• source navigation  • diff markup  • identifier search  • freetext search  • 

Sources/procd/jail/jail.c

  1 /*
  2  * Copyright (C) 2015 John Crispin <blogic@openwrt.org>
  3  * Copyright (C) 2020 Daniel Golle <daniel@makrotopia.org>
  4  *
  5  * This program is free software; you can redistribute it and/or modify
  6  * it under the terms of the GNU Lesser General Public License version 2.1
  7  * as published by the Free Software Foundation
  8  *
  9  * This program is distributed in the hope that it will be useful,
 10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 12  * GNU General Public License for more details.
 13  */
 14 
 15 #define _GNU_SOURCE
 16 #include <sys/mount.h>
 17 #include <sys/prctl.h>
 18 #include <sys/wait.h>
 19 #include <sys/types.h>
 20 #include <sys/time.h>
 21 #include <sys/resource.h>
 22 #include <sys/stat.h>
 23 #include <sys/sysmacros.h>
 24 
 25 /* musl only defined 15 limit types, make sure all 16 are supported */
 26 #ifndef RLIMIT_RTTIME
 27 #define RLIMIT_RTTIME 15
 28 #undef RLIMIT_NLIMITS
 29 #define RLIMIT_NLIMITS 16
 30 #undef RLIM_NLIMITS
 31 #define RLIM_NLIMITS 16
 32 #endif
 33 
 34 #include <assert.h>
 35 #include <stdlib.h>
 36 #include <unistd.h>
 37 #include <errno.h>
 38 #include <pwd.h>
 39 #include <grp.h>
 40 #include <string.h>
 41 #include <fcntl.h>
 42 #include <sched.h>
 43 #include <linux/filter.h>
 44 #include <linux/limits.h>
 45 #include <linux/nsfs.h>
 46 #include <linux/securebits.h>
 47 #include <signal.h>
 48 #include <inttypes.h>
 49 
 50 #include "capabilities.h"
 51 #include "elf.h"
 52 #include "fs.h"
 53 #include "jail.h"
 54 #include "log.h"
 55 #include "seccomp-oci.h"
 56 #include "cgroups.h"
 57 #include "netifd.h"
 58 
 59 #include <libubox/blobmsg.h>
 60 #include <libubox/blobmsg_json.h>
 61 #include <libubox/list.h>
 62 #include <libubox/vlist.h>
 63 #include <libubox/uloop.h>
 64 #include <libubox/utils.h>
 65 #include <libubus.h>
 66 
 67 #ifndef CLONE_NEWCGROUP
 68 #define CLONE_NEWCGROUP 0x02000000
 69 #endif
 70 
 71 #define STACK_SIZE      (1024 * 1024)
 72 #define OPT_ARGS        "cC:d:e:EfFG:h:ij:J:ln:NoO:pP:r:R:sS:uU:w:t:T:y"
 73 
 74 #define OCI_VERSION_STRING "1.0.2"
 75 
 76 struct hook_execvpe {
 77         char *file;
 78         char **argv;
 79         char **envp;
 80         int timeout;
 81 };
 82 
 83 struct sysctl_val {
 84         char *entry;
 85         char *value;
 86 };
 87 
 88 struct mknod_args {
 89         char *path;
 90         mode_t mode;
 91         dev_t dev;
 92         uid_t uid;
 93         gid_t gid;
 94 };
 95 
 96 static struct {
 97         char *name;
 98         char *hostname;
 99         char **jail_argv;
100         char *cwd;
101         char *seccomp;
102         struct sock_fprog *ociseccomp;
103         char *capabilities;
104         struct jail_capset capset;
105         char *user;
106         char *group;
107         char *extroot;
108         char *overlaydir;
109         char *tmpoverlaysize;
110         char **envp;
111         char *uidmap;
112         char *gidmap;
113         char *pidfile;
114         struct sysctl_val **sysctl;
115         int no_new_privs;
116         int namespace;
117         struct {
118                 int pid;
119                 int net;
120                 int ns;
121                 int ipc;
122                 int uts;
123                 int user;
124                 int cgroup;
125 #ifdef CLONE_NEWTIME
126                 int time;
127 #endif
128         } setns;
129         int procfs;
130         int ronly;
131         int sysfs;
132         int console;
133         int pw_uid;
134         int pw_gid;
135         int gr_gid;
136         int root_map_uid;
137         gid_t *additional_gids;
138         size_t num_additional_gids;
139         mode_t umask;
140         bool set_umask;
141         int require_jail;
142         struct {
143                 struct hook_execvpe **createRuntime;
144                 struct hook_execvpe **createContainer;
145                 struct hook_execvpe **startContainer;
146                 struct hook_execvpe **poststart;
147                 struct hook_execvpe **poststop;
148         } hooks;
149         struct rlimit *rlimits[RLIM_NLIMITS];
150         int oom_score_adj;
151         bool set_oom_score_adj;
152         struct mknod_args **devices;
153         char *ocibundle;
154         bool immediately;
155         struct blob_attr *annotations;
156         int term_timeout;
157 } opts;
158 
159 static struct blob_buf ocibuf;
160 
161 extern int pivot_root(const char *new_root, const char *put_old);
162 
163 int debug = 0;
164 
165 static char child_stack[STACK_SIZE];
166 
167 static struct ubus_context *parent_ctx;
168 
169 int console_fd;
170 
171 
172 static inline bool has_namespaces(void)
173 {
174 return ((opts.setns.pid != -1) ||
175         (opts.setns.net != -1) ||
176         (opts.setns.ns != -1) ||
177         (opts.setns.ipc != -1) ||
178         (opts.setns.uts != -1) ||
179         (opts.setns.user != -1) ||
180         (opts.setns.cgroup != -1) ||
181 #ifdef CLONE_NEWTIME
182         (opts.setns.time != -1) ||
183 #endif
184         opts.namespace);
185 }
186 
187 static void free_oci_envp(char **p) {
188         char **tmp;
189 
190         if (p) {
191                 tmp = p;
192                 while (*tmp)
193                         free(*(tmp++));
194 
195                 free(p);
196         }
197 }
198 
199 static void free_hooklist(struct hook_execvpe **hooklist)
200 {
201         struct hook_execvpe *cur;
202 
203         if (!hooklist)
204                 return;
205 
206         cur = *hooklist;
207         while (cur) {
208                 free_oci_envp(cur->argv);
209                 free_oci_envp(cur->envp);
210                 free(cur->file);
211                 free(cur++);
212         }
213         free(hooklist);
214 }
215 
216 static void free_sysctl(void) {
217         struct sysctl_val *cur;
218         cur = *opts.sysctl;
219 
220         while (cur) {
221                 free(cur->entry);
222                 free(cur->value);
223                 free(cur++);
224         }
225         free(opts.sysctl);
226 }
227 
228 static void free_devices(void) {
229         struct mknod_args **cur;
230 
231         if (!opts.devices)
232                 return;
233 
234         cur = opts.devices;
235 
236         while (*cur) {
237                 free((*cur)->path);
238                 free(*(cur++));
239         }
240         free(opts.devices);
241 }
242 
243 static void free_rlimits(void) {
244         int type;
245 
246         for (type = 0; type < RLIM_NLIMITS; ++type)
247                 free(opts.rlimits[type]);
248 }
249 
250 static void free_opts(bool parent) {
251 
252         free_library_search();
253         mount_free();
254         cgroups_free();
255 
256         /* we need to keep argv, envp and seccomp filter in child */
257         if (parent) { /* parent-only */
258                 if (opts.ociseccomp) {
259                         free(opts.ociseccomp->filter);
260                         free(opts.ociseccomp);
261                 }
262 
263                 free_oci_envp(opts.jail_argv);
264                 free_oci_envp(opts.envp);
265         }
266 
267         free_rlimits();
268         free_sysctl();
269         free_devices();
270         free(opts.hostname);
271         free(opts.cwd);
272         free(opts.uidmap);
273         free(opts.gidmap);
274         free(opts.annotations);
275         free(opts.extroot);
276         free(opts.overlaydir);
277         free_hooklist(opts.hooks.createRuntime);
278         free_hooklist(opts.hooks.createContainer);
279         free_hooklist(opts.hooks.startContainer);
280         free_hooklist(opts.hooks.poststart);
281         free_hooklist(opts.hooks.poststop);
282 }
283 
284 static int mount_overlay(char *jail_root, char *overlaydir) {
285         char *upperdir, *workdir, *optsstr, *upperetc, *upperresolvconf;
286         const char mountoptsformat[] = "lowerdir=%s,upperdir=%s,workdir=%s";
287         int ret = -1, fd;
288 
289         if (asprintf(&upperdir, "%s%s", overlaydir, "/upper") < 0)
290                 goto out;
291 
292         if (asprintf(&workdir, "%s%s", overlaydir, "/work") < 0)
293                 goto upper_printf;
294 
295         if (asprintf(&optsstr, mountoptsformat, jail_root, upperdir, workdir) < 0)
296                 goto work_printf;
297 
298         if (mkdir_p(upperdir, 0755) || mkdir_p(workdir, 0755))
299                 goto opts_printf;
300 
301 /*
302  * make sure /etc/resolv.conf exists in overlay and is owned by jail userns root
303  * this is to work-around a bug in overlayfs described in the overlayfs-userns
304  * patch:
305  * 3. modification of a file 'hithere' which is in l but not yet
306  * in u, and which is not owned by T, is not allowed, even if
307  * writes to u are allowed.  This may be a bug in overlayfs,
308  * but it is safe behavior.
309  */
310         if (asprintf(&upperetc, "%s/etc", upperdir) < 0)
311                 goto opts_printf;
312 
313         if (mkdir_p(upperetc, 0755))
314                 goto upper_etc_printf;
315 
316         if (asprintf(&upperresolvconf, "%s/resolv.conf", upperetc) < 0)
317                 goto upper_etc_printf;
318 
319         fd = creat(upperresolvconf, 0644);
320         if (fd < 0) {
321                 if (errno != EEXIST)
322                         ERROR("creat(%s) failed: %m\n", upperresolvconf);
323         } else {
324                 close(fd);
325         }
326         DEBUG("mount -t overlay %s %s (%s)\n", jail_root, jail_root, optsstr);
327 
328         if (mount(jail_root, jail_root, "overlay", MS_NOATIME, optsstr))
329                 goto upper_resolvconf_printf;
330 
331         ret = 0;
332 
333 upper_resolvconf_printf:
334         free(upperresolvconf);
335 upper_etc_printf:
336         free(upperetc);
337 opts_printf:
338         free(optsstr);
339 work_printf:
340         free(workdir);
341 upper_printf:
342         free(upperdir);
343 out:
344         return ret;
345 }
346 
347 static void pass_console(int console_fd)
348 {
349         struct ubus_context *child_ctx = ubus_connect(NULL);
350         static struct blob_buf req;
351         uint32_t id;
352 
353         if (!child_ctx)
354                 return;
355 
356         blob_buf_init(&req, 0);
357         blobmsg_add_string(&req, "name", opts.name);
358 
359         if (ubus_lookup_id(child_ctx, "container", &id) ||
360             ubus_invoke_fd(child_ctx, id, "console_set", req.head, NULL, NULL, 3000, console_fd))
361                 INFO("ubus request failed\n");
362         else
363                 close(console_fd);
364 
365         blob_buf_free(&req);
366         ubus_free(child_ctx);
367 }
368 
369 static int create_dev_console(const char *jail_root)
370 {
371         char *console_fname;
372         char dev_console_path[PATH_MAX];
373         int slave_console_fd;
374 
375         /* Open UNIX/98 virtual console */
376         console_fd = posix_openpt(O_RDWR | O_NOCTTY);
377         if (console_fd < 0)
378                 return -1;
379 
380         console_fname = ptsname(console_fd);
381         DEBUG("got console fd %d and PTS client name %s\n", console_fd, console_fname);
382         if (!console_fname)
383                 goto no_console;
384 
385         grantpt(console_fd);
386         unlockpt(console_fd);
387 
388         /* pass PTY master to procd */
389         pass_console(console_fd);
390 
391         /* mount-bind PTY slave to /dev/console in jail */
392         snprintf(dev_console_path, sizeof(dev_console_path), "%s/dev/console", jail_root);
393         close(creat(dev_console_path, 0620));
394 
395         if (mount(console_fname, dev_console_path, "bind", MS_BIND, NULL))
396                 goto no_console;
397 
398         /* use PTY slave for stdio */
399         slave_console_fd = open(console_fname, O_RDWR); /* | O_NOCTTY */
400         if (slave_console_fd < 0)
401                 goto no_console;
402 
403         dup2(slave_console_fd, 0);
404         dup2(slave_console_fd, 1);
405         dup2(slave_console_fd, 2);
406         close(slave_console_fd);
407 
408         INFO("using guest console %s\n", console_fname);
409 
410         return 0;
411 
412 no_console:
413         close(console_fd);
414         return 1;
415 }
416 
417 static int hook_running = 0;
418 static int hook_return_code = 0;
419 static struct hook_execvpe **current_hook = NULL;
420 typedef void (*hook_return_handler)(void);
421 static hook_return_handler hook_return_cb = NULL;
422 
423 static void hook_process_timeout_cb(struct uloop_timeout *t);
424 static struct uloop_timeout hook_process_timeout = {
425         .cb = hook_process_timeout_cb,
426 };
427 
428 static void run_hooklist(void);
429 static void hook_process_handler(struct uloop_process *c, int ret)
430 {
431         uloop_timeout_cancel(&hook_process_timeout);
432 
433         if (WIFEXITED(ret)) {
434                 hook_return_code = WEXITSTATUS(ret);
435                 if (hook_return_code)
436                         ERROR("hook (%d) exited with exit: %d\n", c->pid, hook_return_code);
437                 else
438                         DEBUG("hook (%d) exited with exit: %d\n", c->pid, hook_return_code);
439 
440         } else {
441                 hook_return_code = WTERMSIG(ret);
442                 ERROR("hook (%d) exited with signal: %d\n", c->pid, hook_return_code);
443         }
444         hook_running = 0;
445         ++current_hook;
446         run_hooklist();
447 }
448 
449 static struct uloop_process hook_process = {
450         .cb = hook_process_handler,
451 };
452 
453 static void hook_process_timeout_cb(struct uloop_timeout *t)
454 {
455         DEBUG("hook process failed to stop, sending SIGKILL\n");
456         kill(hook_process.pid, SIGKILL);
457 }
458 
459 static void run_hooklist(void)
460 {
461         struct hook_execvpe *hook = *current_hook;
462         struct stat s;
463 
464         if (!hook)
465                 return hook_return_cb();
466 
467         DEBUG("executing hook %s\n", hook->file);
468 
469         if (stat(hook->file, &s))
470                 hook_process_handler(&hook_process, ENOENT);
471 
472         if (!((unsigned long)s.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
473                 hook_process_handler(&hook_process, EPERM);
474 
475         hook_running = 1;
476         hook_process.pid = fork();
477         if (hook_process.pid == 0) {
478                 /* child */
479                 execve(hook->file, hook->argv, hook->envp);
480                 ERROR("execve error %m\n");
481                 _exit(errno);
482         } else if (hook_process.pid < 0) {
483                 /* fork error */
484                 ERROR("hook fork error\n");
485                 hook_running = 0;
486                 hook_process_handler(&hook_process, errno);
487         }
488 
489         /* parent */
490         uloop_process_add(&hook_process);
491 
492         if (hook->timeout > 0)
493                 uloop_timeout_set(&hook_process_timeout, 1000 * hook->timeout);
494 
495         uloop_run();
496         if (hook_running) {
497                 DEBUG("uloop interrupted, killing jail process\n");
498                 kill(hook_process.pid, SIGTERM);
499                 uloop_timeout_set(&hook_process_timeout, 1000);
500                 uloop_run();
501         }
502 }
503 
504 static void run_hooks(struct hook_execvpe **hooklist, hook_return_handler return_cb)
505 {
506         if (!hooklist)
507                 return_cb();
508 
509         current_hook = hooklist;
510         hook_return_cb = return_cb;
511 
512         run_hooklist();
513 }
514 
515 static int apply_sysctl(const char *jail_root)
516 {
517         struct sysctl_val **cur;
518         char *procdir, *fname;
519         int f;
520 
521         if (!opts.sysctl)
522                 return 0;
523 
524         if (asprintf(&procdir, "%s/proc", jail_root) < 0)
525                 return ENOMEM;
526 
527         mkdir(procdir, 0700);
528         if (mount("proc", procdir, "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0))
529                 return EPERM;
530 
531         cur = opts.sysctl;
532 
533         while (*cur) {
534                 if (asprintf(&fname, "%s/sys/%s", procdir, (*cur)->entry) < 0)
535                         return ENOMEM;
536 
537                 DEBUG("sysctl: writing '%s' to %s\n", (*cur)->value, fname);
538 
539                 f = open(fname, O_WRONLY);
540                 if (f < 0) {
541                         ERROR("sysctl: can't open %s\n", fname);
542                         free(fname);
543                         return errno;
544                 }
545                 if (write(f, (*cur)->value, strlen((*cur)->value)) < 0) {
546                         ERROR("sysctl: write to %s\n", fname);
547                         free(fname);
548                         close(f);
549                         return errno;
550                 }
551 
552                 free(fname);
553                 close(f);
554                 ++cur;
555         }
556         umount(procdir);
557         rmdir(procdir);
558         free(procdir);
559 
560         return 0;
561 }
562 
563 /* glibc defines makedev calling a function. make sure it's a pure macro */
564 #if defined(__GLIBC__)
565 #undef makedev
566 /* from musl's sys/sysmacros.h */
567 #define makedev(x,y) ( \
568         (((x)&0xfffff000ULL) << 32) | \
569         (((x)&0x00000fffULL) << 8) | \
570         (((y)&0xffffff00ULL) << 12) | \
571         (((y)&0x000000ffULL)) )
572 #endif
573 
574 static struct mknod_args default_devices[] = {
575         { .path = "/dev/null", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 3) },
576         { .path = "/dev/zero", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 5) },
577         { .path = "/dev/full", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 7) },
578         { .path = "/dev/random", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 8) },
579         { .path = "/dev/urandom", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 9) },
580         { .path = "/dev/tty", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP), .dev = makedev(5, 0), .gid = 5 },
581         { 0 },
582 };
583 
584 static int create_devices(void)
585 {
586         struct mknod_args **cur, *curdef;
587         char *path, *tmp;
588 
589         if (!opts.devices)
590                 goto only_default_devices;
591 
592         cur = opts.devices;
593 
594         while (*cur) {
595                 path = (*cur)->path;
596                 /* don't allow devices outside of /dev */
597                 if (strncmp(path, "/dev", 4))
598                         return EPERM;
599 
600                 /* make sure parent folder exists */
601                 tmp = strrchr(path, '/');
602                 if (!tmp)
603                         return EINVAL;
604 
605                 *tmp = '\0';
606                 if (strcmp(path, "/dev")) {
607                         DEBUG("creating directory %s\n", path);
608 
609                         mkdir_p(path, 0755);
610                 }
611                 *tmp = '/';
612 
613                 DEBUG("creating %s (mode=%08o)\n", path, (*cur)->mode);
614 
615                 /* create device */
616                 if (mknod(path, (*cur)->mode, (*cur)->dev))
617                         return errno;
618 
619                 /* change owner, if needed */
620                 if (((*cur)->uid || (*cur)->gid) &&
621                     chown(path, (*cur)->uid, (*cur)->gid))
622                         return errno;
623 
624                 ++cur;
625         }
626 
627 only_default_devices:
628         curdef = default_devices;
629         while(curdef->path) {
630                 DEBUG("creating %s (mode=%08o)\n", curdef->path, curdef->mode);
631                 if (mknod(curdef->path, curdef->mode, curdef->dev)) {
632                         ++curdef;
633                         continue; /* may already exist, eg. due to a bind-mount */
634                 }
635                 if ((curdef->uid || curdef->gid) &&
636                     chown(curdef->path, curdef->uid, curdef->gid))
637                         return errno;
638 
639                 ++curdef;
640         }
641 
642         /* Dev symbolic links as defined in OCI spec */
643         (void) symlink("/dev/pts/ptmx", "/dev/ptmx");
644         (void) symlink("/proc/self/fd", "/dev/fd");
645         (void) symlink("/proc/self/fd/0", "/dev/stdin");
646         (void) symlink("/proc/self/fd/1", "/dev/stdout");
647         (void) symlink("/proc/self/fd/2", "/dev/stderr");
648 
649         return 0;
650 }
651 
652 static char jail_root[] = "/tmp/ujail-XXXXXX";
653 static char tmpovdir[] = "/tmp/ujail-overlay-XXXXXX";
654 static mode_t old_umask;
655 static void enter_jail_fs(void);
656 static int build_jail_fs(void)
657 {
658         char *overlaydir = NULL;
659         int ret;
660 
661         old_umask = umask(0);
662 
663         if (mkdtemp(jail_root) == NULL) {
664                 ERROR("mkdtemp(%s) failed: %m\n", jail_root);
665                 return -1;
666         }
667 
668         if (apply_sysctl(jail_root)) {
669                 ERROR("failed to apply sysctl values\n");
670                 return -1;
671         }
672 
673         /* oldroot can't be MS_SHARED else pivot_root() fails */
674         if (mount("none", "/", "none", MS_REC|MS_PRIVATE, NULL)) {
675                 ERROR("private mount failed %m\n");
676                 return -1;
677         }
678 
679         if (opts.extroot) {
680                 if (mount(opts.extroot, jail_root, "bind", MS_BIND, NULL)) {
681                         ERROR("extroot mount failed %m\n");
682                         return -1;
683                 }
684         } else {
685                 if (mount("tmpfs", jail_root, "tmpfs", MS_NOATIME, "mode=0755")) {
686                         ERROR("tmpfs mount failed %m\n");
687                         return -1;
688                 }
689         }
690 
691         if (opts.tmpoverlaysize) {
692                 char mountoptsstr[] = "mode=0755,size=XXXXXXXX";
693 
694                 snprintf(mountoptsstr, sizeof(mountoptsstr),
695                          "mode=0755,size=%s", opts.tmpoverlaysize);
696                 if (mkdtemp(tmpovdir) == NULL) {
697                         ERROR("mkdtemp(%s) failed: %m\n", jail_root);
698                         return -1;
699                 }
700                 if (mount("tmpfs", tmpovdir, "tmpfs", MS_NOATIME,
701                           mountoptsstr)) {
702                         ERROR("failed to mount tmpfs for overlay (size=%s)\n", opts.tmpoverlaysize);
703                         return -1;
704                 }
705                 overlaydir = tmpovdir;
706         }
707 
708         if (opts.overlaydir)
709                 overlaydir = opts.overlaydir;
710 
711         if (overlaydir) {
712                 ret = mount_overlay(jail_root, overlaydir);
713                 if (ret)
714                         return ret;
715         }
716 
717         if (chdir(jail_root)) {
718                 ERROR("chdir(%s) (jail_root) failed: %m\n", jail_root);
719                 return -1;
720         }
721 
722         if (mount_all(jail_root)) {
723                 ERROR("mount_all() failed\n");
724                 return -1;
725         }
726 
727         if (opts.console)
728                 create_dev_console(jail_root);
729 
730         /* make sure /etc/resolv.conf exists if in new network namespace */
731         if (opts.namespace & CLONE_NEWNET) {
732                 char jailetc[PATH_MAX], jaillink[PATH_MAX];
733 
734                 snprintf(jailetc, PATH_MAX, "%s/etc", jail_root);
735                 mkdir_p(jailetc, 0755);
736                 snprintf(jaillink, PATH_MAX, "%s/etc/resolv.conf", jail_root);
737                 if (overlaydir)
738                         unlink(jaillink);
739 
740                 (void) symlink("../dev/resolv.conf.d/resolv.conf.auto", jaillink);
741         }
742 
743         run_hooks(opts.hooks.createContainer, enter_jail_fs);
744 
745         return 0;
746 }
747 
748 static bool exit_from_child;
749 static void free_and_exit(int ret)
750 {
751         if (!exit_from_child && opts.ocibundle)
752                 cgroups_free();
753 
754         if (!exit_from_child && parent_ctx)
755                 ubus_free(parent_ctx);
756 
757         free_opts(!exit_from_child);
758 
759         exit(ret);
760 }
761 
762 static void post_jail_fs(void);
763 static void enter_jail_fs(void)
764 {
765         char dirbuf[sizeof(jail_root) + 4];
766 
767         snprintf(dirbuf, sizeof(dirbuf), "%s/old", jail_root);
768         mkdir(dirbuf, 0755);
769 
770         if (pivot_root(jail_root, dirbuf) == -1) {
771                 ERROR("pivot_root(%s, %s) failed: %m\n", jail_root, dirbuf);
772                 free_and_exit(-1);
773         }
774         if (chdir("/")) {
775                 ERROR("chdir(/) (after pivot_root) failed: %m\n");
776                 free_and_exit(-1);
777         }
778 
779         snprintf(dirbuf, sizeof(dirbuf), "/old%s", jail_root);
780         umount2(dirbuf, MNT_DETACH);
781         rmdir(dirbuf);
782         if (opts.tmpoverlaysize) {
783                 char tmpdirbuf[sizeof(tmpovdir) + 4];
784                 snprintf(tmpdirbuf, sizeof(tmpdirbuf), "/old%s", tmpovdir);
785                 umount2(tmpdirbuf, MNT_DETACH);
786                 rmdir(tmpdirbuf);
787         }
788 
789         umount2("/old", MNT_DETACH);
790         rmdir("/old");
791 
792         if (create_devices()) {
793                 ERROR("create_devices() failed\n");
794                 free_and_exit(-1);
795         }
796         if (opts.ronly)
797                 mount(NULL, "/", "bind", MS_REMOUNT | MS_BIND | MS_RDONLY, 0);
798 
799         umask(old_umask);
800         post_jail_fs();
801 }
802 
803 static int write_uid_gid_map(pid_t child_pid, bool gidmap, char *mapstr)
804 {
805         int map_file;
806         char map_path[64];
807 
808         if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s",
809                 child_pid, gidmap?"gid_map":"uid_map") < 0)
810                 return -1;
811 
812         if ((map_file = open(map_path, O_WRONLY)) < 0)
813                 return -1;
814 
815         if (dprintf(map_file, "%s", mapstr)) {
816                 close(map_file);
817                 return -1;
818         }
819 
820         close(map_file);
821         return 0;
822 }
823 
824 static int write_single_uid_gid_map(pid_t child_pid, bool gidmap, int id)
825 {
826         int map_file;
827         char map_path[64];
828         const char *map_format = "%d %d %d\n";
829         if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s",
830                 child_pid, gidmap?"gid_map":"uid_map") < 0)
831                 return -1;
832 
833         if ((map_file = open(map_path, O_WRONLY)) < 0)
834                 return -1;
835 
836         if (dprintf(map_file, map_format, 0, id, 1) < 0) {
837                 close(map_file);
838                 return -1;
839         }
840 
841         close(map_file);
842         return 0;
843 }
844 
845 static int write_setgroups(pid_t child_pid, bool allow)
846 {
847         int setgroups_file;
848         char setgroups_path[64];
849 
850         if (snprintf(setgroups_path, sizeof(setgroups_path), "/proc/%d/setgroups",
851                 child_pid) < 0) {
852                 return -1;
853         }
854 
855         if ((setgroups_file = open(setgroups_path, O_WRONLY)) < 0) {
856                 return -1;
857         }
858 
859         if (dprintf(setgroups_file, "%s", allow?"allow":"deny") == -1) {
860                 close(setgroups_file);
861                 return -1;
862         }
863 
864         close(setgroups_file);
865         return 0;
866 }
867 
868 static void get_jail_user(int *user, int *user_gid, int *gr_gid)
869 {
870         struct passwd *p = NULL;
871         struct group *g = NULL;
872 
873         if (opts.user) {
874                 p = getpwnam(opts.user);
875                 if (!p) {
876                         ERROR("failed to get uid/gid for user %s: %d (%s)\n",
877                               opts.user, errno, strerror(errno));
878                         free_and_exit(EXIT_FAILURE);
879                 }
880                 *user = p->pw_uid;
881                 *user_gid = p->pw_gid;
882         } else {
883                 *user = -1;
884                 *user_gid = -1;
885         }
886 
887         if (opts.group) {
888                 g = getgrnam(opts.group);
889                 if (!g) {
890                         ERROR("failed to get gid for group %s: %m\n", opts.group);
891                         free_and_exit(EXIT_FAILURE);
892                 }
893                 *gr_gid = g->gr_gid;
894         } else {
895                 *gr_gid = -1;
896         }
897 };
898 
899 static void set_jail_user(int pw_uid, int user_gid, int gr_gid)
900 {
901         if (opts.user && (user_gid != -1) && initgroups(opts.user, user_gid)) {
902                 ERROR("failed to initgroups() for user %s: %m\n", opts.user);
903                 free_and_exit(EXIT_FAILURE);
904         }
905 
906         if ((gr_gid != -1) && setregid(gr_gid, gr_gid)) {
907                 ERROR("failed to set group id %d: %m\n", gr_gid);
908                 free_and_exit(EXIT_FAILURE);
909         }
910 
911         if ((pw_uid != -1) && setreuid(pw_uid, pw_uid)) {
912                 ERROR("failed to set user id %d: %m\n", pw_uid);
913                 free_and_exit(EXIT_FAILURE);
914         }
915 }
916 
917 static int apply_rlimits(void)
918 {
919         int resource;
920 
921         for (resource = 0; resource < RLIM_NLIMITS; ++resource) {
922                 if (opts.rlimits[resource])
923                         DEBUG("applying limits to resource %u\n", resource);
924 
925                 if (opts.rlimits[resource] &&
926                     setrlimit(resource, opts.rlimits[resource]))
927                         return errno;
928         }
929 
930         return 0;
931 }
932 
933 #define MAX_ENVP        64
934 static char** build_envp(const char *seccomp, char **ocienvp)
935 {
936         static char *envp[MAX_ENVP];
937         static char preload_var[PATH_MAX];
938         static char seccomp_var[PATH_MAX];
939         static char seccomp_debug_var[20];
940         static char debug_var[] = "LD_DEBUG=all";
941         static char container_var[] = "container=ujail";
942         const char *preload_lib = find_lib("libpreload-seccomp.so");
943         char **addenv;
944 
945         int count = 0;
946 
947         if (seccomp && !preload_lib) {
948                 ERROR("failed to add preload-lib to env\n");
949                 return NULL;
950         }
951         if (seccomp) {
952                 snprintf(seccomp_var, sizeof(seccomp_var), "SECCOMP_FILE=%s", seccomp);
953                 envp[count++] = seccomp_var;
954                 snprintf(seccomp_debug_var, sizeof(seccomp_debug_var), "SECCOMP_DEBUG=%2d", debug);
955                 envp[count++] = seccomp_debug_var;
956                 snprintf(preload_var, sizeof(preload_var), "LD_PRELOAD=%s", preload_lib);
957                 envp[count++] = preload_var;
958         }
959 
960         envp[count++] = container_var;
961 
962         if (debug > 1)
963                 envp[count++] = debug_var;
964 
965         addenv = ocienvp;
966         while (addenv && *addenv) {
967                 envp[count++] = *(addenv++);
968                 if (count >= MAX_ENVP) {
969                         ERROR("environment limited to %d extra records, truncating\n", MAX_ENVP);
970                         break;
971                 }
972         }
973         return envp;
974 }
975 
976 static void usage(void)
977 {
978         fprintf(stderr, "ujail <options> -- <binary> <params ...>\n");
979         fprintf(stderr, "  -d <num>\tshow debug log (increase num to increase verbosity)\n");
980         fprintf(stderr, "  -S <file>\tseccomp filter config\n");
981         fprintf(stderr, "  -C <file>\tcapabilities drop config\n");
982         fprintf(stderr, "  -c\t\tset PR_SET_NO_NEW_PRIVS\n");
983         fprintf(stderr, "  -n <name>\tthe name of the jail\n");
984         fprintf(stderr, "  -e <var>\timport environment variable\n");
985         fprintf(stderr, "namespace jail options:\n");
986         fprintf(stderr, "  -h <hostname>\tchange the hostname of the jail\n");
987         fprintf(stderr, "  -N\t\tjail has network namespace\n");
988         fprintf(stderr, "  -f\t\tjail has user namespace\n");
989         fprintf(stderr, "  -F\t\tjail has cgroups namespace\n");
990         fprintf(stderr, "  -r <file>\treadonly files that should be staged\n");
991         fprintf(stderr, "  -w <file>\twriteable files that should be staged\n");
992         fprintf(stderr, "  -p\t\tjail has /proc\n");
993         fprintf(stderr, "  -s\t\tjail has /sys\n");
994         fprintf(stderr, "  -l\t\tjail has /dev/log\n");
995         fprintf(stderr, "  -u\t\tjail has a ubus socket\n");
996         fprintf(stderr, "  -U <name>\tuser to run jailed process\n");
997         fprintf(stderr, "  -G <name>\tgroup to run jailed process\n");
998         fprintf(stderr, "  -o\t\tremont jail root (/) read only\n");
999         fprintf(stderr, "  -R <dir>\texternal jail rootfs (system container)\n");
1000         fprintf(stderr, "  -O <dir>\tdirectory for r/w overlayfs\n");
1001         fprintf(stderr, "  -T <size>\tuse tmpfs r/w overlayfs with <size>\n");
1002         fprintf(stderr, "  -E\t\tfail if jail cannot be setup\n");
1003         fprintf(stderr, "  -y\t\tprovide jail console\n");
1004         fprintf(stderr, "  -J <dir>\tcreate container from OCI bundle\n");
1005         fprintf(stderr, "  -i\t\tstart container immediately\n");
1006         fprintf(stderr, "  -P <pidfile>\tcreate <pidfile>\n");
1007         fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\
1008 and he has the same powers as root outside the jail,\n\
1009 thus he can escape the jail and/or break stuff.\n\
1010 Please use seccomp/capabilities (-S/-C) to restrict his powers\n\n\
1011 If you use none of the namespace jail options,\n\
1012 ujail will not use namespace/build a jail,\n\
1013 and will only drop capabilities/apply seccomp filter.\n\n");
1014 }
1015 
1016 static int* get_namespace_fd(const unsigned int nstype)
1017 {
1018         switch (nstype) {
1019                 case CLONE_NEWPID:
1020                         return &opts.setns.pid;
1021                 case CLONE_NEWNET:
1022                         return &opts.setns.net;
1023                 case CLONE_NEWNS:
1024                         return &opts.setns.ns;
1025                 case CLONE_NEWIPC:
1026                         return &opts.setns.ipc;
1027                 case CLONE_NEWUTS:
1028                         return &opts.setns.uts;
1029                 case CLONE_NEWUSER:
1030                         return &opts.setns.user;
1031                 case CLONE_NEWCGROUP:
1032                         return &opts.setns.cgroup;
1033 #ifdef CLONE_NEWTIME
1034                 case CLONE_NEWTIME:
1035                         return &opts.setns.time;
1036 #endif
1037                 default:
1038                         return NULL;
1039         }
1040 }
1041 
1042 static int setns_open(unsigned long nstype)
1043 {
1044         int *fd = get_namespace_fd(nstype);
1045 
1046         assert(fd != NULL);
1047 
1048         if (*fd < 0)
1049                 return 0;
1050 
1051         if (setns(*fd, nstype) == -1) {
1052                 close(*fd);
1053                 return errno;
1054         }
1055 
1056         close(*fd);
1057         return 0;
1058 }
1059 
1060 static int jail_running = 0;
1061 static int jail_return_code = 0;
1062 
1063 static void jail_process_timeout_cb(struct uloop_timeout *t);
1064 static struct uloop_timeout jail_process_timeout = {
1065         .cb = jail_process_timeout_cb,
1066 };
1067 static void poststop(void);
1068 static void jail_process_handler(struct uloop_process *c, int ret)
1069 {
1070         uloop_timeout_cancel(&jail_process_timeout);
1071         if (WIFEXITED(ret)) {
1072                 jail_return_code = WEXITSTATUS(ret);
1073                 INFO("jail (%d) exited with exit: %d\n", c->pid, jail_return_code);
1074         } else {
1075                 jail_return_code = WTERMSIG(ret);
1076                 INFO("jail (%d) exited with signal: %d\n", c->pid, jail_return_code);
1077         }
1078         jail_running = 0;
1079         poststop();
1080 }
1081 
1082 static struct uloop_process jail_process = {
1083         .cb = jail_process_handler,
1084 };
1085 
1086 static void jail_process_timeout_cb(struct uloop_timeout *t)
1087 {
1088         DEBUG("jail process failed to stop, sending SIGKILL\n");
1089         kill(jail_process.pid, SIGKILL);
1090 }
1091 
1092 static void jail_handle_signal(int signo)
1093 {
1094         if (hook_running) {
1095                 DEBUG("forwarding signal %d to the hook process\n", signo);
1096                 kill(hook_process.pid, signo);
1097                 /* set timeout to send SIGKILL hook process in case SIGTERM doesn't succeed */
1098                 if (signo == SIGTERM)
1099                         uloop_timeout_set(&hook_process_timeout, opts.term_timeout * 1000);
1100         }
1101 
1102         if (jail_running) {
1103                 DEBUG("forwarding signal %d to the jailed process\n", signo);
1104                 kill(jail_process.pid, signo);
1105                 /* set timeout to send SIGKILL jail process in case SIGTERM doesn't succeed */
1106                 if (signo == SIGTERM)
1107                         uloop_timeout_set(&jail_process_timeout, opts.term_timeout * 1000);
1108         }
1109 }
1110 
1111 static void signals_init(void)
1112 {
1113         int i;
1114         sigset_t sigmask;
1115 
1116         sigfillset(&sigmask);
1117         for (i = 0; i < _NSIG; i++) {
1118                 struct sigaction s = { 0 };
1119 
1120                 if (!sigismember(&sigmask, i))
1121                         continue;
1122                 if ((i == SIGCHLD) || (i == SIGPIPE) || (i == SIGSEGV) || (i == SIGSTOP) || (i == SIGKILL))
1123                         continue;
1124 
1125                 s.sa_handler = jail_handle_signal;
1126                 sigaction(i, &s, NULL);
1127         }
1128 }
1129 
1130 static void pre_exec_jail(struct uloop_timeout *t);
1131 static struct uloop_timeout pre_exec_timeout = {
1132         .cb = pre_exec_jail,
1133 };
1134 
1135 int pipes[4];
1136 static int exec_jail(void *arg)
1137 {
1138         char buf[1];
1139 
1140         exit_from_child = true;
1141         prctl(PR_SET_SECUREBITS, 0);
1142 
1143         uloop_init();
1144         signals_init();
1145 
1146         close(pipes[0]);
1147         close(pipes[3]);
1148 
1149         setns_open(CLONE_NEWUSER);
1150         setns_open(CLONE_NEWNET);
1151         setns_open(CLONE_NEWNS);
1152         setns_open(CLONE_NEWIPC);
1153         setns_open(CLONE_NEWUTS);
1154 
1155         buf[0] = 'i';
1156         if (write(pipes[1], buf, 1) < 1) {
1157                 ERROR("can't write to parent\n");
1158                 return EXIT_FAILURE;
1159         }
1160         close(pipes[1]);
1161         if (read(pipes[2], buf, 1) < 1) {
1162                 ERROR("can't read from parent\n");
1163                 return EXIT_FAILURE;
1164         }
1165         if (buf[0] != 'O') {
1166                 ERROR("parent had an error, child exiting\n");
1167                 return EXIT_FAILURE;
1168         }
1169 
1170         if (opts.namespace & CLONE_NEWCGROUP)
1171                 unshare(CLONE_NEWCGROUP);
1172 
1173         setns_open(CLONE_NEWCGROUP);
1174 
1175         if ((opts.namespace & CLONE_NEWUSER) || (opts.setns.user != -1)) {
1176                 if (setregid(0, 0) < 0) {
1177                         ERROR("setgid\n");
1178                         free_and_exit(EXIT_FAILURE);
1179                 }
1180                 if (setreuid(0, 0) < 0) {
1181                         ERROR("setuid\n");
1182                         free_and_exit(EXIT_FAILURE);
1183                 }
1184                 if (setgroups(0, NULL) < 0) {
1185                         ERROR("setgroups\n");
1186                         free_and_exit(EXIT_FAILURE);
1187                 }
1188         }
1189 
1190         if (opts.namespace && opts.hostname && strlen(opts.hostname) > 0
1191                         && sethostname(opts.hostname, strlen(opts.hostname))) {
1192                 ERROR("sethostname(%s) failed: %m\n", opts.hostname);
1193                 free_and_exit(EXIT_FAILURE);
1194         }
1195 
1196         uloop_timeout_add(&pre_exec_timeout);
1197         uloop_run();
1198 
1199         free_and_exit(-1);
1200         return -1;
1201 }
1202 
1203 static void pre_exec_jail(struct uloop_timeout *t)
1204 {
1205         if ((opts.namespace & CLONE_NEWNS) && build_jail_fs()) {
1206                 ERROR("failed to build jail fs\n");
1207                 free_and_exit(EXIT_FAILURE);
1208         } else {
1209                 run_hooks(opts.hooks.createContainer, post_jail_fs);
1210         }
1211 }
1212 
1213 static void post_start_hook(void);
1214 static void post_jail_fs(void)
1215 {
1216         char buf[1];
1217 
1218         if (read(pipes[2], buf, 1) < 1) {
1219                 ERROR("can't read from parent\n");
1220                 free_and_exit(EXIT_FAILURE);
1221         }
1222         if (buf[0] != '!') {
1223                 ERROR("parent had an error, child exiting\n");
1224                 free_and_exit(EXIT_FAILURE);
1225         }
1226         close(pipes[2]);
1227 
1228         run_hooks(opts.hooks.startContainer, post_start_hook);
1229 }
1230 
1231 static void post_start_hook(void)
1232 {
1233         int pw_uid, pw_gid, gr_gid;
1234 
1235         /*
1236          * make sure setuid/setgid won't drop capabilities in case capabilities
1237          * have been specified explicitely.
1238          */
1239         if (opts.capset.apply) {
1240                 if (prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP)) {
1241                         ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n");
1242                         free_and_exit(EXIT_FAILURE);
1243                 }
1244         }
1245 
1246         /* drop capabilities, retain those still needed to further setup jail */
1247         if (applyOCIcapabilities(opts.capset, (1LLU << CAP_SETGID) | (1LLU << CAP_SETUID) | (1LLU << CAP_SETPCAP)))
1248                 free_and_exit(EXIT_FAILURE);
1249 
1250         /* use either cmdline-supplied user/group or uid/gid from OCI spec */
1251         get_jail_user(&pw_uid, &pw_gid, &gr_gid);
1252         set_jail_user(opts.pw_uid?:pw_uid, opts.pw_gid?:pw_gid, opts.gr_gid?:gr_gid);
1253 
1254         if (opts.additional_gids &&
1255             (setgroups(opts.num_additional_gids, opts.additional_gids) < 0)) {
1256                 ERROR("setgroups failed: %m\n");
1257                 free_and_exit(EXIT_FAILURE);
1258         }
1259 
1260         if (opts.set_umask)
1261                 umask(opts.umask);
1262 
1263         /* restore securebits back to normal (and lock them if not in userns) */
1264         if (opts.capset.apply) {
1265                 if (prctl(PR_SET_SECUREBITS, (opts.namespace & CLONE_NEWUSER)?0:
1266                     SECBIT_KEEP_CAPS_LOCKED|SECBIT_NO_SETUID_FIXUP_LOCKED|SECBIT_NOROOT_LOCKED)) {
1267                         ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n");
1268                         free_and_exit(EXIT_FAILURE);
1269                 }
1270         }
1271 
1272         /* drop remaining capabilities to end up with specified sets */
1273         if (applyOCIcapabilities(opts.capset, 0))
1274                 free_and_exit(EXIT_FAILURE);
1275 
1276         if (opts.no_new_privs && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
1277                 ERROR("prctl(PR_SET_NO_NEW_PRIVS) failed: %m\n");
1278                 free_and_exit(EXIT_FAILURE);
1279         }
1280 
1281         char **envp = build_envp(opts.seccomp, opts.envp);
1282         if (!envp)
1283                 free_and_exit(EXIT_FAILURE);
1284 
1285         if (opts.cwd && chdir(opts.cwd))
1286                 free_and_exit(EXIT_FAILURE);
1287 
1288         if (opts.ociseccomp && applyOCIlinuxseccomp(opts.ociseccomp))
1289                 free_and_exit(EXIT_FAILURE);
1290 
1291         uloop_end();
1292         free_opts(false);
1293         INFO("exec-ing %s\n", *opts.jail_argv);
1294         if (opts.envp) /* respect PATH if potentially set in ENV */
1295                 execvpe(*opts.jail_argv, opts.jail_argv, envp);
1296         else
1297                 execve(*opts.jail_argv, opts.jail_argv, envp);
1298 
1299         /* we get there only if execve fails */
1300         ERROR("failed to execve %s: %m\n", *opts.jail_argv);
1301         exit(EXIT_FAILURE);
1302 }
1303 
1304 int ns_open_pid(const char *nstype, const pid_t target_ns)
1305 {
1306         char pid_pid_path[PATH_MAX];
1307 
1308         snprintf(pid_pid_path, sizeof(pid_pid_path), "/proc/%u/ns/%s", target_ns, nstype);
1309 
1310         return open(pid_pid_path, O_RDONLY);
1311 }
1312 
1313 static int parseOCIenvarray(struct blob_attr *msg, char ***envp)
1314 {
1315         struct blob_attr *cur;
1316         int sz = 0, rem;
1317 
1318         blobmsg_for_each_attr(cur, msg, rem)
1319                 ++sz;
1320 
1321         if (sz > 0) {
1322                 *envp = calloc(1 + sz, sizeof(char*));
1323                 if (!(*envp))
1324                         return ENOMEM;
1325         } else {
1326                 *envp = NULL;
1327                 return 0;
1328         }
1329 
1330         sz = 0;
1331         blobmsg_for_each_attr(cur, msg, rem)
1332                 (*envp)[sz++] = strdup(blobmsg_get_string(cur));
1333 
1334         if (sz)
1335                 (*envp)[sz] = NULL;
1336 
1337         return 0;
1338 }
1339 
1340 enum {
1341         OCI_ROOT_PATH,
1342         OCI_ROOT_READONLY,
1343         __OCI_ROOT_MAX,
1344 };
1345 
1346 static const struct blobmsg_policy oci_root_policy[] = {
1347         [OCI_ROOT_PATH] = { "path", BLOBMSG_TYPE_STRING },
1348         [OCI_ROOT_READONLY] = { "readonly", BLOBMSG_TYPE_BOOL },
1349 };
1350 
1351 static int parseOCIroot(const char *jsonfile, struct blob_attr *msg)
1352 {
1353         char extroot[PATH_MAX] = { 0 };
1354         struct blob_attr *tb[__OCI_ROOT_MAX];
1355         char *cur;
1356         char *root_path;
1357 
1358         blobmsg_parse(oci_root_policy, __OCI_ROOT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1359 
1360         if (!tb[OCI_ROOT_PATH])
1361                 return ENODATA;
1362 
1363         root_path = blobmsg_get_string(tb[OCI_ROOT_PATH]);
1364 
1365         /* prepend bundle directory in case of relative paths */
1366         if (root_path[0] != '/') {
1367                 strncpy(extroot, jsonfile, PATH_MAX - 1);
1368 
1369                 cur = strrchr(extroot, '/');
1370 
1371                 if (!cur)
1372                         return ENOTDIR;
1373 
1374                 *(++cur) = '\0';
1375         }
1376 
1377         strncat(extroot, root_path, PATH_MAX - (strlen(extroot) + 1));
1378 
1379         /* follow symbolic link(s) */
1380         opts.extroot = realpath(extroot, NULL);
1381         if (!opts.extroot)
1382                 return errno;
1383 
1384         if (tb[OCI_ROOT_READONLY])
1385                 opts.ronly = blobmsg_get_bool(tb[OCI_ROOT_READONLY]);
1386 
1387         return 0;
1388 }
1389 
1390 
1391 enum {
1392         OCI_HOOK_PATH,
1393         OCI_HOOK_ARGS,
1394         OCI_HOOK_ENV,
1395         OCI_HOOK_TIMEOUT,
1396         __OCI_HOOK_MAX,
1397 };
1398 
1399 static const struct blobmsg_policy oci_hook_policy[] = {
1400         [OCI_HOOK_PATH] = { "path", BLOBMSG_TYPE_STRING },
1401         [OCI_HOOK_ARGS] = { "args", BLOBMSG_TYPE_ARRAY },
1402         [OCI_HOOK_ENV] = { "env", BLOBMSG_TYPE_ARRAY },
1403         [OCI_HOOK_TIMEOUT] = { "timeout", BLOBMSG_TYPE_INT32 },
1404 };
1405 
1406 
1407 static int parseOCIhook(struct hook_execvpe ***hooklist, struct blob_attr *msg)
1408 {
1409         struct blob_attr *tb[__OCI_HOOK_MAX];
1410         struct blob_attr *cur;
1411         int rem, ret = 0;
1412         int idx = 0;
1413 
1414         blobmsg_for_each_attr(cur, msg, rem)
1415                 ++idx;
1416 
1417         if (!idx)
1418                 return 0;
1419 
1420         *hooklist = calloc(idx + 1, sizeof(struct hook_execvpe *));
1421         idx = 0;
1422 
1423         if (!(*hooklist))
1424                 return ENOMEM;
1425 
1426         blobmsg_for_each_attr(cur, msg, rem) {
1427                 blobmsg_parse(oci_hook_policy, __OCI_HOOK_MAX, tb, blobmsg_data(cur), blobmsg_len(cur));
1428 
1429                 if (!tb[OCI_HOOK_PATH]) {
1430                         ret = EINVAL;
1431                         goto errout;
1432                 }
1433 
1434                 (*hooklist)[idx] = calloc(1, sizeof(struct hook_execvpe));
1435                 if (tb[OCI_HOOK_ARGS]) {
1436                         ret = parseOCIenvarray(tb[OCI_HOOK_ARGS], &((*hooklist)[idx]->argv));
1437                         if (ret)
1438                                 goto errout;
1439                 } else {
1440                         (*hooklist)[idx]->argv = calloc(2, sizeof(char *));
1441                         ((*hooklist)[idx]->argv)[0] = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH]));
1442                         ((*hooklist)[idx]->argv)[1] = NULL;
1443                 };
1444 
1445 
1446                 if (tb[OCI_HOOK_ENV]) {
1447                         ret = parseOCIenvarray(tb[OCI_HOOK_ENV], &((*hooklist)[idx]->envp));
1448                         if (ret)
1449                                 goto errout;
1450                 }
1451 
1452                 if (tb[OCI_HOOK_TIMEOUT])
1453                         (*hooklist)[idx]->timeout = blobmsg_get_u32(tb[OCI_HOOK_TIMEOUT]);
1454 
1455                 (*hooklist)[idx]->file = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH]));
1456 
1457                 ++idx;
1458         }
1459 
1460         (*hooklist)[idx] = NULL;
1461 
1462         DEBUG("added %d hooks\n", idx);
1463 
1464         return 0;
1465 
1466 errout:
1467         free_hooklist(*hooklist);
1468         *hooklist = NULL;
1469 
1470         return ret;
1471 };
1472 
1473 
1474 enum {
1475         OCI_HOOKS_PRESTART,
1476         OCI_HOOKS_CREATERUNTIME,
1477         OCI_HOOKS_CREATECONTAINER,
1478         OCI_HOOKS_STARTCONTAINER,
1479         OCI_HOOKS_POSTSTART,
1480         OCI_HOOKS_POSTSTOP,
1481         __OCI_HOOKS_MAX,
1482 };
1483 
1484 static const struct blobmsg_policy oci_hooks_policy[] = {
1485         [OCI_HOOKS_PRESTART] = { "prestart", BLOBMSG_TYPE_ARRAY },
1486         [OCI_HOOKS_CREATERUNTIME] = { "createRuntime", BLOBMSG_TYPE_ARRAY },
1487         [OCI_HOOKS_CREATECONTAINER] = { "createContainer", BLOBMSG_TYPE_ARRAY },
1488         [OCI_HOOKS_STARTCONTAINER] = { "startContainer", BLOBMSG_TYPE_ARRAY },
1489         [OCI_HOOKS_POSTSTART] = { "poststart", BLOBMSG_TYPE_ARRAY },
1490         [OCI_HOOKS_POSTSTOP] = { "poststop", BLOBMSG_TYPE_ARRAY },
1491 };
1492 
1493 static int parseOCIhooks(struct blob_attr *msg)
1494 {
1495         struct blob_attr *tb[__OCI_HOOKS_MAX];
1496         int ret;
1497 
1498         blobmsg_parse(oci_hooks_policy, __OCI_HOOKS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1499 
1500         if (tb[OCI_HOOKS_PRESTART])
1501                 INFO("warning: ignoring deprecated prestart hook\n");
1502 
1503         if (tb[OCI_HOOKS_CREATERUNTIME]) {
1504                 ret = parseOCIhook(&opts.hooks.createRuntime, tb[OCI_HOOKS_CREATERUNTIME]);
1505                 if (ret)
1506                         return ret;
1507         }
1508 
1509         if (tb[OCI_HOOKS_CREATECONTAINER]) {
1510                 ret = parseOCIhook(&opts.hooks.createContainer, tb[OCI_HOOKS_CREATECONTAINER]);
1511                 if (ret)
1512                         goto out_createruntime;
1513         }
1514 
1515         if (tb[OCI_HOOKS_STARTCONTAINER]) {
1516                 ret = parseOCIhook(&opts.hooks.startContainer, tb[OCI_HOOKS_STARTCONTAINER]);
1517                 if (ret)
1518                         goto out_createcontainer;
1519         }
1520 
1521         if (tb[OCI_HOOKS_POSTSTART]) {
1522                 ret = parseOCIhook(&opts.hooks.poststart, tb[OCI_HOOKS_POSTSTART]);
1523                 if (ret)
1524                         goto out_startcontainer;
1525         }
1526 
1527         if (tb[OCI_HOOKS_POSTSTOP]) {
1528                 ret = parseOCIhook(&opts.hooks.poststop, tb[OCI_HOOKS_POSTSTOP]);
1529                 if (ret)
1530                         goto out_poststart;
1531         }
1532 
1533         return 0;
1534 
1535 out_poststart:
1536         free_hooklist(opts.hooks.poststart);
1537 out_startcontainer:
1538         free_hooklist(opts.hooks.startContainer);
1539 out_createcontainer:
1540         free_hooklist(opts.hooks.createContainer);
1541 out_createruntime:
1542         free_hooklist(opts.hooks.createRuntime);
1543 
1544         return ret;
1545 };
1546 
1547 
1548 enum {
1549         OCI_PROCESS_USER_UID,
1550         OCI_PROCESS_USER_GID,
1551         OCI_PROCESS_USER_UMASK,
1552         OCI_PROCESS_USER_ADDITIONALGIDS,
1553         __OCI_PROCESS_USER_MAX,
1554 };
1555 
1556 static const struct blobmsg_policy oci_process_user_policy[] = {
1557         [OCI_PROCESS_USER_UID] = { "uid", BLOBMSG_TYPE_INT32 },
1558         [OCI_PROCESS_USER_GID] = { "gid", BLOBMSG_TYPE_INT32 },
1559         [OCI_PROCESS_USER_UMASK] = { "umask", BLOBMSG_TYPE_INT32 },
1560         [OCI_PROCESS_USER_ADDITIONALGIDS] = { "additionalGids", BLOBMSG_TYPE_ARRAY },
1561 };
1562 
1563 static int parseOCIprocessuser(struct blob_attr *msg) {
1564         struct blob_attr *tb[__OCI_PROCESS_USER_MAX];
1565         struct blob_attr *cur;
1566         int rem;
1567         int has_gid = 0;
1568 
1569         blobmsg_parse(oci_process_user_policy, __OCI_PROCESS_USER_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1570 
1571         if (tb[OCI_PROCESS_USER_UID])
1572                 opts.pw_uid = blobmsg_get_u32(tb[OCI_PROCESS_USER_UID]);
1573 
1574         if (tb[OCI_PROCESS_USER_GID]) {
1575                 opts.pw_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]);
1576                 opts.gr_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]);
1577                 has_gid = 1;
1578         }
1579 
1580         if (tb[OCI_PROCESS_USER_ADDITIONALGIDS]) {
1581                 size_t gidcnt = 0;
1582 
1583                 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) {
1584                         ++gidcnt;
1585                         if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid))
1586                                 continue;
1587                 }
1588 
1589                 if (gidcnt) {
1590                         opts.additional_gids = calloc(gidcnt + has_gid, sizeof(gid_t));
1591                         gidcnt = 0;
1592 
1593                         /* always add primary GID to set of GIDs if set */
1594                         if (has_gid)
1595                                 opts.additional_gids[gidcnt++] = opts.gr_gid;
1596 
1597                         blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) {
1598                                 if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid))
1599                                         continue;
1600                                 opts.additional_gids[gidcnt++] = blobmsg_get_u32(cur);
1601                         }
1602                         opts.num_additional_gids = gidcnt;
1603                 }
1604                 DEBUG("read %zu additional groups\n", gidcnt);
1605         }
1606 
1607         if (tb[OCI_PROCESS_USER_UMASK]) {
1608                 opts.umask = blobmsg_get_u32(tb[OCI_PROCESS_USER_UMASK]);
1609                 opts.set_umask = true;
1610         }
1611 
1612         return 0;
1613 }
1614 
1615 enum {
1616         OCI_PROCESS_RLIMIT_TYPE,
1617         OCI_PROCESS_RLIMIT_SOFT,
1618         OCI_PROCESS_RLIMIT_HARD,
1619         __OCI_PROCESS_RLIMIT_MAX,
1620 };
1621 
1622 static const struct blobmsg_policy oci_process_rlimit_policy[] = {
1623         [OCI_PROCESS_RLIMIT_TYPE] = { "type", BLOBMSG_TYPE_STRING },
1624         [OCI_PROCESS_RLIMIT_SOFT] = { "soft", BLOBMSG_CAST_INT64 },
1625         [OCI_PROCESS_RLIMIT_HARD] = { "hard", BLOBMSG_CAST_INT64 },
1626 };
1627 
1628 /* from manpage GETRLIMIT(2) */
1629 static const char* const rlimit_names[RLIM_NLIMITS] = {
1630         [RLIMIT_AS] = "AS",
1631         [RLIMIT_CORE] = "CORE",
1632         [RLIMIT_CPU] = "CPU",
1633         [RLIMIT_DATA] = "DATA",
1634         [RLIMIT_FSIZE] = "FSIZE",
1635         [RLIMIT_LOCKS] = "LOCKS",
1636         [RLIMIT_MEMLOCK] = "MEMLOCK",
1637         [RLIMIT_MSGQUEUE] = "MSGQUEUE",
1638         [RLIMIT_NICE] = "NICE",
1639         [RLIMIT_NOFILE] = "NOFILE",
1640         [RLIMIT_NPROC] = "NPROC",
1641         [RLIMIT_RSS] = "RSS",
1642         [RLIMIT_RTPRIO] = "RTPRIO",
1643         [RLIMIT_RTTIME] = "RTTIME",
1644         [RLIMIT_SIGPENDING] = "SIGPENDING",
1645         [RLIMIT_STACK] = "STACK",
1646 };
1647 
1648 static int resolve_rlimit(char *type) {
1649         unsigned int rltype;
1650 
1651         for (rltype = 0; rltype < RLIM_NLIMITS; ++rltype)
1652                 if (rlimit_names[rltype] &&
1653                     !strncmp("RLIMIT_", type, 7) &&
1654                     !strcmp(rlimit_names[rltype], type + 7))
1655                         return rltype;
1656 
1657         return -1;
1658 }
1659 
1660 
1661 static int parseOCIrlimit(struct blob_attr *msg)
1662 {
1663         struct blob_attr *tb[__OCI_PROCESS_RLIMIT_MAX];
1664         int limtype = -1;
1665         struct rlimit *curlim;
1666 
1667         blobmsg_parse(oci_process_rlimit_policy, __OCI_PROCESS_RLIMIT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1668 
1669         if (!tb[OCI_PROCESS_RLIMIT_TYPE] ||
1670             !tb[OCI_PROCESS_RLIMIT_SOFT] ||
1671             !tb[OCI_PROCESS_RLIMIT_HARD])
1672                 return ENODATA;
1673 
1674         limtype = resolve_rlimit(blobmsg_get_string(tb[OCI_PROCESS_RLIMIT_TYPE]));
1675 
1676         if (limtype < 0)
1677                 return EINVAL;
1678 
1679         if (opts.rlimits[limtype])
1680                 return ENOTUNIQ;
1681 
1682         curlim = malloc(sizeof(struct rlimit));
1683         curlim->rlim_cur = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_SOFT]);
1684         curlim->rlim_max = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_HARD]);
1685 
1686         opts.rlimits[limtype] = curlim;
1687 
1688         return 0;
1689 };
1690 
1691 enum {
1692         OCI_PROCESS_ARGS,
1693         OCI_PROCESS_CAPABILITIES,
1694         OCI_PROCESS_CWD,
1695         OCI_PROCESS_ENV,
1696         OCI_PROCESS_OOMSCOREADJ,
1697         OCI_PROCESS_NONEWPRIVILEGES,
1698         OCI_PROCESS_RLIMITS,
1699         OCI_PROCESS_TERMINAL,
1700         OCI_PROCESS_USER,
1701         __OCI_PROCESS_MAX,
1702 };
1703 
1704 static const struct blobmsg_policy oci_process_policy[] = {
1705         [OCI_PROCESS_ARGS] = { "args", BLOBMSG_TYPE_ARRAY },
1706         [OCI_PROCESS_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_TABLE },
1707         [OCI_PROCESS_CWD] = { "cwd", BLOBMSG_TYPE_STRING },
1708         [OCI_PROCESS_ENV] = { "env", BLOBMSG_TYPE_ARRAY },
1709         [OCI_PROCESS_OOMSCOREADJ] = { "oomScoreAdj", BLOBMSG_TYPE_INT32 },
1710         [OCI_PROCESS_NONEWPRIVILEGES] = { "noNewPrivileges", BLOBMSG_TYPE_BOOL },
1711         [OCI_PROCESS_RLIMITS] = { "rlimits", BLOBMSG_TYPE_ARRAY },
1712         [OCI_PROCESS_TERMINAL] = { "terminal", BLOBMSG_TYPE_BOOL },
1713         [OCI_PROCESS_USER] = { "user", BLOBMSG_TYPE_TABLE },
1714 };
1715 
1716 
1717 static int parseOCIprocess(struct blob_attr *msg)
1718 {
1719         struct blob_attr *tb[__OCI_PROCESS_MAX], *cur;
1720         int rem, res;
1721 
1722         blobmsg_parse(oci_process_policy, __OCI_PROCESS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1723 
1724         if (!tb[OCI_PROCESS_ARGS])
1725                 return ENOENT;
1726 
1727         res = parseOCIenvarray(tb[OCI_PROCESS_ARGS], &opts.jail_argv);
1728         if (res)
1729                 return res;
1730 
1731         if (tb[OCI_PROCESS_TERMINAL])
1732                 opts.console = blobmsg_get_bool(tb[OCI_PROCESS_TERMINAL]);
1733 
1734         if (tb[OCI_PROCESS_NONEWPRIVILEGES])
1735                 opts.no_new_privs = blobmsg_get_bool(tb[OCI_PROCESS_NONEWPRIVILEGES]);
1736 
1737         if (tb[OCI_PROCESS_CWD])
1738                 opts.cwd = strdup(blobmsg_get_string(tb[OCI_PROCESS_CWD]));
1739 
1740         if (tb[OCI_PROCESS_ENV]) {
1741                 res = parseOCIenvarray(tb[OCI_PROCESS_ENV], &opts.envp);
1742                 if (res)
1743                         return res;
1744         }
1745 
1746         if (tb[OCI_PROCESS_USER] && (res = parseOCIprocessuser(tb[OCI_PROCESS_USER])))
1747                 return res;
1748 
1749         if (tb[OCI_PROCESS_CAPABILITIES] &&
1750             (res = parseOCIcapabilities(&opts.capset, tb[OCI_PROCESS_CAPABILITIES])))
1751                 return res;
1752 
1753         if (tb[OCI_PROCESS_RLIMITS]) {
1754                 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_RLIMITS], rem) {
1755                         res = parseOCIrlimit(cur);
1756                         if (res)
1757                                 return res;
1758                 }
1759         }
1760 
1761         if (tb[OCI_PROCESS_OOMSCOREADJ]) {
1762                 opts.oom_score_adj = blobmsg_get_u32(tb[OCI_PROCESS_OOMSCOREADJ]);
1763                 opts.set_oom_score_adj = true;
1764         }
1765 
1766         return 0;
1767 }
1768 
1769 enum {
1770         OCI_LINUX_NAMESPACE_TYPE,
1771         OCI_LINUX_NAMESPACE_PATH,
1772         __OCI_LINUX_NAMESPACE_MAX,
1773 };
1774 
1775 static const struct blobmsg_policy oci_linux_namespace_policy[] = {
1776         [OCI_LINUX_NAMESPACE_TYPE] = { "type", BLOBMSG_TYPE_STRING },
1777         [OCI_LINUX_NAMESPACE_PATH] = { "path", BLOBMSG_TYPE_STRING },
1778 };
1779 
1780 static int resolve_nstype(char *type) {
1781         if (!strcmp("pid", type))
1782                 return CLONE_NEWPID;
1783         else if (!strcmp("network", type))
1784                 return CLONE_NEWNET;
1785         else if (!strcmp("net", type))
1786                 return CLONE_NEWNET;
1787         else if (!strcmp("mount", type))
1788                 return CLONE_NEWNS;
1789         else if (!strcmp("ipc", type))
1790                 return CLONE_NEWIPC;
1791         else if (!strcmp("uts", type))
1792                 return CLONE_NEWUTS;
1793         else if (!strcmp("user", type))
1794                 return CLONE_NEWUSER;
1795         else if (!strcmp("cgroup", type))
1796                 return CLONE_NEWCGROUP;
1797 #ifdef CLONE_NEWTIME
1798         else if (!strcmp("time", type))
1799                 return CLONE_NEWTIME;
1800 #endif
1801         else
1802                 return 0;
1803 }
1804 
1805 static int parseOCIlinuxns(struct blob_attr *msg)
1806 {
1807         struct blob_attr *tb[__OCI_LINUX_NAMESPACE_MAX];
1808         int nstype;
1809         int *setns;
1810         int fd;
1811 
1812         blobmsg_parse(oci_linux_namespace_policy, __OCI_LINUX_NAMESPACE_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
1813 
1814         if (!tb[OCI_LINUX_NAMESPACE_TYPE])
1815                 return EINVAL;
1816 
1817         nstype = resolve_nstype(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]));
1818         if (!nstype)
1819                 return EINVAL;
1820 
1821         if (opts.namespace & nstype)
1822                 return ENOTUNIQ;
1823 
1824         setns = get_namespace_fd(nstype);
1825 
1826         if (!setns)
1827                 return EFAULT;
1828 
1829         if (*setns != -1)
1830                 return ENOTUNIQ;
1831 
1832         if (tb[OCI_LINUX_NAMESPACE_PATH]) {
1833                 DEBUG("opening existing %s namespace from path %s\n",
1834                         blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]),
1835                         blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH]));
1836 
1837                 fd = open(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH]), O_RDONLY);
1838                 if (fd < 0)
1839                         return errno?:ESTALE;
1840 
1841                 if (ioctl(fd, NS_GET_NSTYPE) != nstype) {
1842                         close(fd);
1843                         return EINVAL;
1844                 }
1845 
1846                 DEBUG("opened existing %s namespace got filehandler %u\n",
1847                         blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]),
1848                         fd);
1849 
1850                 *setns = fd;
1851         } else {
1852                 opts.namespace |= nstype;
1853         }
1854 
1855         return 0;
1856 }
1857 
1858 /*
1859  * join namespace of existing PID
1860  * The string argument is the reference PID followed by ':' and a
1861  * ',' separated list of namespaces to to join.
1862  */
1863 static int jail_join_ns(char *arg)
1864 {
1865         pid_t pid;
1866         int fd;
1867         int nstype;
1868         char *tmp, *etmp, *nspath;
1869         int *setns;
1870 
1871         tmp = strchr(arg, ':');
1872         if (!tmp)
1873                 return EINVAL;
1874 
1875         *tmp = '\0';
1876         pid = atoi(arg);
1877 
1878         do {
1879                 ++tmp;
1880                 etmp = strchr(tmp, ',');
1881                 if (etmp)
1882                         *etmp = '\0';
1883 
1884                 nstype = resolve_nstype(tmp);
1885                 if (!nstype)
1886                         return EINVAL;
1887 
1888                 if (opts.namespace & nstype)
1889                         return ENOTUNIQ;
1890 
1891                 setns = get_namespace_fd(nstype);
1892 
1893                 if (!setns)
1894                         return EFAULT;
1895 
1896                 if (*setns != -1)
1897                         return ENOTUNIQ;
1898 
1899                 if (asprintf(&nspath, "/proc/%d/ns/%s", pid, tmp) < 0)
1900                         return ENOMEM;
1901 
1902                 fd = open(nspath, O_RDONLY);
1903                 free(nspath);
1904 
1905                 if (fd < 0)
1906                         return errno?:ESTALE;
1907 
1908                 *setns = fd;
1909 
1910                 if (etmp)
1911                         tmp = etmp;
1912                 else
1913                         tmp = NULL;
1914         } while (tmp);
1915 
1916         return 0;
1917 }
1918 
1919 static void get_jail_root_user(bool is_gidmap, uint32_t container_id, uint32_t host_id, uint32_t size)
1920 {
1921         if (container_id == 0 && size >= 1)
1922                 if (!is_gidmap)
1923                         opts.root_map_uid = host_id;
1924 }
1925 
1926 enum {
1927         OCI_LINUX_UIDGIDMAP_CONTAINERID,
1928         OCI_LINUX_UIDGIDMAP_HOSTID,
1929         OCI_LINUX_UIDGIDMAP_SIZE,
1930         __OCI_LINUX_UIDGIDMAP_MAX,
1931 };
1932 
1933 static const struct blobmsg_policy oci_linux_uidgidmap_policy[] = {
1934         [OCI_LINUX_UIDGIDMAP_CONTAINERID] = { "containerID", BLOBMSG_TYPE_INT32 },
1935         [OCI_LINUX_UIDGIDMAP_HOSTID] = { "hostID", BLOBMSG_TYPE_INT32 },
1936         [OCI_LINUX_UIDGIDMAP_SIZE] = { "size", BLOBMSG_TYPE_INT32 },
1937 };
1938 
1939 static int parseOCIuidgidmappings(struct blob_attr *msg, bool is_gidmap)
1940 {
1941         struct blob_attr *tb[__OCI_LINUX_UIDGIDMAP_MAX];
1942         struct blob_attr *cur;
1943         int rem;
1944         char *map;
1945         size_t len, pos, totallen = 0;
1946 
1947         blobmsg_for_each_attr(cur, msg, rem) {
1948                 blobmsg_parse(oci_linux_uidgidmap_policy, __OCI_LINUX_UIDGIDMAP_MAX, tb, blobmsg_data(cur), blobmsg_len(cur));
1949 
1950                 if (!tb[OCI_LINUX_UIDGIDMAP_CONTAINERID] ||
1951                     !tb[OCI_LINUX_UIDGIDMAP_HOSTID] ||
1952                     !tb[OCI_LINUX_UIDGIDMAP_SIZE])
1953                         return EINVAL;
1954 
1955                 /* count length */
1956                 totallen += snprintf(NULL, 0, "%d %d %d\n",
1957                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]),
1958                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]),
1959                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE]));
1960         }
1961 
1962         /* allocate combined mapping string */
1963         map = malloc(totallen + 1);
1964         if (!map)
1965                 return ENOMEM;
1966 
1967         pos = 0;
1968         blobmsg_for_each_attr(cur, msg, rem) {
1969                 blobmsg_parse(oci_linux_uidgidmap_policy, __OCI_LINUX_UIDGIDMAP_MAX, tb, blobmsg_data(cur), blobmsg_len(cur));
1970 
1971                 get_jail_root_user(is_gidmap, blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]),
1972                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]),
1973                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE]));
1974 
1975                 /* write mapping line into pre-allocated string */
1976                 len = snprintf(&map[pos], totallen + 1, "%d %d %d\n",
1977                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]),
1978                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]),
1979                          blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE]));
1980                 pos += len;
1981                 totallen -= len;
1982         }
1983 
1984         assert(totallen == 0);
1985 
1986         if (is_gidmap)
1987                 opts.gidmap = map;
1988         else
1989                 opts.uidmap = map;
1990 
1991         return 0;
1992 }
1993 
1994 enum {
1995         OCI_DEVICES_TYPE,
1996         OCI_DEVICES_PATH,
1997         OCI_DEVICES_MAJOR,
1998         OCI_DEVICES_MINOR,
1999         OCI_DEVICES_FILEMODE,
2000         OCI_DEVICES_UID,
2001         OCI_DEVICES_GID,
2002         __OCI_DEVICES_MAX,
2003 };
2004 
2005 static const struct blobmsg_policy oci_devices_policy[] = {
2006         [OCI_DEVICES_TYPE] = { "type", BLOBMSG_TYPE_STRING },
2007         [OCI_DEVICES_PATH] = { "path", BLOBMSG_TYPE_STRING },
2008         [OCI_DEVICES_MAJOR] = { "major", BLOBMSG_TYPE_INT32 },
2009         [OCI_DEVICES_MINOR] = { "minor", BLOBMSG_TYPE_INT32 },
2010         [OCI_DEVICES_FILEMODE] = { "fileMode", BLOBMSG_TYPE_INT32 },
2011         [OCI_DEVICES_UID] = { "uid", BLOBMSG_TYPE_INT32 },
2012         [OCI_DEVICES_GID] = { "uid", BLOBMSG_TYPE_INT32 },
2013 };
2014 
2015 static mode_t resolve_devtype(char *tstr)
2016 {
2017         if (!strcmp("c", tstr) ||
2018             !strcmp("u", tstr))
2019                 return S_IFCHR;
2020         else if (!strcmp("b", tstr))
2021                 return S_IFBLK;
2022         else if (!strcmp("p", tstr))
2023                 return S_IFIFO;
2024         else
2025                 return 0;
2026 }
2027 
2028 static int parseOCIdevices(struct blob_attr *msg)
2029 {
2030         struct blob_attr *tb[__OCI_DEVICES_MAX];
2031         struct blob_attr *cur;
2032         int rem;
2033         size_t cnt = 0;
2034         struct mknod_args *tmp;
2035 
2036         blobmsg_for_each_attr(cur, msg, rem)
2037                 ++cnt;
2038 
2039         opts.devices = calloc(cnt + 1, sizeof(struct mknod_args *));
2040 
2041         cnt = 0;
2042         blobmsg_for_each_attr(cur, msg, rem) {
2043                 blobmsg_parse(oci_devices_policy, __OCI_DEVICES_MAX, tb, blobmsg_data(cur), blobmsg_len(cur));
2044                 if (!tb[OCI_DEVICES_TYPE] ||
2045                     !tb[OCI_DEVICES_PATH])
2046                         return ENODATA;
2047 
2048                 tmp = calloc(1, sizeof(struct mknod_args));
2049                 if (!tmp)
2050                         return ENOMEM;
2051 
2052                 tmp->mode = resolve_devtype(blobmsg_get_string(tb[OCI_DEVICES_TYPE]));
2053                 if (!tmp->mode) {
2054                         free(tmp);
2055                         return EINVAL;
2056                 }
2057 
2058                 if (tmp->mode != S_IFIFO) {
2059                         if (!tb[OCI_DEVICES_MAJOR] || !tb[OCI_DEVICES_MINOR]) {
2060                                 free(tmp);
2061                                 return ENODATA;
2062                         }
2063 
2064                         tmp->dev = makedev(blobmsg_get_u32(tb[OCI_DEVICES_MAJOR]),
2065                                            blobmsg_get_u32(tb[OCI_DEVICES_MINOR]));
2066                 }
2067 
2068                 if (tb[OCI_DEVICES_FILEMODE]) {
2069                         if (~(S_IRWXU|S_IRWXG|S_IRWXO) & blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE])) {
2070                                 free(tmp);
2071                                 return EINVAL;
2072                         }
2073 
2074                         tmp->mode |= blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE]);
2075                 } else {
2076                         tmp->mode |= (S_IRUSR|S_IWUSR); /* 0600 */
2077                 }
2078 
2079                 tmp->path = strdup(blobmsg_get_string(tb[OCI_DEVICES_PATH]));
2080 
2081                 if (tb[OCI_DEVICES_UID])
2082                         tmp->uid = blobmsg_get_u32(tb[OCI_DEVICES_UID]);
2083                 else
2084                         tmp->uid = -1;
2085 
2086                 if (tb[OCI_DEVICES_GID])
2087                         tmp->gid = blobmsg_get_u32(tb[OCI_DEVICES_GID]);
2088                 else
2089                         tmp->gid = -1;
2090 
2091                 DEBUG("read device %s (%s)\n", blobmsg_get_string(tb[OCI_DEVICES_PATH]), blobmsg_get_string(tb[OCI_DEVICES_TYPE]));
2092                 opts.devices[cnt++] = tmp;
2093         }
2094 
2095         opts.devices[cnt] = NULL;
2096 
2097         return 0;
2098 }
2099 
2100 static int parseOCIsysctl(struct blob_attr *msg)
2101 {
2102         struct blob_attr *cur;
2103         int rem;
2104         char *tmp, *tc;
2105         size_t cnt = 0;
2106 
2107         blobmsg_for_each_attr(cur, msg, rem) {
2108                 if (!blobmsg_name(cur) || !blobmsg_get_string(cur))
2109                         return EINVAL;
2110 
2111                 ++cnt;
2112         }
2113 
2114         if (!cnt)
2115                 return 0;
2116 
2117         opts.sysctl = calloc(cnt + 1, sizeof(struct sysctl_val *));
2118         if (!opts.sysctl)
2119                 return ENOMEM;
2120 
2121         cnt = 0;
2122         blobmsg_for_each_attr(cur, msg, rem) {
2123                 opts.sysctl[cnt] = malloc(sizeof(struct sysctl_val));
2124                 if (!opts.sysctl[cnt])
2125                         return ENOMEM;
2126 
2127                 /* replace '.' with '/' in entry name */
2128                 tc = tmp = strdup(blobmsg_name(cur));
2129                 while ((tc = strchr(tc, '.')))
2130                         *tc = '/';
2131 
2132                 opts.sysctl[cnt]->value = strdup(blobmsg_get_string(cur));
2133                 opts.sysctl[cnt]->entry = tmp;
2134 
2135                 ++cnt;
2136         }
2137 
2138         opts.sysctl[cnt] = NULL;
2139 
2140         return 0;
2141 }
2142 
2143 
2144 enum {
2145         OCI_LINUX_CGROUPSPATH,
2146         OCI_LINUX_RESOURCES,
2147         OCI_LINUX_SECCOMP,
2148         OCI_LINUX_SYSCTL,
2149         OCI_LINUX_NAMESPACES,
2150         OCI_LINUX_DEVICES,
2151         OCI_LINUX_UIDMAPPINGS,
2152         OCI_LINUX_GIDMAPPINGS,
2153         OCI_LINUX_MASKEDPATHS,
2154         OCI_LINUX_READONLYPATHS,
2155         OCI_LINUX_ROOTFSPROPAGATION,
2156         __OCI_LINUX_MAX,
2157 };
2158 
2159 static const struct blobmsg_policy oci_linux_policy[] = {
2160         [OCI_LINUX_CGROUPSPATH] = { "cgroupsPath", BLOBMSG_TYPE_STRING },
2161         [OCI_LINUX_RESOURCES] = { "resources", BLOBMSG_TYPE_TABLE },
2162         [OCI_LINUX_SECCOMP] = { "seccomp", BLOBMSG_TYPE_TABLE },
2163         [OCI_LINUX_SYSCTL] = { "sysctl", BLOBMSG_TYPE_TABLE },
2164         [OCI_LINUX_NAMESPACES] = { "namespaces", BLOBMSG_TYPE_ARRAY },
2165         [OCI_LINUX_DEVICES] = { "devices", BLOBMSG_TYPE_ARRAY },
2166         [OCI_LINUX_UIDMAPPINGS] = { "uidMappings", BLOBMSG_TYPE_ARRAY },
2167         [OCI_LINUX_GIDMAPPINGS] = { "gidMappings", BLOBMSG_TYPE_ARRAY },
2168         [OCI_LINUX_MASKEDPATHS] = { "maskedPaths", BLOBMSG_TYPE_ARRAY },
2169         [OCI_LINUX_READONLYPATHS] = { "readonlyPaths", BLOBMSG_TYPE_ARRAY },
2170         [OCI_LINUX_ROOTFSPROPAGATION] = { "rootfsPropagation", BLOBMSG_TYPE_STRING },
2171 };
2172 
2173 static int parseOCIlinux(struct blob_attr *msg)
2174 {
2175         struct blob_attr *tb[__OCI_LINUX_MAX];
2176         struct blob_attr *cur;
2177         int rem;
2178         int res = 0;
2179         char *cgpath;
2180         char cgfullpath[256] = "/sys/fs/cgroup";
2181 
2182         blobmsg_parse(oci_linux_policy, __OCI_LINUX_MAX, tb, blobmsg_data(msg), blobmsg_len(msg));
2183 
2184         if (tb[OCI_LINUX_NAMESPACES]) {
2185                 blobmsg_for_each_attr(cur, tb[OCI_LINUX_NAMESPACES], rem) {
2186                         res = parseOCIlinuxns(cur);
2187                         if (res)
2188                                 return res;
2189                 }
2190         }
2191 
2192         if (tb[OCI_LINUX_UIDMAPPINGS]) {
2193                 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 0);
2194                 if (res)
2195                         return res;
2196         }
2197 
2198         if (tb[OCI_LINUX_GIDMAPPINGS]) {
2199                 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 1);
2200                 if (res)
2201                         return res;
2202         }
2203 
2204         if (tb[OCI_LINUX_READONLYPATHS]) {
2205                 blobmsg_for_each_attr(cur, tb[OCI_LINUX_READONLYPATHS], rem) {
2206                         res = add_mount(NULL, blobmsg_get_string(cur), NULL, MS_BIND | MS_REC | MS_RDONLY, 0, NULL, 0);
2207                         if (res)
2208                                 return res;
2209                 }
2210         }
2211 
2212         if (tb[OCI_LINUX_MASKEDPATHS]) {
2213                 blobmsg_for_each_attr(cur, tb[OCI_LINUX_MASKEDPATHS], rem) {
2214                         res = add_mount((void *)(-1), blobmsg_get_string(cur), NULL, 0, 0, NULL, 0);
2215                         if (res)
2216                                 return res;
2217                 }
2218         }
2219 
2220         if (tb[OCI_LINUX_SYSCTL]) {
2221                 res = parseOCIsysctl(tb[OCI_LINUX_SYSCTL]);
2222                 if (res)
2223                         return res;
2224         }
2225 
2226         if (tb[OCI_LINUX_SECCOMP]) {
2227                 opts.ociseccomp = parseOCIlinuxseccomp(tb[OCI_LINUX_SECCOMP]);
2228                 if (!opts.ociseccomp)
2229                         return EINVAL;
2230         }
2231 
2232         if (tb[OCI_LINUX_DEVICES]) {
2233                 res = parseOCIdevices(tb[OCI_LINUX_DEVICES]);
2234                 if (res)
2235                         return res;
2236         }
2237 
2238         if (tb[OCI_LINUX_CGROUPSPATH]) {
2239                 cgpath = blobmsg_get_string(tb[OCI_LINUX_CGROUPSPATH]);
2240                 if (cgpath[0] == '/') {
2241                         if (strlen(cgpath) + 1 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
2242                                 return E2BIG;
2243 
2244                         strcat(cgfullpath, cgpath);
2245                 } else {
2246                         strcat(cgfullpath, "/containers/");
2247                         if (strlen(opts.name) + strlen(cgpath) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
2248                                 return E2BIG;
2249 
2250                         strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
2251                         strcat(cgfullpath, "/");
2252                         strcat(cgfullpath, cgpath);
2253                 }
2254         } else {
2255                 strcat(cgfullpath, "/containers/");
2256                 if (2 * strlen(opts.name) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
2257                         return E2BIG;
2258 
2259                 strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
2260                 strcat(cgfullpath, "/");
2261                 strcat(cgfullpath, opts.name); /* should be container instance name rather than jail name */
2262         }
2263 
2264         cgroups_init(cgfullpath);
2265 
2266         if (tb[OCI_LINUX_RESOURCES]) {
2267                 res = parseOCIlinuxcgroups(tb[OCI_LINUX_RESOURCES]);
2268                 if (res)
2269                         return res;
2270         }
2271 
2272         return 0;
2273 }
2274 
2275 enum {
2276         OCI_VERSION,
2277         OCI_HOSTNAME,
2278         OCI_PROCESS,
2279         OCI_ROOT,
2280         OCI_MOUNTS,
2281         OCI_HOOKS,
2282         OCI_LINUX,
2283         OCI_ANNOTATIONS,
2284         __OCI_MAX,
2285 };
2286 
2287 static const struct blobmsg_policy oci_policy[] = {
2288         [OCI_VERSION] = { "ociVersion", BLOBMSG_TYPE_STRING },
2289         [OCI_HOSTNAME] = { "hostname", BLOBMSG_TYPE_STRING },
2290         [OCI_PROCESS] = { "process", BLOBMSG_TYPE_TABLE },
2291         [OCI_ROOT] = { "root", BLOBMSG_TYPE_TABLE },
2292         [OCI_MOUNTS] = { "mounts", BLOBMSG_TYPE_ARRAY },
2293         [OCI_HOOKS] = { "hooks", BLOBMSG_TYPE_TABLE },
2294         [OCI_LINUX] = { "linux", BLOBMSG_TYPE_TABLE },
2295         [OCI_ANNOTATIONS] = { "annotations", BLOBMSG_TYPE_TABLE },
2296 };
2297 
2298 static int parseOCI(const char *jsonfile)
2299 {
2300         struct blob_attr *tb[__OCI_MAX];
2301         struct blob_attr *cur;
2302         int rem;
2303         int res;
2304 
2305         blob_buf_init(&ocibuf, 0);
2306 
2307         if (!blobmsg_add_json_from_file(&ocibuf, jsonfile)) {
2308                 res=ENOENT;
2309                 goto errout;
2310         }
2311 
2312         blobmsg_parse(oci_policy, __OCI_MAX, tb, blob_data(ocibuf.head), blob_len(ocibuf.head));
2313 
2314         if (!tb[OCI_VERSION]) {
2315                 res=ENOMSG;
2316                 goto errout;
2317         }
2318 
2319         if (strncmp("1.0", blobmsg_get_string(tb[OCI_VERSION]), 3)) {
2320                 ERROR("unsupported ociVersion %s\n", blobmsg_get_string(tb[OCI_VERSION]));
2321                 res=ENOTSUP;
2322                 goto errout;
2323         }
2324 
2325         if (tb[OCI_HOSTNAME])
2326                 opts.hostname = strdup(blobmsg_get_string(tb[OCI_HOSTNAME]));
2327 
2328         if (!tb[OCI_PROCESS]) {
2329                 res=ENODATA;
2330                 goto errout;
2331         }
2332 
2333         if ((res = parseOCIprocess(tb[OCI_PROCESS])))
2334                 goto errout;
2335 
2336         if (!tb[OCI_ROOT]) {
2337                 res=ENODATA;
2338                 goto errout;
2339         }
2340         if ((res = parseOCIroot(jsonfile, tb[OCI_ROOT])))
2341                 goto errout;
2342 
2343         if (!tb[OCI_MOUNTS]) {
2344                 res=ENODATA;
2345                 goto errout;
2346         }
2347 
2348         blobmsg_for_each_attr(cur, tb[OCI_MOUNTS], rem)
2349                 if ((res = parseOCImount(cur)))
2350                         goto errout;
2351 
2352         if (tb[OCI_LINUX] && (res = parseOCIlinux(tb[OCI_LINUX])))
2353                 goto errout;
2354 
2355         if (tb[OCI_HOOKS] && (res = parseOCIhooks(tb[OCI_HOOKS])))
2356                 goto errout;
2357 
2358         if (tb[OCI_ANNOTATIONS])
2359                 opts.annotations = blob_memdup(tb[OCI_ANNOTATIONS]);
2360 
2361 errout:
2362         blob_buf_free(&ocibuf);
2363 
2364         return res;
2365 }
2366 
2367 static int set_oom_score_adj(void)
2368 {
2369         int f;
2370         char fname[32];
2371 
2372         if (!opts.set_oom_score_adj)
2373                 return 0;
2374 
2375         snprintf(fname, sizeof(fname), "/proc/%u/oom_score_adj", jail_process.pid);
2376         f = open(fname, O_WRONLY | O_TRUNC);
2377         if (f < 0)
2378                 return errno;
2379 
2380         dprintf(f, "%d", opts.oom_score_adj);
2381         close(f);
2382 
2383         return 0;
2384 }
2385 
2386 
2387 enum {
2388         OCI_STATE_CREATING,
2389         OCI_STATE_CREATED,
2390         OCI_STATE_RUNNING,
2391         OCI_STATE_STOPPED,
2392 };
2393 
2394 static int jail_oci_state = OCI_STATE_CREATED;
2395 static void pipe_send_start_container(struct uloop_timeout *t);
2396 static struct uloop_timeout start_container_timeout = {
2397         .cb = pipe_send_start_container,
2398 };
2399 
2400 static int handle_start(struct ubus_context *ctx, struct ubus_object *obj,
2401                         struct ubus_request_data *req, const char *method,
2402                         struct blob_attr *msg)
2403 {
2404         if (jail_oci_state != OCI_STATE_CREATED)
2405                 return UBUS_STATUS_INVALID_ARGUMENT;
2406 
2407         uloop_timeout_add(&start_container_timeout);
2408 
2409         return UBUS_STATUS_OK;
2410 }
2411 
2412 static struct blob_buf bb;
2413 static int handle_state(struct ubus_context *ctx, struct ubus_object *obj,
2414                         struct ubus_request_data *req, const char *method,
2415                         struct blob_attr *msg)
2416 {
2417         char *statusstr;
2418 
2419         switch (jail_oci_state) {
2420                 case OCI_STATE_CREATING:
2421                         statusstr = "creating";
2422                         break;
2423                 case OCI_STATE_CREATED:
2424                         statusstr = "created";
2425                         break;
2426                 case OCI_STATE_RUNNING:
2427                         statusstr = "running";
2428                         break;
2429                 case OCI_STATE_STOPPED:
2430                         statusstr = "stopped";
2431                         break;
2432                 default:
2433                         statusstr = "unknown";
2434         }
2435 
2436         blob_buf_init(&bb, 0);
2437         blobmsg_add_string(&bb, "ociVersion", OCI_VERSION_STRING);
2438         blobmsg_add_string(&bb, "id", opts.name);
2439         blobmsg_add_string(&bb, "status", statusstr);
2440         if (jail_oci_state == OCI_STATE_CREATED ||
2441             jail_oci_state == OCI_STATE_RUNNING)
2442                 blobmsg_add_u32(&bb, "pid", jail_process.pid);
2443 
2444         blobmsg_add_string(&bb, "bundle", opts.ocibundle);
2445 
2446         if (opts.annotations)
2447                 blobmsg_add_blob(&bb, opts.annotations);
2448 
2449         ubus_send_reply(ctx, req, bb.head);
2450 
2451         return UBUS_STATUS_OK;
2452 }
2453 
2454 enum {
2455         CONTAINER_KILL_ATTR_SIGNAL,
2456         __CONTAINER_KILL_ATTR_MAX,
2457 };
2458 
2459 static const struct blobmsg_policy container_kill_attrs[__CONTAINER_KILL_ATTR_MAX] = {
2460         [CONTAINER_KILL_ATTR_SIGNAL] = { "signal", BLOBMSG_TYPE_INT32 },
2461 };
2462 
2463 static int
2464 container_handle_kill(struct ubus_context *ctx, struct ubus_object *obj,
2465                     struct ubus_request_data *req, const char *method,
2466                     struct blob_attr *msg)
2467 {
2468         struct blob_attr *tb[__CONTAINER_KILL_ATTR_MAX], *cur;
2469         int sig = SIGTERM;
2470 
2471         blobmsg_parse(container_kill_attrs, __CONTAINER_KILL_ATTR_MAX, tb, blobmsg_data(msg), blobmsg_data_len(msg));
2472 
2473         cur = tb[CONTAINER_KILL_ATTR_SIGNAL];
2474         if (cur)
2475                 sig = blobmsg_get_u32(cur);
2476 
2477         if (jail_oci_state == OCI_STATE_CREATING)
2478                 return UBUS_STATUS_NOT_FOUND;
2479 
2480         if (kill(jail_process.pid, sig) == 0)
2481                 return 0;
2482 
2483         switch (errno) {
2484         case EINVAL: return UBUS_STATUS_INVALID_ARGUMENT;
2485         case EPERM:  return UBUS_STATUS_PERMISSION_DENIED;
2486         case ESRCH:  return UBUS_STATUS_NOT_FOUND;
2487         }
2488 
2489         return UBUS_STATUS_UNKNOWN_ERROR;
2490 }
2491 
2492 static int
2493 jail_writepid(pid_t pid)
2494 {
2495         FILE *_pidfile;
2496 
2497         if (!opts.pidfile)
2498                 return 0;
2499 
2500         _pidfile = fopen(opts.pidfile, "w");
2501         if (_pidfile == NULL)
2502                 return errno;
2503 
2504         if (fprintf(_pidfile, "%d\n", pid) < 0) {
2505                 fclose(_pidfile);
2506                 return errno;
2507         }
2508 
2509         if (fclose(_pidfile))
2510                 return errno;
2511 
2512         return 0;
2513 }
2514 
2515 static int checkpath(const char *path)
2516 {
2517         int dirfd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
2518         if (dirfd < 0) {
2519                 ERROR("path %s open failed %m\n", path);
2520                 return -1;
2521         }
2522         close(dirfd);
2523 
2524         return 0;
2525 }
2526 
2527 static struct ubus_method container_methods[] = {
2528         UBUS_METHOD_NOARG("start", handle_start),
2529         UBUS_METHOD_NOARG("state", handle_state),
2530         UBUS_METHOD("kill", container_handle_kill, container_kill_attrs),
2531 };
2532 
2533 static struct ubus_object_type container_object_type =
2534         UBUS_OBJECT_TYPE("container", container_methods);
2535 
2536 static struct ubus_object container_object = {
2537         .type = &container_object_type,
2538         .methods = container_methods,
2539         .n_methods = ARRAY_SIZE(container_methods),
2540 };
2541 
2542 static void post_main(struct uloop_timeout *t);
2543 static struct uloop_timeout post_main_timeout = {
2544         .cb = post_main,
2545 };
2546 static int netns_fd;
2547 static int pidns_fd;
2548 #ifdef CLONE_NEWTIME
2549 static int timens_fd;
2550 #endif
2551 static void post_create_runtime(void);
2552 
2553 struct env_e {
2554         struct list_head list;
2555         char *envarg;
2556 };
2557 
2558 int main(int argc, char **argv)
2559 {
2560         uid_t uid = getuid();
2561         const char log[] = "/dev/log";
2562         const char ubus[] = "/var/run/ubus/ubus.sock";
2563         int ret = EXIT_FAILURE;
2564         int ch;
2565         char *tmp;
2566         struct list_head envl = LIST_HEAD_INIT(envl);
2567         struct env_e *enve, *tmpenve;
2568         unsigned short int envn = 0, envc = 0;
2569 
2570         if (uid) {
2571                 ERROR("not root, aborting: %m\n");
2572                 return EXIT_FAILURE;
2573         }
2574 
2575         /* those are filehandlers, so -1 indicates unused */
2576         opts.setns.pid = -1;
2577         opts.setns.net = -1;
2578         opts.setns.ns = -1;
2579         opts.setns.ipc = -1;
2580         opts.setns.uts = -1;
2581         opts.setns.user = -1;
2582         opts.setns.cgroup = -1;
2583 #ifdef CLONE_NEWTIME
2584         opts.setns.time = -1;
2585 #endif
2586 
2587         /* default 5 seconds timeout after SIGTERM before SIGKILL is sent */
2588         opts.term_timeout = 5;
2589 
2590         umask(022);
2591         mount_list_init();
2592         init_library_search();
2593         cgroups_prepare();
2594         exit_from_child = false;
2595 
2596         while ((ch = getopt(argc, argv, OPT_ARGS)) != -1) {
2597                 switch (ch) {
2598                 case 'd':
2599                         debug = atoi(optarg);
2600                         break;
2601                 case 'e':
2602                         enve = calloc(1, sizeof(*enve));
2603                         enve->envarg = optarg;
2604                         list_add_tail(&enve->list, &envl);
2605                         break;
2606                 case 'p':
2607                         opts.namespace |= CLONE_NEWNS;
2608                         opts.procfs = 1;
2609                         break;
2610                 case 'o':
2611                         opts.namespace |= CLONE_NEWNS;
2612                         opts.ronly = 1;
2613                         break;
2614                 case 'f':
2615                         opts.namespace |= CLONE_NEWUSER;
2616                         break;
2617                 case 'F':
2618                         opts.namespace |= CLONE_NEWCGROUP;
2619                         break;
2620                 case 'R':
2621                         opts.extroot = realpath(optarg, NULL);
2622                         break;
2623                 case 's':
2624                         opts.namespace |= CLONE_NEWNS;
2625                         opts.sysfs = 1;
2626                         break;
2627                 case 'S':
2628                         opts.seccomp = optarg;
2629                         add_mount_bind(optarg, 1, -1);
2630                         break;
2631                 case 'C':
2632                         opts.capabilities = optarg;
2633                         break;
2634                 case 'c':
2635                         opts.no_new_privs = 1;
2636                         break;
2637                 case 'n':
2638                         opts.name = optarg;
2639                         break;
2640                 case 'N':
2641                         opts.namespace |= CLONE_NEWNET;
2642                         break;
2643                 case 'h':
2644                         opts.namespace |= CLONE_NEWUTS;
2645                         opts.hostname = strdup(optarg);
2646                         break;
2647                 case 'j':
2648                         jail_join_ns(optarg);
2649                         break;
2650                 case 'r':
2651                         opts.namespace |= CLONE_NEWNS;
2652                         tmp = strchr(optarg, ':');
2653                         if (tmp) {
2654                                 *(tmp++) = '\0';
2655                                 add_2paths_and_deps(optarg, tmp, 1, 0, 0);
2656                         } else {
2657                                 add_path_and_deps(optarg, 1, 0, 0);
2658                         }
2659                         break;
2660                 case 'w':
2661                         opts.namespace |= CLONE_NEWNS;
2662                         tmp = strchr(optarg, ':');
2663                         if (tmp) {
2664                                 *(tmp++) = '\0';
2665                                 add_2paths_and_deps(optarg, tmp, 0, 0, 0);
2666                         } else {
2667                                 add_path_and_deps(optarg, 0, 0, 0);
2668                         }
2669                         break;
2670                 case 'u':
2671                         opts.namespace |= CLONE_NEWNS;
2672                         add_mount_bind(ubus, 0, -1);
2673                         break;
2674                 case 'l':
2675                         opts.namespace |= CLONE_NEWNS;
2676                         add_mount_bind(log, 0, -1);
2677                         break;
2678                 case 'U':
2679                         opts.user = optarg;
2680                         break;
2681                 case 'G':
2682                         opts.group = optarg;
2683                         break;
2684                 case 'O':
2685                         opts.overlaydir = realpath(optarg, NULL);
2686                         break;
2687                 case 't':
2688                         opts.term_timeout = atoi(optarg);
2689                         break;
2690                 case 'T':
2691                         opts.tmpoverlaysize = optarg;
2692                         break;
2693                 case 'E':
2694                         opts.require_jail = 1;
2695                         break;
2696                 case 'y':
2697                         opts.console = 1;
2698                         break;
2699                 case 'J':
2700                         opts.ocibundle = optarg;
2701                         break;
2702                 case 'i':
2703                         opts.immediately = true;
2704                         break;
2705                 case 'P':
2706                         opts.pidfile = optarg;
2707                         break;
2708                 }
2709         }
2710 
2711         if (opts.namespace && !opts.ocibundle)
2712                 opts.namespace |= CLONE_NEWIPC | CLONE_NEWPID;
2713 
2714         /*
2715          * env import from cmdline is not available for OCI containers
2716          */
2717         if (opts.ocibundle && !list_empty(&envl)) {
2718                 ret=-ENOTSUP;
2719                 goto errout;
2720         }
2721 
2722         /*
2723          * prepare list of env variables to import for slim containers
2724          */
2725         if (!list_empty(&envl)) {
2726                 list_for_each_entry(enve, &envl, list)
2727                         ++envn;
2728 
2729                 opts.envp = calloc(1 + envn, sizeof(char*));
2730                 list_for_each_entry_safe(enve, tmpenve, &envl, list) {
2731                         tmp = getenv(enve->envarg);
2732                         if (tmp)
2733                                 asprintf(&opts.envp[envc++], "%s=%s", enve->envarg, tmp);
2734 
2735                         list_del(&enve->list);
2736                         free(enve);
2737                 }
2738 
2739                 opts.envp[envc] = NULL;
2740         }
2741 
2742         /*
2743          * uid in parent user namespace representing root user in new
2744          * user namespace, defaults to nobody unless specified in uidMappings
2745          */
2746         opts.root_map_uid = 65534;
2747 
2748         if (opts.capabilities && parseOCIcapabilities_from_file(&opts.capset, opts.capabilities)) {
2749                 ERROR("failed to read capabilities from file %s\n", opts.capabilities);
2750                 ret=-1;
2751                 goto errout;
2752         }
2753 
2754         if (opts.ocibundle) {
2755                 char *jsonfile;
2756                 int ocires;
2757 
2758                 if (!opts.name) {
2759                         ERROR("OCI bundle needs a named jail\n");
2760                         ret=-1;
2761                         goto errout;
2762                 }
2763                 if (asprintf(&jsonfile, "%s/config.json", opts.ocibundle) < 0) {
2764                         ret=-ENOMEM;
2765                         goto errout;
2766                 }
2767                 ocires = parseOCI(jsonfile);
2768                 free(jsonfile);
2769                 if (ocires) {
2770                         ERROR("parsing of OCI JSON spec has failed: %s (%d)\n", strerror(ocires), ocires);
2771                         ret=ocires;
2772                         goto errout;
2773                 }
2774         }
2775 
2776         if (opts.namespace & CLONE_NEWNET) {
2777                 if (!opts.name) {
2778                         ERROR("netns needs a named jail\n");
2779                         ret=-1;
2780                         goto errout;
2781                 }
2782         }
2783 
2784 
2785         if (opts.tmpoverlaysize && strlen(opts.tmpoverlaysize) > 8) {
2786                 ERROR("size parameter too long: \"%s\"\n", opts.tmpoverlaysize);
2787                 ret=-1;
2788                 goto errout;
2789         }
2790 
2791         if (opts.extroot && checkpath(opts.extroot)) {
2792                 ERROR("invalid rootfs path '%s'", opts.extroot);
2793                 ret=-1;
2794                 goto errout;
2795         }
2796 
2797         if (opts.overlaydir && checkpath(opts.overlaydir)) {
2798                 ERROR("invalid rootfs overlay path '%s'", opts.overlaydir);
2799                 ret=-1;
2800                 goto errout;
2801         }
2802 
2803         /* no <binary> param found */
2804         if (!opts.ocibundle && (argc - optind < 1)) {
2805                 usage();
2806                 ret=EXIT_FAILURE;
2807                 goto errout;
2808         }
2809         if (!(opts.ocibundle||opts.namespace||opts.capabilities||opts.seccomp||
2810                 (opts.setns.net != -1) ||
2811                 (opts.setns.ns != -1) ||
2812                 (opts.setns.ipc != -1) ||
2813                 (opts.setns.uts != -1) ||
2814                 (opts.setns.user != -1) ||
2815                 (opts.setns.cgroup != -1))) {
2816                 ERROR("Not using namespaces, capabilities or seccomp !!!\n\n");
2817                 usage();
2818                 ret=EXIT_FAILURE;
2819                 goto errout;
2820         }
2821         DEBUG("Using namespaces(0x%08x), capabilities(%d), seccomp(%d)\n",
2822                 opts.namespace,
2823                 opts.capset.apply,
2824                 opts.seccomp != 0 || opts.ociseccomp != 0);
2825 
2826         uloop_init();
2827         signals_init();
2828 
2829         parent_ctx = ubus_connect(NULL);
2830         ubus_add_uloop(parent_ctx);
2831 
2832         if (opts.ocibundle) {
2833                 char *objname;
2834                 if (asprintf(&objname, "container.%s", opts.name) < 0) {
2835                         ret=-ENOMEM;
2836                         goto errout;
2837                 }
2838 
2839                 container_object.name = objname;
2840                 ret = ubus_add_object(parent_ctx, &container_object);
2841                 if (ret) {
2842                         ERROR("Failed to add object: %s\n", ubus_strerror(ret));
2843                         ret=-1;
2844                         goto errout;
2845                 }
2846         }
2847 
2848         /* deliberately not using 'else' on unrelated conditional branches */
2849         if (!opts.ocibundle) {
2850                 /* allocate NULL-terminated array for argv */
2851                 opts.jail_argv = calloc(1 + argc - optind, sizeof(void *));
2852                 if (!opts.jail_argv) {
2853                         ret=EXIT_FAILURE;
2854                         goto errout;
2855                 }
2856                 for (size_t s = optind; s < argc; s++)
2857                         opts.jail_argv[s - optind] = strdup(argv[s]);
2858 
2859                 if (opts.namespace & CLONE_NEWUSER)
2860                         get_jail_user(&opts.pw_uid, &opts.pw_gid, &opts.gr_gid);
2861         }
2862 
2863         if (!opts.extroot) {
2864                 if (opts.namespace && add_path_and_deps(*opts.jail_argv, 1, -1, 0)) {
2865                         ERROR("failed to load dependencies\n");
2866                         ret=-1;
2867                         goto errout;
2868                 }
2869         }
2870 
2871         if (opts.namespace && opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) {
2872                 ERROR("failed to load libpreload-seccomp.so\n");
2873                 opts.seccomp = 0;
2874                 if (opts.require_jail) {
2875                         ret=-1;
2876                         goto errout;
2877                 }
2878         }
2879 
2880         uloop_timeout_add(&post_main_timeout);
2881         uloop_run();
2882 
2883 errout:
2884         if (opts.ocibundle)
2885                 cgroups_free();
2886 
2887         free_opts(true);
2888 
2889         return ret;
2890 }
2891 
2892 static void post_main(struct uloop_timeout *t)
2893 {
2894         if (apply_rlimits()) {
2895                 ERROR("error applying resource limits\n");
2896                 free_and_exit(EXIT_FAILURE);
2897         }
2898 
2899         if (opts.name)
2900                 prctl(PR_SET_NAME, opts.name, NULL, NULL, NULL);
2901 
2902         if (pipe(&pipes[0]) < 0 || pipe(&pipes[2]) < 0)
2903                 free_and_exit(-1);
2904 
2905         if (has_namespaces()) {
2906                 if (opts.namespace & CLONE_NEWNS) {
2907                         if (!opts.extroot && (opts.user || opts.group)) {
2908                                 add_mount_bind("/etc/passwd", 1, -1);
2909                                 add_mount_bind("/etc/group", 1, -1);
2910                         }
2911 
2912 #if defined(__GLIBC__)
2913                         if (!opts.extroot)
2914                                 add_mount_bind("/etc/nsswitch.conf", 1, -1);
2915 #endif
2916                         if (opts.setns.ns == -1) {
2917                                 if (!(opts.namespace & CLONE_NEWNET)) {
2918                                         add_mount_bind("/etc/resolv.conf", 1, 0);
2919                                 } else {
2920                                         /* new mount namespace to provide /dev/resolv.conf.d */
2921                                         char hostdir[PATH_MAX];
2922 
2923                                         snprintf(hostdir, PATH_MAX, "/tmp/resolv.conf-%s.d", opts.name);
2924                                         mkdir_p(hostdir, 0755);
2925                                         add_mount(hostdir, "/dev/resolv.conf.d", NULL,
2926                                                 MS_BIND | MS_NOEXEC | MS_NOATIME | MS_NOSUID | MS_NODEV | MS_RDONLY, 0, NULL, 0);
2927                                 }
2928                         }
2929                         /* default mounts */
2930                         add_mount(NULL, "/dev", "tmpfs", MS_NOATIME | MS_NOEXEC | MS_NOSUID, 0, "size=1M", -1);
2931                         add_mount(NULL, "/dev/pts", "devpts", MS_NOATIME | MS_NOEXEC | MS_NOSUID, 0, "newinstance,ptmxmode=0666,mode=0620,gid=5", 0);
2932 
2933                         if (opts.procfs || opts.ocibundle) {
2934                                 add_mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0, NULL, -1);
2935 
2936                                 /*
2937                                  * hack to make /proc/sys/net read-write while the rest of /proc/sys is read-only
2938                                  * which cannot be expressed with OCI spec, but happends to be very useful.
2939                                  * Only apply it if '/proc/sys' is not already listed as mount, maskedPath or
2940                                  * readonlyPath.
2941                                  * If not running in a new network namespace, only make /proc/sys read-only.
2942                                  * If running in a new network namespace, temporarily stash (ie. mount-bind)
2943                                  * /proc/sys/net into (totally unrelated, but surely existing) /proc/self/net.
2944                                  * Then we mount-bind /proc/sys read-only and then mount-move /proc/self/net into
2945                                  * /proc/sys/net.
2946                                  * This works because mounts are executed in incrementing strcmp() order and
2947                                  * /proc/self/net appears there before /proc/sys/net and hence the operation
2948                                  * succeeds as the bind-mount of /proc/self/net is performed first and then
2949                                  * move-mount of /proc/sys/net follows because 'e' preceeds 'y' in the ASCII
2950                                  * table (and in the alphabet).
2951                                  */
2952                                 if (!add_mount(NULL, "/proc/sys", NULL, MS_BIND | MS_RDONLY, 0, NULL, -1))
2953                                         if (opts.namespace & CLONE_NEWNET)
2954                                                 if (!add_mount_inner("/proc/self/net", "/proc/sys/net", NULL, MS_MOVE, 0, NULL, -1))
2955                                                         add_mount_inner("/proc/sys/net", "/proc/self/net", NULL, MS_BIND, 0, NULL, -1);
2956 
2957                         }
2958                         if (opts.sysfs || opts.ocibundle)
2959                                 add_mount("sysfs", "/sys", "sysfs", MS_RELATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, 0, NULL, -1);
2960 
2961                         if (opts.ocibundle)
2962                                 add_mount("shm", "/dev/shm", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV, 0, "mode=1777", -1);
2963 
2964                 }
2965 
2966                 if (opts.setns.pid != -1) {
2967                         pidns_fd = ns_open_pid("pid", getpid());
2968                         setns_open(CLONE_NEWPID);
2969                 } else {
2970                         pidns_fd = -1;
2971                 }
2972 
2973 #ifdef CLONE_NEWTIME
2974                 if (opts.setns.time != -1) {
2975                         timens_fd = ns_open_pid("time", getpid());
2976                         setns_open(CLONE_NEWTIME);
2977                 } else {
2978                         timens_fd = -1;
2979                 }
2980 #endif
2981 
2982                 if (opts.namespace & CLONE_NEWUSER) {
2983                         if (prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP)) {
2984                                 ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n");
2985                                 free_and_exit(EXIT_FAILURE);
2986                         }
2987                         if (seteuid(opts.root_map_uid)) {
2988                                 ERROR("seteuid(%d) failed: %m\n", opts.root_map_uid);
2989                                 free_and_exit(EXIT_FAILURE);
2990                         }
2991                 }
2992 
2993                 jail_process.pid = clone(exec_jail, child_stack + STACK_SIZE, SIGCHLD | (opts.namespace & (~CLONE_NEWCGROUP)), NULL);
2994         } else {
2995                 jail_process.pid = fork();
2996         }
2997 
2998         if (jail_process.pid > 0) {
2999                 /* parent process */
3000                 char sig_buf[1];
3001 
3002                 uloop_process_add(&jail_process);
3003                 jail_running = 1;
3004                 if (seteuid(0)) {
3005                         ERROR("seteuid(%d) failed: %m\n", opts.root_map_uid);
3006                         free_and_exit(EXIT_FAILURE);
3007                 }
3008 
3009                 prctl(PR_SET_SECUREBITS, 0);
3010 
3011                 if (pidns_fd != -1) {
3012                         setns(pidns_fd, CLONE_NEWPID);
3013                         close(pidns_fd);
3014                 }
3015 #ifdef CLONE_NEWTIME
3016                 if (timens_fd != -1) {
3017                         setns(timens_fd, CLONE_NEWTIME);
3018                         close(timens_fd);
3019                 }
3020 #endif
3021                 if (opts.setns.net != -1)
3022                         close(opts.setns.net);
3023                 if (opts.setns.ns != -1)
3024                         close(opts.setns.ns);
3025                 if (opts.setns.ipc != -1)
3026                         close(opts.setns.ipc);
3027                 if (opts.setns.uts != -1)
3028                         close(opts.setns.uts);
3029                 if (opts.setns.user != -1)
3030                         close(opts.setns.user);
3031                 if (opts.setns.cgroup != -1)
3032                         close(opts.setns.cgroup);
3033                 close(pipes[1]);
3034                 close(pipes[2]);
3035                 if (read(pipes[0], sig_buf, 1) < 1) {
3036                         ERROR("can't read from child\n");
3037                         free_and_exit(-1);
3038                 }
3039                 close(pipes[0]);
3040                 set_oom_score_adj();
3041 
3042                 if (opts.ocibundle)
3043                         cgroups_apply(jail_process.pid);
3044 
3045                 if (opts.namespace & CLONE_NEWUSER) {
3046                         if (write_setgroups(jail_process.pid, true)) {
3047                                 ERROR("can't write setgroups\n");
3048                                 free_and_exit(-1);
3049                         }
3050                         if (!opts.uidmap) {
3051                                 bool has_gr = (opts.gr_gid != -1);
3052                                 if (opts.pw_uid != -1) {
3053                                         write_single_uid_gid_map(jail_process.pid, 0, opts.pw_uid);
3054                                         write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:opts.pw_gid);
3055                                 } else {
3056                                         write_single_uid_gid_map(jail_process.pid, 0, 65534);
3057                                         write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:65534);
3058                                 }
3059                         } else {
3060                                 write_uid_gid_map(jail_process.pid, 0, opts.uidmap);
3061                                 if (opts.gidmap)
3062                                         write_uid_gid_map(jail_process.pid, 1, opts.gidmap);
3063                         }
3064                 }
3065 
3066                 if (opts.namespace & CLONE_NEWNET)
3067                         jail_network_start(parent_ctx, opts.name, jail_process.pid);
3068 
3069                 if (jail_writepid(jail_process.pid)) {
3070                         ERROR("failed to write pidfile: %m\n");
3071                         free_and_exit(-1);
3072                 }
3073         } else if (jail_process.pid == 0) {
3074                 /* fork child process */
3075                 free_and_exit(exec_jail(NULL));
3076         } else {
3077                 ERROR("failed to clone/fork: %m\n");
3078                 free_and_exit(EXIT_FAILURE);
3079         }
3080         run_hooks(opts.hooks.createRuntime, post_create_runtime);
3081 }
3082 
3083 static void post_poststart(void);
3084 static void post_create_runtime(void)
3085 {
3086         char sig_buf[1];
3087 
3088         sig_buf[0] = 'O';
3089         if (write(pipes[3], sig_buf, 1) < 0) {
3090                 ERROR("can't write to child\n");
3091                 free_and_exit(-1);
3092         }
3093 
3094         jail_oci_state = OCI_STATE_CREATED;
3095         if (opts.ocibundle && !opts.immediately)
3096                 uloop_run(); /* wait for 'start' command via ubus */
3097         else
3098                 pipe_send_start_container(NULL);
3099 }
3100 
3101 static void pipe_send_start_container(struct uloop_timeout *t)
3102 {
3103         char sig_buf[1];
3104 
3105         jail_oci_state = OCI_STATE_RUNNING;
3106         sig_buf[0] = '!';
3107         if (write(pipes[3], sig_buf, 1) < 0) {
3108                 ERROR("can't write to child\n");
3109                 free_and_exit(-1);
3110         }
3111         close(pipes[3]);
3112 
3113         run_hooks(opts.hooks.poststart, post_poststart);
3114 }
3115 
3116 static void post_poststart(void)
3117 {
3118         uloop_run(); /* idle here while jail is running */
3119         if (jail_running) {
3120                 DEBUG("uloop interrupted, killing jail process\n");
3121                 kill(jail_process.pid, SIGTERM);
3122                 uloop_timeout_set(&jail_process_timeout, 1000);
3123                 uloop_run();
3124         }
3125         uloop_done();
3126         poststop();
3127 }
3128 
3129 static void post_poststop(void);
3130 static void poststop(void) {
3131         if (opts.namespace & CLONE_NEWNET) {
3132                 setns(netns_fd, CLONE_NEWNET);
3133                 jail_network_stop();
3134                 close(netns_fd);
3135         }
3136         run_hooks(opts.hooks.poststop, post_poststop);
3137 }
3138 
3139 static void post_poststop(void)
3140 {
3141         free_opts(true);
3142         if (parent_ctx)
3143                 ubus_free(parent_ctx);
3144 
3145         exit(jail_return_code);
3146 }
3147 

This page was automatically generated by LXR 0.3.1.  •  OpenWrt