• source navigation  • diff markup  • identifier search  • freetext search  • 

Sources/procd/jail/jail.c

  1 /*
  2  * Copyright (C) 2015 John Crispin <blogic@openwrt.org>
  3  * Copyright (C) 2020 Daniel Golle <daniel@makrotopia.org>
  4  *
  5  * This program is free software; you can redistribute it and/or modify
  6  * it under the terms of the GNU Lesser General Public License version 2.1
  7  * as published by the Free Software Foundation
  8  *
  9  * This program is distributed in the hope that it will be useful,
 10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 12  * GNU General Public License for more details.
 13  */
 14 
 15 #define _GNU_SOURCE
 16 #include <sys/mount.h>
 17 #include <sys/prctl.h>
 18 #include <sys/wait.h>
 19 #include <sys/types.h>
 20 #include <sys/time.h>
 21 #include <sys/resource.h>
 22 #include <sys/stat.h>
 23 #include <sys/sysmacros.h>
 24 
 25 /* musl only defined 15 limit types, make sure all 16 are supported */
 26 #ifndef RLIMIT_RTTIME
 27 #define RLIMIT_RTTIME 15
 28 #undef RLIMIT_NLIMITS
 29 #define RLIMIT_NLIMITS 16
 30 #undef RLIM_NLIMITS
 31 #define RLIM_NLIMITS 16
 32 #endif
 33 
 34 #include <assert.h>
 35 #include <stdlib.h>
 36 #include <unistd.h>
 37 #include <errno.h>
 38 #include <pwd.h>
 39 #include <grp.h>
 40 #include <string.h>
 41 #include <fcntl.h>
 42 #include <sched.h>
 43 #include <linux/filter.h>
 44 #include <linux/limits.h>
 45 #include <linux/nsfs.h>
 46 #include <linux/securebits.h>
 47 #include <signal.h>
 48 #include <inttypes.h>
 49 
 50 #include "capabilities.h"
 51 #include "elf.h"
 52 #include "fs.h"
 53 #include "jail.h"
 54 #include "log.h"
 55 #include "seccomp-oci.h"
 56 #include "cgroups.h"
 57 #include "netifd.h"
 58 
 59 #include <libubox/blobmsg.h>
 60 #include <libubox/blobmsg_json.h>
 61 #include <libubox/list.h>
 62 #include <libubox/vlist.h>
 63 #include <libubox/uloop.h>
 64 #include <libubox/utils.h>
 65 #include <libubus.h>
 66 
 67 #ifndef CLONE_NEWCGROUP
 68 #define CLONE_NEWCGROUP 0x02000000
 69 #endif
 70 
 71 #define STACK_SIZE      (1024 * 1024)
 72 #define OPT_ARGS        "cC:d:EfFG:h:ij:J:ln:NoO:pP:r:R:sS:uU:w:T:y"
 73 
 74 #define OCI_VERSION_STRING "1.0.2"
 75 
 76 struct hook_execvpe {
 77         char *file;
 78         char **argv;
 79         char **envp;
 80         int timeout;
 81 };
 82 
 83 struct sysctl_val {
 84         char *entry;
 85         char *value;
 86 };
 87 
 88 struct mknod_args {
 89         char *path;
 90         mode_t mode;
 91         dev_t dev;
 92         uid_t uid;
 93         gid_t gid;
 94 };
 95 
 96 static struct {
 97         char *name;
 98         char *hostname;
 99         char **jail_argv;
100         char *cwd;
101         char *seccomp;
102         struct sock_fprog *ociseccomp;
103         char *capabilities;
104         struct jail_capset capset;
105         char *user;
106         char *group;
107         char *extroot;
108         char *overlaydir;
109         char *tmpoverlaysize;
110         char **envp;
111         char *uidmap;
112         char *gidmap;
113         char *pidfile;
114         struct sysctl_val **sysctl;
115         int no_new_privs;
116         int namespace;
117         struct {
118                 int pid;
119                 int net;
120                 int ns;
121                 int ipc;
122                 int uts;
123                 int user;
124                 int cgroup;
125 #ifdef CLONE_NEWTIME
126                 int time;
127 #endif
128         } setns;
129         int procfs;
130         int ronly;
131         int sysfs;
132         int console;
133         int pw_uid;
134         int pw_gid;
135         int gr_gid;
136         int root_map_uid;
137         gid_t *additional_gids;
138         size_t num_additional_gids;
139         mode_t umask;
140         bool set_umask;
141         int require_jail;
142         struct {
143                 struct hook_execvpe **createRuntime;
144                 struct hook_execvpe **createContainer;
145                 struct hook_execvpe **startContainer;
146                 struct hook_execvpe **poststart;
147                 struct hook_execvpe **poststop;
148         } hooks;
149         struct rlimit *rlimits[RLIM_NLIMITS];
150         int oom_score_adj;
151         bool set_oom_score_adj;
152         struct mknod_args **devices;
153         char *ocibundle;
154         bool immediately;
155         struct blob_attr *annotations;
156 } opts;
157 
158 static struct blob_buf ocibuf;
159 
160 extern int pivot_root(const char *new_root, const char *put_old);
161 
162 int debug = 0;
163 
164 static char child_stack[STACK_SIZE];
165 
166 static struct ubus_context *parent_ctx;
167 
168 int console_fd;
169 
170 
171 static inline bool has_namespaces(void)
172 {
173 return ((opts.setns.pid != -1) ||
174         (opts.setns.net != -1) ||
175         (opts.setns.ns != -1) ||
176         (opts.setns.ipc != -1) ||
177         (opts.setns.uts != -1) ||
178         (opts.setns.user != -1) ||
179         (opts.setns.cgroup != -1) ||
180 #ifdef CLONE_NEWTIME
181         (opts.setns.time != -1) ||
182 #endif
183         opts.namespace);
184 }
185 
186 static void free_oci_envp(char **p) {
187         char **tmp;
188 
189         if (p) {
190                 tmp = p;
191                 while (*tmp)
192                         free(*(tmp++));
193 
194                 free(p);
195         }
196 }
197 
198 static void free_hooklist(struct hook_execvpe **hooklist)
199 {
200         struct hook_execvpe *cur;
201 
202         if (!hooklist)
203                 return;
204 
205         cur = *hooklist;
206         while (cur) {
207                 free_oci_envp(cur->argv);
208                 free_oci_envp(cur->envp);
209                 free(cur->file);
210                 free(cur++);
211         }
212         free(hooklist);
213 }
214 
215 static void free_sysctl(void) {
216         struct sysctl_val *cur;
217         cur = *opts.sysctl;
218 
219         while (cur) {
220                 free(cur->entry);
221                 free(cur->value);
222                 free(cur++);
223         }
224         free(opts.sysctl);
225 }
226 
227 static void free_devices(void) {
228         struct mknod_args **cur;
229 
230         if (!opts.devices)
231                 return;
232 
233         cur = opts.devices;
234 
235         while (*cur) {
236                 free((*cur)->path);
237                 free(*(cur++));
238         }
239         free(opts.devices);
240 }
241 
242 static void free_rlimits(void) {
243         int type;
244 
245         for (type = 0; type < RLIM_NLIMITS; ++type)
246                 free(opts.rlimits[type]);
247 }
248 
249 static void free_opts(bool parent) {
250 
251         free_library_search();
252         mount_free();
253         cgroups_free();
254 
255         /* we need to keep argv, envp and seccomp filter in child */
256         if (parent) { /* parent-only */
257                 if (opts.ociseccomp) {
258                         free(opts.ociseccomp->filter);
259                         free(opts.ociseccomp);
260                 }
261 
262                 free_oci_envp(opts.jail_argv);
263                 free_oci_envp(opts.envp);
264         }
265 
266         free_rlimits();
267         free_sysctl();
268         free_devices();
269         free(opts.hostname);
270         free(opts.cwd);
271         free(opts.uidmap);
272         free(opts.gidmap);
273         free(opts.annotations);
274         free(opts.extroot);
275         free(opts.overlaydir);
276         free_hooklist(opts.hooks.createRuntime);
277         free_hooklist(opts.hooks.createContainer);
278         free_hooklist(opts.hooks.startContainer);
279         free_hooklist(opts.hooks.poststart);
280         free_hooklist(opts.hooks.poststop);
281 }
282 
283 static int mount_overlay(char *jail_root, char *overlaydir) {
284         char *upperdir, *workdir, *optsstr, *upperetc, *upperresolvconf;
285         const char mountoptsformat[] = "lowerdir=%s,upperdir=%s,workdir=%s";
286         int ret = -1, fd;
287 
288         if (asprintf(&upperdir, "%s%s", overlaydir, "/upper") < 0)
289                 goto out;
290 
291         if (asprintf(&workdir, "%s%s", overlaydir, "/work") < 0)
292                 goto upper_printf;
293 
294         if (asprintf(&optsstr, mountoptsformat, jail_root, upperdir, workdir) < 0)
295                 goto work_printf;
296 
297         if (mkdir_p(upperdir, 0755) || mkdir_p(workdir, 0755))
298                 goto opts_printf;
299 
300 /*
301  * make sure /etc/resolv.conf exists in overlay and is owned by jail userns root
302  * this is to work-around a bug in overlayfs described in the overlayfs-userns
303  * patch:
304  * 3. modification of a file 'hithere' which is in l but not yet
305  * in u, and which is not owned by T, is not allowed, even if
306  * writes to u are allowed.  This may be a bug in overlayfs,
307  * but it is safe behavior.
308  */
309         if (asprintf(&upperetc, "%s/etc", upperdir) < 0)
310                 goto opts_printf;
311 
312         if (mkdir_p(upperetc, 0755))
313                 goto upper_etc_printf;
314 
315         if (asprintf(&upperresolvconf, "%s/resolv.conf", upperetc) < 0)
316                 goto upper_etc_printf;
317 
318         fd = creat(upperresolvconf, 0644);
319         if (fd < 0) {
320                 if (errno != EEXIST)
321                         ERROR("creat(%s) failed: %m\n", upperresolvconf);
322         } else {
323                 close(fd);
324         }
325         DEBUG("mount -t overlay %s %s (%s)\n", jail_root, jail_root, optsstr);
326 
327         if (mount(jail_root, jail_root, "overlay", MS_NOATIME, optsstr))
328                 goto upper_resolvconf_printf;
329 
330         ret = 0;
331 
332 upper_resolvconf_printf:
333         free(upperresolvconf);
334 upper_etc_printf:
335         free(upperetc);
336 opts_printf:
337         free(optsstr);
338 work_printf:
339         free(workdir);
340 upper_printf:
341         free(upperdir);
342 out:
343         return ret;
344 }
345 
346 static void pass_console(int console_fd)
347 {
348         struct ubus_context *child_ctx = ubus_connect(NULL);
349         static struct blob_buf req;
350         uint32_t id;
351 
352         if (!child_ctx)
353                 return;
354 
355         blob_buf_init(&req, 0);
356         blobmsg_add_string(&req, "name", opts.name);
357 
358         if (ubus_lookup_id(child_ctx, "container", &id) ||
359             ubus_invoke_fd(child_ctx, id, "console_set", req.head, NULL, NULL, 3000, console_fd))
360                 INFO("ubus request failed\n");
361         else
362                 close(console_fd);
363 
364         blob_buf_free(&req);
365         ubus_free(child_ctx);
366 }
367 
368 static int create_dev_console(const char *jail_root)
369 {
370         char *console_fname;
371         char dev_console_path[PATH_MAX];
372         int slave_console_fd;
373 
374         /* Open UNIX/98 virtual console */
375         console_fd = posix_openpt(O_RDWR | O_NOCTTY);
376         if (console_fd < 0)
377                 return -1;
378 
379         console_fname = ptsname(console_fd);
380         DEBUG("got console fd %d and PTS client name %s\n", console_fd, console_fname);
381         if (!console_fname)
382                 goto no_console;
383 
384         grantpt(console_fd);
385         unlockpt(console_fd);
386 
387         /* pass PTY master to procd */
388         pass_console(console_fd);
389 
390         /* mount-bind PTY slave to /dev/console in jail */
391         snprintf(dev_console_path, sizeof(dev_console_path), "%s/dev/console", jail_root);
392         close(creat(dev_console_path, 0620));
393 
394         if (mount(console_fname, dev_console_path, "bind", MS_BIND, NULL))
395                 goto no_console;
396 
397         /* use PTY slave for stdio */
398         slave_console_fd = open(console_fname, O_RDWR); /* | O_NOCTTY */
399         if (slave_console_fd < 0)
400                 goto no_console;
401 
402         dup2(slave_console_fd, 0);
403         dup2(slave_console_fd, 1);
404         dup2(slave_console_fd, 2);
405         close(slave_console_fd);
406 
407         INFO("using guest console %s\n", console_fname);
408 
409         return 0;
410 
411 no_console:
412         close(console_fd);
413         return 1;
414 }
415 
416 static int hook_running = 0;
417 static int hook_return_code = 0;
418 static struct hook_execvpe **current_hook = NULL;
419 typedef void (*hook_return_handler)(void);
420 static hook_return_handler hook_return_cb = NULL;
421 
422 static void hook_process_timeout_cb(struct uloop_timeout *t);
423 static struct uloop_timeout hook_process_timeout = {
424         .cb = hook_process_timeout_cb,
425 };
426 
427 static void run_hooklist(void);
428 static void hook_process_handler(struct uloop_process *c, int ret)
429 {
430         uloop_timeout_cancel(&hook_process_timeout);
431 
432         if (WIFEXITED(ret)) {
433                 hook_return_code = WEXITSTATUS(ret);
434                 if (hook_return_code)
435                         ERROR("hook (%d) exited with exit: %d\n", c->pid, hook_return_code);
436                 else
437                         DEBUG("hook (%d) exited with exit: %d\n", c->pid, hook_return_code);
438 
439         } else {
440                 hook_return_code = WTERMSIG(ret);
441                 ERROR("hook (%d) exited with signal: %d\n", c->pid, hook_return_code);
442         }
443         hook_running = 0;
444         ++current_hook;
445         run_hooklist();
446 }
447 
448 static struct uloop_process hook_process = {
449         .cb = hook_process_handler,
450 };
451 
452 static void hook_process_timeout_cb(struct uloop_timeout *t)
453 {
454         DEBUG("hook process failed to stop, sending SIGKILL\n");
455         kill(hook_process.pid, SIGKILL);
456 }
457 
458 static void run_hooklist(void)
459 {
460         struct hook_execvpe *hook = *current_hook;
461         struct stat s;
462 
463         if (!hook)
464                 return hook_return_cb();
465 
466         DEBUG("executing hook %s\n", hook->file);
467 
468         if (stat(hook->file, &s))
469                 hook_process_handler(&hook_process, ENOENT);
470 
471         if (!((unsigned long)s.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
472                 hook_process_handler(&hook_process, EPERM);
473 
474         hook_running = 1;
475         hook_process.pid = fork();
476         if (hook_process.pid == 0) {
477                 /* child */
478                 execve(hook->file, hook->argv, hook->envp);
479                 ERROR("execve error %m\n");
480                 _exit(errno);
481         } else if (hook_process.pid < 0) {
482                 /* fork error */
483                 ERROR("hook fork error\n");
484                 hook_running = 0;
485                 hook_process_handler(&hook_process, errno);
486         }
487 
488         /* parent */
489         uloop_process_add(&hook_process);
490 
491         if (hook->timeout > 0)
492                 uloop_timeout_set(&hook_process_timeout, 1000 * hook->timeout);
493 
494         uloop_run();
495         if (hook_running) {
496                 DEBUG("uloop interrupted, killing jail process\n");
497                 kill(hook_process.pid, SIGTERM);
498                 uloop_timeout_set(&hook_process_timeout, 1000);
499                 uloop_run();
500         }
501 }
502 
503 static void run_hooks(struct hook_execvpe **hooklist, hook_return_handler return_cb)
504 {
505         if (!hooklist)
506                 return_cb();
507 
508         current_hook = hooklist;
509         hook_return_cb = return_cb;
510 
511         run_hooklist();
512 }
513 
514 static int apply_sysctl(const char *jail_root)
515 {
516         struct sysctl_val **cur;
517         char *procdir, *fname;
518         int f;
519 
520         if (!opts.sysctl)
521                 return 0;
522 
523         if (asprintf(&procdir, "%s/proc", jail_root) < 0)
524                 return ENOMEM;
525 
526         mkdir(procdir, 0700);
527         if (mount("proc", procdir, "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0))
528                 return EPERM;
529 
530         cur = opts.sysctl;
531 
532         while (*cur) {
533                 if (asprintf(&fname, "%s/sys/%s", procdir, (*cur)->entry) < 0)
534                         return ENOMEM;
535 
536                 DEBUG("sysctl: writing '%s' to %s\n", (*cur)->value, fname);
537 
538                 f = open(fname, O_WRONLY);
539                 if (f < 0) {
540                         ERROR("sysctl: can't open %s\n", fname);
541                         free(fname);
542                         return errno;
543                 }
544                 if (write(f, (*cur)->value, strlen((*cur)->value)) < 0) {
545                         ERROR("sysctl: write to %s\n", fname);
546                         free(fname);
547                         close(f);
548                         return errno;
549                 }
550 
551                 free(fname);
552                 close(f);
553                 ++cur;
554         }
555         umount(procdir);
556         rmdir(procdir);
557         free(procdir);
558 
559         return 0;
560 }
561 
562 /* glibc defines makedev calling a function. make sure it's a pure macro */
563 #if defined(__GLIBC__)
564 #undef makedev
565 /* from musl's sys/sysmacros.h */
566 #define makedev(x,y) ( \
567         (((x)&0xfffff000ULL) << 32) | \
568         (((x)&0x00000fffULL) << 8) | \
569         (((y)&0xffffff00ULL) << 12) | \
570         (((y)&0x000000ffULL)) )
571 #endif
572 
573 static struct mknod_args default_devices[] = {
574         { .path = "/dev/null", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 3) },
575         { .path = "/dev/zero", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 5) },
576         { .path = "/dev/full", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 7) },
577         { .path = "/dev/random", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 8) },
578         { .path = "/dev/urandom", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 9) },
579         { .path = "/dev/tty", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP), .dev = makedev(5, 0), .gid = 5 },
580         { 0 },
581 };
582 
583 static int create_devices(void)
584 {
585         struct mknod_args **cur, *curdef;
586         char *path, *tmp;
587 
588         if (!opts.devices)
589                 goto only_default_devices;
590 
591         cur = opts.devices;
592 
593         while (*cur) {
594                 path = (*cur)->path;
595                 /* don't allow devices outside of /dev */
596                 if (strncmp(path, "/dev", 4))
597                         return EPERM;
598 
599                 /* make sure parent folder exists */
600                 tmp = strrchr(path, '/');
601                 if (!tmp)
602                         return EINVAL;
603 
604                 *tmp = '\0';
605                 if (strcmp(path, "/dev")) {
606                         DEBUG("creating directory %s\n", path);
607 
608                         mkdir_p(path, 0755);
609                 }
610                 *tmp = '/';
611 
612                 DEBUG("creating %s (mode=%08o)\n", path, (*cur)->mode);
613 
614                 /* create device */
615                 if (mknod(path, (*cur)->mode, (*cur)->dev))
616                         return errno;
617 
618                 /* change owner, if needed */
619                 if (((*cur)->uid || (*cur)->gid) &&
620                     chown(path, (*cur)->uid, (*cur)->gid))
621                         return errno;
622 
623                 ++cur;
624         }
625 
626 only_default_devices:
627         curdef = default_devices;
628         while(curdef->path) {
629                 DEBUG("creating %s (mode=%08o)\n", curdef->path, curdef->mode);
630                 if (mknod(curdef->path, curdef->mode, curdef->dev)) {
631                         ++curdef;
632                         continue; /* may already exist, eg. due to a bind-mount */
633                 }
634                 if ((curdef->uid || curdef->gid) &&
635                     chown(curdef->path, curdef->uid, curdef->gid))
636                         return errno;
637 
638                 ++curdef;
639         }
640 
641         /* Dev symbolic links as defined in OCI spec */
642         (void) symlink("/dev/pts/ptmx", "/dev/ptmx");
643         (void) symlink("/proc/self/fd", "/dev/fd");
644         (void) symlink("/proc/self/fd/0", "/dev/stdin");
645         (void) symlink("/proc/self/fd/1", "/dev/stdout");
646         (void) symlink("/proc/self/fd/2", "/dev/stderr");
647 
648         return 0;
649 }
650 
651 static char jail_root[] = "/tmp/ujail-XXXXXX";
652 static char tmpovdir[] = "/tmp/ujail-overlay-XXXXXX";
653 static mode_t old_umask;
654 static void enter_jail_fs(void);
655 static int build_jail_fs(void)
656 {
657         char *overlaydir = NULL;
658         int ret;
659 
660         old_umask = umask(0);
661 
662         if (mkdtemp(jail_root) == NULL) {
663                 ERROR("mkdtemp(%s) failed: %m\n", jail_root);
664                 return -1;
665         }
666 
667         if (apply_sysctl(jail_root)) {
668                 ERROR("failed to apply sysctl values\n");
669                 return -1;
670         }
671 
672         /* oldroot can't be MS_SHARED else pivot_root() fails */
673         if (mount("none", "/", "none", MS_REC|MS_PRIVATE, NULL)) {
674                 ERROR("private mount failed %m\n");
675                 return -1;
676         }
677 
678         if (opts.extroot) {
679                 if (mount(opts.extroot, jail_root, "bind", MS_BIND, NULL)) {
680                         ERROR("extroot mount failed %m\n");
681                         return -1;
682                 }
683         } else {
684                 if (mount("tmpfs", jail_root, "tmpfs", MS_NOATIME, "mode=0755")) {
685                         ERROR("tmpfs mount failed %m\n");
686                         return -1;
687                 }
688         }
689 
690         if (opts.tmpoverlaysize) {
691                 char mountoptsstr[] = "mode=0755,size=XXXXXXXX";
692 
693                 snprintf(mountoptsstr, sizeof(mountoptsstr),
694                          "mode=0755,size=%s", opts.tmpoverlaysize);
695                 if (mkdtemp(tmpovdir) == NULL) {
696                         ERROR("mkdtemp(%s) failed: %m\n", jail_root);
697                         return -1;
698                 }
699                 if (mount("tmpfs", tmpovdir, "tmpfs", MS_NOATIME,
700                           mountoptsstr)) {
701                         ERROR("failed to mount tmpfs for overlay (size=%s)\n", opts.tmpoverlaysize);
702                         return -1;
703                 }
704                 overlaydir = tmpovdir;
705         }
706 
707         if (opts.overlaydir)
708                 overlaydir = opts.overlaydir;
709 
710         if (overlaydir) {
711                 ret = mount_overlay(jail_root, overlaydir);
712                 if (ret)
713                         return ret;
714         }
715 
716         if (chdir(jail_root)) {
717                 ERROR("chdir(%s) (jail_root) failed: %m\n", jail_root);
718                 return -1;
719         }
720 
721         if (mount_all(jail_root)) {
722                 ERROR("mount_all() failed\n");
723                 return -1;
724         }
725 
726         if (opts.console)
727                 create_dev_console(jail_root);
728 
729         /* make sure /etc/resolv.conf exists if in new network namespace */
730         if (opts.namespace & CLONE_NEWNET) {
731                 char jailetc[PATH_MAX], jaillink[PATH_MAX];
732 
733                 snprintf(jailetc, PATH_MAX, "%s/etc", jail_root);
734                 mkdir_p(jailetc, 0755);
735                 snprintf(jaillink, PATH_MAX, "%s/etc/resolv.conf", jail_root);
736                 if (overlaydir)
737                         unlink(jaillink);
738 
739                 (void) symlink("../dev/resolv.conf.d/resolv.conf.auto", jaillink);
740         }
741 
742         run_hooks(opts.hooks.createContainer, enter_jail_fs);
743 
744         return 0;
745 }
746 
747 static bool exit_from_child;
748 static void free_and_exit(int ret)
749 {
750         if (!exit_from_child && opts.ocibundle)
751                 cgroups_free();
752 
753         if (!exit_from_child && parent_ctx)
754                 ubus_free(parent_ctx);
755 
756         free_opts(!exit_from_child);
757 
758         exit(ret);
759 }
760 
761 static void post_jail_fs(void);
762 static void enter_jail_fs(void)
763 {
764         char dirbuf[sizeof(jail_root) + 4];
765 
766         snprintf(dirbuf, sizeof(dirbuf), "%s/old", jail_root);
767         mkdir(dirbuf, 0755);
768 
769         if (pivot_root(jail_root, dirbuf) == -1) {
770                 ERROR("pivot_root(%s, %s) failed: %m\n", jail_root, dirbuf);
771                 free_and_exit(-1);
772         }
773         if (chdir("/")) {
774                 ERROR("chdir(/) (after pivot_root) failed: %m\n");
775                 free_and_exit(-1);
776         }
777 
778         snprintf(dirbuf, sizeof(dirbuf), "/old%s", jail_root);
779         umount2(dirbuf, MNT_DETACH);
780         rmdir(dirbuf);
781         if (opts.tmpoverlaysize) {
782                 char tmpdirbuf[sizeof(tmpovdir) + 4];
783                 snprintf(tmpdirbuf, sizeof(tmpdirbuf), "/old%s", tmpovdir);
784                 umount2(tmpdirbuf, MNT_DETACH);
785                 rmdir(tmpdirbuf);
786         }
787 
788         umount2("/old", MNT_DETACH);
789         rmdir("/old");
790 
791         if (create_devices()) {
792                 ERROR("create_devices() failed\n");
793                 free_and_exit(-1);
794         }
795         if (opts.ronly)
796                 mount(NULL, "/", "bind", MS_REMOUNT | MS_BIND | MS_RDONLY, 0);
797 
798         umask(old_umask);
799         post_jail_fs();
800 }
801 
802 static int write_uid_gid_map(pid_t child_pid, bool gidmap, char *mapstr)
803 {
804         int map_file;
805         char map_path[64];
806 
807         if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s",
808                 child_pid, gidmap?"gid_map":"uid_map") < 0)
809                 return -1;
810 
811         if ((map_file = open(map_path, O_WRONLY)) < 0)
812                 return -1;
813 
814         if (dprintf(map_file, "%s", mapstr)) {
815                 close(map_file);
816                 return -1;
817         }
818 
819         close(map_file);
820         return 0;
821 }
822 
823 static int write_single_uid_gid_map(pid_t child_pid, bool gidmap, int id)
824 {
825         int map_file;
826         char map_path[64];
827         const char *map_format = "%d %d %d\n";
828         if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s",
829                 child_pid, gidmap?"gid_map":"uid_map") < 0)
830                 return -1;
831 
832         if ((map_file = open(map_path, O_WRONLY)) < 0)
833                 return -1;
834 
835         if (dprintf(map_file, map_format, 0, id, 1) < 0) {
836                 close(map_file);
837                 return -1;
838         }
839 
840         close(map_file);
841         return 0;
842 }
843 
844 static int write_setgroups(pid_t child_pid, bool allow)
845 {
846         int setgroups_file;
847         char setgroups_path[64];
848 
849         if (snprintf(setgroups_path, sizeof(setgroups_path), "/proc/%d/setgroups",
850                 child_pid) < 0) {
851                 return -1;
852         }
853 
854         if ((setgroups_file = open(setgroups_path, O_WRONLY)) < 0) {
855                 return -1;
856         }
857 
858         if (dprintf(setgroups_file, "%s", allow?"allow":"deny") == -1) {
859                 close(setgroups_file);
860                 return -1;
861         }
862 
863         close(setgroups_file);
864         return 0;
865 }
866 
867 static void get_jail_user(int *user, int *user_gid, int *gr_gid)
868 {
869         struct passwd *p = NULL;
870         struct group *g = NULL;
871 
872         if (opts.user) {
873                 p = getpwnam(opts.user);
874                 if (!p) {
875                         ERROR("failed to get uid/gid for user %s: %d (%s)\n",
876                               opts.user, errno, strerror(errno));
877                         free_and_exit(EXIT_FAILURE);
878                 }
879                 *user = p->pw_uid;
880                 *user_gid = p->pw_gid;
881         } else {
882                 *user = -1;
883                 *user_gid = -1;
884         }
885 
886         if (opts.group) {
887                 g = getgrnam(opts.group);
888                 if (!g) {
889                         ERROR("failed to get gid for group %s: %m\n", opts.group);
890                         free_and_exit(EXIT_FAILURE);
891                 }
892                 *gr_gid = g->gr_gid;
893         } else {
894                 *gr_gid = -1;
895         }
896 };
897 
898 static void set_jail_user(int pw_uid, int user_gid, int gr_gid)
899 {
900         if (opts.user && (user_gid != -1) && initgroups(opts.user, user_gid)) {
901                 ERROR("failed to initgroups() for user %s: %m\n", opts.user);
902                 free_and_exit(EXIT_FAILURE);
903         }
904 
905         if ((gr_gid != -1) && setregid(gr_gid, gr_gid)) {
906                 ERROR("failed to set group id %d: %m\n", gr_gid);
907                 free_and_exit(EXIT_FAILURE);
908         }
909 
910         if ((pw_uid != -1) && setreuid(pw_uid, pw_uid)) {
911                 ERROR("failed to set user id %d: %m\n", pw_uid);
912                 free_and_exit(EXIT_FAILURE);
913         }
914 }
915 
916 static int apply_rlimits(void)
917 {
918         int resource;
919 
920         for (resource = 0; resource < RLIM_NLIMITS; ++resource) {
921                 if (opts.rlimits[resource])
922                         DEBUG("applying limits to resource %u\n", resource);
923 
924                 if (opts.rlimits[resource] &&
925                     setrlimit(resource, opts.rlimits[resource]))
926                         return errno;
927         }
928 
929         return 0;
930 }
931 
932 #define MAX_ENVP        64
933 static char** build_envp(const char *seccomp, char **ocienvp)
934 {
935         static char *envp[MAX_ENVP];
936         static char preload_var[PATH_MAX];
937         static char seccomp_var[PATH_MAX];
938         static char seccomp_debug_var[20];
939         static char debug_var[] = "LD_DEBUG=all";
940         static char container_var[] = "container=ujail";
941         const char *preload_lib = find_lib("libpreload-seccomp.so");
942         char **addenv;
943 
944         int count = 0;
945 
946         if (seccomp && !preload_lib) {
947                 ERROR("failed to add preload-lib to env\n");
948                 return NULL;
949         }
950         if (seccomp) {
951                 snprintf(seccomp_var, sizeof(seccomp_var), "SECCOMP_FILE=%s", seccomp);
952                 envp[count++] = seccomp_var;
953                 snprintf(seccomp_debug_var, sizeof(seccomp_debug_var), "SECCOMP_DEBUG=%2d", debug);
954                 envp[count++] = seccomp_debug_var;
955                 snprintf(preload_var, sizeof(preload_var), "LD_PRELOAD=%s", preload_lib);
956                 envp[count++] = preload_var;
957         }
958 
959         envp[count++] = container_var;
960 
961         if (debug > 1)
962                 envp[count++] = debug_var;
963 
964         addenv = ocienvp;
965         while (addenv && *addenv) {
966                 envp[count++] = *(addenv++);
967                 if (count >= MAX_ENVP) {
968                         ERROR("environment limited to %d extra records, truncating\n", MAX_ENVP);
969                         break;
970                 }
971         }
972         return envp;
973 }
974 
975 static void usage(void)
976 {
977         fprintf(stderr, "ujail <options> -- <binary> <params ...>\n");
978         fprintf(stderr, "  -d <num>\tshow debug log (increase num to increase verbosity)\n");
979         fprintf(stderr, "  -S <file>\tseccomp filter config\n");
980         fprintf(stderr, "  -C <file>\tcapabilities drop config\n");
981         fprintf(stderr, "  -c\t\tset PR_SET_NO_NEW_PRIVS\n");
982         fprintf(stderr, "  -n <name>\tthe name of the jail\n");
983         fprintf(stderr, "namespace jail options:\n");
984         fprintf(stderr, "  -h <hostname>\tchange the hostname of the jail\n");
985         fprintf(stderr, "  -N\t\tjail has network namespace\n");
986         fprintf(stderr, "  -f\t\tjail has user namespace\n");
987         fprintf(stderr, "  -F\t\tjail has cgroups namespace\n");
988         fprintf(stderr, "  -r <file>\treadonly files that should be staged\n");
989         fprintf(stderr, "  -w <file>\twriteable files that should be staged\n");
990         fprintf(stderr, "  -p\t\tjail has /proc\n");
991         fprintf(stderr, "  -s\t\tjail has /sys\n");
992         fprintf(stderr, "  -l\t\tjail has /dev/log\n");
993         fprintf(stderr, "  -u\t\tjail has a ubus socket\n");
994         fprintf(stderr, "  -U <name>\tuser to run jailed process\n");
995         fprintf(stderr, "  -G <name>\tgroup to run jailed process\n");
996         fprintf(stderr, "  -o\t\tremont jail root (/) read only\n");
997         fprintf(stderr, "  -R <dir>\texternal jail rootfs (system container)\n");
998         fprintf(stderr, "  -O <dir>\tdirectory for r/w overlayfs\n");
999         fprintf(stderr, "  -T <size>\tuse tmpfs r/w overlayfs with <size>\n");
1000         fprintf(stderr, "  -E\t\tfail if jail cannot be setup\n");
1001         fprintf(stderr, "  -y\t\tprovide jail console\n");
1002         fprintf(stderr, "  -J <dir>\tcreate container from OCI bundle\n");
1003         fprintf(stderr, "  -i\t\tstart container immediately\n");
1004         fprintf(stderr, "  -P <pidfile>\tcreate <pidfile>\n");
1005         fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\
1006 and he has the same powers as root outside the jail,\n\
1007 thus he can escape the jail and/or break stuff.\n\
1008 Please use seccomp/capabilities (-S/-C) to restrict his powers\n\n\
1009 If you use none of the namespace jail options,\n\
1010 ujail will not use namespace/build a jail,\n\
1011 and will only drop capabilities/apply seccomp filter.\n\n");
1012 }
1013 
1014 static int* get_namespace_fd(const unsigned int nstype)
1015 {
1016         switch (nstype) {
1017                 case CLONE_NEWPID:
1018                         return &opts.setns.pid;
1019                 case CLONE_NEWNET:
1020                         return &opts.setns.net;
1021                 case CLONE_NEWNS:
1022                         return &opts.setns.ns;
1023                 case CLONE_NEWIPC:
1024                         return &opts.setns.ipc;
1025                 case CLONE_NEWUTS:
1026                         return &opts.setns.uts;
1027                 case CLONE_NEWUSER:
1028                         return &opts.setns.user;
1029                 case CLONE_NEWCGROUP:
1030                         return &opts.setns.cgroup;
1031 #ifdef CLONE_NEWTIME
1032                 case CLONE_NEWTIME:
1033                         return &opts.setns.time;
1034 #endif
1035                 default:
1036                         return NULL;
1037         }
1038 }
1039 
1040 static int setns_open(unsigned long nstype)
1041 {
1042         int *fd = get_namespace_fd(nstype);
1043 
1044         assert(fd != NULL);
1045 
1046         if (*fd < 0)
1047                 return 0;
1048 
1049         if (setns(*fd, nstype) == -1) {
1050                 close(*fd);
1051                 return errno;
1052         }
1053 
1054         close(*fd);
1055         return 0;
1056 }
1057 
1058 static int jail_running = 0;
1059 static int jail_return_code = 0;
1060 
1061 static void jail_process_timeout_cb(struct uloop_timeout *t);
1062 static struct uloop_timeout jail_process_timeout = {
1063         .cb = jail_process_timeout_cb,
1064 };
1065 static void poststop(void);
1066 static void jail_process_handler(struct uloop_process *c, int ret)
1067 {
1068         uloop_timeout_cancel(&jail_process_timeout);
1069         if (WIFEXITED(ret)) {
1070                 jail_return_code = WEXITSTATUS(ret);
1071                 INFO("jail (%d) exited with exit: %d\n", c->pid, jail_return_code);
1072         } else {
1073                 jail_return_code = WTERMSIG(ret);
1074                 INFO("jail (%d) exited with signal: %d\n", c->pid, jail_return_code);
1075         }
1076         jail_running = 0;
1077         poststop();
1078 }
1079 
1080 static struct uloop_process jail_process = {
1081         .cb = jail_process_handler,
1082 };
1083 
1084 static void jail_process_timeout_cb(struct uloop_timeout *t)
1085 {
1086         DEBUG("jail process failed to stop, sending SIGKILL\n");
1087         kill(jail_process.pid, SIGKILL);
1088 }
1089 
1090 static void jail_handle_signal(int signo)
1091 {
1092         if (hook_running) {
1093                 DEBUG("forwarding signal %d to the hook process\n", signo);
1094                 kill(hook_process.pid, signo);
1095         }
1096 
1097         if (jail_running) {
1098                 DEBUG("forwarding signal %d to the jailed process\n", signo);
1099                 kill(jail_process.pid, signo);
1100         }
1101 }
1102 
1103 static void signals_init(void)
1104 {
1105         int i;
1106         sigset_t sigmask;
1107 
1108         sigfillset(&sigmask);
1109         for (i = 0; i < _NSIG; i++) {
1110                 struct sigaction s = { 0 };
1111 
1112                 if (!sigismember(&sigmask, i))
1113                         continue;
1114                 if ((i == SIGCHLD) || (i == SIGPIPE) || (i == SIGSEGV))
1115                         continue;
1116 
1117                 s.sa_handler = jail_handle_signal;
1118                 sigaction(i, &s, NULL);
1119         }
1120 }
1121 
1122 static void pre_exec_jail(struct uloop_timeout *t);
1123 static struct uloop_timeout pre_exec_timeout = {
1124         .cb = pre_exec_jail,
1125 };
1126 
1127 int pipes[4];
1128 static int exec_jail(void *arg)
1129 {
1130         char buf[1];
1131 
1132         exit_from_child = true;
1133         prctl(PR_SET_SECUREBITS, 0);
1134 
1135         uloop_init();
1136         signals_init();
1137 
1138         close(pipes[0]);
1139         close(pipes[3]);
1140 
1141         setns_open(CLONE_NEWUSER);
1142         setns_open(CLONE_NEWNET);
1143         setns_open(CLONE_NEWNS);
1144         setns_open(CLONE_NEWIPC);
1145         setns_open(CLONE_NEWUTS);
1146 
1147         buf[0] = 'i';
1148         if (write(pipes[1], buf, 1) < 1) {
1149                 ERROR("can't write to parent\n");
1150                 return EXIT_FAILURE;
1151         }
1152         close(pipes[1]);
1153         if (read(pipes[2], buf, 1) < 1) {
1154                 ERROR("can't read from parent\n");
1155                 return EXIT_FAILURE;
1156         }
1157         if (buf[0] != 'O') {
1158                 ERROR("parent had an error, child exiting\n");
1159                 return EXIT_FAILURE;
1160         }
1161 
1162         if (opts.namespace & CLONE_NEWCGROUP)
1163                 unshare(CLONE_NEWCGROUP);
1164 
1165         setns_open(CLONE_NEWCGROUP);
1166 
1167         if ((opts.namespace & CLONE_NEWUSER) || (opts.setns.user != -1)) {
1168                 if (setregid(0, 0) < 0) {
1169                         ERROR("setgid\n");
1170                         free_and_exit(EXIT_FAILURE);
1171                 }
1172                 if (setreuid(0, 0) < 0) {
1173                         ERROR("setuid\n");
1174                         free_and_exit(EXIT_FAILURE);
1175                 }
1176                 if (setgroups(0, NULL) < 0) {
1177                         ERROR("setgroups\n");
1178                         free_and_exit(EXIT_FAILURE);
1179                 }
1180         }
1181 
1182         if (opts.namespace && opts.hostname && strlen(opts.hostname) > 0
1183                         && sethostname(opts.hostname, strlen(opts.hostname))) {
1184                 ERROR("sethostname(%s) failed: %m\n", opts.hostname);
1185                 free_and_exit(EXIT_FAILURE);
1186         }
1187 
1188         uloop_timeout_add(&pre_exec_timeout);
1189         uloop_run();
1190 
1191         free_and_exit(-1);
1192         return -1;
1193 }
1194 
1195 static void pre_exec_jail(struct uloop_timeout *t)
1196 {
1197         if ((opts.namespace & CLONE_NEWNS) && build_jail_fs()) {
1198                 ERROR("failed to build jail fs\n");
1199                 free_and_exit(EXIT_FAILURE);
1200         } else {
1201                 run_hooks(opts.hooks.createContainer, post_jail_fs);
1202         }
1203 }
1204 
1205 static void post_start_hook(void);
1206 static void post_jail_fs(void)
1207 {
1208         char buf[1];
1209 
1210         if (read(pipes[2], buf, 1) < 1) {
1211                 ERROR("can't read from parent\n");
1212                 free_and_exit(EXIT_FAILURE);
1213         }
1214         if (buf[0] != '!') {
1215                 ERROR("parent had an error, child exiting\n");
1216                 free_and_exit(EXIT_FAILURE);
1217         }
1218         close(pipes[2]);
1219 
1220         run_hooks(opts.hooks.startContainer, post_start_hook);
1221 }
1222 
1223 static void post_start_hook(void)
1224 {
1225         int pw_uid, pw_gid, gr_gid;
1226 
1227         /*
1228          * make sure setuid/setgid won't drop capabilities in case capabilities
1229          * have been specified explicitely.
1230          */
1231         if (opts.capset.apply) {
1232                 if (prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP)) {
1233                         ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n");
1234                         free_and_exit(EXIT_FAILURE);
1235                 }
1236         }
1237 
1238         /* drop capabilities, retain those still needed to further setup jail */
1239         if (applyOCIcapabilities(opts.capset, (1LLU << CAP_SETGID) | (1LLU << CAP_SETUID) | (1LLU << CAP_SETPCAP)))
1240                 free_and_exit(EXIT_FAILURE);
1241 
1242         /* use either cmdline-supplied user/group or uid/gid from OCI spec */
1243         get_jail_user(&pw_uid, &pw_gid, &gr_gid);
1244         set_jail_user(opts.pw_uid?:pw_uid, opts.pw_gid?:pw_gid, opts.gr_gid?:gr_gid);
1245 
1246         if (opts.additional_gids &&
1247             (setgroups(opts.num_additional_gids, opts.additional_gids) < 0)) {
1248                 ERROR("setgroups failed: %m\n");
1249                 free_and_exit(EXIT_FAILURE);
1250         }
1251 
1252         if (opts.set_umask)
1253                 umask(opts.umask);
1254 
1255         /* restore securebits back to normal (and lock them if not in userns) */
1256         if (opts.capset.apply) {
1257                 if (prctl(PR_SET_SECUREBITS, (opts.namespace & CLONE_NEWUSER)?0:
1258                     SECBIT_KEEP_CAPS_LOCKED|SECBIT_NO_SETUID_FIXUP_LOCKED|SECBIT_NOROOT_LOCKED)) {
1259                         ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n");
1260                         free_and_exit(EXIT_FAILURE);
1261                 }
1262         }
1263 
1264         /* drop remaining capabilities to end up with specified sets */
1265         if (applyOCIcapabilities(opts.capset, 0))
1266                 free_and_exit(EXIT_FAILURE);
1267 
1268         if (opts.no_new_privs && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1269                 ERROR("prctl(PR_SET_NO_NEW_PRIVS) failed: %m\n");
1270                 free_and_exit(EXIT_FAILURE);
1271         }
1272 
1273         char **envp = build_envp(opts.seccomp, opts.envp);
1274         if (!envp)
1275                 free_and_exit(EXIT_FAILURE);
1276 
1277         if (opts.cwd && chdir(opts.cwd))
1278                 free_and_exit(EXIT_FAILURE);
1279 
1280         if (opts.ociseccomp && applyOCIlinuxseccomp(opts.ociseccomp))
1281                 free_and_exit(EXIT_FAILURE);
1282 
1283         uloop_end();
1284         free_opts(false);
1285         INFO("exec-ing %s\n", *opts.jail_argv);
1286         if (opts.envp) /* respect PATH if potentially set in ENV */
1287                 execvpe(*opts.jail_argv, opts.jail_argv, envp);
1288         else
1289                 execve(*opts.jail_argv, opts.jail_argv, envp);
1290 
1291         /* we get there only if execve fails */
1292         ERROR("failed to execve %s: %m\n", *opts.jail_argv);
1293         exit(EXIT_FAILURE);
1294 }
1295 
1296 static int ns_open_pid(const char *nstype, const pid_t target_ns)
1297 {
1298         char pid_pid_path[PATH_MAX];
1299 
1300         snprintf(pid_pid_path, sizeof(pid_pid_path), "/proc/%u/ns/%s", target_ns, nstype);
1301 
1302         return open(pid_pid_path, O_RDONLY);
1303 }
1304 
1305 static void netns_updown(pid_t pid, bool start)
1306 {
1307         static struct blob_buf req;
1308         uint32_t id;
1309 
1310         if (!parent_ctx)
1311                 return;
1312 
1313         blob_buf_init(&req, 0);
1314         blobmsg_add_string(&req, "jail", opts.name);
1315         blobmsg_add_u32(&req, "pid", pid);
1316         blobmsg_add_u8(&req, "start", start);
1317 
1318         if (ubus_lookup_id(parent_ctx, "network", &id) ||
1319             ubus_invoke(parent_ctx, id, "netns_updown", req.head, NULL, NULL, 3000))
1320                 INFO("ubus request failed\n");
1321 
1322         blob_buf_free(&req);
1323 }
1324 
1325 static int parseOCIenvarray(struct blob_attr *msg, char ***envp)
1326 {
1327         struct blob_attr *cur;
1328         int sz = 0, rem;
1329 
1330         blobmsg_for_each_attr(cur, msg, rem)
1331                 ++sz;
1332 
1333         if (sz > 0) {
1334                 *envp = calloc(1 + sz, sizeof(char*));
1335                 if (!(*envp))
1336                         return ENOMEM;
1337         } else {
1338                 *envp = NULL;
1339                 return 0;
1340         }
1341 
1342         sz = 0;
1343         blobmsg_for_each_attr(cur, msg, rem)
1344                 (*envp)[sz++] = strdup(blobmsg_get_string(cur));
1345 
1346         if (sz)
1347                 (*envp)[sz] = NULL;
1348 
1349         return 0;
1350 }
1351 
1352 enum {
1353         OCI_ROOT_PATH,
1354         OCI_ROOT_READONLY,
1355         __OCI_ROOT_MAX,
1356 };
1357 
1358 static const struct blobmsg_policy oci_root_policy[] = {
1359         [OCI_ROOT_PATH] = { "path", BLOBMSG_TYPE_STRING },
1360         [OCI_ROOT_READONLY] = { "readonly", BLOBMSG_TYPE_BOOL },
1361 };
1362 
1363 static int parseOCIroot(const char *jsonfile, struct blob_attr *msg)
1364 {
1365         char extroot[PATH_MAX] = { 0 };
1366         struct blob_attr *tb[__OCI_ROOT_MAX];
1367         char *cur;
1368         char *root_path;
1369 
1370         blobmsg_parse(oci_root_policy, __OCI_ROOT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1371 
1372         if (!tb[OCI_ROOT_PATH])
1373                 return ENODATA;
1374 
1375         root_path = blobmsg_get_string(tb[OCI_ROOT_PATH]);
1376 
1377         /* prepend bundle directory in case of relative paths */
1378         if (root_path[0] != '/') {
1379                 strncpy(extroot, jsonfile, PATH_MAX - 1);
1380 
1381                 cur = strrchr(extroot, '/');
1382 
1383                 if (!cur)
1384                         return ENOTDIR;
1385 
1386                 *(++cur) = '\0';
1387         }
1388 
1389         strncat(extroot, root_path, PATH_MAX - (strlen(extroot) + 1));
1390 
1391         /* follow symbolic link(s) */
1392         opts.extroot = realpath(extroot, NULL);
1393         if (!opts.extroot)
1394                 return errno;
1395 
1396         if (tb[OCI_ROOT_READONLY])
1397                 opts.ronly = blobmsg_get_bool(tb[OCI_ROOT_READONLY]);
1398 
1399         return 0;
1400 }
1401 
1402 
1403 enum {
1404         OCI_HOOK_PATH,
1405         OCI_HOOK_ARGS,
1406         OCI_HOOK_ENV,
1407         OCI_HOOK_TIMEOUT,
1408         __OCI_HOOK_MAX,
1409 };
1410 
1411 static const struct blobmsg_policy oci_hook_policy[] = {
1412         [OCI_HOOK_PATH] = { "path", BLOBMSG_TYPE_STRING },
1413         [OCI_HOOK_ARGS] = { "args", BLOBMSG_TYPE_ARRAY },
1414         [OCI_HOOK_ENV] = { "env", BLOBMSG_TYPE_ARRAY },
1415         [OCI_HOOK_TIMEOUT] = { "timeout", BLOBMSG_TYPE_INT32 },
1416 };
1417 
1418 
1419 static int parseOCIhook(struct hook_execvpe ***hooklist, struct blob_attr *msg)
1420 {
1421         struct blob_attr *tb[__OCI_HOOK_MAX];
1422         struct blob_attr *cur;
1423         int rem, ret = 0;
1424         int idx = 0;
1425 
1426         blobmsg_for_each_attr(cur, msg, rem)
1427                 ++idx;
1428 
1429         if (!idx)
1430                 return 0;
1431 
1432         *hooklist = calloc(idx + 1, sizeof(struct hook_execvpe *));
1433         idx = 0;
1434 
1435         if (!(*hooklist))
1436                 return ENOMEM;
1437 
1438         blobmsg_for_each_attr(cur, msg, rem) {
1439                 blobmsg_parse(oci_hook_policy, __OCI_HOOK_MAX, tb, blobmsg_data(cur), blobmsg_len(cur));
1440 
1441                 if (!tb[OCI_HOOK_PATH]) {
1442                         ret = EINVAL;
1443                         goto errout;
1444                 }
1445 
1446                 (*hooklist)[idx] = calloc(1, sizeof(struct hook_execvpe));
1447                 if (tb[OCI_HOOK_ARGS]) {
1448                         ret = parseOCIenvarray(tb[OCI_HOOK_ARGS], &((*hooklist)[idx]->argv));
1449                         if (ret)
1450                                 goto errout;
1451                 } else {
1452                         (*hooklist)[idx]->argv = calloc(2, sizeof(char *));
1453                         ((*hooklist)[idx]->argv)[0] = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH]));
1454                         ((*hooklist)[idx]->argv)[1] = NULL;
1455                 };
1456 
1457 
1458                 if (tb[OCI_HOOK_ENV]) {
1459                         ret = parseOCIenvarray(tb[OCI_HOOK_ENV], &((*hooklist)[idx]->envp));
1460                         if (ret)
1461                                 goto errout;
1462                 }
1463 
1464                 if (tb[OCI_HOOK_TIMEOUT])
1465                         (*hooklist)[idx]->timeout = blobmsg_get_u32(tb[OCI_HOOK_TIMEOUT]);
1466 
1467                 (*hooklist)[idx]->file = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH]));
1468 
1469                 ++idx;
1470         }
1471 
1472         (*hooklist)[idx] = NULL;
1473 
1474         DEBUG("added %d hooks\n", idx);
1475 
1476         return 0;
1477 
1478 errout:
1479         free_hooklist(*hooklist);
1480         *hooklist = NULL;
1481 
1482         return ret;
1483 };
1484 
1485 
1486 enum {
1487         OCI_HOOKS_PRESTART,
1488         OCI_HOOKS_CREATERUNTIME,
1489         OCI_HOOKS_CREATECONTAINER,
1490         OCI_HOOKS_STARTCONTAINER,
1491         OCI_HOOKS_POSTSTART,
1492         OCI_HOOKS_POSTSTOP,
1493         __OCI_HOOKS_MAX,
1494 };
1495 
1496 static const struct blobmsg_policy oci_hooks_policy[] = {
1497         [OCI_HOOKS_PRESTART] = { "prestart", BLOBMSG_TYPE_ARRAY },
1498         [OCI_HOOKS_CREATERUNTIME] = { "createRuntime", BLOBMSG_TYPE_ARRAY },
1499         [OCI_HOOKS_CREATECONTAINER] = { "createContainer", BLOBMSG_TYPE_ARRAY },
1500         [OCI_HOOKS_STARTCONTAINER] = { "startContainer", BLOBMSG_TYPE_ARRAY },
1501         [OCI_HOOKS_POSTSTART] = { "poststart", BLOBMSG_TYPE_ARRAY },
1502         [OCI_HOOKS_POSTSTOP] = { "poststop", BLOBMSG_TYPE_ARRAY },
1503 };
1504 
1505 static int parseOCIhooks(struct blob_attr *msg)
1506 {
1507         struct blob_attr *tb[__OCI_HOOKS_MAX];
1508         int ret;
1509 
1510         blobmsg_parse(oci_hooks_policy, __OCI_HOOKS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1511 
1512         if (tb[OCI_HOOKS_PRESTART])
1513                 INFO("warning: ignoring deprecated prestart hook\n");
1514 
1515         if (tb[OCI_HOOKS_CREATERUNTIME]) {
1516                 ret = parseOCIhook(&opts.hooks.createRuntime, tb[OCI_HOOKS_CREATERUNTIME]);
1517                 if (ret)
1518                         return ret;
1519         }
1520 
1521         if (tb[OCI_HOOKS_CREATECONTAINER]) {
1522                 ret = parseOCIhook(&opts.hooks.createContainer, tb[OCI_HOOKS_CREATECONTAINER]);
1523                 if (ret)
1524                         goto out_createruntime;
1525         }
1526 
1527         if (tb[OCI_HOOKS_STARTCONTAINER]) {
1528                 ret = parseOCIhook(&opts.hooks.startContainer, tb[OCI_HOOKS_STARTCONTAINER]);
1529                 if (ret)
1530                         goto out_createcontainer;
1531         }
1532 
1533         if (tb[OCI_HOOKS_POSTSTART]) {
1534                 ret = parseOCIhook(&opts.hooks.poststart, tb[OCI_HOOKS_POSTSTART]);
1535                 if (ret)
1536                         goto out_startcontainer;
1537         }
1538 
1539         if (tb[OCI_HOOKS_POSTSTOP]) {
1540                 ret = parseOCIhook(&opts.hooks.poststop, tb[OCI_HOOKS_POSTSTOP]);
1541                 if (ret)
1542                         goto out_poststart;
1543         }
1544 
1545         return 0;
1546 
1547 out_poststart:
1548         free_hooklist(opts.hooks.poststart);
1549 out_startcontainer:
1550         free_hooklist(opts.hooks.startContainer);
1551 out_createcontainer:
1552         free_hooklist(opts.hooks.createContainer);
1553 out_createruntime:
1554         free_hooklist(opts.hooks.createRuntime);
1555 
1556         return ret;
1557 };
1558 
1559 
1560 enum {
1561         OCI_PROCESS_USER_UID,
1562         OCI_PROCESS_USER_GID,
1563         OCI_PROCESS_USER_UMASK,
1564         OCI_PROCESS_USER_ADDITIONALGIDS,
1565         __OCI_PROCESS_USER_MAX,
1566 };
1567 
1568 static const struct blobmsg_policy oci_process_user_policy[] = {
1569         [OCI_PROCESS_USER_UID] = { "uid", BLOBMSG_TYPE_INT32 },
1570         [OCI_PROCESS_USER_GID] = { "gid", BLOBMSG_TYPE_INT32 },
1571         [OCI_PROCESS_USER_UMASK] = { "umask", BLOBMSG_TYPE_INT32 },
1572         [OCI_PROCESS_USER_ADDITIONALGIDS] = { "additionalGids", BLOBMSG_TYPE_ARRAY },
1573 };
1574 
1575 static int parseOCIprocessuser(struct blob_attr *msg) {
1576         struct blob_attr *tb[__OCI_PROCESS_USER_MAX];
1577         struct blob_attr *cur;
1578         int rem;
1579         int has_gid = 0;
1580 
1581         blobmsg_parse(oci_process_user_policy, __OCI_PROCESS_USER_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1582 
1583         if (tb[OCI_PROCESS_USER_UID])
1584                 opts.pw_uid = blobmsg_get_u32(tb[OCI_PROCESS_USER_UID]);
1585 
1586         if (tb[OCI_PROCESS_USER_GID]) {
1587                 opts.pw_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]);
1588                 opts.gr_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]);
1589                 has_gid = 1;
1590         }
1591 
1592         if (tb[OCI_PROCESS_USER_ADDITIONALGIDS]) {
1593                 size_t gidcnt = 0;
1594 
1595                 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) {
1596                         ++gidcnt;
1597                         if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid))
1598                                 continue;
1599                 }
1600 
1601                 if (gidcnt) {
1602                         opts.additional_gids = calloc(gidcnt + has_gid, sizeof(gid_t));
1603                         gidcnt = 0;
1604 
1605                         /* always add primary GID to set of GIDs if set */
1606                         if (has_gid)
1607                                 opts.additional_gids[gidcnt++] = opts.gr_gid;
1608 
1609                         blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) {
1610                                 if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid))
1611                                         continue;
1612                                 opts.additional_gids[gidcnt++] = blobmsg_get_u32(cur);
1613                         }
1614                         opts.num_additional_gids = gidcnt;
1615                 }
1616                 DEBUG("read %zu additional groups\n", gidcnt);
1617         }
1618 
1619         if (tb[OCI_PROCESS_USER_UMASK]) {
1620                 opts.umask = blobmsg_get_u32(tb[OCI_PROCESS_USER_UMASK]);
1621                 opts.set_umask = true;
1622         }
1623 
1624         return 0;
1625 }
1626 
1627 enum {
1628         OCI_PROCESS_RLIMIT_TYPE,
1629         OCI_PROCESS_RLIMIT_SOFT,
1630         OCI_PROCESS_RLIMIT_HARD,
1631         __OCI_PROCESS_RLIMIT_MAX,
1632 };
1633 
1634 static const struct blobmsg_policy oci_process_rlimit_policy[] = {
1635         [OCI_PROCESS_RLIMIT_TYPE] = { "type", BLOBMSG_TYPE_STRING },
1636         [OCI_PROCESS_RLIMIT_SOFT] = { "soft", BLOBMSG_CAST_INT64 },
1637         [OCI_PROCESS_RLIMIT_HARD] = { "hard", BLOBMSG_CAST_INT64 },
1638 };
1639 
1640 /* from manpage GETRLIMIT(2) */
1641 static const char* const rlimit_names[RLIM_NLIMITS] = {
1642         [RLIMIT_AS] = "AS",
1643         [RLIMIT_CORE] = "CORE",
1644         [RLIMIT_CPU] = "CPU",
1645         [RLIMIT_DATA] = "DATA",
1646         [RLIMIT_FSIZE] = "FSIZE",
1647         [RLIMIT_LOCKS] = "LOCKS",
1648         [RLIMIT_MEMLOCK] = "MEMLOCK",
1649         [RLIMIT_MSGQUEUE] = "MSGQUEUE",
1650         [RLIMIT_NICE] = "NICE",
1651         [RLIMIT_NOFILE] = "NOFILE",
1652         [RLIMIT_NPROC] = "NPROC",
1653         [RLIMIT_RSS] = "RSS",
1654         [RLIMIT_RTPRIO] = "RTPRIO",
1655         [RLIMIT_RTTIME] = "RTTIME",
1656         [RLIMIT_SIGPENDING] = "SIGPENDING",
1657         [RLIMIT_STACK] = "STACK",
1658 };
1659 
1660 static int resolve_rlimit(char *type) {
1661         unsigned int rltype;
1662 
1663         for (rltype = 0; rltype < RLIM_NLIMITS; ++rltype)
1664                 if (rlimit_names[rltype] &&
1665                     !strncmp("RLIMIT_", type, 7) &&
1666                     !strcmp(rlimit_names[rltype], type + 7))
1667                         return rltype;
1668 
1669         return -1;
1670 }
1671 
1672 
1673 static int parseOCIrlimit(struct blob_attr *msg)
1674 {
1675         struct blob_attr *tb[__OCI_PROCESS_RLIMIT_MAX];
1676         int limtype = -1;
1677         struct rlimit *curlim;
1678 
1679         blobmsg_parse(oci_process_rlimit_policy, __OCI_PROCESS_RLIMIT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1680 
1681         if (!tb[OCI_PROCESS_RLIMIT_TYPE] ||
1682             !tb[OCI_PROCESS_RLIMIT_SOFT] ||
1683             !tb[OCI_PROCESS_RLIMIT_HARD])
1684                 return ENODATA;
1685 
1686         limtype = resolve_rlimit(blobmsg_get_string(tb[OCI_PROCESS_RLIMIT_TYPE]));
1687 
1688         if (limtype < 0)
1689                 return EINVAL;
1690 
1691         if (opts.rlimits[limtype])
1692                 return ENOTUNIQ;
1693 
1694         curlim = malloc(sizeof(struct rlimit));
1695         curlim->rlim_cur = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_SOFT]);
1696         curlim->rlim_max = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_HARD]);
1697 
1698         opts.rlimits[limtype] = curlim;
1699 
1700         return 0;
1701 };
1702 
1703 enum {
1704         OCI_PROCESS_ARGS,
1705         OCI_PROCESS_CAPABILITIES,
1706         OCI_PROCESS_CWD,
1707         OCI_PROCESS_ENV,
1708         OCI_PROCESS_OOMSCOREADJ,
1709         OCI_PROCESS_NONEWPRIVILEGES,
1710         OCI_PROCESS_RLIMITS,
1711         OCI_PROCESS_TERMINAL,
1712         OCI_PROCESS_USER,
1713         __OCI_PROCESS_MAX,
1714 };
1715 
1716 static const struct blobmsg_policy oci_process_policy[] = {
1717         [OCI_PROCESS_ARGS] = { "args", BLOBMSG_TYPE_ARRAY },
1718         [OCI_PROCESS_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_TABLE },
1719         [OCI_PROCESS_CWD] = { "cwd", BLOBMSG_TYPE_STRING },
1720         [OCI_PROCESS_ENV] = { "env", BLOBMSG_TYPE_ARRAY },
1721         [OCI_PROCESS_OOMSCOREADJ] = { "oomScoreAdj", BLOBMSG_TYPE_INT32 },
1722         [OCI_PROCESS_NONEWPRIVILEGES] = { "noNewPrivileges", BLOBMSG_TYPE_BOOL },
1723         [OCI_PROCESS_RLIMITS] = { "rlimits", BLOBMSG_TYPE_ARRAY },
1724         [OCI_PROCESS_TERMINAL] = { "terminal", BLOBMSG_TYPE_BOOL },
1725         [OCI_PROCESS_USER] = { "user", BLOBMSG_TYPE_TABLE },
1726 };
1727 
1728 
1729 static int parseOCIprocess(struct blob_attr *msg)
1730 {
1731         struct blob_attr *tb[__OCI_PROCESS_MAX], *cur;
1732         int rem, res;
1733 
1734         blobmsg_parse(oci_process_policy, __OCI_PROCESS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1735 
1736         if (!tb[OCI_PROCESS_ARGS])
1737                 return ENOENT;
1738 
1739         res = parseOCIenvarray(tb[OCI_PROCESS_ARGS], &opts.jail_argv);
1740         if (res)
1741                 return res;
1742 
1743         if (tb[OCI_PROCESS_TERMINAL])
1744                 opts.console = blobmsg_get_bool(tb[OCI_PROCESS_TERMINAL]);
1745 
1746         if (tb[OCI_PROCESS_NONEWPRIVILEGES])
1747                 opts.no_new_privs = blobmsg_get_bool(tb[OCI_PROCESS_NONEWPRIVILEGES]);
1748 
1749         if (tb[OCI_PROCESS_CWD])
1750                 opts.cwd = strdup(blobmsg_get_string(tb[OCI_PROCESS_CWD]));
1751 
1752         if (tb[OCI_PROCESS_ENV]) {
1753                 res = parseOCIenvarray(tb[OCI_PROCESS_ENV], &opts.envp);
1754                 if (res)
1755                         return res;
1756         }
1757 
1758         if (tb[OCI_PROCESS_USER] && (res = parseOCIprocessuser(tb[OCI_PROCESS_USER])))
1759                 return res;
1760 
1761         if (tb[OCI_PROCESS_CAPABILITIES] &&
1762             (res = parseOCIcapabilities(&opts.capset, tb[OCI_PROCESS_CAPABILITIES])))
1763                 return res;
1764 
1765         if (tb[OCI_PROCESS_RLIMITS]) {
1766                 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_RLIMITS], rem) {
1767                         res = parseOCIrlimit(cur);
1768                         if (res)
1769                                 return res;
1770                 }
1771         }
1772 
1773         if (tb[OCI_PROCESS_OOMSCOREADJ]) {
1774                 opts.oom_score_adj = blobmsg_get_u32(tb[OCI_PROCESS_OOMSCOREADJ]);
1775                 opts.set_oom_score_adj = true;
1776         }
1777 
1778         return 0;
1779 }
1780 
1781 enum {
1782         OCI_LINUX_NAMESPACE_TYPE,
1783         OCI_LINUX_NAMESPACE_PATH,
1784         __OCI_LINUX_NAMESPACE_MAX,
1785 };
1786 
1787 static const struct blobmsg_policy oci_linux_namespace_policy[] = {
1788         [OCI_LINUX_NAMESPACE_TYPE] = { "type", BLOBMSG_TYPE_STRING },
1789         [OCI_LINUX_NAMESPACE_PATH] = { "path", BLOBMSG_TYPE_STRING },
1790 };
1791 
1792 static int resolve_nstype(char *type) {
1793         if (!strcmp("pid", type))
1794                 return CLONE_NEWPID;
1795         else if (!strcmp("network", type))
1796                 return CLONE_NEWNET;
1797         else if (!strcmp("net", type))
1798                 return CLONE_NEWNET;
1799         else if (!strcmp("mount", type))
1800                 return CLONE_NEWNS;
1801         else if (!strcmp("ipc", type))
1802                 return CLONE_NEWIPC;
1803         else if (!strcmp("uts", type))
1804                 return CLONE_NEWUTS;
1805         else if (!strcmp("user", type))
1806                 return CLONE_NEWUSER;
1807         else if (!strcmp("cgroup", type))
1808                 return CLONE_NEWCGROUP;
1809 #ifdef CLONE_NEWTIME
1810         else if (!strcmp("time", type))
1811                 return CLONE_NEWTIME;
1812 #endif
1813         else
1814                 return 0;
1815 }
1816 
1817 static int parseOCIlinuxns(struct blob_attr *msg)
1818 {
1819         struct blob_attr *tb[__OCI_LINUX_NAMESPACE_MAX];
1820         int nstype;
1821         int *setns;
1822         int fd;
1823 
1824         blobmsg_parse(oci_linux_namespace_policy, __OCI_LINUX_NAMESPACE_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1825 
1826         if (!tb[OCI_LINUX_NAMESPACE_TYPE])
1827                 return EINVAL;
1828 
1829         nstype = resolve_nstype(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]));
1830         if (!nstype)
1831                 return EINVAL;
1832 
1833         if (opts.namespace & nstype)
1834                 return ENOTUNIQ;
1835 
1836         setns = get_namespace_fd(nstype);
1837 
1838         if (!setns)
1839                 return EFAULT;
1840 
1841         if (*setns != -1)
1842                 return ENOTUNIQ;
1843 
1844         if (tb[OCI_LINUX_NAMESPACE_PATH]) {
1845                 DEBUG("opening existing %s namespace from path %s\n",
1846                         blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]),
1847                         blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH]));
1848 
1849                 fd = open(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH]), O_RDONLY);
1850                 if (fd < 0)
1851                         return errno?:ESTALE;
1852 
1853                 if (ioctl(fd, NS_GET_NSTYPE) != nstype) {
1854                         close(fd);
1855                         return EINVAL;
1856                 }
1857 
1858                 DEBUG("opened existing %s namespace got filehandler %u\n",
1859                         blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]),
1860                         fd);
1861 
1862                 *setns = fd;
1863         } else {
1864                 opts.namespace |= nstype;
1865         }
1866 
1867         return 0;
1868 }
1869 
1870 /*
1871  * join namespace of existing PID
1872  * The string argument is the reference PID followed by ':' and a
1873  * ',' separated list of namespaces to to join.
1874  */
1875 static int jail_join_ns(char *arg)
1876 {
1877         pid_t pid;
1878         int fd;
1879         int nstype;
1880         char *tmp, *etmp, *nspath;
1881         int *setns;
1882 
1883         tmp = strchr(arg, ':');
1884         if (!tmp)
1885                 return EINVAL;
1886 
1887         *tmp = '\0';
1888         pid = atoi(arg);
1889 
1890         do {
1891                 ++tmp;
1892                 etmp = strchr(tmp, ',');
1893                 if (etmp)
1894                         *etmp = '\0';
1895 
1896                 nstype = resolve_nstype(tmp);
1897                 if (!nstype)
1898                         return EINVAL;
1899 
1900                 if (opts.namespace & nstype)
1901                         return ENOTUNIQ;
1902 
1903                 setns = get_namespace_fd(nstype);
1904 
1905                 if (!setns)
1906                         return EFAULT;
1907 
1908                 if (*setns != -1)
1909                         return ENOTUNIQ;
1910 
1911                 if (asprintf(&nspath, "/proc/%d/ns/%s", pid, tmp) < 0)
1912                         return ENOMEM;
1913 
1914                 fd = open(nspath, O_RDONLY);
1915                 free(nspath);
1916 
1917                 if (fd < 0)
1918                         return errno?:ESTALE;
1919 
1920                 *setns = fd;
1921 
1922                 if (etmp)
1923                         tmp = etmp;
1924                 else
1925                         tmp = NULL;
1926         } while (tmp);
1927 
1928         return 0;
1929 }
1930 
1931 static void get_jail_root_user(bool is_gidmap, uint32_t container_id, uint32_t host_id, uint32_t size)
1932 {
1933         if (container_id == 0 && size >= 1)
1934                 if (!is_gidmap)
1935                         opts.root_map_uid = host_id;
1936 }
1937 
1938 enum {
1939         OCI_LINUX_UIDGIDMAP_CONTAINERID,
1940         OCI_LINUX_UIDGIDMAP_HOSTID,
1941         OCI_LINUX_UIDGIDMAP_SIZE,
1942         __OCI_LINUX_UIDGIDMAP_MAX,
1943 };
1944 
1945 static const struct blobmsg_policy oci_linux_uidgidmap_policy[] = {
1946         [OCI_LINUX_UIDGIDMAP_CONTAINERID] = { "containerID", BLOBMSG_TYPE_INT32 },
1947         [OCI_LINUX_UIDGIDMAP_HOSTID] = { "hostID", BLOBMSG_TYPE_INT32 },
1948         [OCI_LINUX_UIDGIDMAP_SIZE] = { "size", BLOBMSG_TYPE_INT32 },
1949 };
1950 
1951 static int parseOCIuidgidmappings(struct blob_attr *msg, bool is_gidmap)
1952 {
1953         struct blob_attr *tb[__OCI_LINUX_UIDGIDMAP_MAX];
1954         struct blob_attr *cur;
1955         int rem;
1956         char *map;
1957         size_t len, pos, totallen = 0;
1958 
1959         blobmsg_for_each_attr(cur, msg, rem) {
1960                 blobmsg_parse(oci_linux_uidgidmap_policy, __OCI_LINUX_UIDGIDMAP_MAX, tb, blobmsg_data(cur), blobmsg_len(cur));
1961 
1962                 if (!tb[OCI_LINUX_UIDGIDMAP_CONTAINERID] ||
1963                     !tb[OCI_LINUX_UIDGIDMAP_HOSTID] ||
1964                     !tb[OCI_LINUX_UIDGIDMAP_SIZE])
1965                         return EINVAL;
1966 
1967                 /* count length */
1968                 totallen += snprintf(NULL, 0, "%d %d %d\n",
1969                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]),
1970                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]),
1971                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE]));
1972         }
1973 
1974         /* allocate combined mapping string */
1975         map = malloc(totallen + 1);
1976         if (!map)
1977                 return ENOMEM;
1978 
1979         pos = 0;
1980         blobmsg_for_each_attr(cur, msg, rem) {
1981                 blobmsg_parse(oci_linux_uidgidmap_policy, __OCI_LINUX_UIDGIDMAP_MAX, tb, blobmsg_data(cur), blobmsg_len(cur));
1982 
1983                 get_jail_root_user(is_gidmap, blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]),
1984                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]),
1985                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE]));
1986 
1987                 /* write mapping line into pre-allocated string */
1988                 len = snprintf(&map[pos], totallen + 1, "%d %d %d\n",
1989                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]),
1990                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]),
1991                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE]));
1992                 pos += len;
1993                 totallen -= len;
1994         }
1995 
1996         assert(totallen == 0);
1997 
1998         if (is_gidmap)
1999                 opts.gidmap = map;
2000         else
2001                 opts.uidmap = map;
2002 
2003         return 0;
2004 }
2005 
2006 enum {
2007         OCI_DEVICES_TYPE,
2008         OCI_DEVICES_PATH,
2009         OCI_DEVICES_MAJOR,
2010         OCI_DEVICES_MINOR,
2011         OCI_DEVICES_FILEMODE,
2012         OCI_DEVICES_UID,
2013         OCI_DEVICES_GID,
2014         __OCI_DEVICES_MAX,
2015 };
2016 
2017 static const struct blobmsg_policy oci_devices_policy[] = {
2018         [OCI_DEVICES_TYPE] = { "type", BLOBMSG_TYPE_STRING },
2019         [OCI_DEVICES_PATH] = { "path", BLOBMSG_TYPE_STRING },
2020         [OCI_DEVICES_MAJOR] = { "major", BLOBMSG_TYPE_INT32 },
2021         [OCI_DEVICES_MINOR] = { "minor", BLOBMSG_TYPE_INT32 },
2022         [OCI_DEVICES_FILEMODE] = { "fileMode", BLOBMSG_TYPE_INT32 },
2023         [OCI_DEVICES_UID] = { "uid", BLOBMSG_TYPE_INT32 },
2024         [OCI_DEVICES_GID] = { "uid", BLOBMSG_TYPE_INT32 },
2025 };
2026 
2027 static mode_t resolve_devtype(char *tstr)
2028 {
2029         if (!strcmp("c", tstr) ||
2030             !strcmp("u", tstr))
2031                 return S_IFCHR;
2032         else if (!strcmp("b", tstr))
2033                 return S_IFBLK;
2034         else if (!strcmp("p", tstr))
2035                 return S_IFIFO;
2036         else
2037                 return 0;
2038 }
2039 
2040 static int parseOCIdevices(struct blob_attr *msg)
2041 {
2042         struct blob_attr *tb[__OCI_DEVICES_MAX];
2043         struct blob_attr *cur;
2044         int rem;
2045         size_t cnt = 0;
2046         struct mknod_args *tmp;
2047 
2048         blobmsg_for_each_attr(cur, msg, rem)
2049                 ++cnt;
2050 
2051         opts.devices = calloc(cnt + 1, sizeof(struct mknod_args *));
2052 
2053         cnt = 0;
2054         blobmsg_for_each_attr(cur, msg, rem) {
2055                 blobmsg_parse(oci_devices_policy, __OCI_DEVICES_MAX, tb, blobmsg_data(cur), blobmsg_len(cur));
2056                 if (!tb[OCI_DEVICES_TYPE] ||
2057                     !tb[OCI_DEVICES_PATH])
2058                         return ENODATA;
2059 
2060                 tmp = calloc(1, sizeof(struct mknod_args));
2061                 if (!tmp)
2062                         return ENOMEM;
2063 
2064                 tmp->mode = resolve_devtype(blobmsg_get_string(tb[OCI_DEVICES_TYPE]));
2065                 if (!tmp->mode) {
2066                         free(tmp);
2067                         return EINVAL;
2068                 }
2069 
2070                 if (tmp->mode != S_IFIFO) {
2071                         if (!tb[OCI_DEVICES_MAJOR] || !tb[OCI_DEVICES_MINOR]) {
2072                                 free(tmp);
2073                                 return ENODATA;
2074                         }
2075 
2076                         tmp->dev = makedev(blobmsg_get_u32(tb[OCI_DEVICES_MAJOR]),
2077                                            blobmsg_get_u32(tb[OCI_DEVICES_MINOR]));
2078                 }
2079 
2080                 if (tb[OCI_DEVICES_FILEMODE]) {
2081                         if (~(S_IRWXU|S_IRWXG|S_IRWXO) & blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE])) {
2082                                 free(tmp);
2083                                 return EINVAL;
2084                         }
2085 
2086                         tmp->mode |= blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE]);
2087                 } else {
2088                         tmp->mode |= (S_IRUSR|S_IWUSR); /* 0600 */
2089                 }
2090 
2091                 tmp->path = strdup(blobmsg_get_string(tb[OCI_DEVICES_PATH]));
2092 
2093                 if (tb[OCI_DEVICES_UID])
2094                         tmp->uid = blobmsg_get_u32(tb[OCI_DEVICES_UID]);
2095                 else
2096                         tmp->uid = -1;
2097 
2098                 if (tb[OCI_DEVICES_GID])
2099                         tmp->gid = blobmsg_get_u32(tb[OCI_DEVICES_GID]);
2100                 else
2101                         tmp->gid = -1;
2102 
2103                 DEBUG("read device %s (%s)\n", blobmsg_get_string(tb[OCI_DEVICES_PATH]), blobmsg_get_string(tb[OCI_DEVICES_TYPE]));
2104                 opts.devices[cnt++] = tmp;
2105         }
2106 
2107         opts.devices[cnt] = NULL;
2108 
2109         return 0;
2110 }
2111 
2112 static int parseOCIsysctl(struct blob_attr *msg)
2113 {
2114         struct blob_attr *cur;
2115         int rem;
2116         char *tmp, *tc;
2117         size_t cnt = 0;
2118 
2119         blobmsg_for_each_attr(cur, msg, rem) {
2120                 if (!blobmsg_name(cur) || !blobmsg_get_string(cur))
2121                         return EINVAL;
2122 
2123                 ++cnt;
2124         }
2125 
2126         if (!cnt)
2127                 return 0;
2128 
2129         opts.sysctl = calloc(cnt + 1, sizeof(struct sysctl_val *));
2130         if (!opts.sysctl)
2131                 return ENOMEM;
2132 
2133         cnt = 0;
2134         blobmsg_for_each_attr(cur, msg, rem) {
2135                 opts.sysctl[cnt] = malloc(sizeof(struct sysctl_val));
2136                 if (!opts.sysctl[cnt])
2137                         return ENOMEM;
2138 
2139                 /* replace '.' with '/' in entry name */
2140                 tc = tmp = strdup(blobmsg_name(cur));
2141                 while ((tc = strchr(tc, '.')))
2142                         *tc = '/';
2143 
2144                 opts.sysctl[cnt]->value = strdup(blobmsg_get_string(cur));
2145                 opts.sysctl[cnt]->entry = tmp;
2146 
2147                 ++cnt;
2148         }
2149 
2150         opts.sysctl[cnt] = NULL;
2151 
2152         return 0;
2153 }
2154 
2155 
2156 enum {
2157         OCI_LINUX_CGROUPSPATH,
2158         OCI_LINUX_RESOURCES,
2159         OCI_LINUX_SECCOMP,
2160         OCI_LINUX_SYSCTL,
2161         OCI_LINUX_NAMESPACES,
2162         OCI_LINUX_DEVICES,
2163         OCI_LINUX_UIDMAPPINGS,
2164         OCI_LINUX_GIDMAPPINGS,
2165         OCI_LINUX_MASKEDPATHS,
2166         OCI_LINUX_READONLYPATHS,
2167         OCI_LINUX_ROOTFSPROPAGATION,
2168         __OCI_LINUX_MAX,
2169 };
2170 
2171 static const struct blobmsg_policy oci_linux_policy[] = {
2172         [OCI_LINUX_CGROUPSPATH] = { "cgroupsPath", BLOBMSG_TYPE_STRING },
2173         [OCI_LINUX_RESOURCES] = { "resources", BLOBMSG_TYPE_TABLE },
2174         [OCI_LINUX_SECCOMP] = { "seccomp", BLOBMSG_TYPE_TABLE },
2175         [OCI_LINUX_SYSCTL] = { "sysctl", BLOBMSG_TYPE_TABLE },
2176         [OCI_LINUX_NAMESPACES] = { "namespaces", BLOBMSG_TYPE_ARRAY },
2177         [OCI_LINUX_DEVICES] = { "devices", BLOBMSG_TYPE_ARRAY },
2178         [OCI_LINUX_UIDMAPPINGS] = { "uidMappings", BLOBMSG_TYPE_ARRAY },
2179         [OCI_LINUX_GIDMAPPINGS] = { "gidMappings", BLOBMSG_TYPE_ARRAY },
2180         [OCI_LINUX_MASKEDPATHS] = { "maskedPaths", BLOBMSG_TYPE_ARRAY },
2181         [OCI_LINUX_READONLYPATHS] = { "readonlyPaths", BLOBMSG_TYPE_ARRAY },
2182         [OCI_LINUX_ROOTFSPROPAGATION] = { "rootfsPropagation", BLOBMSG_TYPE_STRING },
2183 };
2184 
2185 static int parseOCIlinux(struct blob_attr *msg)
2186 {
2187         struct blob_attr *tb[__OCI_LINUX_MAX];
2188         struct blob_attr *cur;
2189         int rem;
2190         int res = 0;
2191         char *cgpath;
2192         char cgfullpath[256] = "/sys/fs/cgroup";
2193 
2194         blobmsg_parse(oci_linux_policy, __OCI_LINUX_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
2195 
2196         if (tb[OCI_LINUX_NAMESPACES]) {
2197                 blobmsg_for_each_attr(cur, tb[OCI_LINUX_NAMESPACES], rem) {
2198                         res = parseOCIlinuxns(cur);
2199                         if (res)
2200                                 return res;
2201                 }
2202         }
2203 
2204         if (tb[OCI_LINUX_UIDMAPPINGS]) {
2205                 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 0);
2206                 if (res)
2207                         return res;
2208         }
2209 
2210         if (tb[OCI_LINUX_GIDMAPPINGS]) {
2211                 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 1);
2212                 if (res)
2213                         return res;
2214         }
2215 
2216         if (tb[OCI_LINUX_READONLYPATHS]) {
2217                 blobmsg_for_each_attr(cur, tb[OCI_LINUX_READONLYPATHS], rem) {
2218                         res = add_mount(NULL, blobmsg_get_string(cur), NULL, MS_BIND | MS_REC | MS_RDONLY, 0, NULL, 0);
2219                         if (res)
2220                                 return res;
2221                 }
2222         }
2223 
2224         if (tb[OCI_LINUX_MASKEDPATHS]) {
2225                 blobmsg_for_each_attr(cur, tb[OCI_LINUX_MASKEDPATHS], rem) {
2226                         res = add_mount((void *)(-1), blobmsg_get_string(cur), NULL, 0, 0, NULL, 0);
2227                         if (res)
2228                                 return res;
2229                 }
2230         }
2231 
2232         if (tb[OCI_LINUX_SYSCTL]) {
2233                 res = parseOCIsysctl(tb[OCI_LINUX_SYSCTL]);
2234                 if (res)
2235                         return res;
2236         }
2237 
2238         if (tb[OCI_LINUX_SECCOMP]) {
2239                 opts.ociseccomp = parseOCIlinuxseccomp(tb[OCI_LINUX_SECCOMP]);
2240                 if (!opts.ociseccomp)
2241                         return EINVAL;
2242         }
2243 
2244         if (tb[OCI_LINUX_DEVICES]) {
2245                 res = parseOCIdevices(tb[OCI_LINUX_DEVICES]);
2246                 if (res)
2247                         return res;
2248         }
2249 
2250         if (tb[OCI_LINUX_CGROUPSPATH]) {
2251                 cgpath = blobmsg_get_string(tb[OCI_LINUX_CGROUPSPATH]);
2252                 if (cgpath[0] == '/') {
2253                         if (strlen(cgpath) + 1 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
2254                                 return E2BIG;
2255 
2256                         strcat(cgfullpath, cgpath);
2257                 } else {
2258                         strcat(cgfullpath, "/containers/");
2259                         if (strlen(opts.name) + strlen(cgpath) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
2260                                 return E2BIG;
2261 
2262                         strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
2263                         strcat(cgfullpath, "/");
2264                         strcat(cgfullpath, cgpath);
2265                 }
2266         } else {
2267                 strcat(cgfullpath, "/containers/");
2268                 if (2 * strlen(opts.name) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
2269                         return E2BIG;
2270 
2271                 strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
2272                 strcat(cgfullpath, "/");
2273                 strcat(cgfullpath, opts.name); /* should be container instance name rather than jail name */
2274         }
2275 
2276         cgroups_init(cgfullpath);
2277 
2278         if (tb[OCI_LINUX_RESOURCES]) {
2279                 res = parseOCIlinuxcgroups(tb[OCI_LINUX_RESOURCES]);
2280                 if (res)
2281                         return res;
2282         }
2283 
2284         return 0;
2285 }
2286 
2287 enum {
2288         OCI_VERSION,
2289         OCI_HOSTNAME,
2290         OCI_PROCESS,
2291         OCI_ROOT,
2292         OCI_MOUNTS,
2293         OCI_HOOKS,
2294         OCI_LINUX,
2295         OCI_ANNOTATIONS,
2296         __OCI_MAX,
2297 };
2298 
2299 static const struct blobmsg_policy oci_policy[] = {
2300         [OCI_VERSION] = { "ociVersion", BLOBMSG_TYPE_STRING },
2301         [OCI_HOSTNAME] = { "hostname", BLOBMSG_TYPE_STRING },
2302         [OCI_PROCESS] = { "process", BLOBMSG_TYPE_TABLE },
2303         [OCI_ROOT] = { "root", BLOBMSG_TYPE_TABLE },
2304         [OCI_MOUNTS] = { "mounts", BLOBMSG_TYPE_ARRAY },
2305         [OCI_HOOKS] = { "hooks", BLOBMSG_TYPE_TABLE },
2306         [OCI_LINUX] = { "linux", BLOBMSG_TYPE_TABLE },
2307         [OCI_ANNOTATIONS] = { "annotations", BLOBMSG_TYPE_TABLE },
2308 };
2309 
2310 static int parseOCI(const char *jsonfile)
2311 {
2312         struct blob_attr *tb[__OCI_MAX];
2313         struct blob_attr *cur;
2314         int rem;
2315         int res;
2316 
2317         blob_buf_init(&ocibuf, 0);
2318 
2319         if (!blobmsg_add_json_from_file(&ocibuf, jsonfile)) {
2320                 res=ENOENT;
2321                 goto errout;
2322         }
2323 
2324         blobmsg_parse(oci_policy, __OCI_MAX, tb, blob_data(ocibuf.head), blob_len(ocibuf.head));
2325 
2326         if (!tb[OCI_VERSION]) {
2327                 res=ENOMSG;
2328                 goto errout;
2329         }
2330 
2331         if (strncmp("1.0", blobmsg_get_string(tb[OCI_VERSION]), 3)) {
2332                 ERROR("unsupported ociVersion %s\n", blobmsg_get_string(tb[OCI_VERSION]));
2333                 res=ENOTSUP;
2334                 goto errout;
2335         }
2336 
2337         if (tb[OCI_HOSTNAME])
2338                 opts.hostname = strdup(blobmsg_get_string(tb[OCI_HOSTNAME]));
2339 
2340         if (!tb[OCI_PROCESS]) {
2341                 res=ENODATA;
2342                 goto errout;
2343         }
2344 
2345         if ((res = parseOCIprocess(tb[OCI_PROCESS])))
2346                 goto errout;
2347 
2348         if (!tb[OCI_ROOT]) {
2349                 res=ENODATA;
2350                 goto errout;
2351         }
2352         if ((res = parseOCIroot(jsonfile, tb[OCI_ROOT])))
2353                 goto errout;
2354 
2355         if (!tb[OCI_MOUNTS]) {
2356                 res=ENODATA;
2357                 goto errout;
2358         }
2359 
2360         blobmsg_for_each_attr(cur, tb[OCI_MOUNTS], rem)
2361                 if ((res = parseOCImount(cur)))
2362                         goto errout;
2363 
2364         if (tb[OCI_LINUX] && (res = parseOCIlinux(tb[OCI_LINUX])))
2365                 goto errout;
2366 
2367         if (tb[OCI_HOOKS] && (res = parseOCIhooks(tb[OCI_HOOKS])))
2368                 goto errout;
2369 
2370         if (tb[OCI_ANNOTATIONS])
2371                 opts.annotations = blob_memdup(tb[OCI_ANNOTATIONS]);
2372 
2373 errout:
2374         blob_buf_free(&ocibuf);
2375 
2376         return res;
2377 }
2378 
2379 static int set_oom_score_adj(void)
2380 {
2381         int f;
2382         char fname[32];
2383 
2384         if (!opts.set_oom_score_adj)
2385                 return 0;
2386 
2387         snprintf(fname, sizeof(fname), "/proc/%u/oom_score_adj", jail_process.pid);
2388         f = open(fname, O_WRONLY | O_TRUNC);
2389         if (f < 0)
2390                 return errno;
2391 
2392         dprintf(f, "%d", opts.oom_score_adj);
2393         close(f);
2394 
2395         return 0;
2396 }
2397 
2398 
2399 enum {
2400         OCI_STATE_CREATING,
2401         OCI_STATE_CREATED,
2402         OCI_STATE_RUNNING,
2403         OCI_STATE_STOPPED,
2404 };
2405 
2406 static int jail_oci_state = OCI_STATE_CREATED;
2407 static void pipe_send_start_container(struct uloop_timeout *t);
2408 static struct uloop_timeout start_container_timeout = {
2409         .cb = pipe_send_start_container,
2410 };
2411 
2412 static int handle_start(struct ubus_context *ctx, struct ubus_object *obj,
2413                         struct ubus_request_data *req, const char *method,
2414                         struct blob_attr *msg)
2415 {
2416         if (jail_oci_state != OCI_STATE_CREATED)
2417                 return UBUS_STATUS_INVALID_ARGUMENT;
2418 
2419         uloop_timeout_add(&start_container_timeout);
2420 
2421         return UBUS_STATUS_OK;
2422 }
2423 
2424 static struct blob_buf bb;
2425 static int handle_state(struct ubus_context *ctx, struct ubus_object *obj,
2426                         struct ubus_request_data *req, const char *method,
2427                         struct blob_attr *msg)
2428 {
2429         char *statusstr;
2430 
2431         switch (jail_oci_state) {
2432                 case OCI_STATE_CREATING:
2433                         statusstr = "creating";
2434                         break;
2435                 case OCI_STATE_CREATED:
2436                         statusstr = "created";
2437                         break;
2438                 case OCI_STATE_RUNNING:
2439                         statusstr = "running";
2440                         break;
2441                 case OCI_STATE_STOPPED:
2442                         statusstr = "stopped";
2443                         break;
2444                 default:
2445                         statusstr = "unknown";
2446         }
2447 
2448         blob_buf_init(&bb, 0);
2449         blobmsg_add_string(&bb, "ociVersion", OCI_VERSION_STRING);
2450         blobmsg_add_string(&bb, "id", opts.name);
2451         blobmsg_add_string(&bb, "status", statusstr);
2452         if (jail_oci_state == OCI_STATE_CREATED ||
2453             jail_oci_state == OCI_STATE_RUNNING)
2454                 blobmsg_add_u32(&bb, "pid", jail_process.pid);
2455 
2456         blobmsg_add_string(&bb, "bundle", opts.ocibundle);
2457 
2458         if (opts.annotations)
2459                 blobmsg_add_blob(&bb, opts.annotations);
2460 
2461         ubus_send_reply(ctx, req, bb.head);
2462 
2463         return UBUS_STATUS_OK;
2464 }
2465 
2466 enum {
2467         CONTAINER_KILL_ATTR_SIGNAL,
2468         __CONTAINER_KILL_ATTR_MAX,
2469 };
2470 
2471 static const struct blobmsg_policy container_kill_attrs[__CONTAINER_KILL_ATTR_MAX] = {
2472         [CONTAINER_KILL_ATTR_SIGNAL] = { "signal", BLOBMSG_TYPE_INT32 },
2473 };
2474 
2475 static int
2476 container_handle_kill(struct ubus_context *ctx, struct ubus_object *obj,
2477                     struct ubus_request_data *req, const char *method,
2478                     struct blob_attr *msg)
2479 {
2480         struct blob_attr *tb[__CONTAINER_KILL_ATTR_MAX], *cur;
2481         int sig = SIGTERM;
2482 
2483         blobmsg_parse(container_kill_attrs, __CONTAINER_KILL_ATTR_MAX, tb, blobmsg_data(msg), blobmsg_data_len(msg));
2484 
2485         cur = tb[CONTAINER_KILL_ATTR_SIGNAL];
2486         if (cur)
2487                 sig = blobmsg_get_u32(cur);
2488 
2489         if (jail_oci_state == OCI_STATE_CREATING)
2490                 return UBUS_STATUS_NOT_FOUND;
2491 
2492         if (kill(jail_process.pid, sig) == 0)
2493                 return 0;
2494 
2495         switch (errno) {
2496         case EINVAL: return UBUS_STATUS_INVALID_ARGUMENT;
2497         case EPERM:  return UBUS_STATUS_PERMISSION_DENIED;
2498         case ESRCH:  return UBUS_STATUS_NOT_FOUND;
2499         }
2500 
2501         return UBUS_STATUS_UNKNOWN_ERROR;
2502 }
2503 
2504 static int
2505 jail_writepid(pid_t pid)
2506 {
2507         FILE *_pidfile;
2508 
2509         if (!opts.pidfile)
2510                 return 0;
2511 
2512         _pidfile = fopen(opts.pidfile, "w");
2513         if (_pidfile == NULL)
2514                 return errno;
2515 
2516         if (fprintf(_pidfile, "%d\n", pid) < 0) {
2517                 fclose(_pidfile);
2518                 return errno;
2519         }
2520 
2521         if (fclose(_pidfile))
2522                 return errno;
2523 
2524         return 0;
2525 }
2526 
2527 static int checkpath(const char *path)
2528 {
2529         int dirfd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
2530         if (dirfd < 0) {
2531                 ERROR("path %s open failed %m\n", path);
2532                 return -1;
2533         }
2534         close(dirfd);
2535 
2536         return 0;
2537 }
2538 
2539 static struct ubus_method container_methods[] = {
2540         UBUS_METHOD_NOARG("start", handle_start),
2541         UBUS_METHOD_NOARG("state", handle_state),
2542         UBUS_METHOD("kill", container_handle_kill, container_kill_attrs),
2543 };
2544 
2545 static struct ubus_object_type container_object_type =
2546         UBUS_OBJECT_TYPE("container", container_methods);
2547 
2548 static struct ubus_object container_object = {
2549         .type = &container_object_type,
2550         .methods = container_methods,
2551         .n_methods = ARRAY_SIZE(container_methods),
2552 };
2553 
2554 static void post_main(struct uloop_timeout *t);
2555 static struct uloop_timeout post_main_timeout = {
2556         .cb = post_main,
2557 };
2558 static int netns_fd;
2559 static int pidns_fd;
2560 #ifdef CLONE_NEWTIME
2561 static int timens_fd;
2562 #endif
2563 static void post_create_runtime(void);
2564 int main(int argc, char **argv)
2565 {
2566         uid_t uid = getuid();
2567         const char log[] = "/dev/log";
2568         const char ubus[] = "/var/run/ubus/ubus.sock";
2569         int ret = EXIT_FAILURE;
2570         int ch;
2571 
2572         if (uid) {
2573                 ERROR("not root, aborting: %m\n");
2574                 return EXIT_FAILURE;
2575         }
2576 
2577         /* those are filehandlers, so -1 indicates unused */
2578         opts.setns.pid = -1;
2579         opts.setns.net = -1;
2580         opts.setns.ns = -1;
2581         opts.setns.ipc = -1;
2582         opts.setns.uts = -1;
2583         opts.setns.user = -1;
2584         opts.setns.cgroup = -1;
2585 #ifdef CLONE_NEWTIME
2586         opts.setns.time = -1;
2587 #endif
2588 
2589         umask(022);
2590         mount_list_init();
2591         init_library_search();
2592         cgroups_prepare();
2593         exit_from_child = false;
2594 
2595         while ((ch = getopt(argc, argv, OPT_ARGS)) != -1) {
2596                 switch (ch) {
2597                 case 'd':
2598                         debug = atoi(optarg);
2599                         break;
2600                 case 'p':
2601                         opts.namespace |= CLONE_NEWNS;
2602                         opts.procfs = 1;
2603                         break;
2604                 case 'o':
2605                         opts.namespace |= CLONE_NEWNS;
2606                         opts.ronly = 1;
2607                         break;
2608                 case 'f':
2609                         opts.namespace |= CLONE_NEWUSER;
2610                         break;
2611                 case 'F':
2612                         opts.namespace |= CLONE_NEWCGROUP;
2613                         break;
2614                 case 'R':
2615                         opts.extroot = realpath(optarg, NULL);
2616                         break;
2617                 case 's':
2618                         opts.namespace |= CLONE_NEWNS;
2619                         opts.sysfs = 1;
2620                         break;
2621                 case 'S':
2622                         opts.seccomp = optarg;
2623                         add_mount_bind(optarg, 1, -1);
2624                         break;
2625                 case 'C':
2626                         opts.capabilities = optarg;
2627                         break;
2628                 case 'c':
2629                         opts.no_new_privs = 1;
2630                         break;
2631                 case 'n':
2632                         opts.name = optarg;
2633                         break;
2634                 case 'N':
2635                         opts.namespace |= CLONE_NEWNET;
2636                         break;
2637                 case 'h':
2638                         opts.namespace |= CLONE_NEWUTS;
2639                         opts.hostname = strdup(optarg);
2640                         break;
2641                 case 'j':
2642                         jail_join_ns(optarg);
2643                         break;
2644                 case 'r':
2645                         opts.namespace |= CLONE_NEWNS;
2646                         add_path_and_deps(optarg, 1, 0, 0);
2647                         break;
2648                 case 'w':
2649                         opts.namespace |= CLONE_NEWNS;
2650                         add_path_and_deps(optarg, 0, 0, 0);
2651                         break;
2652                 case 'u':
2653                         opts.namespace |= CLONE_NEWNS;
2654                         add_mount_bind(ubus, 0, -1);
2655                         break;
2656                 case 'l':
2657                         opts.namespace |= CLONE_NEWNS;
2658                         add_mount_bind(log, 0, -1);
2659                         break;
2660                 case 'U':
2661                         opts.user = optarg;
2662                         break;
2663                 case 'G':
2664                         opts.group = optarg;
2665                         break;
2666                 case 'O':
2667                         opts.overlaydir = realpath(optarg, NULL);
2668                         break;
2669                 case 'T':
2670                         opts.tmpoverlaysize = optarg;
2671                         break;
2672                 case 'E':
2673                         opts.require_jail = 1;
2674                         break;
2675                 case 'y':
2676                         opts.console = 1;
2677                         break;
2678                 case 'J':
2679                         opts.ocibundle = optarg;
2680                         break;
2681                 case 'i':
2682                         opts.immediately = true;
2683                         break;
2684                 case 'P':
2685                         opts.pidfile = optarg;
2686                         break;
2687                 }
2688         }
2689 
2690         if (opts.namespace && !opts.ocibundle)
2691                 opts.namespace |= CLONE_NEWIPC | CLONE_NEWPID;
2692 
2693         /*
2694          * uid in parent user namespace representing root user in new
2695          * user namespace, defaults to nobody unless specified in uidMappings
2696          */
2697         opts.root_map_uid = 65534;
2698 
2699         if (opts.capabilities && parseOCIcapabilities_from_file(&opts.capset, opts.capabilities)) {
2700                 ERROR("failed to read capabilities from file %s\n", opts.capabilities);
2701                 ret=-1;
2702                 goto errout;
2703         }
2704 
2705         if (opts.ocibundle) {
2706                 char *jsonfile;
2707                 int ocires;
2708 
2709                 if (!opts.name) {
2710                         ERROR("OCI bundle needs a named jail\n");
2711                         ret=-1;
2712                         goto errout;
2713                 }
2714                 if (asprintf(&jsonfile, "%s/config.json", opts.ocibundle) < 0) {
2715                         ret=-ENOMEM;
2716                         goto errout;
2717                 }
2718                 ocires = parseOCI(jsonfile);
2719                 free(jsonfile);
2720                 if (ocires) {
2721                         ERROR("parsing of OCI JSON spec has failed: %s (%d)\n", strerror(ocires), ocires);
2722                         ret=ocires;
2723                         goto errout;
2724                 }
2725         }
2726 
2727         if (opts.namespace & CLONE_NEWNET) {
2728                 if (!opts.name) {
2729                         ERROR("netns needs a named jail\n");
2730                         ret=-1;
2731                         goto errout;
2732                 }
2733         }
2734 
2735 
2736         if (opts.tmpoverlaysize && strlen(opts.tmpoverlaysize) > 8) {
2737                 ERROR("size parameter too long: \"%s\"\n", opts.tmpoverlaysize);
2738                 ret=-1;
2739                 goto errout;
2740         }
2741 
2742         if (opts.extroot && checkpath(opts.extroot)) {
2743                 ERROR("invalid rootfs path '%s'", opts.extroot);
2744                 ret=-1;
2745                 goto errout;
2746         }
2747 
2748         if (opts.overlaydir && checkpath(opts.overlaydir)) {
2749                 ERROR("invalid rootfs overlay path '%s'", opts.overlaydir);
2750                 ret=-1;
2751                 goto errout;
2752         }
2753 
2754         /* no <binary> param found */
2755         if (!opts.ocibundle && (argc - optind < 1)) {
2756                 usage();
2757                 ret=EXIT_FAILURE;
2758                 goto errout;
2759         }
2760         if (!(opts.ocibundle||opts.namespace||opts.capabilities||opts.seccomp||
2761                 (opts.setns.net != -1) ||
2762                 (opts.setns.ns != -1) ||
2763                 (opts.setns.ipc != -1) ||
2764                 (opts.setns.uts != -1) ||
2765                 (opts.setns.user != -1) ||
2766                 (opts.setns.cgroup != -1))) {
2767                 ERROR("Not using namespaces, capabilities or seccomp !!!\n\n");
2768                 usage();
2769                 ret=EXIT_FAILURE;
2770                 goto errout;
2771         }
2772         DEBUG("Using namespaces(0x%08x), capabilities(%d), seccomp(%d)\n",
2773                 opts.namespace,
2774                 opts.capset.apply,
2775                 opts.seccomp != 0 || opts.ociseccomp != 0);
2776 
2777         uloop_init();
2778         signals_init();
2779 
2780         parent_ctx = ubus_connect(NULL);
2781         ubus_add_uloop(parent_ctx);
2782 
2783         if (opts.ocibundle) {
2784                 char *objname;
2785                 if (asprintf(&objname, "container.%s", opts.name) < 0) {
2786                         ret=-ENOMEM;
2787                         goto errout;
2788                 }
2789 
2790                 container_object.name = objname;
2791                 ret = ubus_add_object(parent_ctx, &container_object);
2792                 if (ret) {
2793                         ERROR("Failed to add object: %s\n", ubus_strerror(ret));
2794                         ret=-1;
2795                         goto errout;
2796                 }
2797         }
2798 
2799         /* deliberately not using 'else' on unrelated conditional branches */
2800         if (!opts.ocibundle) {
2801                 /* allocate NULL-terminated array for argv */
2802                 opts.jail_argv = calloc(1 + argc - optind, sizeof(void *));
2803                 if (!opts.jail_argv) {
2804                         ret=EXIT_FAILURE;
2805                         goto errout;
2806                 }
2807                 for (size_t s = optind; s < argc; s++)
2808                         opts.jail_argv[s - optind] = strdup(argv[s]);
2809 
2810                 if (opts.namespace & CLONE_NEWUSER)
2811                         get_jail_user(&opts.pw_uid, &opts.pw_gid, &opts.gr_gid);
2812         }
2813 
2814         if (!opts.extroot) {
2815                 if (opts.namespace && add_path_and_deps(*opts.jail_argv, 1, -1, 0)) {
2816                         ERROR("failed to load dependencies\n");
2817                         ret=-1;
2818                         goto errout;
2819                 }
2820         }
2821 
2822         if (opts.namespace && opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) {
2823                 ERROR("failed to load libpreload-seccomp.so\n");
2824                 opts.seccomp = 0;
2825                 if (opts.require_jail) {
2826                         ret=-1;
2827                         goto errout;
2828                 }
2829         }
2830 
2831         uloop_timeout_add(&post_main_timeout);
2832         uloop_run();
2833 
2834 errout:
2835         if (opts.ocibundle)
2836                 cgroups_free();
2837 
2838         free_opts(true);
2839 
2840         return ret;
2841 }
2842 
2843 static void post_main(struct uloop_timeout *t)
2844 {
2845         if (apply_rlimits()) {
2846                 ERROR("error applying resource limits\n");
2847                 free_and_exit(EXIT_FAILURE);
2848         }
2849 
2850         if (opts.name)
2851                 prctl(PR_SET_NAME, opts.name, NULL, NULL, NULL);
2852 
2853         if (pipe(&pipes[0]) < 0 || pipe(&pipes[2]) < 0)
2854                 free_and_exit(-1);
2855 
2856         if (has_namespaces()) {
2857                 if (opts.namespace & CLONE_NEWNS) {
2858                         if (!opts.extroot && (opts.user || opts.group)) {
2859                                 add_mount_bind("/etc/passwd", 1, -1);
2860                                 add_mount_bind("/etc/group", 1, -1);
2861                         }
2862 
2863 #if defined(__GLIBC__)
2864                         if (!opts.extroot)
2865                                 add_mount_bind("/etc/nsswitch.conf", 1, -1);
2866 #endif
2867                         if (opts.setns.ns == -1) {
2868                                 if (!(opts.namespace & CLONE_NEWNET)) {
2869                                         add_mount_bind("/etc/resolv.conf", 1, 0);
2870                                 } else {
2871                                         /* new mount namespace to provide /dev/resolv.conf.d */
2872                                         char hostdir[PATH_MAX];
2873 
2874                                         snprintf(hostdir, PATH_MAX, "/tmp/resolv.conf-%s.d", opts.name);
2875                                         mkdir_p(hostdir, 0755);
2876                                         add_mount(hostdir, "/dev/resolv.conf.d", NULL,
2877                                                 MS_BIND | MS_NOEXEC | MS_NOATIME | MS_NOSUID | MS_NODEV | MS_RDONLY, 0, NULL, 0);
2878                                 }
2879                         }
2880                         /* default mounts */
2881                         add_mount(NULL, "/dev", "tmpfs", MS_NOATIME | MS_NOEXEC | MS_NOSUID, 0, "size=1M", -1);
2882                         add_mount(NULL, "/dev/pts", "devpts", MS_NOATIME | MS_NOEXEC | MS_NOSUID, 0, "newinstance,ptmxmode=0666,mode=0620,gid=5", 0);
2883 
2884                         if (opts.procfs || opts.ocibundle) {
2885                                 add_mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0, NULL, -1);
2886 
2887                                 /*
2888                                  * hack to make /proc/sys/net read-write while the rest of /proc/sys is read-only
2889                                  * which cannot be expressed with OCI spec, but happends to be very useful.
2890                                  * Only apply it if '/proc/sys' is not already listed as mount, maskedPath or
2891                                  * readonlyPath.
2892                                  * If not running in a new network namespace, only make /proc/sys read-only.
2893                                  * If running in a new network namespace, temporarily stash (ie. mount-bind)
2894                                  * /proc/sys/net into (totally unrelated, but surely existing) /proc/self/net.
2895                                  * Then we mount-bind /proc/sys read-only and then mount-move /proc/self/net into
2896                                  * /proc/sys/net.
2897                                  * This works because mounts are executed in incrementing strcmp() order and
2898                                  * /proc/self/net appears there before /proc/sys/net and hence the operation
2899                                  * succeeds as the bind-mount of /proc/self/net is performed first and then
2900                                  * move-mount of /proc/sys/net follows because 'e' preceeds 'y' in the ASCII
2901                                  * table (and in the alphabet).
2902                                  */
2903                                 if (!add_mount(NULL, "/proc/sys", NULL, MS_BIND | MS_RDONLY, 0, NULL, -1))
2904                                         if (opts.namespace & CLONE_NEWNET)
2905                                                 if (!add_mount_inner("/proc/self/net", "/proc/sys/net", NULL, MS_MOVE, 0, NULL, -1))
2906                                                         add_mount_inner("/proc/sys/net", "/proc/self/net", NULL, MS_BIND, 0, NULL, -1);
2907 
2908                         }
2909                         if (opts.sysfs || opts.ocibundle)
2910                                 add_mount("sysfs", "/sys", "sysfs", MS_RELATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, 0, NULL, -1);
2911 
2912                         if (opts.ocibundle)
2913                                 add_mount("shm", "/dev/shm", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV, 0, "mode=1777", -1);
2914 
2915                 }
2916 
2917                 if (opts.setns.pid != -1) {
2918                         pidns_fd = ns_open_pid("pid", getpid());
2919                         setns_open(CLONE_NEWPID);
2920                 } else {
2921                         pidns_fd = -1;
2922                 }
2923 
2924 #ifdef CLONE_NEWTIME
2925                 if (opts.setns.time != -1) {
2926                         timens_fd = ns_open_pid("time", getpid());
2927                         setns_open(CLONE_NEWTIME);
2928                 } else {
2929                         timens_fd = -1;
2930                 }
2931 #endif
2932 
2933                 if (opts.namespace & CLONE_NEWUSER) {
2934                         if (prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP)) {
2935                                 ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n");
2936                                 free_and_exit(EXIT_FAILURE);
2937                         }
2938                         if (seteuid(opts.root_map_uid)) {
2939                                 ERROR("seteuid(%d) failed: %m\n", opts.root_map_uid);
2940                                 free_and_exit(EXIT_FAILURE);
2941                         }
2942                 }
2943 
2944                 jail_process.pid = clone(exec_jail, child_stack + STACK_SIZE, SIGCHLD | (opts.namespace & (~CLONE_NEWCGROUP)), NULL);
2945         } else {
2946                 jail_process.pid = fork();
2947         }
2948 
2949         if (jail_process.pid > 0) {
2950                 /* parent process */
2951                 char sig_buf[1];
2952 
2953                 uloop_process_add(&jail_process);
2954                 jail_running = 1;
2955                 if (seteuid(0)) {
2956                         ERROR("seteuid(%d) failed: %m\n", opts.root_map_uid);
2957                         free_and_exit(EXIT_FAILURE);
2958                 }
2959 
2960                 prctl(PR_SET_SECUREBITS, 0);
2961 
2962                 if (pidns_fd != -1) {
2963                         setns(pidns_fd, CLONE_NEWPID);
2964                         close(pidns_fd);
2965                 }
2966 #ifdef CLONE_NEWTIME
2967                 if (timens_fd != -1) {
2968                         setns(timens_fd, CLONE_NEWTIME);
2969                         close(timens_fd);
2970                 }
2971 #endif
2972                 if (opts.setns.net != -1)
2973                         close(opts.setns.net);
2974                 if (opts.setns.ns != -1)
2975                         close(opts.setns.ns);
2976                 if (opts.setns.ipc != -1)
2977                         close(opts.setns.ipc);
2978                 if (opts.setns.uts != -1)
2979                         close(opts.setns.uts);
2980                 if (opts.setns.user != -1)
2981                         close(opts.setns.user);
2982                 if (opts.setns.cgroup != -1)
2983                         close(opts.setns.cgroup);
2984                 close(pipes[1]);
2985                 close(pipes[2]);
2986                 if (read(pipes[0], sig_buf, 1) < 1) {
2987                         ERROR("can't read from child\n");
2988                         free_and_exit(-1);
2989                 }
2990                 close(pipes[0]);
2991                 set_oom_score_adj();
2992 
2993                 if (opts.ocibundle)
2994                         cgroups_apply(jail_process.pid);
2995 
2996                 if (opts.namespace & CLONE_NEWUSER) {
2997                         if (write_setgroups(jail_process.pid, true)) {
2998                                 ERROR("can't write setgroups\n");
2999                                 free_and_exit(-1);
3000                         }
3001                         if (!opts.uidmap) {
3002                                 bool has_gr = (opts.gr_gid != -1);
3003                                 if (opts.pw_uid != -1) {
3004                                         write_single_uid_gid_map(jail_process.pid, 0, opts.pw_uid);
3005                                         write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:opts.pw_gid);
3006                                 } else {
3007                                         write_single_uid_gid_map(jail_process.pid, 0, 65534);
3008                                         write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:65534);
3009                                 }
3010                         } else {
3011                                 write_uid_gid_map(jail_process.pid, 0, opts.uidmap);
3012                                 if (opts.gidmap)
3013                                         write_uid_gid_map(jail_process.pid, 1, opts.gidmap);
3014                         }
3015                 }
3016 
3017                 if (opts.namespace & CLONE_NEWNET) {
3018                         jail_network_start(parent_ctx, opts.name, jail_process.pid);
3019                         netns_fd = ns_open_pid("net", jail_process.pid);
3020                         netns_updown(jail_process.pid, true);
3021                 }
3022 
3023                 if (jail_writepid(jail_process.pid)) {
3024                         ERROR("failed to write pidfile: %m\n");
3025                         free_and_exit(-1);
3026                 }
3027         } else if (jail_process.pid == 0) {
3028                 /* fork child process */
3029                 free_and_exit(exec_jail(NULL));
3030         } else {
3031                 ERROR("failed to clone/fork: %m\n");
3032                 free_and_exit(EXIT_FAILURE);
3033         }
3034         run_hooks(opts.hooks.createRuntime, post_create_runtime);
3035 }
3036 
3037 static void post_poststart(void);
3038 static void post_create_runtime(void)
3039 {
3040         char sig_buf[1];
3041 
3042         sig_buf[0] = 'O';
3043         if (write(pipes[3], sig_buf, 1) < 0) {
3044                 ERROR("can't write to child\n");
3045                 free_and_exit(-1);
3046         }
3047 
3048         jail_oci_state = OCI_STATE_CREATED;
3049         if (opts.ocibundle && !opts.immediately)
3050                 uloop_run(); /* wait for 'start' command via ubus */
3051         else
3052                 pipe_send_start_container(NULL);
3053 }
3054 
3055 static void pipe_send_start_container(struct uloop_timeout *t)
3056 {
3057         char sig_buf[1];
3058 
3059         jail_oci_state = OCI_STATE_RUNNING;
3060         sig_buf[0] = '!';
3061         if (write(pipes[3], sig_buf, 1) < 0) {
3062                 ERROR("can't write to child\n");
3063                 free_and_exit(-1);
3064         }
3065         close(pipes[3]);
3066 
3067         run_hooks(opts.hooks.poststart, post_poststart);
3068 }
3069 
3070 static void post_poststart(void)
3071 {
3072         uloop_run(); /* idle here while jail is running */
3073         if (jail_running) {
3074                 DEBUG("uloop interrupted, killing jail process\n");
3075                 kill(jail_process.pid, SIGTERM);
3076                 uloop_timeout_set(&jail_process_timeout, 1000);
3077                 uloop_run();
3078         }
3079         uloop_done();
3080         poststop();
3081 }
3082 
3083 static void post_poststop(void);
3084 static void poststop(void) {
3085         if (opts.namespace & CLONE_NEWNET) {
3086                 setns(netns_fd, CLONE_NEWNET);
3087                 netns_updown(getpid(), false);
3088                 jail_network_stop();
3089                 close(netns_fd);
3090         }
3091         run_hooks(opts.hooks.poststop, post_poststop);
3092 }
3093 
3094 static void post_poststop(void)
3095 {
3096         free_opts(true);
3097         if (parent_ctx)
3098                 ubus_free(parent_ctx);
3099 
3100         exit(jail_return_code);
3101 }
3102 

This page was automatically generated by LXR 0.3.1.  •  OpenWrt