/* vi: set sw=4 ts=4: */
/*
 * Mini unshare implementation for busybox.
 *
 * Copyright (C) 2016 by Bartosz Golaszewski <bartekgola@gmail.com>
 *
 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
 */
//config:config UNSHARE
//config:       bool "unshare"
//config:       default y
//config:       depends on LONG_OPTS && !NOMMU
//config:       select PLATFORM_LINUX
//config:       help
//config:         Run program with some namespaces unshared from parent.

// depends on LONG_OPTS: it is awkward to exclude code which handles --propagation
// and --setgroups based on LONG_OPTS, so instead applet requires LONG_OPTS.
// depends on !NOMMU: we need fork()

//applet:IF_UNSHARE(APPLET(unshare, BB_DIR_USR_BIN, BB_SUID_DROP))

//kbuild:lib-$(CONFIG_UNSHARE) += unshare.o

//usage:#define unshare_trivial_usage
//usage:       "[OPTIONS] [PROG [ARGS]]"
//usage:#define unshare_full_usage "\n"
//usage:     "\n        -m, --mount[=FILE]      Unshare mount namespace"
//usage:     "\n        -u, --uts[=FILE]        Unshare UTS namespace (hostname etc.)"
//usage:     "\n        -i, --ipc[=FILE]        Unshare System V IPC namespace"
//usage:     "\n        -n, --net[=FILE]        Unshare network namespace"
//usage:     "\n        -p, --pid[=FILE]        Unshare PID namespace"
//usage:     "\n        -U, --user[=FILE}       Unshare user namespace"
//usage:     "\n        -f, --fork              Fork before execing PROG"
//usage:     "\n        -r, --map-root-user     Map current user to root (implies -u)"
//usage:     "\n        --mount-proc[=DIR]      Mount /proc filesystem first (implies -m)"
//usage:     "\n        --propagation slave|shared|private|unchanged"
//usage:     "\n                                Modify mount propagation in mount namespace"
//usage:     "\n        --setgroups allow|deny  Control the setgroups syscall in user namespaces"

#include <sched.h>
#ifndef CLONE_NEWUTS
# define CLONE_NEWUTS  0x04000000
#endif
#ifndef CLONE_NEWIPC
# define CLONE_NEWIPC  0x08000000
#endif
#ifndef CLONE_NEWUSER
# define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
# define CLONE_NEWPID  0x20000000
#endif
#ifndef CLONE_NEWNET
# define CLONE_NEWNET  0x40000000
#endif

#include <sys/mount.h>
#ifndef MS_REC
# define MS_REC     (1 << 14)
#endif
#ifndef MS_PRIVATE
# define MS_PRIVATE (1 << 18)
#endif
#ifndef MS_SLAVE
# define MS_SLAVE   (1 << 19)
#endif
#ifndef MS_SHARED
# define MS_SHARED  (1 << 20)
#endif

#include "libbb.h"

static void mount_or_die(const char *source, const char *target,
                 const char *fstype, unsigned long mountflags)
{
        if (mount(source, target, fstype, mountflags, NULL)) {
                bb_perror_msg_and_die("can't mount %s on %s (flags:0x%lx)",
                        source, target, mountflags);
                /* fstype is always either NULL or "proc".
                 * "proc" is only used to mount /proc.
                 * No need to clutter up error message with fstype,
                 * it is easily deductible.
                 */
        }
}

#define PATH_PROC_SETGROUPS     "/proc/self/setgroups"
#define PATH_PROC_UIDMAP        "/proc/self/uid_map"
#define PATH_PROC_GIDMAP        "/proc/self/gid_map"

struct namespace_descr {
        int flag;
        const char nsfile4[4];
};

struct namespace_ctx {
        char *path;
};

enum {
        OPT_mount       = 1 << 0,
        OPT_uts         = 1 << 1,
        OPT_ipc         = 1 << 2,
        OPT_net         = 1 << 3,
        OPT_pid         = 1 << 4,
        OPT_user        = 1 << 5, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */
        OPT_fork        = 1 << 6,
        OPT_map_root    = 1 << 7,
        OPT_mount_proc  = 1 << 8,
        OPT_propagation = 1 << 9,
        OPT_setgroups   = 1 << 10,
};
enum {
        NS_MNT_POS = 0,
        NS_UTS_POS,
        NS_IPC_POS,
        NS_NET_POS,
        NS_PID_POS,
        NS_USR_POS, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */
        NS_COUNT,
};
static const struct namespace_descr ns_list[] = {
        { CLONE_NEWNS,   "mnt"  },
        { CLONE_NEWUTS,  "uts"  },
        { CLONE_NEWIPC,  "ipc"  },
        { CLONE_NEWNET,  "net"  },
        { CLONE_NEWPID,  "pid"  },
        { CLONE_NEWUSER, "user" }, /* OPT_user, NS_USR_POS, and ns_list[] index must match! */
};

/*
 * Upstream unshare doesn't support short options for --mount-proc,
 * --propagation, --setgroups.
 * Optional arguments (namespace mountpoints) exist only for long opts,
 * we are forced to use "fake" letters for them.
 * '+': stop at first non-option.
 */
static const char opt_str[] ALIGN1 = "+muinpU""fr""\xfd::""\xfe:""\xff:";
static const char unshare_longopts[] ALIGN1 =
        "mount\0"               Optional_argument       "\xf0"
        "uts\0"                 Optional_argument       "\xf1"
        "ipc\0"                 Optional_argument       "\xf2"
        "net\0"                 Optional_argument       "\xf3"
        "pid\0"                 Optional_argument       "\xf4"
        "user\0"                Optional_argument       "\xf5"
        "fork\0"                No_argument             "f"
        "map-root-user\0"       No_argument             "r"
        "mount-proc\0"          Optional_argument       "\xfd"
        "propagation\0"         Required_argument       "\xfe"
        "setgroups\0"           Required_argument       "\xff"
;

/* Ugly-looking string reuse trick */
#define PRIVATE_STR   "private\0""unchanged\0""shared\0""slave\0"
#define PRIVATE_UNCHANGED_SHARED_SLAVE   PRIVATE_STR

static unsigned long parse_propagation(const char *prop_str)
{
        int i = index_in_strings(PRIVATE_UNCHANGED_SHARED_SLAVE, prop_str);
        if (i < 0)
                bb_error_msg_and_die("unrecognized: --%s=%s", "propagation", prop_str);
        if (i == 0)
                return MS_REC | MS_PRIVATE;
        if (i == 1)
                return 0;
        if (i == 2)
                return MS_REC | MS_SHARED;
        return MS_REC | MS_SLAVE;
}

static void mount_namespaces(pid_t pid, struct namespace_ctx *ns_ctx_list)
{
        const struct namespace_descr *ns;
        struct namespace_ctx *ns_ctx;
        int i;

        for (i = 0; i < NS_COUNT; i++) {
                char nsf[sizeof("/proc/%u/ns/AAAA") + sizeof(int)*3];

                ns = &ns_list[i];
                ns_ctx = &ns_ctx_list[i];
                if (!ns_ctx->path)
                        continue;
                sprintf(nsf, "/proc/%u/ns/%.4s", (unsigned)pid, ns->nsfile4);
                mount_or_die(nsf, ns_ctx->path, NULL, MS_BIND);
        }
}

int unshare_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
int unshare_main(int argc UNUSED_PARAM, char **argv)
{
        int i;
        unsigned int opts;
        int unsflags;
        uintptr_t need_mount;
        const char *proc_mnt_target;
        const char *prop_str;
        const char *setgrp_str;
        unsigned long prop_flags;
        uid_t reuid = geteuid();
        gid_t regid = getegid();
        struct fd_pair fdp;
        pid_t child = child; /* for compiler */
        struct namespace_ctx ns_ctx_list[NS_COUNT];

        memset(ns_ctx_list, 0, sizeof(ns_ctx_list));
        proc_mnt_target = "/proc";
        prop_str = PRIVATE_STR;
        setgrp_str = NULL;

        opt_complementary =
                "\xf0""m" /* long opts (via their "fake chars") imply short opts */
                ":\xf1""u"
                ":\xf2""i"
                ":\xf3""n"
                ":\xf4""p"
                ":\xf5""U"
                ":ru"      /* --map-root-user or -r implies -u */
                ":\xfd""m" /* --mount-proc implies -m */
        ;
        applet_long_options = unshare_longopts;
        opts = getopt32(argv, opt_str,
                        &proc_mnt_target, &prop_str, &setgrp_str,
                        &ns_ctx_list[NS_MNT_POS].path,
                        &ns_ctx_list[NS_UTS_POS].path,
                        &ns_ctx_list[NS_IPC_POS].path,
                        &ns_ctx_list[NS_NET_POS].path,
                        &ns_ctx_list[NS_PID_POS].path,
                        &ns_ctx_list[NS_USR_POS].path
        );
        argv += optind;
        //bb_error_msg("opts:0x%x", opts);
        //bb_error_msg("mount:%s", ns_ctx_list[NS_MNT_POS].path);
        //bb_error_msg("proc_mnt_target:%s", proc_mnt_target);
        //bb_error_msg("prop_str:%s", prop_str);
        //bb_error_msg("setgrp_str:%s", setgrp_str);
        //exit(1);

        if (setgrp_str) {
                if (strcmp(setgrp_str, "allow") == 0) {
                        if (opts & OPT_map_root) {
                                bb_error_msg_and_die(
                                        "--setgroups=allow and --map-root-user "
                                        "are mutually exclusive"
                                );
                        }
                } else {
                        /* It's not "allow", must be "deny" */
                        if (strcmp(setgrp_str, "deny") != 0)
                                bb_error_msg_and_die("unrecognized: --%s=%s",
                                        "setgroups", setgrp_str);
                }
        }

        unsflags = 0;
        need_mount = 0;
        for (i = 0; i < NS_COUNT; i++) {
                const struct namespace_descr *ns = &ns_list[i];
                struct namespace_ctx *ns_ctx = &ns_ctx_list[i];

                if (opts & (1 << i))
                        unsflags |= ns->flag;

                need_mount |= (uintptr_t)(ns_ctx->path);
        }
        /* need_mount != 0 if at least one FILE was given */

        prop_flags = MS_REC | MS_PRIVATE;
        /* Silently ignore --propagation if --mount is not requested. */
        if (opts & OPT_mount)
                prop_flags = parse_propagation(prop_str);

        /*
         * Special case: if we were requested to unshare the mount namespace
         * AND to make any namespace persistent (by bind mounting it) we need
         * to spawn a child process which will wait for the parent to call
         * unshare(), then mount parent's namespaces while still in the
         * previous namespace.
         */
        fdp.wr = -1;
        if (need_mount && (opts & OPT_mount)) {
                /*
                 * Can't use getppid() in child, as we can be unsharing the
                 * pid namespace.
                 */
                pid_t ppid = getpid();

                xpiped_pair(fdp);

                child = xfork();
                if (child == 0) {
                        /* Child */
                        close(fdp.wr);

                        /* Wait until parent calls unshare() */
                        read(fdp.rd, ns_ctx_list, 1); /* ...using bogus buffer */
                        /*close(fdp.rd);*/

                        /* Mount parent's unshared namespaces. */
                        mount_namespaces(ppid, ns_ctx_list);
                        return EXIT_SUCCESS;
                }
                /* Parent continues */
        }

        if (unshare(unsflags) != 0)
                bb_perror_msg_and_die("unshare(0x%x)", unsflags);

        if (fdp.wr >= 0) {
                close(fdp.wr); /* Release child */
                close(fdp.rd); /* should close fd, to not confuse exec'ed PROG */
        }

        if (need_mount) {
                /* Wait for the child to finish mounting the namespaces. */
                if (opts & OPT_mount) {
                        int exit_status = wait_for_exitstatus(child);
                        if (WIFEXITED(exit_status) &&
                            WEXITSTATUS(exit_status) != EXIT_SUCCESS)
                                return WEXITSTATUS(exit_status);
                } else {
                        /*
                         * Regular way - we were requested to mount some other
                         * namespaces: mount them after the call to unshare().
                         */
                        mount_namespaces(getpid(), ns_ctx_list);
                }
        }

        /*
         * When we're unsharing the pid namespace, it's not the process that
         * calls unshare() that is put into the new namespace, but its first
         * child. The user may want to use this option to spawn a new process
         * that'll become PID 1 in this new namespace.
         */
        if (opts & OPT_fork) {
                xvfork_parent_waits_and_exits();
                /* Child continues */
        }

        if (opts & OPT_map_root) {
                char uidmap_buf[sizeof("%u 0 1") + sizeof(int)*3];

                /*
                 * Since Linux 3.19 unprivileged writing of /proc/self/gid_map
                 * has been disabled unless /proc/self/setgroups is written
                 * first to permanently disable the ability to call setgroups
                 * in that user namespace.
                 */
                xopen_xwrite_close(PATH_PROC_SETGROUPS, "deny");
                sprintf(uidmap_buf, "%u 0 1", (unsigned)reuid);
                xopen_xwrite_close(PATH_PROC_UIDMAP, uidmap_buf);
                sprintf(uidmap_buf, "%u 0 1", (unsigned)regid);
                xopen_xwrite_close(PATH_PROC_GIDMAP, uidmap_buf);
        } else
        if (setgrp_str) {
                /* Write "allow" or "deny" */
                xopen_xwrite_close(PATH_PROC_SETGROUPS, setgrp_str);
        }

        if (opts & OPT_mount) {
                mount_or_die("none", "/", NULL, prop_flags);
        }

        if (opts & OPT_mount_proc) {
                /*
                 * When creating a new pid namespace, we might want the pid
                 * subdirectories in /proc to remain consistent with the new
                 * process IDs. Without --mount-proc the pids in /proc would
                 * still reflect the old pid namespace. This is why we make
                 * /proc private here and then do a fresh mount.
                 */
                mount_or_die("none", proc_mnt_target, NULL, MS_PRIVATE | MS_REC);
                mount_or_die("proc", proc_mnt_target, "proc", MS_NOSUID | MS_NOEXEC | MS_NODEV);
        }

        exec_prog_or_SHELL(argv);
}