1 /* 2 * Copyright (C) 2015 John Crispin <blogic@openwrt.org> 3 * Copyright (C) 2020 Daniel Golle <daniel@makrotopia.org> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU Lesser General Public License version 2.1 7 * as published by the Free Software Foundation 8 * 9 * This program is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 * GNU General Public License for more details. 13 */ 14 15 #define _GNU_SOURCE 16 #include <sys/mount.h> 17 #include <sys/prctl.h> 18 #include <sys/wait.h> 19 #include <sys/types.h> 20 #include <sys/time.h> 21 #include <sys/resource.h> 22 #include <sys/stat.h> 23 #include <sys/sysmacros.h> 24 25 /* musl only defined 15 limit types, make sure all 16 are supported */ 26 #ifndef RLIMIT_RTTIME 27 #define RLIMIT_RTTIME 15 28 #undef RLIMIT_NLIMITS 29 #define RLIMIT_NLIMITS 16 30 #undef RLIM_NLIMITS 31 #define RLIM_NLIMITS 16 32 #endif 33 34 #include <assert.h> 35 #include <stdlib.h> 36 #include <unistd.h> 37 #include <errno.h> 38 #include <pwd.h> 39 #include <grp.h> 40 #include <string.h> 41 #include <fcntl.h> 42 #include <sched.h> 43 #include <linux/filter.h> 44 #include <linux/limits.h> 45 #include <linux/nsfs.h> 46 #include <linux/securebits.h> 47 #include <signal.h> 48 #include <inttypes.h> 49 50 #include "capabilities.h" 51 #include "elf.h" 52 #include "fs.h" 53 #include "jail.h" 54 #include "log.h" 55 #include "seccomp-oci.h" 56 #include "cgroups.h" 57 #include "netifd.h" 58 59 #include <libubox/blobmsg.h> 60 #include <libubox/blobmsg_json.h> 61 #include <libubox/list.h> 62 #include <libubox/vlist.h> 63 #include <libubox/uloop.h> 64 #include <libubox/utils.h> 65 #include <libubus.h> 66 67 #ifndef CLONE_NEWCGROUP 68 #define CLONE_NEWCGROUP 0x02000000 69 #endif 70 71 #define STACK_SIZE (1024 * 1024) 72 #define OPT_ARGS "cC:d:e:EfFG:h:ij:J:ln:NoO:pP:r:R:sS:uU:w:t:T:y" 73 74 #define OCI_VERSION_STRING "1.0.2" 75 76 struct hook_execvpe { 77 char *file; 78 char **argv; 79 char **envp; 80 int timeout; 81 }; 82 83 struct sysctl_val { 84 char *entry; 85 char *value; 86 }; 87 88 struct mknod_args { 89 char *path; 90 mode_t mode; 91 dev_t dev; 92 uid_t uid; 93 gid_t gid; 94 }; 95 96 static struct { 97 char *name; 98 char *hostname; 99 char **jail_argv; 100 char *cwd; 101 char *seccomp; 102 struct sock_fprog *ociseccomp; 103 char *capabilities; 104 struct jail_capset capset; 105 char *user; 106 char *group; 107 char *extroot; 108 char *overlaydir; 109 char *tmpoverlaysize; 110 char **envp; 111 char *uidmap; 112 char *gidmap; 113 char *pidfile; 114 struct sysctl_val **sysctl; 115 int no_new_privs; 116 int namespace; 117 struct { 118 int pid; 119 int net; 120 int ns; 121 int ipc; 122 int uts; 123 int user; 124 int cgroup; 125 #ifdef CLONE_NEWTIME 126 int time; 127 #endif 128 } setns; 129 int procfs; 130 int ronly; 131 int sysfs; 132 int console; 133 int pw_uid; 134 int pw_gid; 135 int gr_gid; 136 int root_map_uid; 137 gid_t *additional_gids; 138 size_t num_additional_gids; 139 mode_t umask; 140 bool set_umask; 141 int require_jail; 142 struct { 143 struct hook_execvpe **createRuntime; 144 struct hook_execvpe **createContainer; 145 struct hook_execvpe **startContainer; 146 struct hook_execvpe **poststart; 147 struct hook_execvpe **poststop; 148 } hooks; 149 struct rlimit *rlimits[RLIM_NLIMITS]; 150 int oom_score_adj; 151 bool set_oom_score_adj; 152 struct mknod_args **devices; 153 char *ocibundle; 154 bool immediately; 155 struct blob_attr *annotations; 156 int term_timeout; 157 } opts; 158 159 static struct blob_buf ocibuf; 160 161 extern int pivot_root(const char *new_root, const char *put_old); 162 163 int debug = 0; 164 165 static char child_stack[STACK_SIZE]; 166 167 static struct ubus_context *parent_ctx; 168 169 int console_fd; 170 171 172 static inline bool has_namespaces(void) 173 { 174 return ((opts.setns.pid != -1) || 175 (opts.setns.net != -1) || 176 (opts.setns.ns != -1) || 177 (opts.setns.ipc != -1) || 178 (opts.setns.uts != -1) || 179 (opts.setns.user != -1) || 180 (opts.setns.cgroup != -1) || 181 #ifdef CLONE_NEWTIME 182 (opts.setns.time != -1) || 183 #endif 184 opts.namespace); 185 } 186 187 static void free_oci_envp(char **p) { 188 char **tmp; 189 190 if (p) { 191 tmp = p; 192 while (*tmp) 193 free(*(tmp++)); 194 195 free(p); 196 } 197 } 198 199 static void free_hooklist(struct hook_execvpe **hooklist) 200 { 201 struct hook_execvpe *cur; 202 203 if (!hooklist) 204 return; 205 206 cur = *hooklist; 207 while (cur) { 208 free_oci_envp(cur->argv); 209 free_oci_envp(cur->envp); 210 free(cur->file); 211 free(cur++); 212 } 213 free(hooklist); 214 } 215 216 static void free_sysctl(void) { 217 struct sysctl_val *cur; 218 cur = *opts.sysctl; 219 220 while (cur) { 221 free(cur->entry); 222 free(cur->value); 223 free(cur++); 224 } 225 free(opts.sysctl); 226 } 227 228 static void free_devices(void) { 229 struct mknod_args **cur; 230 231 if (!opts.devices) 232 return; 233 234 cur = opts.devices; 235 236 while (*cur) { 237 free((*cur)->path); 238 free(*(cur++)); 239 } 240 free(opts.devices); 241 } 242 243 static void free_rlimits(void) { 244 int type; 245 246 for (type = 0; type < RLIM_NLIMITS; ++type) 247 free(opts.rlimits[type]); 248 } 249 250 static void free_opts(bool parent) { 251 252 free_library_search(); 253 mount_free(); 254 cgroups_free(); 255 256 /* we need to keep argv, envp and seccomp filter in child */ 257 if (parent) { /* parent-only */ 258 if (opts.ociseccomp) { 259 free(opts.ociseccomp->filter); 260 free(opts.ociseccomp); 261 } 262 263 free_oci_envp(opts.jail_argv); 264 free_oci_envp(opts.envp); 265 } 266 267 free_rlimits(); 268 free_sysctl(); 269 free_devices(); 270 free(opts.hostname); 271 free(opts.cwd); 272 free(opts.uidmap); 273 free(opts.gidmap); 274 free(opts.annotations); 275 free(opts.extroot); 276 free(opts.overlaydir); 277 free_hooklist(opts.hooks.createRuntime); 278 free_hooklist(opts.hooks.createContainer); 279 free_hooklist(opts.hooks.startContainer); 280 free_hooklist(opts.hooks.poststart); 281 free_hooklist(opts.hooks.poststop); 282 } 283 284 static int mount_overlay(char *jail_root, char *overlaydir) { 285 char *upperdir, *workdir, *optsstr, *upperetc, *upperresolvconf; 286 const char mountoptsformat[] = "lowerdir=%s,upperdir=%s,workdir=%s"; 287 int ret = -1, fd; 288 289 if (asprintf(&upperdir, "%s%s", overlaydir, "/upper") < 0) 290 goto out; 291 292 if (asprintf(&workdir, "%s%s", overlaydir, "/work") < 0) 293 goto upper_printf; 294 295 if (asprintf(&optsstr, mountoptsformat, jail_root, upperdir, workdir) < 0) 296 goto work_printf; 297 298 if (mkdir_p(upperdir, 0755) || mkdir_p(workdir, 0755)) 299 goto opts_printf; 300 301 /* 302 * make sure /etc/resolv.conf exists in overlay and is owned by jail userns root 303 * this is to work-around a bug in overlayfs described in the overlayfs-userns 304 * patch: 305 * 3. modification of a file 'hithere' which is in l but not yet 306 * in u, and which is not owned by T, is not allowed, even if 307 * writes to u are allowed. This may be a bug in overlayfs, 308 * but it is safe behavior. 309 */ 310 if (asprintf(&upperetc, "%s/etc", upperdir) < 0) 311 goto opts_printf; 312 313 if (mkdir_p(upperetc, 0755)) 314 goto upper_etc_printf; 315 316 if (asprintf(&upperresolvconf, "%s/resolv.conf", upperetc) < 0) 317 goto upper_etc_printf; 318 319 fd = creat(upperresolvconf, 0644); 320 if (fd < 0) { 321 if (errno != EEXIST) 322 ERROR("creat(%s) failed: %m\n", upperresolvconf); 323 } else { 324 close(fd); 325 } 326 DEBUG("mount -t overlay %s %s (%s)\n", jail_root, jail_root, optsstr); 327 328 if (mount(jail_root, jail_root, "overlay", MS_NOATIME, optsstr)) 329 goto upper_resolvconf_printf; 330 331 ret = 0; 332 333 upper_resolvconf_printf: 334 free(upperresolvconf); 335 upper_etc_printf: 336 free(upperetc); 337 opts_printf: 338 free(optsstr); 339 work_printf: 340 free(workdir); 341 upper_printf: 342 free(upperdir); 343 out: 344 return ret; 345 } 346 347 static void pass_console(int console_fd) 348 { 349 struct ubus_context *child_ctx = ubus_connect(NULL); 350 static struct blob_buf req; 351 uint32_t id; 352 353 if (!child_ctx) 354 return; 355 356 blob_buf_init(&req, 0); 357 blobmsg_add_string(&req, "name", opts.name); 358 359 if (ubus_lookup_id(child_ctx, "container", &id) || 360 ubus_invoke_fd(child_ctx, id, "console_set", req.head, NULL, NULL, 3000, console_fd)) 361 INFO("ubus request failed\n"); 362 else 363 close(console_fd); 364 365 blob_buf_free(&req); 366 ubus_free(child_ctx); 367 } 368 369 static int create_dev_console(const char *jail_root) 370 { 371 char *console_fname; 372 char dev_console_path[PATH_MAX]; 373 int slave_console_fd; 374 375 /* Open UNIX/98 virtual console */ 376 console_fd = posix_openpt(O_RDWR | O_NOCTTY); 377 if (console_fd < 0) 378 return -1; 379 380 console_fname = ptsname(console_fd); 381 DEBUG("got console fd %d and PTS client name %s\n", console_fd, console_fname); 382 if (!console_fname) 383 goto no_console; 384 385 grantpt(console_fd); 386 unlockpt(console_fd); 387 388 /* pass PTY master to procd */ 389 pass_console(console_fd); 390 391 /* mount-bind PTY slave to /dev/console in jail */ 392 snprintf(dev_console_path, sizeof(dev_console_path), "%s/dev/console", jail_root); 393 close(creat(dev_console_path, 0620)); 394 395 if (mount(console_fname, dev_console_path, "bind", MS_BIND, NULL)) 396 goto no_console; 397 398 /* use PTY slave for stdio */ 399 slave_console_fd = open(console_fname, O_RDWR); /* | O_NOCTTY */ 400 if (slave_console_fd < 0) 401 goto no_console; 402 403 dup2(slave_console_fd, 0); 404 dup2(slave_console_fd, 1); 405 dup2(slave_console_fd, 2); 406 close(slave_console_fd); 407 408 INFO("using guest console %s\n", console_fname); 409 410 return 0; 411 412 no_console: 413 close(console_fd); 414 return 1; 415 } 416 417 static int hook_running = 0; 418 static int hook_return_code = 0; 419 static struct hook_execvpe **current_hook = NULL; 420 typedef void (*hook_return_handler)(void); 421 static hook_return_handler hook_return_cb = NULL; 422 423 static void hook_process_timeout_cb(struct uloop_timeout *t); 424 static struct uloop_timeout hook_process_timeout = { 425 .cb = hook_process_timeout_cb, 426 }; 427 428 static void run_hooklist(void); 429 static void hook_process_handler(struct uloop_process *c, int ret) 430 { 431 uloop_timeout_cancel(&hook_process_timeout); 432 433 if (WIFEXITED(ret)) { 434 hook_return_code = WEXITSTATUS(ret); 435 if (hook_return_code) 436 ERROR("hook (%d) exited with exit: %d\n", c->pid, hook_return_code); 437 else 438 DEBUG("hook (%d) exited with exit: %d\n", c->pid, hook_return_code); 439 440 } else { 441 hook_return_code = WTERMSIG(ret); 442 ERROR("hook (%d) exited with signal: %d\n", c->pid, hook_return_code); 443 } 444 hook_running = 0; 445 ++current_hook; 446 run_hooklist(); 447 } 448 449 static struct uloop_process hook_process = { 450 .cb = hook_process_handler, 451 }; 452 453 static void hook_process_timeout_cb(struct uloop_timeout *t) 454 { 455 DEBUG("hook process failed to stop, sending SIGKILL\n"); 456 kill(hook_process.pid, SIGKILL); 457 } 458 459 static void run_hooklist(void) 460 { 461 struct hook_execvpe *hook = *current_hook; 462 struct stat s; 463 464 if (!hook) 465 return hook_return_cb(); 466 467 DEBUG("executing hook %s\n", hook->file); 468 469 if (stat(hook->file, &s)) 470 hook_process_handler(&hook_process, ENOENT); 471 472 if (!((unsigned long)s.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) 473 hook_process_handler(&hook_process, EPERM); 474 475 hook_running = 1; 476 hook_process.pid = fork(); 477 if (hook_process.pid == 0) { 478 /* child */ 479 execve(hook->file, hook->argv, hook->envp); 480 ERROR("execve error %m\n"); 481 _exit(errno); 482 } else if (hook_process.pid < 0) { 483 /* fork error */ 484 ERROR("hook fork error\n"); 485 hook_running = 0; 486 hook_process_handler(&hook_process, errno); 487 } 488 489 /* parent */ 490 uloop_process_add(&hook_process); 491 492 if (hook->timeout > 0) 493 uloop_timeout_set(&hook_process_timeout, 1000 * hook->timeout); 494 495 uloop_run(); 496 if (hook_running) { 497 DEBUG("uloop interrupted, killing jail process\n"); 498 kill(hook_process.pid, SIGTERM); 499 uloop_timeout_set(&hook_process_timeout, 1000); 500 uloop_run(); 501 } 502 } 503 504 static void run_hooks(struct hook_execvpe **hooklist, hook_return_handler return_cb) 505 { 506 if (!hooklist) 507 return_cb(); 508 509 current_hook = hooklist; 510 hook_return_cb = return_cb; 511 512 run_hooklist(); 513 } 514 515 static int apply_sysctl(const char *jail_root) 516 { 517 struct sysctl_val **cur; 518 char *procdir, *fname; 519 int f; 520 521 if (!opts.sysctl) 522 return 0; 523 524 if (asprintf(&procdir, "%s/proc", jail_root) < 0) 525 return ENOMEM; 526 527 mkdir(procdir, 0700); 528 if (mount("proc", procdir, "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0)) 529 return EPERM; 530 531 cur = opts.sysctl; 532 533 while (*cur) { 534 if (asprintf(&fname, "%s/sys/%s", procdir, (*cur)->entry) < 0) 535 return ENOMEM; 536 537 DEBUG("sysctl: writing '%s' to %s\n", (*cur)->value, fname); 538 539 f = open(fname, O_WRONLY); 540 if (f < 0) { 541 ERROR("sysctl: can't open %s\n", fname); 542 free(fname); 543 return errno; 544 } 545 if (write(f, (*cur)->value, strlen((*cur)->value)) < 0) { 546 ERROR("sysctl: write to %s\n", fname); 547 free(fname); 548 close(f); 549 return errno; 550 } 551 552 free(fname); 553 close(f); 554 ++cur; 555 } 556 umount(procdir); 557 rmdir(procdir); 558 free(procdir); 559 560 return 0; 561 } 562 563 /* glibc defines makedev calling a function. make sure it's a pure macro */ 564 #if defined(__GLIBC__) 565 #undef makedev 566 /* from musl's sys/sysmacros.h */ 567 #define makedev(x,y) ( \ 568 (((x)&0xfffff000ULL) << 32) | \ 569 (((x)&0x00000fffULL) << 8) | \ 570 (((y)&0xffffff00ULL) << 12) | \ 571 (((y)&0x000000ffULL)) ) 572 #endif 573 574 static struct mknod_args default_devices[] = { 575 { .path = "/dev/null", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 3) }, 576 { .path = "/dev/zero", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 5) }, 577 { .path = "/dev/full", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 7) }, 578 { .path = "/dev/random", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 8) }, 579 { .path = "/dev/urandom", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 9) }, 580 { .path = "/dev/tty", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP), .dev = makedev(5, 0), .gid = 5 }, 581 { 0 }, 582 }; 583 584 static int create_devices(void) 585 { 586 struct mknod_args **cur, *curdef; 587 char *path, *tmp; 588 int ret; 589 590 if (!opts.devices) 591 goto only_default_devices; 592 593 cur = opts.devices; 594 595 while (*cur) { 596 path = (*cur)->path; 597 /* don't allow devices outside of /dev */ 598 if (strncmp(path, "/dev", 4)) 599 return EPERM; 600 601 /* make sure parent folder exists */ 602 tmp = strrchr(path, '/'); 603 if (!tmp) 604 return EINVAL; 605 606 *tmp = '\0'; 607 if (strcmp(path, "/dev")) { 608 DEBUG("creating directory %s\n", path); 609 610 mkdir_p(path, 0755); 611 } 612 *tmp = '/'; 613 614 DEBUG("creating %s (mode=%08o)\n", path, (*cur)->mode); 615 616 /* create device */ 617 if (mknod(path, (*cur)->mode, (*cur)->dev)) 618 return errno; 619 620 /* change owner, if needed */ 621 if (((*cur)->uid || (*cur)->gid) && 622 chown(path, (*cur)->uid, (*cur)->gid)) 623 return errno; 624 625 ++cur; 626 } 627 628 only_default_devices: 629 curdef = default_devices; 630 while(curdef->path) { 631 DEBUG("creating %s (mode=%08o)\n", curdef->path, curdef->mode); 632 if (mknod(curdef->path, curdef->mode, curdef->dev)) { 633 ++curdef; 634 continue; /* may already exist, eg. due to a bind-mount */ 635 } 636 if ((curdef->uid || curdef->gid) && 637 chown(curdef->path, curdef->uid, curdef->gid)) 638 return errno; 639 640 ++curdef; 641 } 642 643 /* Dev symbolic links as defined in OCI spec */ 644 ret = symlink("/dev/pts/ptmx", "/dev/ptmx"); 645 if (ret < 0) 646 WARNING("symlink() failed to create link to /dev/pts/ptmx"); 647 648 ret = symlink("/proc/self/fd", "/dev/fd"); 649 if (ret < 0) 650 WARNING("symlink() failed to create link to /proc/self/fd"); 651 652 ret = symlink("/proc/self/fd/0", "/dev/stdin"); 653 if (ret < 0) 654 WARNING("symlink() failed to create link to /proc/self/fd/0"); 655 656 ret = symlink("/proc/self/fd/1", "/dev/stdout"); 657 if (ret < 0) 658 WARNING("symlink() failed to create link to /proc/self/fd/1"); 659 660 ret = symlink("/proc/self/fd/2", "/dev/stderr"); 661 if (ret < 0) 662 WARNING("symlink() failed to create link to /proc/self/fd/2"); 663 664 return 0; 665 } 666 667 static char jail_root[] = "/tmp/ujail-XXXXXX"; 668 static char tmpovdir[] = "/tmp/ujail-overlay-XXXXXX"; 669 static mode_t old_umask; 670 static void enter_jail_fs(void); 671 static int build_jail_fs(void) 672 { 673 char *overlaydir = NULL; 674 int ret; 675 676 old_umask = umask(0); 677 678 if (mkdtemp(jail_root) == NULL) { 679 ERROR("mkdtemp(%s) failed: %m\n", jail_root); 680 return -1; 681 } 682 683 if (apply_sysctl(jail_root)) { 684 ERROR("failed to apply sysctl values\n"); 685 return -1; 686 } 687 688 /* oldroot can't be MS_SHARED else pivot_root() fails */ 689 if (mount("none", "/", "none", MS_REC|MS_PRIVATE, NULL)) { 690 ERROR("private mount failed %m\n"); 691 return -1; 692 } 693 694 if (opts.extroot) { 695 if (mount(opts.extroot, jail_root, "bind", MS_BIND, NULL)) { 696 ERROR("extroot mount failed %m\n"); 697 return -1; 698 } 699 } else { 700 if (mount("tmpfs", jail_root, "tmpfs", MS_NOATIME, "mode=0755")) { 701 ERROR("tmpfs mount failed %m\n"); 702 return -1; 703 } 704 } 705 706 if (opts.tmpoverlaysize) { 707 char mountoptsstr[] = "mode=0755,size=XXXXXXXX"; 708 709 snprintf(mountoptsstr, sizeof(mountoptsstr), 710 "mode=0755,size=%s", opts.tmpoverlaysize); 711 if (mkdtemp(tmpovdir) == NULL) { 712 ERROR("mkdtemp(%s) failed: %m\n", jail_root); 713 return -1; 714 } 715 if (mount("tmpfs", tmpovdir, "tmpfs", MS_NOATIME, 716 mountoptsstr)) { 717 ERROR("failed to mount tmpfs for overlay (size=%s)\n", opts.tmpoverlaysize); 718 return -1; 719 } 720 overlaydir = tmpovdir; 721 } 722 723 if (opts.overlaydir) 724 overlaydir = opts.overlaydir; 725 726 if (overlaydir) { 727 ret = mount_overlay(jail_root, overlaydir); 728 if (ret) 729 return ret; 730 } 731 732 if (chdir(jail_root)) { 733 ERROR("chdir(%s) (jail_root) failed: %m\n", jail_root); 734 return -1; 735 } 736 737 if (mount_all(jail_root)) { 738 ERROR("mount_all() failed\n"); 739 return -1; 740 } 741 742 if (opts.console) 743 create_dev_console(jail_root); 744 745 /* make sure /etc/resolv.conf exists if in new network namespace */ 746 if (opts.namespace & CLONE_NEWNET) { 747 char jailetc[PATH_MAX], jaillink[PATH_MAX]; 748 749 snprintf(jailetc, PATH_MAX, "%s/etc", jail_root); 750 mkdir_p(jailetc, 0755); 751 snprintf(jaillink, PATH_MAX, "%s/etc/resolv.conf", jail_root); 752 if (overlaydir) 753 unlink(jaillink); 754 755 ret = symlink("../dev/resolv.conf.d/resolv.conf.auto", jaillink); 756 if (ret < 0) 757 WARNING("symlink() failed to create link to ../dev/resolv.conf.d/resolv.conf.auto"); 758 } 759 760 run_hooks(opts.hooks.createContainer, enter_jail_fs); 761 762 return 0; 763 } 764 765 static bool exit_from_child; 766 static void free_and_exit(int ret) 767 { 768 if (!exit_from_child && opts.ocibundle) 769 cgroups_free(); 770 771 if (!exit_from_child && parent_ctx) 772 ubus_free(parent_ctx); 773 774 free_opts(!exit_from_child); 775 776 exit(ret); 777 } 778 779 static void post_jail_fs(void); 780 static void enter_jail_fs(void) 781 { 782 char dirbuf[sizeof(jail_root) + 4]; 783 784 snprintf(dirbuf, sizeof(dirbuf), "%s/old", jail_root); 785 mkdir(dirbuf, 0755); 786 787 if (pivot_root(jail_root, dirbuf) == -1) { 788 ERROR("pivot_root(%s, %s) failed: %m\n", jail_root, dirbuf); 789 free_and_exit(-1); 790 } 791 if (chdir("/")) { 792 ERROR("chdir(/) (after pivot_root) failed: %m\n"); 793 free_and_exit(-1); 794 } 795 796 snprintf(dirbuf, sizeof(dirbuf), "/old%s", jail_root); 797 umount2(dirbuf, MNT_DETACH); 798 rmdir(dirbuf); 799 if (opts.tmpoverlaysize) { 800 char tmpdirbuf[sizeof(tmpovdir) + 4]; 801 snprintf(tmpdirbuf, sizeof(tmpdirbuf), "/old%s", tmpovdir); 802 umount2(tmpdirbuf, MNT_DETACH); 803 rmdir(tmpdirbuf); 804 } 805 806 umount2("/old", MNT_DETACH); 807 rmdir("/old"); 808 809 if (create_devices()) { 810 ERROR("create_devices() failed\n"); 811 free_and_exit(-1); 812 } 813 if (opts.ronly) 814 mount(NULL, "/", "bind", MS_REMOUNT | MS_BIND | MS_RDONLY, 0); 815 816 umask(old_umask); 817 post_jail_fs(); 818 } 819 820 static int write_uid_gid_map(pid_t child_pid, bool gidmap, char *mapstr) 821 { 822 int map_file; 823 char map_path[64]; 824 825 if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s", 826 child_pid, gidmap?"gid_map":"uid_map") < 0) 827 return -1; 828 829 if ((map_file = open(map_path, O_WRONLY)) < 0) 830 return -1; 831 832 if (dprintf(map_file, "%s", mapstr)) { 833 close(map_file); 834 return -1; 835 } 836 837 close(map_file); 838 return 0; 839 } 840 841 static int write_single_uid_gid_map(pid_t child_pid, bool gidmap, int id) 842 { 843 int map_file; 844 char map_path[64]; 845 const char *map_format = "%d %d %d\n"; 846 if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s", 847 child_pid, gidmap?"gid_map":"uid_map") < 0) 848 return -1; 849 850 if ((map_file = open(map_path, O_WRONLY)) < 0) 851 return -1; 852 853 if (dprintf(map_file, map_format, 0, id, 1) < 0) { 854 close(map_file); 855 return -1; 856 } 857 858 close(map_file); 859 return 0; 860 } 861 862 static int write_setgroups(pid_t child_pid, bool allow) 863 { 864 int setgroups_file; 865 char setgroups_path[64]; 866 867 if (snprintf(setgroups_path, sizeof(setgroups_path), "/proc/%d/setgroups", 868 child_pid) < 0) { 869 return -1; 870 } 871 872 if ((setgroups_file = open(setgroups_path, O_WRONLY)) < 0) { 873 return -1; 874 } 875 876 if (dprintf(setgroups_file, "%s", allow?"allow":"deny") == -1) { 877 close(setgroups_file); 878 return -1; 879 } 880 881 close(setgroups_file); 882 return 0; 883 } 884 885 static void get_jail_user(int *user, int *user_gid, int *gr_gid) 886 { 887 struct passwd *p = NULL; 888 struct group *g = NULL; 889 890 if (opts.user) { 891 p = getpwnam(opts.user); 892 if (!p) { 893 ERROR("failed to get uid/gid for user %s: %d (%s)\n", 894 opts.user, errno, strerror(errno)); 895 free_and_exit(EXIT_FAILURE); 896 } 897 *user = p->pw_uid; 898 *user_gid = p->pw_gid; 899 } else { 900 *user = -1; 901 *user_gid = -1; 902 } 903 904 if (opts.group) { 905 g = getgrnam(opts.group); 906 if (!g) { 907 ERROR("failed to get gid for group %s: %m\n", opts.group); 908 free_and_exit(EXIT_FAILURE); 909 } 910 *gr_gid = g->gr_gid; 911 } else { 912 *gr_gid = -1; 913 } 914 }; 915 916 static void set_jail_user(int pw_uid, int user_gid, int gr_gid) 917 { 918 if (opts.user && (user_gid != -1) && initgroups(opts.user, user_gid)) { 919 ERROR("failed to initgroups() for user %s: %m\n", opts.user); 920 free_and_exit(EXIT_FAILURE); 921 } 922 923 if ((gr_gid != -1) && setregid(gr_gid, gr_gid)) { 924 ERROR("failed to set group id %d: %m\n", gr_gid); 925 free_and_exit(EXIT_FAILURE); 926 } 927 928 if ((pw_uid != -1) && setreuid(pw_uid, pw_uid)) { 929 ERROR("failed to set user id %d: %m\n", pw_uid); 930 free_and_exit(EXIT_FAILURE); 931 } 932 } 933 934 static int apply_rlimits(void) 935 { 936 int resource; 937 938 for (resource = 0; resource < RLIM_NLIMITS; ++resource) { 939 if (opts.rlimits[resource]) 940 DEBUG("applying limits to resource %u\n", resource); 941 942 if (opts.rlimits[resource] && 943 setrlimit(resource, opts.rlimits[resource])) 944 return errno; 945 } 946 947 return 0; 948 } 949 950 #define MAX_ENVP 64 951 static char** build_envp(const char *seccomp, char **ocienvp) 952 { 953 static char *envp[MAX_ENVP]; 954 static char preload_var[PATH_MAX]; 955 static char seccomp_var[PATH_MAX]; 956 static char seccomp_debug_var[20]; 957 static char debug_var[] = "LD_DEBUG=all"; 958 static char container_var[] = "container=ujail"; 959 const char *preload_lib = find_lib("libpreload-seccomp.so"); 960 char **addenv; 961 962 int count = 0; 963 964 if (seccomp && !preload_lib) { 965 ERROR("failed to add preload-lib to env\n"); 966 return NULL; 967 } 968 if (seccomp) { 969 snprintf(seccomp_var, sizeof(seccomp_var), "SECCOMP_FILE=%s", seccomp); 970 envp[count++] = seccomp_var; 971 snprintf(seccomp_debug_var, sizeof(seccomp_debug_var), "SECCOMP_DEBUG=%2d", debug); 972 envp[count++] = seccomp_debug_var; 973 snprintf(preload_var, sizeof(preload_var), "LD_PRELOAD=%s", preload_lib); 974 envp[count++] = preload_var; 975 } 976 977 envp[count++] = container_var; 978 979 if (debug > 1) 980 envp[count++] = debug_var; 981 982 addenv = ocienvp; 983 while (addenv && *addenv) { 984 envp[count++] = *(addenv++); 985 if (count >= MAX_ENVP) { 986 ERROR("environment limited to %d extra records, truncating\n", MAX_ENVP); 987 break; 988 } 989 } 990 return envp; 991 } 992 993 static void usage(void) 994 { 995 fprintf(stderr, "ujail <options> -- <binary> <params ...>\n"); 996 fprintf(stderr, " -d <num>\tshow debug log (increase num to increase verbosity)\n"); 997 fprintf(stderr, " -S <file>\tseccomp filter config\n"); 998 fprintf(stderr, " -C <file>\tcapabilities drop config\n"); 999 fprintf(stderr, " -c\t\tset PR_SET_NO_NEW_PRIVS\n"); 1000 fprintf(stderr, " -n <name>\tthe name of the jail\n"); 1001 fprintf(stderr, " -e <var>\timport environment variable\n"); 1002 fprintf(stderr, "namespace jail options:\n"); 1003 fprintf(stderr, " -h <hostname>\tchange the hostname of the jail\n"); 1004 fprintf(stderr, " -N\t\tjail has network namespace\n"); 1005 fprintf(stderr, " -f\t\tjail has user namespace\n"); 1006 fprintf(stderr, " -F\t\tjail has cgroups namespace\n"); 1007 fprintf(stderr, " -r <file>\treadonly files that should be staged\n"); 1008 fprintf(stderr, " -w <file>\twriteable files that should be staged\n"); 1009 fprintf(stderr, " -p\t\tjail has /proc\n"); 1010 fprintf(stderr, " -s\t\tjail has /sys\n"); 1011 fprintf(stderr, " -l\t\tjail has /dev/log\n"); 1012 fprintf(stderr, " -u\t\tjail has a ubus socket\n"); 1013 fprintf(stderr, " -U <name>\tuser to run jailed process\n"); 1014 fprintf(stderr, " -G <name>\tgroup to run jailed process\n"); 1015 fprintf(stderr, " -o\t\tremont jail root (/) read only\n"); 1016 fprintf(stderr, " -R <dir>\texternal jail rootfs (system container)\n"); 1017 fprintf(stderr, " -O <dir>\tdirectory for r/w overlayfs\n"); 1018 fprintf(stderr, " -T <size>\tuse tmpfs r/w overlayfs with <size>\n"); 1019 fprintf(stderr, " -E\t\tfail if jail cannot be setup\n"); 1020 fprintf(stderr, " -y\t\tprovide jail console\n"); 1021 fprintf(stderr, " -J <dir>\tcreate container from OCI bundle\n"); 1022 fprintf(stderr, " -i\t\tstart container immediately\n"); 1023 fprintf(stderr, " -P <pidfile>\tcreate <pidfile>\n"); 1024 fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\ 1025 and he has the same powers as root outside the jail,\n\ 1026 thus he can escape the jail and/or break stuff.\n\ 1027 Please use seccomp/capabilities (-S/-C) to restrict his powers\n\n\ 1028 If you use none of the namespace jail options,\n\ 1029 ujail will not use namespace/build a jail,\n\ 1030 and will only drop capabilities/apply seccomp filter.\n\n"); 1031 } 1032 1033 static int* get_namespace_fd(const unsigned int nstype) 1034 { 1035 switch (nstype) { 1036 case CLONE_NEWPID: 1037 return &opts.setns.pid; 1038 case CLONE_NEWNET: 1039 return &opts.setns.net; 1040 case CLONE_NEWNS: 1041 return &opts.setns.ns; 1042 case CLONE_NEWIPC: 1043 return &opts.setns.ipc; 1044 case CLONE_NEWUTS: 1045 return &opts.setns.uts; 1046 case CLONE_NEWUSER: 1047 return &opts.setns.user; 1048 case CLONE_NEWCGROUP: 1049 return &opts.setns.cgroup; 1050 #ifdef CLONE_NEWTIME 1051 case CLONE_NEWTIME: 1052 return &opts.setns.time; 1053 #endif 1054 default: 1055 return NULL; 1056 } 1057 } 1058 1059 static int setns_open(unsigned long nstype) 1060 { 1061 int *fd = get_namespace_fd(nstype); 1062 1063 assert(fd != NULL); 1064 1065 if (*fd < 0) 1066 return 0; 1067 1068 if (setns(*fd, nstype) == -1) { 1069 close(*fd); 1070 return errno; 1071 } 1072 1073 close(*fd); 1074 return 0; 1075 } 1076 1077 static int jail_running = 0; 1078 static int jail_return_code = 0; 1079 1080 static void jail_process_timeout_cb(struct uloop_timeout *t); 1081 static struct uloop_timeout jail_process_timeout = { 1082 .cb = jail_process_timeout_cb, 1083 }; 1084 static void poststop(void); 1085 static void jail_process_handler(struct uloop_process *c, int ret) 1086 { 1087 uloop_timeout_cancel(&jail_process_timeout); 1088 if (WIFEXITED(ret)) { 1089 jail_return_code = WEXITSTATUS(ret); 1090 INFO("jail (%d) exited with exit: %d\n", c->pid, jail_return_code); 1091 } else { 1092 jail_return_code = WTERMSIG(ret); 1093 INFO("jail (%d) exited with signal: %d\n", c->pid, jail_return_code); 1094 } 1095 jail_running = 0; 1096 poststop(); 1097 } 1098 1099 static struct uloop_process jail_process = { 1100 .cb = jail_process_handler, 1101 }; 1102 1103 static void jail_process_timeout_cb(struct uloop_timeout *t) 1104 { 1105 DEBUG("jail process failed to stop, sending SIGKILL\n"); 1106 kill(jail_process.pid, SIGKILL); 1107 } 1108 1109 static void jail_handle_signal(int signo) 1110 { 1111 if (hook_running) { 1112 DEBUG("forwarding signal %d to the hook process\n", signo); 1113 kill(hook_process.pid, signo); 1114 /* set timeout to send SIGKILL hook process in case SIGTERM doesn't succeed */ 1115 if (signo == SIGTERM) 1116 uloop_timeout_set(&hook_process_timeout, opts.term_timeout * 1000); 1117 } 1118 1119 if (jail_running) { 1120 DEBUG("forwarding signal %d to the jailed process\n", signo); 1121 kill(jail_process.pid, signo); 1122 /* set timeout to send SIGKILL jail process in case SIGTERM doesn't succeed */ 1123 if (signo == SIGTERM) 1124 uloop_timeout_set(&jail_process_timeout, opts.term_timeout * 1000); 1125 } 1126 } 1127 1128 static void signals_init(void) 1129 { 1130 int i; 1131 sigset_t sigmask; 1132 1133 sigfillset(&sigmask); 1134 for (i = 0; i < _NSIG; i++) { 1135 struct sigaction s = { 0 }; 1136 1137 if (!sigismember(&sigmask, i)) 1138 continue; 1139 if ((i == SIGCHLD) || (i == SIGPIPE) || (i == SIGSEGV) || (i == SIGSTOP) || (i == SIGKILL)) 1140 continue; 1141 1142 s.sa_handler = jail_handle_signal; 1143 sigaction(i, &s, NULL); 1144 } 1145 } 1146 1147 static void pre_exec_jail(struct uloop_timeout *t); 1148 static struct uloop_timeout pre_exec_timeout = { 1149 .cb = pre_exec_jail, 1150 }; 1151 1152 int pipes[4]; 1153 static int exec_jail(void *arg) 1154 { 1155 char buf[1]; 1156 1157 exit_from_child = true; 1158 prctl(PR_SET_SECUREBITS, 0); 1159 1160 uloop_init(); 1161 signals_init(); 1162 1163 close(pipes[0]); 1164 close(pipes[3]); 1165 1166 setns_open(CLONE_NEWUSER); 1167 setns_open(CLONE_NEWNET); 1168 setns_open(CLONE_NEWNS); 1169 setns_open(CLONE_NEWIPC); 1170 setns_open(CLONE_NEWUTS); 1171 1172 buf[0] = 'i'; 1173 if (write(pipes[1], buf, 1) < 1) { 1174 ERROR("can't write to parent\n"); 1175 return EXIT_FAILURE; 1176 } 1177 close(pipes[1]); 1178 if (read(pipes[2], buf, 1) < 1) { 1179 ERROR("can't read from parent\n"); 1180 return EXIT_FAILURE; 1181 } 1182 if (buf[0] != 'O') { 1183 ERROR("parent had an error, child exiting\n"); 1184 return EXIT_FAILURE; 1185 } 1186 1187 if (opts.namespace & CLONE_NEWCGROUP) 1188 unshare(CLONE_NEWCGROUP); 1189 1190 setns_open(CLONE_NEWCGROUP); 1191 1192 if ((opts.namespace & CLONE_NEWUSER) || (opts.setns.user != -1)) { 1193 if (setregid(0, 0) < 0) { 1194 ERROR("setgid\n"); 1195 free_and_exit(EXIT_FAILURE); 1196 } 1197 if (setreuid(0, 0) < 0) { 1198 ERROR("setuid\n"); 1199 free_and_exit(EXIT_FAILURE); 1200 } 1201 if (setgroups(0, NULL) < 0) { 1202 ERROR("setgroups\n"); 1203 free_and_exit(EXIT_FAILURE); 1204 } 1205 } 1206 1207 if (opts.namespace && opts.hostname && strlen(opts.hostname) > 0 1208 && sethostname(opts.hostname, strlen(opts.hostname))) { 1209 ERROR("sethostname(%s) failed: %m\n", opts.hostname); 1210 free_and_exit(EXIT_FAILURE); 1211 } 1212 1213 uloop_timeout_add(&pre_exec_timeout); 1214 uloop_run(); 1215 1216 free_and_exit(-1); 1217 return -1; 1218 } 1219 1220 static void pre_exec_jail(struct uloop_timeout *t) 1221 { 1222 if ((opts.namespace & CLONE_NEWNS) && build_jail_fs()) { 1223 ERROR("failed to build jail fs\n"); 1224 free_and_exit(EXIT_FAILURE); 1225 } else { 1226 run_hooks(opts.hooks.createContainer, post_jail_fs); 1227 } 1228 } 1229 1230 static void post_start_hook(void); 1231 static void post_jail_fs(void) 1232 { 1233 char buf[1]; 1234 1235 if (read(pipes[2], buf, 1) < 1) { 1236 ERROR("can't read from parent\n"); 1237 free_and_exit(EXIT_FAILURE); 1238 } 1239 if (buf[0] != '!') { 1240 ERROR("parent had an error, child exiting\n"); 1241 free_and_exit(EXIT_FAILURE); 1242 } 1243 close(pipes[2]); 1244 1245 run_hooks(opts.hooks.startContainer, post_start_hook); 1246 } 1247 1248 static void post_start_hook(void) 1249 { 1250 int pw_uid, pw_gid, gr_gid; 1251 1252 /* 1253 * make sure setuid/setgid won't drop capabilities in case capabilities 1254 * have been specified explicitely. 1255 */ 1256 if (opts.capset.apply) { 1257 if (prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP)) { 1258 ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n"); 1259 free_and_exit(EXIT_FAILURE); 1260 } 1261 } 1262 1263 /* drop capabilities, retain those still needed to further setup jail */ 1264 if (applyOCIcapabilities(opts.capset, (1LLU << CAP_SETGID) | (1LLU << CAP_SETUID) | (1LLU << CAP_SETPCAP))) 1265 free_and_exit(EXIT_FAILURE); 1266 1267 /* use either cmdline-supplied user/group or uid/gid from OCI spec */ 1268 get_jail_user(&pw_uid, &pw_gid, &gr_gid); 1269 set_jail_user(opts.pw_uid?:pw_uid, opts.pw_gid?:pw_gid, opts.gr_gid?:gr_gid); 1270 1271 if (opts.additional_gids && 1272 (setgroups(opts.num_additional_gids, opts.additional_gids) < 0)) { 1273 ERROR("setgroups failed: %m\n"); 1274 free_and_exit(EXIT_FAILURE); 1275 } 1276 1277 if (opts.set_umask) 1278 umask(opts.umask); 1279 1280 /* restore securebits back to normal (and lock them if not in userns) */ 1281 if (opts.capset.apply) { 1282 if (prctl(PR_SET_SECUREBITS, (opts.namespace & CLONE_NEWUSER)?0: 1283 SECBIT_KEEP_CAPS_LOCKED|SECBIT_NO_SETUID_FIXUP_LOCKED|SECBIT_NOROOT_LOCKED)) { 1284 ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n"); 1285 free_and_exit(EXIT_FAILURE); 1286 } 1287 } 1288 1289 /* drop remaining capabilities to end up with specified sets */ 1290 if (applyOCIcapabilities(opts.capset, 0)) 1291 free_and_exit(EXIT_FAILURE); 1292 1293 if (opts.no_new_privs && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 1294 ERROR("prctl(PR_SET_NO_NEW_PRIVS) failed: %m\n"); 1295 free_and_exit(EXIT_FAILURE); 1296 } 1297 1298 char **envp = build_envp(opts.seccomp, opts.envp); 1299 if (!envp) 1300 free_and_exit(EXIT_FAILURE); 1301 1302 if (opts.cwd && chdir(opts.cwd)) 1303 free_and_exit(EXIT_FAILURE); 1304 1305 if (opts.ociseccomp && applyOCIlinuxseccomp(opts.ociseccomp)) 1306 free_and_exit(EXIT_FAILURE); 1307 1308 uloop_end(); 1309 free_opts(false); 1310 INFO("exec-ing %s\n", *opts.jail_argv); 1311 if (opts.envp) /* respect PATH if potentially set in ENV */ 1312 execvpe(*opts.jail_argv, opts.jail_argv, envp); 1313 else 1314 execve(*opts.jail_argv, opts.jail_argv, envp); 1315 1316 /* we get there only if execve fails */ 1317 ERROR("failed to execve %s: %m\n", *opts.jail_argv); 1318 exit(EXIT_FAILURE); 1319 } 1320 1321 int ns_open_pid(const char *nstype, const pid_t target_ns) 1322 { 1323 char pid_pid_path[PATH_MAX]; 1324 1325 snprintf(pid_pid_path, sizeof(pid_pid_path), "/proc/%u/ns/%s", target_ns, nstype); 1326 1327 return open(pid_pid_path, O_RDONLY); 1328 } 1329 1330 static int parseOCIenvarray(struct blob_attr *msg, char ***envp) 1331 { 1332 struct blob_attr *cur; 1333 int sz = 0, rem; 1334 1335 blobmsg_for_each_attr(cur, msg, rem) 1336 ++sz; 1337 1338 if (sz > 0) { 1339 *envp = calloc(1 + sz, sizeof(char*)); 1340 if (!(*envp)) 1341 return ENOMEM; 1342 } else { 1343 *envp = NULL; 1344 return 0; 1345 } 1346 1347 sz = 0; 1348 blobmsg_for_each_attr(cur, msg, rem) 1349 (*envp)[sz++] = strdup(blobmsg_get_string(cur)); 1350 1351 if (sz) 1352 (*envp)[sz] = NULL; 1353 1354 return 0; 1355 } 1356 1357 enum { 1358 OCI_ROOT_PATH, 1359 OCI_ROOT_READONLY, 1360 __OCI_ROOT_MAX, 1361 }; 1362 1363 static const struct blobmsg_policy oci_root_policy[] = { 1364 [OCI_ROOT_PATH] = { "path", BLOBMSG_TYPE_STRING }, 1365 [OCI_ROOT_READONLY] = { "readonly", BLOBMSG_TYPE_BOOL }, 1366 }; 1367 1368 static int parseOCIroot(const char *jsonfile, struct blob_attr *msg) 1369 { 1370 char extroot[PATH_MAX] = { 0 }; 1371 struct blob_attr *tb[__OCI_ROOT_MAX]; 1372 char *cur; 1373 char *root_path; 1374 1375 blobmsg_parse(oci_root_policy, __OCI_ROOT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1376 1377 if (!tb[OCI_ROOT_PATH]) 1378 return ENODATA; 1379 1380 root_path = blobmsg_get_string(tb[OCI_ROOT_PATH]); 1381 1382 /* prepend bundle directory in case of relative paths */ 1383 if (root_path[0] != '/') { 1384 strncpy(extroot, jsonfile, PATH_MAX - 1); 1385 1386 cur = strrchr(extroot, '/'); 1387 1388 if (!cur) 1389 return ENOTDIR; 1390 1391 *(++cur) = '\0'; 1392 } 1393 1394 strncat(extroot, root_path, PATH_MAX - (strlen(extroot) + 1)); 1395 1396 /* follow symbolic link(s) */ 1397 opts.extroot = realpath(extroot, NULL); 1398 if (!opts.extroot) 1399 return errno; 1400 1401 if (tb[OCI_ROOT_READONLY]) 1402 opts.ronly = blobmsg_get_bool(tb[OCI_ROOT_READONLY]); 1403 1404 return 0; 1405 } 1406 1407 1408 enum { 1409 OCI_HOOK_PATH, 1410 OCI_HOOK_ARGS, 1411 OCI_HOOK_ENV, 1412 OCI_HOOK_TIMEOUT, 1413 __OCI_HOOK_MAX, 1414 }; 1415 1416 static const struct blobmsg_policy oci_hook_policy[] = { 1417 [OCI_HOOK_PATH] = { "path", BLOBMSG_TYPE_STRING }, 1418 [OCI_HOOK_ARGS] = { "args", BLOBMSG_TYPE_ARRAY }, 1419 [OCI_HOOK_ENV] = { "env", BLOBMSG_TYPE_ARRAY }, 1420 [OCI_HOOK_TIMEOUT] = { "timeout", BLOBMSG_TYPE_INT32 }, 1421 }; 1422 1423 1424 static int parseOCIhook(struct hook_execvpe ***hooklist, struct blob_attr *msg) 1425 { 1426 struct blob_attr *tb[__OCI_HOOK_MAX]; 1427 struct blob_attr *cur; 1428 int rem, ret = 0; 1429 int idx = 0; 1430 1431 blobmsg_for_each_attr(cur, msg, rem) 1432 ++idx; 1433 1434 if (!idx) 1435 return 0; 1436 1437 *hooklist = calloc(idx + 1, sizeof(struct hook_execvpe *)); 1438 idx = 0; 1439 1440 if (!(*hooklist)) 1441 return ENOMEM; 1442 1443 blobmsg_for_each_attr(cur, msg, rem) { 1444 blobmsg_parse(oci_hook_policy, __OCI_HOOK_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 1445 1446 if (!tb[OCI_HOOK_PATH]) { 1447 ret = EINVAL; 1448 goto errout; 1449 } 1450 1451 (*hooklist)[idx] = calloc(1, sizeof(struct hook_execvpe)); 1452 if (tb[OCI_HOOK_ARGS]) { 1453 ret = parseOCIenvarray(tb[OCI_HOOK_ARGS], &((*hooklist)[idx]->argv)); 1454 if (ret) 1455 goto errout; 1456 } else { 1457 (*hooklist)[idx]->argv = calloc(2, sizeof(char *)); 1458 ((*hooklist)[idx]->argv)[0] = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH])); 1459 ((*hooklist)[idx]->argv)[1] = NULL; 1460 }; 1461 1462 1463 if (tb[OCI_HOOK_ENV]) { 1464 ret = parseOCIenvarray(tb[OCI_HOOK_ENV], &((*hooklist)[idx]->envp)); 1465 if (ret) 1466 goto errout; 1467 } 1468 1469 if (tb[OCI_HOOK_TIMEOUT]) 1470 (*hooklist)[idx]->timeout = blobmsg_get_u32(tb[OCI_HOOK_TIMEOUT]); 1471 1472 (*hooklist)[idx]->file = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH])); 1473 1474 ++idx; 1475 } 1476 1477 (*hooklist)[idx] = NULL; 1478 1479 DEBUG("added %d hooks\n", idx); 1480 1481 return 0; 1482 1483 errout: 1484 free_hooklist(*hooklist); 1485 *hooklist = NULL; 1486 1487 return ret; 1488 }; 1489 1490 1491 enum { 1492 OCI_HOOKS_PRESTART, 1493 OCI_HOOKS_CREATERUNTIME, 1494 OCI_HOOKS_CREATECONTAINER, 1495 OCI_HOOKS_STARTCONTAINER, 1496 OCI_HOOKS_POSTSTART, 1497 OCI_HOOKS_POSTSTOP, 1498 __OCI_HOOKS_MAX, 1499 }; 1500 1501 static const struct blobmsg_policy oci_hooks_policy[] = { 1502 [OCI_HOOKS_PRESTART] = { "prestart", BLOBMSG_TYPE_ARRAY }, 1503 [OCI_HOOKS_CREATERUNTIME] = { "createRuntime", BLOBMSG_TYPE_ARRAY }, 1504 [OCI_HOOKS_CREATECONTAINER] = { "createContainer", BLOBMSG_TYPE_ARRAY }, 1505 [OCI_HOOKS_STARTCONTAINER] = { "startContainer", BLOBMSG_TYPE_ARRAY }, 1506 [OCI_HOOKS_POSTSTART] = { "poststart", BLOBMSG_TYPE_ARRAY }, 1507 [OCI_HOOKS_POSTSTOP] = { "poststop", BLOBMSG_TYPE_ARRAY }, 1508 }; 1509 1510 static int parseOCIhooks(struct blob_attr *msg) 1511 { 1512 struct blob_attr *tb[__OCI_HOOKS_MAX]; 1513 int ret; 1514 1515 blobmsg_parse(oci_hooks_policy, __OCI_HOOKS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1516 1517 if (tb[OCI_HOOKS_PRESTART]) 1518 INFO("warning: ignoring deprecated prestart hook\n"); 1519 1520 if (tb[OCI_HOOKS_CREATERUNTIME]) { 1521 ret = parseOCIhook(&opts.hooks.createRuntime, tb[OCI_HOOKS_CREATERUNTIME]); 1522 if (ret) 1523 return ret; 1524 } 1525 1526 if (tb[OCI_HOOKS_CREATECONTAINER]) { 1527 ret = parseOCIhook(&opts.hooks.createContainer, tb[OCI_HOOKS_CREATECONTAINER]); 1528 if (ret) 1529 goto out_createruntime; 1530 } 1531 1532 if (tb[OCI_HOOKS_STARTCONTAINER]) { 1533 ret = parseOCIhook(&opts.hooks.startContainer, tb[OCI_HOOKS_STARTCONTAINER]); 1534 if (ret) 1535 goto out_createcontainer; 1536 } 1537 1538 if (tb[OCI_HOOKS_POSTSTART]) { 1539 ret = parseOCIhook(&opts.hooks.poststart, tb[OCI_HOOKS_POSTSTART]); 1540 if (ret) 1541 goto out_startcontainer; 1542 } 1543 1544 if (tb[OCI_HOOKS_POSTSTOP]) { 1545 ret = parseOCIhook(&opts.hooks.poststop, tb[OCI_HOOKS_POSTSTOP]); 1546 if (ret) 1547 goto out_poststart; 1548 } 1549 1550 return 0; 1551 1552 out_poststart: 1553 free_hooklist(opts.hooks.poststart); 1554 out_startcontainer: 1555 free_hooklist(opts.hooks.startContainer); 1556 out_createcontainer: 1557 free_hooklist(opts.hooks.createContainer); 1558 out_createruntime: 1559 free_hooklist(opts.hooks.createRuntime); 1560 1561 return ret; 1562 }; 1563 1564 1565 enum { 1566 OCI_PROCESS_USER_UID, 1567 OCI_PROCESS_USER_GID, 1568 OCI_PROCESS_USER_UMASK, 1569 OCI_PROCESS_USER_ADDITIONALGIDS, 1570 __OCI_PROCESS_USER_MAX, 1571 }; 1572 1573 static const struct blobmsg_policy oci_process_user_policy[] = { 1574 [OCI_PROCESS_USER_UID] = { "uid", BLOBMSG_TYPE_INT32 }, 1575 [OCI_PROCESS_USER_GID] = { "gid", BLOBMSG_TYPE_INT32 }, 1576 [OCI_PROCESS_USER_UMASK] = { "umask", BLOBMSG_TYPE_INT32 }, 1577 [OCI_PROCESS_USER_ADDITIONALGIDS] = { "additionalGids", BLOBMSG_TYPE_ARRAY }, 1578 }; 1579 1580 static int parseOCIprocessuser(struct blob_attr *msg) { 1581 struct blob_attr *tb[__OCI_PROCESS_USER_MAX]; 1582 struct blob_attr *cur; 1583 int rem; 1584 int has_gid = 0; 1585 1586 blobmsg_parse(oci_process_user_policy, __OCI_PROCESS_USER_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1587 1588 if (tb[OCI_PROCESS_USER_UID]) 1589 opts.pw_uid = blobmsg_get_u32(tb[OCI_PROCESS_USER_UID]); 1590 1591 if (tb[OCI_PROCESS_USER_GID]) { 1592 opts.pw_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]); 1593 opts.gr_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]); 1594 has_gid = 1; 1595 } 1596 1597 if (tb[OCI_PROCESS_USER_ADDITIONALGIDS]) { 1598 size_t gidcnt = 0; 1599 1600 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) { 1601 ++gidcnt; 1602 if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid)) 1603 continue; 1604 } 1605 1606 if (gidcnt) { 1607 opts.additional_gids = calloc(gidcnt + has_gid, sizeof(gid_t)); 1608 gidcnt = 0; 1609 1610 /* always add primary GID to set of GIDs if set */ 1611 if (has_gid) 1612 opts.additional_gids[gidcnt++] = opts.gr_gid; 1613 1614 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) { 1615 if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid)) 1616 continue; 1617 opts.additional_gids[gidcnt++] = blobmsg_get_u32(cur); 1618 } 1619 opts.num_additional_gids = gidcnt; 1620 } 1621 DEBUG("read %zu additional groups\n", gidcnt); 1622 } 1623 1624 if (tb[OCI_PROCESS_USER_UMASK]) { 1625 opts.umask = blobmsg_get_u32(tb[OCI_PROCESS_USER_UMASK]); 1626 opts.set_umask = true; 1627 } 1628 1629 return 0; 1630 } 1631 1632 enum { 1633 OCI_PROCESS_RLIMIT_TYPE, 1634 OCI_PROCESS_RLIMIT_SOFT, 1635 OCI_PROCESS_RLIMIT_HARD, 1636 __OCI_PROCESS_RLIMIT_MAX, 1637 }; 1638 1639 static const struct blobmsg_policy oci_process_rlimit_policy[] = { 1640 [OCI_PROCESS_RLIMIT_TYPE] = { "type", BLOBMSG_TYPE_STRING }, 1641 [OCI_PROCESS_RLIMIT_SOFT] = { "soft", BLOBMSG_CAST_INT64 }, 1642 [OCI_PROCESS_RLIMIT_HARD] = { "hard", BLOBMSG_CAST_INT64 }, 1643 }; 1644 1645 /* from manpage GETRLIMIT(2) */ 1646 static const char* const rlimit_names[RLIM_NLIMITS] = { 1647 [RLIMIT_AS] = "AS", 1648 [RLIMIT_CORE] = "CORE", 1649 [RLIMIT_CPU] = "CPU", 1650 [RLIMIT_DATA] = "DATA", 1651 [RLIMIT_FSIZE] = "FSIZE", 1652 [RLIMIT_LOCKS] = "LOCKS", 1653 [RLIMIT_MEMLOCK] = "MEMLOCK", 1654 [RLIMIT_MSGQUEUE] = "MSGQUEUE", 1655 [RLIMIT_NICE] = "NICE", 1656 [RLIMIT_NOFILE] = "NOFILE", 1657 [RLIMIT_NPROC] = "NPROC", 1658 [RLIMIT_RSS] = "RSS", 1659 [RLIMIT_RTPRIO] = "RTPRIO", 1660 [RLIMIT_RTTIME] = "RTTIME", 1661 [RLIMIT_SIGPENDING] = "SIGPENDING", 1662 [RLIMIT_STACK] = "STACK", 1663 }; 1664 1665 static int resolve_rlimit(char *type) { 1666 unsigned int rltype; 1667 1668 for (rltype = 0; rltype < RLIM_NLIMITS; ++rltype) 1669 if (rlimit_names[rltype] && 1670 !strncmp("RLIMIT_", type, 7) && 1671 !strcmp(rlimit_names[rltype], type + 7)) 1672 return rltype; 1673 1674 return -1; 1675 } 1676 1677 1678 static int parseOCIrlimit(struct blob_attr *msg) 1679 { 1680 struct blob_attr *tb[__OCI_PROCESS_RLIMIT_MAX]; 1681 int limtype = -1; 1682 struct rlimit *curlim; 1683 1684 blobmsg_parse(oci_process_rlimit_policy, __OCI_PROCESS_RLIMIT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1685 1686 if (!tb[OCI_PROCESS_RLIMIT_TYPE] || 1687 !tb[OCI_PROCESS_RLIMIT_SOFT] || 1688 !tb[OCI_PROCESS_RLIMIT_HARD]) 1689 return ENODATA; 1690 1691 limtype = resolve_rlimit(blobmsg_get_string(tb[OCI_PROCESS_RLIMIT_TYPE])); 1692 1693 if (limtype < 0) 1694 return EINVAL; 1695 1696 if (opts.rlimits[limtype]) 1697 return ENOTUNIQ; 1698 1699 curlim = malloc(sizeof(struct rlimit)); 1700 curlim->rlim_cur = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_SOFT]); 1701 curlim->rlim_max = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_HARD]); 1702 1703 opts.rlimits[limtype] = curlim; 1704 1705 return 0; 1706 }; 1707 1708 enum { 1709 OCI_PROCESS_ARGS, 1710 OCI_PROCESS_CAPABILITIES, 1711 OCI_PROCESS_CWD, 1712 OCI_PROCESS_ENV, 1713 OCI_PROCESS_OOMSCOREADJ, 1714 OCI_PROCESS_NONEWPRIVILEGES, 1715 OCI_PROCESS_RLIMITS, 1716 OCI_PROCESS_TERMINAL, 1717 OCI_PROCESS_USER, 1718 __OCI_PROCESS_MAX, 1719 }; 1720 1721 static const struct blobmsg_policy oci_process_policy[] = { 1722 [OCI_PROCESS_ARGS] = { "args", BLOBMSG_TYPE_ARRAY }, 1723 [OCI_PROCESS_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_TABLE }, 1724 [OCI_PROCESS_CWD] = { "cwd", BLOBMSG_TYPE_STRING }, 1725 [OCI_PROCESS_ENV] = { "env", BLOBMSG_TYPE_ARRAY }, 1726 [OCI_PROCESS_OOMSCOREADJ] = { "oomScoreAdj", BLOBMSG_TYPE_INT32 }, 1727 [OCI_PROCESS_NONEWPRIVILEGES] = { "noNewPrivileges", BLOBMSG_TYPE_BOOL }, 1728 [OCI_PROCESS_RLIMITS] = { "rlimits", BLOBMSG_TYPE_ARRAY }, 1729 [OCI_PROCESS_TERMINAL] = { "terminal", BLOBMSG_TYPE_BOOL }, 1730 [OCI_PROCESS_USER] = { "user", BLOBMSG_TYPE_TABLE }, 1731 }; 1732 1733 1734 static int parseOCIprocess(struct blob_attr *msg) 1735 { 1736 struct blob_attr *tb[__OCI_PROCESS_MAX], *cur; 1737 int rem, res; 1738 1739 blobmsg_parse(oci_process_policy, __OCI_PROCESS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1740 1741 if (!tb[OCI_PROCESS_ARGS]) 1742 return ENOENT; 1743 1744 res = parseOCIenvarray(tb[OCI_PROCESS_ARGS], &opts.jail_argv); 1745 if (res) 1746 return res; 1747 1748 if (tb[OCI_PROCESS_TERMINAL]) 1749 opts.console = blobmsg_get_bool(tb[OCI_PROCESS_TERMINAL]); 1750 1751 if (tb[OCI_PROCESS_NONEWPRIVILEGES]) 1752 opts.no_new_privs = blobmsg_get_bool(tb[OCI_PROCESS_NONEWPRIVILEGES]); 1753 1754 if (tb[OCI_PROCESS_CWD]) 1755 opts.cwd = strdup(blobmsg_get_string(tb[OCI_PROCESS_CWD])); 1756 1757 if (tb[OCI_PROCESS_ENV]) { 1758 res = parseOCIenvarray(tb[OCI_PROCESS_ENV], &opts.envp); 1759 if (res) 1760 return res; 1761 } 1762 1763 if (tb[OCI_PROCESS_USER] && (res = parseOCIprocessuser(tb[OCI_PROCESS_USER]))) 1764 return res; 1765 1766 if (tb[OCI_PROCESS_CAPABILITIES] && 1767 (res = parseOCIcapabilities(&opts.capset, tb[OCI_PROCESS_CAPABILITIES]))) 1768 return res; 1769 1770 if (tb[OCI_PROCESS_RLIMITS]) { 1771 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_RLIMITS], rem) { 1772 res = parseOCIrlimit(cur); 1773 if (res) 1774 return res; 1775 } 1776 } 1777 1778 if (tb[OCI_PROCESS_OOMSCOREADJ]) { 1779 opts.oom_score_adj = blobmsg_get_u32(tb[OCI_PROCESS_OOMSCOREADJ]); 1780 opts.set_oom_score_adj = true; 1781 } 1782 1783 return 0; 1784 } 1785 1786 enum { 1787 OCI_LINUX_NAMESPACE_TYPE, 1788 OCI_LINUX_NAMESPACE_PATH, 1789 __OCI_LINUX_NAMESPACE_MAX, 1790 }; 1791 1792 static const struct blobmsg_policy oci_linux_namespace_policy[] = { 1793 [OCI_LINUX_NAMESPACE_TYPE] = { "type", BLOBMSG_TYPE_STRING }, 1794 [OCI_LINUX_NAMESPACE_PATH] = { "path", BLOBMSG_TYPE_STRING }, 1795 }; 1796 1797 static int resolve_nstype(char *type) { 1798 if (!strcmp("pid", type)) 1799 return CLONE_NEWPID; 1800 else if (!strcmp("network", type)) 1801 return CLONE_NEWNET; 1802 else if (!strcmp("net", type)) 1803 return CLONE_NEWNET; 1804 else if (!strcmp("mount", type)) 1805 return CLONE_NEWNS; 1806 else if (!strcmp("ipc", type)) 1807 return CLONE_NEWIPC; 1808 else if (!strcmp("uts", type)) 1809 return CLONE_NEWUTS; 1810 else if (!strcmp("user", type)) 1811 return CLONE_NEWUSER; 1812 else if (!strcmp("cgroup", type)) 1813 return CLONE_NEWCGROUP; 1814 #ifdef CLONE_NEWTIME 1815 else if (!strcmp("time", type)) 1816 return CLONE_NEWTIME; 1817 #endif 1818 else 1819 return 0; 1820 } 1821 1822 static int parseOCIlinuxns(struct blob_attr *msg) 1823 { 1824 struct blob_attr *tb[__OCI_LINUX_NAMESPACE_MAX]; 1825 int nstype; 1826 int *setns; 1827 int fd; 1828 1829 blobmsg_parse(oci_linux_namespace_policy, __OCI_LINUX_NAMESPACE_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1830 1831 if (!tb[OCI_LINUX_NAMESPACE_TYPE]) 1832 return EINVAL; 1833 1834 nstype = resolve_nstype(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE])); 1835 if (!nstype) 1836 return EINVAL; 1837 1838 if (opts.namespace & nstype) 1839 return ENOTUNIQ; 1840 1841 setns = get_namespace_fd(nstype); 1842 1843 if (!setns) 1844 return EFAULT; 1845 1846 if (*setns != -1) 1847 return ENOTUNIQ; 1848 1849 if (tb[OCI_LINUX_NAMESPACE_PATH]) { 1850 DEBUG("opening existing %s namespace from path %s\n", 1851 blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]), 1852 blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH])); 1853 1854 fd = open(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH]), O_RDONLY); 1855 if (fd < 0) 1856 return errno?:ESTALE; 1857 1858 if (ioctl(fd, NS_GET_NSTYPE) != nstype) { 1859 close(fd); 1860 return EINVAL; 1861 } 1862 1863 DEBUG("opened existing %s namespace got filehandler %u\n", 1864 blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]), 1865 fd); 1866 1867 *setns = fd; 1868 } else { 1869 opts.namespace |= nstype; 1870 } 1871 1872 return 0; 1873 } 1874 1875 /* 1876 * join namespace of existing PID 1877 * The string argument is the reference PID followed by ':' and a 1878 * ',' separated list of namespaces to to join. 1879 */ 1880 static int jail_join_ns(char *arg) 1881 { 1882 pid_t pid; 1883 int fd; 1884 int nstype; 1885 char *tmp, *etmp, *nspath; 1886 int *setns; 1887 1888 tmp = strchr(arg, ':'); 1889 if (!tmp) 1890 return EINVAL; 1891 1892 *tmp = '\0'; 1893 pid = atoi(arg); 1894 1895 do { 1896 ++tmp; 1897 etmp = strchr(tmp, ','); 1898 if (etmp) 1899 *etmp = '\0'; 1900 1901 nstype = resolve_nstype(tmp); 1902 if (!nstype) 1903 return EINVAL; 1904 1905 if (opts.namespace & nstype) 1906 return ENOTUNIQ; 1907 1908 setns = get_namespace_fd(nstype); 1909 1910 if (!setns) 1911 return EFAULT; 1912 1913 if (*setns != -1) 1914 return ENOTUNIQ; 1915 1916 if (asprintf(&nspath, "/proc/%d/ns/%s", pid, tmp) < 0) 1917 return ENOMEM; 1918 1919 fd = open(nspath, O_RDONLY); 1920 free(nspath); 1921 1922 if (fd < 0) 1923 return errno?:ESTALE; 1924 1925 *setns = fd; 1926 1927 if (etmp) 1928 tmp = etmp; 1929 else 1930 tmp = NULL; 1931 } while (tmp); 1932 1933 return 0; 1934 } 1935 1936 static void get_jail_root_user(bool is_gidmap, uint32_t container_id, uint32_t host_id, uint32_t size) 1937 { 1938 if (container_id == 0 && size >= 1) 1939 if (!is_gidmap) 1940 opts.root_map_uid = host_id; 1941 } 1942 1943 enum { 1944 OCI_LINUX_UIDGIDMAP_CONTAINERID, 1945 OCI_LINUX_UIDGIDMAP_HOSTID, 1946 OCI_LINUX_UIDGIDMAP_SIZE, 1947 __OCI_LINUX_UIDGIDMAP_MAX, 1948 }; 1949 1950 static const struct blobmsg_policy oci_linux_uidgidmap_policy[] = { 1951 [OCI_LINUX_UIDGIDMAP_CONTAINERID] = { "containerID", BLOBMSG_TYPE_INT32 }, 1952 [OCI_LINUX_UIDGIDMAP_HOSTID] = { "hostID", BLOBMSG_TYPE_INT32 }, 1953 [OCI_LINUX_UIDGIDMAP_SIZE] = { "size", BLOBMSG_TYPE_INT32 }, 1954 }; 1955 1956 static int parseOCIuidgidmappings(struct blob_attr *msg, bool is_gidmap) 1957 { 1958 struct blob_attr *tb[__OCI_LINUX_UIDGIDMAP_MAX]; 1959 struct blob_attr *cur; 1960 int rem; 1961 char *map; 1962 size_t len, pos, totallen = 0; 1963 1964 blobmsg_for_each_attr(cur, msg, rem) { 1965 blobmsg_parse(oci_linux_uidgidmap_policy, __OCI_LINUX_UIDGIDMAP_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 1966 1967 if (!tb[OCI_LINUX_UIDGIDMAP_CONTAINERID] || 1968 !tb[OCI_LINUX_UIDGIDMAP_HOSTID] || 1969 !tb[OCI_LINUX_UIDGIDMAP_SIZE]) 1970 return EINVAL; 1971 1972 /* count length */ 1973 totallen += snprintf(NULL, 0, "%d %d %d\n", 1974 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]), 1975 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]), 1976 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE])); 1977 } 1978 1979 /* allocate combined mapping string */ 1980 map = malloc(totallen + 1); 1981 if (!map) 1982 return ENOMEM; 1983 1984 pos = 0; 1985 blobmsg_for_each_attr(cur, msg, rem) { 1986 blobmsg_parse(oci_linux_uidgidmap_policy, __OCI_LINUX_UIDGIDMAP_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 1987 1988 get_jail_root_user(is_gidmap, blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]), 1989 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]), 1990 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE])); 1991 1992 /* write mapping line into pre-allocated string */ 1993 len = snprintf(&map[pos], totallen + 1, "%d %d %d\n", 1994 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]), 1995 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]), 1996 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE])); 1997 pos += len; 1998 totallen -= len; 1999 } 2000 2001 assert(totallen == 0); 2002 2003 if (is_gidmap) 2004 opts.gidmap = map; 2005 else 2006 opts.uidmap = map; 2007 2008 return 0; 2009 } 2010 2011 enum { 2012 OCI_DEVICES_TYPE, 2013 OCI_DEVICES_PATH, 2014 OCI_DEVICES_MAJOR, 2015 OCI_DEVICES_MINOR, 2016 OCI_DEVICES_FILEMODE, 2017 OCI_DEVICES_UID, 2018 OCI_DEVICES_GID, 2019 __OCI_DEVICES_MAX, 2020 }; 2021 2022 static const struct blobmsg_policy oci_devices_policy[] = { 2023 [OCI_DEVICES_TYPE] = { "type", BLOBMSG_TYPE_STRING }, 2024 [OCI_DEVICES_PATH] = { "path", BLOBMSG_TYPE_STRING }, 2025 [OCI_DEVICES_MAJOR] = { "major", BLOBMSG_TYPE_INT32 }, 2026 [OCI_DEVICES_MINOR] = { "minor", BLOBMSG_TYPE_INT32 }, 2027 [OCI_DEVICES_FILEMODE] = { "fileMode", BLOBMSG_TYPE_INT32 }, 2028 [OCI_DEVICES_UID] = { "uid", BLOBMSG_TYPE_INT32 }, 2029 [OCI_DEVICES_GID] = { "uid", BLOBMSG_TYPE_INT32 }, 2030 }; 2031 2032 static mode_t resolve_devtype(char *tstr) 2033 { 2034 if (!strcmp("c", tstr) || 2035 !strcmp("u", tstr)) 2036 return S_IFCHR; 2037 else if (!strcmp("b", tstr)) 2038 return S_IFBLK; 2039 else if (!strcmp("p", tstr)) 2040 return S_IFIFO; 2041 else 2042 return 0; 2043 } 2044 2045 static int parseOCIdevices(struct blob_attr *msg) 2046 { 2047 struct blob_attr *tb[__OCI_DEVICES_MAX]; 2048 struct blob_attr *cur; 2049 int rem; 2050 size_t cnt = 0; 2051 struct mknod_args *tmp; 2052 2053 blobmsg_for_each_attr(cur, msg, rem) 2054 ++cnt; 2055 2056 opts.devices = calloc(cnt + 1, sizeof(struct mknod_args *)); 2057 2058 cnt = 0; 2059 blobmsg_for_each_attr(cur, msg, rem) { 2060 blobmsg_parse(oci_devices_policy, __OCI_DEVICES_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 2061 if (!tb[OCI_DEVICES_TYPE] || 2062 !tb[OCI_DEVICES_PATH]) 2063 return ENODATA; 2064 2065 tmp = calloc(1, sizeof(struct mknod_args)); 2066 if (!tmp) 2067 return ENOMEM; 2068 2069 tmp->mode = resolve_devtype(blobmsg_get_string(tb[OCI_DEVICES_TYPE])); 2070 if (!tmp->mode) { 2071 free(tmp); 2072 return EINVAL; 2073 } 2074 2075 if (tmp->mode != S_IFIFO) { 2076 if (!tb[OCI_DEVICES_MAJOR] || !tb[OCI_DEVICES_MINOR]) { 2077 free(tmp); 2078 return ENODATA; 2079 } 2080 2081 tmp->dev = makedev(blobmsg_get_u32(tb[OCI_DEVICES_MAJOR]), 2082 blobmsg_get_u32(tb[OCI_DEVICES_MINOR])); 2083 } 2084 2085 if (tb[OCI_DEVICES_FILEMODE]) { 2086 if (~(S_IRWXU|S_IRWXG|S_IRWXO) & blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE])) { 2087 free(tmp); 2088 return EINVAL; 2089 } 2090 2091 tmp->mode |= blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE]); 2092 } else { 2093 tmp->mode |= (S_IRUSR|S_IWUSR); /* 0600 */ 2094 } 2095 2096 tmp->path = strdup(blobmsg_get_string(tb[OCI_DEVICES_PATH])); 2097 2098 if (tb[OCI_DEVICES_UID]) 2099 tmp->uid = blobmsg_get_u32(tb[OCI_DEVICES_UID]); 2100 else 2101 tmp->uid = -1; 2102 2103 if (tb[OCI_DEVICES_GID]) 2104 tmp->gid = blobmsg_get_u32(tb[OCI_DEVICES_GID]); 2105 else 2106 tmp->gid = -1; 2107 2108 DEBUG("read device %s (%s)\n", blobmsg_get_string(tb[OCI_DEVICES_PATH]), blobmsg_get_string(tb[OCI_DEVICES_TYPE])); 2109 opts.devices[cnt++] = tmp; 2110 } 2111 2112 opts.devices[cnt] = NULL; 2113 2114 return 0; 2115 } 2116 2117 static int parseOCIsysctl(struct blob_attr *msg) 2118 { 2119 struct blob_attr *cur; 2120 int rem; 2121 char *tmp, *tc; 2122 size_t cnt = 0; 2123 2124 blobmsg_for_each_attr(cur, msg, rem) { 2125 if (!blobmsg_name(cur) || !blobmsg_get_string(cur)) 2126 return EINVAL; 2127 2128 ++cnt; 2129 } 2130 2131 if (!cnt) 2132 return 0; 2133 2134 opts.sysctl = calloc(cnt + 1, sizeof(struct sysctl_val *)); 2135 if (!opts.sysctl) 2136 return ENOMEM; 2137 2138 cnt = 0; 2139 blobmsg_for_each_attr(cur, msg, rem) { 2140 opts.sysctl[cnt] = malloc(sizeof(struct sysctl_val)); 2141 if (!opts.sysctl[cnt]) 2142 return ENOMEM; 2143 2144 /* replace '.' with '/' in entry name */ 2145 tc = tmp = strdup(blobmsg_name(cur)); 2146 while ((tc = strchr(tc, '.'))) 2147 *tc = '/'; 2148 2149 opts.sysctl[cnt]->value = strdup(blobmsg_get_string(cur)); 2150 opts.sysctl[cnt]->entry = tmp; 2151 2152 ++cnt; 2153 } 2154 2155 opts.sysctl[cnt] = NULL; 2156 2157 return 0; 2158 } 2159 2160 2161 enum { 2162 OCI_LINUX_CGROUPSPATH, 2163 OCI_LINUX_RESOURCES, 2164 OCI_LINUX_SECCOMP, 2165 OCI_LINUX_SYSCTL, 2166 OCI_LINUX_NAMESPACES, 2167 OCI_LINUX_DEVICES, 2168 OCI_LINUX_UIDMAPPINGS, 2169 OCI_LINUX_GIDMAPPINGS, 2170 OCI_LINUX_MASKEDPATHS, 2171 OCI_LINUX_READONLYPATHS, 2172 OCI_LINUX_ROOTFSPROPAGATION, 2173 __OCI_LINUX_MAX, 2174 }; 2175 2176 static const struct blobmsg_policy oci_linux_policy[] = { 2177 [OCI_LINUX_CGROUPSPATH] = { "cgroupsPath", BLOBMSG_TYPE_STRING }, 2178 [OCI_LINUX_RESOURCES] = { "resources", BLOBMSG_TYPE_TABLE }, 2179 [OCI_LINUX_SECCOMP] = { "seccomp", BLOBMSG_TYPE_TABLE }, 2180 [OCI_LINUX_SYSCTL] = { "sysctl", BLOBMSG_TYPE_TABLE }, 2181 [OCI_LINUX_NAMESPACES] = { "namespaces", BLOBMSG_TYPE_ARRAY }, 2182 [OCI_LINUX_DEVICES] = { "devices", BLOBMSG_TYPE_ARRAY }, 2183 [OCI_LINUX_UIDMAPPINGS] = { "uidMappings", BLOBMSG_TYPE_ARRAY }, 2184 [OCI_LINUX_GIDMAPPINGS] = { "gidMappings", BLOBMSG_TYPE_ARRAY }, 2185 [OCI_LINUX_MASKEDPATHS] = { "maskedPaths", BLOBMSG_TYPE_ARRAY }, 2186 [OCI_LINUX_READONLYPATHS] = { "readonlyPaths", BLOBMSG_TYPE_ARRAY }, 2187 [OCI_LINUX_ROOTFSPROPAGATION] = { "rootfsPropagation", BLOBMSG_TYPE_STRING }, 2188 }; 2189 2190 static int parseOCIlinux(struct blob_attr *msg) 2191 { 2192 struct blob_attr *tb[__OCI_LINUX_MAX]; 2193 struct blob_attr *cur; 2194 int rem; 2195 int res = 0; 2196 char *cgpath; 2197 char cgfullpath[256] = "/sys/fs/cgroup"; 2198 2199 blobmsg_parse(oci_linux_policy, __OCI_LINUX_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 2200 2201 if (tb[OCI_LINUX_NAMESPACES]) { 2202 blobmsg_for_each_attr(cur, tb[OCI_LINUX_NAMESPACES], rem) { 2203 res = parseOCIlinuxns(cur); 2204 if (res) 2205 return res; 2206 } 2207 } 2208 2209 if (tb[OCI_LINUX_UIDMAPPINGS]) { 2210 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 0); 2211 if (res) 2212 return res; 2213 } 2214 2215 if (tb[OCI_LINUX_GIDMAPPINGS]) { 2216 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 1); 2217 if (res) 2218 return res; 2219 } 2220 2221 if (tb[OCI_LINUX_READONLYPATHS]) { 2222 blobmsg_for_each_attr(cur, tb[OCI_LINUX_READONLYPATHS], rem) { 2223 res = add_mount(NULL, blobmsg_get_string(cur), NULL, MS_BIND | MS_REC | MS_RDONLY, 0, NULL, 0); 2224 if (res) 2225 return res; 2226 } 2227 } 2228 2229 if (tb[OCI_LINUX_MASKEDPATHS]) { 2230 blobmsg_for_each_attr(cur, tb[OCI_LINUX_MASKEDPATHS], rem) { 2231 res = add_mount((void *)(-1), blobmsg_get_string(cur), NULL, 0, 0, NULL, 0); 2232 if (res) 2233 return res; 2234 } 2235 } 2236 2237 if (tb[OCI_LINUX_SYSCTL]) { 2238 res = parseOCIsysctl(tb[OCI_LINUX_SYSCTL]); 2239 if (res) 2240 return res; 2241 } 2242 2243 if (tb[OCI_LINUX_SECCOMP]) { 2244 opts.ociseccomp = parseOCIlinuxseccomp(tb[OCI_LINUX_SECCOMP]); 2245 if (!opts.ociseccomp) 2246 return EINVAL; 2247 } 2248 2249 if (tb[OCI_LINUX_DEVICES]) { 2250 res = parseOCIdevices(tb[OCI_LINUX_DEVICES]); 2251 if (res) 2252 return res; 2253 } 2254 2255 if (tb[OCI_LINUX_CGROUPSPATH]) { 2256 cgpath = blobmsg_get_string(tb[OCI_LINUX_CGROUPSPATH]); 2257 if (cgpath[0] == '/') { 2258 if (strlen(cgpath) + 1 >= (sizeof(cgfullpath) - strlen(cgfullpath))) 2259 return E2BIG; 2260 2261 strcat(cgfullpath, cgpath); 2262 } else { 2263 strcat(cgfullpath, "/containers/"); 2264 if (strlen(opts.name) + strlen(cgpath) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath))) 2265 return E2BIG; 2266 2267 strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ 2268 strcat(cgfullpath, "/"); 2269 strcat(cgfullpath, cgpath); 2270 } 2271 } else { 2272 strcat(cgfullpath, "/containers/"); 2273 if (2 * strlen(opts.name) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath))) 2274 return E2BIG; 2275 2276 strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ 2277 strcat(cgfullpath, "/"); 2278 strcat(cgfullpath, opts.name); /* should be container instance name rather than jail name */ 2279 } 2280 2281 cgroups_init(cgfullpath); 2282 2283 if (tb[OCI_LINUX_RESOURCES]) { 2284 res = parseOCIlinuxcgroups(tb[OCI_LINUX_RESOURCES]); 2285 if (res) 2286 return res; 2287 } 2288 2289 return 0; 2290 } 2291 2292 enum { 2293 OCI_VERSION, 2294 OCI_HOSTNAME, 2295 OCI_PROCESS, 2296 OCI_ROOT, 2297 OCI_MOUNTS, 2298 OCI_HOOKS, 2299 OCI_LINUX, 2300 OCI_ANNOTATIONS, 2301 __OCI_MAX, 2302 }; 2303 2304 static const struct blobmsg_policy oci_policy[] = { 2305 [OCI_VERSION] = { "ociVersion", BLOBMSG_TYPE_STRING }, 2306 [OCI_HOSTNAME] = { "hostname", BLOBMSG_TYPE_STRING }, 2307 [OCI_PROCESS] = { "process", BLOBMSG_TYPE_TABLE }, 2308 [OCI_ROOT] = { "root", BLOBMSG_TYPE_TABLE }, 2309 [OCI_MOUNTS] = { "mounts", BLOBMSG_TYPE_ARRAY }, 2310 [OCI_HOOKS] = { "hooks", BLOBMSG_TYPE_TABLE }, 2311 [OCI_LINUX] = { "linux", BLOBMSG_TYPE_TABLE }, 2312 [OCI_ANNOTATIONS] = { "annotations", BLOBMSG_TYPE_TABLE }, 2313 }; 2314 2315 static int parseOCI(const char *jsonfile) 2316 { 2317 struct blob_attr *tb[__OCI_MAX]; 2318 struct blob_attr *cur; 2319 int rem; 2320 int res; 2321 2322 blob_buf_init(&ocibuf, 0); 2323 2324 if (!blobmsg_add_json_from_file(&ocibuf, jsonfile)) { 2325 res=ENOENT; 2326 goto errout; 2327 } 2328 2329 blobmsg_parse(oci_policy, __OCI_MAX, tb, blob_data(ocibuf.head), blob_len(ocibuf.head)); 2330 2331 if (!tb[OCI_VERSION]) { 2332 res=ENOMSG; 2333 goto errout; 2334 } 2335 2336 if (strncmp("1.0", blobmsg_get_string(tb[OCI_VERSION]), 3)) { 2337 ERROR("unsupported ociVersion %s\n", blobmsg_get_string(tb[OCI_VERSION])); 2338 res=ENOTSUP; 2339 goto errout; 2340 } 2341 2342 if (tb[OCI_HOSTNAME]) 2343 opts.hostname = strdup(blobmsg_get_string(tb[OCI_HOSTNAME])); 2344 2345 if (!tb[OCI_PROCESS]) { 2346 res=ENODATA; 2347 goto errout; 2348 } 2349 2350 if ((res = parseOCIprocess(tb[OCI_PROCESS]))) 2351 goto errout; 2352 2353 if (!tb[OCI_ROOT]) { 2354 res=ENODATA; 2355 goto errout; 2356 } 2357 if ((res = parseOCIroot(jsonfile, tb[OCI_ROOT]))) 2358 goto errout; 2359 2360 if (!tb[OCI_MOUNTS]) { 2361 res=ENODATA; 2362 goto errout; 2363 } 2364 2365 blobmsg_for_each_attr(cur, tb[OCI_MOUNTS], rem) 2366 if ((res = parseOCImount(cur))) 2367 goto errout; 2368 2369 if (tb[OCI_LINUX] && (res = parseOCIlinux(tb[OCI_LINUX]))) 2370 goto errout; 2371 2372 if (tb[OCI_HOOKS] && (res = parseOCIhooks(tb[OCI_HOOKS]))) 2373 goto errout; 2374 2375 if (tb[OCI_ANNOTATIONS]) 2376 opts.annotations = blob_memdup(tb[OCI_ANNOTATIONS]); 2377 2378 errout: 2379 blob_buf_free(&ocibuf); 2380 2381 return res; 2382 } 2383 2384 static int set_oom_score_adj(void) 2385 { 2386 int f; 2387 char fname[32]; 2388 2389 if (!opts.set_oom_score_adj) 2390 return 0; 2391 2392 snprintf(fname, sizeof(fname), "/proc/%u/oom_score_adj", jail_process.pid); 2393 f = open(fname, O_WRONLY | O_TRUNC); 2394 if (f < 0) 2395 return errno; 2396 2397 dprintf(f, "%d", opts.oom_score_adj); 2398 close(f); 2399 2400 return 0; 2401 } 2402 2403 2404 enum { 2405 OCI_STATE_CREATING, 2406 OCI_STATE_CREATED, 2407 OCI_STATE_RUNNING, 2408 OCI_STATE_STOPPED, 2409 }; 2410 2411 static int jail_oci_state = OCI_STATE_CREATED; 2412 static void pipe_send_start_container(struct uloop_timeout *t); 2413 static struct uloop_timeout start_container_timeout = { 2414 .cb = pipe_send_start_container, 2415 }; 2416 2417 static int handle_start(struct ubus_context *ctx, struct ubus_object *obj, 2418 struct ubus_request_data *req, const char *method, 2419 struct blob_attr *msg) 2420 { 2421 if (jail_oci_state != OCI_STATE_CREATED) 2422 return UBUS_STATUS_INVALID_ARGUMENT; 2423 2424 uloop_timeout_add(&start_container_timeout); 2425 2426 return UBUS_STATUS_OK; 2427 } 2428 2429 static struct blob_buf bb; 2430 static int handle_state(struct ubus_context *ctx, struct ubus_object *obj, 2431 struct ubus_request_data *req, const char *method, 2432 struct blob_attr *msg) 2433 { 2434 char *statusstr; 2435 2436 switch (jail_oci_state) { 2437 case OCI_STATE_CREATING: 2438 statusstr = "creating"; 2439 break; 2440 case OCI_STATE_CREATED: 2441 statusstr = "created"; 2442 break; 2443 case OCI_STATE_RUNNING: 2444 statusstr = "running"; 2445 break; 2446 case OCI_STATE_STOPPED: 2447 statusstr = "stopped"; 2448 break; 2449 default: 2450 statusstr = "unknown"; 2451 } 2452 2453 blob_buf_init(&bb, 0); 2454 blobmsg_add_string(&bb, "ociVersion", OCI_VERSION_STRING); 2455 blobmsg_add_string(&bb, "id", opts.name); 2456 blobmsg_add_string(&bb, "status", statusstr); 2457 if (jail_oci_state == OCI_STATE_CREATED || 2458 jail_oci_state == OCI_STATE_RUNNING) 2459 blobmsg_add_u32(&bb, "pid", jail_process.pid); 2460 2461 blobmsg_add_string(&bb, "bundle", opts.ocibundle); 2462 2463 if (opts.annotations) 2464 blobmsg_add_blob(&bb, opts.annotations); 2465 2466 ubus_send_reply(ctx, req, bb.head); 2467 2468 return UBUS_STATUS_OK; 2469 } 2470 2471 enum { 2472 CONTAINER_KILL_ATTR_SIGNAL, 2473 __CONTAINER_KILL_ATTR_MAX, 2474 }; 2475 2476 static const struct blobmsg_policy container_kill_attrs[__CONTAINER_KILL_ATTR_MAX] = { 2477 [CONTAINER_KILL_ATTR_SIGNAL] = { "signal", BLOBMSG_TYPE_INT32 }, 2478 }; 2479 2480 static int 2481 container_handle_kill(struct ubus_context *ctx, struct ubus_object *obj, 2482 struct ubus_request_data *req, const char *method, 2483 struct blob_attr *msg) 2484 { 2485 struct blob_attr *tb[__CONTAINER_KILL_ATTR_MAX], *cur; 2486 int sig = SIGTERM; 2487 2488 blobmsg_parse(container_kill_attrs, __CONTAINER_KILL_ATTR_MAX, tb, blobmsg_data(msg), blobmsg_data_len(msg)); 2489 2490 cur = tb[CONTAINER_KILL_ATTR_SIGNAL]; 2491 if (cur) 2492 sig = blobmsg_get_u32(cur); 2493 2494 if (jail_oci_state == OCI_STATE_CREATING) 2495 return UBUS_STATUS_NOT_FOUND; 2496 2497 if (kill(jail_process.pid, sig) == 0) 2498 return 0; 2499 2500 switch (errno) { 2501 case EINVAL: return UBUS_STATUS_INVALID_ARGUMENT; 2502 case EPERM: return UBUS_STATUS_PERMISSION_DENIED; 2503 case ESRCH: return UBUS_STATUS_NOT_FOUND; 2504 } 2505 2506 return UBUS_STATUS_UNKNOWN_ERROR; 2507 } 2508 2509 static int 2510 jail_writepid(pid_t pid) 2511 { 2512 FILE *_pidfile; 2513 2514 if (!opts.pidfile) 2515 return 0; 2516 2517 _pidfile = fopen(opts.pidfile, "w"); 2518 if (_pidfile == NULL) 2519 return errno; 2520 2521 if (fprintf(_pidfile, "%d\n", pid) < 0) { 2522 fclose(_pidfile); 2523 return errno; 2524 } 2525 2526 if (fclose(_pidfile)) 2527 return errno; 2528 2529 return 0; 2530 } 2531 2532 static int checkpath(const char *path) 2533 { 2534 int dirfd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC); 2535 if (dirfd < 0) { 2536 ERROR("path %s open failed %m\n", path); 2537 return -1; 2538 } 2539 close(dirfd); 2540 2541 return 0; 2542 } 2543 2544 static struct ubus_method container_methods[] = { 2545 UBUS_METHOD_NOARG("start", handle_start), 2546 UBUS_METHOD_NOARG("state", handle_state), 2547 UBUS_METHOD("kill", container_handle_kill, container_kill_attrs), 2548 }; 2549 2550 static struct ubus_object_type container_object_type = 2551 UBUS_OBJECT_TYPE("container", container_methods); 2552 2553 static struct ubus_object container_object = { 2554 .type = &container_object_type, 2555 .methods = container_methods, 2556 .n_methods = ARRAY_SIZE(container_methods), 2557 }; 2558 2559 static void post_main(struct uloop_timeout *t); 2560 static struct uloop_timeout post_main_timeout = { 2561 .cb = post_main, 2562 }; 2563 static int netns_fd; 2564 static int pidns_fd; 2565 #ifdef CLONE_NEWTIME 2566 static int timens_fd; 2567 #endif 2568 static void post_create_runtime(void); 2569 2570 struct env_e { 2571 struct list_head list; 2572 char *envarg; 2573 }; 2574 2575 int main(int argc, char **argv) 2576 { 2577 uid_t uid = getuid(); 2578 const char log[] = "/dev/log"; 2579 const char ubus[] = "/var/run/ubus/ubus.sock"; 2580 int ret = EXIT_FAILURE; 2581 int ch; 2582 char *tmp; 2583 struct list_head envl = LIST_HEAD_INIT(envl); 2584 struct env_e *enve, *tmpenve; 2585 unsigned short int envn = 0, envc = 0; 2586 2587 if (uid) { 2588 ERROR("not root, aborting: %m\n"); 2589 return EXIT_FAILURE; 2590 } 2591 2592 /* those are filehandlers, so -1 indicates unused */ 2593 opts.setns.pid = -1; 2594 opts.setns.net = -1; 2595 opts.setns.ns = -1; 2596 opts.setns.ipc = -1; 2597 opts.setns.uts = -1; 2598 opts.setns.user = -1; 2599 opts.setns.cgroup = -1; 2600 #ifdef CLONE_NEWTIME 2601 opts.setns.time = -1; 2602 #endif 2603 2604 /* default 5 seconds timeout after SIGTERM before SIGKILL is sent */ 2605 opts.term_timeout = 5; 2606 2607 umask(022); 2608 mount_list_init(); 2609 init_library_search(); 2610 cgroups_prepare(); 2611 exit_from_child = false; 2612 2613 while ((ch = getopt(argc, argv, OPT_ARGS)) != -1) { 2614 switch (ch) { 2615 case 'd': 2616 debug = atoi(optarg); 2617 break; 2618 case 'e': 2619 enve = calloc(1, sizeof(*enve)); 2620 enve->envarg = optarg; 2621 list_add_tail(&enve->list, &envl); 2622 break; 2623 case 'p': 2624 opts.namespace |= CLONE_NEWNS; 2625 opts.procfs = 1; 2626 break; 2627 case 'o': 2628 opts.namespace |= CLONE_NEWNS; 2629 opts.ronly = 1; 2630 break; 2631 case 'f': 2632 opts.namespace |= CLONE_NEWUSER; 2633 break; 2634 case 'F': 2635 opts.namespace |= CLONE_NEWCGROUP; 2636 break; 2637 case 'R': 2638 opts.extroot = realpath(optarg, NULL); 2639 break; 2640 case 's': 2641 opts.namespace |= CLONE_NEWNS; 2642 opts.sysfs = 1; 2643 break; 2644 case 'S': 2645 opts.seccomp = optarg; 2646 add_mount_bind(optarg, 1, -1); 2647 break; 2648 case 'C': 2649 opts.capabilities = optarg; 2650 break; 2651 case 'c': 2652 opts.no_new_privs = 1; 2653 break; 2654 case 'n': 2655 opts.name = optarg; 2656 break; 2657 case 'N': 2658 opts.namespace |= CLONE_NEWNET; 2659 break; 2660 case 'h': 2661 opts.namespace |= CLONE_NEWUTS; 2662 opts.hostname = strdup(optarg); 2663 break; 2664 case 'j': 2665 jail_join_ns(optarg); 2666 break; 2667 case 'r': 2668 opts.namespace |= CLONE_NEWNS; 2669 tmp = strchr(optarg, ':'); 2670 if (tmp) { 2671 *(tmp++) = '\0'; 2672 add_2paths_and_deps(optarg, tmp, 1, 0, 0); 2673 } else { 2674 add_path_and_deps(optarg, 1, 0, 0); 2675 } 2676 break; 2677 case 'w': 2678 opts.namespace |= CLONE_NEWNS; 2679 tmp = strchr(optarg, ':'); 2680 if (tmp) { 2681 *(tmp++) = '\0'; 2682 add_2paths_and_deps(optarg, tmp, 0, 0, 0); 2683 } else { 2684 add_path_and_deps(optarg, 0, 0, 0); 2685 } 2686 break; 2687 case 'u': 2688 opts.namespace |= CLONE_NEWNS; 2689 add_mount_bind(ubus, 0, -1); 2690 break; 2691 case 'l': 2692 opts.namespace |= CLONE_NEWNS; 2693 add_mount_bind(log, 0, -1); 2694 break; 2695 case 'U': 2696 opts.user = optarg; 2697 break; 2698 case 'G': 2699 opts.group = optarg; 2700 break; 2701 case 'O': 2702 opts.overlaydir = realpath(optarg, NULL); 2703 break; 2704 case 't': 2705 opts.term_timeout = atoi(optarg); 2706 break; 2707 case 'T': 2708 opts.tmpoverlaysize = optarg; 2709 break; 2710 case 'E': 2711 opts.require_jail = 1; 2712 break; 2713 case 'y': 2714 opts.console = 1; 2715 break; 2716 case 'J': 2717 opts.ocibundle = optarg; 2718 break; 2719 case 'i': 2720 opts.immediately = true; 2721 break; 2722 case 'P': 2723 opts.pidfile = optarg; 2724 break; 2725 } 2726 } 2727 2728 if (opts.namespace && !opts.ocibundle) 2729 opts.namespace |= CLONE_NEWIPC | CLONE_NEWPID; 2730 2731 /* 2732 * env import from cmdline is not available for OCI containers 2733 */ 2734 if (opts.ocibundle && !list_empty(&envl)) { 2735 ret=-ENOTSUP; 2736 goto errout; 2737 } 2738 2739 /* 2740 * prepare list of env variables to import for slim containers 2741 */ 2742 if (!list_empty(&envl)) { 2743 list_for_each_entry(enve, &envl, list) 2744 ++envn; 2745 2746 opts.envp = calloc(1 + envn, sizeof(char*)); 2747 list_for_each_entry_safe(enve, tmpenve, &envl, list) { 2748 tmp = getenv(enve->envarg); 2749 if (tmp) { 2750 ret = asprintf(&opts.envp[envc++], "%s=%s", enve->envarg, tmp); 2751 if (ret < 0) { 2752 ERROR("filed to handle envargs %s\n", tmp); 2753 free(enve); 2754 goto errout; 2755 } 2756 } 2757 2758 list_del(&enve->list); 2759 free(enve); 2760 } 2761 2762 opts.envp[envc] = NULL; 2763 } 2764 2765 /* 2766 * uid in parent user namespace representing root user in new 2767 * user namespace, defaults to nobody unless specified in uidMappings 2768 */ 2769 opts.root_map_uid = 65534; 2770 2771 if (opts.capabilities && parseOCIcapabilities_from_file(&opts.capset, opts.capabilities)) { 2772 ERROR("failed to read capabilities from file %s\n", opts.capabilities); 2773 ret=-1; 2774 goto errout; 2775 } 2776 2777 if (opts.ocibundle) { 2778 char *jsonfile; 2779 int ocires; 2780 2781 if (!opts.name) { 2782 ERROR("OCI bundle needs a named jail\n"); 2783 ret=-1; 2784 goto errout; 2785 } 2786 if (asprintf(&jsonfile, "%s/config.json", opts.ocibundle) < 0) { 2787 ret=-ENOMEM; 2788 goto errout; 2789 } 2790 ocires = parseOCI(jsonfile); 2791 free(jsonfile); 2792 if (ocires) { 2793 ERROR("parsing of OCI JSON spec has failed: %s (%d)\n", strerror(ocires), ocires); 2794 ret=ocires; 2795 goto errout; 2796 } 2797 } 2798 2799 if (opts.namespace & CLONE_NEWNET) { 2800 if (!opts.name) { 2801 ERROR("netns needs a named jail\n"); 2802 ret=-1; 2803 goto errout; 2804 } 2805 } 2806 2807 2808 if (opts.tmpoverlaysize && strlen(opts.tmpoverlaysize) > 8) { 2809 ERROR("size parameter too long: \"%s\"\n", opts.tmpoverlaysize); 2810 ret=-1; 2811 goto errout; 2812 } 2813 2814 if (opts.extroot && checkpath(opts.extroot)) { 2815 ERROR("invalid rootfs path '%s'", opts.extroot); 2816 ret=-1; 2817 goto errout; 2818 } 2819 2820 if (opts.overlaydir && checkpath(opts.overlaydir)) { 2821 ERROR("invalid rootfs overlay path '%s'", opts.overlaydir); 2822 ret=-1; 2823 goto errout; 2824 } 2825 2826 /* no <binary> param found */ 2827 if (!opts.ocibundle && (argc - optind < 1)) { 2828 usage(); 2829 ret=EXIT_FAILURE; 2830 goto errout; 2831 } 2832 if (!(opts.ocibundle||opts.namespace||opts.capabilities||opts.seccomp|| 2833 (opts.setns.net != -1) || 2834 (opts.setns.ns != -1) || 2835 (opts.setns.ipc != -1) || 2836 (opts.setns.uts != -1) || 2837 (opts.setns.user != -1) || 2838 (opts.setns.cgroup != -1))) { 2839 ERROR("Not using namespaces, capabilities or seccomp !!!\n\n"); 2840 usage(); 2841 ret=EXIT_FAILURE; 2842 goto errout; 2843 } 2844 DEBUG("Using namespaces(0x%08x), capabilities(%d), seccomp(%d)\n", 2845 opts.namespace, 2846 opts.capset.apply, 2847 opts.seccomp != 0 || opts.ociseccomp != 0); 2848 2849 uloop_init(); 2850 signals_init(); 2851 2852 parent_ctx = ubus_connect(NULL); 2853 ubus_add_uloop(parent_ctx); 2854 2855 if (opts.ocibundle) { 2856 char *objname; 2857 if (asprintf(&objname, "container.%s", opts.name) < 0) { 2858 ret=-ENOMEM; 2859 goto errout; 2860 } 2861 2862 container_object.name = objname; 2863 ret = ubus_add_object(parent_ctx, &container_object); 2864 if (ret) { 2865 ERROR("Failed to add object: %s\n", ubus_strerror(ret)); 2866 ret=-1; 2867 goto errout; 2868 } 2869 } 2870 2871 /* deliberately not using 'else' on unrelated conditional branches */ 2872 if (!opts.ocibundle) { 2873 /* allocate NULL-terminated array for argv */ 2874 opts.jail_argv = calloc(1 + argc - optind, sizeof(void *)); 2875 if (!opts.jail_argv) { 2876 ret=EXIT_FAILURE; 2877 goto errout; 2878 } 2879 for (size_t s = optind; s < argc; s++) 2880 opts.jail_argv[s - optind] = strdup(argv[s]); 2881 2882 if (opts.namespace & CLONE_NEWUSER) 2883 get_jail_user(&opts.pw_uid, &opts.pw_gid, &opts.gr_gid); 2884 } 2885 2886 if (!opts.extroot) { 2887 if (opts.namespace && add_path_and_deps(*opts.jail_argv, 1, -1, 0)) { 2888 ERROR("failed to load dependencies\n"); 2889 ret=-1; 2890 goto errout; 2891 } 2892 } 2893 2894 if (opts.namespace && opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) { 2895 ERROR("failed to load libpreload-seccomp.so\n"); 2896 opts.seccomp = 0; 2897 if (opts.require_jail) { 2898 ret=-1; 2899 goto errout; 2900 } 2901 } 2902 2903 uloop_timeout_add(&post_main_timeout); 2904 uloop_run(); 2905 2906 errout: 2907 if (opts.ocibundle) 2908 cgroups_free(); 2909 2910 free_opts(true); 2911 2912 return ret; 2913 } 2914 2915 static void post_main(struct uloop_timeout *t) 2916 { 2917 if (apply_rlimits()) { 2918 ERROR("error applying resource limits\n"); 2919 free_and_exit(EXIT_FAILURE); 2920 } 2921 2922 if (opts.name) 2923 prctl(PR_SET_NAME, opts.name, NULL, NULL, NULL); 2924 2925 if (pipe(&pipes[0]) < 0 || pipe(&pipes[2]) < 0) 2926 free_and_exit(-1); 2927 2928 if (has_namespaces()) { 2929 if (opts.namespace & CLONE_NEWNS) { 2930 if (!opts.extroot && (opts.user || opts.group)) { 2931 add_mount_bind("/etc/passwd", 1, -1); 2932 add_mount_bind("/etc/group", 1, -1); 2933 } 2934 2935 #if defined(__GLIBC__) 2936 if (!opts.extroot) 2937 add_mount_bind("/etc/nsswitch.conf", 1, -1); 2938 #endif 2939 if (opts.setns.ns == -1) { 2940 if (!(opts.namespace & CLONE_NEWNET)) { 2941 add_mount_bind("/etc/resolv.conf", 1, 0); 2942 } else { 2943 /* new mount namespace to provide /dev/resolv.conf.d */ 2944 char hostdir[PATH_MAX]; 2945 2946 snprintf(hostdir, PATH_MAX, "/tmp/resolv.conf-%s.d", opts.name); 2947 mkdir_p(hostdir, 0755); 2948 add_mount(hostdir, "/dev/resolv.conf.d", NULL, 2949 MS_BIND | MS_NOEXEC | MS_NOATIME | MS_NOSUID | MS_NODEV | MS_RDONLY, 0, NULL, 0); 2950 } 2951 } 2952 /* default mounts */ 2953 add_mount(NULL, "/dev", "tmpfs", MS_NOATIME | MS_NOEXEC | MS_NOSUID, 0, "size=1M", -1); 2954 add_mount(NULL, "/dev/pts", "devpts", MS_NOATIME | MS_NOEXEC | MS_NOSUID, 0, "newinstance,ptmxmode=0666,mode=0620,gid=5", 0); 2955 2956 if (opts.procfs || opts.ocibundle) { 2957 add_mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0, NULL, -1); 2958 2959 /* 2960 * hack to make /proc/sys/net read-write while the rest of /proc/sys is read-only 2961 * which cannot be expressed with OCI spec, but happends to be very useful. 2962 * Only apply it if '/proc/sys' is not already listed as mount, maskedPath or 2963 * readonlyPath. 2964 * If not running in a new network namespace, only make /proc/sys read-only. 2965 * If running in a new network namespace, temporarily stash (ie. mount-bind) 2966 * /proc/sys/net into (totally unrelated, but surely existing) /proc/self/net. 2967 * Then we mount-bind /proc/sys read-only and then mount-move /proc/self/net into 2968 * /proc/sys/net. 2969 * This works because mounts are executed in incrementing strcmp() order and 2970 * /proc/self/net appears there before /proc/sys/net and hence the operation 2971 * succeeds as the bind-mount of /proc/self/net is performed first and then 2972 * move-mount of /proc/sys/net follows because 'e' preceeds 'y' in the ASCII 2973 * table (and in the alphabet). 2974 */ 2975 if (!add_mount(NULL, "/proc/sys", NULL, MS_BIND | MS_RDONLY, 0, NULL, -1)) 2976 if (opts.namespace & CLONE_NEWNET) 2977 if (!add_mount_inner("/proc/self/net", "/proc/sys/net", NULL, MS_MOVE, 0, NULL, -1)) 2978 add_mount_inner("/proc/sys/net", "/proc/self/net", NULL, MS_BIND, 0, NULL, -1); 2979 2980 } 2981 if (opts.sysfs || opts.ocibundle) 2982 add_mount("sysfs", "/sys", "sysfs", MS_RELATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, 0, NULL, -1); 2983 2984 if (opts.ocibundle) 2985 add_mount("shm", "/dev/shm", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV, 0, "mode=1777", -1); 2986 2987 } 2988 2989 if (opts.setns.pid != -1) { 2990 pidns_fd = ns_open_pid("pid", getpid()); 2991 setns_open(CLONE_NEWPID); 2992 } else { 2993 pidns_fd = -1; 2994 } 2995 2996 #ifdef CLONE_NEWTIME 2997 if (opts.setns.time != -1) { 2998 timens_fd = ns_open_pid("time", getpid()); 2999 setns_open(CLONE_NEWTIME); 3000 } else { 3001 timens_fd = -1; 3002 } 3003 #endif 3004 3005 if (opts.namespace & CLONE_NEWUSER) { 3006 if (prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP)) { 3007 ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n"); 3008 free_and_exit(EXIT_FAILURE); 3009 } 3010 if (seteuid(opts.root_map_uid)) { 3011 ERROR("seteuid(%d) failed: %m\n", opts.root_map_uid); 3012 free_and_exit(EXIT_FAILURE); 3013 } 3014 } 3015 3016 jail_process.pid = clone(exec_jail, child_stack + STACK_SIZE, SIGCHLD | (opts.namespace & (~CLONE_NEWCGROUP)), NULL); 3017 } else { 3018 jail_process.pid = fork(); 3019 } 3020 3021 if (jail_process.pid > 0) { 3022 /* parent process */ 3023 char sig_buf[1]; 3024 3025 uloop_process_add(&jail_process); 3026 jail_running = 1; 3027 if (seteuid(0)) { 3028 ERROR("seteuid(%d) failed: %m\n", opts.root_map_uid); 3029 free_and_exit(EXIT_FAILURE); 3030 } 3031 3032 prctl(PR_SET_SECUREBITS, 0); 3033 3034 if (pidns_fd != -1) { 3035 setns(pidns_fd, CLONE_NEWPID); 3036 close(pidns_fd); 3037 } 3038 #ifdef CLONE_NEWTIME 3039 if (timens_fd != -1) { 3040 setns(timens_fd, CLONE_NEWTIME); 3041 close(timens_fd); 3042 } 3043 #endif 3044 if (opts.setns.net != -1) 3045 close(opts.setns.net); 3046 if (opts.setns.ns != -1) 3047 close(opts.setns.ns); 3048 if (opts.setns.ipc != -1) 3049 close(opts.setns.ipc); 3050 if (opts.setns.uts != -1) 3051 close(opts.setns.uts); 3052 if (opts.setns.user != -1) 3053 close(opts.setns.user); 3054 if (opts.setns.cgroup != -1) 3055 close(opts.setns.cgroup); 3056 close(pipes[1]); 3057 close(pipes[2]); 3058 if (read(pipes[0], sig_buf, 1) < 1) { 3059 ERROR("can't read from child\n"); 3060 free_and_exit(-1); 3061 } 3062 close(pipes[0]); 3063 set_oom_score_adj(); 3064 3065 if (opts.ocibundle) 3066 cgroups_apply(jail_process.pid); 3067 3068 if (opts.namespace & CLONE_NEWUSER) { 3069 if (write_setgroups(jail_process.pid, true)) { 3070 ERROR("can't write setgroups\n"); 3071 free_and_exit(-1); 3072 } 3073 if (!opts.uidmap) { 3074 bool has_gr = (opts.gr_gid != -1); 3075 if (opts.pw_uid != -1) { 3076 write_single_uid_gid_map(jail_process.pid, 0, opts.pw_uid); 3077 write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:opts.pw_gid); 3078 } else { 3079 write_single_uid_gid_map(jail_process.pid, 0, 65534); 3080 write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:65534); 3081 } 3082 } else { 3083 write_uid_gid_map(jail_process.pid, 0, opts.uidmap); 3084 if (opts.gidmap) 3085 write_uid_gid_map(jail_process.pid, 1, opts.gidmap); 3086 } 3087 } 3088 3089 if (opts.namespace & CLONE_NEWNET) 3090 jail_network_start(parent_ctx, opts.name, jail_process.pid); 3091 3092 if (jail_writepid(jail_process.pid)) { 3093 ERROR("failed to write pidfile: %m\n"); 3094 free_and_exit(-1); 3095 } 3096 } else if (jail_process.pid == 0) { 3097 /* fork child process */ 3098 free_and_exit(exec_jail(NULL)); 3099 } else { 3100 ERROR("failed to clone/fork: %m\n"); 3101 free_and_exit(EXIT_FAILURE); 3102 } 3103 run_hooks(opts.hooks.createRuntime, post_create_runtime); 3104 } 3105 3106 static void post_poststart(void); 3107 static void post_create_runtime(void) 3108 { 3109 char sig_buf[1]; 3110 3111 sig_buf[0] = 'O'; 3112 if (write(pipes[3], sig_buf, 1) < 0) { 3113 ERROR("can't write to child\n"); 3114 free_and_exit(-1); 3115 } 3116 3117 jail_oci_state = OCI_STATE_CREATED; 3118 if (opts.ocibundle && !opts.immediately) 3119 uloop_run(); /* wait for 'start' command via ubus */ 3120 else 3121 pipe_send_start_container(NULL); 3122 } 3123 3124 static void pipe_send_start_container(struct uloop_timeout *t) 3125 { 3126 char sig_buf[1]; 3127 3128 jail_oci_state = OCI_STATE_RUNNING; 3129 sig_buf[0] = '!'; 3130 if (write(pipes[3], sig_buf, 1) < 0) { 3131 ERROR("can't write to child\n"); 3132 free_and_exit(-1); 3133 } 3134 close(pipes[3]); 3135 3136 run_hooks(opts.hooks.poststart, post_poststart); 3137 } 3138 3139 static void post_poststart(void) 3140 { 3141 uloop_run(); /* idle here while jail is running */ 3142 if (jail_running) { 3143 DEBUG("uloop interrupted, killing jail process\n"); 3144 kill(jail_process.pid, SIGTERM); 3145 uloop_timeout_set(&jail_process_timeout, 1000); 3146 uloop_run(); 3147 } 3148 uloop_done(); 3149 poststop(); 3150 } 3151 3152 static void post_poststop(void); 3153 static void poststop(void) { 3154 if (opts.namespace & CLONE_NEWNET) { 3155 setns(netns_fd, CLONE_NEWNET); 3156 jail_network_stop(); 3157 close(netns_fd); 3158 } 3159 run_hooks(opts.hooks.poststop, post_poststop); 3160 } 3161 3162 static void post_poststop(void) 3163 { 3164 free_opts(true); 3165 if (parent_ctx) 3166 ubus_free(parent_ctx); 3167 3168 exit(jail_return_code); 3169 } 3170
This page was automatically generated by LXR 0.3.1. • OpenWrt