ref: da7d6df6faf18e289fe0f3f61524dcc7fddeef18
dir: /appl/lib/newns.b/
implement Newns; # # Build a new namespace from a file # # new create a new namespace from current directory (use cd) # fork split the namespace before modification # nodev disallow device attaches # bind [-abrci] from to # mount [-abrci9] [net!]machine[!svc] to [spec] # import [-abrci9] [net!]machine[!svc] [remotedir] dir # unmount [-i] [from] to # cd directory # # -i to bind/mount/unmount means continue in the face of errors # include "sys.m"; sys: Sys; FD, FileIO: import Sys; stderr: ref FD; include "draw.m"; include "bufio.m"; bio: Bufio; Iobuf: import bio; include "dial.m"; dial: Dial; Connection: import dial; include "newns.m"; #include "sh.m"; include "keyring.m"; kr: Keyring; include "security.m"; au: Auth; include "factotum.m"; include "arg.m"; arg: Arg; include "string.m"; str: String; newns(user: string, file: string): string { sys = load Sys Sys->PATH; kr = load Keyring Keyring->PATH; stderr = sys->fildes(2); # Could do some authentication here, and bail if no good FIXME if(user == nil) ; bio = load Bufio Bufio->PATH; if(bio == nil) return sys->sprint("cannot load %s: %r", Bufio->PATH); arg = load Arg Arg->PATH; if (arg == nil) return sys->sprint("cannot load %s: %r", Arg->PATH); au = load Auth Auth->PATH; if(au == nil) return sys->sprint("cannot load %s: %r", Auth->PATH); err := au->init(); if(err != nil) return "Auth->init: "+err; str = load String String->PATH; # no check, because we'll live without it if(file == nil){ file = "namespace"; if(sys->stat(file).t0 < 0) file = "/lib/namespace"; } mfp := bio->open(file, bio->OREAD); if(mfp==nil) return sys->sprint("cannot open %q: %r", file); if(0 && user != nil){ sys->pctl(Sys->FORKENV, nil); setenv("user", user); setenv("home", "/usr/"+user); } facfd := sys->open("/mnt/factotum/rpc", Sys->ORDWR); return nsfile(mfp, facfd); } nsfile(b: ref Iobuf, facfd: ref Sys->FD): string { e := ""; while((l := b.gets('\n')) != nil){ if(str != nil) slist := str->unquoted(l); else (nil, slist) = sys->tokenize(l, " \t\n\r"); # old way, in absence of String if(slist == nil) continue; e = nsop(expand(slist), facfd); if(e != "") break; } return e; } expand(l: list of string): list of string { nl: list of string; for(; l != nil; l = tl l){ s := hd l; for(i := 0; i < len s; i++) if(s[i] == '$'){ for(j := i+1; j < len s; j++) if((c := s[j]) == '.' || c == '/' || c == '$') break; if(j > i+1){ (ok, v) := getenv(s[i+1:j]); if(!ok) return nil; s = s[0:i] + v + s[j:]; i = i + len v; } } nl = s :: nl; } l = nil; for(; nl != nil; nl = tl nl) l = hd nl :: l; return l; } nsop(argv: list of string, facfd: ref Sys->FD): string { # ignore comments if(argv == nil || (hd argv)[0] == '#') return nil; e := ""; c := 0; cmdstr := hd argv; case cmdstr { "." => if(tl argv == nil) return ".: needs a filename"; nsf := hd tl argv; mfp := bio->open(nsf, bio->OREAD); if(mfp==nil) return sys->sprint("can't open %q for read %r", nsf); e = nsfile(mfp, facfd); "new" => c = Sys->NEWNS | Sys->FORKENV; "clear" => if(sys->pctl(Sys->FORKNS, nil) < 0 || sys->bind("#/", "/", Sys->MREPL) < 0 || sys->chdir("/") < 0 || sys->pctl(Sys->NEWNS, nil) < 0) return sys->sprint("%r"); return nil; "fork" => c = Sys->FORKNS; "nodev" => c = Sys->NODEVS; "bind" => e = bind(argv); "mount" => e = mount(argv, facfd); "unmount" => e = unmount(argv); "import" => e = import9(argv, facfd); "cd" => if(len argv != 2) return "cd: must have one argument"; if(sys->chdir(hd tl argv) < 0) return sys->sprint("%r"); * => e = "invalid namespace command"; } if(c != 0) { if(sys->pctl(c, nil) < 0) return sys->sprint("%r"); } return e; } Moptres: adt { argv: list of string; flags: int; alg: string; keyfile: string; ignore: int; use9: int; }; mopt(argv: list of string): (ref Moptres, string) { r := ref Moptres(nil, 0, "none", nil, 0, 0); arg->init(argv); while ((opt := arg->opt()) != 0) { case opt { 'i' => r.ignore = 1; 'a' => r.flags |= sys->MAFTER; 'b' => r.flags |= sys->MBEFORE; 'c' => r.flags |= sys->MCREATE; 'r' => r.flags |= sys->MREPL; 'k' => if((r.keyfile = arg->arg()) == nil) return (nil, "mount: missing arg to -k option"); 'C' => if((r.alg = arg->arg()) == nil) return (nil, "mount: missing arg to -C option"); '9' => r.use9 = 1; * => return (nil, sys->sprint("mount: bad option -%c", opt)); } } if((r.flags & (Sys->MAFTER|Sys->MBEFORE)) == 0) r.flags |= Sys->MREPL; r.argv = arg->argv(); return (r, nil); } bind(argv: list of string): string { (r, err) := mopt(argv); if(err != nil) return err; if(len r.argv < 2) return "bind: too few args"; from := hd r.argv; r.argv = tl r.argv; todir := hd r.argv; if(sys->bind(from, todir, r.flags) < 0) return ig(r, sys->sprint("bind %s %s: %r", from, todir)); return nil; } mount(argv: list of string, facfd: ref Sys->FD): string { fd: ref Sys->FD; (r, err) := mopt(argv); if(err != nil) return err; if(len r.argv < 2) return ig(r, "mount: too few args"); if(dial == nil){ dial = load Dial Dial->PATH; if(dial == nil) return ig(r, "mount: can't load Dial"); } addr := hd r.argv; r.argv = tl r.argv; dest := dial->netmkaddr(addr, "net", "styx"); dir := hd r.argv; r.argv = tl r.argv; if(r.argv != nil) spec := hd r.argv; c := dial->dial(dest, nil); if(c == nil) return ig(r, sys->sprint("dial: %s: %r", dest)); if(r.use9){ factotum := load Factotum Factotum->PATH; if(factotum == nil) return ig(r, sys->sprint("cannot load %s: %r", Factotum->PATH)); factotum->init(); afd := sys->fauth(fd, spec); if(afd != nil) factotum->proxy(afd, facfd, "proto=p9any role=client"); # ignore result; if it fails, mount will fail if(sys->mount(fd, afd, dir, r.flags, spec) < 0) return ig(r, sys->sprint("mount %q %q: %r", addr, dir)); return nil; } user := user(); kd := "/usr/" + user + "/keyring/"; cert: string; if (r.keyfile != nil) { cert = r.keyfile; if (cert[0] != '/') cert = kd + cert; if(sys->stat(cert).t0 < 0) return ig(r, sys->sprint("cannot find certificate %q: %r", cert)); } else { cert = kd + addr; if(sys->stat(cert).t0 < 0) cert = kd + "default"; } ai := kr->readauthinfo(cert); if(ai == nil) return ig(r, sys->sprint("cannot read certificate from %q: %r", cert)); err = au->init(); if (err != nil) return ig(r, sys->sprint("auth->init: %r")); (fd, err) = au->client(r.alg, ai, c.dfd); if(fd == nil) return ig(r, sys->sprint("auth: %r")); if(sys->mount(fd, nil, dir, r.flags, spec) < 0) return ig(r, sys->sprint("mount %q %q: %r", addr, dir)); return nil; } import9(argv: list of string, facfd: ref Sys->FD): string { (r, err) := mopt(argv); if(err != nil) return err; if(len r.argv < 2) return "import: too few args"; if(facfd == nil) return ig(r, "import: no factotum"); factotum := load Factotum Factotum->PATH; if(factotum == nil) return ig(r, sys->sprint("cannot load %s: %r", Factotum->PATH)); factotum->init(); addr := hd r.argv; r.argv = tl r.argv; rdir := hd r.argv; r.argv = tl r.argv; dir := rdir; if(r.argv != nil) dir = hd r.argv; if(dial == nil){ dial = load Dial Dial->PATH; if(dial == nil) return ig(r, "import: can't load Dial"); } dest := dial->netmkaddr(addr, "net", "17007"); # exportfs; might not be in inferno's ndb yet c := dial->dial(dest, nil); if(c == nil) return ig(r, sys->sprint("import: %s: %r", dest)); fd := c.dfd; if(factotum->proxy(fd, facfd, "proto=p9any role=client") == nil) return ig(r, sys->sprint("import: %s: %r", dest)); if(sys->fprint(fd, "%s", rdir) < 0) return ig(r, sys->sprint("import: %s: %r", dest)); buf := array[256] of byte; if((n := sys->read(fd, buf, len buf)) != 2 || buf[0] != byte 'O' || buf[1] != byte 'K'){ if(n >= 4) sys->werrstr(string buf[0:n]); return ig(r, sys->sprint("import: %s: %r", dest)); } # TO DO: new style: impo aan|nofilter clear|ssl|tls\n afd := sys->fauth(fd, ""); if(afd != nil) factotum->proxy(afd, facfd, "proto=p9any role=client"); if(sys->mount(fd, afd, dir, r.flags, "") < 0) return ig(r, sys->sprint("import %q %q: %r", addr, dir)); return nil; } unmount(argv: list of string): string { (r, err) := mopt(argv); if(err != nil) return err; from, tu: string; case len r.argv { * => return "unmount: takes 1 or 2 args"; 1 => from = nil; tu = hd r.argv; 2 => from = hd r.argv; tu = hd tl r.argv; } if(sys->unmount(from, tu) < 0) return ig(r, sys->sprint("unmount: %r")); return nil; } ig(r: ref Moptres, e: string): string { if(r.ignore) return nil; return e; } user(): string { sys = load Sys Sys->PATH; fd := sys->open("/dev/user", sys->OREAD); if(fd == nil) return ""; buf := array[Sys->NAMEMAX] of byte; n := sys->read(fd, buf, len buf); if(n < 0) return ""; return string buf[0:n]; } getenv(name: string): (int, string) { fd := sys->open("#e/"+name, Sys->OREAD); if(fd == nil) return (0, nil); b := array[256] of byte; n := sys->read(fd, b, len b); if(n <= 0) return (1, ""); for(i := 0; i < n; i++) if(b[i] == byte 0 || b[i] == byte '\n') break; return (1, string b[0:i]); } setenv(name: string, val: string) { fd := sys->create("#e/"+name, Sys->OWRITE, 8r664); if(fd != nil) sys->fprint(fd, "%s", val); } newuser(user: string, cap: string, nsfile: string): string { if(cap == nil) return "no capability"; sys = load Sys Sys->PATH; fd := sys->open("#¤/capuse", Sys->OWRITE); if(fd == nil) return sys->sprint("opening #¤/capuse: %r"); b := array of byte cap; if(sys->write(fd, b, len b) < 0) return sys->sprint("writing %s to #¤/capuse: %r", cap); # mount factotum as new user (probably unhelpful if not factotum owner) sys->unmount(nil, "/mnt/factotum"); sys->bind("#sfactotum", "/mnt/factotum", Sys->MREPL); return newns(user, nsfile); }