systemd/src/core/namespace.h

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

#pragma once

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <stdbool.h>

#include "macro.h"

typedef enum ProtectHome {
        PROTECT_HOME_NO,
        PROTECT_HOME_YES,
        PROTECT_HOME_READ_ONLY,
        _PROTECT_HOME_MAX,
        _PROTECT_HOME_INVALID = -1
} ProtectHome;

typedef enum ProtectSystem {
        PROTECT_SYSTEM_NO,
        PROTECT_SYSTEM_YES,
        PROTECT_SYSTEM_FULL,
        _PROTECT_SYSTEM_MAX,
        _PROTECT_SYSTEM_INVALID = -1
} ProtectSystem;

int setup_namespace(const char *chroot,
                    char **read_write_dirs,
                    char **read_only_dirs,
                    char **inaccessible_dirs,
                    const char *tmp_dir,
                    const char *var_tmp_dir,
                    const char *endpoint_path,
                    bool private_dev,
                    ProtectHome protect_home,
                    ProtectSystem protect_system,
                    unsigned long mount_flags);

int setup_tmp_dirs(const char *id,
                  char **tmp_dir,
                  char **var_tmp_dir);

int setup_netns(int netns_storage_socket[2]);

const char* protect_home_to_string(ProtectHome p) _const_;
ProtectHome protect_home_from_string(const char *s) _pure_;

const char* protect_system_to_string(ProtectSystem p) _const_;
ProtectSystem protect_system_from_string(const char *s) _pure_;
emacs: disable tabs in .h files, too 2010-08-17 05:33:07 +04:00			`/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/`
execute: support basic filesystem namespacing 2010-04-22 00:15:06 +04:00
use #pragma once instead of foo*foo #define guards #pragma once has been "un-deprecated" in gcc since 3.3, and is widely supported in other compilers. I've been using and maintaining (rebasing) this patch for a while now, as it annoyed me to see #ifndef fooblahfoo, etc all over the place, almost arrogant about the annoyance of having to define all these names to perform a commen but neccicary functionality, when a completely superior alternative exists. I havn't sent it till now, cause its kindof a style change, and it is bad voodoo to mess with style that has been established by more established editors. So feel free to lambast me as a crazy bafoon. v2 - preserve externally used headers 2012-07-18 21:07:51 +04:00			`#pragma once`
execute: support basic filesystem namespacing 2010-04-22 00:15:06 +04:00
			`/***`
			`This file is part of systemd.`

			`Copyright 2010 Lennart Poettering`

			`systemd is free software; you can redistribute it and/or modify it`
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends. 2012-04-12 02:20:58 +04:00			`under the terms of the GNU Lesser General Public License as published by`
			`the Free Software Foundation; either version 2.1 of the License, or`
execute: support basic filesystem namespacing 2010-04-22 00:15:06 +04:00			`(at your option) any later version.`

			`systemd is distributed in the hope that it will be useful, but`
			`WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends. 2012-04-12 02:20:58 +04:00			`Lesser General Public License for more details.`
execute: support basic filesystem namespacing 2010-04-22 00:15:06 +04:00
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends. 2012-04-12 02:20:58 +04:00			`You should have received a copy of the GNU Lesser General Public License`
execute: support basic filesystem namespacing 2010-04-22 00:15:06 +04:00			`along with systemd; If not, see <http://www.gnu.org/licenses/>.`
			`***/`

			`#include <stdbool.h>`

core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data. 2014-06-04 01:41:44 +04:00			`#include "macro.h"`

core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data. 2014-06-04 20:07:55 +04:00			`typedef enum ProtectHome {`
			`PROTECT_HOME_NO,`
			`PROTECT_HOME_YES,`
			`PROTECT_HOME_READ_ONLY,`
			`_PROTECT_HOME_MAX,`
			`_PROTECT_HOME_INVALID = -1`
			`} ProtectHome;`

			`typedef enum ProtectSystem {`
			`PROTECT_SYSTEM_NO,`
			`PROTECT_SYSTEM_YES,`
			`PROTECT_SYSTEM_FULL,`
			`_PROTECT_SYSTEM_MAX,`
			`_PROTECT_SYSTEM_INVALID = -1`
			`} ProtectSystem;`
core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data. 2014-06-04 01:41:44 +04:00
core: Private/Protect options with RootDirectory When a service is chrooted with the option RootDirectory=/opt/..., then the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}. The test-ns tool can test setup_namespace() with and without chroot: $ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns $ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns 2015-05-18 13:20:28 +03:00			`int setup_namespace(const char *chroot,`
			`char **read_write_dirs,`
core: reuse the same /tmp, /var/tmp and inaccessible dir All Execs within the service, will get mounted the same /tmp and /var/tmp directories, if service is configured with PrivateTmp=yes. Temporary directories are cleaned up by service itself in addition to systemd-tmpfiles. Directory which is mounted as inaccessible is created at runtime in /run/systemd. 2013-03-14 21:12:27 +04:00			`char **read_only_dirs,`
			`char **inaccessible_dirs,`
namespace: add missing 'const' to parameters 2014-10-17 15:48:55 +04:00			`const char *tmp_dir,`
			`const char *var_tmp_dir,`
			`const char *endpoint_path,`
exec: introduce PrivateDevices= switch to provide services with a private /dev Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them. 2014-01-20 22:54:51 +04:00			`bool private_dev,`
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data. 2014-06-04 20:07:55 +04:00			`ProtectHome protect_home,`
			`ProtectSystem protect_system,`
Type of mount(2) flags is unsigned long 2015-01-01 20:40:07 +03:00			`unsigned long mount_flags);`
service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces 2013-11-27 23:23:18 +04:00
			`int setup_tmp_dirs(const char *id,`
			`char **tmp_dir,`
			`char **var_tmp_dir);`

			`int setup_netns(int netns_storage_socket[2]);`
core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data. 2014-06-04 01:41:44 +04:00
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data. 2014-06-04 20:07:55 +04:00			`const char* protect_home_to_string(ProtectHome p) _const_;`
			`ProtectHome protect_home_from_string(const char *s) _pure_;`

			`const char* protect_system_to_string(ProtectSystem p) _const_;`
			`ProtectSystem protect_system_from_string(const char *s) _pure_;`