;
139                 struct hook_execvpe **createContainer;
140                 struct hook_execvpe **startContainer;
141                 struct hook_execvpe **poststart;
142                 struct hook_execvpe **poststop;
143         } hooks;
144         struct rlimit *rlimits[RLIM_NLIMITS];
145         int oom_score_adj;
146         bool set_oom_score_adj;
147         struct mknod_args **devices;
148         char *ocibundle;
149         bool immediately;
150         struct blob_attr *annotations;
151 } opts;
152 
153 static struct blob_buf ocibuf;
154 
155 extern int pivot_root(const char *new_root, const char *put_old);
156 
157 int debug = 0;
158 
159 static char child_stack[STACK_SIZE];
160 
161 static struct ubus_context *parent_ctx;
162 
163 int console_fd;
164 
165 
166 static inline bool has_namespaces(void)
167 {
168 return ((opts.setns.pid != -1) ||
169         (opts.setns.net != -1) ||
170         (opts.setns.ns != -1) ||
171         (opts.setns.ipc != -1) ||
172         (opts.setns.uts != -1) ||
173         (opts.setns.user != -1) ||
174         (opts.setns.cgroup != -1) ||
175 #ifdef CLONE_NEWTIME
176         (opts.setns.time != -1) ||
177 #endif
178         opts.namespace);
179 }
180 
181 static void free_hooklist(struct hook_execvpe **hooklist)
182 {
183         struct hook_execvpe *cur;
184         char **tmp;
185 
186         if (!hooklist)
187                 return;
188 
189         cur = *hooklist;
190         while (cur) {
191                 free(cur->file);
192                 tmp = cur->argv;
193                 while (tmp)
194                         free(*(tmp++));
195 
196                 free(cur->argv);
197 
198                 tmp = cur->envp;
199                 while (tmp)
200                         free(*(tmp++));
201 
202                 free(cur->envp);
203                 free(cur++);
204         }
205         free(hooklist);
206 }
207 
208 static void free_sysctl(void) {
209         struct sysctl_val *cur;
210         cur = *opts.sysctl;
211 
212         while (cur) {
213                 free(cur->entry);
214                 free(cur->value);
215                 free(cur++);
216         }
217         free(opts.sysctl);
218 }
219 
220 static void free_devices(void) {
221         struct mknod_args **cur;
222 
223         if (!opts.devices)
224                 return;
225 
226         cur = opts.devices;
227 
228         while (*cur) {
229                 free((*cur)->path);
230                 free(*(cur++));
231         }
232         free(opts.devices);
233 }
234 
235 static void free_rlimits(void) {
236         int type;
237 
238         for (type = 0; type < RLIM_NLIMITS; ++type)
239                 free(opts.rlimits[type]);
240 }
241 
242 static void free_opts(bool parent) {
243         char **tmp;
244 
245         /* we need to keep argv, envp and seccomp filter in child */
246         if (parent) { /* parent-only */
247                 if (opts.ociseccomp) {
248                         free(opts.ociseccomp->filter);
249                         free(opts.ociseccomp);
250                 }
251 
252                 tmp = opts.jail_argv;
253                 while(tmp)
254                         free(*(tmp++));
255 
256                 free(opts.jail_argv);
257 
258                 tmp = opts.envp;
259                 while (tmp)
260                         free(*(tmp++));
261 
262                 free(opts.envp);
263         } else { /* child-only */
264                 if (opts.ocibundle)
265                         cgroups_free();
266         }
267 
268         free_rlimits();
269         free_sysctl();
270         free_devices();
271         free(opts.hostname);
272         free(opts.cwd);
273         free(opts.extroot);
274         free(opts.uidmap);
275         free(opts.gidmap);
276         free(opts.annotations);
277         free(opts.ocibundle);
278         free_hooklist(opts.hooks.createRuntime);
279         free_hooklist(opts.hooks.createContainer);
280         free_hooklist(opts.hooks.startContainer);
281         free_hooklist(opts.hooks.poststart);
282         free_hooklist(opts.hooks.poststop);
283 }
284 
285 static int mount_overlay(char *jail_root, char *overlaydir) {
286         char *upperdir, *workdir, *optsstr, *upperetc, *upperresolvconf;
287         const char mountoptsformat[] = "lowerdir=%s,upperdir=%s,workdir=%s";
288         int ret = -1, fd;
289 
290         if (asprintf(&upperdir, "%s%s", overlaydir, "/upper") < 0)
291                 goto out;
292 
293         if (asprintf(&workdir, "%s%s", overlaydir, "/work") < 0)
294                 goto upper_printf;
295 
296         if (asprintf(&optsstr, mountoptsformat, jail_root, upperdir, workdir) < 0)
297                 goto work_printf;
298 
299         if (mkdir_p(upperdir, 0755) || mkdir_p(workdir, 0755))
300                 goto opts_printf;
301 
302 /*
303  * make sure /etc/resolv.conf exists in overlay and is owned by jail userns root
304  * this is to work-around a bug in overlayfs described in the overlayfs-userns
305  * patch:
306  * 3. modification of a file 'hithere' which is in l but not yet
307  * in u, and which is not owned by T, is not allowed, even if
308  * writes to u are allowed.  This may be a bug in overlayfs,
309  * but it is safe behavior.
310  */
311         if (asprintf(&upperetc, "%s/etc", upperdir) < 0)
312                 goto opts_printf;
313 
314         if (mkdir_p(upperetc, 0755))
315                 goto upper_etc_printf;
316 
317         if (asprintf(&upperresolvconf, "%s/resolv.conf", upperetc) < 0)
318                 goto upper_etc_printf;
319 
320         fd = creat(upperresolvconf, 0644);
321         if (fd == -1) {
322                 ERROR("creat(%s) failed: %m\n", upperresolvconf);
323                 goto upper_resolvconf_printf;
324         }
325         close(fd);
326 
327         DEBUG("mount -t overlay %s %s (%s)\n", jail_root, jail_root, optsstr);
328 
329         if (mount(jail_root, jail_root, "overlay", MS_NOATIME, optsstr))
330                 goto opts_printf;
331 
332         ret = 0;
333 
334 upper_resolvconf_printf:
335         free(upperresolvconf);
336 upper_etc_printf:
337         free(upperetc);
338 opts_printf:
339         free(optsstr);
340 work_printf:
341         free(workdir);
342 upper_printf:
343         free(upperdir);
344 out:
345         return ret;
346 }
347 
348 static void pass_console(int console_fd)
349 {
350         struct ubus_context *child_ctx = ubus_connect(NULL);
351         static struct blob_buf req;
352         uint32_t id;
353 
354         if (!child_ctx)
355                 return;
356 
357         blob_buf_init(&req, 0);
358         blobmsg_add_string(&req, "name", opts.name);
359 
360         if (ubus_lookup_id(child_ctx, "container", &id) ||
361             ubus_invoke_fd(child_ctx, id, "console_set", req.head, NULL, NULL, 3000, console_fd))
362                 INFO("ubus request failed\n");
363         else
364                 close(console_fd);
365 
366         blob_buf_free(&req);
367         ubus_free(child_ctx);
368 }
369 
370 static int create_dev_console(const char *jail_root)
371 {
372         char *console_fname;
373         char dev_console_path[PATH_MAX];
374         int slave_console_fd;
375 
376         /* Open UNIX/98 virtual console */
377         console_fd = posix_openpt(O_RDWR | O_NOCTTY);
378         if (console_fd == -1)
379                 return -1;
380 
381         console_fname = ptsname(console_fd);
382         DEBUG("got console fd %d and PTS client name %s\n", console_fd, console_fname);
383         if (!console_fname)
384                 goto no_console;
385 
386         grantpt(console_fd);
387         unlockpt(console_fd);
388 
389         /* pass PTY master to procd */
390         pass_console(console_fd);
391 
392         /* mount-bind PTY slave to /dev/console in jail */
393         snprintf(dev_console_path, sizeof(dev_console_path), "%s/dev/console", jail_root);
394         close(creat(dev_console_path, 0620));
395 
396         if (mount(console_fname, dev_console_path, NULL, MS_BIND, NULL))
397                 goto no_console;
398 
399         /* use PTY slave for stdio */
400         slave_console_fd = open(console_fname, O_RDWR); /* | O_NOCTTY */
401         dup2(slave_console_fd, 0);
402         dup2(slave_console_fd, 1);
403         dup2(slave_console_fd, 2);
404         close(slave_console_fd);
405 
406         INFO("using guest console %s\n", console_fname);
407 
408         return 0;
409 
410 no_console:
411         close(console_fd);
412         return 1;
413 }
414 
415 static int hook_running = 0;
416 static int hook_return_code = 0;
417 static struct hook_execvpe **current_hook = NULL;
418 typedef void (*hook_return_handler)(void);
419 static hook_return_handler hook_return_cb = NULL;
420 
421 static void hook_process_timeout_cb(struct uloop_timeout *t);
422 static struct uloop_timeout hook_process_timeout = {
423         .cb = hook_process_timeout_cb,
424 };
425 
426 static void run_hooklist(void);
427 static void hook_process_handler(struct uloop_process *c, int ret)
428 {
429         uloop_timeout_cancel(&hook_process_timeout);
430 
431         if (WIFEXITED(ret)) {
432                 hook_return_code = WEXITSTATUS(ret);
433                 if (hook_return_code)
434                         ERROR("hook (%d) exited with exit: %d\n", c->pid, hook_return_code);
435                 else
436                         DEBUG("hook (%d) exited with exit: %d\n", c->pid, hook_return_code);
437 
438         } else {
439                 hook_return_code = WTERMSIG(ret);
440                 ERROR("hook (%d) exited with signal: %d\n", c->pid, hook_return_code);
441         }
442         hook_running = 0;
443         ++current_hook;
444         run_hooklist();
445 }
446 
447 static struct uloop_process hook_process = {
448         .cb = hook_process_handler,
449 };
450 
451 static void hook_process_timeout_cb(struct uloop_timeout *t)
452 {
453         DEBUG("hook process failed to stop, sending SIGKILL\n");
454         kill(hook_process.pid, SIGKILL);
455 }
456 
457 static void run_hooklist(void)
458 {
459         struct hook_execvpe *hook = *current_hook;
460         struct stat s;
461 
462         if (!hook)
463                 hook_return_cb();
464 
465         DEBUG("executing hook %s\n", hook->file);
466 
467         if (stat(hook->file, &s))
468                 hook_process_handler(&hook_process, ENOENT);
469 
470         if (!((unsigned long)s.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
471                 hook_process_handler(&hook_process, EPERM);
472 
473         if (!((unsigned long)s.st_mode & (S_IRUSR | S_IRGRP | S_IROTH)))
474                 hook_process_handler(&hook_process, EPERM);
475 
476         hook_running = 1;
477         hook_process.pid = fork();
478         if (hook_process.pid == 0) {
479                 /* child */
480                 execve(hook->file, hook->argv, hook->envp);
481                 ERROR("execve error %m\n");
482                 _exit(errno);
483         } else if (hook_process.pid < 0) {
484                 /* fork error */
485                 ERROR("hook fork error\n");
486                 hook_running = 0;
487                 hook_process_handler(&hook_process, errno);
488         }
489 
490         /* parent */
491         uloop_process_add(&hook_process);
492 
493         if (hook->timeout > 0)
494                 uloop_timeout_set(&hook_process_timeout, 1000 * hook->timeout);
495 
496         uloop_run();
497         if (hook_running) {
498                 DEBUG("uloop interrupted, killing jail process\n");
499                 kill(hook_process.pid, SIGTERM);
500                 uloop_timeout_set(&hook_process_timeout, 1000);
501                 uloop_run();
502         }
503 }
504 
505 static void run_hooks(struct hook_execvpe **hooklist, hook_return_handler return_cb)
506 {
507         if (!hooklist)
508                 return_cb();
509 
510         current_hook = hooklist;
511         hook_return_cb = return_cb;
512 
513         run_hooklist();
514 }
515 
516 static int apply_sysctl(const char *jail_root)
517 {
518         struct sysctl_val **cur;
519         char *procdir, *fname;
520         int f;
521 
522         if (!opts.sysctl)
523                 return 0;
524 
525         asprintf(&procdir, "%s/proc", jail_root);
526         if (!procdir)
527                 return ENOMEM;
528 
529         mkdir(procdir, 0700);
530         if (mount("proc", procdir, "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0))
531                 return EPERM;
532 
533         cur = opts.sysctl;
534 
535         while (*cur) {
536                 asprintf(&fname, "%s/sys/%s", procdir, (*cur)->entry);
537                 if (!fname)
538                         return ENOMEM;
539 
540                 DEBUG("sysctl: writing '%s' to %s\n", (*cur)->value, fname);
541 
542                 f = open(fname, O_WRONLY);
543                 if (f == -1) {
544                         ERROR("sysctl: can't open %s\n", fname);
545                         return errno;
546                 }
547                 write(f, (*cur)->value, strlen((*cur)->value));
548 
549                 free(fname);
550                 close(f);
551                 ++cur;
552         }
553         umount(procdir);
554         rmdir(procdir);
555         free(procdir);
556 
557         return 0;
558 }
559 
560 /* glibc defines makedev calling a function. make sure it's a pure macro */
561 #if defined(__GLIBC__)
562 #undef makedev
563 /* from musl's sys/sysmacros.h */
564 #define makedev(x,y) ( \
565         (((x)&0xfffff000ULL) << 32) | \
566         (((x)&0x00000fffULL) << 8) | \
567         (((y)&0xffffff00ULL) << 12) | \
568         (((y)&0x000000ffULL)) )
569 #endif
570 
571 static struct mknod_args default_devices[] = {
572         { .path = "/dev/null", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 3) },
573         { .path = "/dev/zero", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 5) },
574         { .path = "/dev/full", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 7) },
575         { .path = "/dev/random", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 8) },
576         { .path = "/dev/urandom", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 9) },
577         { .path = "/dev/tty", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP), .dev = makedev(5, 0), .gid = 5 },
578         { 0 },
579 };
580 
581 static int create_devices(void)
582 {
583         struct mknod_args **cur, *curdef;
584 
585         if (!opts.devices)
586                 goto only_default_devices;
587 
588         cur = opts.devices;
589 
590         while (*cur) {
591                 DEBUG("creating %s (mode=%08o)\n", (*cur)->path, (*cur)->mode);
592                 if (mknod((*cur)->path, (*cur)->mode, (*cur)->dev))
593                         return errno;
594 
595                 if (((*cur)->uid || (*cur)->gid) &&
596                     chown((*cur)->path, (*cur)->uid, (*cur)->gid))
597                         return errno;
598 
599                 ++cur;
600         }
601 
602 only_default_devices:
603         curdef = default_devices;
604         while(curdef->path) {
605                 DEBUG("creating %s (mode=%08o)\n", curdef->path, curdef->mode);
606                 if (mknod(curdef->path, curdef->mode, curdef->dev)) {
607                         ++curdef;
608                         continue; /* may already exist, eg. due to a bind-mount */
609                 }
610                 if ((curdef->uid || curdef->gid) &&
611                     chown(curdef->path, curdef->uid, curdef->gid))
612                         return errno;
613 
614                 ++curdef;
615         }
616 
617         /* Dev symbolic links as defined in OCI spec */
618         symlink("/dev/pts/ptmx", "/dev/ptmx");
619         symlink("/proc/self/fd", "/dev/fd");
620         symlink("/proc/self/fd/0", "/dev/stdin");
621         symlink("/proc/self/fd/1", "/dev/stdout");
622         symlink("/proc/self/fd/2", "/dev/stderr");
623 
624         return 0;
625 }
626 
627 static char jail_root[] = "/tmp/ujail-XXXXXX";
628 static char tmpovdir[] = "/tmp/ujail-overlay-XXXXXX";
629 static mode_t old_umask;
630 static void enter_jail_fs(void);
631 static int build_jail_fs(void)
632 {
633         char *overlaydir = NULL;
634 
635         old_umask = umask(0);
636 
637         if (mkdtemp(jail_root) == NULL) {
638                 ERROR("mkdtemp(%s) failed: %m\n", jail_root);
639                 return -1;
640         }
641 
642         if (apply_sysctl(jail_root)) {
643                 ERROR("failed to apply sysctl values\n");
644                 return -1;
645         }
646 
647         /* oldroot can't be MS_SHARED else pivot_root() fails */
648         if (mount("none", "/", NULL, MS_REC|MS_PRIVATE, NULL)) {
649                 ERROR("private mount failed %m\n");
650                 return -1;
651         }
652 
653         if (opts.extroot) {
654                 if (mount(opts.extroot, jail_root, NULL, MS_BIND, NULL)) {
655                         ERROR("extroot mount failed %m\n");
656                         return -1;
657                 }
658         } else {
659                 if (mount("tmpfs", jail_root, "tmpfs", MS_NOATIME, "mode=0755")) {
660                         ERROR("tmpfs mount failed %m\n");
661                         return -1;
662                 }
663         }
664 
665         if (opts.tmpoverlaysize) {
666                 char mountoptsstr[] = "mode=0755,size=XXXXXXXX";
667 
668                 snprintf(mountoptsstr, sizeof(mountoptsstr),
669                          "mode=0755,size=%s", opts.tmpoverlaysize);
670                 if (mkdtemp(tmpovdir) == NULL) {
671                         ERROR("mkdtemp(%s) failed: %m\n", jail_root);
672                         return -1;
673                 }
674                 if (mount("tmpfs", tmpovdir, "tmpfs", MS_NOATIME,
675                           mountoptsstr)) {
676                         ERROR("failed to mount tmpfs for overlay (size=%s)\n", opts.tmpoverlaysize);
677                         return -1;
678                 }
679                 overlaydir = tmpovdir;
680         }
681 
682         if (opts.overlaydir)
683                 overlaydir = opts.overlaydir;
684 
685         if (overlaydir)
686                 mount_overlay(jail_root, overlaydir);
687 
688         if (chdir(jail_root)) {
689                 ERROR("chdir(%s) (jail_root) failed: %m\n", jail_root);
690                 return -1;
691         }
692 
693         if (mount_all(jail_root)) {
694                 ERROR("mount_all() failed\n");
695                 return -1;
696         }
697 
698         if (opts.console)
699                 create_dev_console(jail_root);
700 
701         /* make sure /etc/resolv.conf exists if in new network namespace */
702         if (opts.namespace & CLONE_NEWNET) {
703                 char jailetc[PATH_MAX], jaillink[PATH_MAX];
704 
705                 snprintf(jailetc, PATH_MAX, "%s/etc", jail_root);
706                 mkdir_p(jailetc, 0755);
707                 snprintf(jaillink, PATH_MAX, "%s/etc/resolv.conf", jail_root);
708                 if (overlaydir)
709                         unlink(jaillink);
710 
711                 symlink("../dev/resolv.conf.d/resolv.conf.auto", jaillink);
712         }
713 
714         run_hooks(opts.hooks.createContainer, enter_jail_fs);
715 
716         return 0;
717 }
718 
719 static void post_jail_fs(void);
720 static void enter_jail_fs(void)
721 {
722         char dirbuf[sizeof(jail_root) + 4];
723 
724         snprintf(dirbuf, sizeof(dirbuf), "%s/old", jail_root);
725         mkdir(dirbuf, 0755);
726 
727         if (pivot_root(jail_root, dirbuf) == -1) {
728                 ERROR("pivot_root(%s, %s) failed: %m\n", jail_root, dirbuf);
729                 exit(-1);
730         }
731         if (chdir("/")) {
732                 ERROR("chdir(/) (after pivot_root) failed: %m\n");
733                 exit(-1);
734         }
735 
736         snprintf(dirbuf, sizeof(dirbuf), "/old%s", jail_root);
737         umount2(dirbuf, MNT_DETACH);
738         rmdir(dirbuf);
739         if (opts.tmpoverlaysize) {
740                 char tmpdirbuf[sizeof(tmpovdir) + 4];
741                 snprintf(tmpdirbuf, sizeof(tmpdirbuf), "/old%s", tmpovdir);
742                 umount2(tmpdirbuf, MNT_DETACH);
743                 rmdir(tmpdirbuf);
744         }
745 
746         umount2("/old", MNT_DETACH);
747         rmdir("/old");
748 
749         if (create_devices()) {
750                 ERROR("create_devices() failed\n");
751                 exit(-1);
752         }
753         if (opts.ronly)
754                 mount(NULL, "/", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, 0);
755 
756         umask(old_umask);
757         post_jail_fs();
758 }
759 
760 static int write_uid_gid_map(pid_t child_pid, bool gidmap, char *mapstr)
761 {
762         int map_file;
763         char map_path[64];
764 
765         if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s",
766                 child_pid, gidmap?"gid_map":"uid_map") < 0)
767                 return -1;
768 
769         if ((map_file = open(map_path, O_WRONLY)) == -1)
770                 return -1;
771 
772         if (dprintf(map_file, "%s", mapstr)) {
773                 close(map_file);
774                 return -1;
775         }
776 
777         close(map_file);
778         free(mapstr);
779         return 0;
780 }
781 
782 static int write_single_uid_gid_map(pid_t child_pid, bool gidmap, int id)
783 {
784         int map_file;
785         char map_path[64];
786         const char *map_format = "%d %d %d\n";
787         if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s",
788                 child_pid, gidmap?"gid_map":"uid_map") < 0)
789                 return -1;
790 
791         if ((map_file = open(map_path, O_WRONLY)) == -1)
792                 return -1;
793 
794         if (dprintf(map_file, map_format, 0, id, 1) == -1) {
795                 close(map_file);
796                 return -1;
797         }
798 
799         close(map_file);
800         return 0;
801 }
802 
803 static int write_setgroups(pid_t child_pid, bool allow)
804 {
805         int setgroups_file;
806         char setgroups_path[64];
807 
808         if (snprintf(setgroups_path, sizeof(setgroups_path), "/proc/%d/setgroups",
809                 child_pid) < 0) {
810                 return -1;
811         }
812 
813         if ((setgroups_file = open(setgroups_path, O_WRONLY)) == -1) {
814                 return -1;
815         }
816 
817         if (dprintf(setgroups_file, "%s", allow?"allow":"deny") == -1) {
818                 close(setgroups_file);
819                 return -1;
820         }
821 
822         close(setgroups_file);
823         return 0;
824 }
825 
826 static void get_jail_user(int *user, int *user_gid, int *gr_gid)
827 {
828         struct passwd *p = NULL;
829         struct group *g = NULL;
830 
831         if (opts.user) {
832                 p = getpwnam(opts.user);
833                 if (!p) {
834                         ERROR("failed to get uid/gid for user %s: %d (%s)\n",
835                               opts.user, errno, strerror(errno));
836                         exit(EXIT_FAILURE);
837                 }
838                 *user = p->pw_uid;
839                 *user_gid = p->pw_gid;
840         } else {
841                 *user = -1;
842                 *user_gid = -1;
843         }
844 
845         if (opts.group) {
846                 g = getgrnam(opts.group);
847                 if (!g) {
848                         ERROR("failed to get gid for group %s: %m\n", opts.group);
849                         exit(EXIT_FAILURE);
850                 }
851                 *gr_gid = g->gr_gid;
852         } else {
853                 *gr_gid = -1;
854         }
855 };
856 
857 static void set_jail_user(int pw_uid, int user_gid, int gr_gid)
858 {
859         if (opts.user && (user_gid != -1) && initgroups(opts.user, user_gid)) {
860                 ERROR("failed to initgroups() for user %s: %m\n", opts.user);
861                 exit(EXIT_FAILURE);
862         }
863 
864         if ((gr_gid != -1) && setregid(gr_gid, gr_gid)) {
865                 ERROR("failed to set group id %d: %m\n", gr_gid);
866                 exit(EXIT_FAILURE);
867         }
868 
869         if ((pw_uid != -1) && setreuid(pw_uid, pw_uid)) {
870                 ERROR("failed to set user id %d: %m\n", pw_uid);
871                 exit(EXIT_FAILURE);
872         }
873 }
874 
875 static int apply_rlimits(void)
876 {
877         int resource;
878 
879         for (resource = 0; resource < RLIM_NLIMITS; ++resource) {
880                 if (opts.rlimits[resource])
881                         DEBUG("applying limits to resource %u\n", resource);
882 
883                 if (opts.rlimits[resource] &&
884                     setrlimit(resource, opts.rlimits[resource]))
885                         return errno;
886         }
887 
888         return 0;
889 }
890 
891 #define MAX_ENVP        8
892 static char** build_envp(const char *seccomp, char **ocienvp)
893 {
894         static char *envp[MAX_ENVP];
895         static char preload_var[PATH_MAX];
896         static char seccomp_var[PATH_MAX];
897         static char debug_var[] = "LD_DEBUG=all";
898         static char container_var[] = "container=ujail";
899         const char *preload_lib = find_lib("libpreload-seccomp.so");
900         char **addenv;
901 
902         int count = 0;
903 
904         if (seccomp && !preload_lib) {
905                 ERROR("failed to add preload-lib to env\n");
906                 return NULL;
907         }
908         if (seccomp) {
909                 snprintf(seccomp_var, sizeof(seccomp_var), "SECCOMP_FILE=%s", seccomp);
910                 envp[count++] = seccomp_var;
911                 snprintf(preload_var, sizeof(preload_var), "LD_PRELOAD=%s", preload_lib);
912                 envp[count++] = preload_var;
913         }
914 
915         envp[count++] = container_var;
916 
917         if (debug > 1)
918                 envp[count++] = debug_var;
919 
920         addenv = ocienvp;
921         while (addenv && *addenv) {
922                 envp[count++] = *(addenv++);
923                 if (count >= MAX_ENVP) {
924                         ERROR("environment limited to %d extra records, truncating\n", MAX_ENVP);
925                         break;
926                 }
927         }
928         return envp;
929 }
930 
931 static void usage(void)
932 {
933         fprintf(stderr, "ujail <options> -- <binary> <params ...>\n");
934         fprintf(stderr, "  -d <num>\tshow debug log (increase num to increase verbosity)\n");
935         fprintf(stderr, "  -S <file>\tseccomp filter config\n");
936         fprintf(stderr, "  -C <file>\tcapabilities drop config\n");
937         fprintf(stderr, "  -c\t\tset PR_SET_NO_NEW_PRIVS\n");
938         fprintf(stderr, "  -n <name>\tthe name of the jail\n");
939         fprintf(stderr, "namespace jail options:\n");
940         fprintf(stderr, "  -h <hostname>\tchange the hostname of the jail\n");
941         fprintf(stderr, "  -N\t\tjail has network namespace\n");
942         fprintf(stderr, "  -f\t\tjail has user namespace\n");
943         fprintf(stderr, "  -F\t\tjail has cgroups namespace\n");
944         fprintf(stderr, "  -r <file>\treadonly files that should be staged\n");
945         fprintf(stderr, "  -w <file>\twriteable files that should be staged\n");
946         fprintf(stderr, "  -p\t\tjail has /proc\n");
947         fprintf(stderr, "  -s\t\tjail has /sys\n");
948         fprintf(stderr, "  -l\t\tjail has /dev/log\n");
949         fprintf(stderr, "  -u\t\tjail has a ubus socket\n");
950         fprintf(stderr, "  -U <name>\tuser to run jailed process\n");
951         fprintf(stderr, "  -G <name>\tgroup to run jailed process\n");
952         fprintf(stderr, "  -o\t\tremont jail root (/) read only\n");
953         fprintf(stderr, "  -R <dir>\texternal jail rootfs (system container)\n");
954         fprintf(stderr, "  -O <dir>\tdirectory for r/w overlayfs\n");
955         fprintf(stderr, "  -T <size>\tuse tmpfs r/w overlayfs with <size>\n");
956         fprintf(stderr, "  -E\t\tfail if jail cannot be setup\n");
957         fprintf(stderr, "  -y\t\tprovide jail console\n");
958         fprintf(stderr, "  -J <dir>\tcreate container from OCI bundle\n");
959         fprintf(stderr, "  -j\t\tstart container immediately\n");
960         fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\
961 and he has the same powers as root outside the jail,\n\
962 thus he can escape the jail and/or break stuff.\n\
963 Please use seccomp/capabilities (-S/-C) to restrict his powers\n\n\
964 If you use none of the namespace jail options,\n\
965 ujail will not use namespace/build a jail,\n\
966 and will only drop capabilities/apply seccomp filter.\n\n");
967 }
968 
969 static int* get_namespace_fd(const unsigned int nstype)
970 {
971         switch (nstype) {
972                 case CLONE_NEWPID:
973                         return &opts.setns.pid;
974                 case CLONE_NEWNET:
975                         return &opts.setns.net;
976                 case CLONE_NEWNS:
977                         return &opts.setns.ns;
978                 case CLONE_NEWIPC:
979                         return &opts.setns.ipc;
980                 case CLONE_NEWUTS:
981                         return &opts.setns.uts;
982                 case CLONE_NEWUSER:
983                         return &opts.setns.user;
984                 case CLONE_NEWCGROUP:
985                         return &opts.setns.cgroup;
986 #ifdef CLONE_NEWTIME
987                 case CLONE_NEWTIME:
988                         return &opts.setns.time;
989 #endif
990                 default:
991                         return NULL;
992         }
993 }
994 
995 static int setns_open(unsigned long nstype)
996 {
997         int *fd = get_namespace_fd(nstype);
998 
999         if (!*fd)
1000                 return EFAULT;
1001 
1002         if (*fd == -1)
1003                 return 0;
1004 
1005         if (setns(*fd, nstype) == -1) {
1006                 close(*fd);
1007                 return errno;
1008         }
1009 
1010         close(*fd);
1011         return 0;
1012 }
1013 
1014 static int jail_running = 0;
1015 static int jail_return_code = 0;
1016 
1017 static void jail_process_timeout_cb(struct uloop_timeout *t);
1018 static struct uloop_timeout jail_process_timeout = {
1019         .cb = jail_process_timeout_cb,
1020 };
1021 static void poststop(void);
1022 static void jail_process_handler(struct uloop_process *c, int ret)
1023 {
1024         uloop_timeout_cancel(&jail_process_timeout);
1025         if (WIFEXITED(ret)) {
1026                 jail_return_code = WEXITSTATUS(ret);
1027                 INFO("jail (%d) exited with exit: %d\n", c->pid, jail_return_code);
1028         } else {
1029                 jail_return_code = WTERMSIG(ret);
1030                 INFO("jail (%d) exited with signal: %d\n", c->pid, jail_return_code);
1031         }
1032         jail_running = 0;
1033         poststop();
1034 }
1035 
1036 static struct uloop_process jail_process = {
1037         .cb = jail_process_handler,
1038 };
1039 
1040 static void jail_process_timeout_cb(struct uloop_timeout *t)
1041 {
1042         DEBUG("jail process failed to stop, sending SIGKILL\n");
1043         kill(jail_process.pid, SIGKILL);
1044 }
1045 
1046 static void jail_handle_signal(int signo)
1047 {
1048         if (hook_running) {
1049                 DEBUG("forwarding signal %d to the hook process\n", signo);
1050                 kill(hook_process.pid, signo);
1051         }
1052 
1053         if (jail_running) {
1054                 DEBUG("forwarding signal %d to the jailed process\n", signo);
1055                 kill(jail_process.pid, signo);
1056         }
1057 }
1058 
1059 static void signals_init(void)
1060 {
1061         int i;
1062         sigset_t sigmask;
1063 
1064         sigfillset(&sigmask);
1065         for (i = 0; i < _NSIG; i++) {
1066                 struct sigaction s = { 0 };
1067 
1068                 if (!sigismember(&sigmask, i))
1069                         continue;
1070                 if ((i == SIGCHLD) || (i == SIGPIPE) || (i == SIGSEGV))
1071                         continue;
1072 
1073                 s.sa_handler = jail_handle_signal;
1074                 sigaction(i, &s, NULL);
1075         }
1076 }
1077 
1078 static void pre_exec_jail(struct uloop_timeout *t);
1079 static struct uloop_timeout pre_exec_timeout = {
1080         .cb = pre_exec_jail,
1081 };
1082 
1083 int pipes[4];
1084 static int exec_jail(void *arg)
1085 {
1086         char buf[1];
1087 
1088         uloop_init();
1089         signals_init();
1090 
1091         close(pipes[0]);
1092         close(pipes[3]);
1093 
1094         setns_open(CLONE_NEWUSER);
1095         setns_open(CLONE_NEWNET);
1096         setns_open(CLONE_NEWNS);
1097         setns_open(CLONE_NEWIPC);
1098         setns_open(CLONE_NEWUTS);
1099 
1100         buf[0] = 'i';
1101         if (write(pipes[1], buf, 1) < 1) {
1102                 ERROR("can't write to parent\n");
1103                 return EXIT_FAILURE;
1104         }
1105         close(pipes[1]);
1106         if (read(pipes[2], buf, 1) < 1) {
1107                 ERROR("can't read from parent\n");
1108                 return EXIT_FAILURE;
1109         }
1110         if (buf[0] != 'O') {
1111                 ERROR("parent had an error, child exiting\n");
1112                 return EXIT_FAILURE;
1113         }
1114 
1115         if (opts.namespace & CLONE_NEWCGROUP)
1116                 unshare(CLONE_NEWCGROUP);
1117 
1118         if ((opts.namespace & CLONE_NEWUSER) || (opts.setns.user != -1)) {
1119                 if (setregid(0, 0) < 0) {
1120                         ERROR("setgid\n");
1121                         exit(EXIT_FAILURE);
1122                 }
1123                 if (setreuid(0, 0) < 0) {
1124                         ERROR("setuid\n");
1125                         exit(EXIT_FAILURE);
1126                 }
1127                 if (setgroups(0, NULL) < 0) {
1128                         ERROR("setgroups\n");
1129                         exit(EXIT_FAILURE);
1130                 }
1131         }
1132 
1133         if (opts.namespace && opts.hostname && strlen(opts.hostname) > 0
1134                         && sethostname(opts.hostname, strlen(opts.hostname))) {
1135                 ERROR("sethostname(%s) failed: %m\n", opts.hostname);
1136                 exit(EXIT_FAILURE);
1137         }
1138 
1139         uloop_timeout_add(&pre_exec_timeout);
1140         uloop_run();
1141 
1142         exit(-1);
1143 }
1144 
1145 static void pre_exec_jail(struct uloop_timeout *t)
1146 {
1147         if ((opts.namespace & CLONE_NEWNS) && build_jail_fs()) {
1148                 ERROR("failed to build jail fs\n");
1149                 exit(EXIT_FAILURE);
1150         } else {
1151                 run_hooks(opts.hooks.createContainer, post_jail_fs);
1152         }
1153 }
1154 
1155 static void post_start_hook(void);
1156 static void post_jail_fs(void)
1157 {
1158         char buf[1];
1159 
1160         if (read(pipes[2], buf, 1) < 1) {
1161                 ERROR("can't read from parent\n");
1162                 exit(EXIT_FAILURE);
1163         }
1164         if (buf[0] != '!') {
1165                 ERROR("parent had an error, child exiting\n");
1166                 exit(EXIT_FAILURE);
1167         }
1168         close(pipes[2]);
1169 
1170         run_hooks(opts.hooks.startContainer, post_start_hook);
1171 }
1172 
1173 static void post_start_hook(void)
1174 {
1175         if (!(opts.namespace & CLONE_NEWUSER) && (opts.setns.user == -1)) {
1176                 int pw_uid, pw_gid, gr_gid;
1177                 get_jail_user(&pw_uid, &pw_gid, &gr_gid);
1178 
1179                 set_jail_user(opts.pw_uid?:pw_uid, opts.pw_gid?:pw_gid, opts.gr_gid?:gr_gid);
1180         }
1181 
1182         if (opts.additional_gids &&
1183             (setgroups(opts.num_additional_gids, opts.additional_gids) < 0)) {
1184                 ERROR("setgroups failed: %m\n");
1185                 exit(EXIT_FAILURE);
1186         }
1187 
1188         if (opts.set_umask)
1189                 umask(opts.umask);
1190 
1191         if (applyOCIcapabilities(opts.capset))
1192                 exit(EXIT_FAILURE);
1193 
1194         if (opts.capabilities && drop_capabilities(opts.capabilities))
1195                 exit(EXIT_FAILURE);
1196 
1197         if (opts.no_new_privs && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1198                 ERROR("prctl(PR_SET_NO_NEW_PRIVS) failed: %m\n");
1199                 exit(EXIT_FAILURE);
1200         }
1201 
1202         char **envp = build_envp(opts.seccomp, opts.envp);
1203         if (!envp)
1204                 exit(EXIT_FAILURE);
1205 
1206         if (opts.cwd && chdir(opts.cwd))
1207                 exit(EXIT_FAILURE);
1208 
1209         if (opts.ociseccomp && applyOCIlinuxseccomp(opts.ociseccomp))
1210                 exit(EXIT_FAILURE);
1211 
1212         uloop_end();
1213         free_opts(false);
1214         INFO("exec-ing %s\n", *opts.jail_argv);
1215         if (opts.envp) /* respect PATH if potentially set in ENV */
1216                 execvpe(*opts.jail_argv, opts.jail_argv, envp);
1217         else
1218                 execve(*opts.jail_argv, opts.jail_argv, envp);
1219 
1220         /* we get there only if execve fails */
1221         ERROR("failed to execve %s: %m\n", *opts.jail_argv);
1222         exit(EXIT_FAILURE);
1223 }
1224 
1225 static int ns_open_pid(const char *nstype, const pid_t target_ns)
1226 {
1227         char pid_pid_path[PATH_MAX];
1228 
1229         snprintf(pid_pid_path, sizeof(pid_pid_path), "/proc/%u/ns/%s", target_ns, nstype);
1230 
1231         return open(pid_pid_path, O_RDONLY);
1232 }
1233 
1234 static void netns_updown(pid_t pid, bool start)
1235 {
1236         static struct blob_buf req;
1237         uint32_t id;
1238 
1239         if (!parent_ctx)
1240                 return;
1241 
1242         blob_buf_init(&req, 0);
1243         blobmsg_add_string(&req, "jail", opts.name);
1244         blobmsg_add_u32(&req, "pid", pid);
1245         blobmsg_add_u8(&req, "start", start);
1246 
1247         if (ubus_lookup_id(parent_ctx, "network", &id) ||
1248             ubus_invoke(parent_ctx, id, "netns_updown", req.head, NULL, NULL, 3000))
1249                 INFO("ubus request failed\n");
1250 
1251         blob_buf_free(&req);
1252 }
1253 
1254 static int parseOCIenvarray(struct blob_attr *msg, char ***envp)
1255 {
1256         struct blob_attr *cur;
1257         int sz = 0, rem;
1258 
1259         blobmsg_for_each_attr(cur, msg, rem)
1260                 ++sz;
1261 
1262         if (sz > 0) {
1263                 *envp = calloc(1 + sz, sizeof(char*));
1264                 if (!(*envp))
1265                         return ENOMEM;
1266         } else {
1267                 *envp = NULL;
1268                 return 0;
1269         }
1270 
1271         sz = 0;
1272         blobmsg_for_each_attr(cur, msg, rem)
1273                 (*envp)[sz++] = strdup(blobmsg_get_string(cur));
1274 
1275         if (sz)
1276                 (*envp)[sz] = NULL;
1277 
1278         return 0;
1279 }
1280 
1281 enum {
1282         OCI_ROOT_PATH,
1283         OCI_ROOT_READONLY,
1284         __OCI_ROOT_MAX,
1285 };
1286 
1287 static const struct blobmsg_policy oci_root_policy[] = {
1288         [OCI_ROOT_PATH] = { "path", BLOBMSG_TYPE_STRING },
1289         [OCI_ROOT_READONLY] = { "readonly", BLOBMSG_TYPE_BOOL },
1290 };
1291 
1292 static int parseOCIroot(const char *jsonfile, struct blob_attr *msg)
1293 {
1294         static char rootpath[PATH_MAX] = { 0 };
1295         struct blob_attr *tb[__OCI_ROOT_MAX];
1296         char *cur;
1297 
1298         blobmsg_parse(oci_root_policy, __OCI_ROOT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1299 
1300         if (!tb[OCI_ROOT_PATH])
1301                 return ENODATA;
1302 
1303         strncpy(rootpath, jsonfile, PATH_MAX);
1304         cur = strrchr(rootpath, '/');
1305 
1306         if (!cur)
1307                 return ENOTDIR;
1308 
1309         *(++cur) = '\0';
1310         strncat(rootpath, blobmsg_get_string(tb[OCI_ROOT_PATH]), PATH_MAX - (strlen(rootpath) + 1));
1311 
1312         opts.extroot = rootpath;
1313 
1314         opts.ronly = blobmsg_get_bool(tb[OCI_ROOT_READONLY]);
1315 
1316         return 0;
1317 }
1318 
1319 
1320 enum {
1321         OCI_HOOK_PATH,
1322         OCI_HOOK_ARGS,
1323         OCI_HOOK_ENV,
1324         OCI_HOOK_TIMEOUT,
1325         __OCI_HOOK_MAX,
1326 };
1327 
1328 static const struct blobmsg_policy oci_hook_policy[] = {
1329         [OCI_HOOK_PATH] = { "path", BLOBMSG_TYPE_STRING },
1330         [OCI_HOOK_ARGS] = { "args", BLOBMSG_TYPE_ARRAY },
1331         [OCI_HOOK_ENV] = { "env", BLOBMSG_TYPE_ARRAY },
1332         [OCI_HOOK_TIMEOUT] = { "timeout", BLOBMSG_TYPE_INT32 },
1333 };
1334 
1335 
1336 static int parseOCIhook(struct hook_execvpe ***hooklist, struct blob_attr *msg)
1337 {
1338         struct blob_attr *tb[__OCI_HOOK_MAX];
1339         struct blob_attr *cur;
1340         int rem, ret = 0;
1341         int idx = 0;
1342 
1343         blobmsg_for_each_attr(cur, msg, rem)
1344                 ++idx;
1345 
1346         if (!idx)
1347                 return 0;
1348 
1349         *hooklist = calloc(idx + 1, sizeof(struct hook_execvpe *));
1350         idx = 0;
1351 
1352         if (!(*hooklist))
1353                 return ENOMEM;
1354 
1355         blobmsg_for_each_attr(cur, msg, rem) {
1356                 blobmsg_parse(oci_hook_policy, __OCI_HOOK_MAX, tb, blobmsg_data(cur), blobmsg_len(cur));
1357 
1358                 if (!tb[OCI_HOOK_PATH]) {
1359                         ret = EINVAL;
1360                         goto errout;
1361                 }
1362 
1363                 (*hooklist)[idx] = calloc(1, sizeof(struct hook_execvpe));
1364                 if (tb[OCI_HOOK_ARGS]) {
1365                         ret = parseOCIenvarray(tb[OCI_HOOK_ARGS], &((*hooklist)[idx]->argv));
1366                         if (ret)
1367                                 goto errout;
1368                 } else {
1369                         (*hooklist)[idx]->argv = calloc(2, sizeof(char *));
1370                         ((*hooklist)[idx]->argv)[0] = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH]));
1371                         ((*hooklist)[idx]->argv)[1] = NULL;
1372                 };
1373 
1374 
1375                 if (tb[OCI_HOOK_ENV]) {
1376                         ret = parseOCIenvarray(tb[OCI_HOOK_ENV], &((*hooklist)[idx]->envp));
1377                         if (ret)
1378                                 goto errout;
1379                 }
1380 
1381                 if (tb[OCI_HOOK_TIMEOUT])
1382                         (*hooklist)[idx]->timeout = blobmsg_get_u32(tb[OCI_HOOK_TIMEOUT]);
1383 
1384                 (*hooklist)[idx]->file = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH]));
1385 
1386                 ++idx;
1387         }
1388 
1389         (*hooklist)[idx] = NULL;
1390 
1391         DEBUG("added %d hooks\n", idx);
1392 
1393         return 0;
1394 
1395 errout:
1396         free_hooklist(*hooklist);
1397         *hooklist = NULL;
1398 
1399         return ret;
1400 };
1401 
1402 
1403 enum {
1404         OCI_HOOKS_PRESTART,
1405         OCI_HOOKS_CREATERUNTIME,
1406         OCI_HOOKS_CREATECONTAINER,
1407         OCI_HOOKS_STARTCONTAINER,
1408         OCI_HOOKS_POSTSTART,
1409         OCI_HOOKS_POSTSTOP,
1410         __OCI_HOOKS_MAX,
1411 };
1412 
1413 static const struct blobmsg_policy oci_hooks_policy[] = {
1414         [OCI_HOOKS_PRESTART] = { "prestart", BLOBMSG_TYPE_ARRAY },
1415         [OCI_HOOKS_CREATERUNTIME] = { "createRuntime", BLOBMSG_TYPE_ARRAY },
1416         [OCI_HOOKS_CREATECONTAINER] = { "createContainer", BLOBMSG_TYPE_ARRAY },
1417         [OCI_HOOKS_STARTCONTAINER] = { "startContainer", BLOBMSG_TYPE_ARRAY },
1418         [OCI_HOOKS_POSTSTART] = { "poststart", BLOBMSG_TYPE_ARRAY },
1419         [OCI_HOOKS_POSTSTOP] = { "poststop", BLOBMSG_TYPE_ARRAY },
1420 };
1421 
1422 static int parseOCIhooks(struct blob_attr *msg)
1423 {
1424         struct blob_attr *tb[__OCI_HOOKS_MAX];
1425         int ret;
1426 
1427         blobmsg_parse(oci_hooks_policy, __OCI_HOOKS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1428 
1429         if (tb[OCI_HOOKS_PRESTART])
1430                 INFO("warning: ignoring deprecated prestart hook\n");
1431 
1432         if (tb[OCI_HOOKS_CREATERUNTIME]) {
1433                 ret = parseOCIhook(&opts.hooks.createRuntime, tb[OCI_HOOKS_CREATERUNTIME]);
1434                 if (ret)
1435                         return ret;
1436         }
1437 
1438         if (tb[OCI_HOOKS_CREATECONTAINER]) {
1439                 ret = parseOCIhook(&opts.hooks.createContainer, tb[OCI_HOOKS_CREATECONTAINER]);
1440                 if (ret)
1441                         goto out_createruntime;
1442         }
1443 
1444         if (tb[OCI_HOOKS_STARTCONTAINER]) {
1445                 ret = parseOCIhook(&opts.hooks.startContainer, tb[OCI_HOOKS_STARTCONTAINER]);
1446                 if (ret)
1447                         goto out_createcontainer;
1448         }
1449 
1450         if (tb[OCI_HOOKS_POSTSTART]) {
1451                 ret = parseOCIhook(&opts.hooks.poststart, tb[OCI_HOOKS_POSTSTART]);
1452                 if (ret)
1453                         goto out_startcontainer;
1454         }
1455 
1456         if (tb[OCI_HOOKS_POSTSTOP]) {
1457                 ret = parseOCIhook(&opts.hooks.poststop, tb[OCI_HOOKS_POSTSTOP]);
1458                 if (ret)
1459                         goto out_poststart;
1460         }
1461 
1462         return 0;
1463 
1464 out_poststart:
1465         free_hooklist(opts.hooks.poststart);
1466 out_startcontainer:
1467         free_hooklist(opts.hooks.startContainer);
1468 out_createcontainer:
1469         free_hooklist(opts.hooks.createContainer);
1470 out_createruntime:
1471         free_hooklist(opts.hooks.createRuntime);
1472 
1473         return ret;
1474 };
1475 
1476 
1477 enum {
1478         OCI_PROCESS_USER_UID,
1479         OCI_PROCESS_USER_GID,
1480         OCI_PROCESS_USER_UMASK,
1481         OCI_PROCESS_USER_ADDITIONALGIDS,
1482         __OCI_PROCESS_USER_MAX,
1483 };
1484 
1485 static const struct blobmsg_policy oci_process_user_policy[] = {
1486         [OCI_PROCESS_USER_UID] = { "uid", BLOBMSG_TYPE_INT32 },
1487         [OCI_PROCESS_USER_GID] = { "gid", BLOBMSG_TYPE_INT32 },
1488         [OCI_PROCESS_USER_UMASK] = { "umask", BLOBMSG_TYPE_INT32 },
1489         [OCI_PROCESS_USER_ADDITIONALGIDS] = { "additionalGids", BLOBMSG_TYPE_ARRAY },
1490 };
1491 
1492 static int parseOCIprocessuser(struct blob_attr *msg) {
1493         struct blob_attr *tb[__OCI_PROCESS_USER_MAX];
1494         struct blob_attr *cur;
1495         int rem;
1496         int has_gid = 0;
1497 
1498         blobmsg_parse(oci_process_user_policy, __OCI_PROCESS_USER_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1499 
1500         if (tb[OCI_PROCESS_USER_UID])
1501                 opts.pw_uid = blobmsg_get_u32(tb[OCI_PROCESS_USER_UID]);
1502 
1503         if (tb[OCI_PROCESS_USER_GID]) {
1504                 opts.pw_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]);
1505                 opts.gr_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]);
1506                 has_gid = 1;
1507         }
1508 
1509         if (tb[OCI_PROCESS_USER_ADDITIONALGIDS]) {
1510                 size_t gidcnt = 0;
1511 
1512                 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) {
1513                         ++gidcnt;
1514                         if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid))
1515                                 continue;
1516                 }
1517 
1518                 if (gidcnt) {
1519                         opts.additional_gids = calloc(gidcnt + has_gid, sizeof(gid_t));
1520                         gidcnt = 0;
1521 
1522                         /* always add primary GID to set of GIDs if set */
1523                         if (has_gid)
1524                                 opts.additional_gids[gidcnt++] = opts.gr_gid;
1525 
1526                         blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) {
1527                                 if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid))
1528                                         continue;
1529                                 opts.additional_gids[gidcnt++] = blobmsg_get_u32(cur);
1530                         }
1531                         opts.num_additional_gids = gidcnt;
1532                 }
1533                 DEBUG("read %zu additional groups\n", gidcnt);
1534         }
1535 
1536         if (tb[OCI_PROCESS_USER_UMASK]) {
1537                 opts.umask = blobmsg_get_u32(tb[OCI_PROCESS_USER_UMASK]);
1538                 opts.set_umask = true;
1539         }
1540 
1541         return 0;
1542 }
1543 
1544 enum {
1545         OCI_PROCESS_RLIMIT_TYPE,
1546         OCI_PROCESS_RLIMIT_SOFT,
1547         OCI_PROCESS_RLIMIT_HARD,
1548         __OCI_PROCESS_RLIMIT_MAX,
1549 };
1550 
1551 static const struct blobmsg_policy oci_process_rlimit_policy[] = {
1552         [OCI_PROCESS_RLIMIT_TYPE] = { "type", BLOBMSG_TYPE_STRING },
1553         [OCI_PROCESS_RLIMIT_SOFT] = { "soft", BLOBMSG_CAST_INT64 },
1554         [OCI_PROCESS_RLIMIT_HARD] = { "hard", BLOBMSG_CAST_INT64 },
1555 };
1556 
1557 /* from manpage GETRLIMIT(2) */
1558 static const char* const rlimit_names[RLIM_NLIMITS] = {
1559         [RLIMIT_AS] = "AS",
1560         [RLIMIT_CORE] = "CORE",
1561         [RLIMIT_CPU] = "CPU",
1562         [RLIMIT_DATA] = "DATA",
1563         [RLIMIT_FSIZE] = "FSIZE",
1564         [RLIMIT_LOCKS] = "LOCKS",
1565         [RLIMIT_MEMLOCK] = "MEMLOCK",
1566         [RLIMIT_MSGQUEUE] = "MSGQUEUE",
1567         [RLIMIT_NICE] = "NICE",
1568         [RLIMIT_NOFILE] = "NOFILE",
1569         [RLIMIT_NPROC] = "NPROC",
1570         [RLIMIT_RSS] = "RSS",
1571         [RLIMIT_RTPRIO] = "RTPRIO",
1572         [RLIMIT_RTTIME] = "RTTIME",
1573         [RLIMIT_SIGPENDING] = "SIGPENDING",
1574         [RLIMIT_STACK] = "STACK",
1575 };
1576 
1577 static int resolve_rlimit(char *type) {
1578         unsigned int rltype;
1579 
1580         for (rltype = 0; rltype < RLIM_NLIMITS; ++rltype)
1581                 if (rlimit_names[rltype] &&
1582                     !strncmp("RLIMIT_", type, 7) &&
1583                     !strcmp(rlimit_names[rltype], type + 7))
1584                         return rltype;
1585 
1586         return -1;
1587 }
1588 
1589 
1590 static int parseOCIrlimit(struct blob_attr *msg)
1591 {
1592         struct blob_attr *tb[__OCI_PROCESS_RLIMIT_MAX];
1593         int limtype = -1;
1594         struct rlimit *curlim;
1595 
1596         blobmsg_parse(oci_process_rlimit_policy, __OCI_PROCESS_RLIMIT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1597 
1598         if (!tb[OCI_PROCESS_RLIMIT_TYPE] ||
1599             !tb[OCI_PROCESS_RLIMIT_SOFT] ||
1600             !tb[OCI_PROCESS_RLIMIT_HARD])
1601                 return ENODATA;
1602 
1603         limtype = resolve_rlimit(blobmsg_get_string(tb[OCI_PROCESS_RLIMIT_TYPE]));
1604 
1605         if (limtype < 0)
1606                 return EINVAL;
1607 
1608         if (opts.rlimits[limtype])
1609                 return ENOTUNIQ;
1610 
1611         curlim = malloc(sizeof(struct rlimit));
1612         curlim->rlim_cur = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_SOFT]);
1613         curlim->rlim_max = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_HARD]);
1614 
1615         opts.rlimits[limtype] = curlim;
1616 
1617         return 0;
1618 };
1619 
1620 enum {
1621         OCI_PROCESS_ARGS,
1622         OCI_PROCESS_CAPABILITIES,
1623         OCI_PROCESS_CWD,
1624         OCI_PROCESS_ENV,
1625         OCI_PROCESS_OOMSCOREADJ,
1626         OCI_PROCESS_NONEWPRIVILEGES,
1627         OCI_PROCESS_RLIMITS,
1628         OCI_PROCESS_TERMINAL,
1629         OCI_PROCESS_USER,
1630         __OCI_PROCESS_MAX,
1631 };
1632 
1633 static const struct blobmsg_policy oci_process_policy[] = {
1634         [OCI_PROCESS_ARGS] = { "args", BLOBMSG_TYPE_ARRAY },
1635         [OCI_PROCESS_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_TABLE },
1636         [OCI_PROCESS_CWD] = { "cwd", BLOBMSG_TYPE_STRING },
1637         [OCI_PROCESS_ENV] = { "env", BLOBMSG_TYPE_ARRAY },
1638         [OCI_PROCESS_OOMSCOREADJ] = { "oomScoreAdj", BLOBMSG_TYPE_INT32 },
1639         [OCI_PROCESS_NONEWPRIVILEGES] = { "noNewPrivileges", BLOBMSG_TYPE_BOOL },
1640         [OCI_PROCESS_RLIMITS] = { "rlimits", BLOBMSG_TYPE_ARRAY },
1641         [OCI_PROCESS_TERMINAL] = { "terminal", BLOBMSG_TYPE_BOOL },
1642         [OCI_PROCESS_USER] = { "user", BLOBMSG_TYPE_TABLE },
1643 };
1644 
1645 
1646 static int parseOCIprocess(struct blob_attr *msg)
1647 {
1648         struct blob_attr *tb[__OCI_PROCESS_MAX], *cur;
1649         int rem, res;
1650 
1651         blobmsg_parse(oci_process_policy, __OCI_PROCESS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1652 
1653         if (!tb[OCI_PROCESS_ARGS])
1654                 return ENOENT;
1655 
1656         res = parseOCIenvarray(tb[OCI_PROCESS_ARGS], &opts.jail_argv);
1657         if (res)
1658                 return res;
1659 
1660         opts.console = blobmsg_get_bool(tb[OCI_PROCESS_TERMINAL]);
1661         opts.no_new_privs = blobmsg_get_bool(tb[OCI_PROCESS_NONEWPRIVILEGES]);
1662 
1663         if (tb[OCI_PROCESS_CWD])
1664                 opts.cwd = strdup(blobmsg_get_string(tb[OCI_PROCESS_CWD]));
1665 
1666         if (tb[OCI_PROCESS_ENV]) {
1667                 res = parseOCIenvarray(tb[OCI_PROCESS_ENV], &opts.envp);
1668                 if (res)
1669                         return res;
1670         }
1671 
1672         if (tb[OCI_PROCESS_USER] && (res = parseOCIprocessuser(tb[OCI_PROCESS_USER])))
1673                 return res;
1674 
1675         if (tb[OCI_PROCESS_CAPABILITIES] &&
1676             (res = parseOCIcapabilities(&opts.capset, tb[OCI_PROCESS_CAPABILITIES])))
1677                 return res;
1678 
1679         if (tb[OCI_PROCESS_RLIMITS]) {
1680                 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_RLIMITS], rem) {
1681                         res = parseOCIrlimit(cur);
1682                         if (res)
1683                                 return res;
1684                 }
1685         }
1686 
1687         if (tb[OCI_PROCESS_OOMSCOREADJ]) {
1688                 opts.oom_score_adj = blobmsg_get_u32(tb[OCI_PROCESS_OOMSCOREADJ]);
1689                 opts.set_oom_score_adj = true;
1690         }
1691 
1692         return 0;
1693 }
1694 
1695 enum {
1696         OCI_LINUX_NAMESPACE_TYPE,
1697         OCI_LINUX_NAMESPACE_PATH,
1698         __OCI_LINUX_NAMESPACE_MAX,
1699 };
1700 
1701 static const struct blobmsg_policy oci_linux_namespace_policy[] = {
1702         [OCI_LINUX_NAMESPACE_TYPE] = { "type", BLOBMSG_TYPE_STRING },
1703         [OCI_LINUX_NAMESPACE_PATH] = { "path", BLOBMSG_TYPE_STRING },
1704 };
1705 
1706 static int resolve_nstype(char *type) {
1707         if (!strcmp("pid", type))
1708                 return CLONE_NEWPID;
1709         else if (!strcmp("network", type))
1710                 return CLONE_NEWNET;
1711         else if (!strcmp("mount", type))
1712                 return CLONE_NEWNS;
1713         else if (!strcmp("ipc", type))
1714                 return CLONE_NEWIPC;
1715         else if (!strcmp("uts", type))
1716                 return CLONE_NEWUTS;
1717         else if (!strcmp("user", type))
1718                 return CLONE_NEWUSER;
1719         else if (!strcmp("cgroup", type))
1720                 return CLONE_NEWCGROUP;
1721 #ifdef CLONE_NEWTIME
1722         else if (!strcmp("time", type))
1723                 return CLONE_NEWTIME;
1724 #endif
1725         else
1726                 return 0;
1727 }
1728 
1729 static int parseOCIlinuxns(struct blob_attr *msg)
1730 {
1731         struct blob_attr *tb[__OCI_LINUX_NAMESPACE_MAX];
1732         int nstype;
1733         int *setns;
1734         int fd;
1735 
1736         blobmsg_parse(oci_linux_namespace_policy, __OCI_LINUX_NAMESPACE_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1737 
1738         if (!tb[OCI_LINUX_NAMESPACE_TYPE])
1739                 return EINVAL;
1740 
1741         nstype = resolve_nstype(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]));
1742         if (!nstype)
1743                 return EINVAL;
1744 
1745         if (opts.namespace & nstype)
1746                 return ENOTUNIQ;
1747 
1748         setns = get_namespace_fd(nstype);
1749 
1750         if (!setns)
1751                 return EFAULT;
1752 
1753         if (*setns != -1)
1754                 return ENOTUNIQ;
1755 
1756         if (tb[OCI_LINUX_NAMESPACE_PATH]) {
1757                 DEBUG("opening existing %s namespace from path %s\n",
1758                         blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]),
1759                         blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH]));
1760 
1761                 fd = open(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH]), O_RDONLY);
1762                 if (fd == -1)
1763                         return errno?:ESTALE;
1764 
1765                 if (ioctl(fd, NS_GET_NSTYPE) != nstype)
1766                         return EINVAL;
1767 
1768                 DEBUG("opened existing %s namespace got filehandler %u\n",
1769                         blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]),
1770                         fd);
1771 
1772                 *setns = fd;
1773         } else {
1774                 opts.namespace |= nstype;
1775         }
1776 
1777         return 0;
1778 };
1779 
1780 
1781 enum {
1782         OCI_LINUX_UIDGIDMAP_CONTAINERID,
1783         OCI_LINUX_UIDGIDMAP_HOSTID,
1784         OCI_LINUX_UIDGIDMAP_SIZE,
1785         __OCI_LINUX_UIDGIDMAP_MAX,
1786 };
1787 
1788 static const struct blobmsg_policy oci_linux_uidgidmap_policy[] = {
1789         [OCI_LINUX_UIDGIDMAP_CONTAINERID] = { "containerID", BLOBMSG_TYPE_INT32 },
1790         [OCI_LINUX_UIDGIDMAP_HOSTID] = { "hostID", BLOBMSG_TYPE_INT32 },
1791         [OCI_LINUX_UIDGIDMAP_SIZE] = { "size", BLOBMSG_TYPE_INT32 },
1792 };
1793 
1794 static int parseOCIuidgidmappings(struct blob_attr *msg, bool is_gidmap)
1795 {
1796         const char *map_format = "%d %d %d\n";
1797         struct blob_attr *tb[__OCI_LINUX_UIDGIDMAP_MAX];
1798         struct blob_attr *cur;
1799         int rem, len;
1800         char **mappings;
1801         char *map, *curstr;
1802         unsigned int cnt = 0;
1803         size_t totallen = 0;
1804 
1805         /* count number of mappings */
1806         blobmsg_for_each_attr(cur, msg, rem)
1807                 cnt++;
1808 
1809         if (!cnt)
1810                 return 0;
1811 
1812         /* allocate array for mappings */
1813         mappings = calloc(1 + cnt, sizeof(char*));
1814         if (!mappings)
1815                 return ENOMEM;
1816 
1817         mappings[cnt] = NULL;
1818 
1819         cnt = 0;
1820         blobmsg_for_each_attr(cur, msg, rem) {
1821                 blobmsg_parse(oci_linux_uidgidmap_policy, __OCI_LINUX_UIDGIDMAP_MAX, tb, blobmsg_data(cur), blobmsg_len(cur));
1822 
1823                 if (!tb[OCI_LINUX_UIDGIDMAP_CONTAINERID] ||
1824                     !tb[OCI_LINUX_UIDGIDMAP_HOSTID] ||
1825                     !tb[OCI_LINUX_UIDGIDMAP_SIZE])
1826                         return EINVAL;
1827 
1828                 /* write mapping line into allocated string */
1829                 len = asprintf(&mappings[cnt++], map_format,
1830                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]),
1831                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]),
1832                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE]));
1833 
1834                 if (len < 0)
1835                         return ENOMEM;
1836 
1837                 totallen += len;
1838         }
1839 
1840         /* allocate combined mapping string */
1841         map = calloc(1 + totallen, sizeof(char));
1842         if (!map)
1843                 return ENOMEM;
1844 
1845         map[0] = '\0';
1846 
1847         /* concatenate mapping strings into combined string */
1848         curstr = mappings[0];
1849         while (curstr) {
1850                 strcat(map, curstr);
1851                 free(curstr++);
1852         }
1853         free(mappings);
1854 
1855         if (is_gidmap)
1856                 opts.gidmap = map;
1857         else
1858                 opts.uidmap = map;
1859 
1860         return 0;
1861 }
1862 
1863 enum {
1864         OCI_DEVICES_TYPE,
1865         OCI_DEVICES_PATH,
1866         OCI_DEVICES_MAJOR,
1867         OCI_DEVICES_MINOR,
1868         OCI_DEVICES_FILEMODE,
1869         OCI_DEVICES_UID,
1870         OCI_DEVICES_GID,
1871         __OCI_DEVICES_MAX,
1872 };
1873 
1874 static const struct blobmsg_policy oci_devices_policy[] = {
1875         [OCI_DEVICES_TYPE] = { "type", BLOBMSG_TYPE_STRING },
1876         [OCI_DEVICES_PATH] = { "path", BLOBMSG_TYPE_STRING },
1877         [OCI_DEVICES_MAJOR] = { "major", BLOBMSG_TYPE_INT32 },
1878         [OCI_DEVICES_MINOR] = { "minor", BLOBMSG_TYPE_INT32 },
1879         [OCI_DEVICES_FILEMODE] = { "fileMode", BLOBMSG_TYPE_INT32 },
1880         [OCI_DEVICES_UID] = { "uid", BLOBMSG_TYPE_INT32 },
1881         [OCI_DEVICES_GID] = { "uid", BLOBMSG_TYPE_INT32 },
1882 };
1883 
1884 static mode_t resolve_devtype(char *tstr)
1885 {
1886         if (!strcmp("c", tstr) ||
1887             !strcmp("u", tstr))
1888                 return S_IFCHR;
1889         else if (!strcmp("b", tstr))
1890                 return S_IFBLK;
1891         else if (!strcmp("p", tstr))
1892                 return S_IFIFO;
1893         else
1894                 return 0;
1895 }
1896 
1897 static int parseOCIdevices(struct blob_attr *msg)
1898 {
1899         struct blob_attr *tb[__OCI_DEVICES_MAX];
1900         struct blob_attr *cur;
1901         int rem;
1902         size_t cnt = 0;
1903         struct mknod_args *tmp;
1904 
1905         blobmsg_for_each_attr(cur, msg, rem)
1906                 ++cnt;
1907 
1908         opts.devices = calloc(cnt + 1, sizeof(struct mknod_args *));
1909 
1910         cnt = 0;
1911         blobmsg_for_each_attr(cur, msg, rem) {
1912                 blobmsg_parse(oci_devices_policy, __OCI_DEVICES_MAX, tb, blobmsg_data(cur), blobmsg_len(cur));
1913                 if (!tb[OCI_DEVICES_TYPE] ||
1914                     !tb[OCI_DEVICES_PATH])
1915                         return ENODATA;
1916 
1917                 tmp = calloc(1, sizeof(struct mknod_args));
1918                 if (!tmp)
1919                         return ENOMEM;
1920 
1921                 tmp->mode = resolve_devtype(blobmsg_get_string(tb[OCI_DEVICES_TYPE]));
1922                 if (!tmp->mode)
1923                         return EINVAL;
1924 
1925                 if (tmp->mode != S_IFIFO) {
1926                         if (!tb[OCI_DEVICES_MAJOR] || !tb[OCI_DEVICES_MINOR])
1927                                 return ENODATA;
1928 
1929                         tmp->dev = makedev(blobmsg_get_u32(tb[OCI_DEVICES_MAJOR]),
1930                                            blobmsg_get_u32(tb[OCI_DEVICES_MINOR]));
1931                 }
1932 
1933                 if (tb[OCI_DEVICES_FILEMODE]) {
1934                         if (~(S_IRWXU|S_IRWXG|S_IRWXO) & blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE]))
1935                                 return EINVAL;
1936 
1937                         tmp->mode |= blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE]);
1938                 } else {
1939                         tmp->mode |= (S_IRUSR|S_IWUSR); /* 0600 */
1940                 }
1941 
1942                 tmp->path = strdup(blobmsg_get_string(tb[OCI_DEVICES_PATH]));
1943 
1944                 if (tb[OCI_DEVICES_UID])
1945                         tmp->uid = blobmsg_get_u32(tb[OCI_DEVICES_UID]);
1946                 else
1947                         tmp->uid = -1;
1948 
1949                 if (tb[OCI_DEVICES_GID])
1950                         tmp->gid = blobmsg_get_u32(tb[OCI_DEVICES_GID]);
1951                 else
1952                         tmp->gid = -1;
1953 
1954                 DEBUG("read device %s (%s)\n", blobmsg_get_string(tb[OCI_DEVICES_PATH]), blobmsg_get_string(tb[OCI_DEVICES_TYPE]));
1955                 opts.devices[cnt++] = tmp;
1956         }
1957 
1958         opts.devices[cnt] = NULL;
1959 
1960         return 0;
1961 }
1962 
1963 static int parseOCIsysctl(struct blob_attr *msg)
1964 {
1965         struct blob_attr *cur;
1966         int rem;
1967         char *tmp, *tc;
1968         size_t cnt = 0;
1969 
1970         blobmsg_for_each_attr(cur, msg, rem) {
1971                 if (!blobmsg_name(cur) || !blobmsg_get_string(cur))
1972                         return EINVAL;
1973 
1974                 ++cnt;
1975         }
1976 
1977         if (!cnt)
1978                 return 0;
1979 
1980         opts.sysctl = calloc(cnt + 1, sizeof(struct sysctl_val *));
1981         if (!opts.sysctl)
1982                 return ENOMEM;
1983 
1984         cnt = 0;
1985         blobmsg_for_each_attr(cur, msg, rem) {
1986                 opts.sysctl[cnt] = malloc(sizeof(struct sysctl_val));
1987                 if (!opts.sysctl[cnt])
1988                         return ENOMEM;
1989 
1990                 /* replace '.' with '/' in entry name */
1991                 tc = tmp = strdup(blobmsg_name(cur));
1992                 while ((tc = strchr(tc, '.')))
1993                         *tc = '/';
1994 
1995                 opts.sysctl[cnt]->value = strdup(blobmsg_get_string(cur));
1996                 opts.sysctl[cnt]->entry = tmp;
1997 
1998                 ++cnt;
1999         }
2000 
2001         opts.sysctl[cnt] = NULL;
2002 
2003         return 0;
2004 }
2005 
2006 
2007 enum {
2008         OCI_LINUX_CGROUPSPATH,
2009         OCI_LINUX_RESOURCES,
2010         OCI_LINUX_SECCOMP,
2011         OCI_LINUX_SYSCTL,
2012         OCI_LINUX_NAMESPACES,
2013         OCI_LINUX_DEVICES,
2014         OCI_LINUX_UIDMAPPINGS,
2015         OCI_LINUX_GIDMAPPINGS,
2016         OCI_LINUX_MASKEDPATHS,
2017         OCI_LINUX_READONLYPATHS,
2018         OCI_LINUX_ROOTFSPROPAGATION,
2019         __OCI_LINUX_MAX,
2020 };
2021 
2022 static const struct blobmsg_policy oci_linux_policy[] = {
2023         [OCI_LINUX_CGROUPSPATH] = { "cgroupsPath", BLOBMSG_TYPE_STRING },
2024         [OCI_LINUX_RESOURCES] = { "resources", BLOBMSG_TYPE_TABLE },
2025         [OCI_LINUX_SECCOMP] = { "seccomp", BLOBMSG_TYPE_TABLE },
2026         [OCI_LINUX_SYSCTL] = { "sysctl", BLOBMSG_TYPE_TABLE },
2027         [OCI_LINUX_NAMESPACES] = { "namespaces", BLOBMSG_TYPE_ARRAY },
2028         [OCI_LINUX_DEVICES] = { "devices", BLOBMSG_TYPE_ARRAY },
2029         [OCI_LINUX_UIDMAPPINGS] = { "uidMappings", BLOBMSG_TYPE_ARRAY },
2030         [OCI_LINUX_GIDMAPPINGS] = { "gidMappings", BLOBMSG_TYPE_ARRAY },
2031         [OCI_LINUX_MASKEDPATHS] = { "maskedPaths", BLOBMSG_TYPE_ARRAY },
2032         [OCI_LINUX_READONLYPATHS] = { "readonlyPaths", BLOBMSG_TYPE_ARRAY },
2033         [OCI_LINUX_ROOTFSPROPAGATION] = { "rootfsPropagation", BLOBMSG_TYPE_STRING },
2034 };
2035 
2036 static int parseOCIlinux(struct blob_attr *msg)
2037 {
2038         struct blob_attr *tb[__OCI_LINUX_MAX];
2039         struct blob_attr *cur;
2040         int rem;
2041         int res = 0;
2042         char *cgpath;
2043         char cgfullpath[256] = "/sys/fs/cgroup";
2044 
2045         blobmsg_parse(oci_linux_policy, __OCI_LINUX_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
2046 
2047         if (tb[OCI_LINUX_NAMESPACES]) {
2048                 blobmsg_for_each_attr(cur, tb[OCI_LINUX_NAMESPACES], rem) {
2049                         res = parseOCIlinuxns(cur);
2050                         if (res)
2051                                 return res;
2052                 }
2053         }
2054 
2055         if (tb[OCI_LINUX_UIDMAPPINGS]) {
2056                 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 0);
2057                 if (res)
2058                         return res;
2059         }
2060 
2061         if (tb[OCI_LINUX_GIDMAPPINGS]) {
2062                 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 1);
2063                 if (res)
2064                         return res;
2065         }
2066 
2067         if (tb[OCI_LINUX_READONLYPATHS]) {
2068                 blobmsg_for_each_attr(cur, tb[OCI_LINUX_READONLYPATHS], rem) {
2069                         res = add_mount(NULL, blobmsg_get_string(cur), NULL, MS_BIND | MS_REC | MS_RDONLY, NULL, 0);
2070                         if (res)
2071                                 return res;
2072                 }
2073         }
2074 
2075         if (tb[OCI_LINUX_MASKEDPATHS]) {
2076                 blobmsg_for_each_attr(cur, tb[OCI_LINUX_MASKEDPATHS], rem) {
2077                         res = add_mount((void *)(-1), blobmsg_get_string(cur), NULL, 0, NULL, 1);
2078                         if (res)
2079                                 return res;
2080                 }
2081         }
2082 
2083         if (tb[OCI_LINUX_SYSCTL]) {
2084                 res = parseOCIsysctl(tb[OCI_LINUX_SYSCTL]);
2085                 if (res)
2086                         return res;
2087         }
2088 
2089         if (tb[OCI_LINUX_SECCOMP]) {
2090                 opts.ociseccomp = parseOCIlinuxseccomp(tb[OCI_LINUX_SECCOMP]);
2091                 if (!opts.ociseccomp)
2092                         return EINVAL;
2093         }
2094 
2095         if (tb[OCI_LINUX_DEVICES]) {
2096                 res = parseOCIdevices(tb[OCI_LINUX_DEVICES]);
2097                 if (res)
2098                         return res;
2099         }
2100 
2101         if (tb[OCI_LINUX_CGROUPSPATH]) {
2102                 cgpath = blobmsg_get_string(tb[OCI_LINUX_CGROUPSPATH]);
2103                 if (cgpath[0] == '/') {
2104                         if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath)))
2105                                 return E2BIG;
2106 
2107                         strcat(cgfullpath, cgpath);
2108                 } else {
2109                         strcat(cgfullpath, "/containers/");
2110                         strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
2111                         strcat(cgfullpath, "/");
2112                         if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath)))
2113                                 return E2BIG;
2114 
2115                         strcat(cgfullpath, cgpath);
2116                 }
2117         } else {
2118                 strcat(cgfullpath, "/containers/");
2119                 strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
2120                 strcat(cgfullpath, "/");
2121                 strcat(cgfullpath, opts.name); /* should be container instance name rather than jail name */
2122         }
2123 
2124         cgroups_init(cgfullpath);
2125 
2126         if (tb[OCI_LINUX_RESOURCES]) {
2127                 res = parseOCIlinuxcgroups(tb[OCI_LINUX_RESOURCES]);
2128                 if (res)
2129                         return res;
2130         }
2131 
2132         return 0;
2133 }
2134 
2135 enum {
2136         OCI_VERSION,
2137         OCI_HOSTNAME,
2138         OCI_PROCESS,
2139         OCI_ROOT,
2140         OCI_MOUNTS,
2141         OCI_HOOKS,
2142         OCI_LINUX,
2143         OCI_ANNOTATIONS,
2144         __OCI_MAX,
2145 };
2146 
2147 static const struct blobmsg_policy oci_policy[] = {
2148         [OCI_VERSION] = { "ociVersion", BLOBMSG_TYPE_STRING },
2149         [OCI_HOSTNAME] = { "hostname", BLOBMSG_TYPE_STRING },
2150         [OCI_PROCESS] = { "process", BLOBMSG_TYPE_TABLE },
2151         [OCI_ROOT] = { "root", BLOBMSG_TYPE_TABLE },
2152         [OCI_MOUNTS] = { "mounts", BLOBMSG_TYPE_ARRAY },
2153         [OCI_HOOKS] = { "hooks", BLOBMSG_TYPE_TABLE },
2154         [OCI_LINUX] = { "linux", BLOBMSG_TYPE_TABLE },
2155         [OCI_ANNOTATIONS] = { "annotations", BLOBMSG_TYPE_TABLE },
2156 };
2157 
2158 static int parseOCI(const char *jsonfile)
2159 {
2160         struct blob_attr *tb[__OCI_MAX];
2161         struct blob_attr *cur;
2162         int rem;
2163         int res;
2164 
2165         blob_buf_init(&ocibuf, 0);
2166         if (!blobmsg_add_json_from_file(&ocibuf, jsonfile))
2167                 return ENOENT;
2168 
2169         blobmsg_parse(oci_policy, __OCI_MAX, tb, blob_data(ocibuf.head), blob_len(ocibuf.head));
2170 
2171         if (!tb[OCI_VERSION])
2172                 return ENOMSG;
2173 
2174         if (strncmp("1.0", blobmsg_get_string(tb[OCI_VERSION]), 3)) {
2175                 ERROR("unsupported ociVersion %s\n", blobmsg_get_string(tb[OCI_VERSION]));
2176                 return ENOTSUP;
2177         }
2178 
2179         if (tb[OCI_HOSTNAME])
2180                 opts.hostname = strdup(blobmsg_get_string(tb[OCI_HOSTNAME]));
2181 
2182         if (!tb[OCI_PROCESS])
2183                 return ENODATA;
2184 
2185         if ((res = parseOCIprocess(tb[OCI_PROCESS])))
2186                 return res;
2187 
2188         if (!tb[OCI_ROOT])
2189                 return ENODATA;
2190 
2191         if ((res = parseOCIroot(jsonfile, tb[OCI_ROOT])))
2192                 return res;
2193 
2194         if (!tb[OCI_MOUNTS])
2195                 return ENODATA;
2196 
2197         blobmsg_for_each_attr(cur, tb[OCI_MOUNTS], rem)
2198                 if ((res = parseOCImount(cur)))
2199                         return res;
2200 
2201         if (tb[OCI_LINUX] && (res = parseOCIlinux(tb[OCI_LINUX])))
2202                 return res;
2203 
2204         if (tb[OCI_HOOKS] && (res = parseOCIhooks(tb[OCI_HOOKS])))
2205                 return res;
2206 
2207         if (tb[OCI_ANNOTATIONS])
2208                 opts.annotations = blob_memdup(tb[OCI_ANNOTATIONS]);
2209 
2210         blob_buf_free(&ocibuf);
2211 
2212         return 0;
2213 }
2214 
2215 static int set_oom_score_adj(void)
2216 {
2217         int f;
2218         char fname[32];
2219 
2220         if (!opts.set_oom_score_adj)
2221                 return 0;
2222 
2223         snprintf(fname, sizeof(fname), "/proc/%u/oom_score_adj", jail_process.pid);
2224         f = open(fname, O_WRONLY | O_TRUNC);
2225         if (f == -1)
2226                 return errno;
2227 
2228         dprintf(f, "%d", opts.oom_score_adj);
2229         close(f);
2230 
2231         return 0;
2232 }
2233 
2234 
2235 enum {
2236         OCI_STATE_CREATING,
2237         OCI_STATE_CREATED,
2238         OCI_STATE_RUNNING,
2239         OCI_STATE_STOPPED,
2240 };
2241 
2242 static int jail_oci_state = OCI_STATE_CREATED;
2243 static void pipe_send_start_container(struct uloop_timeout *t);
2244 static struct uloop_timeout start_container_timeout = {
2245         .cb = pipe_send_start_container,
2246 };
2247 
2248 static int handle_start(struct ubus_context *ctx, struct ubus_object *obj,
2249                         struct ubus_request_data *req, const char *method,
2250                         struct blob_attr *msg)
2251 {
2252         if (jail_oci_state != OCI_STATE_CREATED)
2253                 return UBUS_STATUS_INVALID_ARGUMENT;
2254 
2255         uloop_timeout_add(&start_container_timeout);
2256 
2257         return UBUS_STATUS_OK;
2258 }
2259 
2260 static struct blob_buf bb;
2261 static int handle_state(struct ubus_context *ctx, struct ubus_object *obj,
2262                         struct ubus_request_data *req, const char *method,
2263                         struct blob_attr *msg)
2264 {
2265         char *statusstr;
2266 
2267         switch (jail_oci_state) {
2268                 case OCI_STATE_CREATING:
2269                         statusstr = "creating";
2270                         break;
2271                 case OCI_STATE_CREATED:
2272                         statusstr = "created";
2273                         break;
2274                 case OCI_STATE_RUNNING:
2275                         statusstr = "running";
2276                         break;
2277                 case OCI_STATE_STOPPED:
2278                         statusstr = "stopped";
2279                         break;
2280                 default:
2281                         statusstr = "unknown";
2282         }
2283 
2284         blob_buf_init(&bb, 0);
2285         blobmsg_add_string(&bb, "ociVersion", OCI_VERSION_STRING);
2286         blobmsg_add_string(&bb, "id", opts.name);
2287         blobmsg_add_string(&bb, "status", statusstr);
2288         if (jail_oci_state == OCI_STATE_CREATED ||
2289             jail_oci_state == OCI_STATE_RUNNING)
2290                 blobmsg_add_u32(&bb, "pid", jail_process.pid);
2291 
2292         blobmsg_add_string(&bb, "bundle", opts.ocibundle);
2293 
2294         if (opts.annotations)
2295                 blobmsg_add_blob(&bb, opts.annotations);
2296 
2297         ubus_send_reply(ctx, req, bb.head);
2298 
2299         return UBUS_STATUS_OK;
2300 }
2301 
2302 enum {
2303         CONTAINER_KILL_ATTR_SIGNAL,
2304         __CONTAINER_KILL_ATTR_MAX,
2305 };
2306 
2307 static const struct blobmsg_policy container_kill_attrs[__CONTAINER_KILL_ATTR_MAX] = {
2308         [CONTAINER_KILL_ATTR_SIGNAL] = { "signal", BLOBMSG_TYPE_INT32 },
2309 };
2310 
2311 static int
2312 container_handle_kill(struct ubus_context *ctx, struct ubus_object *obj,
2313                     struct ubus_request_data *req, const char *method,
2314                     struct blob_attr *msg)
2315 {
2316         struct blob_attr *tb[__CONTAINER_KILL_ATTR_MAX], *cur;
2317         int sig = SIGTERM;
2318 
2319         blobmsg_parse(container_kill_attrs, __CONTAINER_KILL_ATTR_MAX, tb, blobmsg_data(msg), blobmsg_data_len(msg));
2320 
2321         cur = tb[CONTAINER_KILL_ATTR_SIGNAL];
2322         if (cur)
2323                 sig = blobmsg_get_u32(cur);
2324 
2325         if (jail_oci_state == OCI_STATE_CREATING)
2326                 return UBUS_STATUS_NOT_FOUND;
2327 
2328         if (kill(jail_process.pid, sig) == 0)
2329                 return 0;
2330 
2331         switch (errno) {
2332         case EINVAL: return UBUS_STATUS_INVALID_ARGUMENT;
2333         case EPERM:  return UBUS_STATUS_PERMISSION_DENIED;
2334         case ESRCH:  return UBUS_STATUS_NOT_FOUND;
2335         }
2336 
2337         return UBUS_STATUS_UNKNOWN_ERROR;
2338 }
2339 
2340 static struct ubus_method container_methods[] = {
2341         UBUS_METHOD_NOARG("start", handle_start),
2342         UBUS_METHOD_NOARG("state", handle_state),
2343         UBUS_METHOD("kill", container_handle_kill, container_kill_attrs),
2344 };
2345 
2346 static struct ubus_object_type container_object_type =
2347         UBUS_OBJECT_TYPE("container", container_methods);
2348 
2349 static struct ubus_object container_object = {
2350         .type = &container_object_type,
2351         .methods = container_methods,
2352         .n_methods = ARRAY_SIZE(container_methods),
2353 };
2354 
2355 static void post_main(struct uloop_timeout *t);
2356 static struct uloop_timeout post_main_timeout = {
2357         .cb = post_main,
2358 };
2359 static int netns_fd;
2360 static int pidns_fd;
2361 #ifdef CLONE_NEWTIME
2362 static int timens_fd;
2363 #endif
2364 static void post_create_runtime(void);
2365 int main(int argc, char **argv)
2366 {
2367         uid_t uid = getuid();
2368         const char log[] = "/dev/log";
2369         const char ubus[] = "/var/run/ubus.sock";
2370         int ch, ret;
2371 
2372         if (uid) {
2373                 ERROR("not root, aborting: %m\n");
2374                 return EXIT_FAILURE;
2375         }
2376 
2377         umask(022);
2378         mount_list_init();
2379         init_library_search();
2380 
2381         while ((ch = getopt(argc, argv, OPT_ARGS)) != -1) {
2382                 switch (ch) {
2383                 case 'd':
2384                         debug = atoi(optarg);
2385                         break;
2386                 case 'p':
2387                         opts.namespace |= CLONE_NEWNS;
2388                         opts.procfs = 1;
2389                         break;
2390                 case 'o':
2391                         opts.namespace |= CLONE_NEWNS;
2392                         opts.ronly = 1;
2393                         break;
2394                 case 'f':
2395                         opts.namespace |= CLONE_NEWUSER;
2396                         break;
2397                 case 'F':
2398                         opts.namespace |= CLONE_NEWCGROUP;
2399                         break;
2400                 case 'R':
2401                         opts.extroot = strdup(optarg);
2402                         break;
2403                 case 's':
2404                         opts.namespace |= CLONE_NEWNS;
2405                         opts.sysfs = 1;
2406                         break;
2407                 case 'S':
2408                         opts.seccomp = optarg;
2409                         add_mount_bind(optarg, 1, -1);
2410                         break;
2411                 case 'C':
2412                         opts.capabilities = optarg;
2413                         break;
2414                 case 'c':
2415                         opts.no_new_privs = 1;
2416                         break;
2417                 case 'n':
2418                         opts.name = optarg;
2419                         break;
2420                 case 'N':
2421                         opts.namespace |= CLONE_NEWNET;
2422                         break;
2423                 case 'h':
2424                         opts.namespace |= CLONE_NEWUTS;
2425                         opts.hostname = strdup(optarg);
2426                         break;
2427                 case 'r':
2428                         opts.namespace |= CLONE_NEWNS;
2429                         add_path_and_deps(optarg, 1, 0, 0);
2430                         break;
2431                 case 'w':
2432                         opts.namespace |= CLONE_NEWNS;
2433                         add_path_and_deps(optarg, 0, 0, 0);
2434                         break;
2435                 case 'u':
2436                         opts.namespace |= CLONE_NEWNS;
2437                         add_mount_bind(ubus, 0, -1);
2438                         break;
2439                 case 'l':
2440                         opts.namespace |= CLONE_NEWNS;
2441                         add_mount_bind(log, 0, -1);
2442                         break;
2443                 case 'U':
2444                         opts.user = optarg;
2445                         break;
2446                 case 'G':
2447                         opts.group = optarg;
2448                         break;
2449                 case 'O':
2450                         opts.overlaydir = optarg;
2451                         break;
2452                 case 'T':
2453                         opts.tmpoverlaysize = optarg;
2454                         break;
2455                 case 'E':
2456                         opts.require_jail = 1;
2457                         break;
2458                 case 'y':
2459                         opts.console = 1;
2460                         break;
2461                 case 'J':
2462                         opts.ocibundle = strdup(optarg);
2463                         break;
2464                 case 'i':
2465                         opts.immediately = true;
2466                         break;
2467                 }
2468         }
2469 
2470         if (opts.namespace && !opts.ocibundle)
2471                 opts.namespace |= CLONE_NEWIPC | CLONE_NEWPID;
2472 
2473         /* those are filehandlers, so -1 indicates unused */
2474         opts.setns.pid = -1;
2475         opts.setns.net = -1;
2476         opts.setns.ns = -1;
2477         opts.setns.ipc = -1;
2478         opts.setns.uts = -1;
2479         opts.setns.user = -1;
2480         opts.setns.cgroup = -1;
2481 #ifdef CLONE_NEWTIME
2482         opts.setns.time = -1;
2483 #endif
2484 
2485         if (opts.ocibundle) {
2486                 char *jsonfile;
2487                 int ocires;
2488 
2489                 asprintf(&jsonfile, "%s/config.json", opts.ocibundle);
2490                 ocires = parseOCI(jsonfile);
2491                 free(jsonfile);
2492                 if (ocires) {
2493                         ERROR("parsing of OCI JSON spec has failed: %s (%d)\n", strerror(ocires), ocires);
2494                         return ocires;
2495                 }
2496         }
2497 
2498         if (opts.tmpoverlaysize && strlen(opts.tmpoverlaysize) > 8) {
2499                 ERROR("size parameter too long: \"%s\"\n", opts.tmpoverlaysize);
2500                 return -1;
2501         }
2502 
2503         /* no <binary> param found */
2504         if (!opts.ocibundle && (argc - optind < 1)) {
2505                 usage();
2506                 return EXIT_FAILURE;
2507         }
2508         if (!(opts.ocibundle||opts.namespace||opts.capabilities||opts.seccomp)) {
2509                 ERROR("Not using namespaces, capabilities or seccomp !!!\n\n");
2510                 usage();
2511                 return EXIT_FAILURE;
2512         }
2513         DEBUG("Using namespaces(0x%08x), capabilities(%d), seccomp(%d)\n",
2514                 opts.namespace,
2515                 opts.capabilities != 0 || opts.capset.apply,
2516                 opts.seccomp != 0 || opts.ociseccomp != 0);
2517 
2518         uloop_init();
2519         signals_init();
2520 
2521         parent_ctx = ubus_connect(NULL);
2522         ubus_add_uloop(parent_ctx);
2523 
2524         if (opts.ocibundle) {
2525                 char *objname;
2526                 if (asprintf(&objname, "container.%s", opts.name) < 0)
2527                         exit(-ENOMEM);
2528 
2529                 container_object.name = objname;
2530                 ret = ubus_add_object(parent_ctx, &container_object);
2531                 if (ret) {
2532                         ERROR("Failed to add object: %s\n", ubus_strerror(ret));
2533                         exit(-1);
2534                 }
2535         }
2536 
2537         /* deliberately not using 'else' on unrelated conditional branches */
2538         if (!opts.ocibundle) {
2539                 /* allocate NULL-terminated array for argv */
2540                 opts.jail_argv = calloc(1 + argc - optind, sizeof(char**));
2541                 if (!opts.jail_argv)
2542                         return EXIT_FAILURE;
2543 
2544                 for (size_t s = optind; s < argc; s++)
2545                         opts.jail_argv[s - optind] = strdup(argv[s]);
2546 
2547                 if (opts.namespace & CLONE_NEWUSER)
2548                         get_jail_user(&opts.pw_uid, &opts.pw_gid, &opts.gr_gid);
2549         }
2550 
2551         if (!opts.extroot) {
2552                 if (opts.namespace && add_path_and_deps(*opts.jail_argv, 1, -1, 0)) {
2553                         ERROR("failed to load dependencies\n");
2554                         return -1;
2555                 }
2556         }
2557 
2558         if (opts.namespace && opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) {
2559                 ERROR("failed to load libpreload-seccomp.so\n");
2560                 opts.seccomp = 0;
2561                 if (opts.require_jail)
2562                         return -1;
2563         }
2564 
2565         uloop_timeout_add(&post_main_timeout);
2566         uloop_run();
2567 
2568         /* unreachable */
2569         return 0;
2570 }
2571 
2572 static void post_main(struct uloop_timeout *t)
2573 {
2574         if (apply_rlimits()) {
2575                 ERROR("error applying resource limits\n");
2576                 exit(EXIT_FAILURE);
2577         }
2578 
2579         if (opts.name)
2580                 prctl(PR_SET_NAME, opts.name, NULL, NULL, NULL);
2581 
2582         if (pipe(&pipes[0]) < 0 || pipe(&pipes[2]) < 0)
2583                 exit(-1);
2584 
2585         if (has_namespaces()) {
2586                 if (opts.namespace & CLONE_NEWNS) {
2587                         if (!opts.extroot && (opts.user || opts.group)) {
2588                                 add_mount_bind("/etc/passwd", 0, -1);
2589                                 add_mount_bind("/etc/group", 0, -1);
2590                         }
2591 
2592 #if defined(__GLIBC__)
2593                         if (!opts.extroot)
2594                                 add_mount_bind("/etc/nsswitch.conf", 0, -1);
2595 #endif
2596 
2597                         if (!(opts.namespace & CLONE_NEWNET)) {
2598                                 add_mount_bind("/etc/resolv.conf", 0, -1);
2599                         } else if (opts.setns.net == -1) {
2600                                 char hostdir[PATH_MAX];
2601 
2602                                 snprintf(hostdir, PATH_MAX, "/tmp/resolv.conf-%s.d", opts.name);
2603                                 mkdir_p(hostdir, 0755);
2604                                 add_mount(hostdir, "/dev/resolv.conf.d", NULL, MS_BIND | MS_NOEXEC | MS_NOATIME | MS_NOSUID | MS_NODEV | MS_RDONLY, NULL, -1);
2605                         }
2606 
2607                         /* default mounts */
2608                         add_mount(NULL, "/dev", "tmpfs", MS_NOATIME | MS_NOEXEC | MS_NOSUID, "size=1M", -1);
2609                         add_mount(NULL, "/dev/pts", "devpts", MS_NOATIME | MS_NOEXEC | MS_NOSUID, "newinstance,ptmxmode=0666,mode=0620,gid=5", 0);
2610 
2611                         if (opts.procfs || opts.ocibundle) {
2612                                 add_mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, NULL, -1);
2613 
2614                                 /*
2615                                  * hack to make /proc/sys/net read-write while the rest of /proc/sys is read-only
2616                                  * which cannot be expressed with OCI spec, but happends to be very useful.
2617                                  * Only apply it if '/proc/sys' is not already listed as mount, maskedPath or
2618                                  * readonlyPath.
2619                                  * If not running in a new network namespace, only make /proc/sys read-only.
2620                                  * If running in a new network namespace, temporarily stash (ie. mount-bind)
2621                                  * /proc/sys/net into (totally unrelated, but surely existing) /proc/self/net.
2622                                  * Then we mount-bind /proc/sys read-only and then mount-move /proc/self/net into
2623                                  * /proc/sys/net.
2624                                  * This works because mounts are executed in incrementing strcmp() order and
2625                                  * /proc/self/net appears there before /proc/sys/net and hence the operation
2626                                  * succeeds as the bind-mount of /proc/self/net is performed first and then
2627                                  * move-mount of /proc/sys/net follows because 'e' preceeds 'y' in the ASCII
2628                                  * table (and in the alphabet).
2629                                  */
2630                                 if (!add_mount(NULL, "/proc/sys", NULL, MS_BIND | MS_RDONLY, NULL, -1))
2631                                         if (opts.namespace & CLONE_NEWNET)
2632                                                 if (!add_mount_inner("/proc/self/net", "/proc/sys/net", NULL, MS_MOVE, NULL, -1))
2633                                                         add_mount_inner("/proc/sys/net", "/proc/self/net", NULL, MS_BIND, NULL, -1);
2634 
2635                         }
2636                         if (opts.sysfs || opts.ocibundle)
2637                                 add_mount("sysfs", "/sys", "sysfs", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, NULL, -1);
2638 
2639                         if (opts.ocibundle)
2640                                 add_mount("shm", "/dev/shm", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV, "mode=1777", -1);
2641 
2642                 }
2643 
2644                 if (opts.setns.pid != -1) {
2645                         pidns_fd = ns_open_pid("pid", getpid());
2646                         setns_open(CLONE_NEWPID);
2647                 } else {
2648                         pidns_fd = -1;
2649                 }
2650 
2651 #ifdef CLONE_NEWTIME
2652                 if (opts.setns.time != -1) {
2653                         timens_fd = ns_open_pid("time", getpid());
2654                         setns_open(CLONE_NEWTIME);
2655                 }
2656 #endif
2657 
2658                 jail_process.pid = clone(exec_jail, child_stack + STACK_SIZE, SIGCHLD | (opts.namespace & (~CLONE_NEWCGROUP)), NULL);
2659         } else {
2660                 jail_process.pid = fork();
2661         }
2662 
2663         if (jail_process.pid > 0) {
2664                 /* parent process */
2665                 char sig_buf[1];
2666 
2667                 uloop_process_add(&jail_process);
2668                 jail_running = 1;
2669                 seteuid(0);
2670                 if (pidns_fd != -1) {
2671                         setns(pidns_fd, CLONE_NEWPID);
2672                         close(pidns_fd);
2673                 }
2674 #ifdef CLONE_NEWTIME
2675                 if (timens_fd != -1)
2676                         setns(timens_fd, CLONE_NEWTIME);
2677                         close(timens_fd);
2678                 }
2679 #endif
2680                 if (opts.setns.net != -1)
2681                         close(opts.setns.net);
2682                 if (opts.setns.ns != -1)
2683                         close(opts.setns.ns);
2684                 if (opts.setns.ipc != -1)
2685                         close(opts.setns.ipc);
2686                 if (opts.setns.uts != -1)
2687                         close(opts.setns.uts);
2688                 if (opts.setns.user != -1)
2689                         close(opts.setns.user);
2690                 if (opts.setns.cgroup != -1)
2691                         close(opts.setns.cgroup);
2692                 close(pipes[1]);
2693                 close(pipes[2]);
2694                 if (read(pipes[0], sig_buf, 1) < 1) {
2695                         ERROR("can't read from child\n");
2696                         exit(-1);
2697                 }
2698                 close(pipes[0]);
2699                 set_oom_score_adj();
2700 
2701                 if (opts.ocibundle)
2702                         cgroups_apply(jail_process.pid);
2703 
2704                 if (opts.namespace & CLONE_NEWUSER) {
2705                         if (write_setgroups(jail_process.pid, true)) {
2706                                 ERROR("can't write setgroups\n");
2707                                 exit(-1);
2708                         }
2709                         if (!opts.uidmap) {
2710                                 bool has_gr = (opts.gr_gid != -1);
2711                                 if (opts.pw_uid != -1) {
2712                                         write_single_uid_gid_map(jail_process.pid, 0, opts.pw_uid);
2713                                         write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:opts.pw_gid);
2714                                 } else {
2715                                         write_single_uid_gid_map(jail_process.pid, 0, 65534);
2716                                         write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:65534);
2717                                 }
2718                         } else {
2719                                 write_uid_gid_map(jail_process.pid, 0, opts.uidmap);
2720                                 if (opts.gidmap)
2721                                         write_uid_gid_map(jail_process.pid, 1, opts.gidmap);
2722                         }
2723                 }
2724 
2725                 if (opts.namespace & CLONE_NEWNET) {
2726                         if (!opts.name) {
2727                                 ERROR("netns needs a named jail\n");
2728                                 exit(-1);
2729                         }
2730                         netns_fd = ns_open_pid("net", jail_process.pid);
2731                         netns_updown(jail_process.pid, true);
2732                 }
2733         } else if (jail_process.pid == 0) {
2734                 /* fork child process */
2735                 exit(exec_jail(NULL));
2736         } else {
2737                 ERROR("failed to clone/fork: %m\n");
2738                 exit(EXIT_FAILURE);
2739         }
2740         run_hooks(opts.hooks.createRuntime, post_create_runtime);
2741 }
2742 
2743 static void post_poststart(void);
2744 static void post_create_runtime(void)
2745 {
2746         char sig_buf[1];
2747 
2748         sig_buf[0] = 'O';
2749         if (write(pipes[3], sig_buf, 1) < 0) {
2750                 ERROR("can't write to child\n");
2751                 exit(-1);
2752         }
2753 
2754         jail_oci_state = OCI_STATE_CREATED;
2755         if (opts.ocibundle && !opts.immediately)
2756                 uloop_run(); /* wait for 'start' command via ubus */
2757         else
2758                 pipe_send_start_container(NULL);
2759 }
2760 
2761 static void pipe_send_start_container(struct uloop_timeout *t)
2762 {
2763         char sig_buf[1];
2764 
2765         jail_oci_state = OCI_STATE_RUNNING;
2766         sig_buf[0] = '!';
2767         if (write(pipes[3], sig_buf, 1) < 0) {
2768                 ERROR("can't write to child\n");
2769                 exit(-1);
2770         }
2771         close(pipes[3]);
2772 
2773         run_hooks(opts.hooks.poststart, post_poststart);
2774 }
2775 
2776 static void post_poststart(void)
2777 {
2778         uloop_run(); /* idle here while jail is running */
2779         if (jail_running) {
2780                 DEBUG("uloop interrupted, killing jail process\n");
2781                 kill(jail_process.pid, SIGTERM);
2782                 uloop_timeout_set(&jail_process_timeout, 1000);
2783                 uloop_run();
2784         }
2785         uloop_done();
2786         poststop();
2787 }
2788 
2789 static void post_poststop(void);
2790 static void poststop(void) {
2791         if (opts.namespace & CLONE_NEWNET) {
2792                 setns(netns_fd, CLONE_NEWNET);
2793                 netns_updown(getpid(), false);
2794                 close(netns_fd);
2795         }
2796         run_hooks(opts.hooks.poststop, post_poststop);
2797 }
2798 
2799 static void post_poststop(void)
2800 {
2801         free_opts(true);
2802         if (parent_ctx)
2803                 ubus_free(parent_ctx);
2804 
2805         exit(jail_return_code);
2806 }
2807 

This page was automatically generated by LXR 0.3.1.  •  OpenWrt