1 /* 2 * Copyright (C) 2015 John Crispin <blogic@openwrt.org> 3 * Copyright (C) 2020 Daniel Golle <daniel@makrotopia.org> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU Lesser General Public License version 2.1 7 * as published by the Free Software Foundation 8 * 9 * This program is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 * GNU General Public License for more details. 13 */ 14 15 #define _GNU_SOURCE 16 #include <sys/mount.h> 17 #include <sys/prctl.h> 18 #include <sys/wait.h> 19 #include <sys/types.h> 20 #include <sys/time.h> 21 #include <sys/resource.h> 22 #include <sys/stat.h> 23 #include <sys/sysmacros.h> 24 25 /* musl only defined 15 limit types, make sure all 16 are supported */ 26 #ifndef RLIMIT_RTTIME 27 #define RLIMIT_RTTIME 15 28 #undef RLIMIT_NLIMITS 29 #define RLIMIT_NLIMITS 16 30 #undef RLIM_NLIMITS 31 #define RLIM_NLIMITS 16 32 #endif 33 34 #include <assert.h> 35 #include <stdlib.h> 36 #include <unistd.h> 37 #include <errno.h> 38 #include <pwd.h> 39 #include <grp.h> 40 #include <string.h> 41 #include <fcntl.h> 42 #include <sched.h> 43 #include <linux/filter.h> 44 #include <linux/limits.h> 45 #include <linux/nsfs.h> 46 #include <linux/securebits.h> 47 #include <signal.h> 48 #include <inttypes.h> 49 50 #include "capabilities.h" 51 #include "elf.h" 52 #include "fs.h" 53 #include "jail.h" 54 #include "log.h" 55 #include "seccomp-oci.h" 56 #include "cgroups.h" 57 #include "netifd.h" 58 59 #include <libubox/blobmsg.h> 60 #include <libubox/blobmsg_json.h> 61 #include <libubox/list.h> 62 #include <libubox/vlist.h> 63 #include <libubox/uloop.h> 64 #include <libubox/utils.h> 65 #include <libubus.h> 66 67 #ifndef CLONE_NEWCGROUP 68 #define CLONE_NEWCGROUP 0x02000000 69 #endif 70 71 #define STACK_SIZE (1024 * 1024) 72 #define OPT_ARGS "cC:d:e:EfFG:h:ij:J:ln:NoO:pP:r:R:sS:uU:w:t:T:y" 73 74 #define OCI_VERSION_STRING "1.0.2" 75 76 struct hook_execvpe { 77 char *file; 78 char **argv; 79 char **envp; 80 int timeout; 81 }; 82 83 struct sysctl_val { 84 char *entry; 85 char *value; 86 }; 87 88 struct mknod_args { 89 char *path; 90 mode_t mode; 91 dev_t dev; 92 uid_t uid; 93 gid_t gid; 94 }; 95 96 static struct { 97 char *name; 98 char *hostname; 99 char **jail_argv; 100 char *cwd; 101 char *seccomp; 102 struct sock_fprog *ociseccomp; 103 char *capabilities; 104 struct jail_capset capset; 105 char *user; 106 char *group; 107 char *extroot; 108 char *overlaydir; 109 char *tmpoverlaysize; 110 char **envp; 111 char *uidmap; 112 char *gidmap; 113 char *pidfile; 114 struct sysctl_val **sysctl; 115 int no_new_privs; 116 int namespace; 117 struct { 118 int pid; 119 int net; 120 int ns; 121 int ipc; 122 int uts; 123 int user; 124 int cgroup; 125 #ifdef CLONE_NEWTIME 126 int time; 127 #endif 128 } setns; 129 int procfs; 130 int ronly; 131 int sysfs; 132 int console; 133 int pw_uid; 134 int pw_gid; 135 int gr_gid; 136 int root_map_uid; 137 gid_t *additional_gids; 138 size_t num_additional_gids; 139 mode_t umask; 140 bool set_umask; 141 int require_jail; 142 struct { 143 struct hook_execvpe **createRuntime; 144 struct hook_execvpe **createContainer; 145 struct hook_execvpe **startContainer; 146 struct hook_execvpe **poststart; 147 struct hook_execvpe **poststop; 148 } hooks; 149 struct rlimit *rlimits[RLIM_NLIMITS]; 150 int oom_score_adj; 151 bool set_oom_score_adj; 152 struct mknod_args **devices; 153 char *ocibundle; 154 bool immediately; 155 struct blob_attr *annotations; 156 int term_timeout; 157 } opts; 158 159 static struct blob_buf ocibuf; 160 161 extern int pivot_root(const char *new_root, const char *put_old); 162 163 int debug = 0; 164 165 static char child_stack[STACK_SIZE]; 166 167 static struct ubus_context *parent_ctx; 168 169 int console_fd; 170 171 172 static inline bool has_namespaces(void) 173 { 174 return ((opts.setns.pid != -1) || 175 (opts.setns.net != -1) || 176 (opts.setns.ns != -1) || 177 (opts.setns.ipc != -1) || 178 (opts.setns.uts != -1) || 179 (opts.setns.user != -1) || 180 (opts.setns.cgroup != -1) || 181 #ifdef CLONE_NEWTIME 182 (opts.setns.time != -1) || 183 #endif 184 opts.namespace); 185 } 186 187 static void free_oci_envp(char **p) { 188 char **tmp; 189 190 if (p) { 191 tmp = p; 192 while (*tmp) 193 free(*(tmp++)); 194 195 free(p); 196 } 197 } 198 199 static void free_hooklist(struct hook_execvpe **hooklist) 200 { 201 struct hook_execvpe *cur; 202 203 if (!hooklist) 204 return; 205 206 cur = *hooklist; 207 while (cur) { 208 free_oci_envp(cur->argv); 209 free_oci_envp(cur->envp); 210 free(cur->file); 211 free(cur++); 212 } 213 free(hooklist); 214 } 215 216 static void free_sysctl(void) { 217 struct sysctl_val *cur; 218 cur = *opts.sysctl; 219 220 while (cur) { 221 free(cur->entry); 222 free(cur->value); 223 free(cur++); 224 } 225 free(opts.sysctl); 226 } 227 228 static void free_devices(void) { 229 struct mknod_args **cur; 230 231 if (!opts.devices) 232 return; 233 234 cur = opts.devices; 235 236 while (*cur) { 237 free((*cur)->path); 238 free(*(cur++)); 239 } 240 free(opts.devices); 241 } 242 243 static void free_rlimits(void) { 244 int type; 245 246 for (type = 0; type < RLIM_NLIMITS; ++type) 247 free(opts.rlimits[type]); 248 } 249 250 static void free_opts(bool parent) { 251 252 free_library_search(); 253 mount_free(); 254 cgroups_free(); 255 256 /* we need to keep argv, envp and seccomp filter in child */ 257 if (parent) { /* parent-only */ 258 if (opts.ociseccomp) { 259 free(opts.ociseccomp->filter); 260 free(opts.ociseccomp); 261 } 262 263 free_oci_envp(opts.jail_argv); 264 free_oci_envp(opts.envp); 265 } 266 267 free_rlimits(); 268 free_sysctl(); 269 free_devices(); 270 free(opts.hostname); 271 free(opts.cwd); 272 free(opts.uidmap); 273 free(opts.gidmap); 274 free(opts.annotations); 275 free(opts.extroot); 276 free(opts.overlaydir); 277 free_hooklist(opts.hooks.createRuntime); 278 free_hooklist(opts.hooks.createContainer); 279 free_hooklist(opts.hooks.startContainer); 280 free_hooklist(opts.hooks.poststart); 281 free_hooklist(opts.hooks.poststop); 282 } 283 284 static int mount_overlay(char *jail_root, char *overlaydir) { 285 char *upperdir, *workdir, *optsstr, *upperetc, *upperresolvconf; 286 const char mountoptsformat[] = "lowerdir=%s,upperdir=%s,workdir=%s"; 287 int ret = -1, fd; 288 289 if (asprintf(&upperdir, "%s%s", overlaydir, "/upper") < 0) 290 goto out; 291 292 if (asprintf(&workdir, "%s%s", overlaydir, "/work") < 0) 293 goto upper_printf; 294 295 if (asprintf(&optsstr, mountoptsformat, jail_root, upperdir, workdir) < 0) 296 goto work_printf; 297 298 if (mkdir_p(upperdir, 0755) || mkdir_p(workdir, 0755)) 299 goto opts_printf; 300 301 /* 302 * make sure /etc/resolv.conf exists in overlay and is owned by jail userns root 303 * this is to work-around a bug in overlayfs described in the overlayfs-userns 304 * patch: 305 * 3. modification of a file 'hithere' which is in l but not yet 306 * in u, and which is not owned by T, is not allowed, even if 307 * writes to u are allowed. This may be a bug in overlayfs, 308 * but it is safe behavior. 309 */ 310 if (asprintf(&upperetc, "%s/etc", upperdir) < 0) 311 goto opts_printf; 312 313 if (mkdir_p(upperetc, 0755)) 314 goto upper_etc_printf; 315 316 if (asprintf(&upperresolvconf, "%s/resolv.conf", upperetc) < 0) 317 goto upper_etc_printf; 318 319 fd = creat(upperresolvconf, 0644); 320 if (fd < 0) { 321 if (errno != EEXIST) 322 ERROR("creat(%s) failed: %m\n", upperresolvconf); 323 } else { 324 close(fd); 325 } 326 DEBUG("mount -t overlay %s %s (%s)\n", jail_root, jail_root, optsstr); 327 328 if (mount(jail_root, jail_root, "overlay", MS_NOATIME, optsstr)) 329 goto upper_resolvconf_printf; 330 331 ret = 0; 332 333 upper_resolvconf_printf: 334 free(upperresolvconf); 335 upper_etc_printf: 336 free(upperetc); 337 opts_printf: 338 free(optsstr); 339 work_printf: 340 free(workdir); 341 upper_printf: 342 free(upperdir); 343 out: 344 return ret; 345 } 346 347 static void pass_console(int console_fd) 348 { 349 struct ubus_context *child_ctx = ubus_connect(NULL); 350 static struct blob_buf req; 351 uint32_t id; 352 353 if (!child_ctx) 354 return; 355 356 blob_buf_init(&req, 0); 357 blobmsg_add_string(&req, "name", opts.name); 358 359 if (ubus_lookup_id(child_ctx, "container", &id) || 360 ubus_invoke_fd(child_ctx, id, "console_set", req.head, NULL, NULL, 3000, console_fd)) 361 INFO("ubus request failed\n"); 362 else 363 close(console_fd); 364 365 blob_buf_free(&req); 366 ubus_free(child_ctx); 367 } 368 369 static int create_dev_console(const char *jail_root) 370 { 371 char *console_fname; 372 char dev_console_path[PATH_MAX]; 373 int slave_console_fd; 374 375 /* Open UNIX/98 virtual console */ 376 console_fd = posix_openpt(O_RDWR | O_NOCTTY); 377 if (console_fd < 0) 378 return -1; 379 380 console_fname = ptsname(console_fd); 381 DEBUG("got console fd %d and PTS client name %s\n", console_fd, console_fname); 382 if (!console_fname) 383 goto no_console; 384 385 grantpt(console_fd); 386 unlockpt(console_fd); 387 388 /* pass PTY master to procd */ 389 pass_console(console_fd); 390 391 /* mount-bind PTY slave to /dev/console in jail */ 392 snprintf(dev_console_path, sizeof(dev_console_path), "%s/dev/console", jail_root); 393 close(creat(dev_console_path, 0620)); 394 395 if (mount(console_fname, dev_console_path, "bind", MS_BIND, NULL)) 396 goto no_console; 397 398 /* use PTY slave for stdio */ 399 slave_console_fd = open(console_fname, O_RDWR); /* | O_NOCTTY */ 400 if (slave_console_fd < 0) 401 goto no_console; 402 403 dup2(slave_console_fd, 0); 404 dup2(slave_console_fd, 1); 405 dup2(slave_console_fd, 2); 406 close(slave_console_fd); 407 408 INFO("using guest console %s\n", console_fname); 409 410 return 0; 411 412 no_console: 413 close(console_fd); 414 return 1; 415 } 416 417 static int hook_running = 0; 418 static int hook_return_code = 0; 419 static struct hook_execvpe **current_hook = NULL; 420 typedef void (*hook_return_handler)(void); 421 static hook_return_handler hook_return_cb = NULL; 422 423 static void hook_process_timeout_cb(struct uloop_timeout *t); 424 static struct uloop_timeout hook_process_timeout = { 425 .cb = hook_process_timeout_cb, 426 }; 427 428 static void run_hooklist(void); 429 static void hook_process_handler(struct uloop_process *c, int ret) 430 { 431 uloop_timeout_cancel(&hook_process_timeout); 432 433 if (WIFEXITED(ret)) { 434 hook_return_code = WEXITSTATUS(ret); 435 if (hook_return_code) 436 ERROR("hook (%d) exited with exit: %d\n", c->pid, hook_return_code); 437 else 438 DEBUG("hook (%d) exited with exit: %d\n", c->pid, hook_return_code); 439 440 } else { 441 hook_return_code = WTERMSIG(ret); 442 ERROR("hook (%d) exited with signal: %d\n", c->pid, hook_return_code); 443 } 444 hook_running = 0; 445 ++current_hook; 446 run_hooklist(); 447 } 448 449 static struct uloop_process hook_process = { 450 .cb = hook_process_handler, 451 }; 452 453 static void hook_process_timeout_cb(struct uloop_timeout *t) 454 { 455 DEBUG("hook process failed to stop, sending SIGKILL\n"); 456 kill(hook_process.pid, SIGKILL); 457 } 458 459 static void run_hooklist(void) 460 { 461 struct hook_execvpe *hook = *current_hook; 462 struct stat s; 463 464 if (!hook) 465 return hook_return_cb(); 466 467 DEBUG("executing hook %s\n", hook->file); 468 469 if (stat(hook->file, &s)) 470 hook_process_handler(&hook_process, ENOENT); 471 472 if (!((unsigned long)s.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) 473 hook_process_handler(&hook_process, EPERM); 474 475 hook_running = 1; 476 hook_process.pid = fork(); 477 if (hook_process.pid == 0) { 478 /* child */ 479 execve(hook->file, hook->argv, hook->envp); 480 ERROR("execve error %m\n"); 481 _exit(errno); 482 } else if (hook_process.pid < 0) { 483 /* fork error */ 484 ERROR("hook fork error\n"); 485 hook_running = 0; 486 hook_process_handler(&hook_process, errno); 487 } 488 489 /* parent */ 490 uloop_process_add(&hook_process); 491 492 if (hook->timeout > 0) 493 uloop_timeout_set(&hook_process_timeout, 1000 * hook->timeout); 494 495 uloop_run(); 496 if (hook_running) { 497 DEBUG("uloop interrupted, killing jail process\n"); 498 kill(hook_process.pid, SIGTERM); 499 uloop_timeout_set(&hook_process_timeout, 1000); 500 uloop_run(); 501 } 502 } 503 504 static void run_hooks(struct hook_execvpe **hooklist, hook_return_handler return_cb) 505 { 506 if (!hooklist) 507 return_cb(); 508 509 current_hook = hooklist; 510 hook_return_cb = return_cb; 511 512 run_hooklist(); 513 } 514 515 static int apply_sysctl(const char *jail_root) 516 { 517 struct sysctl_val **cur; 518 char *procdir, *fname; 519 int f; 520 521 if (!opts.sysctl) 522 return 0; 523 524 if (asprintf(&procdir, "%s/proc", jail_root) < 0) 525 return ENOMEM; 526 527 mkdir(procdir, 0700); 528 if (mount("proc", procdir, "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0)) 529 return EPERM; 530 531 cur = opts.sysctl; 532 533 while (*cur) { 534 if (asprintf(&fname, "%s/sys/%s", procdir, (*cur)->entry) < 0) 535 return ENOMEM; 536 537 DEBUG("sysctl: writing '%s' to %s\n", (*cur)->value, fname); 538 539 f = open(fname, O_WRONLY); 540 if (f < 0) { 541 ERROR("sysctl: can't open %s\n", fname); 542 free(fname); 543 return errno; 544 } 545 if (write(f, (*cur)->value, strlen((*cur)->value)) < 0) { 546 ERROR("sysctl: write to %s\n", fname); 547 free(fname); 548 close(f); 549 return errno; 550 } 551 552 free(fname); 553 close(f); 554 ++cur; 555 } 556 umount(procdir); 557 rmdir(procdir); 558 free(procdir); 559 560 return 0; 561 } 562 563 /* glibc defines makedev calling a function. make sure it's a pure macro */ 564 #if defined(__GLIBC__) 565 #undef makedev 566 /* from musl's sys/sysmacros.h */ 567 #define makedev(x,y) ( \ 568 (((x)&0xfffff000ULL) << 32) | \ 569 (((x)&0x00000fffULL) << 8) | \ 570 (((y)&0xffffff00ULL) << 12) | \ 571 (((y)&0x000000ffULL)) ) 572 #endif 573 574 static struct mknod_args default_devices[] = { 575 { .path = "/dev/null", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 3) }, 576 { .path = "/dev/zero", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 5) }, 577 { .path = "/dev/full", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 7) }, 578 { .path = "/dev/random", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 8) }, 579 { .path = "/dev/urandom", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 9) }, 580 { .path = "/dev/tty", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP), .dev = makedev(5, 0), .gid = 5 }, 581 { 0 }, 582 }; 583 584 static int create_devices(void) 585 { 586 struct mknod_args **cur, *curdef; 587 char *path, *tmp; 588 589 if (!opts.devices) 590 goto only_default_devices; 591 592 cur = opts.devices; 593 594 while (*cur) { 595 path = (*cur)->path; 596 /* don't allow devices outside of /dev */ 597 if (strncmp(path, "/dev", 4)) 598 return EPERM; 599 600 /* make sure parent folder exists */ 601 tmp = strrchr(path, '/'); 602 if (!tmp) 603 return EINVAL; 604 605 *tmp = '\0'; 606 if (strcmp(path, "/dev")) { 607 DEBUG("creating directory %s\n", path); 608 609 mkdir_p(path, 0755); 610 } 611 *tmp = '/'; 612 613 DEBUG("creating %s (mode=%08o)\n", path, (*cur)->mode); 614 615 /* create device */ 616 if (mknod(path, (*cur)->mode, (*cur)->dev)) 617 return errno; 618 619 /* change owner, if needed */ 620 if (((*cur)->uid || (*cur)->gid) && 621 chown(path, (*cur)->uid, (*cur)->gid)) 622 return errno; 623 624 ++cur; 625 } 626 627 only_default_devices: 628 curdef = default_devices; 629 while(curdef->path) { 630 DEBUG("creating %s (mode=%08o)\n", curdef->path, curdef->mode); 631 if (mknod(curdef->path, curdef->mode, curdef->dev)) { 632 ++curdef; 633 continue; /* may already exist, eg. due to a bind-mount */ 634 } 635 if ((curdef->uid || curdef->gid) && 636 chown(curdef->path, curdef->uid, curdef->gid)) 637 return errno; 638 639 ++curdef; 640 } 641 642 /* Dev symbolic links as defined in OCI spec */ 643 (void) symlink("/dev/pts/ptmx", "/dev/ptmx"); 644 (void) symlink("/proc/self/fd", "/dev/fd"); 645 (void) symlink("/proc/self/fd/0", "/dev/stdin"); 646 (void) symlink("/proc/self/fd/1", "/dev/stdout"); 647 (void) symlink("/proc/self/fd/2", "/dev/stderr"); 648 649 return 0; 650 } 651 652 static char jail_root[] = "/tmp/ujail-XXXXXX"; 653 static char tmpovdir[] = "/tmp/ujail-overlay-XXXXXX"; 654 static mode_t old_umask; 655 static void enter_jail_fs(void); 656 static int build_jail_fs(void) 657 { 658 char *overlaydir = NULL; 659 int ret; 660 661 old_umask = umask(0); 662 663 if (mkdtemp(jail_root) == NULL) { 664 ERROR("mkdtemp(%s) failed: %m\n", jail_root); 665 return -1; 666 } 667 668 if (apply_sysctl(jail_root)) { 669 ERROR("failed to apply sysctl values\n"); 670 return -1; 671 } 672 673 /* oldroot can't be MS_SHARED else pivot_root() fails */ 674 if (mount("none", "/", "none", MS_REC|MS_PRIVATE, NULL)) { 675 ERROR("private mount failed %m\n"); 676 return -1; 677 } 678 679 if (opts.extroot) { 680 if (mount(opts.extroot, jail_root, "bind", MS_BIND, NULL)) { 681 ERROR("extroot mount failed %m\n"); 682 return -1; 683 } 684 } else { 685 if (mount("tmpfs", jail_root, "tmpfs", MS_NOATIME, "mode=0755")) { 686 ERROR("tmpfs mount failed %m\n"); 687 return -1; 688 } 689 } 690 691 if (opts.tmpoverlaysize) { 692 char mountoptsstr[] = "mode=0755,size=XXXXXXXX"; 693 694 snprintf(mountoptsstr, sizeof(mountoptsstr), 695 "mode=0755,size=%s", opts.tmpoverlaysize); 696 if (mkdtemp(tmpovdir) == NULL) { 697 ERROR("mkdtemp(%s) failed: %m\n", jail_root); 698 return -1; 699 } 700 if (mount("tmpfs", tmpovdir, "tmpfs", MS_NOATIME, 701 mountoptsstr)) { 702 ERROR("failed to mount tmpfs for overlay (size=%s)\n", opts.tmpoverlaysize); 703 return -1; 704 } 705 overlaydir = tmpovdir; 706 } 707 708 if (opts.overlaydir) 709 overlaydir = opts.overlaydir; 710 711 if (overlaydir) { 712 ret = mount_overlay(jail_root, overlaydir); 713 if (ret) 714 return ret; 715 } 716 717 if (chdir(jail_root)) { 718 ERROR("chdir(%s) (jail_root) failed: %m\n", jail_root); 719 return -1; 720 } 721 722 if (mount_all(jail_root)) { 723 ERROR("mount_all() failed\n"); 724 return -1; 725 } 726 727 if (opts.console) 728 create_dev_console(jail_root); 729 730 /* make sure /etc/resolv.conf exists if in new network namespace */ 731 if (opts.namespace & CLONE_NEWNET) { 732 char jailetc[PATH_MAX], jaillink[PATH_MAX]; 733 734 snprintf(jailetc, PATH_MAX, "%s/etc", jail_root); 735 mkdir_p(jailetc, 0755); 736 snprintf(jaillink, PATH_MAX, "%s/etc/resolv.conf", jail_root); 737 if (overlaydir) 738 unlink(jaillink); 739 740 (void) symlink("../dev/resolv.conf.d/resolv.conf.auto", jaillink); 741 } 742 743 run_hooks(opts.hooks.createContainer, enter_jail_fs); 744 745 return 0; 746 } 747 748 static bool exit_from_child; 749 static void free_and_exit(int ret) 750 { 751 if (!exit_from_child && opts.ocibundle) 752 cgroups_free(); 753 754 if (!exit_from_child && parent_ctx) 755 ubus_free(parent_ctx); 756 757 free_opts(!exit_from_child); 758 759 exit(ret); 760 } 761 762 static void post_jail_fs(void); 763 static void enter_jail_fs(void) 764 { 765 char dirbuf[sizeof(jail_root) + 4]; 766 767 snprintf(dirbuf, sizeof(dirbuf), "%s/old", jail_root); 768 mkdir(dirbuf, 0755); 769 770 if (pivot_root(jail_root, dirbuf) == -1) { 771 ERROR("pivot_root(%s, %s) failed: %m\n", jail_root, dirbuf); 772 free_and_exit(-1); 773 } 774 if (chdir("/")) { 775 ERROR("chdir(/) (after pivot_root) failed: %m\n"); 776 free_and_exit(-1); 777 } 778 779 snprintf(dirbuf, sizeof(dirbuf), "/old%s", jail_root); 780 umount2(dirbuf, MNT_DETACH); 781 rmdir(dirbuf); 782 if (opts.tmpoverlaysize) { 783 char tmpdirbuf[sizeof(tmpovdir) + 4]; 784 snprintf(tmpdirbuf, sizeof(tmpdirbuf), "/old%s", tmpovdir); 785 umount2(tmpdirbuf, MNT_DETACH); 786 rmdir(tmpdirbuf); 787 } 788 789 umount2("/old", MNT_DETACH); 790 rmdir("/old"); 791 792 if (create_devices()) { 793 ERROR("create_devices() failed\n"); 794 free_and_exit(-1); 795 } 796 if (opts.ronly) 797 mount(NULL, "/", "bind", MS_REMOUNT | MS_BIND | MS_RDONLY, 0); 798 799 umask(old_umask); 800 post_jail_fs(); 801 } 802 803 static int write_uid_gid_map(pid_t child_pid, bool gidmap, char *mapstr) 804 { 805 int map_file; 806 char map_path[64]; 807 808 if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s", 809 child_pid, gidmap?"gid_map":"uid_map") < 0) 810 return -1; 811 812 if ((map_file = open(map_path, O_WRONLY)) < 0) 813 return -1; 814 815 if (dprintf(map_file, "%s", mapstr)) { 816 close(map_file); 817 return -1; 818 } 819 820 close(map_file); 821 return 0; 822 } 823 824 static int write_single_uid_gid_map(pid_t child_pid, bool gidmap, int id) 825 { 826 int map_file; 827 char map_path[64]; 828 const char *map_format = "%d %d %d\n"; 829 if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s", 830 child_pid, gidmap?"gid_map":"uid_map") < 0) 831 return -1; 832 833 if ((map_file = open(map_path, O_WRONLY)) < 0) 834 return -1; 835 836 if (dprintf(map_file, map_format, 0, id, 1) < 0) { 837 close(map_file); 838 return -1; 839 } 840 841 close(map_file); 842 return 0; 843 } 844 845 static int write_setgroups(pid_t child_pid, bool allow) 846 { 847 int setgroups_file; 848 char setgroups_path[64]; 849 850 if (snprintf(setgroups_path, sizeof(setgroups_path), "/proc/%d/setgroups", 851 child_pid) < 0) { 852 return -1; 853 } 854 855 if ((setgroups_file = open(setgroups_path, O_WRONLY)) < 0) { 856 return -1; 857 } 858 859 if (dprintf(setgroups_file, "%s", allow?"allow":"deny") == -1) { 860 close(setgroups_file); 861 return -1; 862 } 863 864 close(setgroups_file); 865 return 0; 866 } 867 868 static void get_jail_user(int *user, int *user_gid, int *gr_gid) 869 { 870 struct passwd *p = NULL; 871 struct group *g = NULL; 872 873 if (opts.user) { 874 p = getpwnam(opts.user); 875 if (!p) { 876 ERROR("failed to get uid/gid for user %s: %d (%s)\n", 877 opts.user, errno, strerror(errno)); 878 free_and_exit(EXIT_FAILURE); 879 } 880 *user = p->pw_uid; 881 *user_gid = p->pw_gid; 882 } else { 883 *user = -1; 884 *user_gid = -1; 885 } 886 887 if (opts.group) { 888 g = getgrnam(opts.group); 889 if (!g) { 890 ERROR("failed to get gid for group %s: %m\n", opts.group); 891 free_and_exit(EXIT_FAILURE); 892 } 893 *gr_gid = g->gr_gid; 894 } else { 895 *gr_gid = -1; 896 } 897 }; 898 899 static void set_jail_user(int pw_uid, int user_gid, int gr_gid) 900 { 901 if (opts.user && (user_gid != -1) && initgroups(opts.user, user_gid)) { 902 ERROR("failed to initgroups() for user %s: %m\n", opts.user); 903 free_and_exit(EXIT_FAILURE); 904 } 905 906 if ((gr_gid != -1) && setregid(gr_gid, gr_gid)) { 907 ERROR("failed to set group id %d: %m\n", gr_gid); 908 free_and_exit(EXIT_FAILURE); 909 } 910 911 if ((pw_uid != -1) && setreuid(pw_uid, pw_uid)) { 912 ERROR("failed to set user id %d: %m\n", pw_uid); 913 free_and_exit(EXIT_FAILURE); 914 } 915 } 916 917 static int apply_rlimits(void) 918 { 919 int resource; 920 921 for (resource = 0; resource < RLIM_NLIMITS; ++resource) { 922 if (opts.rlimits[resource]) 923 DEBUG("applying limits to resource %u\n", resource); 924 925 if (opts.rlimits[resource] && 926 setrlimit(resource, opts.rlimits[resource])) 927 return errno; 928 } 929 930 return 0; 931 } 932 933 #define MAX_ENVP 64 934 static char** build_envp(const char *seccomp, char **ocienvp) 935 { 936 static char *envp[MAX_ENVP]; 937 static char preload_var[PATH_MAX]; 938 static char seccomp_var[PATH_MAX]; 939 static char seccomp_debug_var[20]; 940 static char debug_var[] = "LD_DEBUG=all"; 941 static char container_var[] = "container=ujail"; 942 const char *preload_lib = find_lib("libpreload-seccomp.so"); 943 char **addenv; 944 945 int count = 0; 946 947 if (seccomp && !preload_lib) { 948 ERROR("failed to add preload-lib to env\n"); 949 return NULL; 950 } 951 if (seccomp) { 952 snprintf(seccomp_var, sizeof(seccomp_var), "SECCOMP_FILE=%s", seccomp); 953 envp[count++] = seccomp_var; 954 snprintf(seccomp_debug_var, sizeof(seccomp_debug_var), "SECCOMP_DEBUG=%2d", debug); 955 envp[count++] = seccomp_debug_var; 956 snprintf(preload_var, sizeof(preload_var), "LD_PRELOAD=%s", preload_lib); 957 envp[count++] = preload_var; 958 } 959 960 envp[count++] = container_var; 961 962 if (debug > 1) 963 envp[count++] = debug_var; 964 965 addenv = ocienvp; 966 while (addenv && *addenv) { 967 envp[count++] = *(addenv++); 968 if (count >= MAX_ENVP) { 969 ERROR("environment limited to %d extra records, truncating\n", MAX_ENVP); 970 break; 971 } 972 } 973 return envp; 974 } 975 976 static void usage(void) 977 { 978 fprintf(stderr, "ujail <options> -- <binary> <params ...>\n"); 979 fprintf(stderr, " -d <num>\tshow debug log (increase num to increase verbosity)\n"); 980 fprintf(stderr, " -S <file>\tseccomp filter config\n"); 981 fprintf(stderr, " -C <file>\tcapabilities drop config\n"); 982 fprintf(stderr, " -c\t\tset PR_SET_NO_NEW_PRIVS\n"); 983 fprintf(stderr, " -n <name>\tthe name of the jail\n"); 984 fprintf(stderr, " -e <var>\timport environment variable\n"); 985 fprintf(stderr, "namespace jail options:\n"); 986 fprintf(stderr, " -h <hostname>\tchange the hostname of the jail\n"); 987 fprintf(stderr, " -N\t\tjail has network namespace\n"); 988 fprintf(stderr, " -f\t\tjail has user namespace\n"); 989 fprintf(stderr, " -F\t\tjail has cgroups namespace\n"); 990 fprintf(stderr, " -r <file>\treadonly files that should be staged\n"); 991 fprintf(stderr, " -w <file>\twriteable files that should be staged\n"); 992 fprintf(stderr, " -p\t\tjail has /proc\n"); 993 fprintf(stderr, " -s\t\tjail has /sys\n"); 994 fprintf(stderr, " -l\t\tjail has /dev/log\n"); 995 fprintf(stderr, " -u\t\tjail has a ubus socket\n"); 996 fprintf(stderr, " -U <name>\tuser to run jailed process\n"); 997 fprintf(stderr, " -G <name>\tgroup to run jailed process\n"); 998 fprintf(stderr, " -o\t\tremont jail root (/) read only\n"); 999 fprintf(stderr, " -R <dir>\texternal jail rootfs (system container)\n"); 1000 fprintf(stderr, " -O <dir>\tdirectory for r/w overlayfs\n"); 1001 fprintf(stderr, " -T <size>\tuse tmpfs r/w overlayfs with <size>\n"); 1002 fprintf(stderr, " -E\t\tfail if jail cannot be setup\n"); 1003 fprintf(stderr, " -y\t\tprovide jail console\n"); 1004 fprintf(stderr, " -J <dir>\tcreate container from OCI bundle\n"); 1005 fprintf(stderr, " -i\t\tstart container immediately\n"); 1006 fprintf(stderr, " -P <pidfile>\tcreate <pidfile>\n"); 1007 fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\ 1008 and he has the same powers as root outside the jail,\n\ 1009 thus he can escape the jail and/or break stuff.\n\ 1010 Please use seccomp/capabilities (-S/-C) to restrict his powers\n\n\ 1011 If you use none of the namespace jail options,\n\ 1012 ujail will not use namespace/build a jail,\n\ 1013 and will only drop capabilities/apply seccomp filter.\n\n"); 1014 } 1015 1016 static int* get_namespace_fd(const unsigned int nstype) 1017 { 1018 switch (nstype) { 1019 case CLONE_NEWPID: 1020 return &opts.setns.pid; 1021 case CLONE_NEWNET: 1022 return &opts.setns.net; 1023 case CLONE_NEWNS: 1024 return &opts.setns.ns; 1025 case CLONE_NEWIPC: 1026 return &opts.setns.ipc; 1027 case CLONE_NEWUTS: 1028 return &opts.setns.uts; 1029 case CLONE_NEWUSER: 1030 return &opts.setns.user; 1031 case CLONE_NEWCGROUP: 1032 return &opts.setns.cgroup; 1033 #ifdef CLONE_NEWTIME 1034 case CLONE_NEWTIME: 1035 return &opts.setns.time; 1036 #endif 1037 default: 1038 return NULL; 1039 } 1040 } 1041 1042 static int setns_open(unsigned long nstype) 1043 { 1044 int *fd = get_namespace_fd(nstype); 1045 1046 assert(fd != NULL); 1047 1048 if (*fd < 0) 1049 return 0; 1050 1051 if (setns(*fd, nstype) == -1) { 1052 close(*fd); 1053 return errno; 1054 } 1055 1056 close(*fd); 1057 return 0; 1058 } 1059 1060 static int jail_running = 0; 1061 static int jail_return_code = 0; 1062 1063 static void jail_process_timeout_cb(struct uloop_timeout *t); 1064 static struct uloop_timeout jail_process_timeout = { 1065 .cb = jail_process_timeout_cb, 1066 }; 1067 static void poststop(void); 1068 static void jail_process_handler(struct uloop_process *c, int ret) 1069 { 1070 uloop_timeout_cancel(&jail_process_timeout); 1071 if (WIFEXITED(ret)) { 1072 jail_return_code = WEXITSTATUS(ret); 1073 INFO("jail (%d) exited with exit: %d\n", c->pid, jail_return_code); 1074 } else { 1075 jail_return_code = WTERMSIG(ret); 1076 INFO("jail (%d) exited with signal: %d\n", c->pid, jail_return_code); 1077 } 1078 jail_running = 0; 1079 poststop(); 1080 } 1081 1082 static struct uloop_process jail_process = { 1083 .cb = jail_process_handler, 1084 }; 1085 1086 static void jail_process_timeout_cb(struct uloop_timeout *t) 1087 { 1088 DEBUG("jail process failed to stop, sending SIGKILL\n"); 1089 kill(jail_process.pid, SIGKILL); 1090 } 1091 1092 static void jail_handle_signal(int signo) 1093 { 1094 if (hook_running) { 1095 DEBUG("forwarding signal %d to the hook process\n", signo); 1096 kill(hook_process.pid, signo); 1097 /* set timeout to send SIGKILL hook process in case SIGTERM doesn't succeed */ 1098 if (signo == SIGTERM) 1099 uloop_timeout_set(&hook_process_timeout, opts.term_timeout * 1000); 1100 } 1101 1102 if (jail_running) { 1103 DEBUG("forwarding signal %d to the jailed process\n", signo); 1104 kill(jail_process.pid, signo); 1105 /* set timeout to send SIGKILL jail process in case SIGTERM doesn't succeed */ 1106 if (signo == SIGTERM) 1107 uloop_timeout_set(&jail_process_timeout, opts.term_timeout * 1000); 1108 } 1109 } 1110 1111 static void signals_init(void) 1112 { 1113 int i; 1114 sigset_t sigmask; 1115 1116 sigfillset(&sigmask); 1117 for (i = 0; i < _NSIG; i++) { 1118 struct sigaction s = { 0 }; 1119 1120 if (!sigismember(&sigmask, i)) 1121 continue; 1122 if ((i == SIGCHLD) || (i == SIGPIPE) || (i == SIGSEGV) || (i == SIGSTOP) || (i == SIGKILL)) 1123 continue; 1124 1125 s.sa_handler = jail_handle_signal; 1126 sigaction(i, &s, NULL); 1127 } 1128 } 1129 1130 static void pre_exec_jail(struct uloop_timeout *t); 1131 static struct uloop_timeout pre_exec_timeout = { 1132 .cb = pre_exec_jail, 1133 }; 1134 1135 int pipes[4]; 1136 static int exec_jail(void *arg) 1137 { 1138 char buf[1]; 1139 1140 exit_from_child = true; 1141 prctl(PR_SET_SECUREBITS, 0); 1142 1143 uloop_init(); 1144 signals_init(); 1145 1146 close(pipes[0]); 1147 close(pipes[3]); 1148 1149 setns_open(CLONE_NEWUSER); 1150 setns_open(CLONE_NEWNET); 1151 setns_open(CLONE_NEWNS); 1152 setns_open(CLONE_NEWIPC); 1153 setns_open(CLONE_NEWUTS); 1154 1155 buf[0] = 'i'; 1156 if (write(pipes[1], buf, 1) < 1) { 1157 ERROR("can't write to parent\n"); 1158 return EXIT_FAILURE; 1159 } 1160 close(pipes[1]); 1161 if (read(pipes[2], buf, 1) < 1) { 1162 ERROR("can't read from parent\n"); 1163 return EXIT_FAILURE; 1164 } 1165 if (buf[0] != 'O') { 1166 ERROR("parent had an error, child exiting\n"); 1167 return EXIT_FAILURE; 1168 } 1169 1170 if (opts.namespace & CLONE_NEWCGROUP) 1171 unshare(CLONE_NEWCGROUP); 1172 1173 setns_open(CLONE_NEWCGROUP); 1174 1175 if ((opts.namespace & CLONE_NEWUSER) || (opts.setns.user != -1)) { 1176 if (setregid(0, 0) < 0) { 1177 ERROR("setgid\n"); 1178 free_and_exit(EXIT_FAILURE); 1179 } 1180 if (setreuid(0, 0) < 0) { 1181 ERROR("setuid\n"); 1182 free_and_exit(EXIT_FAILURE); 1183 } 1184 if (setgroups(0, NULL) < 0) { 1185 ERROR("setgroups\n"); 1186 free_and_exit(EXIT_FAILURE); 1187 } 1188 } 1189 1190 if (opts.namespace && opts.hostname && strlen(opts.hostname) > 0 1191 && sethostname(opts.hostname, strlen(opts.hostname))) { 1192 ERROR("sethostname(%s) failed: %m\n", opts.hostname); 1193 free_and_exit(EXIT_FAILURE); 1194 } 1195 1196 uloop_timeout_add(&pre_exec_timeout); 1197 uloop_run(); 1198 1199 free_and_exit(-1); 1200 return -1; 1201 } 1202 1203 static void pre_exec_jail(struct uloop_timeout *t) 1204 { 1205 if ((opts.namespace & CLONE_NEWNS) && build_jail_fs()) { 1206 ERROR("failed to build jail fs\n"); 1207 free_and_exit(EXIT_FAILURE); 1208 } else { 1209 run_hooks(opts.hooks.createContainer, post_jail_fs); 1210 } 1211 } 1212 1213 static void post_start_hook(void); 1214 static void post_jail_fs(void) 1215 { 1216 char buf[1]; 1217 1218 if (read(pipes[2], buf, 1) < 1) { 1219 ERROR("can't read from parent\n"); 1220 free_and_exit(EXIT_FAILURE); 1221 } 1222 if (buf[0] != '!') { 1223 ERROR("parent had an error, child exiting\n"); 1224 free_and_exit(EXIT_FAILURE); 1225 } 1226 close(pipes[2]); 1227 1228 run_hooks(opts.hooks.startContainer, post_start_hook); 1229 } 1230 1231 static void post_start_hook(void) 1232 { 1233 int pw_uid, pw_gid, gr_gid; 1234 1235 /* 1236 * make sure setuid/setgid won't drop capabilities in case capabilities 1237 * have been specified explicitely. 1238 */ 1239 if (opts.capset.apply) { 1240 if (prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP)) { 1241 ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n"); 1242 free_and_exit(EXIT_FAILURE); 1243 } 1244 } 1245 1246 /* drop capabilities, retain those still needed to further setup jail */ 1247 if (applyOCIcapabilities(opts.capset, (1LLU << CAP_SETGID) | (1LLU << CAP_SETUID) | (1LLU << CAP_SETPCAP))) 1248 free_and_exit(EXIT_FAILURE); 1249 1250 /* use either cmdline-supplied user/group or uid/gid from OCI spec */ 1251 get_jail_user(&pw_uid, &pw_gid, &gr_gid); 1252 set_jail_user(opts.pw_uid?:pw_uid, opts.pw_gid?:pw_gid, opts.gr_gid?:gr_gid); 1253 1254 if (opts.additional_gids && 1255 (setgroups(opts.num_additional_gids, opts.additional_gids) < 0)) { 1256 ERROR("setgroups failed: %m\n"); 1257 free_and_exit(EXIT_FAILURE); 1258 } 1259 1260 if (opts.set_umask) 1261 umask(opts.umask); 1262 1263 /* restore securebits back to normal (and lock them if not in userns) */ 1264 if (opts.capset.apply) { 1265 if (prctl(PR_SET_SECUREBITS, (opts.namespace & CLONE_NEWUSER)?0: 1266 SECBIT_KEEP_CAPS_LOCKED|SECBIT_NO_SETUID_FIXUP_LOCKED|SECBIT_NOROOT_LOCKED)) { 1267 ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n"); 1268 free_and_exit(EXIT_FAILURE); 1269 } 1270 } 1271 1272 /* drop remaining capabilities to end up with specified sets */ 1273 if (applyOCIcapabilities(opts.capset, 0)) 1274 free_and_exit(EXIT_FAILURE); 1275 1276 if (opts.no_new_privs && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 1277 ERROR("prctl(PR_SET_NO_NEW_PRIVS) failed: %m\n"); 1278 free_and_exit(EXIT_FAILURE); 1279 } 1280 1281 char **envp = build_envp(opts.seccomp, opts.envp); 1282 if (!envp) 1283 free_and_exit(EXIT_FAILURE); 1284 1285 if (opts.cwd && chdir(opts.cwd)) 1286 free_and_exit(EXIT_FAILURE); 1287 1288 if (opts.ociseccomp && applyOCIlinuxseccomp(opts.ociseccomp)) 1289 free_and_exit(EXIT_FAILURE); 1290 1291 uloop_end(); 1292 free_opts(false); 1293 INFO("exec-ing %s\n", *opts.jail_argv); 1294 if (opts.envp) /* respect PATH if potentially set in ENV */ 1295 execvpe(*opts.jail_argv, opts.jail_argv, envp); 1296 else 1297 execve(*opts.jail_argv, opts.jail_argv, envp); 1298 1299 /* we get there only if execve fails */ 1300 ERROR("failed to execve %s: %m\n", *opts.jail_argv); 1301 exit(EXIT_FAILURE); 1302 } 1303 1304 int ns_open_pid(const char *nstype, const pid_t target_ns) 1305 { 1306 char pid_pid_path[PATH_MAX]; 1307 1308 snprintf(pid_pid_path, sizeof(pid_pid_path), "/proc/%u/ns/%s", target_ns, nstype); 1309 1310 return open(pid_pid_path, O_RDONLY); 1311 } 1312 1313 static int parseOCIenvarray(struct blob_attr *msg, char ***envp) 1314 { 1315 struct blob_attr *cur; 1316 int sz = 0, rem; 1317 1318 blobmsg_for_each_attr(cur, msg, rem) 1319 ++sz; 1320 1321 if (sz > 0) { 1322 *envp = calloc(1 + sz, sizeof(char*)); 1323 if (!(*envp)) 1324 return ENOMEM; 1325 } else { 1326 *envp = NULL; 1327 return 0; 1328 } 1329 1330 sz = 0; 1331 blobmsg_for_each_attr(cur, msg, rem) 1332 (*envp)[sz++] = strdup(blobmsg_get_string(cur)); 1333 1334 if (sz) 1335 (*envp)[sz] = NULL; 1336 1337 return 0; 1338 } 1339 1340 enum { 1341 OCI_ROOT_PATH, 1342 OCI_ROOT_READONLY, 1343 __OCI_ROOT_MAX, 1344 }; 1345 1346 static const struct blobmsg_policy oci_root_policy[] = { 1347 [OCI_ROOT_PATH] = { "path", BLOBMSG_TYPE_STRING }, 1348 [OCI_ROOT_READONLY] = { "readonly", BLOBMSG_TYPE_BOOL }, 1349 }; 1350 1351 static int parseOCIroot(const char *jsonfile, struct blob_attr *msg) 1352 { 1353 char extroot[PATH_MAX] = { 0 }; 1354 struct blob_attr *tb[__OCI_ROOT_MAX]; 1355 char *cur; 1356 char *root_path; 1357 1358 blobmsg_parse(oci_root_policy, __OCI_ROOT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1359 1360 if (!tb[OCI_ROOT_PATH]) 1361 return ENODATA; 1362 1363 root_path = blobmsg_get_string(tb[OCI_ROOT_PATH]); 1364 1365 /* prepend bundle directory in case of relative paths */ 1366 if (root_path[0] != '/') { 1367 strncpy(extroot, jsonfile, PATH_MAX - 1); 1368 1369 cur = strrchr(extroot, '/'); 1370 1371 if (!cur) 1372 return ENOTDIR; 1373 1374 *(++cur) = '\0'; 1375 } 1376 1377 strncat(extroot, root_path, PATH_MAX - (strlen(extroot) + 1)); 1378 1379 /* follow symbolic link(s) */ 1380 opts.extroot = realpath(extroot, NULL); 1381 if (!opts.extroot) 1382 return errno; 1383 1384 if (tb[OCI_ROOT_READONLY]) 1385 opts.ronly = blobmsg_get_bool(tb[OCI_ROOT_READONLY]); 1386 1387 return 0; 1388 } 1389 1390 1391 enum { 1392 OCI_HOOK_PATH, 1393 OCI_HOOK_ARGS, 1394 OCI_HOOK_ENV, 1395 OCI_HOOK_TIMEOUT, 1396 __OCI_HOOK_MAX, 1397 }; 1398 1399 static const struct blobmsg_policy oci_hook_policy[] = { 1400 [OCI_HOOK_PATH] = { "path", BLOBMSG_TYPE_STRING }, 1401 [OCI_HOOK_ARGS] = { "args", BLOBMSG_TYPE_ARRAY }, 1402 [OCI_HOOK_ENV] = { "env", BLOBMSG_TYPE_ARRAY }, 1403 [OCI_HOOK_TIMEOUT] = { "timeout", BLOBMSG_TYPE_INT32 }, 1404 }; 1405 1406 1407 static int parseOCIhook(struct hook_execvpe ***hooklist, struct blob_attr *msg) 1408 { 1409 struct blob_attr *tb[__OCI_HOOK_MAX]; 1410 struct blob_attr *cur; 1411 int rem, ret = 0; 1412 int idx = 0; 1413 1414 blobmsg_for_each_attr(cur, msg, rem) 1415 ++idx; 1416 1417 if (!idx) 1418 return 0; 1419 1420 *hooklist = calloc(idx + 1, sizeof(struct hook_execvpe *)); 1421 idx = 0; 1422 1423 if (!(*hooklist)) 1424 return ENOMEM; 1425 1426 blobmsg_for_each_attr(cur, msg, rem) { 1427 blobmsg_parse(oci_hook_policy, __OCI_HOOK_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 1428 1429 if (!tb[OCI_HOOK_PATH]) { 1430 ret = EINVAL; 1431 goto errout; 1432 } 1433 1434 (*hooklist)[idx] = calloc(1, sizeof(struct hook_execvpe)); 1435 if (tb[OCI_HOOK_ARGS]) { 1436 ret = parseOCIenvarray(tb[OCI_HOOK_ARGS], &((*hooklist)[idx]->argv)); 1437 if (ret) 1438 goto errout; 1439 } else { 1440 (*hooklist)[idx]->argv = calloc(2, sizeof(char *)); 1441 ((*hooklist)[idx]->argv)[0] = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH])); 1442 ((*hooklist)[idx]->argv)[1] = NULL; 1443 }; 1444 1445 1446 if (tb[OCI_HOOK_ENV]) { 1447 ret = parseOCIenvarray(tb[OCI_HOOK_ENV], &((*hooklist)[idx]->envp)); 1448 if (ret) 1449 goto errout; 1450 } 1451 1452 if (tb[OCI_HOOK_TIMEOUT]) 1453 (*hooklist)[idx]->timeout = blobmsg_get_u32(tb[OCI_HOOK_TIMEOUT]); 1454 1455 (*hooklist)[idx]->file = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH])); 1456 1457 ++idx; 1458 } 1459 1460 (*hooklist)[idx] = NULL; 1461 1462 DEBUG("added %d hooks\n", idx); 1463 1464 return 0; 1465 1466 errout: 1467 free_hooklist(*hooklist); 1468 *hooklist = NULL; 1469 1470 return ret; 1471 }; 1472 1473 1474 enum { 1475 OCI_HOOKS_PRESTART, 1476 OCI_HOOKS_CREATERUNTIME, 1477 OCI_HOOKS_CREATECONTAINER, 1478 OCI_HOOKS_STARTCONTAINER, 1479 OCI_HOOKS_POSTSTART, 1480 OCI_HOOKS_POSTSTOP, 1481 __OCI_HOOKS_MAX, 1482 }; 1483 1484 static const struct blobmsg_policy oci_hooks_policy[] = { 1485 [OCI_HOOKS_PRESTART] = { "prestart", BLOBMSG_TYPE_ARRAY }, 1486 [OCI_HOOKS_CREATERUNTIME] = { "createRuntime", BLOBMSG_TYPE_ARRAY }, 1487 [OCI_HOOKS_CREATECONTAINER] = { "createContainer", BLOBMSG_TYPE_ARRAY }, 1488 [OCI_HOOKS_STARTCONTAINER] = { "startContainer", BLOBMSG_TYPE_ARRAY }, 1489 [OCI_HOOKS_POSTSTART] = { "poststart", BLOBMSG_TYPE_ARRAY }, 1490 [OCI_HOOKS_POSTSTOP] = { "poststop", BLOBMSG_TYPE_ARRAY }, 1491 }; 1492 1493 static int parseOCIhooks(struct blob_attr *msg) 1494 { 1495 struct blob_attr *tb[__OCI_HOOKS_MAX]; 1496 int ret; 1497 1498 blobmsg_parse(oci_hooks_policy, __OCI_HOOKS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1499 1500 if (tb[OCI_HOOKS_PRESTART]) 1501 INFO("warning: ignoring deprecated prestart hook\n"); 1502 1503 if (tb[OCI_HOOKS_CREATERUNTIME]) { 1504 ret = parseOCIhook(&opts.hooks.createRuntime, tb[OCI_HOOKS_CREATERUNTIME]); 1505 if (ret) 1506 return ret; 1507 } 1508 1509 if (tb[OCI_HOOKS_CREATECONTAINER]) { 1510 ret = parseOCIhook(&opts.hooks.createContainer, tb[OCI_HOOKS_CREATECONTAINER]); 1511 if (ret) 1512 goto out_createruntime; 1513 } 1514 1515 if (tb[OCI_HOOKS_STARTCONTAINER]) { 1516 ret = parseOCIhook(&opts.hooks.startContainer, tb[OCI_HOOKS_STARTCONTAINER]); 1517 if (ret) 1518 goto out_createcontainer; 1519 } 1520 1521 if (tb[OCI_HOOKS_POSTSTART]) { 1522 ret = parseOCIhook(&opts.hooks.poststart, tb[OCI_HOOKS_POSTSTART]); 1523 if (ret) 1524 goto out_startcontainer; 1525 } 1526 1527 if (tb[OCI_HOOKS_POSTSTOP]) { 1528 ret = parseOCIhook(&opts.hooks.poststop, tb[OCI_HOOKS_POSTSTOP]); 1529 if (ret) 1530 goto out_poststart; 1531 } 1532 1533 return 0; 1534 1535 out_poststart: 1536 free_hooklist(opts.hooks.poststart); 1537 out_startcontainer: 1538 free_hooklist(opts.hooks.startContainer); 1539 out_createcontainer: 1540 free_hooklist(opts.hooks.createContainer); 1541 out_createruntime: 1542 free_hooklist(opts.hooks.createRuntime); 1543 1544 return ret; 1545 }; 1546 1547 1548 enum { 1549 OCI_PROCESS_USER_UID, 1550 OCI_PROCESS_USER_GID, 1551 OCI_PROCESS_USER_UMASK, 1552 OCI_PROCESS_USER_ADDITIONALGIDS, 1553 __OCI_PROCESS_USER_MAX, 1554 }; 1555 1556 static const struct blobmsg_policy oci_process_user_policy[] = { 1557 [OCI_PROCESS_USER_UID] = { "uid", BLOBMSG_TYPE_INT32 }, 1558 [OCI_PROCESS_USER_GID] = { "gid", BLOBMSG_TYPE_INT32 }, 1559 [OCI_PROCESS_USER_UMASK] = { "umask", BLOBMSG_TYPE_INT32 }, 1560 [OCI_PROCESS_USER_ADDITIONALGIDS] = { "additionalGids", BLOBMSG_TYPE_ARRAY }, 1561 }; 1562 1563 static int parseOCIprocessuser(struct blob_attr *msg) { 1564 struct blob_attr *tb[__OCI_PROCESS_USER_MAX]; 1565 struct blob_attr *cur; 1566 int rem; 1567 int has_gid = 0; 1568 1569 blobmsg_parse(oci_process_user_policy, __OCI_PROCESS_USER_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1570 1571 if (tb[OCI_PROCESS_USER_UID]) 1572 opts.pw_uid = blobmsg_get_u32(tb[OCI_PROCESS_USER_UID]); 1573 1574 if (tb[OCI_PROCESS_USER_GID]) { 1575 opts.pw_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]); 1576 opts.gr_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]); 1577 has_gid = 1; 1578 } 1579 1580 if (tb[OCI_PROCESS_USER_ADDITIONALGIDS]) { 1581 size_t gidcnt = 0; 1582 1583 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) { 1584 ++gidcnt; 1585 if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid)) 1586 continue; 1587 } 1588 1589 if (gidcnt) { 1590 opts.additional_gids = calloc(gidcnt + has_gid, sizeof(gid_t)); 1591 gidcnt = 0; 1592 1593 /* always add primary GID to set of GIDs if set */ 1594 if (has_gid) 1595 opts.additional_gids[gidcnt++] = opts.gr_gid; 1596 1597 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) { 1598 if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid)) 1599 continue; 1600 opts.additional_gids[gidcnt++] = blobmsg_get_u32(cur); 1601 } 1602 opts.num_additional_gids = gidcnt; 1603 } 1604 DEBUG("read %zu additional groups\n", gidcnt); 1605 } 1606 1607 if (tb[OCI_PROCESS_USER_UMASK]) { 1608 opts.umask = blobmsg_get_u32(tb[OCI_PROCESS_USER_UMASK]); 1609 opts.set_umask = true; 1610 } 1611 1612 return 0; 1613 } 1614 1615 enum { 1616 OCI_PROCESS_RLIMIT_TYPE, 1617 OCI_PROCESS_RLIMIT_SOFT, 1618 OCI_PROCESS_RLIMIT_HARD, 1619 __OCI_PROCESS_RLIMIT_MAX, 1620 }; 1621 1622 static const struct blobmsg_policy oci_process_rlimit_policy[] = { 1623 [OCI_PROCESS_RLIMIT_TYPE] = { "type", BLOBMSG_TYPE_STRING }, 1624 [OCI_PROCESS_RLIMIT_SOFT] = { "soft", BLOBMSG_CAST_INT64 }, 1625 [OCI_PROCESS_RLIMIT_HARD] = { "hard", BLOBMSG_CAST_INT64 }, 1626 }; 1627 1628 /* from manpage GETRLIMIT(2) */ 1629 static const char* const rlimit_names[RLIM_NLIMITS] = { 1630 [RLIMIT_AS] = "AS", 1631 [RLIMIT_CORE] = "CORE", 1632 [RLIMIT_CPU] = "CPU", 1633 [RLIMIT_DATA] = "DATA", 1634 [RLIMIT_FSIZE] = "FSIZE", 1635 [RLIMIT_LOCKS] = "LOCKS", 1636 [RLIMIT_MEMLOCK] = "MEMLOCK", 1637 [RLIMIT_MSGQUEUE] = "MSGQUEUE", 1638 [RLIMIT_NICE] = "NICE", 1639 [RLIMIT_NOFILE] = "NOFILE", 1640 [RLIMIT_NPROC] = "NPROC", 1641 [RLIMIT_RSS] = "RSS", 1642 [RLIMIT_RTPRIO] = "RTPRIO", 1643 [RLIMIT_RTTIME] = "RTTIME", 1644 [RLIMIT_SIGPENDING] = "SIGPENDING", 1645 [RLIMIT_STACK] = "STACK", 1646 }; 1647 1648 static int resolve_rlimit(char *type) { 1649 unsigned int rltype; 1650 1651 for (rltype = 0; rltype < RLIM_NLIMITS; ++rltype) 1652 if (rlimit_names[rltype] && 1653 !strncmp("RLIMIT_", type, 7) && 1654 !strcmp(rlimit_names[rltype], type + 7)) 1655 return rltype; 1656 1657 return -1; 1658 } 1659 1660 1661 static int parseOCIrlimit(struct blob_attr *msg) 1662 { 1663 struct blob_attr *tb[__OCI_PROCESS_RLIMIT_MAX]; 1664 int limtype = -1; 1665 struct rlimit *curlim; 1666 1667 blobmsg_parse(oci_process_rlimit_policy, __OCI_PROCESS_RLIMIT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1668 1669 if (!tb[OCI_PROCESS_RLIMIT_TYPE] || 1670 !tb[OCI_PROCESS_RLIMIT_SOFT] || 1671 !tb[OCI_PROCESS_RLIMIT_HARD]) 1672 return ENODATA; 1673 1674 limtype = resolve_rlimit(blobmsg_get_string(tb[OCI_PROCESS_RLIMIT_TYPE])); 1675 1676 if (limtype < 0) 1677 return EINVAL; 1678 1679 if (opts.rlimits[limtype]) 1680 return ENOTUNIQ; 1681 1682 curlim = malloc(sizeof(struct rlimit)); 1683 curlim->rlim_cur = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_SOFT]); 1684 curlim->rlim_max = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_HARD]); 1685 1686 opts.rlimits[limtype] = curlim; 1687 1688 return 0; 1689 }; 1690 1691 enum { 1692 OCI_PROCESS_ARGS, 1693 OCI_PROCESS_CAPABILITIES, 1694 OCI_PROCESS_CWD, 1695 OCI_PROCESS_ENV, 1696 OCI_PROCESS_OOMSCOREADJ, 1697 OCI_PROCESS_NONEWPRIVILEGES, 1698 OCI_PROCESS_RLIMITS, 1699 OCI_PROCESS_TERMINAL, 1700 OCI_PROCESS_USER, 1701 __OCI_PROCESS_MAX, 1702 }; 1703 1704 static const struct blobmsg_policy oci_process_policy[] = { 1705 [OCI_PROCESS_ARGS] = { "args", BLOBMSG_TYPE_ARRAY }, 1706 [OCI_PROCESS_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_TABLE }, 1707 [OCI_PROCESS_CWD] = { "cwd", BLOBMSG_TYPE_STRING }, 1708 [OCI_PROCESS_ENV] = { "env", BLOBMSG_TYPE_ARRAY }, 1709 [OCI_PROCESS_OOMSCOREADJ] = { "oomScoreAdj", BLOBMSG_TYPE_INT32 }, 1710 [OCI_PROCESS_NONEWPRIVILEGES] = { "noNewPrivileges", BLOBMSG_TYPE_BOOL }, 1711 [OCI_PROCESS_RLIMITS] = { "rlimits", BLOBMSG_TYPE_ARRAY }, 1712 [OCI_PROCESS_TERMINAL] = { "terminal", BLOBMSG_TYPE_BOOL }, 1713 [OCI_PROCESS_USER] = { "user", BLOBMSG_TYPE_TABLE }, 1714 }; 1715 1716 1717 static int parseOCIprocess(struct blob_attr *msg) 1718 { 1719 struct blob_attr *tb[__OCI_PROCESS_MAX], *cur; 1720 int rem, res; 1721 1722 blobmsg_parse(oci_process_policy, __OCI_PROCESS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1723 1724 if (!tb[OCI_PROCESS_ARGS]) 1725 return ENOENT; 1726 1727 res = parseOCIenvarray(tb[OCI_PROCESS_ARGS], &opts.jail_argv); 1728 if (res) 1729 return res; 1730 1731 if (tb[OCI_PROCESS_TERMINAL]) 1732 opts.console = blobmsg_get_bool(tb[OCI_PROCESS_TERMINAL]); 1733 1734 if (tb[OCI_PROCESS_NONEWPRIVILEGES]) 1735 opts.no_new_privs = blobmsg_get_bool(tb[OCI_PROCESS_NONEWPRIVILEGES]); 1736 1737 if (tb[OCI_PROCESS_CWD]) 1738 opts.cwd = strdup(blobmsg_get_string(tb[OCI_PROCESS_CWD])); 1739 1740 if (tb[OCI_PROCESS_ENV]) { 1741 res = parseOCIenvarray(tb[OCI_PROCESS_ENV], &opts.envp); 1742 if (res) 1743 return res; 1744 } 1745 1746 if (tb[OCI_PROCESS_USER] && (res = parseOCIprocessuser(tb[OCI_PROCESS_USER]))) 1747 return res; 1748 1749 if (tb[OCI_PROCESS_CAPABILITIES] && 1750 (res = parseOCIcapabilities(&opts.capset, tb[OCI_PROCESS_CAPABILITIES]))) 1751 return res; 1752 1753 if (tb[OCI_PROCESS_RLIMITS]) { 1754 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_RLIMITS], rem) { 1755 res = parseOCIrlimit(cur); 1756 if (res) 1757 return res; 1758 } 1759 } 1760 1761 if (tb[OCI_PROCESS_OOMSCOREADJ]) { 1762 opts.oom_score_adj = blobmsg_get_u32(tb[OCI_PROCESS_OOMSCOREADJ]); 1763 opts.set_oom_score_adj = true; 1764 } 1765 1766 return 0; 1767 } 1768 1769 enum { 1770 OCI_LINUX_NAMESPACE_TYPE, 1771 OCI_LINUX_NAMESPACE_PATH, 1772 __OCI_LINUX_NAMESPACE_MAX, 1773 }; 1774 1775 static const struct blobmsg_policy oci_linux_namespace_policy[] = { 1776 [OCI_LINUX_NAMESPACE_TYPE] = { "type", BLOBMSG_TYPE_STRING }, 1777 [OCI_LINUX_NAMESPACE_PATH] = { "path", BLOBMSG_TYPE_STRING }, 1778 }; 1779 1780 static int resolve_nstype(char *type) { 1781 if (!strcmp("pid", type)) 1782 return CLONE_NEWPID; 1783 else if (!strcmp("network", type)) 1784 return CLONE_NEWNET; 1785 else if (!strcmp("net", type)) 1786 return CLONE_NEWNET; 1787 else if (!strcmp("mount", type)) 1788 return CLONE_NEWNS; 1789 else if (!strcmp("ipc", type)) 1790 return CLONE_NEWIPC; 1791 else if (!strcmp("uts", type)) 1792 return CLONE_NEWUTS; 1793 else if (!strcmp("user", type)) 1794 return CLONE_NEWUSER; 1795 else if (!strcmp("cgroup", type)) 1796 return CLONE_NEWCGROUP; 1797 #ifdef CLONE_NEWTIME 1798 else if (!strcmp("time", type)) 1799 return CLONE_NEWTIME; 1800 #endif 1801 else 1802 return 0; 1803 } 1804 1805 static int parseOCIlinuxns(struct blob_attr *msg) 1806 { 1807 struct blob_attr *tb[__OCI_LINUX_NAMESPACE_MAX]; 1808 int nstype; 1809 int *setns; 1810 int fd; 1811 1812 blobmsg_parse(oci_linux_namespace_policy, __OCI_LINUX_NAMESPACE_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1813 1814 if (!tb[OCI_LINUX_NAMESPACE_TYPE]) 1815 return EINVAL; 1816 1817 nstype = resolve_nstype(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE])); 1818 if (!nstype) 1819 return EINVAL; 1820 1821 if (opts.namespace & nstype) 1822 return ENOTUNIQ; 1823 1824 setns = get_namespace_fd(nstype); 1825 1826 if (!setns) 1827 return EFAULT; 1828 1829 if (*setns != -1) 1830 return ENOTUNIQ; 1831 1832 if (tb[OCI_LINUX_NAMESPACE_PATH]) { 1833 DEBUG("opening existing %s namespace from path %s\n", 1834 blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]), 1835 blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH])); 1836 1837 fd = open(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH]), O_RDONLY); 1838 if (fd < 0) 1839 return errno?:ESTALE; 1840 1841 if (ioctl(fd, NS_GET_NSTYPE) != nstype) { 1842 close(fd); 1843 return EINVAL; 1844 } 1845 1846 DEBUG("opened existing %s namespace got filehandler %u\n", 1847 blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]), 1848 fd); 1849 1850 *setns = fd; 1851 } else { 1852 opts.namespace |= nstype; 1853 } 1854 1855 return 0; 1856 } 1857 1858 /* 1859 * join namespace of existing PID 1860 * The string argument is the reference PID followed by ':' and a 1861 * ',' separated list of namespaces to to join. 1862 */ 1863 static int jail_join_ns(char *arg) 1864 { 1865 pid_t pid; 1866 int fd; 1867 int nstype; 1868 char *tmp, *etmp, *nspath; 1869 int *setns; 1870 1871 tmp = strchr(arg, ':'); 1872 if (!tmp) 1873 return EINVAL; 1874 1875 *tmp = '\0'; 1876 pid = atoi(arg); 1877 1878 do { 1879 ++tmp; 1880 etmp = strchr(tmp, ','); 1881 if (etmp) 1882 *etmp = '\0'; 1883 1884 nstype = resolve_nstype(tmp); 1885 if (!nstype) 1886 return EINVAL; 1887 1888 if (opts.namespace & nstype) 1889 return ENOTUNIQ; 1890 1891 setns = get_namespace_fd(nstype); 1892 1893 if (!setns) 1894 return EFAULT; 1895 1896 if (*setns != -1) 1897 return ENOTUNIQ; 1898 1899 if (asprintf(&nspath, "/proc/%d/ns/%s", pid, tmp) < 0) 1900 return ENOMEM; 1901 1902 fd = open(nspath, O_RDONLY); 1903 free(nspath); 1904 1905 if (fd < 0) 1906 return errno?:ESTALE; 1907 1908 *setns = fd; 1909 1910 if (etmp) 1911 tmp = etmp; 1912 else 1913 tmp = NULL; 1914 } while (tmp); 1915 1916 return 0; 1917 } 1918 1919 static void get_jail_root_user(bool is_gidmap, uint32_t container_id, uint32_t host_id, uint32_t size) 1920 { 1921 if (container_id == 0 && size >= 1) 1922 if (!is_gidmap) 1923 opts.root_map_uid = host_id; 1924 } 1925 1926 enum { 1927 OCI_LINUX_UIDGIDMAP_CONTAINERID, 1928 OCI_LINUX_UIDGIDMAP_HOSTID, 1929 OCI_LINUX_UIDGIDMAP_SIZE, 1930 __OCI_LINUX_UIDGIDMAP_MAX, 1931 }; 1932 1933 static const struct blobmsg_policy oci_linux_uidgidmap_policy[] = { 1934 [OCI_LINUX_UIDGIDMAP_CONTAINERID] = { "containerID", BLOBMSG_TYPE_INT32 }, 1935 [OCI_LINUX_UIDGIDMAP_HOSTID] = { "hostID", BLOBMSG_TYPE_INT32 }, 1936 [OCI_LINUX_UIDGIDMAP_SIZE] = { "size", BLOBMSG_TYPE_INT32 }, 1937 }; 1938 1939 static int parseOCIuidgidmappings(struct blob_attr *msg, bool is_gidmap) 1940 { 1941 struct blob_attr *tb[__OCI_LINUX_UIDGIDMAP_MAX]; 1942 struct blob_attr *cur; 1943 int rem; 1944 char *map; 1945 size_t len, pos, totallen = 0; 1946 1947 blobmsg_for_each_attr(cur, msg, rem) { 1948 blobmsg_parse(oci_linux_uidgidmap_policy, __OCI_LINUX_UIDGIDMAP_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 1949 1950 if (!tb[OCI_LINUX_UIDGIDMAP_CONTAINERID] || 1951 !tb[OCI_LINUX_UIDGIDMAP_HOSTID] || 1952 !tb[OCI_LINUX_UIDGIDMAP_SIZE]) 1953 return EINVAL; 1954 1955 /* count length */ 1956 totallen += snprintf(NULL, 0, "%d %d %d\n", 1957 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]), 1958 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]), 1959 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE])); 1960 } 1961 1962 /* allocate combined mapping string */ 1963 map = malloc(totallen + 1); 1964 if (!map) 1965 return ENOMEM; 1966 1967 pos = 0; 1968 blobmsg_for_each_attr(cur, msg, rem) { 1969 blobmsg_parse(oci_linux_uidgidmap_policy, __OCI_LINUX_UIDGIDMAP_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 1970 1971 get_jail_root_user(is_gidmap, blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]), 1972 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]), 1973 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE])); 1974 1975 /* write mapping line into pre-allocated string */ 1976 len = snprintf(&map[pos], totallen + 1, "%d %d %d\n", 1977 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]), 1978 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]), 1979 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE])); 1980 pos += len; 1981 totallen -= len; 1982 } 1983 1984 assert(totallen == 0); 1985 1986 if (is_gidmap) 1987 opts.gidmap = map; 1988 else 1989 opts.uidmap = map; 1990 1991 return 0; 1992 } 1993 1994 enum { 1995 OCI_DEVICES_TYPE, 1996 OCI_DEVICES_PATH, 1997 OCI_DEVICES_MAJOR, 1998 OCI_DEVICES_MINOR, 1999 OCI_DEVICES_FILEMODE, 2000 OCI_DEVICES_UID, 2001 OCI_DEVICES_GID, 2002 __OCI_DEVICES_MAX, 2003 }; 2004 2005 static const struct blobmsg_policy oci_devices_policy[] = { 2006 [OCI_DEVICES_TYPE] = { "type", BLOBMSG_TYPE_STRING }, 2007 [OCI_DEVICES_PATH] = { "path", BLOBMSG_TYPE_STRING }, 2008 [OCI_DEVICES_MAJOR] = { "major", BLOBMSG_TYPE_INT32 }, 2009 [OCI_DEVICES_MINOR] = { "minor", BLOBMSG_TYPE_INT32 }, 2010 [OCI_DEVICES_FILEMODE] = { "fileMode", BLOBMSG_TYPE_INT32 }, 2011 [OCI_DEVICES_UID] = { "uid", BLOBMSG_TYPE_INT32 }, 2012 [OCI_DEVICES_GID] = { "uid", BLOBMSG_TYPE_INT32 }, 2013 }; 2014 2015 static mode_t resolve_devtype(char *tstr) 2016 { 2017 if (!strcmp("c", tstr) || 2018 !strcmp("u", tstr)) 2019 return S_IFCHR; 2020 else if (!strcmp("b", tstr)) 2021 return S_IFBLK; 2022 else if (!strcmp("p", tstr)) 2023 return S_IFIFO; 2024 else 2025 return 0; 2026 } 2027 2028 static int parseOCIdevices(struct blob_attr *msg) 2029 { 2030 struct blob_attr *tb[__OCI_DEVICES_MAX]; 2031 struct blob_attr *cur; 2032 int rem; 2033 size_t cnt = 0; 2034 struct mknod_args *tmp; 2035 2036 blobmsg_for_each_attr(cur, msg, rem) 2037 ++cnt; 2038 2039 opts.devices = calloc(cnt + 1, sizeof(struct mknod_args *)); 2040 2041 cnt = 0; 2042 blobmsg_for_each_attr(cur, msg, rem) { 2043 blobmsg_parse(oci_devices_policy, __OCI_DEVICES_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 2044 if (!tb[OCI_DEVICES_TYPE] || 2045 !tb[OCI_DEVICES_PATH]) 2046 return ENODATA; 2047 2048 tmp = calloc(1, sizeof(struct mknod_args)); 2049 if (!tmp) 2050 return ENOMEM; 2051 2052 tmp->mode = resolve_devtype(blobmsg_get_string(tb[OCI_DEVICES_TYPE])); 2053 if (!tmp->mode) { 2054 free(tmp); 2055 return EINVAL; 2056 } 2057 2058 if (tmp->mode != S_IFIFO) { 2059 if (!tb[OCI_DEVICES_MAJOR] || !tb[OCI_DEVICES_MINOR]) { 2060 free(tmp); 2061 return ENODATA; 2062 } 2063 2064 tmp->dev = makedev(blobmsg_get_u32(tb[OCI_DEVICES_MAJOR]), 2065 blobmsg_get_u32(tb[OCI_DEVICES_MINOR])); 2066 } 2067 2068 if (tb[OCI_DEVICES_FILEMODE]) { 2069 if (~(S_IRWXU|S_IRWXG|S_IRWXO) & blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE])) { 2070 free(tmp); 2071 return EINVAL; 2072 } 2073 2074 tmp->mode |= blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE]); 2075 } else { 2076 tmp->mode |= (S_IRUSR|S_IWUSR); /* 0600 */ 2077 } 2078 2079 tmp->path = strdup(blobmsg_get_string(tb[OCI_DEVICES_PATH])); 2080 2081 if (tb[OCI_DEVICES_UID]) 2082 tmp->uid = blobmsg_get_u32(tb[OCI_DEVICES_UID]); 2083 else 2084 tmp->uid = -1; 2085 2086 if (tb[OCI_DEVICES_GID]) 2087 tmp->gid = blobmsg_get_u32(tb[OCI_DEVICES_GID]); 2088 else 2089 tmp->gid = -1; 2090 2091 DEBUG("read device %s (%s)\n", blobmsg_get_string(tb[OCI_DEVICES_PATH]), blobmsg_get_string(tb[OCI_DEVICES_TYPE])); 2092 opts.devices[cnt++] = tmp; 2093 } 2094 2095 opts.devices[cnt] = NULL; 2096 2097 return 0; 2098 } 2099 2100 static int parseOCIsysctl(struct blob_attr *msg) 2101 { 2102 struct blob_attr *cur; 2103 int rem; 2104 char *tmp, *tc; 2105 size_t cnt = 0; 2106 2107 blobmsg_for_each_attr(cur, msg, rem) { 2108 if (!blobmsg_name(cur) || !blobmsg_get_string(cur)) 2109 return EINVAL; 2110 2111 ++cnt; 2112 } 2113 2114 if (!cnt) 2115 return 0; 2116 2117 opts.sysctl = calloc(cnt + 1, sizeof(struct sysctl_val *)); 2118 if (!opts.sysctl) 2119 return ENOMEM; 2120 2121 cnt = 0; 2122 blobmsg_for_each_attr(cur, msg, rem) { 2123 opts.sysctl[cnt] = malloc(sizeof(struct sysctl_val)); 2124 if (!opts.sysctl[cnt]) 2125 return ENOMEM; 2126 2127 /* replace '.' with '/' in entry name */ 2128 tc = tmp = strdup(blobmsg_name(cur)); 2129 while ((tc = strchr(tc, '.'))) 2130 *tc = '/'; 2131 2132 opts.sysctl[cnt]->value = strdup(blobmsg_get_string(cur)); 2133 opts.sysctl[cnt]->entry = tmp; 2134 2135 ++cnt; 2136 } 2137 2138 opts.sysctl[cnt] = NULL; 2139 2140 return 0; 2141 } 2142 2143 2144 enum { 2145 OCI_LINUX_CGROUPSPATH, 2146 OCI_LINUX_RESOURCES, 2147 OCI_LINUX_SECCOMP, 2148 OCI_LINUX_SYSCTL, 2149 OCI_LINUX_NAMESPACES, 2150 OCI_LINUX_DEVICES, 2151 OCI_LINUX_UIDMAPPINGS, 2152 OCI_LINUX_GIDMAPPINGS, 2153 OCI_LINUX_MASKEDPATHS, 2154 OCI_LINUX_READONLYPATHS, 2155 OCI_LINUX_ROOTFSPROPAGATION, 2156 __OCI_LINUX_MAX, 2157 }; 2158 2159 static const struct blobmsg_policy oci_linux_policy[] = { 2160 [OCI_LINUX_CGROUPSPATH] = { "cgroupsPath", BLOBMSG_TYPE_STRING }, 2161 [OCI_LINUX_RESOURCES] = { "resources", BLOBMSG_TYPE_TABLE }, 2162 [OCI_LINUX_SECCOMP] = { "seccomp", BLOBMSG_TYPE_TABLE }, 2163 [OCI_LINUX_SYSCTL] = { "sysctl", BLOBMSG_TYPE_TABLE }, 2164 [OCI_LINUX_NAMESPACES] = { "namespaces", BLOBMSG_TYPE_ARRAY }, 2165 [OCI_LINUX_DEVICES] = { "devices", BLOBMSG_TYPE_ARRAY }, 2166 [OCI_LINUX_UIDMAPPINGS] = { "uidMappings", BLOBMSG_TYPE_ARRAY }, 2167 [OCI_LINUX_GIDMAPPINGS] = { "gidMappings", BLOBMSG_TYPE_ARRAY }, 2168 [OCI_LINUX_MASKEDPATHS] = { "maskedPaths", BLOBMSG_TYPE_ARRAY }, 2169 [OCI_LINUX_READONLYPATHS] = { "readonlyPaths", BLOBMSG_TYPE_ARRAY }, 2170 [OCI_LINUX_ROOTFSPROPAGATION] = { "rootfsPropagation", BLOBMSG_TYPE_STRING }, 2171 }; 2172 2173 static int parseOCIlinux(struct blob_attr *msg) 2174 { 2175 struct blob_attr *tb[__OCI_LINUX_MAX]; 2176 struct blob_attr *cur; 2177 int rem; 2178 int res = 0; 2179 char *cgpath; 2180 char cgfullpath[256] = "/sys/fs/cgroup"; 2181 2182 blobmsg_parse(oci_linux_policy, __OCI_LINUX_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 2183 2184 if (tb[OCI_LINUX_NAMESPACES]) { 2185 blobmsg_for_each_attr(cur, tb[OCI_LINUX_NAMESPACES], rem) { 2186 res = parseOCIlinuxns(cur); 2187 if (res) 2188 return res; 2189 } 2190 } 2191 2192 if (tb[OCI_LINUX_UIDMAPPINGS]) { 2193 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 0); 2194 if (res) 2195 return res; 2196 } 2197 2198 if (tb[OCI_LINUX_GIDMAPPINGS]) { 2199 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 1); 2200 if (res) 2201 return res; 2202 } 2203 2204 if (tb[OCI_LINUX_READONLYPATHS]) { 2205 blobmsg_for_each_attr(cur, tb[OCI_LINUX_READONLYPATHS], rem) { 2206 res = add_mount(NULL, blobmsg_get_string(cur), NULL, MS_BIND | MS_REC | MS_RDONLY, 0, NULL, 0); 2207 if (res) 2208 return res; 2209 } 2210 } 2211 2212 if (tb[OCI_LINUX_MASKEDPATHS]) { 2213 blobmsg_for_each_attr(cur, tb[OCI_LINUX_MASKEDPATHS], rem) { 2214 res = add_mount((void *)(-1), blobmsg_get_string(cur), NULL, 0, 0, NULL, 0); 2215 if (res) 2216 return res; 2217 } 2218 } 2219 2220 if (tb[OCI_LINUX_SYSCTL]) { 2221 res = parseOCIsysctl(tb[OCI_LINUX_SYSCTL]); 2222 if (res) 2223 return res; 2224 } 2225 2226 if (tb[OCI_LINUX_SECCOMP]) { 2227 opts.ociseccomp = parseOCIlinuxseccomp(tb[OCI_LINUX_SECCOMP]); 2228 if (!opts.ociseccomp) 2229 return EINVAL; 2230 } 2231 2232 if (tb[OCI_LINUX_DEVICES]) { 2233 res = parseOCIdevices(tb[OCI_LINUX_DEVICES]); 2234 if (res) 2235 return res; 2236 } 2237 2238 if (tb[OCI_LINUX_CGROUPSPATH]) { 2239 cgpath = blobmsg_get_string(tb[OCI_LINUX_CGROUPSPATH]); 2240 if (cgpath[0] == '/') { 2241 if (strlen(cgpath) + 1 >= (sizeof(cgfullpath) - strlen(cgfullpath))) 2242 return E2BIG; 2243 2244 strcat(cgfullpath, cgpath); 2245 } else { 2246 strcat(cgfullpath, "/containers/"); 2247 if (strlen(opts.name) + strlen(cgpath) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath))) 2248 return E2BIG; 2249 2250 strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ 2251 strcat(cgfullpath, "/"); 2252 strcat(cgfullpath, cgpath); 2253 } 2254 } else { 2255 strcat(cgfullpath, "/containers/"); 2256 if (2 * strlen(opts.name) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath))) 2257 return E2BIG; 2258 2259 strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ 2260 strcat(cgfullpath, "/"); 2261 strcat(cgfullpath, opts.name); /* should be container instance name rather than jail name */ 2262 } 2263 2264 cgroups_init(cgfullpath); 2265 2266 if (tb[OCI_LINUX_RESOURCES]) { 2267 res = parseOCIlinuxcgroups(tb[OCI_LINUX_RESOURCES]); 2268 if (res) 2269 return res; 2270 } 2271 2272 return 0; 2273 } 2274 2275 enum { 2276 OCI_VERSION, 2277 OCI_HOSTNAME, 2278 OCI_PROCESS, 2279 OCI_ROOT, 2280 OCI_MOUNTS, 2281 OCI_HOOKS, 2282 OCI_LINUX, 2283 OCI_ANNOTATIONS, 2284 __OCI_MAX, 2285 }; 2286 2287 static const struct blobmsg_policy oci_policy[] = { 2288 [OCI_VERSION] = { "ociVersion", BLOBMSG_TYPE_STRING }, 2289 [OCI_HOSTNAME] = { "hostname", BLOBMSG_TYPE_STRING }, 2290 [OCI_PROCESS] = { "process", BLOBMSG_TYPE_TABLE }, 2291 [OCI_ROOT] = { "root", BLOBMSG_TYPE_TABLE }, 2292 [OCI_MOUNTS] = { "mounts", BLOBMSG_TYPE_ARRAY }, 2293 [OCI_HOOKS] = { "hooks", BLOBMSG_TYPE_TABLE }, 2294 [OCI_LINUX] = { "linux", BLOBMSG_TYPE_TABLE }, 2295 [OCI_ANNOTATIONS] = { "annotations", BLOBMSG_TYPE_TABLE }, 2296 }; 2297 2298 static int parseOCI(const char *jsonfile) 2299 { 2300 struct blob_attr *tb[__OCI_MAX]; 2301 struct blob_attr *cur; 2302 int rem; 2303 int res; 2304 2305 blob_buf_init(&ocibuf, 0); 2306 2307 if (!blobmsg_add_json_from_file(&ocibuf, jsonfile)) { 2308 res=ENOENT; 2309 goto errout; 2310 } 2311 2312 blobmsg_parse(oci_policy, __OCI_MAX, tb, blob_data(ocibuf.head), blob_len(ocibuf.head)); 2313 2314 if (!tb[OCI_VERSION]) { 2315 res=ENOMSG; 2316 goto errout; 2317 } 2318 2319 if (strncmp("1.0", blobmsg_get_string(tb[OCI_VERSION]), 3)) { 2320 ERROR("unsupported ociVersion %s\n", blobmsg_get_string(tb[OCI_VERSION])); 2321 res=ENOTSUP; 2322 goto errout; 2323 } 2324 2325 if (tb[OCI_HOSTNAME]) 2326 opts.hostname = strdup(blobmsg_get_string(tb[OCI_HOSTNAME])); 2327 2328 if (!tb[OCI_PROCESS]) { 2329 res=ENODATA; 2330 goto errout; 2331 } 2332 2333 if ((res = parseOCIprocess(tb[OCI_PROCESS]))) 2334 goto errout; 2335 2336 if (!tb[OCI_ROOT]) { 2337 res=ENODATA; 2338 goto errout; 2339 } 2340 if ((res = parseOCIroot(jsonfile, tb[OCI_ROOT]))) 2341 goto errout; 2342 2343 if (!tb[OCI_MOUNTS]) { 2344 res=ENODATA; 2345 goto errout; 2346 } 2347 2348 blobmsg_for_each_attr(cur, tb[OCI_MOUNTS], rem) 2349 if ((res = parseOCImount(cur))) 2350 goto errout; 2351 2352 if (tb[OCI_LINUX] && (res = parseOCIlinux(tb[OCI_LINUX]))) 2353 goto errout; 2354 2355 if (tb[OCI_HOOKS] && (res = parseOCIhooks(tb[OCI_HOOKS]))) 2356 goto errout; 2357 2358 if (tb[OCI_ANNOTATIONS]) 2359 opts.annotations = blob_memdup(tb[OCI_ANNOTATIONS]); 2360 2361 errout: 2362 blob_buf_free(&ocibuf); 2363 2364 return res; 2365 } 2366 2367 static int set_oom_score_adj(void) 2368 { 2369 int f; 2370 char fname[32]; 2371 2372 if (!opts.set_oom_score_adj) 2373 return 0; 2374 2375 snprintf(fname, sizeof(fname), "/proc/%u/oom_score_adj", jail_process.pid); 2376 f = open(fname, O_WRONLY | O_TRUNC); 2377 if (f < 0) 2378 return errno; 2379 2380 dprintf(f, "%d", opts.oom_score_adj); 2381 close(f); 2382 2383 return 0; 2384 } 2385 2386 2387 enum { 2388 OCI_STATE_CREATING, 2389 OCI_STATE_CREATED, 2390 OCI_STATE_RUNNING, 2391 OCI_STATE_STOPPED, 2392 }; 2393 2394 static int jail_oci_state = OCI_STATE_CREATED; 2395 static void pipe_send_start_container(struct uloop_timeout *t); 2396 static struct uloop_timeout start_container_timeout = { 2397 .cb = pipe_send_start_container, 2398 }; 2399 2400 static int handle_start(struct ubus_context *ctx, struct ubus_object *obj, 2401 struct ubus_request_data *req, const char *method, 2402 struct blob_attr *msg) 2403 { 2404 if (jail_oci_state != OCI_STATE_CREATED) 2405 return UBUS_STATUS_INVALID_ARGUMENT; 2406 2407 uloop_timeout_add(&start_container_timeout); 2408 2409 return UBUS_STATUS_OK; 2410 } 2411 2412 static struct blob_buf bb; 2413 static int handle_state(struct ubus_context *ctx, struct ubus_object *obj, 2414 struct ubus_request_data *req, const char *method, 2415 struct blob_attr *msg) 2416 { 2417 char *statusstr; 2418 2419 switch (jail_oci_state) { 2420 case OCI_STATE_CREATING: 2421 statusstr = "creating"; 2422 break; 2423 case OCI_STATE_CREATED: 2424 statusstr = "created"; 2425 break; 2426 case OCI_STATE_RUNNING: 2427 statusstr = "running"; 2428 break; 2429 case OCI_STATE_STOPPED: 2430 statusstr = "stopped"; 2431 break; 2432 default: 2433 statusstr = "unknown"; 2434 } 2435 2436 blob_buf_init(&bb, 0); 2437 blobmsg_add_string(&bb, "ociVersion", OCI_VERSION_STRING); 2438 blobmsg_add_string(&bb, "id", opts.name); 2439 blobmsg_add_string(&bb, "status", statusstr); 2440 if (jail_oci_state == OCI_STATE_CREATED || 2441 jail_oci_state == OCI_STATE_RUNNING) 2442 blobmsg_add_u32(&bb, "pid", jail_process.pid); 2443 2444 blobmsg_add_string(&bb, "bundle", opts.ocibundle); 2445 2446 if (opts.annotations) 2447 blobmsg_add_blob(&bb, opts.annotations); 2448 2449 ubus_send_reply(ctx, req, bb.head); 2450 2451 return UBUS_STATUS_OK; 2452 } 2453 2454 enum { 2455 CONTAINER_KILL_ATTR_SIGNAL, 2456 __CONTAINER_KILL_ATTR_MAX, 2457 }; 2458 2459 static const struct blobmsg_policy container_kill_attrs[__CONTAINER_KILL_ATTR_MAX] = { 2460 [CONTAINER_KILL_ATTR_SIGNAL] = { "signal", BLOBMSG_TYPE_INT32 }, 2461 }; 2462 2463 static int 2464 container_handle_kill(struct ubus_context *ctx, struct ubus_object *obj, 2465 struct ubus_request_data *req, const char *method, 2466 struct blob_attr *msg) 2467 { 2468 struct blob_attr *tb[__CONTAINER_KILL_ATTR_MAX], *cur; 2469 int sig = SIGTERM; 2470 2471 blobmsg_parse(container_kill_attrs, __CONTAINER_KILL_ATTR_MAX, tb, blobmsg_data(msg), blobmsg_data_len(msg)); 2472 2473 cur = tb[CONTAINER_KILL_ATTR_SIGNAL]; 2474 if (cur) 2475 sig = blobmsg_get_u32(cur); 2476 2477 if (jail_oci_state == OCI_STATE_CREATING) 2478 return UBUS_STATUS_NOT_FOUND; 2479 2480 if (kill(jail_process.pid, sig) == 0) 2481 return 0; 2482 2483 switch (errno) { 2484 case EINVAL: return UBUS_STATUS_INVALID_ARGUMENT; 2485 case EPERM: return UBUS_STATUS_PERMISSION_DENIED; 2486 case ESRCH: return UBUS_STATUS_NOT_FOUND; 2487 } 2488 2489 return UBUS_STATUS_UNKNOWN_ERROR; 2490 } 2491 2492 static int 2493 jail_writepid(pid_t pid) 2494 { 2495 FILE *_pidfile; 2496 2497 if (!opts.pidfile) 2498 return 0; 2499 2500 _pidfile = fopen(opts.pidfile, "w"); 2501 if (_pidfile == NULL) 2502 return errno; 2503 2504 if (fprintf(_pidfile, "%d\n", pid) < 0) { 2505 fclose(_pidfile); 2506 return errno; 2507 } 2508 2509 if (fclose(_pidfile)) 2510 return errno; 2511 2512 return 0; 2513 } 2514 2515 static int checkpath(const char *path) 2516 { 2517 int dirfd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC); 2518 if (dirfd < 0) { 2519 ERROR("path %s open failed %m\n", path); 2520 return -1; 2521 } 2522 close(dirfd); 2523 2524 return 0; 2525 } 2526 2527 static struct ubus_method container_methods[] = { 2528 UBUS_METHOD_NOARG("start", handle_start), 2529 UBUS_METHOD_NOARG("state", handle_state), 2530 UBUS_METHOD("kill", container_handle_kill, container_kill_attrs), 2531 }; 2532 2533 static struct ubus_object_type container_object_type = 2534 UBUS_OBJECT_TYPE("container", container_methods); 2535 2536 static struct ubus_object container_object = { 2537 .type = &container_object_type, 2538 .methods = container_methods, 2539 .n_methods = ARRAY_SIZE(container_methods), 2540 }; 2541 2542 static void post_main(struct uloop_timeout *t); 2543 static struct uloop_timeout post_main_timeout = { 2544 .cb = post_main, 2545 }; 2546 static int netns_fd; 2547 static int pidns_fd; 2548 #ifdef CLONE_NEWTIME 2549 static int timens_fd; 2550 #endif 2551 static void post_create_runtime(void); 2552 2553 struct env_e { 2554 struct list_head list; 2555 char *envarg; 2556 }; 2557 2558 int main(int argc, char **argv) 2559 { 2560 uid_t uid = getuid(); 2561 const char log[] = "/dev/log"; 2562 const char ubus[] = "/var/run/ubus/ubus.sock"; 2563 int ret = EXIT_FAILURE; 2564 int ch; 2565 char *tmp; 2566 struct list_head envl = LIST_HEAD_INIT(envl); 2567 struct env_e *enve, *tmpenve; 2568 unsigned short int envn = 0, envc = 0; 2569 2570 if (uid) { 2571 ERROR("not root, aborting: %m\n"); 2572 return EXIT_FAILURE; 2573 } 2574 2575 /* those are filehandlers, so -1 indicates unused */ 2576 opts.setns.pid = -1; 2577 opts.setns.net = -1; 2578 opts.setns.ns = -1; 2579 opts.setns.ipc = -1; 2580 opts.setns.uts = -1; 2581 opts.setns.user = -1; 2582 opts.setns.cgroup = -1; 2583 #ifdef CLONE_NEWTIME 2584 opts.setns.time = -1; 2585 #endif 2586 2587 /* default 5 seconds timeout after SIGTERM before SIGKILL is sent */ 2588 opts.term_timeout = 5; 2589 2590 umask(022); 2591 mount_list_init(); 2592 init_library_search(); 2593 cgroups_prepare(); 2594 exit_from_child = false; 2595 2596 while ((ch = getopt(argc, argv, OPT_ARGS)) != -1) { 2597 switch (ch) { 2598 case 'd': 2599 debug = atoi(optarg); 2600 break; 2601 case 'e': 2602 enve = calloc(1, sizeof(*enve)); 2603 enve->envarg = optarg; 2604 list_add_tail(&enve->list, &envl); 2605 break; 2606 case 'p': 2607 opts.namespace |= CLONE_NEWNS; 2608 opts.procfs = 1; 2609 break; 2610 case 'o': 2611 opts.namespace |= CLONE_NEWNS; 2612 opts.ronly = 1; 2613 break; 2614 case 'f': 2615 opts.namespace |= CLONE_NEWUSER; 2616 break; 2617 case 'F': 2618 opts.namespace |= CLONE_NEWCGROUP; 2619 break; 2620 case 'R': 2621 opts.extroot = realpath(optarg, NULL); 2622 break; 2623 case 's': 2624 opts.namespace |= CLONE_NEWNS; 2625 opts.sysfs = 1; 2626 break; 2627 case 'S': 2628 opts.seccomp = optarg; 2629 add_mount_bind(optarg, 1, -1); 2630 break; 2631 case 'C': 2632 opts.capabilities = optarg; 2633 break; 2634 case 'c': 2635 opts.no_new_privs = 1; 2636 break; 2637 case 'n': 2638 opts.name = optarg; 2639 break; 2640 case 'N': 2641 opts.namespace |= CLONE_NEWNET; 2642 break; 2643 case 'h': 2644 opts.namespace |= CLONE_NEWUTS; 2645 opts.hostname = strdup(optarg); 2646 break; 2647 case 'j': 2648 jail_join_ns(optarg); 2649 break; 2650 case 'r': 2651 opts.namespace |= CLONE_NEWNS; 2652 tmp = strchr(optarg, ':'); 2653 if (tmp) { 2654 *(tmp++) = '\0'; 2655 add_2paths_and_deps(optarg, tmp, 1, 0, 0); 2656 } else { 2657 add_path_and_deps(optarg, 1, 0, 0); 2658 } 2659 break; 2660 case 'w': 2661 opts.namespace |= CLONE_NEWNS; 2662 tmp = strchr(optarg, ':'); 2663 if (tmp) { 2664 *(tmp++) = '\0'; 2665 add_2paths_and_deps(optarg, tmp, 0, 0, 0); 2666 } else { 2667 add_path_and_deps(optarg, 0, 0, 0); 2668 } 2669 break; 2670 case 'u': 2671 opts.namespace |= CLONE_NEWNS; 2672 add_mount_bind(ubus, 0, -1); 2673 break; 2674 case 'l': 2675 opts.namespace |= CLONE_NEWNS; 2676 add_mount_bind(log, 0, -1); 2677 break; 2678 case 'U': 2679 opts.user = optarg; 2680 break; 2681 case 'G': 2682 opts.group = optarg; 2683 break; 2684 case 'O': 2685 opts.overlaydir = realpath(optarg, NULL); 2686 break; 2687 case 't': 2688 opts.term_timeout = atoi(optarg); 2689 break; 2690 case 'T': 2691 opts.tmpoverlaysize = optarg; 2692 break; 2693 case 'E': 2694 opts.require_jail = 1; 2695 break; 2696 case 'y': 2697 opts.console = 1; 2698 break; 2699 case 'J': 2700 opts.ocibundle = optarg; 2701 break; 2702 case 'i': 2703 opts.immediately = true; 2704 break; 2705 case 'P': 2706 opts.pidfile = optarg; 2707 break; 2708 } 2709 } 2710 2711 if (opts.namespace && !opts.ocibundle) 2712 opts.namespace |= CLONE_NEWIPC | CLONE_NEWPID; 2713 2714 /* 2715 * env import from cmdline is not available for OCI containers 2716 */ 2717 if (opts.ocibundle && !list_empty(&envl)) { 2718 ret=-ENOTSUP; 2719 goto errout; 2720 } 2721 2722 /* 2723 * prepare list of env variables to import for slim containers 2724 */ 2725 if (!list_empty(&envl)) { 2726 list_for_each_entry(enve, &envl, list) 2727 ++envn; 2728 2729 opts.envp = calloc(1 + envn, sizeof(char*)); 2730 list_for_each_entry_safe(enve, tmpenve, &envl, list) { 2731 tmp = getenv(enve->envarg); 2732 if (tmp) 2733 asprintf(&opts.envp[envc++], "%s=%s", enve->envarg, tmp); 2734 2735 list_del(&enve->list); 2736 free(enve); 2737 } 2738 2739 opts.envp[envc] = NULL; 2740 } 2741 2742 /* 2743 * uid in parent user namespace representing root user in new 2744 * user namespace, defaults to nobody unless specified in uidMappings 2745 */ 2746 opts.root_map_uid = 65534; 2747 2748 if (opts.capabilities && parseOCIcapabilities_from_file(&opts.capset, opts.capabilities)) { 2749 ERROR("failed to read capabilities from file %s\n", opts.capabilities); 2750 ret=-1; 2751 goto errout; 2752 } 2753 2754 if (opts.ocibundle) { 2755 char *jsonfile; 2756 int ocires; 2757 2758 if (!opts.name) { 2759 ERROR("OCI bundle needs a named jail\n"); 2760 ret=-1; 2761 goto errout; 2762 } 2763 if (asprintf(&jsonfile, "%s/config.json", opts.ocibundle) < 0) { 2764 ret=-ENOMEM; 2765 goto errout; 2766 } 2767 ocires = parseOCI(jsonfile); 2768 free(jsonfile); 2769 if (ocires) { 2770 ERROR("parsing of OCI JSON spec has failed: %s (%d)\n", strerror(ocires), ocires); 2771 ret=ocires; 2772 goto errout; 2773 } 2774 } 2775 2776 if (opts.namespace & CLONE_NEWNET) { 2777 if (!opts.name) { 2778 ERROR("netns needs a named jail\n"); 2779 ret=-1; 2780 goto errout; 2781 } 2782 } 2783 2784 2785 if (opts.tmpoverlaysize && strlen(opts.tmpoverlaysize) > 8) { 2786 ERROR("size parameter too long: \"%s\"\n", opts.tmpoverlaysize); 2787 ret=-1; 2788 goto errout; 2789 } 2790 2791 if (opts.extroot && checkpath(opts.extroot)) { 2792 ERROR("invalid rootfs path '%s'", opts.extroot); 2793 ret=-1; 2794 goto errout; 2795 } 2796 2797 if (opts.overlaydir && checkpath(opts.overlaydir)) { 2798 ERROR("invalid rootfs overlay path '%s'", opts.overlaydir); 2799 ret=-1; 2800 goto errout; 2801 } 2802 2803 /* no <binary> param found */ 2804 if (!opts.ocibundle && (argc - optind < 1)) { 2805 usage(); 2806 ret=EXIT_FAILURE; 2807 goto errout; 2808 } 2809 if (!(opts.ocibundle||opts.namespace||opts.capabilities||opts.seccomp|| 2810 (opts.setns.net != -1) || 2811 (opts.setns.ns != -1) || 2812 (opts.setns.ipc != -1) || 2813 (opts.setns.uts != -1) || 2814 (opts.setns.user != -1) || 2815 (opts.setns.cgroup != -1))) { 2816 ERROR("Not using namespaces, capabilities or seccomp !!!\n\n"); 2817 usage(); 2818 ret=EXIT_FAILURE; 2819 goto errout; 2820 } 2821 DEBUG("Using namespaces(0x%08x), capabilities(%d), seccomp(%d)\n", 2822 opts.namespace, 2823 opts.capset.apply, 2824 opts.seccomp != 0 || opts.ociseccomp != 0); 2825 2826 uloop_init(); 2827 signals_init(); 2828 2829 parent_ctx = ubus_connect(NULL); 2830 ubus_add_uloop(parent_ctx); 2831 2832 if (opts.ocibundle) { 2833 char *objname; 2834 if (asprintf(&objname, "container.%s", opts.name) < 0) { 2835 ret=-ENOMEM; 2836 goto errout; 2837 } 2838 2839 container_object.name = objname; 2840 ret = ubus_add_object(parent_ctx, &container_object); 2841 if (ret) { 2842 ERROR("Failed to add object: %s\n", ubus_strerror(ret)); 2843 ret=-1; 2844 goto errout; 2845 } 2846 } 2847 2848 /* deliberately not using 'else' on unrelated conditional branches */ 2849 if (!opts.ocibundle) { 2850 /* allocate NULL-terminated array for argv */ 2851 opts.jail_argv = calloc(1 + argc - optind, sizeof(void *)); 2852 if (!opts.jail_argv) { 2853 ret=EXIT_FAILURE; 2854 goto errout; 2855 } 2856 for (size_t s = optind; s < argc; s++) 2857 opts.jail_argv[s - optind] = strdup(argv[s]); 2858 2859 if (opts.namespace & CLONE_NEWUSER) 2860 get_jail_user(&opts.pw_uid, &opts.pw_gid, &opts.gr_gid); 2861 } 2862 2863 if (!opts.extroot) { 2864 if (opts.namespace && add_path_and_deps(*opts.jail_argv, 1, -1, 0)) { 2865 ERROR("failed to load dependencies\n"); 2866 ret=-1; 2867 goto errout; 2868 } 2869 } 2870 2871 if (opts.namespace && opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) { 2872 ERROR("failed to load libpreload-seccomp.so\n"); 2873 opts.seccomp = 0; 2874 if (opts.require_jail) { 2875 ret=-1; 2876 goto errout; 2877 } 2878 } 2879 2880 uloop_timeout_add(&post_main_timeout); 2881 uloop_run(); 2882 2883 errout: 2884 if (opts.ocibundle) 2885 cgroups_free(); 2886 2887 free_opts(true); 2888 2889 return ret; 2890 } 2891 2892 static void post_main(struct uloop_timeout *t) 2893 { 2894 if (apply_rlimits()) { 2895 ERROR("error applying resource limits\n"); 2896 free_and_exit(EXIT_FAILURE); 2897 } 2898 2899 if (opts.name) 2900 prctl(PR_SET_NAME, opts.name, NULL, NULL, NULL); 2901 2902 if (pipe(&pipes[0]) < 0 || pipe(&pipes[2]) < 0) 2903 free_and_exit(-1); 2904 2905 if (has_namespaces()) { 2906 if (opts.namespace & CLONE_NEWNS) { 2907 if (!opts.extroot && (opts.user || opts.group)) { 2908 add_mount_bind("/etc/passwd", 1, -1); 2909 add_mount_bind("/etc/group", 1, -1); 2910 } 2911 2912 #if defined(__GLIBC__) 2913 if (!opts.extroot) 2914 add_mount_bind("/etc/nsswitch.conf", 1, -1); 2915 #endif 2916 if (opts.setns.ns == -1) { 2917 if (!(opts.namespace & CLONE_NEWNET)) { 2918 add_mount_bind("/etc/resolv.conf", 1, 0); 2919 } else { 2920 /* new mount namespace to provide /dev/resolv.conf.d */ 2921 char hostdir[PATH_MAX]; 2922 2923 snprintf(hostdir, PATH_MAX, "/tmp/resolv.conf-%s.d", opts.name); 2924 mkdir_p(hostdir, 0755); 2925 add_mount(hostdir, "/dev/resolv.conf.d", NULL, 2926 MS_BIND | MS_NOEXEC | MS_NOATIME | MS_NOSUID | MS_NODEV | MS_RDONLY, 0, NULL, 0); 2927 } 2928 } 2929 /* default mounts */ 2930 add_mount(NULL, "/dev", "tmpfs", MS_NOATIME | MS_NOEXEC | MS_NOSUID, 0, "size=1M", -1); 2931 add_mount(NULL, "/dev/pts", "devpts", MS_NOATIME | MS_NOEXEC | MS_NOSUID, 0, "newinstance,ptmxmode=0666,mode=0620,gid=5", 0); 2932 2933 if (opts.procfs || opts.ocibundle) { 2934 add_mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0, NULL, -1); 2935 2936 /* 2937 * hack to make /proc/sys/net read-write while the rest of /proc/sys is read-only 2938 * which cannot be expressed with OCI spec, but happends to be very useful. 2939 * Only apply it if '/proc/sys' is not already listed as mount, maskedPath or 2940 * readonlyPath. 2941 * If not running in a new network namespace, only make /proc/sys read-only. 2942 * If running in a new network namespace, temporarily stash (ie. mount-bind) 2943 * /proc/sys/net into (totally unrelated, but surely existing) /proc/self/net. 2944 * Then we mount-bind /proc/sys read-only and then mount-move /proc/self/net into 2945 * /proc/sys/net. 2946 * This works because mounts are executed in incrementing strcmp() order and 2947 * /proc/self/net appears there before /proc/sys/net and hence the operation 2948 * succeeds as the bind-mount of /proc/self/net is performed first and then 2949 * move-mount of /proc/sys/net follows because 'e' preceeds 'y' in the ASCII 2950 * table (and in the alphabet). 2951 */ 2952 if (!add_mount(NULL, "/proc/sys", NULL, MS_BIND | MS_RDONLY, 0, NULL, -1)) 2953 if (opts.namespace & CLONE_NEWNET) 2954 if (!add_mount_inner("/proc/self/net", "/proc/sys/net", NULL, MS_MOVE, 0, NULL, -1)) 2955 add_mount_inner("/proc/sys/net", "/proc/self/net", NULL, MS_BIND, 0, NULL, -1); 2956 2957 } 2958 if (opts.sysfs || opts.ocibundle) 2959 add_mount("sysfs", "/sys", "sysfs", MS_RELATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, 0, NULL, -1); 2960 2961 if (opts.ocibundle) 2962 add_mount("shm", "/dev/shm", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV, 0, "mode=1777", -1); 2963 2964 } 2965 2966 if (opts.setns.pid != -1) { 2967 pidns_fd = ns_open_pid("pid", getpid()); 2968 setns_open(CLONE_NEWPID); 2969 } else { 2970 pidns_fd = -1; 2971 } 2972 2973 #ifdef CLONE_NEWTIME 2974 if (opts.setns.time != -1) { 2975 timens_fd = ns_open_pid("time", getpid()); 2976 setns_open(CLONE_NEWTIME); 2977 } else { 2978 timens_fd = -1; 2979 } 2980 #endif 2981 2982 if (opts.namespace & CLONE_NEWUSER) { 2983 if (prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP)) { 2984 ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n"); 2985 free_and_exit(EXIT_FAILURE); 2986 } 2987 if (seteuid(opts.root_map_uid)) { 2988 ERROR("seteuid(%d) failed: %m\n", opts.root_map_uid); 2989 free_and_exit(EXIT_FAILURE); 2990 } 2991 } 2992 2993 jail_process.pid = clone(exec_jail, child_stack + STACK_SIZE, SIGCHLD | (opts.namespace & (~CLONE_NEWCGROUP)), NULL); 2994 } else { 2995 jail_process.pid = fork(); 2996 } 2997 2998 if (jail_process.pid > 0) { 2999 /* parent process */ 3000 char sig_buf[1]; 3001 3002 uloop_process_add(&jail_process); 3003 jail_running = 1; 3004 if (seteuid(0)) { 3005 ERROR("seteuid(%d) failed: %m\n", opts.root_map_uid); 3006 free_and_exit(EXIT_FAILURE); 3007 } 3008 3009 prctl(PR_SET_SECUREBITS, 0); 3010 3011 if (pidns_fd != -1) { 3012 setns(pidns_fd, CLONE_NEWPID); 3013 close(pidns_fd); 3014 } 3015 #ifdef CLONE_NEWTIME 3016 if (timens_fd != -1) { 3017 setns(timens_fd, CLONE_NEWTIME); 3018 close(timens_fd); 3019 } 3020 #endif 3021 if (opts.setns.net != -1) 3022 close(opts.setns.net); 3023 if (opts.setns.ns != -1) 3024 close(opts.setns.ns); 3025 if (opts.setns.ipc != -1) 3026 close(opts.setns.ipc); 3027 if (opts.setns.uts != -1) 3028 close(opts.setns.uts); 3029 if (opts.setns.user != -1) 3030 close(opts.setns.user); 3031 if (opts.setns.cgroup != -1) 3032 close(opts.setns.cgroup); 3033 close(pipes[1]); 3034 close(pipes[2]); 3035 if (read(pipes[0], sig_buf, 1) < 1) { 3036 ERROR("can't read from child\n"); 3037 free_and_exit(-1); 3038 } 3039 close(pipes[0]); 3040 set_oom_score_adj(); 3041 3042 if (opts.ocibundle) 3043 cgroups_apply(jail_process.pid); 3044 3045 if (opts.namespace & CLONE_NEWUSER) { 3046 if (write_setgroups(jail_process.pid, true)) { 3047 ERROR("can't write setgroups\n"); 3048 free_and_exit(-1); 3049 } 3050 if (!opts.uidmap) { 3051 bool has_gr = (opts.gr_gid != -1); 3052 if (opts.pw_uid != -1) { 3053 write_single_uid_gid_map(jail_process.pid, 0, opts.pw_uid); 3054 write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:opts.pw_gid); 3055 } else { 3056 write_single_uid_gid_map(jail_process.pid, 0, 65534); 3057 write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:65534); 3058 } 3059 } else { 3060 write_uid_gid_map(jail_process.pid, 0, opts.uidmap); 3061 if (opts.gidmap) 3062 write_uid_gid_map(jail_process.pid, 1, opts.gidmap); 3063 } 3064 } 3065 3066 if (opts.namespace & CLONE_NEWNET) 3067 jail_network_start(parent_ctx, opts.name, jail_process.pid); 3068 3069 if (jail_writepid(jail_process.pid)) { 3070 ERROR("failed to write pidfile: %m\n"); 3071 free_and_exit(-1); 3072 } 3073 } else if (jail_process.pid == 0) { 3074 /* fork child process */ 3075 free_and_exit(exec_jail(NULL)); 3076 } else { 3077 ERROR("failed to clone/fork: %m\n"); 3078 free_and_exit(EXIT_FAILURE); 3079 } 3080 run_hooks(opts.hooks.createRuntime, post_create_runtime); 3081 } 3082 3083 static void post_poststart(void); 3084 static void post_create_runtime(void) 3085 { 3086 char sig_buf[1]; 3087 3088 sig_buf[0] = 'O'; 3089 if (write(pipes[3], sig_buf, 1) < 0) { 3090 ERROR("can't write to child\n"); 3091 free_and_exit(-1); 3092 } 3093 3094 jail_oci_state = OCI_STATE_CREATED; 3095 if (opts.ocibundle && !opts.immediately) 3096 uloop_run(); /* wait for 'start' command via ubus */ 3097 else 3098 pipe_send_start_container(NULL); 3099 } 3100 3101 static void pipe_send_start_container(struct uloop_timeout *t) 3102 { 3103 char sig_buf[1]; 3104 3105 jail_oci_state = OCI_STATE_RUNNING; 3106 sig_buf[0] = '!'; 3107 if (write(pipes[3], sig_buf, 1) < 0) { 3108 ERROR("can't write to child\n"); 3109 free_and_exit(-1); 3110 } 3111 close(pipes[3]); 3112 3113 run_hooks(opts.hooks.poststart, post_poststart); 3114 } 3115 3116 static void post_poststart(void) 3117 { 3118 uloop_run(); /* idle here while jail is running */ 3119 if (jail_running) { 3120 DEBUG("uloop interrupted, killing jail process\n"); 3121 kill(jail_process.pid, SIGTERM); 3122 uloop_timeout_set(&jail_process_timeout, 1000); 3123 uloop_run(); 3124 } 3125 uloop_done(); 3126 poststop(); 3127 } 3128 3129 static void post_poststop(void); 3130 static void poststop(void) { 3131 if (opts.namespace & CLONE_NEWNET) { 3132 setns(netns_fd, CLONE_NEWNET); 3133 jail_network_stop(); 3134 close(netns_fd); 3135 } 3136 run_hooks(opts.hooks.poststop, post_poststop); 3137 } 3138 3139 static void post_poststop(void) 3140 { 3141 free_opts(true); 3142 if (parent_ctx) 3143 ubus_free(parent_ctx); 3144 3145 exit(jail_return_code); 3146 } 3147
This page was automatically generated by LXR 0.3.1. • OpenWrt