Path: src/core/namespace.c

Commit log. Each entry lists the subject, then author, date, number of files changed and lines removed/added, followed by the commit message body where one exists.
* core/namespace: replace MOUNT_PRIVATE_TMP_READ_ONLY with MOUNT_PRIVATE_TMP with .read_only = true
  Yu Watanabe, 2024-10-23, 1 file, -10/+5

* core/namespace: coding style cleanups
  Yu Watanabe, 2024-10-23, 1 file, -6/+6

* core/namespace: honor MountEntry.read_only, .options, and so on in static entries
  Yu Watanabe, 2024-10-23, 1 file, -5/+10
  Otherwise, ProtectHome=tmpfs makes /home/ and friends not read-only. Also, mount options for /run/ specified in MountAPIVFS=yes are not applied. The function append_static_mounts() was introduced in 5327c910d2fc1ae91bd0b891be92b30379c7467b, but at that time, there were neither .read_only nor .options in the struct. But, when later the struct was extended, the function was not updated and they were not copied from the static table. The fields have been used in static tables since e4da7d8c796a1fd11ecfa80fb8a48eac9e823f06, and also in 94293d65cd4125347e21b3e423d0e245226b1be2. Fixes #34825.
* core: do not fail if ignorable img.v/ vpick dir is missing
  Luca Boccassi, 2024-10-15, 1 file, -0/+4
  Do not fail if the directory is missing entirely, other than just empty.
  Follow-up for 00f546e25e8
  Follow-up for 5e79dd96a88
  Follow-up for 622efc544dc

* namespace: rename drop_unused_mounts() → sort_and_drop_unused_mounts()
  Lennart Poettering, 2024-10-09, 1 file, -3/+3
  The function sorts the listed mounts, and that's kinda key, hence reflect that in the name.

* core: drop implicit support of PrivateTmp=off
  Yu Watanabe, 2024-10-09, 1 file, -1/+1
  Follow-up for 0e551b04efb911d38b586cca1a6a462c87a2cb1b. Similar to the previous commit, but for PrivateTmp=.

* core: drop implicit support of PrivateUsers=off
  Yu Watanabe, 2024-10-08, 1 file, -1/+1
  Follow-up for fa693fdc7e17618958c505af4b2f39ecd1c3363e. The documentation says the option takes a boolean or one of "self" and "identity". But the parser uses private_users_from_string() which also accepts "off". Let's drop the implicit support of "off".

* tree-wide: replace reallocarray() with GREEDY_REALLOC()
  Yu Watanabe, 2024-10-08, 1 file, -12/+4

* core: do not fail if ignorable img.v/ vpick dir is empty
  Luca Boccassi, 2024-09-13, 1 file, -6/+14
  If the vpick directory is configured to be ignored if missing, do not fail and just skip ahead.
  Follow-up for 5e79dd96a88
  Follow-up for 622efc544dc

* core: Add support for PrivateUsers=identity
  Daan De Meyer, 2024-09-09, 1 file, -0/+8
  This configures an identity mapping similar to systemd-nspawn --private-users=identity.

* core: rename BindJournalSockets= to BindLogSockets=
  Mike Yuan, 2024-09-04, 1 file, -4/+4
  Addresses https://github.com/systemd/systemd/pull/32487#issuecomment-2328465309

* core/namespace: add comment to explain the non-obvious assumption on /run/systemd/journal/
  Mike Yuan, 2024-09-04, 1 file, -0/+2
  Follow-up for 119820f8abf587f96a11fb1f28ef854e84bc3122
  Addresses https://github.com/systemd/systemd/pull/32487#discussion_r1743493196

* core/namespace: make bind mounted journal sockets nosuid + noexec + nodev
  Mike Yuan, 2024-09-04, 1 file, -3/+7
  Addresses https://github.com/systemd/systemd/pull/32487#discussion_r1743464797

* core/namespace: use GREEDY_REALLOC at one more place
  Mike Yuan, 2024-09-04, 1 file, -6/+2

* core/namespace: create /dev/log only if journal socket is present
  Mike Yuan, 2024-09-03, 1 file, -6/+11

* core: introduce BindJournalSockets=
  Mike Yuan, 2024-09-03, 1 file, -1/+12
  Closes #32478
* namespace: Fix extension release memory leak
  maia x., 2024-08-20, 1 file, -8/+14
  In apply_one_mount(), in the MOUNT_EXTENSION_DIRECTORY case, char **extension_release was used as a return pointer twice but only cleaned up once in the end. Fix it by removing duplicate code that was causing this issue. Fixes issue introduced in 55ea4ef096543d2bceea9315868d5aca945d7a57.

* core: try again bind mounting if the destination was already created
  Luca Boccassi, 2024-06-30, 1 file, -5/+5
  If the destination mount point is on a shared filesystem and is missing on the first attempt, we try to create it, but then fail with -EEXIST if something else created it in the meanwhile. Enter the retry logic on EEXIST, as we can just use the mount point if it was already created. Fixes https://github.com/systemd/systemd/issues/29690

* core: deduplicate identical dm-verity ExtensionImages=
  Luca Boccassi, 2024-06-28, 1 file, -1/+46
  It turns out OverlayFS doesn't handle gracefully when the same source is specified multiple times in lowerdir= and it fails with ELOOP:
  Failed to mount overlay (type overlay) on /run/systemd/mount-rootfs/opt (MS_RDONLY "lowerdir=/run/systemd/unit-extensions/1/opt:/run/systemd/unit-extensions/0/opt:/run/systemd/mount-rootfs/opt"): Too many levels of symbolic links
  This happens even if we mount each image in a different internal mount path, as OverlayFS will resolve it and look for the backing device, which will be the same device mapper entity, and return a hard error. This error does not appear if dm-verity is not used, so it is very confusing for users, and unnecessary. When mounting ExtensionImages, check if an image is dm-veritied, and drop duplicates if the root hashes match, to avoid this user-unfriendly hard error.

* core: expose PrivateTmp=disconnected
  Mike Yuan, 2024-06-21, 1 file, -1/+1
  As discussed in https://github.com/systemd/systemd/pull/32724#discussion_r1638963071 I don't find the opposite reasoning particularly convincing. We have ProtectHome=tmpfs and friends, and those can be pretty much trivially implemented through TemporaryFileSystem= too. The new logic brings many benefits, and is completely generic, hence I see no reason not to expose it. We can even get more tests for the code path if we make it public.

* core/namespace: add assertion for PRIVATE_TMP_CONNECTED
  Mike Yuan, 2024-06-21, 1 file, -1/+4

* core/namespace: ensure private tmpfs is mounted earlier
  Yu Watanabe, 2024-06-20, 1 file, -3/+5
  And drop spurious assertion. Fortunately, the previous logic worked, as /run/systemd/unit-private-tmp is ordered earlier than /tmp or /var/tmp. But, let's ensure the tmpfs is mounted earlier to make the logic clearer. Follow-up for 0e551b04efb911d38b586cca1a6a462c87a2cb1b.
* Merge pull request #32724 from bluca/dynamic_user_no_private_tmp
  Luca Boccassi, 2024-06-18, 1 file, -31/+110
  core: do not imply PrivateTmp with DynamicUser, create a private tmpfs instead

  * core: do not imply PrivateTmp with DynamicUser, create a private tmpfs instead
    Luca Boccassi, 2024-06-17, 1 file, -31/+110
    DynamicUser= enables PrivateTmp= implicitly to avoid files owned by reusable uids leaking into the host. Change it to instead create a fully private tmpfs instance, which also ensures the same result, since it has less impactful semantics with respect to PrivateTmp=yes, which links the mount namespace to the host's /tmp instead. If a user specifies PrivateTmp manually, leave the existing behaviour unchanged to ensure backward compatibility is not broken.

* fs-util: add simple open_mkdir() wrapper
  Lennart Poettering, 2024-06-15, 1 file, -1/+1
* namespace: rename 'n' to 'n_mount_images'
  Lennart Poettering, 2024-06-13, 1 file, -4/+4
  Let's make clear what this actually counts (at least initially).

* core/namespace: take char* const* for strv, use FOREACH_ARRAY
  Mike Yuan, 2024-05-09, 1 file, -7/+7

* tree-wise: several cleanups for logging
  Yu Watanabe, 2024-04-30, 1 file, -4/+4
  - drop unnecessary SYNTHETIC_ERRNO() when the logger does not propagate error code,
  - drop unnecessary '%m' in error message when the error code is specified with SYNTHETIC_ERRNO(),
  - add missing full stop at the end of log message,
  - use RET_GATHER(),
  - add missing ", ignoring.",
  - uppercase the first letter,
  etc., etc...
* core/namespace: modernize mount_private_dev
  Mike Yuan, 2024-04-27, 1 file, -60/+41

* core/namespace: modernize clone_device_node
  Mike Yuan, 2024-04-27, 1 file, -21/+20

* core/namespace: use FOREACH_ARRAY at one more place
  Mike Yuan, 2024-04-27, 1 file, -3/+3

* core/namespace: check error first, add missing assertion
  Mike Yuan, 2024-04-26, 1 file, -3/+5

* core: implement RootImage= via mountfsd in unprivileged environments
  Lennart Poettering, 2024-04-06, 1 file, -36/+56

* dissect-image: add flag for explicitly enabling userspace verity signature checking
  Lennart Poettering, 2024-02-28, 1 file, -1/+2
  Let's make userspace verity signature checking optional. This adds a dissection flag to enable the logic and patches through all our users to enable it by default, thus effectively not changing anything from the status quo ante. However, now we have a knob to turn this off in certain scenarios.
* core: add support for vpick for ExtensionDirectories=
  Luca Boccassi, 2024-02-17, 1 file, -5/+16

* core: add support for vpick for ExtensionImages=
  Luca Boccassi, 2024-02-17, 1 file, -1/+17

* mountpoint-util: introduce path_is_mount_point_full
  Mike Yuan, 2024-02-06, 1 file, -6/+6

* namespace: don't invoke loopback_setup() unless we allocate a CLONE_NEWNET namespace
  Lennart Poettering, 2024-01-31, 1 file, -9/+7
  It doesn't really make sense to initialize the loopback device if we are not called for a network namespace. Follow-up for 54c2459d560283f556e331246f64776cebd6eba6

* simplify bitwise checking (#30722)
  AtariDreams, 2024-01-09, 1 file, -2/+1
  Some of these checks before bitwise operations are redundant and compilers do not always recognize them, so let's simplify the code to make the intentions clearer.

* tree-wide: drop space between variable and an increment/decrement
  Yu Watanabe, 2023-12-24, 1 file, -4/+4

* core: do not make private /dev/ read-only too soon
  Luca Boccassi, 2023-12-08, 1 file, -5/+0
  The read-only bit is flipped after setting up all the mounts, so that bind mounts can be added. Remove the early config, and add a unit test. Fixes https://github.com/systemd/systemd/issues/30372

* core: check that extensions have the hierarchies before overlaying
  Luca Boccassi, 2023-11-03, 1 file, -47/+62
  Before confext was added, hierarchies always existed in extensions. Now they are optional - i.e., a sysext will not contain /etc/. So mixing a confext and a sysext fails, as we'll try to create an overlay with /etc/ from the base, the confext and the sysext, but the latter doesn't have the directory. After the source images are mounted, check that each hierarchy exists in each source image before creating the overlay, and drop them if they don't. Follow-up for 55ea4ef096543

* namespace: fix whitespace mixup
  Lennart Poettering, 2023-11-03, 1 file, -5/+5

* namespace: normalize MountMode type a bit
  Lennart Poettering, 2023-10-28, 1 file, -165/+165
  Let's prefix it with a common prefix, and make sure the names are all singular and the string table actually matches the names. No change in behaviour, just some refactoring to make this enum a bit less special, and make it follow our usual coding style more closely.

* core: do not post-process skipped mounts
  Luca Boccassi, 2023-10-26, 1 file, -16/+51
  When a mount is gracefully skipped (e.g.: BindReadOnlyPaths=-/nonexistent) we still post-process it, like making it read-only. Except if nothing has been mounted, the mount point will be made read-only for no reason. Track when mounts are skipped and avoid post-processing. One day we'll switch all of this to the new mount api and do these operations atomically or not at all. Fixes https://github.com/systemd/systemd/issues/29725

* Merge pull request #29529 from yuwata/core-namespace-check-priv
  Luca Boccassi, 2023-10-26, 1 file, -66/+81
  core/namespace: check if we have enough privilege

  * core/namespace: check if we have enough privilege to mount sysfs or procfs
    Yu Watanabe, 2023-10-26, 1 file, -14/+27
    If we do not have enough privilege to mount a new instance of sysfs or procfs, units e.g. with PrivateNetwork=yes may fail. Let's first try to mount sysfs or procfs anyway to check if we have enough privilege. Fixes #29526.

  * core/namespace: unify logic of mounting /proc and /sys
    Yu Watanabe, 2023-10-26, 1 file, -51/+40
    No functional change, just refactoring.

  * core/namespace: split out create_temporary_mount_point()
    Yu Watanabe, 2023-10-19, 1 file, -11/+24
    No functional change, preparation for later commits.

* core/namespace: merge if blocks
  Mike Yuan, 2023-10-19, 1 file, -6/+4