picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Systemd/src/test/test-ns.c

107 lines
3.4 KiB
C
Raw Normal View History

Add SPDX license identifiers to source files under the LGPL This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
2017-11-18 17:09:20 +01:00
/* SPDX-License-Identifier: LGPL-2.1+ */
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
log: minimize includes in log.h log.h really should only include the bare minimum of other headers, as it is really pulled into pretty much everything else and already in itself one of the most basic pieces of code we have. Let's hence drop inclusion of: 1. sd-id128.h because it's entirely unneeded in current log.h 2. errno.h, dito. 3. sys/signalfd.h which we can replace by a simple struct forward declaration 4. process-util.h which was needed for getpid_cached() which we now hide in a funciton log_emergency_level() instead, which nicely abstracts the details away. 5. sys/socket.h which was needed for struct iovec, but a simple struct forward declaration suffices for that too. Ultimately this actually makes our source tree larger (since users of the functionality above must now include it themselves, log.h won't do that for them), but I think it helps to untangle our web of includes a tiny bit. (Background: I'd like to isolate the generic bits of src/basic/ enough so that we can do a git submodule import into casync for it)
2018-01-11 00:39:12 +01:00
#include <errno.h>
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
#include <stdlib.h>
#include <unistd.h>
#include "log.h"
tree-wide: sort includes Sort the includes accoding to the new coding style.
2015-11-16 22:09:36 +01:00
#include "namespace.h"
tests: use a helper function to parse environment and open logging The advantages are that we save a few lines, and that we can override logging using environment variables in more test executables.
2018-09-13 14:31:13 +02:00
#include "tests.h"
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
int main(int argc, char *argv[]) {
const char * const writable[] = {
"/home",
namespace: chase symlinks for mounts to set up in userspace This adds logic to chase symlinks for all mount points that shall be created in a namespace environment in userspace, instead of leaving this to the kernel. This has the advantage that we can correctly handle absolute symlinks that shall be taken relative to a specific root directory. Moreover, we can properly handle mounts created on symlinked files or directories as we can merge their mounts as necessary. (This also drops the "done" flag in the namespace logic, which was never actually working, but was supposed to permit a partial rollback of the namespace logic, which however is only mildly useful as it wasn't clear in which case it would or would not be able to roll back.) Fixes: #3867
2016-09-24 12:41:30 +02:00
"-/home/lennart/projects/foobar", /* this should be masked automatically */
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
NULL
};
namespace: rework namespace support - don't use pivot_root() anymore, just reuse root hierarchy - first create all mounts, then mark them read-only so that we get the right behaviour when people want writable mounts inside of read-only mounts - don't pass invalid combinations of MS_ constants to the kernel
2012-08-13 15:27:04 +02:00
const char * const readonly[] = {
namespace: chase symlinks for mounts to set up in userspace This adds logic to chase symlinks for all mount points that shall be created in a namespace environment in userspace, instead of leaving this to the kernel. This has the advantage that we can correctly handle absolute symlinks that shall be taken relative to a specific root directory. Moreover, we can properly handle mounts created on symlinked files or directories as we can merge their mounts as necessary. (This also drops the "done" flag in the namespace logic, which was never actually working, but was supposed to permit a partial rollback of the namespace logic, which however is only mildly useful as it wasn't clear in which case it would or would not be able to roll back.) Fixes: #3867
2016-09-24 12:41:30 +02:00
/* "/", */
/* "/usr", */
namespace: make ro bind mounts work
2010-04-23 18:48:07 +02:00
"/boot",
namespace: chase symlinks for mounts to set up in userspace This adds logic to chase symlinks for all mount points that shall be created in a namespace environment in userspace, instead of leaving this to the kernel. This has the advantage that we can correctly handle absolute symlinks that shall be taken relative to a specific root directory. Moreover, we can properly handle mounts created on symlinked files or directories as we can merge their mounts as necessary. (This also drops the "done" flag in the namespace logic, which was never actually working, but was supposed to permit a partial rollback of the namespace logic, which however is only mildly useful as it wasn't clear in which case it would or would not be able to roll back.) Fixes: #3867
2016-09-24 12:41:30 +02:00
"/lib",
"/usr/lib",
"-/lib64",
"-/usr/lib64",
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
NULL
};
core: Private*/Protect* options with RootDirectory When a service is chrooted with the option RootDirectory=/opt/..., then the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}. The test-ns tool can test setup_namespace() with and without chroot: $ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns $ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns
2015-05-18 12:20:28 +02:00
const char *inaccessible[] = {
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
"/home/lennart/projects",
NULL
};
core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules= Lets go further and make /lib/modules/ inaccessible for services that do not have business with modules, this is a minor improvment but it may help on setups with custom modules and they are limited... in regard of kernel auto-load feature. This change introduce NameSpaceInfo struct which we may embed later inside ExecContext but for now lets just reduce the argument number to setup_namespace() and merge ProtectKernelModules feature.
2016-10-12 14:11:16 +02:00
namespace: change NameSpace → Namespace We generally use the casing "Namespace" for the word, and that's visible in a number of user-facing interfaces, including "RestrictNamespace=" or "JoinsNamespaceOf=". Let's make sure to use the same casing internally too. As discussed in #7024
2017-10-10 09:49:20 +02:00
static const NamespaceInfo ns_info = {
core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules= Lets go further and make /lib/modules/ inaccessible for services that do not have business with modules, this is a minor improvment but it may help on setups with custom modules and they are limited... in regard of kernel auto-load feature. This change introduce NameSpaceInfo struct which we may embed later inside ExecContext but for now lets just reduce the argument number to setup_namespace() and merge ProtectKernelModules feature.
2016-10-12 14:11:16 +02:00
.private_dev = true,
.protect_control_groups = true,
.protect_kernel_tunables = true,
.protect_kernel_modules = true,
core: introduce ProtectProc= and ProcSubset= to expose hidepid= and subset= procfs mount options Kernel 5.8 gained a hidepid= implementation that is truly per procfs, which allows us to mount a distinct once into every unit, with individual hidepid= settings. Let's expose this via two new settings: ProtectProc= (wrapping hidpid=) and ProcSubset= (wrapping subset=). Replaces: #11670
2020-08-06 12:51:50 +02:00
.protect_proc = PROTECT_PROC_NOACCESS,
.proc_subset = PROC_SUBSET_PID,
core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules= Lets go further and make /lib/modules/ inaccessible for services that do not have business with modules, this is a minor improvment but it may help on setups with custom modules and they are limited... in regard of kernel auto-load feature. This change introduce NameSpaceInfo struct which we may embed later inside ExecContext but for now lets just reduce the argument number to setup_namespace() and merge ProtectKernelModules feature.
2016-10-12 14:11:16 +02:00
};
core: Private*/Protect* options with RootDirectory When a service is chrooted with the option RootDirectory=/opt/..., then the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}. The test-ns tool can test setup_namespace() with and without chroot: $ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns $ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns
2015-05-18 12:20:28 +02:00
char *root_directory;
char *projects_directory;
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
int r;
core: reuse the same /tmp, /var/tmp and inaccessible dir All Execs within the service, will get mounted the same /tmp and /var/tmp directories, if service is configured with PrivateTmp=yes. Temporary directories are cleaned up by service itself in addition to systemd-tmpfiles. Directory which is mounted as inaccessible is created at runtime in /run/systemd.
2013-03-14 18:12:27 +01:00
char tmp_dir[] = "/tmp/systemd-private-XXXXXX",
var_tmp_dir[] = "/var/tmp/systemd-private-XXXXXX";
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
tests: use a helper function to parse environment and open logging The advantages are that we save a few lines, and that we can override logging using environment variables in more test executables.
2018-09-13 14:31:13 +02:00
test_setup_logging(LOG_DEBUG);
namespace: make sure InaccessibleDirectories= masks all mounts further down If a dir is marked to be inaccessible then everything below it should be masked by it.
2016-08-24 23:17:42 +02:00
core: reuse the same /tmp, /var/tmp and inaccessible dir All Execs within the service, will get mounted the same /tmp and /var/tmp directories, if service is configured with PrivateTmp=yes. Temporary directories are cleaned up by service itself in addition to systemd-tmpfiles. Directory which is mounted as inaccessible is created at runtime in /run/systemd.
2013-03-14 18:12:27 +01:00
assert_se(mkdtemp(tmp_dir));
assert_se(mkdtemp(var_tmp_dir));
core: Private*/Protect* options with RootDirectory When a service is chrooted with the option RootDirectory=/opt/..., then the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}. The test-ns tool can test setup_namespace() with and without chroot: $ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns $ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns
2015-05-18 12:20:28 +02:00
root_directory = getenv("TEST_NS_CHROOT");
projects_directory = getenv("TEST_NS_PROJECTS");
if (projects_directory)
inaccessible[0] = projects_directory;
log_info("Inaccessible directory: '%s'", inaccessible[0]);
if (root_directory)
log_info("Chroot: '%s'", root_directory);
else
log_info("Not chrooted");
r = setup_namespace(root_directory,
service: add new RootImageOptions feature Allows to specify mount options for RootImage. In case of multi-partition images, the partition number can be prefixed followed by colon. Eg: RootImageOptions=1:ro,dev 2:nosuid nodev In absence of a partition number, 0 is assumed.
2020-06-29 14:19:31 +02:00
NULL,
core: add RootImage= setting for using a specific image file as root directory for a service This is similar to RootDirectory= but mounts the root file system from a block device or loopback file instead of another directory. This reuses the image dissector code now used by nspawn and gpt-auto-discovery.
2016-12-23 14:26:05 +01:00
NULL,
core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules= Lets go further and make /lib/modules/ inaccessible for services that do not have business with modules, this is a minor improvment but it may help on setups with custom modules and they are limited... in regard of kernel auto-load feature. This change introduce NameSpaceInfo struct which we may embed later inside ExecContext but for now lets just reduce the argument number to setup_namespace() and merge ProtectKernelModules feature.
2016-10-12 14:11:16 +02:00
&ns_info,
core: Private*/Protect* options with RootDirectory When a service is chrooted with the option RootDirectory=/opt/..., then the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}. The test-ns tool can test setup_namespace() with and without chroot: $ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns $ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns
2015-05-18 12:20:28 +02:00
(char **) writable,
core: reuse the same /tmp, /var/tmp and inaccessible dir All Execs within the service, will get mounted the same /tmp and /var/tmp directories, if service is configured with PrivateTmp=yes. Temporary directories are cleaned up by service itself in addition to systemd-tmpfiles. Directory which is mounted as inaccessible is created at runtime in /run/systemd.
2013-03-14 18:12:27 +01:00
(char **) readonly,
(char **) inaccessible,
execute: make StateDirectory= and friends compatible with DynamicUser=1 and RootDirectory=/RootImage= Let's clean up the interaction of StateDirectory= (and friends) to DynamicUser=1: instead of creating these directories directly below /var/lib, place them in /var/lib/private instead if DynamicUser=1 is set, making that directory 0700 and owned by root:root. This way, if a dynamic UID is later reused, access to the old run's state directory is prohibited for that user. Then, use file system namespacing inside the service to make /var/lib/private a readable tmpfs, hiding all state directories that are not listed in StateDirectory=, and making access to the actual state directory possible. Mount all directories listed in StateDirectory= to the same places inside the service (which means they'll now be mounted into the tmpfs instance). Finally, add a symlink from the state directory name in /var/lib/ to the one in /var/lib/private, so that both the host and the service can access the path under the same location. Here's an example: let's say a service runs with StateDirectory=foo. When DynamicUser=0 is set, it will get the following setup, and no difference between what the unit and what the host sees: /var/lib/foo (created as directory) Now, if DynamicUser=1 is set, we'll instead get this on the host: /var/lib/private (created as directory with mode 0700, root:root) /var/lib/private/foo (created as directory) /var/lib/foo → private/foo (created as symlink) And from inside the unit: /var/lib/private (a tmpfs mount with mode 0755, root:root) /var/lib/private/foo (bind mounted from the host) /var/lib/foo → private/foo (the same symlink as above) This takes inspiration from how container trees are protected below /var/lib/machines: they generally reuse UIDs/GIDs of the host, but because /var/lib/machines itself is set to 0700 host users cannot access files in the container tree even if the UIDs/GIDs are reused. However, for this commit we add one further trick: inside and outside of the unit /var/lib/private is a different thing: outside it is a plain, inaccessible directory, and inside it is a world-readable tmpfs mount with only the whitelisted subdirs below it, bind mounte din. This means, from the outside the dir acts as an access barrier, but from the inside it does not. And the symlink created in /var/lib/foo itself points across the barrier in both cases, so that root and the unit's user always have access to these dirs without knowing the details of this mounting magic. This logic resolves a major shortcoming of DynamicUser=1 units: previously they couldn't safely store persistant data. With this change they can have their own private state, log and data directories, which they can write to, but which are protected from UID recycling. With this change, if RootDirectory= or RootImage= are used it is ensured that the specified state/log/cache directories are always mounted in from the host. This change of semantics I think is much preferable since this means the root directory/image logic can be used easily for read-only resource bundling (as all writable data resides outside of the image). Note that this is a change of behaviour, but given that we haven't released any systemd version with StateDirectory= and friends implemented this should be a safe change to make (in particular as previously it wasn't clear what would actually happen when used in combination). Moreover, by making this change we can later add a "+" modifier to these setings too working similar to the same modifier in ReadOnlyPaths= and friends, making specified paths relative to the container itself.
2017-09-28 18:55:45 +02:00
NULL,
core: add ability to define arbitrary bind mounts for services This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow defining arbitrary bind mounts specific to particular services. This is particularly useful for services with RootDirectory= set as this permits making specific bits of the host directory available to chrooted services. The two new settings follow the concepts nspawn already possess in --bind= and --bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these latter options should probably be renamed to BindPaths= and BindReadOnlyPaths= too). Fixes: #3439
2016-11-23 22:21:40 +01:00
&(BindMount) { .source = (char*) "/usr/bin", .destination = (char*) "/etc/systemd", .read_only = true }, 1,
core: add new setting TemporaryFileSystem= This introduces a new setting TemporaryFileSystem=. This is useful to hide files not relevant to the processes invoked by unit, while necessary files or directories can be still accessed by combining with Bind{,ReadOnly}Paths=.
2018-02-21 01:17:52 +01:00
&(TemporaryFileSystem) { .path = (char*) "/var", .options = (char*) "ro" }, 1,
core: new feature MountImages Follows the same pattern and features as RootImage, but allows an arbitrary mount point under / to be specified by the user, and multiple values - like BindPaths. Original implementation by @topimiettinen at: https://github.com/systemd/systemd/pull/14451 Reworked to use dissect's logic instead of bare libmount() calls and other review comments. Thanks Topi for the initial work to come up with and implement this useful feature.
2020-07-14 17:18:41 +02:00
NULL,
0,
core: reuse the same /tmp, /var/tmp and inaccessible dir All Execs within the service, will get mounted the same /tmp and /var/tmp directories, if service is configured with PrivateTmp=yes. Temporary directories are cleaned up by service itself in addition to systemd-tmpfiles. Directory which is mounted as inaccessible is created at runtime in /run/systemd.
2013-03-14 18:12:27 +01:00
tmp_dir,
var_tmp_dir,
core: add new LogNamespace= execution setting
2019-11-25 16:22:45 +01:00
NULL,
core: hide /run/credentials whenever namespacing is requested Ideally we would like to hide all other service's credentials for all services. That would imply for us to enable mount namespacing for all services, which is something we cannot do, both due to compatibility with the status quo ante, and because a number of services legitimately should be able to install mounts in the host hierarchy. Hence we do the second best thing, we hide the credentials automatically for all services that opt into mount namespacing otherwise. This is quite different from other mount sandboxing options: usually you have to explicitly opt into each. However, given that the credentials logic is a brand new concept we invented right here and now, and particularly security sensitive it's OK to reverse this, and by default hide credentials whenever we can (i.e. whenever mount namespacing is otherwise opt-ed in to). Long story short: if you want to hide other service's credentials, the most basic options is to just turn on PrivateMounts= and there you go, they should all be gone.
2020-08-14 15:54:48 +02:00
NULL,
core: add RootImage= setting for using a specific image file as root directory for a service This is similar to RootDirectory= but mounts the root file system from a block device or loopback file instead of another directory. This reuses the image dissector code now used by nspawn and gpt-auto-discovery.
2016-12-23 14:26:05 +01:00
0,
core: add RootHash and RootVerity service parameters Allow to explicitly pass root hash (explicitly or as a file) and verity device/file as unit options. Take precedence over implicit checks.
2020-06-03 10:50:45 +02:00
NULL,
0,
NULL,
NULL,
pid1: improve message when setting up namespace fails I covered the most obvious paths: those where there's a clear problem with a path specified by the user. Prints something like this (at error level): May 21 20:00:01.040418 systemd[125871]: bad-workdir.service: Failed to set up mount namespacing: /run/systemd/unit-root/etc/tomcat9/Catalina: No such file or directory May 21 20:00:01.040456 systemd[125871]: bad-workdir.service: Failed at step NAMESPACE spawning /bin/true: No such file or directory Fixes #10972.
2019-05-21 20:02:34 +02:00
0,
core: add RootHashSignature service parameter Allow to explicitly pass root hash signature as a unit option. Takes precedence over implicit checks.
2020-06-08 15:02:55 +02:00
NULL,
NULL,
0,
pid1: improve message when setting up namespace fails I covered the most obvious paths: those where there's a clear problem with a path specified by the user. Prints something like this (at error level): May 21 20:00:01.040418 systemd[125871]: bad-workdir.service: Failed to set up mount namespacing: /run/systemd/unit-root/etc/tomcat9/Catalina: No such file or directory May 21 20:00:01.040456 systemd[125871]: bad-workdir.service: Failed at step NAMESPACE spawning /bin/true: No such file or directory Fixes #10972.
2019-05-21 20:02:34 +02:00
NULL);
namespace: rework namespace support - don't use pivot_root() anymore, just reuse root hierarchy - first create all mounts, then mark them read-only so that we get the right behaviour when people want writable mounts inside of read-only mounts - don't pass invalid combinations of MS_ constants to the kernel
2012-08-13 15:27:04 +02:00
if (r < 0) {
tree-wide: fix spelling of lookup and setup verbs "set up" and "look up" are the verbs, "setup" and "lookup" are the nouns.
2020-03-03 15:00:53 +01:00
log_error_errno(r, "Failed to set up namespace: %m");
core: Private*/Protect* options with RootDirectory When a service is chrooted with the option RootDirectory=/opt/..., then the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}. The test-ns tool can test setup_namespace() with and without chroot: $ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns $ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns
2015-05-18 12:20:28 +02:00
log_info("Usage:\n"
" sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns\n"
" sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
return 1;
}
execl("/bin/sh", "/bin/sh", NULL);
treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 19:29:59 +01:00
log_error_errno(errno, "execl(): %m");
execute: support basic filesystem namespacing
2010-04-21 22:15:06 +02:00
return 1;
}
Reference in a new issue Copy permalink