2 * Copyright (C) 2015 John Crispin <blogic@openwrt.org>
3 * Copyright (C) 2020 Daniel Golle <daniel@makrotopia.org>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU Lesser General Public License version 2.1
7 * as published by the Free Software Foundation
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
16 #include <sys/mount.h>
17 #include <sys/prctl.h>
19 #include <sys/types.h>
21 #include <sys/resource.h>
23 #include <sys/sysmacros.h>
25 /* musl only defined 15 limit types, make sure all 16 are supported */
27 #define RLIMIT_RTTIME 15
29 #define RLIMIT_NLIMITS 16
31 #define RLIM_NLIMITS 16
42 #include <linux/filter.h>
43 #include <linux/limits.h>
44 #include <linux/nsfs.h>
48 #include "capabilities.h"
53 #include "seccomp-oci.h"
55 #include <libubox/utils.h>
56 #include <libubox/blobmsg.h>
57 #include <libubox/blobmsg_json.h>
58 #include <libubox/list.h>
59 #include <libubox/vlist.h>
60 #include <libubox/uloop.h>
63 #ifndef CLONE_NEWCGROUP
64 #define CLONE_NEWCGROUP 0x02000000
67 #define STACK_SIZE (1024 * 1024)
68 #define OPT_ARGS "S:C:n:h:r:w:d:psulocU:G:NR:fFO:T:EyJ:"
96 struct sock_fprog
*ociseccomp
;
98 struct jail_capset capset
;
103 char *tmpoverlaysize
;
107 struct sysctl_val
**sysctl
;
129 gid_t
*additional_gids
;
130 size_t num_additional_gids
;
135 struct hook_execvpe
**createRuntime
;
136 struct hook_execvpe
**createContainer
;
137 struct hook_execvpe
**startContainer
;
138 struct hook_execvpe
**poststart
;
139 struct hook_execvpe
**poststop
;
141 struct rlimit
*rlimits
[RLIM_NLIMITS
];
143 bool set_oom_score_adj
;
144 struct mknod_args
**devices
;
147 static inline bool has_namespaces(void)
149 return ((opts
.setns
.pid
!= -1) ||
150 (opts
.setns
.net
!= -1) ||
151 (opts
.setns
.ns
!= -1) ||
152 (opts
.setns
.ipc
!= -1) ||
153 (opts
.setns
.uts
!= -1) ||
154 (opts
.setns
.user
!= -1) ||
155 (opts
.setns
.cgroup
!= -1) ||
157 (opts
.setns
.time
!= -1) ||
162 static void free_hooklist(struct hook_execvpe
**hooklist
)
164 struct hook_execvpe
*cur
;
189 static void free_sysctl(void) {
190 struct sysctl_val
*cur
;
201 static void free_devices(void) {
202 struct mknod_args
**cur
;
216 static void free_rlimits(void) {
219 for (type
= 0; type
< RLIM_NLIMITS
; ++type
)
220 free(opts
.rlimits
[type
]);
223 static void free_opts(bool child
) {
226 /* we need to keep argv, envp and seccomp filter in child */
228 if (opts
.ociseccomp
) {
229 free(opts
.ociseccomp
->filter
);
230 free(opts
.ociseccomp
);
233 tmp
= opts
.jail_argv
;
237 free(opts
.jail_argv
);
254 free_hooklist(opts
.hooks
.createRuntime
);
255 free_hooklist(opts
.hooks
.createContainer
);
256 free_hooklist(opts
.hooks
.startContainer
);
257 free_hooklist(opts
.hooks
.poststart
);
258 free_hooklist(opts
.hooks
.poststop
);
261 static struct blob_buf ocibuf
;
263 extern int pivot_root(const char *new_root
, const char *put_old
);
267 static char child_stack
[STACK_SIZE
];
271 static int mount_overlay(char *jail_root
, char *overlaydir
) {
272 char *upperdir
, *workdir
, *optsstr
, *upperetc
, *upperresolvconf
;
273 const char mountoptsformat
[] = "lowerdir=%s,upperdir=%s,workdir=%s";
276 if (asprintf(&upperdir
, "%s%s", overlaydir
, "/upper") < 0)
279 if (asprintf(&workdir
, "%s%s", overlaydir
, "/work") < 0)
282 if (asprintf(&optsstr
, mountoptsformat
, jail_root
, upperdir
, workdir
) < 0)
285 if (mkdir_p(upperdir
, 0755) || mkdir_p(workdir
, 0755))
289 * make sure /etc/resolv.conf exists in overlay and is owned by jail userns root
290 * this is to work-around a bug in overlayfs described in the overlayfs-userns
292 * 3. modification of a file 'hithere' which is in l but not yet
293 * in u, and which is not owned by T, is not allowed, even if
294 * writes to u are allowed. This may be a bug in overlayfs,
295 * but it is safe behavior.
297 if (asprintf(&upperetc
, "%s/etc", upperdir
) < 0)
300 if (mkdir_p(upperetc
, 0755))
301 goto upper_etc_printf
;
303 if (asprintf(&upperresolvconf
, "%s/resolv.conf", upperetc
) < 0)
304 goto upper_etc_printf
;
306 fd
= creat(upperresolvconf
, 0644);
308 ERROR("creat(%s) failed: %m\n", upperresolvconf
);
309 goto upper_resolvconf_printf
;
313 DEBUG("mount -t overlay %s %s (%s)\n", jail_root
, jail_root
, optsstr
);
315 if (mount(jail_root
, jail_root
, "overlay", MS_NOATIME
, optsstr
))
320 upper_resolvconf_printf
:
321 free(upperresolvconf
);
334 static void pass_console(int console_fd
)
336 struct ubus_context
*ctx
= ubus_connect(NULL
);
337 static struct blob_buf req
;
343 blob_buf_init(&req
, 0);
344 blobmsg_add_string(&req
, "name", opts
.name
);
346 if (ubus_lookup_id(ctx
, "container", &id
) ||
347 ubus_invoke_fd(ctx
, id
, "console_set", req
.head
, NULL
, NULL
, 3000, console_fd
))
348 INFO("ubus request failed\n");
356 static int create_dev_console(const char *jail_root
)
359 char dev_console_path
[PATH_MAX
];
360 int slave_console_fd
;
362 /* Open UNIX/98 virtual console */
363 console_fd
= posix_openpt(O_RDWR
| O_NOCTTY
);
364 if (console_fd
== -1)
367 console_fname
= ptsname(console_fd
);
368 DEBUG("got console fd %d and PTS client name %s\n", console_fd
, console_fname
);
373 unlockpt(console_fd
);
375 /* pass PTY master to procd */
376 pass_console(console_fd
);
378 /* mount-bind PTY slave to /dev/console in jail */
379 snprintf(dev_console_path
, sizeof(dev_console_path
), "%s/dev/console", jail_root
);
380 close(creat(dev_console_path
, 0620));
382 if (mount(console_fname
, dev_console_path
, NULL
, MS_BIND
, NULL
))
385 /* use PTY slave for stdio */
386 slave_console_fd
= open(console_fname
, O_RDWR
); /* | O_NOCTTY */
387 dup2(slave_console_fd
, 0);
388 dup2(slave_console_fd
, 1);
389 dup2(slave_console_fd
, 2);
390 close(slave_console_fd
);
392 INFO("using guest console %s\n", console_fname
);
401 static int hook_running
= 0;
402 static int hook_return_code
= 0;
404 static void hook_process_timeout_cb(struct uloop_timeout
*t
);
405 static struct uloop_timeout hook_process_timeout
= {
406 .cb
= hook_process_timeout_cb
,
409 static void hook_process_handler(struct uloop_process
*c
, int ret
)
411 uloop_timeout_cancel(&hook_process_timeout
);
412 if (WIFEXITED(ret
)) {
413 hook_return_code
= WEXITSTATUS(ret
);
414 DEBUG("hook (%d) exited with exit: %d\n", c
->pid
, hook_return_code
);
416 hook_return_code
= WTERMSIG(ret
);
417 DEBUG("hook (%d) exited with signal: %d\n", c
->pid
, hook_return_code
);
423 static struct uloop_process hook_process
= {
424 .cb
= hook_process_handler
,
427 static void hook_process_timeout_cb(struct uloop_timeout
*t
)
429 DEBUG("hook process failed to stop, sending SIGKILL\n");
430 kill(hook_process
.pid
, SIGKILL
);
433 static int run_hook(struct hook_execvpe
*hook
)
437 DEBUG("executing hook %s\n", hook
->file
);
439 if (stat(hook
->file
, &s
))
442 if (!((unsigned long)s
.st_mode
& (S_IXUSR
| S_IXGRP
| S_IXOTH
)))
445 if (!((unsigned long)s
.st_mode
& (S_IRUSR
| S_IRGRP
| S_IROTH
)))
451 hook_process
.pid
= fork();
452 if (hook_process
.pid
> 0) {
454 uloop_process_add(&hook_process
);
456 if (hook
->timeout
> 0)
457 uloop_timeout_set(&hook_process_timeout
, 1000 * hook
->timeout
);
461 DEBUG("uloop interrupted, killing hook process\n");
462 kill(hook_process
.pid
, SIGTERM
);
463 uloop_timeout_set(&hook_process_timeout
, 1000);
468 waitpid(hook_process
.pid
, NULL
, WCONTINUED
);
470 return hook_return_code
;
471 } else if (hook_process
.pid
== 0) {
473 execvpe(hook
->file
, hook
->argv
, hook
->envp
);
483 static int run_hooks(struct hook_execvpe
**hooklist
)
485 struct hook_execvpe
**cur
;
489 return 0; /* Nothing to do */
494 res
= run_hook(*cur
);
496 DEBUG(" error running hook %s\n", (*cur
)->file
);
498 DEBUG(" success running hook %s\n", (*cur
)->file
);
506 static int apply_sysctl(const char *jail_root
)
508 struct sysctl_val
**cur
;
509 char *procdir
, *fname
;
515 asprintf(&procdir
, "%s/proc", jail_root
);
519 mkdir(procdir
, 0700);
520 if (mount("proc", procdir
, "proc", MS_NOATIME
| MS_NODEV
| MS_NOEXEC
| MS_NOSUID
, 0))
526 asprintf(&fname
, "%s/sys/%s", procdir
, (*cur
)->entry
);
530 DEBUG("sysctl: writing '%s' to %s\n", (*cur
)->value
, fname
);
532 f
= open(fname
, O_WRONLY
);
534 ERROR("sysctl: can't open %s\n", fname
);
537 write(f
, (*cur
)->value
, strlen((*cur
)->value
));
550 static struct mknod_args default_devices
[] = {
551 { .path
= "/dev/null", .mode
= (S_IFCHR
|S_IRUSR
|S_IWUSR
|S_IRGRP
|S_IWGRP
|S_IROTH
|S_IWOTH
), .dev
= makedev(1, 3) },
552 { .path
= "/dev/zero", .mode
= (S_IFCHR
|S_IRUSR
|S_IWUSR
|S_IRGRP
|S_IWGRP
|S_IROTH
|S_IWOTH
), .dev
= makedev(1, 5) },
553 { .path
= "/dev/full", .mode
= (S_IFCHR
|S_IRUSR
|S_IWUSR
|S_IRGRP
|S_IWGRP
|S_IROTH
|S_IWOTH
), .dev
= makedev(1, 7) },
554 { .path
= "/dev/random", .mode
= (S_IFCHR
|S_IRUSR
|S_IWUSR
|S_IRGRP
|S_IWGRP
|S_IROTH
|S_IWOTH
), .dev
= makedev(1, 8) },
555 { .path
= "/dev/urandom", .mode
= (S_IFCHR
|S_IRUSR
|S_IWUSR
|S_IRGRP
|S_IWGRP
|S_IROTH
|S_IWOTH
), .dev
= makedev(1, 9) },
556 { .path
= "/dev/tty", .mode
= (S_IFCHR
|S_IRUSR
|S_IWUSR
|S_IRGRP
|S_IWGRP
), .dev
= makedev(5, 0), .gid
= 5 },
560 static int create_devices(void)
562 struct mknod_args
**cur
, *curdef
;
565 goto only_default_devices
;
570 DEBUG("creating %s (mode=%08o)\n", (*cur
)->path
, (*cur
)->mode
);
571 if (mknod((*cur
)->path
, (*cur
)->mode
, (*cur
)->dev
))
574 if (((*cur
)->uid
|| (*cur
)->gid
) &&
575 chown((*cur
)->path
, (*cur
)->uid
, (*cur
)->gid
))
581 only_default_devices
:
582 curdef
= default_devices
;
583 while(curdef
->path
) {
584 DEBUG("creating %s (mode=%08o)\n", curdef
->path
, curdef
->mode
);
585 if (mknod(curdef
->path
, curdef
->mode
, curdef
->dev
)) {
587 continue; /* may already exist, eg. due to a bind-mount */
589 if ((curdef
->uid
|| curdef
->gid
) &&
590 chown(curdef
->path
, curdef
->uid
, curdef
->gid
))
596 /* Dev symbolic links as defined in OCI spec */
597 symlink("/dev/pts/ptmx", "/dev/ptmx");
598 symlink("/proc/self/fd", "/dev/fd");
599 symlink("/proc/self/fd/0", "/dev/stdin");
600 symlink("/proc/self/fd/1", "/dev/stdout");
601 symlink("/proc/self/fd/2", "/dev/stderr");
606 static int build_jail_fs(void)
608 char jail_root
[] = "/tmp/ujail-XXXXXX";
609 char tmpovdir
[] = "/tmp/ujail-overlay-XXXXXX";
610 char *overlaydir
= NULL
;
613 old_umask
= umask(0);
615 if (mkdtemp(jail_root
) == NULL
) {
616 ERROR("mkdtemp(%s) failed: %m\n", jail_root
);
620 if (apply_sysctl(jail_root
)) {
621 ERROR("failed to apply sysctl values\n");
625 /* oldroot can't be MS_SHARED else pivot_root() fails */
626 if (mount("none", "/", NULL
, MS_REC
|MS_PRIVATE
, NULL
)) {
627 ERROR("private mount failed %m\n");
632 if (mount(opts
.extroot
, jail_root
, NULL
, MS_BIND
, NULL
)) {
633 ERROR("extroot mount failed %m\n");
637 if (mount("tmpfs", jail_root
, "tmpfs", MS_NOATIME
, "mode=0755")) {
638 ERROR("tmpfs mount failed %m\n");
643 if (opts
.tmpoverlaysize
) {
644 char mountoptsstr
[] = "mode=0755,size=XXXXXXXX";
646 snprintf(mountoptsstr
, sizeof(mountoptsstr
),
647 "mode=0755,size=%s", opts
.tmpoverlaysize
);
648 if (mkdtemp(tmpovdir
) == NULL
) {
649 ERROR("mkdtemp(%s) failed: %m\n", jail_root
);
652 if (mount("tmpfs", tmpovdir
, "tmpfs", MS_NOATIME
,
654 ERROR("failed to mount tmpfs for overlay (size=%s)\n", opts
.tmpoverlaysize
);
657 overlaydir
= tmpovdir
;
661 overlaydir
= opts
.overlaydir
;
664 mount_overlay(jail_root
, overlaydir
);
666 if (chdir(jail_root
)) {
667 ERROR("chdir(%s) (jail_root) failed: %m\n", jail_root
);
671 if (mount_all(jail_root
)) {
672 ERROR("mount_all() failed\n");
677 create_dev_console(jail_root
);
679 /* make sure /etc/resolv.conf exists if in new network namespace */
680 if (opts
.namespace & CLONE_NEWNET
) {
681 char jailetc
[PATH_MAX
], jaillink
[PATH_MAX
];
683 snprintf(jailetc
, PATH_MAX
, "%s/etc", jail_root
);
684 mkdir_p(jailetc
, 0755);
685 snprintf(jaillink
, PATH_MAX
, "%s/etc/resolv.conf", jail_root
);
689 symlink("../dev/resolv.conf.d/resolv.conf.auto", jaillink
);
692 run_hooks(opts
.hooks
.createContainer
);
694 char dirbuf
[sizeof(jail_root
) + 4];
695 snprintf(dirbuf
, sizeof(dirbuf
), "%s/old", jail_root
);
698 if (pivot_root(jail_root
, dirbuf
) == -1) {
699 ERROR("pivot_root(%s, %s) failed: %m\n", jail_root
, dirbuf
);
703 ERROR("chdir(/) (after pivot_root) failed: %m\n");
707 snprintf(dirbuf
, sizeof(dirbuf
), "/old%s", jail_root
);
708 umount2(dirbuf
, MNT_DETACH
);
710 if (opts
.tmpoverlaysize
) {
711 char tmpdirbuf
[sizeof(tmpovdir
) + 4];
712 snprintf(tmpdirbuf
, sizeof(tmpdirbuf
), "/old%s", tmpovdir
);
713 umount2(tmpdirbuf
, MNT_DETACH
);
717 umount2("/old", MNT_DETACH
);
720 if (create_devices()) {
721 ERROR("create_devices() failed\n");
725 mount(NULL
, "/", NULL
, MS_REMOUNT
| MS_BIND
| MS_RDONLY
, 0);
732 static int write_uid_gid_map(pid_t child_pid
, bool gidmap
, char *mapstr
)
737 if (snprintf(map_path
, sizeof(map_path
), "/proc/%d/%s",
738 child_pid
, gidmap
?"gid_map":"uid_map") < 0)
741 if ((map_file
= open(map_path
, O_WRONLY
)) == -1)
744 if (dprintf(map_file
, "%s", mapstr
)) {
754 static int write_single_uid_gid_map(pid_t child_pid
, bool gidmap
, int id
)
758 const char *map_format
= "%d %d %d\n";
759 if (snprintf(map_path
, sizeof(map_path
), "/proc/%d/%s",
760 child_pid
, gidmap
?"gid_map":"uid_map") < 0)
763 if ((map_file
= open(map_path
, O_WRONLY
)) == -1)
766 if (dprintf(map_file
, map_format
, 0, id
, 1) == -1) {
775 static int write_setgroups(pid_t child_pid
, bool allow
)
778 char setgroups_path
[64];
780 if (snprintf(setgroups_path
, sizeof(setgroups_path
), "/proc/%d/setgroups",
785 if ((setgroups_file
= open(setgroups_path
, O_WRONLY
)) == -1) {
789 if (dprintf(setgroups_file
, "%s", allow
?"allow":"deny") == -1) {
790 close(setgroups_file
);
794 close(setgroups_file
);
798 static void get_jail_user(int *user
, int *user_gid
, int *gr_gid
)
800 struct passwd
*p
= NULL
;
801 struct group
*g
= NULL
;
804 p
= getpwnam(opts
.user
);
806 ERROR("failed to get uid/gid for user %s: %d (%s)\n",
807 opts
.user
, errno
, strerror(errno
));
811 *user_gid
= p
->pw_gid
;
818 g
= getgrnam(opts
.group
);
820 ERROR("failed to get gid for group %s: %m\n", opts
.group
);
829 static void set_jail_user(int pw_uid
, int user_gid
, int gr_gid
)
831 if (opts
.user
&& (user_gid
!= -1) && initgroups(opts
.user
, user_gid
)) {
832 ERROR("failed to initgroups() for user %s: %m\n", opts
.user
);
836 if ((gr_gid
!= -1) && setregid(gr_gid
, gr_gid
)) {
837 ERROR("failed to set group id %d: %m\n", gr_gid
);
841 if ((pw_uid
!= -1) && setreuid(pw_uid
, pw_uid
)) {
842 ERROR("failed to set user id %d: %m\n", pw_uid
);
847 static int apply_rlimits(void)
851 for (resource
= 0; resource
< RLIM_NLIMITS
; ++resource
) {
852 if (opts
.rlimits
[resource
])
853 DEBUG("applying limits to resource %u\n", resource
);
855 if (opts
.rlimits
[resource
] &&
856 setrlimit(resource
, opts
.rlimits
[resource
]))
864 static char** build_envp(const char *seccomp
, char **ocienvp
)
866 static char *envp
[MAX_ENVP
];
867 static char preload_var
[PATH_MAX
];
868 static char seccomp_var
[PATH_MAX
];
869 static char debug_var
[] = "LD_DEBUG=all";
870 static char container_var
[] = "container=ujail";
871 const char *preload_lib
= find_lib("libpreload-seccomp.so");
876 if (seccomp
&& !preload_lib
) {
877 ERROR("failed to add preload-lib to env\n");
881 snprintf(seccomp_var
, sizeof(seccomp_var
), "SECCOMP_FILE=%s", seccomp
);
882 envp
[count
++] = seccomp_var
;
883 snprintf(preload_var
, sizeof(preload_var
), "LD_PRELOAD=%s", preload_lib
);
884 envp
[count
++] = preload_var
;
887 envp
[count
++] = container_var
;
890 envp
[count
++] = debug_var
;
893 while (addenv
&& *addenv
) {
894 envp
[count
++] = *(addenv
++);
895 if (count
>= MAX_ENVP
) {
896 ERROR("environment limited to %d extra records, truncating\n", MAX_ENVP
);
903 static void usage(void)
905 fprintf(stderr
, "ujail <options> -- <binary> <params ...>\n");
906 fprintf(stderr
, " -d <num>\tshow debug log (increase num to increase verbosity)\n");
907 fprintf(stderr
, " -S <file>\tseccomp filter config\n");
908 fprintf(stderr
, " -C <file>\tcapabilities drop config\n");
909 fprintf(stderr
, " -c\t\tset PR_SET_NO_NEW_PRIVS\n");
910 fprintf(stderr
, " -n <name>\tthe name of the jail\n");
911 fprintf(stderr
, "namespace jail options:\n");
912 fprintf(stderr
, " -h <hostname>\tchange the hostname of the jail\n");
913 fprintf(stderr
, " -N\t\tjail has network namespace\n");
914 fprintf(stderr
, " -f\t\tjail has user namespace\n");
915 fprintf(stderr
, " -F\t\tjail has cgroups namespace\n");
916 fprintf(stderr
, " -r <file>\treadonly files that should be staged\n");
917 fprintf(stderr
, " -w <file>\twriteable files that should be staged\n");
918 fprintf(stderr
, " -p\t\tjail has /proc\n");
919 fprintf(stderr
, " -s\t\tjail has /sys\n");
920 fprintf(stderr
, " -l\t\tjail has /dev/log\n");
921 fprintf(stderr
, " -u\t\tjail has a ubus socket\n");
922 fprintf(stderr
, " -U <name>\tuser to run jailed process\n");
923 fprintf(stderr
, " -G <name>\tgroup to run jailed process\n");
924 fprintf(stderr
, " -o\t\tremont jail root (/) read only\n");
925 fprintf(stderr
, " -R <dir>\texternal jail rootfs (system container)\n");
926 fprintf(stderr
, " -O <dir>\tdirectory for r/w overlayfs\n");
927 fprintf(stderr
, " -T <size>\tuse tmpfs r/w overlayfs with <size>\n");
928 fprintf(stderr
, " -E\t\tfail if jail cannot be setup\n");
929 fprintf(stderr
, " -y\t\tprovide jail console\n");
930 fprintf(stderr
, " -J <dir>\tstart OCI bundle\n");
931 fprintf(stderr
, "\nWarning: by default root inside the jail is the same\n\
932 and he has the same powers as root outside the jail,\n\
933 thus he can escape the jail and/or break stuff.\n\
934 Please use seccomp/capabilities (-S/-C) to restrict his powers\n\n\
935 If you use none of the namespace jail options,\n\
936 ujail will not use namespace/build a jail,\n\
937 and will only drop capabilities/apply seccomp filter.\n\n");
940 static int* get_namespace_fd(const unsigned int nstype
)
944 return &opts
.setns
.pid
;
946 return &opts
.setns
.net
;
948 return &opts
.setns
.ns
;
950 return &opts
.setns
.ipc
;
952 return &opts
.setns
.uts
;
954 return &opts
.setns
.user
;
955 case CLONE_NEWCGROUP
:
956 return &opts
.setns
.cgroup
;
959 return &opts
.setns
.time
;
966 static int setns_open(unsigned long nstype
)
968 int *fd
= get_namespace_fd(nstype
);
976 if (setns(*fd
, nstype
) == -1) {
985 static int exec_jail(void *pipes_ptr
)
987 int *pipes
= (int*)pipes_ptr
;
989 int pw_uid
, pw_gid
, gr_gid
;
994 setns_open(CLONE_NEWUSER
);
995 setns_open(CLONE_NEWNET
);
996 setns_open(CLONE_NEWNS
);
997 setns_open(CLONE_NEWIPC
);
998 setns_open(CLONE_NEWUTS
);
1000 setns_open(CLONE_NEWTIME
);
1004 if (write(pipes
[1], buf
, 1) < 1) {
1005 ERROR("can't write to parent\n");
1008 if (read(pipes
[2], buf
, 1) < 1) {
1009 ERROR("can't read from parent\n");
1012 if (buf
[0] != 'O') {
1013 ERROR("parent had an error, child exiting\n");
1020 if ((opts
.namespace & CLONE_NEWUSER
) || (opts
.setns
.user
!= -1)) {
1021 if (setregid(0, 0) < 0) {
1025 if (setreuid(0, 0) < 0) {
1029 if (setgroups(0, NULL
) < 0) {
1030 ERROR("setgroups\n");
1035 if (opts
.namespace && opts
.hostname
&& strlen(opts
.hostname
) > 0
1036 && sethostname(opts
.hostname
, strlen(opts
.hostname
))) {
1037 ERROR("sethostname(%s) failed: %m\n", opts
.hostname
);
1041 if ((opts
.namespace & CLONE_NEWNS
) && build_jail_fs()) {
1042 ERROR("failed to build jail fs\n");
1045 run_hooks(opts
.hooks
.startContainer
);
1047 if (!(opts
.namespace & CLONE_NEWUSER
) && (opts
.setns
.user
== -1)) {
1048 get_jail_user(&pw_uid
, &pw_gid
, &gr_gid
);
1050 set_jail_user(opts
.pw_uid
?:pw_uid
, opts
.pw_gid
?:pw_gid
, opts
.gr_gid
?:gr_gid
);
1053 if (opts
.additional_gids
&&
1054 (setgroups(opts
.num_additional_gids
, opts
.additional_gids
) < 0)) {
1055 ERROR("setgroups failed: %m\n");
1062 if (applyOCIcapabilities(opts
.capset
))
1065 if (opts
.capabilities
&& drop_capabilities(opts
.capabilities
))
1068 if (opts
.no_new_privs
&& prctl(PR_SET_NO_NEW_PRIVS
, 1, 0, 0, 0)) {
1069 ERROR("prctl(PR_SET_NO_NEW_PRIVS) failed: %m\n");
1073 char **envp
= build_envp(opts
.seccomp
, opts
.envp
);
1077 if (opts
.cwd
&& chdir(opts
.cwd
))
1080 if (opts
.ociseccomp
&& applyOCIlinuxseccomp(opts
.ociseccomp
))
1085 INFO("exec-ing %s\n", *opts
.jail_argv
);
1086 if (opts
.envp
) /* respect PATH if potentially set in ENV */
1087 execvpe(*opts
.jail_argv
, opts
.jail_argv
, envp
);
1089 execve(*opts
.jail_argv
, opts
.jail_argv
, envp
);
1091 /* we get there only if execve fails */
1092 ERROR("failed to execve %s: %m\n", *opts
.jail_argv
);
1096 static int jail_running
= 0;
1097 static int jail_return_code
= 0;
1099 static void jail_process_timeout_cb(struct uloop_timeout
*t
);
1100 static struct uloop_timeout jail_process_timeout
= {
1101 .cb
= jail_process_timeout_cb
,
1104 static void jail_process_handler(struct uloop_process
*c
, int ret
)
1106 uloop_timeout_cancel(&jail_process_timeout
);
1107 if (WIFEXITED(ret
)) {
1108 jail_return_code
= WEXITSTATUS(ret
);
1109 INFO("jail (%d) exited with exit: %d\n", c
->pid
, jail_return_code
);
1111 jail_return_code
= WTERMSIG(ret
);
1112 INFO("jail (%d) exited with signal: %d\n", c
->pid
, jail_return_code
);
1118 static struct uloop_process jail_process
= {
1119 .cb
= jail_process_handler
,
1122 static void jail_process_timeout_cb(struct uloop_timeout
*t
)
1124 DEBUG("jail process failed to stop, sending SIGKILL\n");
1125 kill(jail_process
.pid
, SIGKILL
);
1128 static void jail_handle_signal(int signo
)
1131 DEBUG("forwarding signal %d to the hook process\n", signo
);
1132 kill(hook_process
.pid
, signo
);
1136 DEBUG("forwarding signal %d to the jailed process\n", signo
);
1137 kill(jail_process
.pid
, signo
);
1141 static int netns_open_pid(const pid_t target_ns
)
1143 char pid_net_path
[PATH_MAX
];
1145 snprintf(pid_net_path
, sizeof(pid_net_path
), "/proc/%u/ns/net", target_ns
);
1147 return open(pid_net_path
, O_RDONLY
);
1150 static int pidns_open_pid(const pid_t target_ns
)
1152 char pid_pid_path
[PATH_MAX
];
1154 snprintf(pid_pid_path
, sizeof(pid_pid_path
), "/proc/%u/ns/pid", target_ns
);
1156 return open(pid_pid_path
, O_RDONLY
);
1159 static void netns_updown(pid_t pid
, bool start
)
1161 struct ubus_context
*ctx
= ubus_connect(NULL
);
1162 static struct blob_buf req
;
1168 blob_buf_init(&req
, 0);
1169 blobmsg_add_string(&req
, "jail", opts
.name
);
1170 blobmsg_add_u32(&req
, "pid", pid
);
1171 blobmsg_add_u8(&req
, "start", start
);
1173 if (ubus_lookup_id(ctx
, "network", &id
) ||
1174 ubus_invoke(ctx
, id
, "netns_updown", req
.head
, NULL
, NULL
, 3000))
1175 INFO("ubus request failed\n");
1177 blob_buf_free(&req
);
1181 static int parseOCIenvarray(struct blob_attr
*msg
, char ***envp
)
1183 struct blob_attr
*cur
;
1186 blobmsg_for_each_attr(cur
, msg
, rem
)
1190 *envp
= calloc(1 + sz
, sizeof(char*));
1199 blobmsg_for_each_attr(cur
, msg
, rem
)
1200 (*envp
)[sz
++] = strdup(blobmsg_get_string(cur
));
1214 static const struct blobmsg_policy oci_root_policy
[] = {
1215 [OCI_ROOT_PATH
] = { "path", BLOBMSG_TYPE_STRING
},
1216 [OCI_ROOT_READONLY
] = { "readonly", BLOBMSG_TYPE_BOOL
},
1219 static int parseOCIroot(const char *jsonfile
, struct blob_attr
*msg
)
1221 static char rootpath
[PATH_MAX
] = { 0 };
1222 struct blob_attr
*tb
[__OCI_ROOT_MAX
];
1225 blobmsg_parse(oci_root_policy
, __OCI_ROOT_MAX
, tb
, blobmsg_data(msg
), blobmsg_len(msg
));
1227 if (!tb
[OCI_ROOT_PATH
])
1230 strncpy(rootpath
, jsonfile
, PATH_MAX
);
1231 cur
= strrchr(rootpath
, '/');
1237 strncat(rootpath
, blobmsg_get_string(tb
[OCI_ROOT_PATH
]), PATH_MAX
- (strlen(rootpath
) + 1));
1239 opts
.extroot
= rootpath
;
1241 opts
.ronly
= blobmsg_get_bool(tb
[OCI_ROOT_READONLY
]);
1255 static const struct blobmsg_policy oci_hook_policy
[] = {
1256 [OCI_HOOK_PATH
] = { "path", BLOBMSG_TYPE_STRING
},
1257 [OCI_HOOK_ARGS
] = { "args", BLOBMSG_TYPE_ARRAY
},
1258 [OCI_HOOK_ENV
] = { "env", BLOBMSG_TYPE_ARRAY
},
1259 [OCI_HOOK_TIMEOUT
] = { "timeout", BLOBMSG_TYPE_INT32
},
1263 static int parseOCIhook(struct hook_execvpe
***hooklist
, struct blob_attr
*msg
)
1265 struct blob_attr
*tb
[__OCI_HOOK_MAX
];
1266 struct blob_attr
*cur
;
1270 blobmsg_for_each_attr(cur
, msg
, rem
)
1276 *hooklist
= calloc(idx
+ 1, sizeof(struct hook_execvpe
*));
1282 blobmsg_for_each_attr(cur
, msg
, rem
) {
1283 blobmsg_parse(oci_hook_policy
, __OCI_HOOK_MAX
, tb
, blobmsg_data(cur
), blobmsg_len(cur
));
1285 if (!tb
[OCI_HOOK_PATH
]) {
1290 (*hooklist
)[idx
] = malloc(sizeof(struct hook_execvpe
));
1291 if (tb
[OCI_HOOK_ARGS
]) {
1292 ret
= parseOCIenvarray(tb
[OCI_HOOK_ARGS
], &((*hooklist
)[idx
]->argv
));
1296 (*hooklist
)[idx
]->argv
= calloc(2, sizeof(char *));
1297 ((*hooklist
)[idx
]->argv
)[0] = strdup(blobmsg_get_string(tb
[OCI_HOOK_PATH
]));
1298 ((*hooklist
)[idx
]->argv
)[1] = NULL
;
1302 if (tb
[OCI_HOOK_ENV
]) {
1303 ret
= parseOCIenvarray(tb
[OCI_HOOK_ENV
], &((*hooklist
)[idx
]->envp
));
1308 if (tb
[OCI_HOOK_TIMEOUT
])
1309 (*hooklist
)[idx
]->timeout
= blobmsg_get_u32(tb
[OCI_HOOK_TIMEOUT
]);
1311 (*hooklist
)[idx
]->file
= strdup(blobmsg_get_string(tb
[OCI_HOOK_PATH
]));
1316 (*hooklist
)[idx
] = NULL
;
1318 DEBUG("added %d hooks\n", idx
);
1323 free_hooklist(*hooklist
);
1332 OCI_HOOKS_CREATERUNTIME
,
1333 OCI_HOOKS_CREATECONTAINER
,
1334 OCI_HOOKS_STARTCONTAINER
,
1335 OCI_HOOKS_POSTSTART
,
1340 static const struct blobmsg_policy oci_hooks_policy
[] = {
1341 [OCI_HOOKS_PRESTART
] = { "prestart", BLOBMSG_TYPE_ARRAY
},
1342 [OCI_HOOKS_CREATERUNTIME
] = { "createRuntime", BLOBMSG_TYPE_ARRAY
},
1343 [OCI_HOOKS_CREATECONTAINER
] = { "createContainer", BLOBMSG_TYPE_ARRAY
},
1344 [OCI_HOOKS_STARTCONTAINER
] = { "startContainer", BLOBMSG_TYPE_ARRAY
},
1345 [OCI_HOOKS_POSTSTART
] = { "poststart", BLOBMSG_TYPE_ARRAY
},
1346 [OCI_HOOKS_POSTSTOP
] = { "poststop", BLOBMSG_TYPE_ARRAY
},
1349 static int parseOCIhooks(struct blob_attr
*msg
)
1351 struct blob_attr
*tb
[__OCI_HOOKS_MAX
];
1354 blobmsg_parse(oci_hooks_policy
, __OCI_HOOKS_MAX
, tb
, blobmsg_data(msg
), blobmsg_len(msg
));
1356 if (tb
[OCI_HOOKS_PRESTART
])
1357 INFO("warning: ignoring deprecated prestart hook\n");
1359 if (tb
[OCI_HOOKS_CREATERUNTIME
]) {
1360 ret
= parseOCIhook(&opts
.hooks
.createRuntime
, tb
[OCI_HOOKS_CREATERUNTIME
]);
1365 if (tb
[OCI_HOOKS_CREATECONTAINER
]) {
1366 ret
= parseOCIhook(&opts
.hooks
.createContainer
, tb
[OCI_HOOKS_CREATECONTAINER
]);
1368 goto out_createruntime
;
1371 if (tb
[OCI_HOOKS_STARTCONTAINER
]) {
1372 ret
= parseOCIhook(&opts
.hooks
.startContainer
, tb
[OCI_HOOKS_STARTCONTAINER
]);
1374 goto out_createcontainer
;
1377 if (tb
[OCI_HOOKS_POSTSTART
]) {
1378 ret
= parseOCIhook(&opts
.hooks
.poststart
, tb
[OCI_HOOKS_POSTSTART
]);
1380 goto out_startcontainer
;
1383 if (tb
[OCI_HOOKS_POSTSTOP
]) {
1384 ret
= parseOCIhook(&opts
.hooks
.poststop
, tb
[OCI_HOOKS_POSTSTOP
]);
1392 free_hooklist(opts
.hooks
.poststart
);
1394 free_hooklist(opts
.hooks
.startContainer
);
1395 out_createcontainer
:
1396 free_hooklist(opts
.hooks
.createContainer
);
1398 free_hooklist(opts
.hooks
.createRuntime
);
1405 OCI_PROCESS_USER_UID
,
1406 OCI_PROCESS_USER_GID
,
1407 OCI_PROCESS_USER_UMASK
,
1408 OCI_PROCESS_USER_ADDITIONALGIDS
,
1409 __OCI_PROCESS_USER_MAX
,
1412 static const struct blobmsg_policy oci_process_user_policy
[] = {
1413 [OCI_PROCESS_USER_UID
] = { "uid", BLOBMSG_TYPE_INT32
},
1414 [OCI_PROCESS_USER_GID
] = { "gid", BLOBMSG_TYPE_INT32
},
1415 [OCI_PROCESS_USER_UMASK
] = { "umask", BLOBMSG_TYPE_INT32
},
1416 [OCI_PROCESS_USER_ADDITIONALGIDS
] = { "additionalGids", BLOBMSG_TYPE_ARRAY
},
1419 static int parseOCIprocessuser(struct blob_attr
*msg
) {
1420 struct blob_attr
*tb
[__OCI_PROCESS_USER_MAX
];
1421 struct blob_attr
*cur
;
1425 blobmsg_parse(oci_process_user_policy
, __OCI_PROCESS_USER_MAX
, tb
, blobmsg_data(msg
), blobmsg_len(msg
));
1427 if (tb
[OCI_PROCESS_USER_UID
])
1428 opts
.pw_uid
= blobmsg_get_u32(tb
[OCI_PROCESS_USER_UID
]);
1430 if (tb
[OCI_PROCESS_USER_GID
]) {
1431 opts
.pw_gid
= blobmsg_get_u32(tb
[OCI_PROCESS_USER_GID
]);
1432 opts
.gr_gid
= blobmsg_get_u32(tb
[OCI_PROCESS_USER_GID
]);
1436 if (tb
[OCI_PROCESS_USER_ADDITIONALGIDS
]) {
1439 blobmsg_for_each_attr(cur
, tb
[OCI_PROCESS_USER_ADDITIONALGIDS
], rem
) {
1441 if (has_gid
&& (blobmsg_get_u32(cur
) == opts
.gr_gid
))
1446 opts
.additional_gids
= calloc(gidcnt
+ has_gid
, sizeof(gid_t
));
1449 /* always add primary GID to set of GIDs if set */
1451 opts
.additional_gids
[gidcnt
++] = opts
.gr_gid
;
1453 blobmsg_for_each_attr(cur
, tb
[OCI_PROCESS_USER_ADDITIONALGIDS
], rem
) {
1454 if (has_gid
&& (blobmsg_get_u32(cur
) == opts
.gr_gid
))
1456 opts
.additional_gids
[gidcnt
++] = blobmsg_get_u32(cur
);
1458 opts
.num_additional_gids
= gidcnt
;
1460 DEBUG("read %zu additional groups\n", gidcnt
);
1463 if (tb
[OCI_PROCESS_USER_UMASK
]) {
1464 opts
.umask
= blobmsg_get_u32(tb
[OCI_PROCESS_USER_UMASK
]);
1465 opts
.set_umask
= true;
1471 /* from manpage GETRLIMIT(2) */
1472 static const char* const rlimit_names
[RLIM_NLIMITS
] = {
1474 [RLIMIT_CORE
] = "CORE",
1475 [RLIMIT_CPU
] = "CPU",
1476 [RLIMIT_DATA
] = "DATA",
1477 [RLIMIT_FSIZE
] = "FSIZE",
1478 [RLIMIT_LOCKS
] = "LOCKS",
1479 [RLIMIT_MEMLOCK
] = "MEMLOCK",
1480 [RLIMIT_MSGQUEUE
] = "MSGQUEUE",
1481 [RLIMIT_NICE
] = "NICE",
1482 [RLIMIT_NOFILE
] = "NOFILE",
1483 [RLIMIT_NPROC
] = "NPROC",
1484 [RLIMIT_RSS
] = "RSS",
1485 [RLIMIT_RTPRIO
] = "RTPRIO",
1486 [RLIMIT_RTTIME
] = "RTTIME",
1487 [RLIMIT_SIGPENDING
] = "SIGPENDING",
1488 [RLIMIT_STACK
] = "STACK",
1491 static int resolve_rlimit(char *type
) {
1492 unsigned int rltype
;
1494 for (rltype
= 0; rltype
< RLIM_NLIMITS
; ++rltype
)
1495 if (rlimit_names
[rltype
] &&
1496 !strncmp("RLIMIT_", type
, 7) &&
1497 !strcmp(rlimit_names
[rltype
], type
+ 7))
1504 static int parseOCIrlimits(struct blob_attr
*msg
)
1506 struct blob_attr
*cur
, *cure
;
1509 struct rlimit
*curlim
;
1511 bool sethard
= false, setsoft
= false;
1513 blobmsg_for_each_attr(cur
, msg
, rem
) {
1514 blobmsg_for_each_attr(cure
, cur
, reme
) {
1515 if (!strcmp(blobmsg_name(cure
), "type") && (blobmsg_type(cure
) == BLOBMSG_TYPE_STRING
)) {
1516 limtype
= resolve_rlimit(blobmsg_get_string(cure
));
1517 } else if (!strcmp(blobmsg_name(cure
), "soft")) {
1518 switch (blobmsg_type(cure
)) {
1519 case BLOBMSG_TYPE_INT32
:
1520 soft
= blobmsg_get_u32(cure
);
1522 case BLOBMSG_TYPE_INT64
:
1523 soft
= blobmsg_get_u64(cure
);
1529 } else if (!strcmp(blobmsg_name(cure
), "hard")) {
1530 switch (blobmsg_type(cure
)) {
1531 case BLOBMSG_TYPE_INT32
:
1532 hard
= blobmsg_get_u32(cure
);
1534 case BLOBMSG_TYPE_INT64
:
1535 hard
= blobmsg_get_u64(cure
);
1549 if (opts
.rlimits
[limtype
])
1552 if (!sethard
|| !setsoft
)
1555 curlim
= malloc(sizeof(struct rlimit
));
1556 curlim
->rlim_cur
= soft
;
1557 curlim
->rlim_max
= hard
;
1559 opts
.rlimits
[limtype
] = curlim
;
1567 OCI_PROCESS_CAPABILITIES
,
1570 OCI_PROCESS_OOMSCOREADJ
,
1571 OCI_PROCESS_NONEWPRIVILEGES
,
1572 OCI_PROCESS_RLIMITS
,
1573 OCI_PROCESS_TERMINAL
,
1578 static const struct blobmsg_policy oci_process_policy
[] = {
1579 [OCI_PROCESS_ARGS
] = { "args", BLOBMSG_TYPE_ARRAY
},
1580 [OCI_PROCESS_CAPABILITIES
] = { "capabilities", BLOBMSG_TYPE_TABLE
},
1581 [OCI_PROCESS_CWD
] = { "cwd", BLOBMSG_TYPE_STRING
},
1582 [OCI_PROCESS_ENV
] = { "env", BLOBMSG_TYPE_ARRAY
},
1583 [OCI_PROCESS_OOMSCOREADJ
] = { "oomScoreAdj", BLOBMSG_TYPE_INT32
},
1584 [OCI_PROCESS_NONEWPRIVILEGES
] = { "noNewPrivileges", BLOBMSG_TYPE_BOOL
},
1585 [OCI_PROCESS_RLIMITS
] = { "rlimits", BLOBMSG_TYPE_ARRAY
},
1586 [OCI_PROCESS_TERMINAL
] = { "terminal", BLOBMSG_TYPE_BOOL
},
1587 [OCI_PROCESS_USER
] = { "user", BLOBMSG_TYPE_TABLE
},
1591 static int parseOCIprocess(struct blob_attr
*msg
)
1593 struct blob_attr
*tb
[__OCI_PROCESS_MAX
];
1596 blobmsg_parse(oci_process_policy
, __OCI_PROCESS_MAX
, tb
, blobmsg_data(msg
), blobmsg_len(msg
));
1598 if (!tb
[OCI_PROCESS_ARGS
])
1601 res
= parseOCIenvarray(tb
[OCI_PROCESS_ARGS
], &opts
.jail_argv
);
1605 opts
.console
= blobmsg_get_bool(tb
[OCI_PROCESS_TERMINAL
]);
1606 opts
.no_new_privs
= blobmsg_get_bool(tb
[OCI_PROCESS_NONEWPRIVILEGES
]);
1608 if (tb
[OCI_PROCESS_CWD
])
1609 opts
.cwd
= strdup(blobmsg_get_string(tb
[OCI_PROCESS_CWD
]));
1611 if (tb
[OCI_PROCESS_ENV
]) {
1612 res
= parseOCIenvarray(tb
[OCI_PROCESS_ENV
], &opts
.envp
);
1617 if (tb
[OCI_PROCESS_USER
] && (res
= parseOCIprocessuser(tb
[OCI_PROCESS_USER
])))
1620 if (tb
[OCI_PROCESS_CAPABILITIES
] &&
1621 (res
= parseOCIcapabilities(&opts
.capset
, tb
[OCI_PROCESS_CAPABILITIES
])))
1624 if (tb
[OCI_PROCESS_RLIMITS
] &&
1625 (res
= parseOCIrlimits(tb
[OCI_PROCESS_RLIMITS
])))
1628 if (tb
[OCI_PROCESS_OOMSCOREADJ
]) {
1629 opts
.oom_score_adj
= blobmsg_get_u32(tb
[OCI_PROCESS_OOMSCOREADJ
]);
1630 opts
.set_oom_score_adj
= true;
1637 OCI_LINUX_NAMESPACE_TYPE
,
1638 OCI_LINUX_NAMESPACE_PATH
,
1639 __OCI_LINUX_NAMESPACE_MAX
,
1642 static const struct blobmsg_policy oci_linux_namespace_policy
[] = {
1643 [OCI_LINUX_NAMESPACE_TYPE
] = { "type", BLOBMSG_TYPE_STRING
},
1644 [OCI_LINUX_NAMESPACE_PATH
] = { "path", BLOBMSG_TYPE_STRING
},
1647 static int resolve_nstype(char *type
) {
1648 if (!strcmp("pid", type
))
1649 return CLONE_NEWPID
;
1650 else if (!strcmp("network", type
))
1651 return CLONE_NEWNET
;
1652 else if (!strcmp("mount", type
))
1654 else if (!strcmp("ipc", type
))
1655 return CLONE_NEWIPC
;
1656 else if (!strcmp("uts", type
))
1657 return CLONE_NEWUTS
;
1658 else if (!strcmp("user", type
))
1659 return CLONE_NEWUSER
;
1660 else if (!strcmp("cgroup", type
))
1661 return CLONE_NEWCGROUP
;
1662 #ifdef CLONE_NEWTIME
1663 else if (!strcmp("time", type
))
1664 return CLONE_NEWTIME
;
1670 static int parseOCIlinuxns(struct blob_attr
*msg
)
1672 struct blob_attr
*tb
[__OCI_LINUX_NAMESPACE_MAX
];
1677 blobmsg_parse(oci_linux_namespace_policy
, __OCI_LINUX_NAMESPACE_MAX
, tb
, blobmsg_data(msg
), blobmsg_len(msg
));
1679 if (!tb
[OCI_LINUX_NAMESPACE_TYPE
])
1682 nstype
= resolve_nstype(blobmsg_get_string(tb
[OCI_LINUX_NAMESPACE_TYPE
]));
1686 if (opts
.namespace & nstype
)
1689 setns
= get_namespace_fd(nstype
);
1697 if (tb
[OCI_LINUX_NAMESPACE_PATH
]) {
1698 DEBUG("opening existing %s namespace from path %s\n",
1699 blobmsg_get_string(tb
[OCI_LINUX_NAMESPACE_TYPE
]),
1700 blobmsg_get_string(tb
[OCI_LINUX_NAMESPACE_PATH
]));
1702 fd
= open(blobmsg_get_string(tb
[OCI_LINUX_NAMESPACE_PATH
]), O_RDONLY
);
1704 return errno
?:ESTALE
;
1706 if (ioctl(fd
, NS_GET_NSTYPE
) != nstype
)
1709 DEBUG("opened existing %s namespace got filehandler %u\n",
1710 blobmsg_get_string(tb
[OCI_LINUX_NAMESPACE_TYPE
]),
1715 opts
.namespace |= nstype
;
1723 OCI_LINUX_UIDGIDMAP_CONTAINERID
,
1724 OCI_LINUX_UIDGIDMAP_HOSTID
,
1725 OCI_LINUX_UIDGIDMAP_SIZE
,
1726 __OCI_LINUX_UIDGIDMAP_MAX
,
1729 static const struct blobmsg_policy oci_linux_uidgidmap_policy
[] = {
1730 [OCI_LINUX_UIDGIDMAP_CONTAINERID
] = { "containerID", BLOBMSG_TYPE_INT32
},
1731 [OCI_LINUX_UIDGIDMAP_HOSTID
] = { "hostID", BLOBMSG_TYPE_INT32
},
1732 [OCI_LINUX_UIDGIDMAP_SIZE
] = { "size", BLOBMSG_TYPE_INT32
},
1735 static int parseOCIuidgidmappings(struct blob_attr
*msg
, bool is_gidmap
)
1737 const char *map_format
= "%d %d %d\n";
1738 struct blob_attr
*tb
[__OCI_LINUX_UIDGIDMAP_MAX
];
1739 struct blob_attr
*cur
;
1743 unsigned int cnt
= 0;
1744 size_t totallen
= 0;
1746 /* count number of mappings */
1747 blobmsg_for_each_attr(cur
, msg
, rem
)
1753 /* allocate array for mappings */
1754 mappings
= calloc(1 + cnt
, sizeof(char*));
1758 mappings
[cnt
] = NULL
;
1761 blobmsg_for_each_attr(cur
, msg
, rem
) {
1762 blobmsg_parse(oci_linux_uidgidmap_policy
, __OCI_LINUX_UIDGIDMAP_MAX
, tb
, blobmsg_data(cur
), blobmsg_len(cur
));
1764 if (!tb
[OCI_LINUX_UIDGIDMAP_CONTAINERID
] ||
1765 !tb
[OCI_LINUX_UIDGIDMAP_HOSTID
] ||
1766 !tb
[OCI_LINUX_UIDGIDMAP_SIZE
])
1769 /* write mapping line into allocated string */
1770 len
= asprintf(&mappings
[cnt
++], map_format
,
1771 blobmsg_get_u32(tb
[OCI_LINUX_UIDGIDMAP_CONTAINERID
]),
1772 blobmsg_get_u32(tb
[OCI_LINUX_UIDGIDMAP_HOSTID
]),
1773 blobmsg_get_u32(tb
[OCI_LINUX_UIDGIDMAP_SIZE
]));
1781 /* allocate combined mapping string */
1782 map
= calloc(1 + totallen
, sizeof(char));
1788 /* concatenate mapping strings into combined string */
1789 curstr
= mappings
[0];
1791 strcat(map
, curstr
);
1809 OCI_DEVICES_FILEMODE
,
1815 static const struct blobmsg_policy oci_devices_policy
[] = {
1816 [OCI_DEVICES_TYPE
] = { "type", BLOBMSG_TYPE_STRING
},
1817 [OCI_DEVICES_PATH
] = { "path", BLOBMSG_TYPE_STRING
},
1818 [OCI_DEVICES_MAJOR
] = { "major", BLOBMSG_TYPE_INT32
},
1819 [OCI_DEVICES_MINOR
] = { "minor", BLOBMSG_TYPE_INT32
},
1820 [OCI_DEVICES_FILEMODE
] = { "fileMode", BLOBMSG_TYPE_INT32
},
1821 [OCI_DEVICES_UID
] = { "uid", BLOBMSG_TYPE_INT32
},
1822 [OCI_DEVICES_GID
] = { "uid", BLOBMSG_TYPE_INT32
},
1825 static mode_t
resolve_devtype(char *tstr
)
1827 if (!strcmp("c", tstr
) ||
1830 else if (!strcmp("b", tstr
))
1832 else if (!strcmp("p", tstr
))
1838 static int parseOCIdevices(struct blob_attr
*msg
)
1840 struct blob_attr
*tb
[__OCI_DEVICES_MAX
];
1841 struct blob_attr
*cur
;
1844 struct mknod_args
*tmp
;
1846 blobmsg_for_each_attr(cur
, msg
, rem
)
1849 opts
.devices
= calloc(cnt
+ 1, sizeof(struct mknod_args
*));
1852 blobmsg_for_each_attr(cur
, msg
, rem
) {
1853 blobmsg_parse(oci_devices_policy
, __OCI_DEVICES_MAX
, tb
, blobmsg_data(cur
), blobmsg_len(cur
));
1854 if (!tb
[OCI_DEVICES_TYPE
] ||
1855 !tb
[OCI_DEVICES_PATH
])
1858 tmp
= calloc(1, sizeof(struct mknod_args
));
1862 tmp
->mode
= resolve_devtype(blobmsg_get_string(tb
[OCI_DEVICES_TYPE
]));
1866 if (tmp
->mode
!= S_IFIFO
) {
1867 if (!tb
[OCI_DEVICES_MAJOR
] || !tb
[OCI_DEVICES_MINOR
])
1870 tmp
->dev
= makedev(blobmsg_get_u32(tb
[OCI_DEVICES_MAJOR
]),
1871 blobmsg_get_u32(tb
[OCI_DEVICES_MINOR
]));
1874 if (tb
[OCI_DEVICES_FILEMODE
]) {
1875 if (~(S_IRWXU
|S_IRWXG
|S_IRWXO
) & blobmsg_get_u32(tb
[OCI_DEVICES_FILEMODE
]))
1878 tmp
->mode
|= blobmsg_get_u32(tb
[OCI_DEVICES_FILEMODE
]);
1880 tmp
->mode
|= (S_IRUSR
|S_IWUSR
); /* 0600 */
1883 tmp
->path
= strdup(blobmsg_get_string(tb
[OCI_DEVICES_PATH
]));
1885 if (tb
[OCI_DEVICES_UID
])
1886 tmp
->uid
= blobmsg_get_u32(tb
[OCI_DEVICES_UID
]);
1890 if (tb
[OCI_DEVICES_GID
])
1891 tmp
->gid
= blobmsg_get_u32(tb
[OCI_DEVICES_GID
]);
1895 DEBUG("read device %s (%s)\n", blobmsg_get_string(tb
[OCI_DEVICES_PATH
]), blobmsg_get_string(tb
[OCI_DEVICES_TYPE
]));
1896 opts
.devices
[cnt
++] = tmp
;
1899 opts
.devices
[cnt
] = NULL
;
1905 OCI_LINUX_RESOURCES
,
1908 OCI_LINUX_NAMESPACES
,
1910 OCI_LINUX_UIDMAPPINGS
,
1911 OCI_LINUX_GIDMAPPINGS
,
1912 OCI_LINUX_MASKEDPATHS
,
1913 OCI_LINUX_READONLYPATHS
,
1914 OCI_LINUX_ROOTFSPROPAGATION
,
1918 static const struct blobmsg_policy oci_linux_policy
[] = {
1919 [OCI_LINUX_RESOURCES
] = { "resources", BLOBMSG_TYPE_TABLE
},
1920 [OCI_LINUX_SECCOMP
] = { "seccomp", BLOBMSG_TYPE_TABLE
},
1921 [OCI_LINUX_SYSCTL
] = { "sysctl", BLOBMSG_TYPE_TABLE
},
1922 [OCI_LINUX_NAMESPACES
] = { "namespaces", BLOBMSG_TYPE_ARRAY
},
1923 [OCI_LINUX_DEVICES
] = { "devices", BLOBMSG_TYPE_ARRAY
},
1924 [OCI_LINUX_UIDMAPPINGS
] = { "uidMappings", BLOBMSG_TYPE_ARRAY
},
1925 [OCI_LINUX_GIDMAPPINGS
] = { "gidMappings", BLOBMSG_TYPE_ARRAY
},
1926 [OCI_LINUX_MASKEDPATHS
] = { "maskedPaths", BLOBMSG_TYPE_ARRAY
},
1927 [OCI_LINUX_READONLYPATHS
] = { "readonlyPaths", BLOBMSG_TYPE_ARRAY
},
1928 [OCI_LINUX_ROOTFSPROPAGATION
] = { "rootfsPropagation", BLOBMSG_TYPE_STRING
},
1931 static int parseOCIsysctl(struct blob_attr
*msg
)
1933 struct blob_attr
*cur
;
1938 blobmsg_for_each_attr(cur
, msg
, rem
) {
1939 if (!blobmsg_name(cur
) || !blobmsg_get_string(cur
))
1948 opts
.sysctl
= calloc(cnt
+ 1, sizeof(struct sysctl_val
*));
1953 blobmsg_for_each_attr(cur
, msg
, rem
) {
1954 opts
.sysctl
[cnt
] = malloc(sizeof(struct sysctl_val
));
1955 if (!opts
.sysctl
[cnt
])
1958 /* replace '.' with '/' in entry name */
1959 tc
= tmp
= strdup(blobmsg_name(cur
));
1960 while ((tc
= strchr(tc
, '.')))
1963 opts
.sysctl
[cnt
]->value
= strdup(blobmsg_get_string(cur
));
1964 opts
.sysctl
[cnt
]->entry
= tmp
;
1969 opts
.sysctl
[cnt
] = NULL
;
1974 static int parseOCIlinux(struct blob_attr
*msg
)
1976 struct blob_attr
*tb
[__OCI_LINUX_MAX
];
1977 struct blob_attr
*cur
;
1981 blobmsg_parse(oci_linux_policy
, __OCI_LINUX_MAX
, tb
, blobmsg_data(msg
), blobmsg_len(msg
));
1983 if (tb
[OCI_LINUX_NAMESPACES
]) {
1984 blobmsg_for_each_attr(cur
, tb
[OCI_LINUX_NAMESPACES
], rem
) {
1985 res
= parseOCIlinuxns(cur
);
1991 if (tb
[OCI_LINUX_UIDMAPPINGS
]) {
1992 res
= parseOCIuidgidmappings(tb
[OCI_LINUX_GIDMAPPINGS
], 0);
1997 if (tb
[OCI_LINUX_GIDMAPPINGS
]) {
1998 res
= parseOCIuidgidmappings(tb
[OCI_LINUX_GIDMAPPINGS
], 1);
2003 if (tb
[OCI_LINUX_READONLYPATHS
]) {
2004 blobmsg_for_each_attr(cur
, tb
[OCI_LINUX_READONLYPATHS
], rem
) {
2005 res
= add_mount(NULL
, blobmsg_get_string(cur
), NULL
, MS_BIND
| MS_REC
| MS_RDONLY
, NULL
, 0);
2011 if (tb
[OCI_LINUX_MASKEDPATHS
]) {
2012 blobmsg_for_each_attr(cur
, tb
[OCI_LINUX_MASKEDPATHS
], rem
) {
2013 res
= add_mount((void *)(-1), blobmsg_get_string(cur
), NULL
, 0, NULL
, 1);
2019 if (tb
[OCI_LINUX_SYSCTL
]) {
2020 res
= parseOCIsysctl(tb
[OCI_LINUX_SYSCTL
]);
2025 if (tb
[OCI_LINUX_SECCOMP
]) {
2026 opts
.ociseccomp
= parseOCIlinuxseccomp(tb
[OCI_LINUX_SECCOMP
]);
2027 if (!opts
.ociseccomp
)
2031 if (tb
[OCI_LINUX_DEVICES
]) {
2032 res
= parseOCIdevices(tb
[OCI_LINUX_DEVICES
]);
2051 static const struct blobmsg_policy oci_policy
[] = {
2052 [OCI_VERSION
] = { "ociVersion", BLOBMSG_TYPE_STRING
},
2053 [OCI_HOSTNAME
] = { "hostname", BLOBMSG_TYPE_STRING
},
2054 [OCI_PROCESS
] = { "process", BLOBMSG_TYPE_TABLE
},
2055 [OCI_ROOT
] = { "root", BLOBMSG_TYPE_TABLE
},
2056 [OCI_MOUNTS
] = { "mounts", BLOBMSG_TYPE_ARRAY
},
2057 [OCI_HOOKS
] = { "hooks", BLOBMSG_TYPE_TABLE
},
2058 [OCI_LINUX
] = { "linux", BLOBMSG_TYPE_TABLE
},
2061 static int parseOCI(const char *jsonfile
)
2063 struct blob_attr
*tb
[__OCI_MAX
];
2064 struct blob_attr
*cur
;
2068 blob_buf_init(&ocibuf
, 0);
2069 if (!blobmsg_add_json_from_file(&ocibuf
, jsonfile
))
2072 blobmsg_parse(oci_policy
, __OCI_MAX
, tb
, blob_data(ocibuf
.head
), blob_len(ocibuf
.head
));
2074 if (!tb
[OCI_VERSION
])
2077 if (strncmp("1.0", blobmsg_get_string(tb
[OCI_VERSION
]), 3)) {
2078 ERROR("unsupported ociVersion %s\n", blobmsg_get_string(tb
[OCI_VERSION
]));
2082 if (tb
[OCI_HOSTNAME
])
2083 opts
.hostname
= strdup(blobmsg_get_string(tb
[OCI_HOSTNAME
]));
2085 if (!tb
[OCI_PROCESS
])
2088 if ((res
= parseOCIprocess(tb
[OCI_PROCESS
])))
2094 if ((res
= parseOCIroot(jsonfile
, tb
[OCI_ROOT
])))
2097 if (!tb
[OCI_MOUNTS
])
2100 blobmsg_for_each_attr(cur
, tb
[OCI_MOUNTS
], rem
)
2101 if ((res
= parseOCImount(cur
)))
2104 if (tb
[OCI_LINUX
] && (res
= parseOCIlinux(tb
[OCI_LINUX
])))
2107 if (tb
[OCI_HOOKS
] && (res
= parseOCIhooks(tb
[OCI_HOOKS
])))
2110 blob_buf_free(&ocibuf
);
2115 static int set_oom_score_adj(void)
2120 if (!opts
.set_oom_score_adj
)
2123 snprintf(fname
, sizeof(fname
), "/proc/%u/oom_score_adj", jail_process
.pid
);
2124 f
= open(fname
, O_WRONLY
| O_TRUNC
);
2128 dprintf(f
, "%d", opts
.oom_score_adj
);
2135 int main(int argc
, char **argv
)
2138 uid_t uid
= getuid();
2139 const char log
[] = "/dev/log";
2140 const char ubus
[] = "/var/run/ubus.sock";
2141 char *jsonfile
= NULL
;
2149 ERROR("not root, aborting: %m\n");
2150 return EXIT_FAILURE
;
2155 init_library_search();
2157 while ((ch
= getopt(argc
, argv
, OPT_ARGS
)) != -1) {
2160 debug
= atoi(optarg
);
2163 opts
.namespace |= CLONE_NEWNS
;
2167 opts
.namespace |= CLONE_NEWNS
;
2171 opts
.namespace |= CLONE_NEWUSER
;
2174 opts
.namespace |= CLONE_NEWCGROUP
;
2177 opts
.extroot
= strdup(optarg
);
2180 opts
.namespace |= CLONE_NEWNS
;
2184 opts
.seccomp
= optarg
;
2185 add_mount_bind(optarg
, 1, -1);
2188 opts
.capabilities
= optarg
;
2191 opts
.no_new_privs
= 1;
2197 opts
.namespace |= CLONE_NEWNET
;
2200 opts
.namespace |= CLONE_NEWUTS
;
2201 opts
.hostname
= strdup(optarg
);
2204 opts
.namespace |= CLONE_NEWNS
;
2205 add_path_and_deps(optarg
, 1, 0, 0);
2208 opts
.namespace |= CLONE_NEWNS
;
2209 add_path_and_deps(optarg
, 0, 0, 0);
2212 opts
.namespace |= CLONE_NEWNS
;
2213 add_mount_bind(ubus
, 0, -1);
2216 opts
.namespace |= CLONE_NEWNS
;
2217 add_mount_bind(log
, 0, -1);
2223 opts
.group
= optarg
;
2226 opts
.overlaydir
= optarg
;
2229 opts
.tmpoverlaysize
= optarg
;
2232 opts
.require_jail
= 1;
2238 asprintf(&jsonfile
, "%s/config.json", optarg
);
2243 if (opts
.namespace && !jsonfile
)
2244 opts
.namespace |= CLONE_NEWIPC
| CLONE_NEWPID
;
2246 /* those are filehandlers, so -1 indicates unused */
2247 opts
.setns
.pid
= -1;
2248 opts
.setns
.net
= -1;
2250 opts
.setns
.ipc
= -1;
2251 opts
.setns
.uts
= -1;
2252 opts
.setns
.user
= -1;
2253 opts
.setns
.cgroup
= -1;
2254 #ifdef CLONE_NEWTIME
2255 opts
.setns
.time
= -1;
2260 ocires
= parseOCI(jsonfile
);
2263 ERROR("parsing of OCI JSON spec has failed: %s (%d)\n", strerror(ocires
), ocires
);
2268 if (opts
.tmpoverlaysize
&& strlen(opts
.tmpoverlaysize
) > 8) {
2269 ERROR("size parameter too long: \"%s\"\n", opts
.tmpoverlaysize
);
2273 /* no <binary> param found */
2274 if (!jsonfile
&& (argc
- optind
< 1)) {
2276 return EXIT_FAILURE
;
2278 if (!(jsonfile
||opts
.namespace||opts
.capabilities
||opts
.seccomp
)) {
2279 ERROR("Not using namespaces, capabilities or seccomp !!!\n\n");
2281 return EXIT_FAILURE
;
2283 DEBUG("Using namespaces(0x%08x), capabilities(%d), seccomp(%d)\n",
2285 opts
.capabilities
!= 0 || opts
.capset
.apply
,
2286 opts
.seccomp
!= 0 || opts
.ociseccomp
!= 0);
2289 /* allocate NULL-terminated array for argv */
2290 opts
.jail_argv
= calloc(1 + argc
- optind
, sizeof(char**));
2291 if (!opts
.jail_argv
)
2292 return EXIT_FAILURE
;
2294 for (size_t s
= optind
; s
< argc
; s
++)
2295 opts
.jail_argv
[s
- optind
] = strdup(argv
[s
]);
2297 if (opts
.namespace & CLONE_NEWUSER
)
2298 get_jail_user(&opts
.pw_uid
, &opts
.pw_gid
, &opts
.gr_gid
);
2301 if (!opts
.extroot
) {
2302 if (opts
.namespace && add_path_and_deps(*opts
.jail_argv
, 1, -1, 0)) {
2303 ERROR("failed to load dependencies\n");
2308 if (opts
.namespace && opts
.seccomp
&& add_path_and_deps("libpreload-seccomp.so", 1, -1, 1)) {
2309 ERROR("failed to load libpreload-seccomp.so\n");
2311 if (opts
.require_jail
)
2315 if (apply_rlimits()) {
2316 ERROR("error applying resource limits\n");
2321 prctl(PR_SET_NAME
, opts
.name
, NULL
, NULL
, NULL
);
2323 sigfillset(&sigmask
);
2324 for (i
= 0; i
< _NSIG
; i
++) {
2325 struct sigaction s
= { 0 };
2327 if (!sigismember(&sigmask
, i
))
2329 if ((i
== SIGCHLD
) || (i
== SIGPIPE
) || (i
== SIGSEGV
))
2332 s
.sa_handler
= jail_handle_signal
;
2333 sigaction(i
, &s
, NULL
);
2336 if (pipe(&pipes
[0]) < 0 || pipe(&pipes
[2]) < 0)
2339 if (has_namespaces()) {
2340 if (opts
.namespace & CLONE_NEWNS
) {
2341 if (!opts
.extroot
&& (opts
.user
|| opts
.group
)) {
2342 add_mount_bind("/etc/passwd", 0, -1);
2343 add_mount_bind("/etc/group", 0, -1);
2346 #if defined(__GLIBC__)
2348 add_mount_bind("/etc/nsswitch.conf", 0, -1);
2351 if (!(opts
.namespace & CLONE_NEWNET
)) {
2352 add_mount_bind("/etc/resolv.conf", 0, -1);
2353 } else if (opts
.setns
.net
== -1) {
2354 char hostdir
[PATH_MAX
];
2356 snprintf(hostdir
, PATH_MAX
, "/tmp/resolv.conf-%s.d", opts
.name
);
2357 mkdir_p(hostdir
, 0755);
2358 add_mount(hostdir
, "/dev/resolv.conf.d", NULL
, MS_BIND
| MS_NOEXEC
| MS_NOATIME
| MS_NOSUID
| MS_NODEV
| MS_RDONLY
, NULL
, -1);
2361 /* default mounts */
2362 add_mount(NULL
, "/dev", "tmpfs", MS_NOATIME
| MS_NOEXEC
| MS_NOSUID
, "size=1M", -1);
2363 add_mount(NULL
, "/dev/pts", "devpts", MS_NOATIME
| MS_NOEXEC
| MS_NOSUID
, "newinstance,ptmxmode=0666,mode=0620,gid=5", 0);
2365 if (opts
.procfs
|| jsonfile
) {
2366 add_mount("proc", "/proc", "proc", MS_NOATIME
| MS_NODEV
| MS_NOEXEC
| MS_NOSUID
, NULL
, -1);
2369 * hack to make /proc/sys/net read-write while the rest of /proc/sys is read-only
2370 * which cannot be expressed with OCI spec, but happends to be very useful.
2371 * Only apply it if '/proc/sys' is not already listed as mount, maskedPath or
2373 * If not running in a new network namespace, only make /proc/sys read-only.
2374 * If running in a new network namespace, temporarily stash (ie. mount-bind)
2375 * /proc/sys/net into (totally unrelated, but surely existing) /proc/self/net.
2376 * Then we mount-bind /proc/sys read-only and then mount-move /proc/self/net into
2378 * This works because mounts are executed in incrementing strcmp() order and
2379 * /proc/self/net appears there before /proc/sys/net and hence the operation
2380 * succeeds as the bind-mount of /proc/self/net is performed first and then
2381 * move-mount of /proc/sys/net follows because 'e' preceeds 'y' in the ASCII
2382 * table (and in the alphabet).
2384 if (!add_mount(NULL
, "/proc/sys", NULL
, MS_BIND
| MS_RDONLY
, NULL
, -1))
2385 if (opts
.namespace & CLONE_NEWNET
)
2386 if (!add_mount_inner("/proc/self/net", "/proc/sys/net", NULL
, MS_MOVE
, NULL
, -1))
2387 add_mount_inner("/proc/sys/net", "/proc/self/net", NULL
, MS_BIND
, NULL
, -1);
2390 if (opts
.sysfs
|| jsonfile
)
2391 add_mount("sysfs", "/sys", "sysfs", MS_NOATIME
| MS_NODEV
| MS_NOEXEC
| MS_NOSUID
| MS_RDONLY
, NULL
, -1);
2394 add_mount("shm", "/dev/shm", "tmpfs", MS_NOSUID
| MS_NOEXEC
| MS_NODEV
, "mode=1777", -1);
2398 if (opts
.setns
.pid
!= -1) {
2399 pidns_fd
= pidns_open_pid(getpid());
2400 setns_open(CLONE_NEWPID
);
2405 jail_process
.pid
= clone(exec_jail
, child_stack
+ STACK_SIZE
, SIGCHLD
| opts
.namespace, &pipes
);
2407 jail_process
.pid
= fork();
2410 if (jail_process
.pid
> 0) {
2411 /* parent process */
2414 if (pidns_fd
!= -1) {
2415 setns(pidns_fd
, CLONE_NEWPID
);
2418 if (opts
.setns
.net
!= -1)
2419 close(opts
.setns
.net
);
2420 if (opts
.setns
.ns
!= -1)
2421 close(opts
.setns
.ns
);
2422 if (opts
.setns
.ipc
!= -1)
2423 close(opts
.setns
.ipc
);
2424 if (opts
.setns
.uts
!= -1)
2425 close(opts
.setns
.uts
);
2426 if (opts
.setns
.user
!= -1)
2427 close(opts
.setns
.user
);
2428 if (opts
.setns
.cgroup
!= -1)
2429 close(opts
.setns
.cgroup
);
2430 #ifdef CLONE_NEWTIME
2431 if (opts
.setns
.time
!= -1)
2432 close(opts
.setns
.time
);
2436 run_hooks(opts
.hooks
.createRuntime
);
2437 if (read(pipes
[0], sig_buf
, 1) < 1) {
2438 ERROR("can't read from child\n");
2442 set_oom_score_adj();
2444 if (opts
.namespace & CLONE_NEWUSER
) {
2445 if (write_setgroups(jail_process
.pid
, true)) {
2446 ERROR("can't write setgroups\n");
2450 bool has_gr
= (opts
.gr_gid
!= -1);
2451 if (opts
.pw_uid
!= -1) {
2452 write_single_uid_gid_map(jail_process
.pid
, 0, opts
.pw_uid
);
2453 write_single_uid_gid_map(jail_process
.pid
, 1, has_gr
?opts
.gr_gid
:opts
.pw_gid
);
2455 write_single_uid_gid_map(jail_process
.pid
, 0, 65534);
2456 write_single_uid_gid_map(jail_process
.pid
, 1, has_gr
?opts
.gr_gid
:65534);
2459 write_uid_gid_map(jail_process
.pid
, 0, opts
.uidmap
);
2461 write_uid_gid_map(jail_process
.pid
, 1, opts
.gidmap
);
2465 if (opts
.namespace & CLONE_NEWNET
) {
2467 ERROR("netns needs a named jail\n");
2470 netns_fd
= netns_open_pid(jail_process
.pid
);
2471 netns_updown(jail_process
.pid
, true);
2475 if (write(pipes
[3], sig_buf
, 1) < 0) {
2476 ERROR("can't write to child\n");
2480 run_hooks(opts
.hooks
.poststart
);
2483 uloop_process_add(&jail_process
);
2486 DEBUG("uloop interrupted, killing jail process\n");
2487 kill(jail_process
.pid
, SIGTERM
);
2488 uloop_timeout_set(&jail_process_timeout
, 1000);
2492 if (opts
.namespace & CLONE_NEWNET
) {
2493 setns(netns_fd
, CLONE_NEWNET
);
2494 netns_updown(getpid(), false);
2497 run_hooks(opts
.hooks
.poststop
);
2499 return jail_return_code
;
2500 } else if (jail_process
.pid
== 0) {
2501 /* fork child process */
2502 return exec_jail(&pipes
);
2504 ERROR("failed to clone/fork: %m\n");
2505 return EXIT_FAILURE
;