1 /* 2 * Copyright (C) 2015 John Crispin <blogic@openwrt.org> 3 * Copyright (C) 2020 Daniel Golle <daniel@makrotopia.org> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU Lesser General Public License version 2.1 7 * as published by the Free Software Foundation 8 * 9 * This program is distributed in the hope that it will be useful, 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of 11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 * GNU General Public License for more details. 13 */ 14 15 #define _GNU_SOURCE 16 #include <sys/mount.h> 17 #include <sys/prctl.h> 18 #include <sys/wait.h> 19 #include <sys/types.h> 20 #include <sys/time.h> 21 #include <sys/resource.h> 22 #include <sys/stat.h> 23 #include <sys/sysmacros.h> 24 25 /* musl only defined 15 limit types, make sure all 16 are supported */ 26 #ifndef RLIMIT_RTTIME 27 #define RLIMIT_RTTIME 15 28 #undef RLIMIT_NLIMITS 29 #define RLIMIT_NLIMITS 16 30 #undef RLIM_NLIMITS 31 #define RLIM_NLIMITS 16 32 #endif 33 34 #include <assert.h> 35 #include <stdlib.h> 36 #include <unistd.h> 37 #include <errno.h> 38 #include <pwd.h> 39 #include <grp.h> 40 #include <string.h> 41 #include <fcntl.h> 42 #include <sched.h> 43 #include <linux/filter.h> 44 #include <linux/limits.h> 45 #include <linux/nsfs.h> 46 #include <linux/securebits.h> 47 #include <signal.h> 48 #include <inttypes.h> 49 50 #include "capabilities.h" 51 #include "elf.h" 52 #include "fs.h" 53 #include "jail.h" 54 #include "log.h" 55 #include "seccomp-oci.h" 56 #include "cgroups.h" 57 #include "netifd.h" 58 59 #include <libubox/blobmsg.h> 60 #include <libubox/blobmsg_json.h> 61 #include <libubox/list.h> 62 #include <libubox/vlist.h> 63 #include <libubox/uloop.h> 64 #include <libubox/utils.h> 65 #include <libubus.h> 66 67 #ifndef CLONE_NEWCGROUP 68 #define CLONE_NEWCGROUP 0x02000000 69 #endif 70 71 #define STACK_SIZE (1024 * 1024) 72 #define OPT_ARGS "cC:d:EfFG:h:ij:J:ln:NoO:pP:r:R:sS:uU:w:T:y" 73 74 #define OCI_VERSION_STRING "1.0.2" 75 76 struct hook_execvpe { 77 char *file; 78 char **argv; 79 char **envp; 80 int timeout; 81 }; 82 83 struct sysctl_val { 84 char *entry; 85 char *value; 86 }; 87 88 struct mknod_args { 89 char *path; 90 mode_t mode; 91 dev_t dev; 92 uid_t uid; 93 gid_t gid; 94 }; 95 96 static struct { 97 char *name; 98 char *hostname; 99 char **jail_argv; 100 char *cwd; 101 char *seccomp; 102 struct sock_fprog *ociseccomp; 103 char *capabilities; 104 struct jail_capset capset; 105 char *user; 106 char *group; 107 char *extroot; 108 char *overlaydir; 109 char *tmpoverlaysize; 110 char **envp; 111 char *uidmap; 112 char *gidmap; 113 char *pidfile; 114 struct sysctl_val **sysctl; 115 int no_new_privs; 116 int namespace; 117 struct { 118 int pid; 119 int net; 120 int ns; 121 int ipc; 122 int uts; 123 int user; 124 int cgroup; 125 #ifdef CLONE_NEWTIME 126 int time; 127 #endif 128 } setns; 129 int procfs; 130 int ronly; 131 int sysfs; 132 int console; 133 int pw_uid; 134 int pw_gid; 135 int gr_gid; 136 int root_map_uid; 137 gid_t *additional_gids; 138 size_t num_additional_gids; 139 mode_t umask; 140 bool set_umask; 141 int require_jail; 142 struct { 143 struct hook_execvpe **createRuntime; 144 struct hook_execvpe **createContainer; 145 struct hook_execvpe **startContainer; 146 struct hook_execvpe **poststart; 147 struct hook_execvpe **poststop; 148 } hooks; 149 struct rlimit *rlimits[RLIM_NLIMITS]; 150 int oom_score_adj; 151 bool set_oom_score_adj; 152 struct mknod_args **devices; 153 char *ocibundle; 154 bool immediately; 155 struct blob_attr *annotations; 156 } opts; 157 158 static struct blob_buf ocibuf; 159 160 extern int pivot_root(const char *new_root, const char *put_old); 161 162 int debug = 0; 163 164 static char child_stack[STACK_SIZE]; 165 166 static struct ubus_context *parent_ctx; 167 168 int console_fd; 169 170 171 static inline bool has_namespaces(void) 172 { 173 return ((opts.setns.pid != -1) || 174 (opts.setns.net != -1) || 175 (opts.setns.ns != -1) || 176 (opts.setns.ipc != -1) || 177 (opts.setns.uts != -1) || 178 (opts.setns.user != -1) || 179 (opts.setns.cgroup != -1) || 180 #ifdef CLONE_NEWTIME 181 (opts.setns.time != -1) || 182 #endif 183 opts.namespace); 184 } 185 186 static void free_oci_envp(char **p) { 187 char **tmp; 188 189 if (p) { 190 tmp = p; 191 while (*tmp) 192 free(*(tmp++)); 193 194 free(p); 195 } 196 } 197 198 static void free_hooklist(struct hook_execvpe **hooklist) 199 { 200 struct hook_execvpe *cur; 201 202 if (!hooklist) 203 return; 204 205 cur = *hooklist; 206 while (cur) { 207 free_oci_envp(cur->argv); 208 free_oci_envp(cur->envp); 209 free(cur->file); 210 free(cur++); 211 } 212 free(hooklist); 213 } 214 215 static void free_sysctl(void) { 216 struct sysctl_val *cur; 217 cur = *opts.sysctl; 218 219 while (cur) { 220 free(cur->entry); 221 free(cur->value); 222 free(cur++); 223 } 224 free(opts.sysctl); 225 } 226 227 static void free_devices(void) { 228 struct mknod_args **cur; 229 230 if (!opts.devices) 231 return; 232 233 cur = opts.devices; 234 235 while (*cur) { 236 free((*cur)->path); 237 free(*(cur++)); 238 } 239 free(opts.devices); 240 } 241 242 static void free_rlimits(void) { 243 int type; 244 245 for (type = 0; type < RLIM_NLIMITS; ++type) 246 free(opts.rlimits[type]); 247 } 248 249 static void free_opts(bool parent) { 250 251 free_library_search(); 252 mount_free(); 253 cgroups_free(); 254 255 /* we need to keep argv, envp and seccomp filter in child */ 256 if (parent) { /* parent-only */ 257 if (opts.ociseccomp) { 258 free(opts.ociseccomp->filter); 259 free(opts.ociseccomp); 260 } 261 262 free_oci_envp(opts.jail_argv); 263 free_oci_envp(opts.envp); 264 } 265 266 free_rlimits(); 267 free_sysctl(); 268 free_devices(); 269 free(opts.hostname); 270 free(opts.cwd); 271 free(opts.uidmap); 272 free(opts.gidmap); 273 free(opts.annotations); 274 free(opts.extroot); 275 free(opts.overlaydir); 276 free_hooklist(opts.hooks.createRuntime); 277 free_hooklist(opts.hooks.createContainer); 278 free_hooklist(opts.hooks.startContainer); 279 free_hooklist(opts.hooks.poststart); 280 free_hooklist(opts.hooks.poststop); 281 } 282 283 static int mount_overlay(char *jail_root, char *overlaydir) { 284 char *upperdir, *workdir, *optsstr, *upperetc, *upperresolvconf; 285 const char mountoptsformat[] = "lowerdir=%s,upperdir=%s,workdir=%s"; 286 int ret = -1, fd; 287 288 if (asprintf(&upperdir, "%s%s", overlaydir, "/upper") < 0) 289 goto out; 290 291 if (asprintf(&workdir, "%s%s", overlaydir, "/work") < 0) 292 goto upper_printf; 293 294 if (asprintf(&optsstr, mountoptsformat, jail_root, upperdir, workdir) < 0) 295 goto work_printf; 296 297 if (mkdir_p(upperdir, 0755) || mkdir_p(workdir, 0755)) 298 goto opts_printf; 299 300 /* 301 * make sure /etc/resolv.conf exists in overlay and is owned by jail userns root 302 * this is to work-around a bug in overlayfs described in the overlayfs-userns 303 * patch: 304 * 3. modification of a file 'hithere' which is in l but not yet 305 * in u, and which is not owned by T, is not allowed, even if 306 * writes to u are allowed. This may be a bug in overlayfs, 307 * but it is safe behavior. 308 */ 309 if (asprintf(&upperetc, "%s/etc", upperdir) < 0) 310 goto opts_printf; 311 312 if (mkdir_p(upperetc, 0755)) 313 goto upper_etc_printf; 314 315 if (asprintf(&upperresolvconf, "%s/resolv.conf", upperetc) < 0) 316 goto upper_etc_printf; 317 318 fd = creat(upperresolvconf, 0644); 319 if (fd < 0) { 320 if (errno != EEXIST) 321 ERROR("creat(%s) failed: %m\n", upperresolvconf); 322 } else { 323 close(fd); 324 } 325 DEBUG("mount -t overlay %s %s (%s)\n", jail_root, jail_root, optsstr); 326 327 if (mount(jail_root, jail_root, "overlay", MS_NOATIME, optsstr)) 328 goto upper_resolvconf_printf; 329 330 ret = 0; 331 332 upper_resolvconf_printf: 333 free(upperresolvconf); 334 upper_etc_printf: 335 free(upperetc); 336 opts_printf: 337 free(optsstr); 338 work_printf: 339 free(workdir); 340 upper_printf: 341 free(upperdir); 342 out: 343 return ret; 344 } 345 346 static void pass_console(int console_fd) 347 { 348 struct ubus_context *child_ctx = ubus_connect(NULL); 349 static struct blob_buf req; 350 uint32_t id; 351 352 if (!child_ctx) 353 return; 354 355 blob_buf_init(&req, 0); 356 blobmsg_add_string(&req, "name", opts.name); 357 358 if (ubus_lookup_id(child_ctx, "container", &id) || 359 ubus_invoke_fd(child_ctx, id, "console_set", req.head, NULL, NULL, 3000, console_fd)) 360 INFO("ubus request failed\n"); 361 else 362 close(console_fd); 363 364 blob_buf_free(&req); 365 ubus_free(child_ctx); 366 } 367 368 static int create_dev_console(const char *jail_root) 369 { 370 char *console_fname; 371 char dev_console_path[PATH_MAX]; 372 int slave_console_fd; 373 374 /* Open UNIX/98 virtual console */ 375 console_fd = posix_openpt(O_RDWR | O_NOCTTY); 376 if (console_fd < 0) 377 return -1; 378 379 console_fname = ptsname(console_fd); 380 DEBUG("got console fd %d and PTS client name %s\n", console_fd, console_fname); 381 if (!console_fname) 382 goto no_console; 383 384 grantpt(console_fd); 385 unlockpt(console_fd); 386 387 /* pass PTY master to procd */ 388 pass_console(console_fd); 389 390 /* mount-bind PTY slave to /dev/console in jail */ 391 snprintf(dev_console_path, sizeof(dev_console_path), "%s/dev/console", jail_root); 392 close(creat(dev_console_path, 0620)); 393 394 if (mount(console_fname, dev_console_path, "bind", MS_BIND, NULL)) 395 goto no_console; 396 397 /* use PTY slave for stdio */ 398 slave_console_fd = open(console_fname, O_RDWR); /* | O_NOCTTY */ 399 if (slave_console_fd < 0) 400 goto no_console; 401 402 dup2(slave_console_fd, 0); 403 dup2(slave_console_fd, 1); 404 dup2(slave_console_fd, 2); 405 close(slave_console_fd); 406 407 INFO("using guest console %s\n", console_fname); 408 409 return 0; 410 411 no_console: 412 close(console_fd); 413 return 1; 414 } 415 416 static int hook_running = 0; 417 static int hook_return_code = 0; 418 static struct hook_execvpe **current_hook = NULL; 419 typedef void (*hook_return_handler)(void); 420 static hook_return_handler hook_return_cb = NULL; 421 422 static void hook_process_timeout_cb(struct uloop_timeout *t); 423 static struct uloop_timeout hook_process_timeout = { 424 .cb = hook_process_timeout_cb, 425 }; 426 427 static void run_hooklist(void); 428 static void hook_process_handler(struct uloop_process *c, int ret) 429 { 430 uloop_timeout_cancel(&hook_process_timeout); 431 432 if (WIFEXITED(ret)) { 433 hook_return_code = WEXITSTATUS(ret); 434 if (hook_return_code) 435 ERROR("hook (%d) exited with exit: %d\n", c->pid, hook_return_code); 436 else 437 DEBUG("hook (%d) exited with exit: %d\n", c->pid, hook_return_code); 438 439 } else { 440 hook_return_code = WTERMSIG(ret); 441 ERROR("hook (%d) exited with signal: %d\n", c->pid, hook_return_code); 442 } 443 hook_running = 0; 444 ++current_hook; 445 run_hooklist(); 446 } 447 448 static struct uloop_process hook_process = { 449 .cb = hook_process_handler, 450 }; 451 452 static void hook_process_timeout_cb(struct uloop_timeout *t) 453 { 454 DEBUG("hook process failed to stop, sending SIGKILL\n"); 455 kill(hook_process.pid, SIGKILL); 456 } 457 458 static void run_hooklist(void) 459 { 460 struct hook_execvpe *hook = *current_hook; 461 struct stat s; 462 463 if (!hook) 464 return hook_return_cb(); 465 466 DEBUG("executing hook %s\n", hook->file); 467 468 if (stat(hook->file, &s)) 469 hook_process_handler(&hook_process, ENOENT); 470 471 if (!((unsigned long)s.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) 472 hook_process_handler(&hook_process, EPERM); 473 474 hook_running = 1; 475 hook_process.pid = fork(); 476 if (hook_process.pid == 0) { 477 /* child */ 478 execve(hook->file, hook->argv, hook->envp); 479 ERROR("execve error %m\n"); 480 _exit(errno); 481 } else if (hook_process.pid < 0) { 482 /* fork error */ 483 ERROR("hook fork error\n"); 484 hook_running = 0; 485 hook_process_handler(&hook_process, errno); 486 } 487 488 /* parent */ 489 uloop_process_add(&hook_process); 490 491 if (hook->timeout > 0) 492 uloop_timeout_set(&hook_process_timeout, 1000 * hook->timeout); 493 494 uloop_run(); 495 if (hook_running) { 496 DEBUG("uloop interrupted, killing jail process\n"); 497 kill(hook_process.pid, SIGTERM); 498 uloop_timeout_set(&hook_process_timeout, 1000); 499 uloop_run(); 500 } 501 } 502 503 static void run_hooks(struct hook_execvpe **hooklist, hook_return_handler return_cb) 504 { 505 if (!hooklist) 506 return_cb(); 507 508 current_hook = hooklist; 509 hook_return_cb = return_cb; 510 511 run_hooklist(); 512 } 513 514 static int apply_sysctl(const char *jail_root) 515 { 516 struct sysctl_val **cur; 517 char *procdir, *fname; 518 int f; 519 520 if (!opts.sysctl) 521 return 0; 522 523 if (asprintf(&procdir, "%s/proc", jail_root) < 0) 524 return ENOMEM; 525 526 mkdir(procdir, 0700); 527 if (mount("proc", procdir, "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0)) 528 return EPERM; 529 530 cur = opts.sysctl; 531 532 while (*cur) { 533 if (asprintf(&fname, "%s/sys/%s", procdir, (*cur)->entry) < 0) 534 return ENOMEM; 535 536 DEBUG("sysctl: writing '%s' to %s\n", (*cur)->value, fname); 537 538 f = open(fname, O_WRONLY); 539 if (f < 0) { 540 ERROR("sysctl: can't open %s\n", fname); 541 free(fname); 542 return errno; 543 } 544 if (write(f, (*cur)->value, strlen((*cur)->value)) < 0) { 545 ERROR("sysctl: write to %s\n", fname); 546 free(fname); 547 close(f); 548 return errno; 549 } 550 551 free(fname); 552 close(f); 553 ++cur; 554 } 555 umount(procdir); 556 rmdir(procdir); 557 free(procdir); 558 559 return 0; 560 } 561 562 /* glibc defines makedev calling a function. make sure it's a pure macro */ 563 #if defined(__GLIBC__) 564 #undef makedev 565 /* from musl's sys/sysmacros.h */ 566 #define makedev(x,y) ( \ 567 (((x)&0xfffff000ULL) << 32) | \ 568 (((x)&0x00000fffULL) << 8) | \ 569 (((y)&0xffffff00ULL) << 12) | \ 570 (((y)&0x000000ffULL)) ) 571 #endif 572 573 static struct mknod_args default_devices[] = { 574 { .path = "/dev/null", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 3) }, 575 { .path = "/dev/zero", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 5) }, 576 { .path = "/dev/full", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 7) }, 577 { .path = "/dev/random", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 8) }, 578 { .path = "/dev/urandom", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH), .dev = makedev(1, 9) }, 579 { .path = "/dev/tty", .mode = (S_IFCHR|S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP), .dev = makedev(5, 0), .gid = 5 }, 580 { 0 }, 581 }; 582 583 static int create_devices(void) 584 { 585 struct mknod_args **cur, *curdef; 586 char *path, *tmp; 587 588 if (!opts.devices) 589 goto only_default_devices; 590 591 cur = opts.devices; 592 593 while (*cur) { 594 path = (*cur)->path; 595 /* don't allow devices outside of /dev */ 596 if (strncmp(path, "/dev", 4)) 597 return EPERM; 598 599 /* make sure parent folder exists */ 600 tmp = strrchr(path, '/'); 601 if (!tmp) 602 return EINVAL; 603 604 *tmp = '\0'; 605 if (strcmp(path, "/dev")) { 606 DEBUG("creating directory %s\n", path); 607 608 mkdir_p(path, 0755); 609 } 610 *tmp = '/'; 611 612 DEBUG("creating %s (mode=%08o)\n", path, (*cur)->mode); 613 614 /* create device */ 615 if (mknod(path, (*cur)->mode, (*cur)->dev)) 616 return errno; 617 618 /* change owner, if needed */ 619 if (((*cur)->uid || (*cur)->gid) && 620 chown(path, (*cur)->uid, (*cur)->gid)) 621 return errno; 622 623 ++cur; 624 } 625 626 only_default_devices: 627 curdef = default_devices; 628 while(curdef->path) { 629 DEBUG("creating %s (mode=%08o)\n", curdef->path, curdef->mode); 630 if (mknod(curdef->path, curdef->mode, curdef->dev)) { 631 ++curdef; 632 continue; /* may already exist, eg. due to a bind-mount */ 633 } 634 if ((curdef->uid || curdef->gid) && 635 chown(curdef->path, curdef->uid, curdef->gid)) 636 return errno; 637 638 ++curdef; 639 } 640 641 /* Dev symbolic links as defined in OCI spec */ 642 (void) symlink("/dev/pts/ptmx", "/dev/ptmx"); 643 (void) symlink("/proc/self/fd", "/dev/fd"); 644 (void) symlink("/proc/self/fd/0", "/dev/stdin"); 645 (void) symlink("/proc/self/fd/1", "/dev/stdout"); 646 (void) symlink("/proc/self/fd/2", "/dev/stderr"); 647 648 return 0; 649 } 650 651 static char jail_root[] = "/tmp/ujail-XXXXXX"; 652 static char tmpovdir[] = "/tmp/ujail-overlay-XXXXXX"; 653 static mode_t old_umask; 654 static void enter_jail_fs(void); 655 static int build_jail_fs(void) 656 { 657 char *overlaydir = NULL; 658 int ret; 659 660 old_umask = umask(0); 661 662 if (mkdtemp(jail_root) == NULL) { 663 ERROR("mkdtemp(%s) failed: %m\n", jail_root); 664 return -1; 665 } 666 667 if (apply_sysctl(jail_root)) { 668 ERROR("failed to apply sysctl values\n"); 669 return -1; 670 } 671 672 /* oldroot can't be MS_SHARED else pivot_root() fails */ 673 if (mount("none", "/", "none", MS_REC|MS_PRIVATE, NULL)) { 674 ERROR("private mount failed %m\n"); 675 return -1; 676 } 677 678 if (opts.extroot) { 679 if (mount(opts.extroot, jail_root, "bind", MS_BIND, NULL)) { 680 ERROR("extroot mount failed %m\n"); 681 return -1; 682 } 683 } else { 684 if (mount("tmpfs", jail_root, "tmpfs", MS_NOATIME, "mode=0755")) { 685 ERROR("tmpfs mount failed %m\n"); 686 return -1; 687 } 688 } 689 690 if (opts.tmpoverlaysize) { 691 char mountoptsstr[] = "mode=0755,size=XXXXXXXX"; 692 693 snprintf(mountoptsstr, sizeof(mountoptsstr), 694 "mode=0755,size=%s", opts.tmpoverlaysize); 695 if (mkdtemp(tmpovdir) == NULL) { 696 ERROR("mkdtemp(%s) failed: %m\n", jail_root); 697 return -1; 698 } 699 if (mount("tmpfs", tmpovdir, "tmpfs", MS_NOATIME, 700 mountoptsstr)) { 701 ERROR("failed to mount tmpfs for overlay (size=%s)\n", opts.tmpoverlaysize); 702 return -1; 703 } 704 overlaydir = tmpovdir; 705 } 706 707 if (opts.overlaydir) 708 overlaydir = opts.overlaydir; 709 710 if (overlaydir) { 711 ret = mount_overlay(jail_root, overlaydir); 712 if (ret) 713 return ret; 714 } 715 716 if (chdir(jail_root)) { 717 ERROR("chdir(%s) (jail_root) failed: %m\n", jail_root); 718 return -1; 719 } 720 721 if (mount_all(jail_root)) { 722 ERROR("mount_all() failed\n"); 723 return -1; 724 } 725 726 if (opts.console) 727 create_dev_console(jail_root); 728 729 /* make sure /etc/resolv.conf exists if in new network namespace */ 730 if (opts.namespace & CLONE_NEWNET) { 731 char jailetc[PATH_MAX], jaillink[PATH_MAX]; 732 733 snprintf(jailetc, PATH_MAX, "%s/etc", jail_root); 734 mkdir_p(jailetc, 0755); 735 snprintf(jaillink, PATH_MAX, "%s/etc/resolv.conf", jail_root); 736 if (overlaydir) 737 unlink(jaillink); 738 739 (void) symlink("../dev/resolv.conf.d/resolv.conf.auto", jaillink); 740 } 741 742 run_hooks(opts.hooks.createContainer, enter_jail_fs); 743 744 return 0; 745 } 746 747 static bool exit_from_child; 748 static void free_and_exit(int ret) 749 { 750 if (!exit_from_child && opts.ocibundle) 751 cgroups_free(); 752 753 if (!exit_from_child && parent_ctx) 754 ubus_free(parent_ctx); 755 756 free_opts(!exit_from_child); 757 758 exit(ret); 759 } 760 761 static void post_jail_fs(void); 762 static void enter_jail_fs(void) 763 { 764 char dirbuf[sizeof(jail_root) + 4]; 765 766 snprintf(dirbuf, sizeof(dirbuf), "%s/old", jail_root); 767 mkdir(dirbuf, 0755); 768 769 if (pivot_root(jail_root, dirbuf) == -1) { 770 ERROR("pivot_root(%s, %s) failed: %m\n", jail_root, dirbuf); 771 free_and_exit(-1); 772 } 773 if (chdir("/")) { 774 ERROR("chdir(/) (after pivot_root) failed: %m\n"); 775 free_and_exit(-1); 776 } 777 778 snprintf(dirbuf, sizeof(dirbuf), "/old%s", jail_root); 779 umount2(dirbuf, MNT_DETACH); 780 rmdir(dirbuf); 781 if (opts.tmpoverlaysize) { 782 char tmpdirbuf[sizeof(tmpovdir) + 4]; 783 snprintf(tmpdirbuf, sizeof(tmpdirbuf), "/old%s", tmpovdir); 784 umount2(tmpdirbuf, MNT_DETACH); 785 rmdir(tmpdirbuf); 786 } 787 788 umount2("/old", MNT_DETACH); 789 rmdir("/old"); 790 791 if (create_devices()) { 792 ERROR("create_devices() failed\n"); 793 free_and_exit(-1); 794 } 795 if (opts.ronly) 796 mount(NULL, "/", "bind", MS_REMOUNT | MS_BIND | MS_RDONLY, 0); 797 798 umask(old_umask); 799 post_jail_fs(); 800 } 801 802 static int write_uid_gid_map(pid_t child_pid, bool gidmap, char *mapstr) 803 { 804 int map_file; 805 char map_path[64]; 806 807 if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s", 808 child_pid, gidmap?"gid_map":"uid_map") < 0) 809 return -1; 810 811 if ((map_file = open(map_path, O_WRONLY)) < 0) 812 return -1; 813 814 if (dprintf(map_file, "%s", mapstr)) { 815 close(map_file); 816 return -1; 817 } 818 819 close(map_file); 820 return 0; 821 } 822 823 static int write_single_uid_gid_map(pid_t child_pid, bool gidmap, int id) 824 { 825 int map_file; 826 char map_path[64]; 827 const char *map_format = "%d %d %d\n"; 828 if (snprintf(map_path, sizeof(map_path), "/proc/%d/%s", 829 child_pid, gidmap?"gid_map":"uid_map") < 0) 830 return -1; 831 832 if ((map_file = open(map_path, O_WRONLY)) < 0) 833 return -1; 834 835 if (dprintf(map_file, map_format, 0, id, 1) < 0) { 836 close(map_file); 837 return -1; 838 } 839 840 close(map_file); 841 return 0; 842 } 843 844 static int write_setgroups(pid_t child_pid, bool allow) 845 { 846 int setgroups_file; 847 char setgroups_path[64]; 848 849 if (snprintf(setgroups_path, sizeof(setgroups_path), "/proc/%d/setgroups", 850 child_pid) < 0) { 851 return -1; 852 } 853 854 if ((setgroups_file = open(setgroups_path, O_WRONLY)) < 0) { 855 return -1; 856 } 857 858 if (dprintf(setgroups_file, "%s", allow?"allow":"deny") == -1) { 859 close(setgroups_file); 860 return -1; 861 } 862 863 close(setgroups_file); 864 return 0; 865 } 866 867 static void get_jail_user(int *user, int *user_gid, int *gr_gid) 868 { 869 struct passwd *p = NULL; 870 struct group *g = NULL; 871 872 if (opts.user) { 873 p = getpwnam(opts.user); 874 if (!p) { 875 ERROR("failed to get uid/gid for user %s: %d (%s)\n", 876 opts.user, errno, strerror(errno)); 877 free_and_exit(EXIT_FAILURE); 878 } 879 *user = p->pw_uid; 880 *user_gid = p->pw_gid; 881 } else { 882 *user = -1; 883 *user_gid = -1; 884 } 885 886 if (opts.group) { 887 g = getgrnam(opts.group); 888 if (!g) { 889 ERROR("failed to get gid for group %s: %m\n", opts.group); 890 free_and_exit(EXIT_FAILURE); 891 } 892 *gr_gid = g->gr_gid; 893 } else { 894 *gr_gid = -1; 895 } 896 }; 897 898 static void set_jail_user(int pw_uid, int user_gid, int gr_gid) 899 { 900 if (opts.user && (user_gid != -1) && initgroups(opts.user, user_gid)) { 901 ERROR("failed to initgroups() for user %s: %m\n", opts.user); 902 free_and_exit(EXIT_FAILURE); 903 } 904 905 if ((gr_gid != -1) && setregid(gr_gid, gr_gid)) { 906 ERROR("failed to set group id %d: %m\n", gr_gid); 907 free_and_exit(EXIT_FAILURE); 908 } 909 910 if ((pw_uid != -1) && setreuid(pw_uid, pw_uid)) { 911 ERROR("failed to set user id %d: %m\n", pw_uid); 912 free_and_exit(EXIT_FAILURE); 913 } 914 } 915 916 static int apply_rlimits(void) 917 { 918 int resource; 919 920 for (resource = 0; resource < RLIM_NLIMITS; ++resource) { 921 if (opts.rlimits[resource]) 922 DEBUG("applying limits to resource %u\n", resource); 923 924 if (opts.rlimits[resource] && 925 setrlimit(resource, opts.rlimits[resource])) 926 return errno; 927 } 928 929 return 0; 930 } 931 932 #define MAX_ENVP 64 933 static char** build_envp(const char *seccomp, char **ocienvp) 934 { 935 static char *envp[MAX_ENVP]; 936 static char preload_var[PATH_MAX]; 937 static char seccomp_var[PATH_MAX]; 938 static char seccomp_debug_var[20]; 939 static char debug_var[] = "LD_DEBUG=all"; 940 static char container_var[] = "container=ujail"; 941 const char *preload_lib = find_lib("libpreload-seccomp.so"); 942 char **addenv; 943 944 int count = 0; 945 946 if (seccomp && !preload_lib) { 947 ERROR("failed to add preload-lib to env\n"); 948 return NULL; 949 } 950 if (seccomp) { 951 snprintf(seccomp_var, sizeof(seccomp_var), "SECCOMP_FILE=%s", seccomp); 952 envp[count++] = seccomp_var; 953 snprintf(seccomp_debug_var, sizeof(seccomp_debug_var), "SECCOMP_DEBUG=%2d", debug); 954 envp[count++] = seccomp_debug_var; 955 snprintf(preload_var, sizeof(preload_var), "LD_PRELOAD=%s", preload_lib); 956 envp[count++] = preload_var; 957 } 958 959 envp[count++] = container_var; 960 961 if (debug > 1) 962 envp[count++] = debug_var; 963 964 addenv = ocienvp; 965 while (addenv && *addenv) { 966 envp[count++] = *(addenv++); 967 if (count >= MAX_ENVP) { 968 ERROR("environment limited to %d extra records, truncating\n", MAX_ENVP); 969 break; 970 } 971 } 972 return envp; 973 } 974 975 static void usage(void) 976 { 977 fprintf(stderr, "ujail <options> -- <binary> <params ...>\n"); 978 fprintf(stderr, " -d <num>\tshow debug log (increase num to increase verbosity)\n"); 979 fprintf(stderr, " -S <file>\tseccomp filter config\n"); 980 fprintf(stderr, " -C <file>\tcapabilities drop config\n"); 981 fprintf(stderr, " -c\t\tset PR_SET_NO_NEW_PRIVS\n"); 982 fprintf(stderr, " -n <name>\tthe name of the jail\n"); 983 fprintf(stderr, "namespace jail options:\n"); 984 fprintf(stderr, " -h <hostname>\tchange the hostname of the jail\n"); 985 fprintf(stderr, " -N\t\tjail has network namespace\n"); 986 fprintf(stderr, " -f\t\tjail has user namespace\n"); 987 fprintf(stderr, " -F\t\tjail has cgroups namespace\n"); 988 fprintf(stderr, " -r <file>\treadonly files that should be staged\n"); 989 fprintf(stderr, " -w <file>\twriteable files that should be staged\n"); 990 fprintf(stderr, " -p\t\tjail has /proc\n"); 991 fprintf(stderr, " -s\t\tjail has /sys\n"); 992 fprintf(stderr, " -l\t\tjail has /dev/log\n"); 993 fprintf(stderr, " -u\t\tjail has a ubus socket\n"); 994 fprintf(stderr, " -U <name>\tuser to run jailed process\n"); 995 fprintf(stderr, " -G <name>\tgroup to run jailed process\n"); 996 fprintf(stderr, " -o\t\tremont jail root (/) read only\n"); 997 fprintf(stderr, " -R <dir>\texternal jail rootfs (system container)\n"); 998 fprintf(stderr, " -O <dir>\tdirectory for r/w overlayfs\n"); 999 fprintf(stderr, " -T <size>\tuse tmpfs r/w overlayfs with <size>\n"); 1000 fprintf(stderr, " -E\t\tfail if jail cannot be setup\n"); 1001 fprintf(stderr, " -y\t\tprovide jail console\n"); 1002 fprintf(stderr, " -J <dir>\tcreate container from OCI bundle\n"); 1003 fprintf(stderr, " -i\t\tstart container immediately\n"); 1004 fprintf(stderr, " -P <pidfile>\tcreate <pidfile>\n"); 1005 fprintf(stderr, "\nWarning: by default root inside the jail is the same\n\ 1006 and he has the same powers as root outside the jail,\n\ 1007 thus he can escape the jail and/or break stuff.\n\ 1008 Please use seccomp/capabilities (-S/-C) to restrict his powers\n\n\ 1009 If you use none of the namespace jail options,\n\ 1010 ujail will not use namespace/build a jail,\n\ 1011 and will only drop capabilities/apply seccomp filter.\n\n"); 1012 } 1013 1014 static int* get_namespace_fd(const unsigned int nstype) 1015 { 1016 switch (nstype) { 1017 case CLONE_NEWPID: 1018 return &opts.setns.pid; 1019 case CLONE_NEWNET: 1020 return &opts.setns.net; 1021 case CLONE_NEWNS: 1022 return &opts.setns.ns; 1023 case CLONE_NEWIPC: 1024 return &opts.setns.ipc; 1025 case CLONE_NEWUTS: 1026 return &opts.setns.uts; 1027 case CLONE_NEWUSER: 1028 return &opts.setns.user; 1029 case CLONE_NEWCGROUP: 1030 return &opts.setns.cgroup; 1031 #ifdef CLONE_NEWTIME 1032 case CLONE_NEWTIME: 1033 return &opts.setns.time; 1034 #endif 1035 default: 1036 return NULL; 1037 } 1038 } 1039 1040 static int setns_open(unsigned long nstype) 1041 { 1042 int *fd = get_namespace_fd(nstype); 1043 1044 assert(fd != NULL); 1045 1046 if (*fd < 0) 1047 return 0; 1048 1049 if (setns(*fd, nstype) == -1) { 1050 close(*fd); 1051 return errno; 1052 } 1053 1054 close(*fd); 1055 return 0; 1056 } 1057 1058 static int jail_running = 0; 1059 static int jail_return_code = 0; 1060 1061 static void jail_process_timeout_cb(struct uloop_timeout *t); 1062 static struct uloop_timeout jail_process_timeout = { 1063 .cb = jail_process_timeout_cb, 1064 }; 1065 static void poststop(void); 1066 static void jail_process_handler(struct uloop_process *c, int ret) 1067 { 1068 uloop_timeout_cancel(&jail_process_timeout); 1069 if (WIFEXITED(ret)) { 1070 jail_return_code = WEXITSTATUS(ret); 1071 INFO("jail (%d) exited with exit: %d\n", c->pid, jail_return_code); 1072 } else { 1073 jail_return_code = WTERMSIG(ret); 1074 INFO("jail (%d) exited with signal: %d\n", c->pid, jail_return_code); 1075 } 1076 jail_running = 0; 1077 poststop(); 1078 } 1079 1080 static struct uloop_process jail_process = { 1081 .cb = jail_process_handler, 1082 }; 1083 1084 static void jail_process_timeout_cb(struct uloop_timeout *t) 1085 { 1086 DEBUG("jail process failed to stop, sending SIGKILL\n"); 1087 kill(jail_process.pid, SIGKILL); 1088 } 1089 1090 static void jail_handle_signal(int signo) 1091 { 1092 if (hook_running) { 1093 DEBUG("forwarding signal %d to the hook process\n", signo); 1094 kill(hook_process.pid, signo); 1095 } 1096 1097 if (jail_running) { 1098 DEBUG("forwarding signal %d to the jailed process\n", signo); 1099 kill(jail_process.pid, signo); 1100 } 1101 } 1102 1103 static void signals_init(void) 1104 { 1105 int i; 1106 sigset_t sigmask; 1107 1108 sigfillset(&sigmask); 1109 for (i = 0; i < _NSIG; i++) { 1110 struct sigaction s = { 0 }; 1111 1112 if (!sigismember(&sigmask, i)) 1113 continue; 1114 if ((i == SIGCHLD) || (i == SIGPIPE) || (i == SIGSEGV)) 1115 continue; 1116 1117 s.sa_handler = jail_handle_signal; 1118 sigaction(i, &s, NULL); 1119 } 1120 } 1121 1122 static void pre_exec_jail(struct uloop_timeout *t); 1123 static struct uloop_timeout pre_exec_timeout = { 1124 .cb = pre_exec_jail, 1125 }; 1126 1127 int pipes[4]; 1128 static int exec_jail(void *arg) 1129 { 1130 char buf[1]; 1131 1132 exit_from_child = true; 1133 prctl(PR_SET_SECUREBITS, 0); 1134 1135 uloop_init(); 1136 signals_init(); 1137 1138 close(pipes[0]); 1139 close(pipes[3]); 1140 1141 setns_open(CLONE_NEWUSER); 1142 setns_open(CLONE_NEWNET); 1143 setns_open(CLONE_NEWNS); 1144 setns_open(CLONE_NEWIPC); 1145 setns_open(CLONE_NEWUTS); 1146 1147 buf[0] = 'i'; 1148 if (write(pipes[1], buf, 1) < 1) { 1149 ERROR("can't write to parent\n"); 1150 return EXIT_FAILURE; 1151 } 1152 close(pipes[1]); 1153 if (read(pipes[2], buf, 1) < 1) { 1154 ERROR("can't read from parent\n"); 1155 return EXIT_FAILURE; 1156 } 1157 if (buf[0] != 'O') { 1158 ERROR("parent had an error, child exiting\n"); 1159 return EXIT_FAILURE; 1160 } 1161 1162 if (opts.namespace & CLONE_NEWCGROUP) 1163 unshare(CLONE_NEWCGROUP); 1164 1165 setns_open(CLONE_NEWCGROUP); 1166 1167 if ((opts.namespace & CLONE_NEWUSER) || (opts.setns.user != -1)) { 1168 if (setregid(0, 0) < 0) { 1169 ERROR("setgid\n"); 1170 free_and_exit(EXIT_FAILURE); 1171 } 1172 if (setreuid(0, 0) < 0) { 1173 ERROR("setuid\n"); 1174 free_and_exit(EXIT_FAILURE); 1175 } 1176 if (setgroups(0, NULL) < 0) { 1177 ERROR("setgroups\n"); 1178 free_and_exit(EXIT_FAILURE); 1179 } 1180 } 1181 1182 if (opts.namespace && opts.hostname && strlen(opts.hostname) > 0 1183 && sethostname(opts.hostname, strlen(opts.hostname))) { 1184 ERROR("sethostname(%s) failed: %m\n", opts.hostname); 1185 free_and_exit(EXIT_FAILURE); 1186 } 1187 1188 uloop_timeout_add(&pre_exec_timeout); 1189 uloop_run(); 1190 1191 free_and_exit(-1); 1192 return -1; 1193 } 1194 1195 static void pre_exec_jail(struct uloop_timeout *t) 1196 { 1197 if ((opts.namespace & CLONE_NEWNS) && build_jail_fs()) { 1198 ERROR("failed to build jail fs\n"); 1199 free_and_exit(EXIT_FAILURE); 1200 } else { 1201 run_hooks(opts.hooks.createContainer, post_jail_fs); 1202 } 1203 } 1204 1205 static void post_start_hook(void); 1206 static void post_jail_fs(void) 1207 { 1208 char buf[1]; 1209 1210 if (read(pipes[2], buf, 1) < 1) { 1211 ERROR("can't read from parent\n"); 1212 free_and_exit(EXIT_FAILURE); 1213 } 1214 if (buf[0] != '!') { 1215 ERROR("parent had an error, child exiting\n"); 1216 free_and_exit(EXIT_FAILURE); 1217 } 1218 close(pipes[2]); 1219 1220 run_hooks(opts.hooks.startContainer, post_start_hook); 1221 } 1222 1223 static void post_start_hook(void) 1224 { 1225 int pw_uid, pw_gid, gr_gid; 1226 1227 /* 1228 * make sure setuid/setgid won't drop capabilities in case capabilities 1229 * have been specified explicitely. 1230 */ 1231 if (opts.capset.apply) { 1232 if (prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP)) { 1233 ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n"); 1234 free_and_exit(EXIT_FAILURE); 1235 } 1236 } 1237 1238 /* drop capabilities, retain those still needed to further setup jail */ 1239 if (applyOCIcapabilities(opts.capset, (1LLU << CAP_SETGID) | (1LLU << CAP_SETUID) | (1LLU << CAP_SETPCAP))) 1240 free_and_exit(EXIT_FAILURE); 1241 1242 /* use either cmdline-supplied user/group or uid/gid from OCI spec */ 1243 get_jail_user(&pw_uid, &pw_gid, &gr_gid); 1244 set_jail_user(opts.pw_uid?:pw_uid, opts.pw_gid?:pw_gid, opts.gr_gid?:gr_gid); 1245 1246 if (opts.additional_gids && 1247 (setgroups(opts.num_additional_gids, opts.additional_gids) < 0)) { 1248 ERROR("setgroups failed: %m\n"); 1249 free_and_exit(EXIT_FAILURE); 1250 } 1251 1252 if (opts.set_umask) 1253 umask(opts.umask); 1254 1255 /* restore securebits back to normal (and lock them if not in userns) */ 1256 if (opts.capset.apply) { 1257 if (prctl(PR_SET_SECUREBITS, (opts.namespace & CLONE_NEWUSER)?0: 1258 SECBIT_KEEP_CAPS_LOCKED|SECBIT_NO_SETUID_FIXUP_LOCKED|SECBIT_NOROOT_LOCKED)) { 1259 ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n"); 1260 free_and_exit(EXIT_FAILURE); 1261 } 1262 } 1263 1264 /* drop remaining capabilities to end up with specified sets */ 1265 if (applyOCIcapabilities(opts.capset, 0)) 1266 free_and_exit(EXIT_FAILURE); 1267 1268 if (opts.no_new_privs && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 1269 ERROR("prctl(PR_SET_NO_NEW_PRIVS) failed: %m\n"); 1270 free_and_exit(EXIT_FAILURE); 1271 } 1272 1273 char **envp = build_envp(opts.seccomp, opts.envp); 1274 if (!envp) 1275 free_and_exit(EXIT_FAILURE); 1276 1277 if (opts.cwd && chdir(opts.cwd)) 1278 free_and_exit(EXIT_FAILURE); 1279 1280 if (opts.ociseccomp && applyOCIlinuxseccomp(opts.ociseccomp)) 1281 free_and_exit(EXIT_FAILURE); 1282 1283 uloop_end(); 1284 free_opts(false); 1285 INFO("exec-ing %s\n", *opts.jail_argv); 1286 if (opts.envp) /* respect PATH if potentially set in ENV */ 1287 execvpe(*opts.jail_argv, opts.jail_argv, envp); 1288 else 1289 execve(*opts.jail_argv, opts.jail_argv, envp); 1290 1291 /* we get there only if execve fails */ 1292 ERROR("failed to execve %s: %m\n", *opts.jail_argv); 1293 exit(EXIT_FAILURE); 1294 } 1295 1296 static int ns_open_pid(const char *nstype, const pid_t target_ns) 1297 { 1298 char pid_pid_path[PATH_MAX]; 1299 1300 snprintf(pid_pid_path, sizeof(pid_pid_path), "/proc/%u/ns/%s", target_ns, nstype); 1301 1302 return open(pid_pid_path, O_RDONLY); 1303 } 1304 1305 static void netns_updown(pid_t pid, bool start) 1306 { 1307 static struct blob_buf req; 1308 uint32_t id; 1309 1310 if (!parent_ctx) 1311 return; 1312 1313 blob_buf_init(&req, 0); 1314 blobmsg_add_string(&req, "jail", opts.name); 1315 blobmsg_add_u32(&req, "pid", pid); 1316 blobmsg_add_u8(&req, "start", start); 1317 1318 if (ubus_lookup_id(parent_ctx, "network", &id) || 1319 ubus_invoke(parent_ctx, id, "netns_updown", req.head, NULL, NULL, 3000)) 1320 INFO("ubus request failed\n"); 1321 1322 blob_buf_free(&req); 1323 } 1324 1325 static int parseOCIenvarray(struct blob_attr *msg, char ***envp) 1326 { 1327 struct blob_attr *cur; 1328 int sz = 0, rem; 1329 1330 blobmsg_for_each_attr(cur, msg, rem) 1331 ++sz; 1332 1333 if (sz > 0) { 1334 *envp = calloc(1 + sz, sizeof(char*)); 1335 if (!(*envp)) 1336 return ENOMEM; 1337 } else { 1338 *envp = NULL; 1339 return 0; 1340 } 1341 1342 sz = 0; 1343 blobmsg_for_each_attr(cur, msg, rem) 1344 (*envp)[sz++] = strdup(blobmsg_get_string(cur)); 1345 1346 if (sz) 1347 (*envp)[sz] = NULL; 1348 1349 return 0; 1350 } 1351 1352 enum { 1353 OCI_ROOT_PATH, 1354 OCI_ROOT_READONLY, 1355 __OCI_ROOT_MAX, 1356 }; 1357 1358 static const struct blobmsg_policy oci_root_policy[] = { 1359 [OCI_ROOT_PATH] = { "path", BLOBMSG_TYPE_STRING }, 1360 [OCI_ROOT_READONLY] = { "readonly", BLOBMSG_TYPE_BOOL }, 1361 }; 1362 1363 static int parseOCIroot(const char *jsonfile, struct blob_attr *msg) 1364 { 1365 char extroot[PATH_MAX] = { 0 }; 1366 struct blob_attr *tb[__OCI_ROOT_MAX]; 1367 char *cur; 1368 char *root_path; 1369 1370 blobmsg_parse(oci_root_policy, __OCI_ROOT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1371 1372 if (!tb[OCI_ROOT_PATH]) 1373 return ENODATA; 1374 1375 root_path = blobmsg_get_string(tb[OCI_ROOT_PATH]); 1376 1377 /* prepend bundle directory in case of relative paths */ 1378 if (root_path[0] != '/') { 1379 strncpy(extroot, jsonfile, PATH_MAX - 1); 1380 1381 cur = strrchr(extroot, '/'); 1382 1383 if (!cur) 1384 return ENOTDIR; 1385 1386 *(++cur) = '\0'; 1387 } 1388 1389 strncat(extroot, root_path, PATH_MAX - (strlen(extroot) + 1)); 1390 1391 /* follow symbolic link(s) */ 1392 opts.extroot = realpath(extroot, NULL); 1393 if (!opts.extroot) 1394 return errno; 1395 1396 if (tb[OCI_ROOT_READONLY]) 1397 opts.ronly = blobmsg_get_bool(tb[OCI_ROOT_READONLY]); 1398 1399 return 0; 1400 } 1401 1402 1403 enum { 1404 OCI_HOOK_PATH, 1405 OCI_HOOK_ARGS, 1406 OCI_HOOK_ENV, 1407 OCI_HOOK_TIMEOUT, 1408 __OCI_HOOK_MAX, 1409 }; 1410 1411 static const struct blobmsg_policy oci_hook_policy[] = { 1412 [OCI_HOOK_PATH] = { "path", BLOBMSG_TYPE_STRING }, 1413 [OCI_HOOK_ARGS] = { "args", BLOBMSG_TYPE_ARRAY }, 1414 [OCI_HOOK_ENV] = { "env", BLOBMSG_TYPE_ARRAY }, 1415 [OCI_HOOK_TIMEOUT] = { "timeout", BLOBMSG_TYPE_INT32 }, 1416 }; 1417 1418 1419 static int parseOCIhook(struct hook_execvpe ***hooklist, struct blob_attr *msg) 1420 { 1421 struct blob_attr *tb[__OCI_HOOK_MAX]; 1422 struct blob_attr *cur; 1423 int rem, ret = 0; 1424 int idx = 0; 1425 1426 blobmsg_for_each_attr(cur, msg, rem) 1427 ++idx; 1428 1429 if (!idx) 1430 return 0; 1431 1432 *hooklist = calloc(idx + 1, sizeof(struct hook_execvpe *)); 1433 idx = 0; 1434 1435 if (!(*hooklist)) 1436 return ENOMEM; 1437 1438 blobmsg_for_each_attr(cur, msg, rem) { 1439 blobmsg_parse(oci_hook_policy, __OCI_HOOK_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 1440 1441 if (!tb[OCI_HOOK_PATH]) { 1442 ret = EINVAL; 1443 goto errout; 1444 } 1445 1446 (*hooklist)[idx] = calloc(1, sizeof(struct hook_execvpe)); 1447 if (tb[OCI_HOOK_ARGS]) { 1448 ret = parseOCIenvarray(tb[OCI_HOOK_ARGS], &((*hooklist)[idx]->argv)); 1449 if (ret) 1450 goto errout; 1451 } else { 1452 (*hooklist)[idx]->argv = calloc(2, sizeof(char *)); 1453 ((*hooklist)[idx]->argv)[0] = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH])); 1454 ((*hooklist)[idx]->argv)[1] = NULL; 1455 }; 1456 1457 1458 if (tb[OCI_HOOK_ENV]) { 1459 ret = parseOCIenvarray(tb[OCI_HOOK_ENV], &((*hooklist)[idx]->envp)); 1460 if (ret) 1461 goto errout; 1462 } 1463 1464 if (tb[OCI_HOOK_TIMEOUT]) 1465 (*hooklist)[idx]->timeout = blobmsg_get_u32(tb[OCI_HOOK_TIMEOUT]); 1466 1467 (*hooklist)[idx]->file = strdup(blobmsg_get_string(tb[OCI_HOOK_PATH])); 1468 1469 ++idx; 1470 } 1471 1472 (*hooklist)[idx] = NULL; 1473 1474 DEBUG("added %d hooks\n", idx); 1475 1476 return 0; 1477 1478 errout: 1479 free_hooklist(*hooklist); 1480 *hooklist = NULL; 1481 1482 return ret; 1483 }; 1484 1485 1486 enum { 1487 OCI_HOOKS_PRESTART, 1488 OCI_HOOKS_CREATERUNTIME, 1489 OCI_HOOKS_CREATECONTAINER, 1490 OCI_HOOKS_STARTCONTAINER, 1491 OCI_HOOKS_POSTSTART, 1492 OCI_HOOKS_POSTSTOP, 1493 __OCI_HOOKS_MAX, 1494 }; 1495 1496 static const struct blobmsg_policy oci_hooks_policy[] = { 1497 [OCI_HOOKS_PRESTART] = { "prestart", BLOBMSG_TYPE_ARRAY }, 1498 [OCI_HOOKS_CREATERUNTIME] = { "createRuntime", BLOBMSG_TYPE_ARRAY }, 1499 [OCI_HOOKS_CREATECONTAINER] = { "createContainer", BLOBMSG_TYPE_ARRAY }, 1500 [OCI_HOOKS_STARTCONTAINER] = { "startContainer", BLOBMSG_TYPE_ARRAY }, 1501 [OCI_HOOKS_POSTSTART] = { "poststart", BLOBMSG_TYPE_ARRAY }, 1502 [OCI_HOOKS_POSTSTOP] = { "poststop", BLOBMSG_TYPE_ARRAY }, 1503 }; 1504 1505 static int parseOCIhooks(struct blob_attr *msg) 1506 { 1507 struct blob_attr *tb[__OCI_HOOKS_MAX]; 1508 int ret; 1509 1510 blobmsg_parse(oci_hooks_policy, __OCI_HOOKS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1511 1512 if (tb[OCI_HOOKS_PRESTART]) 1513 INFO("warning: ignoring deprecated prestart hook\n"); 1514 1515 if (tb[OCI_HOOKS_CREATERUNTIME]) { 1516 ret = parseOCIhook(&opts.hooks.createRuntime, tb[OCI_HOOKS_CREATERUNTIME]); 1517 if (ret) 1518 return ret; 1519 } 1520 1521 if (tb[OCI_HOOKS_CREATECONTAINER]) { 1522 ret = parseOCIhook(&opts.hooks.createContainer, tb[OCI_HOOKS_CREATECONTAINER]); 1523 if (ret) 1524 goto out_createruntime; 1525 } 1526 1527 if (tb[OCI_HOOKS_STARTCONTAINER]) { 1528 ret = parseOCIhook(&opts.hooks.startContainer, tb[OCI_HOOKS_STARTCONTAINER]); 1529 if (ret) 1530 goto out_createcontainer; 1531 } 1532 1533 if (tb[OCI_HOOKS_POSTSTART]) { 1534 ret = parseOCIhook(&opts.hooks.poststart, tb[OCI_HOOKS_POSTSTART]); 1535 if (ret) 1536 goto out_startcontainer; 1537 } 1538 1539 if (tb[OCI_HOOKS_POSTSTOP]) { 1540 ret = parseOCIhook(&opts.hooks.poststop, tb[OCI_HOOKS_POSTSTOP]); 1541 if (ret) 1542 goto out_poststart; 1543 } 1544 1545 return 0; 1546 1547 out_poststart: 1548 free_hooklist(opts.hooks.poststart); 1549 out_startcontainer: 1550 free_hooklist(opts.hooks.startContainer); 1551 out_createcontainer: 1552 free_hooklist(opts.hooks.createContainer); 1553 out_createruntime: 1554 free_hooklist(opts.hooks.createRuntime); 1555 1556 return ret; 1557 }; 1558 1559 1560 enum { 1561 OCI_PROCESS_USER_UID, 1562 OCI_PROCESS_USER_GID, 1563 OCI_PROCESS_USER_UMASK, 1564 OCI_PROCESS_USER_ADDITIONALGIDS, 1565 __OCI_PROCESS_USER_MAX, 1566 }; 1567 1568 static const struct blobmsg_policy oci_process_user_policy[] = { 1569 [OCI_PROCESS_USER_UID] = { "uid", BLOBMSG_TYPE_INT32 }, 1570 [OCI_PROCESS_USER_GID] = { "gid", BLOBMSG_TYPE_INT32 }, 1571 [OCI_PROCESS_USER_UMASK] = { "umask", BLOBMSG_TYPE_INT32 }, 1572 [OCI_PROCESS_USER_ADDITIONALGIDS] = { "additionalGids", BLOBMSG_TYPE_ARRAY }, 1573 }; 1574 1575 static int parseOCIprocessuser(struct blob_attr *msg) { 1576 struct blob_attr *tb[__OCI_PROCESS_USER_MAX]; 1577 struct blob_attr *cur; 1578 int rem; 1579 int has_gid = 0; 1580 1581 blobmsg_parse(oci_process_user_policy, __OCI_PROCESS_USER_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1582 1583 if (tb[OCI_PROCESS_USER_UID]) 1584 opts.pw_uid = blobmsg_get_u32(tb[OCI_PROCESS_USER_UID]); 1585 1586 if (tb[OCI_PROCESS_USER_GID]) { 1587 opts.pw_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]); 1588 opts.gr_gid = blobmsg_get_u32(tb[OCI_PROCESS_USER_GID]); 1589 has_gid = 1; 1590 } 1591 1592 if (tb[OCI_PROCESS_USER_ADDITIONALGIDS]) { 1593 size_t gidcnt = 0; 1594 1595 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) { 1596 ++gidcnt; 1597 if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid)) 1598 continue; 1599 } 1600 1601 if (gidcnt) { 1602 opts.additional_gids = calloc(gidcnt + has_gid, sizeof(gid_t)); 1603 gidcnt = 0; 1604 1605 /* always add primary GID to set of GIDs if set */ 1606 if (has_gid) 1607 opts.additional_gids[gidcnt++] = opts.gr_gid; 1608 1609 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_USER_ADDITIONALGIDS], rem) { 1610 if (has_gid && (blobmsg_get_u32(cur) == opts.gr_gid)) 1611 continue; 1612 opts.additional_gids[gidcnt++] = blobmsg_get_u32(cur); 1613 } 1614 opts.num_additional_gids = gidcnt; 1615 } 1616 DEBUG("read %zu additional groups\n", gidcnt); 1617 } 1618 1619 if (tb[OCI_PROCESS_USER_UMASK]) { 1620 opts.umask = blobmsg_get_u32(tb[OCI_PROCESS_USER_UMASK]); 1621 opts.set_umask = true; 1622 } 1623 1624 return 0; 1625 } 1626 1627 enum { 1628 OCI_PROCESS_RLIMIT_TYPE, 1629 OCI_PROCESS_RLIMIT_SOFT, 1630 OCI_PROCESS_RLIMIT_HARD, 1631 __OCI_PROCESS_RLIMIT_MAX, 1632 }; 1633 1634 static const struct blobmsg_policy oci_process_rlimit_policy[] = { 1635 [OCI_PROCESS_RLIMIT_TYPE] = { "type", BLOBMSG_TYPE_STRING }, 1636 [OCI_PROCESS_RLIMIT_SOFT] = { "soft", BLOBMSG_CAST_INT64 }, 1637 [OCI_PROCESS_RLIMIT_HARD] = { "hard", BLOBMSG_CAST_INT64 }, 1638 }; 1639 1640 /* from manpage GETRLIMIT(2) */ 1641 static const char* const rlimit_names[RLIM_NLIMITS] = { 1642 [RLIMIT_AS] = "AS", 1643 [RLIMIT_CORE] = "CORE", 1644 [RLIMIT_CPU] = "CPU", 1645 [RLIMIT_DATA] = "DATA", 1646 [RLIMIT_FSIZE] = "FSIZE", 1647 [RLIMIT_LOCKS] = "LOCKS", 1648 [RLIMIT_MEMLOCK] = "MEMLOCK", 1649 [RLIMIT_MSGQUEUE] = "MSGQUEUE", 1650 [RLIMIT_NICE] = "NICE", 1651 [RLIMIT_NOFILE] = "NOFILE", 1652 [RLIMIT_NPROC] = "NPROC", 1653 [RLIMIT_RSS] = "RSS", 1654 [RLIMIT_RTPRIO] = "RTPRIO", 1655 [RLIMIT_RTTIME] = "RTTIME", 1656 [RLIMIT_SIGPENDING] = "SIGPENDING", 1657 [RLIMIT_STACK] = "STACK", 1658 }; 1659 1660 static int resolve_rlimit(char *type) { 1661 unsigned int rltype; 1662 1663 for (rltype = 0; rltype < RLIM_NLIMITS; ++rltype) 1664 if (rlimit_names[rltype] && 1665 !strncmp("RLIMIT_", type, 7) && 1666 !strcmp(rlimit_names[rltype], type + 7)) 1667 return rltype; 1668 1669 return -1; 1670 } 1671 1672 1673 static int parseOCIrlimit(struct blob_attr *msg) 1674 { 1675 struct blob_attr *tb[__OCI_PROCESS_RLIMIT_MAX]; 1676 int limtype = -1; 1677 struct rlimit *curlim; 1678 1679 blobmsg_parse(oci_process_rlimit_policy, __OCI_PROCESS_RLIMIT_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1680 1681 if (!tb[OCI_PROCESS_RLIMIT_TYPE] || 1682 !tb[OCI_PROCESS_RLIMIT_SOFT] || 1683 !tb[OCI_PROCESS_RLIMIT_HARD]) 1684 return ENODATA; 1685 1686 limtype = resolve_rlimit(blobmsg_get_string(tb[OCI_PROCESS_RLIMIT_TYPE])); 1687 1688 if (limtype < 0) 1689 return EINVAL; 1690 1691 if (opts.rlimits[limtype]) 1692 return ENOTUNIQ; 1693 1694 curlim = malloc(sizeof(struct rlimit)); 1695 curlim->rlim_cur = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_SOFT]); 1696 curlim->rlim_max = blobmsg_cast_u64(tb[OCI_PROCESS_RLIMIT_HARD]); 1697 1698 opts.rlimits[limtype] = curlim; 1699 1700 return 0; 1701 }; 1702 1703 enum { 1704 OCI_PROCESS_ARGS, 1705 OCI_PROCESS_CAPABILITIES, 1706 OCI_PROCESS_CWD, 1707 OCI_PROCESS_ENV, 1708 OCI_PROCESS_OOMSCOREADJ, 1709 OCI_PROCESS_NONEWPRIVILEGES, 1710 OCI_PROCESS_RLIMITS, 1711 OCI_PROCESS_TERMINAL, 1712 OCI_PROCESS_USER, 1713 __OCI_PROCESS_MAX, 1714 }; 1715 1716 static const struct blobmsg_policy oci_process_policy[] = { 1717 [OCI_PROCESS_ARGS] = { "args", BLOBMSG_TYPE_ARRAY }, 1718 [OCI_PROCESS_CAPABILITIES] = { "capabilities", BLOBMSG_TYPE_TABLE }, 1719 [OCI_PROCESS_CWD] = { "cwd", BLOBMSG_TYPE_STRING }, 1720 [OCI_PROCESS_ENV] = { "env", BLOBMSG_TYPE_ARRAY }, 1721 [OCI_PROCESS_OOMSCOREADJ] = { "oomScoreAdj", BLOBMSG_TYPE_INT32 }, 1722 [OCI_PROCESS_NONEWPRIVILEGES] = { "noNewPrivileges", BLOBMSG_TYPE_BOOL }, 1723 [OCI_PROCESS_RLIMITS] = { "rlimits", BLOBMSG_TYPE_ARRAY }, 1724 [OCI_PROCESS_TERMINAL] = { "terminal", BLOBMSG_TYPE_BOOL }, 1725 [OCI_PROCESS_USER] = { "user", BLOBMSG_TYPE_TABLE }, 1726 }; 1727 1728 1729 static int parseOCIprocess(struct blob_attr *msg) 1730 { 1731 struct blob_attr *tb[__OCI_PROCESS_MAX], *cur; 1732 int rem, res; 1733 1734 blobmsg_parse(oci_process_policy, __OCI_PROCESS_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1735 1736 if (!tb[OCI_PROCESS_ARGS]) 1737 return ENOENT; 1738 1739 res = parseOCIenvarray(tb[OCI_PROCESS_ARGS], &opts.jail_argv); 1740 if (res) 1741 return res; 1742 1743 if (tb[OCI_PROCESS_TERMINAL]) 1744 opts.console = blobmsg_get_bool(tb[OCI_PROCESS_TERMINAL]); 1745 1746 if (tb[OCI_PROCESS_NONEWPRIVILEGES]) 1747 opts.no_new_privs = blobmsg_get_bool(tb[OCI_PROCESS_NONEWPRIVILEGES]); 1748 1749 if (tb[OCI_PROCESS_CWD]) 1750 opts.cwd = strdup(blobmsg_get_string(tb[OCI_PROCESS_CWD])); 1751 1752 if (tb[OCI_PROCESS_ENV]) { 1753 res = parseOCIenvarray(tb[OCI_PROCESS_ENV], &opts.envp); 1754 if (res) 1755 return res; 1756 } 1757 1758 if (tb[OCI_PROCESS_USER] && (res = parseOCIprocessuser(tb[OCI_PROCESS_USER]))) 1759 return res; 1760 1761 if (tb[OCI_PROCESS_CAPABILITIES] && 1762 (res = parseOCIcapabilities(&opts.capset, tb[OCI_PROCESS_CAPABILITIES]))) 1763 return res; 1764 1765 if (tb[OCI_PROCESS_RLIMITS]) { 1766 blobmsg_for_each_attr(cur, tb[OCI_PROCESS_RLIMITS], rem) { 1767 res = parseOCIrlimit(cur); 1768 if (res) 1769 return res; 1770 } 1771 } 1772 1773 if (tb[OCI_PROCESS_OOMSCOREADJ]) { 1774 opts.oom_score_adj = blobmsg_get_u32(tb[OCI_PROCESS_OOMSCOREADJ]); 1775 opts.set_oom_score_adj = true; 1776 } 1777 1778 return 0; 1779 } 1780 1781 enum { 1782 OCI_LINUX_NAMESPACE_TYPE, 1783 OCI_LINUX_NAMESPACE_PATH, 1784 __OCI_LINUX_NAMESPACE_MAX, 1785 }; 1786 1787 static const struct blobmsg_policy oci_linux_namespace_policy[] = { 1788 [OCI_LINUX_NAMESPACE_TYPE] = { "type", BLOBMSG_TYPE_STRING }, 1789 [OCI_LINUX_NAMESPACE_PATH] = { "path", BLOBMSG_TYPE_STRING }, 1790 }; 1791 1792 static int resolve_nstype(char *type) { 1793 if (!strcmp("pid", type)) 1794 return CLONE_NEWPID; 1795 else if (!strcmp("network", type)) 1796 return CLONE_NEWNET; 1797 else if (!strcmp("net", type)) 1798 return CLONE_NEWNET; 1799 else if (!strcmp("mount", type)) 1800 return CLONE_NEWNS; 1801 else if (!strcmp("ipc", type)) 1802 return CLONE_NEWIPC; 1803 else if (!strcmp("uts", type)) 1804 return CLONE_NEWUTS; 1805 else if (!strcmp("user", type)) 1806 return CLONE_NEWUSER; 1807 else if (!strcmp("cgroup", type)) 1808 return CLONE_NEWCGROUP; 1809 #ifdef CLONE_NEWTIME 1810 else if (!strcmp("time", type)) 1811 return CLONE_NEWTIME; 1812 #endif 1813 else 1814 return 0; 1815 } 1816 1817 static int parseOCIlinuxns(struct blob_attr *msg) 1818 { 1819 struct blob_attr *tb[__OCI_LINUX_NAMESPACE_MAX]; 1820 int nstype; 1821 int *setns; 1822 int fd; 1823 1824 blobmsg_parse(oci_linux_namespace_policy, __OCI_LINUX_NAMESPACE_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 1825 1826 if (!tb[OCI_LINUX_NAMESPACE_TYPE]) 1827 return EINVAL; 1828 1829 nstype = resolve_nstype(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE])); 1830 if (!nstype) 1831 return EINVAL; 1832 1833 if (opts.namespace & nstype) 1834 return ENOTUNIQ; 1835 1836 setns = get_namespace_fd(nstype); 1837 1838 if (!setns) 1839 return EFAULT; 1840 1841 if (*setns != -1) 1842 return ENOTUNIQ; 1843 1844 if (tb[OCI_LINUX_NAMESPACE_PATH]) { 1845 DEBUG("opening existing %s namespace from path %s\n", 1846 blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]), 1847 blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH])); 1848 1849 fd = open(blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_PATH]), O_RDONLY); 1850 if (fd < 0) 1851 return errno?:ESTALE; 1852 1853 if (ioctl(fd, NS_GET_NSTYPE) != nstype) { 1854 close(fd); 1855 return EINVAL; 1856 } 1857 1858 DEBUG("opened existing %s namespace got filehandler %u\n", 1859 blobmsg_get_string(tb[OCI_LINUX_NAMESPACE_TYPE]), 1860 fd); 1861 1862 *setns = fd; 1863 } else { 1864 opts.namespace |= nstype; 1865 } 1866 1867 return 0; 1868 } 1869 1870 /* 1871 * join namespace of existing PID 1872 * The string argument is the reference PID followed by ':' and a 1873 * ',' separated list of namespaces to to join. 1874 */ 1875 static int jail_join_ns(char *arg) 1876 { 1877 pid_t pid; 1878 int fd; 1879 int nstype; 1880 char *tmp, *etmp, *nspath; 1881 int *setns; 1882 1883 tmp = strchr(arg, ':'); 1884 if (!tmp) 1885 return EINVAL; 1886 1887 *tmp = '\0'; 1888 pid = atoi(arg); 1889 1890 do { 1891 ++tmp; 1892 etmp = strchr(tmp, ','); 1893 if (etmp) 1894 *etmp = '\0'; 1895 1896 nstype = resolve_nstype(tmp); 1897 if (!nstype) 1898 return EINVAL; 1899 1900 if (opts.namespace & nstype) 1901 return ENOTUNIQ; 1902 1903 setns = get_namespace_fd(nstype); 1904 1905 if (!setns) 1906 return EFAULT; 1907 1908 if (*setns != -1) 1909 return ENOTUNIQ; 1910 1911 if (asprintf(&nspath, "/proc/%d/ns/%s", pid, tmp) < 0) 1912 return ENOMEM; 1913 1914 fd = open(nspath, O_RDONLY); 1915 free(nspath); 1916 1917 if (fd < 0) 1918 return errno?:ESTALE; 1919 1920 *setns = fd; 1921 1922 if (etmp) 1923 tmp = etmp; 1924 else 1925 tmp = NULL; 1926 } while (tmp); 1927 1928 return 0; 1929 } 1930 1931 static void get_jail_root_user(bool is_gidmap, uint32_t container_id, uint32_t host_id, uint32_t size) 1932 { 1933 if (container_id == 0 && size >= 1) 1934 if (!is_gidmap) 1935 opts.root_map_uid = host_id; 1936 } 1937 1938 enum { 1939 OCI_LINUX_UIDGIDMAP_CONTAINERID, 1940 OCI_LINUX_UIDGIDMAP_HOSTID, 1941 OCI_LINUX_UIDGIDMAP_SIZE, 1942 __OCI_LINUX_UIDGIDMAP_MAX, 1943 }; 1944 1945 static const struct blobmsg_policy oci_linux_uidgidmap_policy[] = { 1946 [OCI_LINUX_UIDGIDMAP_CONTAINERID] = { "containerID", BLOBMSG_TYPE_INT32 }, 1947 [OCI_LINUX_UIDGIDMAP_HOSTID] = { "hostID", BLOBMSG_TYPE_INT32 }, 1948 [OCI_LINUX_UIDGIDMAP_SIZE] = { "size", BLOBMSG_TYPE_INT32 }, 1949 }; 1950 1951 static int parseOCIuidgidmappings(struct blob_attr *msg, bool is_gidmap) 1952 { 1953 struct blob_attr *tb[__OCI_LINUX_UIDGIDMAP_MAX]; 1954 struct blob_attr *cur; 1955 int rem; 1956 char *map; 1957 size_t len, pos, totallen = 0; 1958 1959 blobmsg_for_each_attr(cur, msg, rem) { 1960 blobmsg_parse(oci_linux_uidgidmap_policy, __OCI_LINUX_UIDGIDMAP_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 1961 1962 if (!tb[OCI_LINUX_UIDGIDMAP_CONTAINERID] || 1963 !tb[OCI_LINUX_UIDGIDMAP_HOSTID] || 1964 !tb[OCI_LINUX_UIDGIDMAP_SIZE]) 1965 return EINVAL; 1966 1967 /* count length */ 1968 totallen += snprintf(NULL, 0, "%d %d %d\n", 1969 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]), 1970 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]), 1971 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE])); 1972 } 1973 1974 /* allocate combined mapping string */ 1975 map = malloc(totallen + 1); 1976 if (!map) 1977 return ENOMEM; 1978 1979 pos = 0; 1980 blobmsg_for_each_attr(cur, msg, rem) { 1981 blobmsg_parse(oci_linux_uidgidmap_policy, __OCI_LINUX_UIDGIDMAP_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 1982 1983 get_jail_root_user(is_gidmap, blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]), 1984 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]), 1985 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE])); 1986 1987 /* write mapping line into pre-allocated string */ 1988 len = snprintf(&map[pos], totallen + 1, "%d %d %d\n", 1989 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_CONTAINERID]), 1990 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_HOSTID]), 1991 blobmsg_get_u32(tb[OCI_LINUX_UIDGIDMAP_SIZE])); 1992 pos += len; 1993 totallen -= len; 1994 } 1995 1996 assert(totallen == 0); 1997 1998 if (is_gidmap) 1999 opts.gidmap = map; 2000 else 2001 opts.uidmap = map; 2002 2003 return 0; 2004 } 2005 2006 enum { 2007 OCI_DEVICES_TYPE, 2008 OCI_DEVICES_PATH, 2009 OCI_DEVICES_MAJOR, 2010 OCI_DEVICES_MINOR, 2011 OCI_DEVICES_FILEMODE, 2012 OCI_DEVICES_UID, 2013 OCI_DEVICES_GID, 2014 __OCI_DEVICES_MAX, 2015 }; 2016 2017 static const struct blobmsg_policy oci_devices_policy[] = { 2018 [OCI_DEVICES_TYPE] = { "type", BLOBMSG_TYPE_STRING }, 2019 [OCI_DEVICES_PATH] = { "path", BLOBMSG_TYPE_STRING }, 2020 [OCI_DEVICES_MAJOR] = { "major", BLOBMSG_TYPE_INT32 }, 2021 [OCI_DEVICES_MINOR] = { "minor", BLOBMSG_TYPE_INT32 }, 2022 [OCI_DEVICES_FILEMODE] = { "fileMode", BLOBMSG_TYPE_INT32 }, 2023 [OCI_DEVICES_UID] = { "uid", BLOBMSG_TYPE_INT32 }, 2024 [OCI_DEVICES_GID] = { "uid", BLOBMSG_TYPE_INT32 }, 2025 }; 2026 2027 static mode_t resolve_devtype(char *tstr) 2028 { 2029 if (!strcmp("c", tstr) || 2030 !strcmp("u", tstr)) 2031 return S_IFCHR; 2032 else if (!strcmp("b", tstr)) 2033 return S_IFBLK; 2034 else if (!strcmp("p", tstr)) 2035 return S_IFIFO; 2036 else 2037 return 0; 2038 } 2039 2040 static int parseOCIdevices(struct blob_attr *msg) 2041 { 2042 struct blob_attr *tb[__OCI_DEVICES_MAX]; 2043 struct blob_attr *cur; 2044 int rem; 2045 size_t cnt = 0; 2046 struct mknod_args *tmp; 2047 2048 blobmsg_for_each_attr(cur, msg, rem) 2049 ++cnt; 2050 2051 opts.devices = calloc(cnt + 1, sizeof(struct mknod_args *)); 2052 2053 cnt = 0; 2054 blobmsg_for_each_attr(cur, msg, rem) { 2055 blobmsg_parse(oci_devices_policy, __OCI_DEVICES_MAX, tb, blobmsg_data(cur), blobmsg_len(cur)); 2056 if (!tb[OCI_DEVICES_TYPE] || 2057 !tb[OCI_DEVICES_PATH]) 2058 return ENODATA; 2059 2060 tmp = calloc(1, sizeof(struct mknod_args)); 2061 if (!tmp) 2062 return ENOMEM; 2063 2064 tmp->mode = resolve_devtype(blobmsg_get_string(tb[OCI_DEVICES_TYPE])); 2065 if (!tmp->mode) { 2066 free(tmp); 2067 return EINVAL; 2068 } 2069 2070 if (tmp->mode != S_IFIFO) { 2071 if (!tb[OCI_DEVICES_MAJOR] || !tb[OCI_DEVICES_MINOR]) { 2072 free(tmp); 2073 return ENODATA; 2074 } 2075 2076 tmp->dev = makedev(blobmsg_get_u32(tb[OCI_DEVICES_MAJOR]), 2077 blobmsg_get_u32(tb[OCI_DEVICES_MINOR])); 2078 } 2079 2080 if (tb[OCI_DEVICES_FILEMODE]) { 2081 if (~(S_IRWXU|S_IRWXG|S_IRWXO) & blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE])) { 2082 free(tmp); 2083 return EINVAL; 2084 } 2085 2086 tmp->mode |= blobmsg_get_u32(tb[OCI_DEVICES_FILEMODE]); 2087 } else { 2088 tmp->mode |= (S_IRUSR|S_IWUSR); /* 0600 */ 2089 } 2090 2091 tmp->path = strdup(blobmsg_get_string(tb[OCI_DEVICES_PATH])); 2092 2093 if (tb[OCI_DEVICES_UID]) 2094 tmp->uid = blobmsg_get_u32(tb[OCI_DEVICES_UID]); 2095 else 2096 tmp->uid = -1; 2097 2098 if (tb[OCI_DEVICES_GID]) 2099 tmp->gid = blobmsg_get_u32(tb[OCI_DEVICES_GID]); 2100 else 2101 tmp->gid = -1; 2102 2103 DEBUG("read device %s (%s)\n", blobmsg_get_string(tb[OCI_DEVICES_PATH]), blobmsg_get_string(tb[OCI_DEVICES_TYPE])); 2104 opts.devices[cnt++] = tmp; 2105 } 2106 2107 opts.devices[cnt] = NULL; 2108 2109 return 0; 2110 } 2111 2112 static int parseOCIsysctl(struct blob_attr *msg) 2113 { 2114 struct blob_attr *cur; 2115 int rem; 2116 char *tmp, *tc; 2117 size_t cnt = 0; 2118 2119 blobmsg_for_each_attr(cur, msg, rem) { 2120 if (!blobmsg_name(cur) || !blobmsg_get_string(cur)) 2121 return EINVAL; 2122 2123 ++cnt; 2124 } 2125 2126 if (!cnt) 2127 return 0; 2128 2129 opts.sysctl = calloc(cnt + 1, sizeof(struct sysctl_val *)); 2130 if (!opts.sysctl) 2131 return ENOMEM; 2132 2133 cnt = 0; 2134 blobmsg_for_each_attr(cur, msg, rem) { 2135 opts.sysctl[cnt] = malloc(sizeof(struct sysctl_val)); 2136 if (!opts.sysctl[cnt]) 2137 return ENOMEM; 2138 2139 /* replace '.' with '/' in entry name */ 2140 tc = tmp = strdup(blobmsg_name(cur)); 2141 while ((tc = strchr(tc, '.'))) 2142 *tc = '/'; 2143 2144 opts.sysctl[cnt]->value = strdup(blobmsg_get_string(cur)); 2145 opts.sysctl[cnt]->entry = tmp; 2146 2147 ++cnt; 2148 } 2149 2150 opts.sysctl[cnt] = NULL; 2151 2152 return 0; 2153 } 2154 2155 2156 enum { 2157 OCI_LINUX_CGROUPSPATH, 2158 OCI_LINUX_RESOURCES, 2159 OCI_LINUX_SECCOMP, 2160 OCI_LINUX_SYSCTL, 2161 OCI_LINUX_NAMESPACES, 2162 OCI_LINUX_DEVICES, 2163 OCI_LINUX_UIDMAPPINGS, 2164 OCI_LINUX_GIDMAPPINGS, 2165 OCI_LINUX_MASKEDPATHS, 2166 OCI_LINUX_READONLYPATHS, 2167 OCI_LINUX_ROOTFSPROPAGATION, 2168 __OCI_LINUX_MAX, 2169 }; 2170 2171 static const struct blobmsg_policy oci_linux_policy[] = { 2172 [OCI_LINUX_CGROUPSPATH] = { "cgroupsPath", BLOBMSG_TYPE_STRING }, 2173 [OCI_LINUX_RESOURCES] = { "resources", BLOBMSG_TYPE_TABLE }, 2174 [OCI_LINUX_SECCOMP] = { "seccomp", BLOBMSG_TYPE_TABLE }, 2175 [OCI_LINUX_SYSCTL] = { "sysctl", BLOBMSG_TYPE_TABLE }, 2176 [OCI_LINUX_NAMESPACES] = { "namespaces", BLOBMSG_TYPE_ARRAY }, 2177 [OCI_LINUX_DEVICES] = { "devices", BLOBMSG_TYPE_ARRAY }, 2178 [OCI_LINUX_UIDMAPPINGS] = { "uidMappings", BLOBMSG_TYPE_ARRAY }, 2179 [OCI_LINUX_GIDMAPPINGS] = { "gidMappings", BLOBMSG_TYPE_ARRAY }, 2180 [OCI_LINUX_MASKEDPATHS] = { "maskedPaths", BLOBMSG_TYPE_ARRAY }, 2181 [OCI_LINUX_READONLYPATHS] = { "readonlyPaths", BLOBMSG_TYPE_ARRAY }, 2182 [OCI_LINUX_ROOTFSPROPAGATION] = { "rootfsPropagation", BLOBMSG_TYPE_STRING }, 2183 }; 2184 2185 static int parseOCIlinux(struct blob_attr *msg) 2186 { 2187 struct blob_attr *tb[__OCI_LINUX_MAX]; 2188 struct blob_attr *cur; 2189 int rem; 2190 int res = 0; 2191 char *cgpath; 2192 char cgfullpath[256] = "/sys/fs/cgroup"; 2193 2194 blobmsg_parse(oci_linux_policy, __OCI_LINUX_MAX, tb, blobmsg_data(msg), blobmsg_len(msg)); 2195 2196 if (tb[OCI_LINUX_NAMESPACES]) { 2197 blobmsg_for_each_attr(cur, tb[OCI_LINUX_NAMESPACES], rem) { 2198 res = parseOCIlinuxns(cur); 2199 if (res) 2200 return res; 2201 } 2202 } 2203 2204 if (tb[OCI_LINUX_UIDMAPPINGS]) { 2205 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 0); 2206 if (res) 2207 return res; 2208 } 2209 2210 if (tb[OCI_LINUX_GIDMAPPINGS]) { 2211 res = parseOCIuidgidmappings(tb[OCI_LINUX_GIDMAPPINGS], 1); 2212 if (res) 2213 return res; 2214 } 2215 2216 if (tb[OCI_LINUX_READONLYPATHS]) { 2217 blobmsg_for_each_attr(cur, tb[OCI_LINUX_READONLYPATHS], rem) { 2218 res = add_mount(NULL, blobmsg_get_string(cur), NULL, MS_BIND | MS_REC | MS_RDONLY, 0, NULL, 0); 2219 if (res) 2220 return res; 2221 } 2222 } 2223 2224 if (tb[OCI_LINUX_MASKEDPATHS]) { 2225 blobmsg_for_each_attr(cur, tb[OCI_LINUX_MASKEDPATHS], rem) { 2226 res = add_mount((void *)(-1), blobmsg_get_string(cur), NULL, 0, 0, NULL, 0); 2227 if (res) 2228 return res; 2229 } 2230 } 2231 2232 if (tb[OCI_LINUX_SYSCTL]) { 2233 res = parseOCIsysctl(tb[OCI_LINUX_SYSCTL]); 2234 if (res) 2235 return res; 2236 } 2237 2238 if (tb[OCI_LINUX_SECCOMP]) { 2239 opts.ociseccomp = parseOCIlinuxseccomp(tb[OCI_LINUX_SECCOMP]); 2240 if (!opts.ociseccomp) 2241 return EINVAL; 2242 } 2243 2244 if (tb[OCI_LINUX_DEVICES]) { 2245 res = parseOCIdevices(tb[OCI_LINUX_DEVICES]); 2246 if (res) 2247 return res; 2248 } 2249 2250 if (tb[OCI_LINUX_CGROUPSPATH]) { 2251 cgpath = blobmsg_get_string(tb[OCI_LINUX_CGROUPSPATH]); 2252 if (cgpath[0] == '/') { 2253 if (strlen(cgpath) + 1 >= (sizeof(cgfullpath) - strlen(cgfullpath))) 2254 return E2BIG; 2255 2256 strcat(cgfullpath, cgpath); 2257 } else { 2258 strcat(cgfullpath, "/containers/"); 2259 if (strlen(opts.name) + strlen(cgpath) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath))) 2260 return E2BIG; 2261 2262 strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ 2263 strcat(cgfullpath, "/"); 2264 strcat(cgfullpath, cgpath); 2265 } 2266 } else { 2267 strcat(cgfullpath, "/containers/"); 2268 if (2 * strlen(opts.name) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath))) 2269 return E2BIG; 2270 2271 strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ 2272 strcat(cgfullpath, "/"); 2273 strcat(cgfullpath, opts.name); /* should be container instance name rather than jail name */ 2274 } 2275 2276 cgroups_init(cgfullpath); 2277 2278 if (tb[OCI_LINUX_RESOURCES]) { 2279 res = parseOCIlinuxcgroups(tb[OCI_LINUX_RESOURCES]); 2280 if (res) 2281 return res; 2282 } 2283 2284 return 0; 2285 } 2286 2287 enum { 2288 OCI_VERSION, 2289 OCI_HOSTNAME, 2290 OCI_PROCESS, 2291 OCI_ROOT, 2292 OCI_MOUNTS, 2293 OCI_HOOKS, 2294 OCI_LINUX, 2295 OCI_ANNOTATIONS, 2296 __OCI_MAX, 2297 }; 2298 2299 static const struct blobmsg_policy oci_policy[] = { 2300 [OCI_VERSION] = { "ociVersion", BLOBMSG_TYPE_STRING }, 2301 [OCI_HOSTNAME] = { "hostname", BLOBMSG_TYPE_STRING }, 2302 [OCI_PROCESS] = { "process", BLOBMSG_TYPE_TABLE }, 2303 [OCI_ROOT] = { "root", BLOBMSG_TYPE_TABLE }, 2304 [OCI_MOUNTS] = { "mounts", BLOBMSG_TYPE_ARRAY }, 2305 [OCI_HOOKS] = { "hooks", BLOBMSG_TYPE_TABLE }, 2306 [OCI_LINUX] = { "linux", BLOBMSG_TYPE_TABLE }, 2307 [OCI_ANNOTATIONS] = { "annotations", BLOBMSG_TYPE_TABLE }, 2308 }; 2309 2310 static int parseOCI(const char *jsonfile) 2311 { 2312 struct blob_attr *tb[__OCI_MAX]; 2313 struct blob_attr *cur; 2314 int rem; 2315 int res; 2316 2317 blob_buf_init(&ocibuf, 0); 2318 2319 if (!blobmsg_add_json_from_file(&ocibuf, jsonfile)) { 2320 res=ENOENT; 2321 goto errout; 2322 } 2323 2324 blobmsg_parse(oci_policy, __OCI_MAX, tb, blob_data(ocibuf.head), blob_len(ocibuf.head)); 2325 2326 if (!tb[OCI_VERSION]) { 2327 res=ENOMSG; 2328 goto errout; 2329 } 2330 2331 if (strncmp("1.0", blobmsg_get_string(tb[OCI_VERSION]), 3)) { 2332 ERROR("unsupported ociVersion %s\n", blobmsg_get_string(tb[OCI_VERSION])); 2333 res=ENOTSUP; 2334 goto errout; 2335 } 2336 2337 if (tb[OCI_HOSTNAME]) 2338 opts.hostname = strdup(blobmsg_get_string(tb[OCI_HOSTNAME])); 2339 2340 if (!tb[OCI_PROCESS]) { 2341 res=ENODATA; 2342 goto errout; 2343 } 2344 2345 if ((res = parseOCIprocess(tb[OCI_PROCESS]))) 2346 goto errout; 2347 2348 if (!tb[OCI_ROOT]) { 2349 res=ENODATA; 2350 goto errout; 2351 } 2352 if ((res = parseOCIroot(jsonfile, tb[OCI_ROOT]))) 2353 goto errout; 2354 2355 if (!tb[OCI_MOUNTS]) { 2356 res=ENODATA; 2357 goto errout; 2358 } 2359 2360 blobmsg_for_each_attr(cur, tb[OCI_MOUNTS], rem) 2361 if ((res = parseOCImount(cur))) 2362 goto errout; 2363 2364 if (tb[OCI_LINUX] && (res = parseOCIlinux(tb[OCI_LINUX]))) 2365 goto errout; 2366 2367 if (tb[OCI_HOOKS] && (res = parseOCIhooks(tb[OCI_HOOKS]))) 2368 goto errout; 2369 2370 if (tb[OCI_ANNOTATIONS]) 2371 opts.annotations = blob_memdup(tb[OCI_ANNOTATIONS]); 2372 2373 errout: 2374 blob_buf_free(&ocibuf); 2375 2376 return res; 2377 } 2378 2379 static int set_oom_score_adj(void) 2380 { 2381 int f; 2382 char fname[32]; 2383 2384 if (!opts.set_oom_score_adj) 2385 return 0; 2386 2387 snprintf(fname, sizeof(fname), "/proc/%u/oom_score_adj", jail_process.pid); 2388 f = open(fname, O_WRONLY | O_TRUNC); 2389 if (f < 0) 2390 return errno; 2391 2392 dprintf(f, "%d", opts.oom_score_adj); 2393 close(f); 2394 2395 return 0; 2396 } 2397 2398 2399 enum { 2400 OCI_STATE_CREATING, 2401 OCI_STATE_CREATED, 2402 OCI_STATE_RUNNING, 2403 OCI_STATE_STOPPED, 2404 }; 2405 2406 static int jail_oci_state = OCI_STATE_CREATED; 2407 static void pipe_send_start_container(struct uloop_timeout *t); 2408 static struct uloop_timeout start_container_timeout = { 2409 .cb = pipe_send_start_container, 2410 }; 2411 2412 static int handle_start(struct ubus_context *ctx, struct ubus_object *obj, 2413 struct ubus_request_data *req, const char *method, 2414 struct blob_attr *msg) 2415 { 2416 if (jail_oci_state != OCI_STATE_CREATED) 2417 return UBUS_STATUS_INVALID_ARGUMENT; 2418 2419 uloop_timeout_add(&start_container_timeout); 2420 2421 return UBUS_STATUS_OK; 2422 } 2423 2424 static struct blob_buf bb; 2425 static int handle_state(struct ubus_context *ctx, struct ubus_object *obj, 2426 struct ubus_request_data *req, const char *method, 2427 struct blob_attr *msg) 2428 { 2429 char *statusstr; 2430 2431 switch (jail_oci_state) { 2432 case OCI_STATE_CREATING: 2433 statusstr = "creating"; 2434 break; 2435 case OCI_STATE_CREATED: 2436 statusstr = "created"; 2437 break; 2438 case OCI_STATE_RUNNING: 2439 statusstr = "running"; 2440 break; 2441 case OCI_STATE_STOPPED: 2442 statusstr = "stopped"; 2443 break; 2444 default: 2445 statusstr = "unknown"; 2446 } 2447 2448 blob_buf_init(&bb, 0); 2449 blobmsg_add_string(&bb, "ociVersion", OCI_VERSION_STRING); 2450 blobmsg_add_string(&bb, "id", opts.name); 2451 blobmsg_add_string(&bb, "status", statusstr); 2452 if (jail_oci_state == OCI_STATE_CREATED || 2453 jail_oci_state == OCI_STATE_RUNNING) 2454 blobmsg_add_u32(&bb, "pid", jail_process.pid); 2455 2456 blobmsg_add_string(&bb, "bundle", opts.ocibundle); 2457 2458 if (opts.annotations) 2459 blobmsg_add_blob(&bb, opts.annotations); 2460 2461 ubus_send_reply(ctx, req, bb.head); 2462 2463 return UBUS_STATUS_OK; 2464 } 2465 2466 enum { 2467 CONTAINER_KILL_ATTR_SIGNAL, 2468 __CONTAINER_KILL_ATTR_MAX, 2469 }; 2470 2471 static const struct blobmsg_policy container_kill_attrs[__CONTAINER_KILL_ATTR_MAX] = { 2472 [CONTAINER_KILL_ATTR_SIGNAL] = { "signal", BLOBMSG_TYPE_INT32 }, 2473 }; 2474 2475 static int 2476 container_handle_kill(struct ubus_context *ctx, struct ubus_object *obj, 2477 struct ubus_request_data *req, const char *method, 2478 struct blob_attr *msg) 2479 { 2480 struct blob_attr *tb[__CONTAINER_KILL_ATTR_MAX], *cur; 2481 int sig = SIGTERM; 2482 2483 blobmsg_parse(container_kill_attrs, __CONTAINER_KILL_ATTR_MAX, tb, blobmsg_data(msg), blobmsg_data_len(msg)); 2484 2485 cur = tb[CONTAINER_KILL_ATTR_SIGNAL]; 2486 if (cur) 2487 sig = blobmsg_get_u32(cur); 2488 2489 if (jail_oci_state == OCI_STATE_CREATING) 2490 return UBUS_STATUS_NOT_FOUND; 2491 2492 if (kill(jail_process.pid, sig) == 0) 2493 return 0; 2494 2495 switch (errno) { 2496 case EINVAL: return UBUS_STATUS_INVALID_ARGUMENT; 2497 case EPERM: return UBUS_STATUS_PERMISSION_DENIED; 2498 case ESRCH: return UBUS_STATUS_NOT_FOUND; 2499 } 2500 2501 return UBUS_STATUS_UNKNOWN_ERROR; 2502 } 2503 2504 static int 2505 jail_writepid(pid_t pid) 2506 { 2507 FILE *_pidfile; 2508 2509 if (!opts.pidfile) 2510 return 0; 2511 2512 _pidfile = fopen(opts.pidfile, "w"); 2513 if (_pidfile == NULL) 2514 return errno; 2515 2516 if (fprintf(_pidfile, "%d\n", pid) < 0) { 2517 fclose(_pidfile); 2518 return errno; 2519 } 2520 2521 if (fclose(_pidfile)) 2522 return errno; 2523 2524 return 0; 2525 } 2526 2527 static int checkpath(const char *path) 2528 { 2529 int dirfd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC); 2530 if (dirfd < 0) { 2531 ERROR("path %s open failed %m\n", path); 2532 return -1; 2533 } 2534 close(dirfd); 2535 2536 return 0; 2537 } 2538 2539 static struct ubus_method container_methods[] = { 2540 UBUS_METHOD_NOARG("start", handle_start), 2541 UBUS_METHOD_NOARG("state", handle_state), 2542 UBUS_METHOD("kill", container_handle_kill, container_kill_attrs), 2543 }; 2544 2545 static struct ubus_object_type container_object_type = 2546 UBUS_OBJECT_TYPE("container", container_methods); 2547 2548 static struct ubus_object container_object = { 2549 .type = &container_object_type, 2550 .methods = container_methods, 2551 .n_methods = ARRAY_SIZE(container_methods), 2552 }; 2553 2554 static void post_main(struct uloop_timeout *t); 2555 static struct uloop_timeout post_main_timeout = { 2556 .cb = post_main, 2557 }; 2558 static int netns_fd; 2559 static int pidns_fd; 2560 #ifdef CLONE_NEWTIME 2561 static int timens_fd; 2562 #endif 2563 static void post_create_runtime(void); 2564 int main(int argc, char **argv) 2565 { 2566 uid_t uid = getuid(); 2567 const char log[] = "/dev/log"; 2568 const char ubus[] = "/var/run/ubus/ubus.sock"; 2569 int ret = EXIT_FAILURE; 2570 int ch; 2571 2572 if (uid) { 2573 ERROR("not root, aborting: %m\n"); 2574 return EXIT_FAILURE; 2575 } 2576 2577 /* those are filehandlers, so -1 indicates unused */ 2578 opts.setns.pid = -1; 2579 opts.setns.net = -1; 2580 opts.setns.ns = -1; 2581 opts.setns.ipc = -1; 2582 opts.setns.uts = -1; 2583 opts.setns.user = -1; 2584 opts.setns.cgroup = -1; 2585 #ifdef CLONE_NEWTIME 2586 opts.setns.time = -1; 2587 #endif 2588 2589 umask(022); 2590 mount_list_init(); 2591 init_library_search(); 2592 cgroups_prepare(); 2593 exit_from_child = false; 2594 2595 while ((ch = getopt(argc, argv, OPT_ARGS)) != -1) { 2596 switch (ch) { 2597 case 'd': 2598 debug = atoi(optarg); 2599 break; 2600 case 'p': 2601 opts.namespace |= CLONE_NEWNS; 2602 opts.procfs = 1; 2603 break; 2604 case 'o': 2605 opts.namespace |= CLONE_NEWNS; 2606 opts.ronly = 1; 2607 break; 2608 case 'f': 2609 opts.namespace |= CLONE_NEWUSER; 2610 break; 2611 case 'F': 2612 opts.namespace |= CLONE_NEWCGROUP; 2613 break; 2614 case 'R': 2615 opts.extroot = realpath(optarg, NULL); 2616 break; 2617 case 's': 2618 opts.namespace |= CLONE_NEWNS; 2619 opts.sysfs = 1; 2620 break; 2621 case 'S': 2622 opts.seccomp = optarg; 2623 add_mount_bind(optarg, 1, -1); 2624 break; 2625 case 'C': 2626 opts.capabilities = optarg; 2627 break; 2628 case 'c': 2629 opts.no_new_privs = 1; 2630 break; 2631 case 'n': 2632 opts.name = optarg; 2633 break; 2634 case 'N': 2635 opts.namespace |= CLONE_NEWNET; 2636 break; 2637 case 'h': 2638 opts.namespace |= CLONE_NEWUTS; 2639 opts.hostname = strdup(optarg); 2640 break; 2641 case 'j': 2642 jail_join_ns(optarg); 2643 break; 2644 case 'r': 2645 opts.namespace |= CLONE_NEWNS; 2646 add_path_and_deps(optarg, 1, 0, 0); 2647 break; 2648 case 'w': 2649 opts.namespace |= CLONE_NEWNS; 2650 add_path_and_deps(optarg, 0, 0, 0); 2651 break; 2652 case 'u': 2653 opts.namespace |= CLONE_NEWNS; 2654 add_mount_bind(ubus, 0, -1); 2655 break; 2656 case 'l': 2657 opts.namespace |= CLONE_NEWNS; 2658 add_mount_bind(log, 0, -1); 2659 break; 2660 case 'U': 2661 opts.user = optarg; 2662 break; 2663 case 'G': 2664 opts.group = optarg; 2665 break; 2666 case 'O': 2667 opts.overlaydir = realpath(optarg, NULL); 2668 break; 2669 case 'T': 2670 opts.tmpoverlaysize = optarg; 2671 break; 2672 case 'E': 2673 opts.require_jail = 1; 2674 break; 2675 case 'y': 2676 opts.console = 1; 2677 break; 2678 case 'J': 2679 opts.ocibundle = optarg; 2680 break; 2681 case 'i': 2682 opts.immediately = true; 2683 break; 2684 case 'P': 2685 opts.pidfile = optarg; 2686 break; 2687 } 2688 } 2689 2690 if (opts.namespace && !opts.ocibundle) 2691 opts.namespace |= CLONE_NEWIPC | CLONE_NEWPID; 2692 2693 /* 2694 * uid in parent user namespace representing root user in new 2695 * user namespace, defaults to nobody unless specified in uidMappings 2696 */ 2697 opts.root_map_uid = 65534; 2698 2699 if (opts.capabilities && parseOCIcapabilities_from_file(&opts.capset, opts.capabilities)) { 2700 ERROR("failed to read capabilities from file %s\n", opts.capabilities); 2701 ret=-1; 2702 goto errout; 2703 } 2704 2705 if (opts.ocibundle) { 2706 char *jsonfile; 2707 int ocires; 2708 2709 if (!opts.name) { 2710 ERROR("OCI bundle needs a named jail\n"); 2711 ret=-1; 2712 goto errout; 2713 } 2714 if (asprintf(&jsonfile, "%s/config.json", opts.ocibundle) < 0) { 2715 ret=-ENOMEM; 2716 goto errout; 2717 } 2718 ocires = parseOCI(jsonfile); 2719 free(jsonfile); 2720 if (ocires) { 2721 ERROR("parsing of OCI JSON spec has failed: %s (%d)\n", strerror(ocires), ocires); 2722 ret=ocires; 2723 goto errout; 2724 } 2725 } 2726 2727 if (opts.namespace & CLONE_NEWNET) { 2728 if (!opts.name) { 2729 ERROR("netns needs a named jail\n"); 2730 ret=-1; 2731 goto errout; 2732 } 2733 } 2734 2735 2736 if (opts.tmpoverlaysize && strlen(opts.tmpoverlaysize) > 8) { 2737 ERROR("size parameter too long: \"%s\"\n", opts.tmpoverlaysize); 2738 ret=-1; 2739 goto errout; 2740 } 2741 2742 if (opts.extroot && checkpath(opts.extroot)) { 2743 ERROR("invalid rootfs path '%s'", opts.extroot); 2744 ret=-1; 2745 goto errout; 2746 } 2747 2748 if (opts.overlaydir && checkpath(opts.overlaydir)) { 2749 ERROR("invalid rootfs overlay path '%s'", opts.overlaydir); 2750 ret=-1; 2751 goto errout; 2752 } 2753 2754 /* no <binary> param found */ 2755 if (!opts.ocibundle && (argc - optind < 1)) { 2756 usage(); 2757 ret=EXIT_FAILURE; 2758 goto errout; 2759 } 2760 if (!(opts.ocibundle||opts.namespace||opts.capabilities||opts.seccomp|| 2761 (opts.setns.net != -1) || 2762 (opts.setns.ns != -1) || 2763 (opts.setns.ipc != -1) || 2764 (opts.setns.uts != -1) || 2765 (opts.setns.user != -1) || 2766 (opts.setns.cgroup != -1))) { 2767 ERROR("Not using namespaces, capabilities or seccomp !!!\n\n"); 2768 usage(); 2769 ret=EXIT_FAILURE; 2770 goto errout; 2771 } 2772 DEBUG("Using namespaces(0x%08x), capabilities(%d), seccomp(%d)\n", 2773 opts.namespace, 2774 opts.capset.apply, 2775 opts.seccomp != 0 || opts.ociseccomp != 0); 2776 2777 uloop_init(); 2778 signals_init(); 2779 2780 parent_ctx = ubus_connect(NULL); 2781 ubus_add_uloop(parent_ctx); 2782 2783 if (opts.ocibundle) { 2784 char *objname; 2785 if (asprintf(&objname, "container.%s", opts.name) < 0) { 2786 ret=-ENOMEM; 2787 goto errout; 2788 } 2789 2790 container_object.name = objname; 2791 ret = ubus_add_object(parent_ctx, &container_object); 2792 if (ret) { 2793 ERROR("Failed to add object: %s\n", ubus_strerror(ret)); 2794 ret=-1; 2795 goto errout; 2796 } 2797 } 2798 2799 /* deliberately not using 'else' on unrelated conditional branches */ 2800 if (!opts.ocibundle) { 2801 /* allocate NULL-terminated array for argv */ 2802 opts.jail_argv = calloc(1 + argc - optind, sizeof(void *)); 2803 if (!opts.jail_argv) { 2804 ret=EXIT_FAILURE; 2805 goto errout; 2806 } 2807 for (size_t s = optind; s < argc; s++) 2808 opts.jail_argv[s - optind] = strdup(argv[s]); 2809 2810 if (opts.namespace & CLONE_NEWUSER) 2811 get_jail_user(&opts.pw_uid, &opts.pw_gid, &opts.gr_gid); 2812 } 2813 2814 if (!opts.extroot) { 2815 if (opts.namespace && add_path_and_deps(*opts.jail_argv, 1, -1, 0)) { 2816 ERROR("failed to load dependencies\n"); 2817 ret=-1; 2818 goto errout; 2819 } 2820 } 2821 2822 if (opts.namespace && opts.seccomp && add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) { 2823 ERROR("failed to load libpreload-seccomp.so\n"); 2824 opts.seccomp = 0; 2825 if (opts.require_jail) { 2826 ret=-1; 2827 goto errout; 2828 } 2829 } 2830 2831 uloop_timeout_add(&post_main_timeout); 2832 uloop_run(); 2833 2834 errout: 2835 if (opts.ocibundle) 2836 cgroups_free(); 2837 2838 free_opts(true); 2839 2840 return ret; 2841 } 2842 2843 static void post_main(struct uloop_timeout *t) 2844 { 2845 if (apply_rlimits()) { 2846 ERROR("error applying resource limits\n"); 2847 free_and_exit(EXIT_FAILURE); 2848 } 2849 2850 if (opts.name) 2851 prctl(PR_SET_NAME, opts.name, NULL, NULL, NULL); 2852 2853 if (pipe(&pipes[0]) < 0 || pipe(&pipes[2]) < 0) 2854 free_and_exit(-1); 2855 2856 if (has_namespaces()) { 2857 if (opts.namespace & CLONE_NEWNS) { 2858 if (!opts.extroot && (opts.user || opts.group)) { 2859 add_mount_bind("/etc/passwd", 1, -1); 2860 add_mount_bind("/etc/group", 1, -1); 2861 } 2862 2863 #if defined(__GLIBC__) 2864 if (!opts.extroot) 2865 add_mount_bind("/etc/nsswitch.conf", 1, -1); 2866 #endif 2867 if (opts.setns.ns == -1) { 2868 if (!(opts.namespace & CLONE_NEWNET)) { 2869 add_mount_bind("/etc/resolv.conf", 1, 0); 2870 } else { 2871 /* new mount namespace to provide /dev/resolv.conf.d */ 2872 char hostdir[PATH_MAX]; 2873 2874 snprintf(hostdir, PATH_MAX, "/tmp/resolv.conf-%s.d", opts.name); 2875 mkdir_p(hostdir, 0755); 2876 add_mount(hostdir, "/dev/resolv.conf.d", NULL, 2877 MS_BIND | MS_NOEXEC | MS_NOATIME | MS_NOSUID | MS_NODEV | MS_RDONLY, 0, NULL, 0); 2878 } 2879 } 2880 /* default mounts */ 2881 add_mount(NULL, "/dev", "tmpfs", MS_NOATIME | MS_NOEXEC | MS_NOSUID, 0, "size=1M", -1); 2882 add_mount(NULL, "/dev/pts", "devpts", MS_NOATIME | MS_NOEXEC | MS_NOSUID, 0, "newinstance,ptmxmode=0666,mode=0620,gid=5", 0); 2883 2884 if (opts.procfs || opts.ocibundle) { 2885 add_mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0, NULL, -1); 2886 2887 /* 2888 * hack to make /proc/sys/net read-write while the rest of /proc/sys is read-only 2889 * which cannot be expressed with OCI spec, but happends to be very useful. 2890 * Only apply it if '/proc/sys' is not already listed as mount, maskedPath or 2891 * readonlyPath. 2892 * If not running in a new network namespace, only make /proc/sys read-only. 2893 * If running in a new network namespace, temporarily stash (ie. mount-bind) 2894 * /proc/sys/net into (totally unrelated, but surely existing) /proc/self/net. 2895 * Then we mount-bind /proc/sys read-only and then mount-move /proc/self/net into 2896 * /proc/sys/net. 2897 * This works because mounts are executed in incrementing strcmp() order and 2898 * /proc/self/net appears there before /proc/sys/net and hence the operation 2899 * succeeds as the bind-mount of /proc/self/net is performed first and then 2900 * move-mount of /proc/sys/net follows because 'e' preceeds 'y' in the ASCII 2901 * table (and in the alphabet). 2902 */ 2903 if (!add_mount(NULL, "/proc/sys", NULL, MS_BIND | MS_RDONLY, 0, NULL, -1)) 2904 if (opts.namespace & CLONE_NEWNET) 2905 if (!add_mount_inner("/proc/self/net", "/proc/sys/net", NULL, MS_MOVE, 0, NULL, -1)) 2906 add_mount_inner("/proc/sys/net", "/proc/self/net", NULL, MS_BIND, 0, NULL, -1); 2907 2908 } 2909 if (opts.sysfs || opts.ocibundle) 2910 add_mount("sysfs", "/sys", "sysfs", MS_RELATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, 0, NULL, -1); 2911 2912 if (opts.ocibundle) 2913 add_mount("shm", "/dev/shm", "tmpfs", MS_NOSUID | MS_NOEXEC | MS_NODEV, 0, "mode=1777", -1); 2914 2915 } 2916 2917 if (opts.setns.pid != -1) { 2918 pidns_fd = ns_open_pid("pid", getpid()); 2919 setns_open(CLONE_NEWPID); 2920 } else { 2921 pidns_fd = -1; 2922 } 2923 2924 #ifdef CLONE_NEWTIME 2925 if (opts.setns.time != -1) { 2926 timens_fd = ns_open_pid("time", getpid()); 2927 setns_open(CLONE_NEWTIME); 2928 } else { 2929 timens_fd = -1; 2930 } 2931 #endif 2932 2933 if (opts.namespace & CLONE_NEWUSER) { 2934 if (prctl(PR_SET_SECUREBITS, SECBIT_NO_SETUID_FIXUP)) { 2935 ERROR("prctl(PR_SET_SECUREBITS) failed: %m\n"); 2936 free_and_exit(EXIT_FAILURE); 2937 } 2938 if (seteuid(opts.root_map_uid)) { 2939 ERROR("seteuid(%d) failed: %m\n", opts.root_map_uid); 2940 free_and_exit(EXIT_FAILURE); 2941 } 2942 } 2943 2944 jail_process.pid = clone(exec_jail, child_stack + STACK_SIZE, SIGCHLD | (opts.namespace & (~CLONE_NEWCGROUP)), NULL); 2945 } else { 2946 jail_process.pid = fork(); 2947 } 2948 2949 if (jail_process.pid > 0) { 2950 /* parent process */ 2951 char sig_buf[1]; 2952 2953 uloop_process_add(&jail_process); 2954 jail_running = 1; 2955 if (seteuid(0)) { 2956 ERROR("seteuid(%d) failed: %m\n", opts.root_map_uid); 2957 free_and_exit(EXIT_FAILURE); 2958 } 2959 2960 prctl(PR_SET_SECUREBITS, 0); 2961 2962 if (pidns_fd != -1) { 2963 setns(pidns_fd, CLONE_NEWPID); 2964 close(pidns_fd); 2965 } 2966 #ifdef CLONE_NEWTIME 2967 if (timens_fd != -1) { 2968 setns(timens_fd, CLONE_NEWTIME); 2969 close(timens_fd); 2970 } 2971 #endif 2972 if (opts.setns.net != -1) 2973 close(opts.setns.net); 2974 if (opts.setns.ns != -1) 2975 close(opts.setns.ns); 2976 if (opts.setns.ipc != -1) 2977 close(opts.setns.ipc); 2978 if (opts.setns.uts != -1) 2979 close(opts.setns.uts); 2980 if (opts.setns.user != -1) 2981 close(opts.setns.user); 2982 if (opts.setns.cgroup != -1) 2983 close(opts.setns.cgroup); 2984 close(pipes[1]); 2985 close(pipes[2]); 2986 if (read(pipes[0], sig_buf, 1) < 1) { 2987 ERROR("can't read from child\n"); 2988 free_and_exit(-1); 2989 } 2990 close(pipes[0]); 2991 set_oom_score_adj(); 2992 2993 if (opts.ocibundle) 2994 cgroups_apply(jail_process.pid); 2995 2996 if (opts.namespace & CLONE_NEWUSER) { 2997 if (write_setgroups(jail_process.pid, true)) { 2998 ERROR("can't write setgroups\n"); 2999 free_and_exit(-1); 3000 } 3001 if (!opts.uidmap) { 3002 bool has_gr = (opts.gr_gid != -1); 3003 if (opts.pw_uid != -1) { 3004 write_single_uid_gid_map(jail_process.pid, 0, opts.pw_uid); 3005 write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:opts.pw_gid); 3006 } else { 3007 write_single_uid_gid_map(jail_process.pid, 0, 65534); 3008 write_single_uid_gid_map(jail_process.pid, 1, has_gr?opts.gr_gid:65534); 3009 } 3010 } else { 3011 write_uid_gid_map(jail_process.pid, 0, opts.uidmap); 3012 if (opts.gidmap) 3013 write_uid_gid_map(jail_process.pid, 1, opts.gidmap); 3014 } 3015 } 3016 3017 if (opts.namespace & CLONE_NEWNET) { 3018 jail_network_start(parent_ctx, opts.name, jail_process.pid); 3019 netns_fd = ns_open_pid("net", jail_process.pid); 3020 netns_updown(jail_process.pid, true); 3021 } 3022 3023 if (jail_writepid(jail_process.pid)) { 3024 ERROR("failed to write pidfile: %m\n"); 3025 free_and_exit(-1); 3026 } 3027 } else if (jail_process.pid == 0) { 3028 /* fork child process */ 3029 free_and_exit(exec_jail(NULL)); 3030 } else { 3031 ERROR("failed to clone/fork: %m\n"); 3032 free_and_exit(EXIT_FAILURE); 3033 } 3034 run_hooks(opts.hooks.createRuntime, post_create_runtime); 3035 } 3036 3037 static void post_poststart(void); 3038 static void post_create_runtime(void) 3039 { 3040 char sig_buf[1]; 3041 3042 sig_buf[0] = 'O'; 3043 if (write(pipes[3], sig_buf, 1) < 0) { 3044 ERROR("can't write to child\n"); 3045 free_and_exit(-1); 3046 } 3047 3048 jail_oci_state = OCI_STATE_CREATED; 3049 if (opts.ocibundle && !opts.immediately) 3050 uloop_run(); /* wait for 'start' command via ubus */ 3051 else 3052 pipe_send_start_container(NULL); 3053 } 3054 3055 static void pipe_send_start_container(struct uloop_timeout *t) 3056 { 3057 char sig_buf[1]; 3058 3059 jail_oci_state = OCI_STATE_RUNNING; 3060 sig_buf[0] = '!'; 3061 if (write(pipes[3], sig_buf, 1) < 0) { 3062 ERROR("can't write to child\n"); 3063 free_and_exit(-1); 3064 } 3065 close(pipes[3]); 3066 3067 run_hooks(opts.hooks.poststart, post_poststart); 3068 } 3069 3070 static void post_poststart(void) 3071 { 3072 uloop_run(); /* idle here while jail is running */ 3073 if (jail_running) { 3074 DEBUG("uloop interrupted, killing jail process\n"); 3075 kill(jail_process.pid, SIGTERM); 3076 uloop_timeout_set(&jail_process_timeout, 1000); 3077 uloop_run(); 3078 } 3079 uloop_done(); 3080 poststop(); 3081 } 3082 3083 static void post_poststop(void); 3084 static void poststop(void) { 3085 if (opts.namespace & CLONE_NEWNET) { 3086 setns(netns_fd, CLONE_NEWNET); 3087 netns_updown(getpid(), false); 3088 jail_network_stop(); 3089 close(netns_fd); 3090 } 3091 run_hooks(opts.hooks.poststop, post_poststop); 3092 } 3093 3094 static void post_poststop(void) 3095 { 3096 free_opts(true); 3097 if (parent_ctx) 3098 ubus_free(parent_ctx); 3099 3100 exit(jail_return_code); 3101 } 3102
This page was automatically generated by LXR 0.3.1. • OpenWrt