/*
 * Detach the current process into a fresh IPC namespace (CLONE_NEWIPC).
 *
 * Two gates are evaluated, in order, before any privilege is raised:
 *   1. the configuration key "allow ipc ns" (default: allowed) — an
 *      administrator opt-out;
 *   2. the SINGULARITY_UNSHARE_IPC environment variable must be defined
 *      — a per-run opt-in by the user.
 * Either gate failing logs at VERBOSE2 and returns 0 without unsharing.
 *
 * When built without NS_CLONE_NEWIPC the function only emits a WARNING
 * and returns 0.  Otherwise privileges are escalated only around the
 * unshare(2) call and dropped immediately afterwards; a failing unshare
 * logs the errno text and calls ABORT(255), so singularity_priv_drop()
 * is not reached on that path (ABORT is assumed to terminate the
 * process — confirm against its definition).
 *
 * On success the file-scope `enabled` flag is set to 0; callers of the
 * sibling *_enabled() queries compare the flag against 0 (see the
 * `>= 0` test in singularity_mount_kernelfs).
 *
 * Returns 0 on every path that returns.
 */
int singularity_ns_ipc_unshare(void) {
    int allowed_by_config;
    int requested_by_user;

    singularity_config_rewind();
    allowed_by_config = singularity_config_get_bool("allow ipc ns", 1) > 0;
    if ( !allowed_by_config ) {
        singularity_message(VERBOSE2, "Not virtualizing IPC namespace by configuration\n");
        return(0);
    }

    requested_by_user = envar_defined("SINGULARITY_UNSHARE_IPC") != FALSE;
    if ( !requested_by_user ) {
        singularity_message(VERBOSE2, "Not virtualizing IPC namespace on user request\n");
        return(0);
    }

#ifndef NS_CLONE_NEWIPC
    singularity_message(WARNING, "Skipping IPC namespace creation, support not available on host\n");
    return(0);
#else
    singularity_message(DEBUG, "Using IPC namespace: CLONE_NEWIPC\n");

    /* Keep the privileged window as small as possible: escalate, unshare, drop. */
    singularity_priv_escalate();
    singularity_message(DEBUG, "Virtualizing IPC namespace\n");
    if ( unshare(CLONE_NEWIPC) < 0 ) {
        singularity_message(ERROR, "Could not virtualize IPC namespace: %s\n", strerror(errno));
        ABORT(255);
    }
    singularity_priv_drop();

    enabled = 0;
    return(0);
#endif
}
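/*
 * Bind-mount /tmp and /var/tmp into the container root.
 *
 * Source selection (first match wins):
 *   - SINGULARITY_WORKDIR set: <workdir>/tmp and <workdir>/var_tmp.
 *     This is a user-supplied path that will be bind-mounted with
 *     escalated privileges, so it is honoured only while the
 *     administrator leaves "user bind control" enabled; otherwise the
 *     run aborts with status 5.
 *   - SINGULARITY_CONTAIN set: <sessiondir>/tmp and <sessiondir>/var_tmp.
 *   - otherwise the host's own /tmp and /var/tmp.
 *
 * The source directories are created (mode 0755) as the unprivileged
 * user before any escalation.  Each bind mount is done with
 * MS_BIND|MS_NOSUID|MS_REC; a mount failure aborts with status 255
 * (ABORT is assumed to terminate the process, so no explicit privilege
 * drop happens on that path).  A source or target directory that does
 * not exist is logged at VERBOSE and skipped, not treated as an error.
 *
 * NOTE(review): the source path is validated with is_dir() and then
 * mounted with raised privileges; nothing in this function prevents the
 * path from being swapped (e.g. for a symlink) between the two steps.
 * Whether the session-directory layout or callers make that unreachable
 * is not visible from here — confirm.
 *
 * Returns 0.
 */
int singularity_mount_tmp(void) {
    char *container_dir = singularity_rootfs_dir();
    char *tmp_source;
    char *vartmp_source;
    char *tmp_target;
    char *vartmp_target;
    char *tmpdirpath;

    singularity_config_rewind();
    if ( singularity_config_get_bool("mount tmp", 1) <= 0 ) {
        singularity_message(VERBOSE, "Skipping tmp dir mounting (per config)\n");
        return(0);
    }

    if ( ( tmpdirpath = getenv("SINGULARITY_WORKDIR") ) != NULL ) { // Flawfinder: ignore
        /* A user-chosen directory is about to be bind-mounted as root:
         * only permitted when the administrator allows user bind control. */
        singularity_config_rewind();
        if ( singularity_config_get_bool("user bind control", 1) <= 0 ) {
            singularity_message(ERROR, "User bind control is disabled by system administrator\n");
            ABORT(5);
        }
        tmp_source = joinpath(tmpdirpath, "/tmp");
        vartmp_source = joinpath(tmpdirpath, "/var_tmp");
    } else if ( getenv("SINGULARITY_CONTAIN") != NULL ) { // Flawfinder: ignore
        char *sessiondir = singularity_sessiondir_get();
        tmp_source = joinpath(sessiondir, "/tmp");
        vartmp_source = joinpath(sessiondir, "/var_tmp");
    } else {
        tmp_source = strdup("/tmp");
        vartmp_source = strdup("/var/tmp");
    }

    /* Created as the invoking user, before any privilege escalation. */
    if ( s_mkpath(tmp_source, 0755) < 0 ) {
        singularity_message(ERROR, "Could not create tmp directory %s: %s\n", tmp_source, strerror(errno));
        ABORT(255);
    }
    if ( s_mkpath(vartmp_source, 0755) < 0 ) {
        singularity_message(ERROR, "Could not create vartmp directory %s: %s\n", vartmp_source, strerror(errno));
        ABORT(255);
    }

    /* Container-side targets are joined once and released at the end
     * rather than re-joined (and leaked) at every use. */
    tmp_target = joinpath(container_dir, "/tmp");
    vartmp_target = joinpath(container_dir, "/var/tmp");

    if ( is_dir(tmp_source) == 0 ) {
        if ( is_dir(tmp_target) == 0 ) {
            singularity_priv_escalate();
            singularity_message(VERBOSE, "Mounting directory: /tmp\n");
            if ( mount(tmp_source, tmp_target, NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) < 0 ) {
                singularity_message(ERROR, "Failed to mount %s -> /tmp: %s\n", tmp_source, strerror(errno));
                ABORT(255);
            }
            singularity_priv_drop();
        } else {
            singularity_message(VERBOSE, "Could not mount container's /tmp directory: does not exist\n");
        }
    } else {
        singularity_message(VERBOSE, "Could not mount host's /tmp directory (%s): does not exist\n", tmp_source);
    }

    if ( is_dir(vartmp_source) == 0 ) {
        if ( is_dir(vartmp_target) == 0 ) {
            singularity_priv_escalate();
            singularity_message(VERBOSE, "Mounting directory: /var/tmp\n");
            if ( mount(vartmp_source, vartmp_target, NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) < 0 ) {
                singularity_message(ERROR, "Failed to mount %s -> /var/tmp: %s\n", vartmp_source, strerror(errno));
                ABORT(255);
            }
            singularity_priv_drop();
        } else {
            singularity_message(VERBOSE, "Could not mount container's /var/tmp directory: does not exist\n");
        }
    } else {
        singularity_message(VERBOSE, "Could not mount host's /var/tmp directory (%s): does not exist\n", vartmp_source);
    }

    free(tmp_target);
    free(vartmp_target);
    free(tmp_source);
    free(vartmp_source);
    return(0);
}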
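/*
 * Provide /proc and /sys inside the container root.
 *
 * Each filesystem is governed by its own configuration key ("mount proc"
 * / "mount sys", both defaulting to on) and is skipped with a WARNING
 * when the container image has no corresponding directory to mount on.
 *
 * /proc: if the PID namespace is enabled (singularity_ns_pid_enabled()
 *   >= 0) a fresh procfs is mounted; otherwise the host's /proc is
 *   recursively bind-mounted with MS_NOSUID.
 * /sys:  if the user namespace is NOT enabled (singularity_ns_user_enabled()
 *   < 0) a fresh sysfs is mounted; otherwise the host's /sys is
 *   recursively bind-mounted with MS_NOSUID.  Presumably a fresh sysfs
 *   mount is not permitted from inside an unprivileged user namespace —
 *   confirm, as the branch sense is the opposite of the /proc case.
 *
 * NOTE(review): the fresh proc/sysfs mounts pass mount flags 0 (no
 * MS_NOSUID/MS_NODEV/MS_NOEXEC), whereas the bind fallbacks set
 * MS_NOSUID.  That asymmetry is preserved here; whether it is intended
 * is not visible from this function.
 *
 * Every mount happens inside an escalate/drop pair; a failure logs the
 * errno text and ABORT(255)s (assumed to terminate the process).
 *
 * Returns 0.
 */
int singularity_mount_kernelfs(void) {
    char *container_dir = singularity_rootfs_dir();
    char *target;

    // Mount /proc if we are configured
    singularity_message(DEBUG, "Checking configuration file for 'mount proc'\n");
    singularity_config_rewind();
    if ( singularity_config_get_bool("mount proc", 1) > 0 ) {
        /* Join the target once and release it after use (it was previously
         * re-joined at every call and never freed). */
        target = joinpath(container_dir, "/proc");
        if ( is_dir(target) == 0 ) {
            if ( singularity_ns_pid_enabled() >= 0 ) {
                /* Own PID namespace: a fresh procfs reflects only the container's view. */
                singularity_priv_escalate();
                singularity_message(VERBOSE, "Mounting /proc\n");
                if ( mount("proc", target, "proc", 0, NULL) < 0 ) {
                    singularity_message(ERROR, "Could not mount /proc into container: %s\n", strerror(errno));
                    ABORT(255);
                }
                singularity_priv_drop();
            } else {
                /* No PID namespace: expose the host's /proc via a recursive bind. */
                singularity_priv_escalate();
                singularity_message(VERBOSE, "Bind mounting /proc\n");
                if ( mount("/proc", target, NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) < 0 ) {
                    singularity_message(ERROR, "Could not bind mount container's /proc: %s\n", strerror(errno));
                    ABORT(255);
                }
                singularity_priv_drop();
            }
        } else {
            singularity_message(WARNING, "Not mounting /proc, container has no bind directory\n");
        }
        free(target);
    } else {
        singularity_message(VERBOSE, "Skipping /proc mount\n");
    }

    // Mount /sys if we are configured
    singularity_message(DEBUG, "Checking configuration file for 'mount sys'\n");
    singularity_config_rewind();
    if ( singularity_config_get_bool("mount sys", 1) > 0 ) {
        target = joinpath(container_dir, "/sys");
        if ( is_dir(target) == 0 ) {
            if ( singularity_ns_user_enabled() < 0 ) {
                /* No user namespace: a fresh sysfs mount is attempted. */
                singularity_priv_escalate();
                singularity_message(VERBOSE, "Mounting /sys\n");
                if ( mount("sysfs", target, "sysfs", 0, NULL) < 0 ) {
                    singularity_message(ERROR, "Could not mount /sys into container: %s\n", strerror(errno));
                    ABORT(255);
                }
                singularity_priv_drop();
            } else {
                /* User namespace active: fall back to binding the host's /sys. */
                singularity_priv_escalate();
                singularity_message(VERBOSE, "Bind mounting /sys\n");
                if ( mount("/sys", target, NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) < 0 ) {
                    singularity_message(ERROR, "Could not bind mount container's /sys: %s\n", strerror(errno));
                    ABORT(255);
                }
                singularity_priv_drop();
            }
        } else {
            singularity_message(WARNING, "Not mounting /sys, container has no bind directory\n");
        }
        free(target);
    } else {
        singularity_message(VERBOSE, "Skipping /sys mount\n");
    }

    return(0);
}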