code: 9ferno

ref: da7d6df6faf18e289fe0f3f61524dcc7fddeef18
dir: /appl/lib/newns.b/

View raw version
implement Newns;
#
# Build a new namespace from a file
#
#	new	create a new namespace from current directory (use cd)
#	fork	split the namespace before modification
#	nodev	disallow device attaches
#	bind	[-abrci] from to
#	mount	[-abrci9] [net!]machine[!svc] to [spec]
#	import [-abrci9] [net!]machine[!svc] [remotedir] dir
#	unmount	[-i] [from] to
#   	cd	directory
#
#	-i to bind/mount/unmount means continue in the face of errors
#
include "sys.m";
	sys: Sys;
	FD, FileIO: import Sys;
	stderr: ref FD;

include "draw.m";

include "bufio.m";
	bio: Bufio;
	Iobuf: import bio;

include "dial.m";
	dial: Dial;
	Connection: import dial;

include "newns.m";

#include "sh.m";

include "keyring.m";
	kr: Keyring;

include "security.m";
	au: Auth;

include "factotum.m";

include "arg.m";
	arg: Arg;

include "string.m";
	str: String;

newns(user: string, file: string): string
{
	sys = load Sys Sys->PATH;
	kr = load Keyring Keyring->PATH;
	stderr = sys->fildes(2);

	# Could do some authentication here, and bail if no good FIXME
	if(user == nil)
		;
	bio = load Bufio Bufio->PATH;
	if(bio == nil)
		return sys->sprint("cannot load %s: %r", Bufio->PATH);

	arg = load Arg Arg->PATH;
	if (arg == nil)
		return sys->sprint("cannot load %s: %r", Arg->PATH);

	au = load Auth Auth->PATH;
	if(au == nil)
		return sys->sprint("cannot load %s: %r", Auth->PATH);
	err := au->init();
	if(err != nil)
		return "Auth->init: "+err;

	str = load String String->PATH;		# no check, because we'll live without it

	if(file == nil){
		file = "namespace";
		if(sys->stat(file).t0 < 0)
			file = "/lib/namespace";
	}

	mfp := bio->open(file, bio->OREAD);
	if(mfp==nil)
      		return sys->sprint("cannot open %q: %r", file);

	if(0 && user != nil){
		sys->pctl(Sys->FORKENV, nil);
		setenv("user", user);
		setenv("home", "/usr/"+user);
	}

	facfd := sys->open("/mnt/factotum/rpc", Sys->ORDWR);
	return nsfile(mfp, facfd);
}

nsfile(b: ref Iobuf, facfd: ref Sys->FD): string
{
	e := "";
	while((l := b.gets('\n')) != nil){
		if(str != nil)
			slist := str->unquoted(l);
		else
			(nil, slist) = sys->tokenize(l, " \t\n\r");	# old way, in absence of String
		if(slist == nil)
			continue;
		e = nsop(expand(slist), facfd);
		if(e != "")
			break;
   	}
	return e;
}

expand(l: list of string): list of string
{
	nl: list of string;
	for(; l != nil; l = tl l){
		s := hd l;
		for(i := 0; i < len s; i++)
			if(s[i] == '$'){
				for(j := i+1; j < len s; j++)
					if((c := s[j]) == '.' || c == '/' || c == '$')
						break;
				if(j > i+1){
					(ok, v) := getenv(s[i+1:j]);
					if(!ok)
						return nil;
					s = s[0:i] + v + s[j:];
					i = i + len v;
				}
			}
		nl = s :: nl;
	}
	l = nil;
	for(; nl != nil; nl = tl nl)
		l = hd nl :: l;
	return l;
}

nsop(argv: list of string, facfd: ref Sys->FD): string
{
	# ignore comments 
	if(argv == nil || (hd argv)[0] == '#')
		return nil;
 
	e := "";
	c := 0;
	cmdstr := hd argv;
	case cmdstr {
	"." =>
		if(tl argv == nil)
			return ".: needs a filename";
		nsf := hd tl argv;
		mfp := bio->open(nsf, bio->OREAD);
		if(mfp==nil)
      			return sys->sprint("can't open %q for read %r", nsf);
		e = nsfile(mfp, facfd);
	"new" =>
		c = Sys->NEWNS | Sys->FORKENV;
	"clear" =>
		if(sys->pctl(Sys->FORKNS, nil) < 0 ||
		   sys->bind("#/", "/", Sys->MREPL) < 0 ||
		   sys->chdir("/") < 0 ||
		   sys->pctl(Sys->NEWNS, nil) < 0)
			return sys->sprint("%r");
		return nil;
	"fork"  =>
		c = Sys->FORKNS;
	"nodev" =>
		c = Sys->NODEVS;
	"bind" =>
		e = bind(argv);
	"mount" =>
		e = mount(argv, facfd);
	"unmount" =>
		e = unmount(argv);
	"import" =>
		e = import9(argv, facfd);
   	"cd" =>
   		if(len argv != 2)
			return "cd: must have one argument";   
		if(sys->chdir(hd tl argv) < 0)
			return sys->sprint("%r");
	* =>
      		e = "invalid namespace command";
	}
	if(c != 0) {
		if(sys->pctl(c, nil) < 0)
			return sys->sprint("%r");
	}
	return e;
}

Moptres: adt {
	argv: list of string;
	flags: int;
	alg: string;
	keyfile: string;
	ignore: int;
	use9: int;
};

mopt(argv: list of string): (ref Moptres, string)
{
	r := ref Moptres(nil, 0, "none", nil, 0, 0);

	arg->init(argv);
	while ((opt := arg->opt()) != 0) {
		case opt {
		'i' => r.ignore = 1;
		'a' => r.flags |= sys->MAFTER;
		'b' => r.flags |= sys->MBEFORE;
		'c' => r.flags |= sys->MCREATE;
		'r' => r.flags |= sys->MREPL;
		'k' =>
			if((r.keyfile = arg->arg()) == nil)
				return (nil, "mount: missing arg to -k option");
		'C' =>
			if((r.alg = arg->arg()) == nil)
				return (nil, "mount: missing arg to -C option");
		'9' =>
			r.use9 = 1;
		 *  =>
			return (nil, sys->sprint("mount: bad option -%c", opt));
		}
	}
	if((r.flags & (Sys->MAFTER|Sys->MBEFORE)) == 0)
		r.flags |= Sys->MREPL;

	r.argv = arg->argv();
	return (r, nil);
}

bind(argv: list of string): string
{
	(r, err) := mopt(argv);
	if(err != nil)
		return err;

	if(len r.argv < 2)
		return "bind: too few args";

	from := hd r.argv;
	r.argv = tl r.argv;
	todir := hd r.argv;
	if(sys->bind(from, todir, r.flags) < 0)
		return ig(r, sys->sprint("bind %s %s: %r", from, todir));

	return nil;
}

mount(argv: list of string, facfd: ref Sys->FD): string
{
	fd: ref Sys->FD;

	(r, err) := mopt(argv);
	if(err != nil)
		return err;

	if(len r.argv < 2)
		return ig(r, "mount: too few args");

	if(dial == nil){
		dial = load Dial Dial->PATH;
		if(dial == nil)
			return ig(r, "mount: can't load Dial");
	}

	addr := hd r.argv;
	r.argv = tl r.argv;
	dest := dial->netmkaddr(addr, "net", "styx");
	dir := hd r.argv;
	r.argv = tl r.argv;
	if(r.argv != nil)
		spec := hd r.argv;

	c := dial->dial(dest, nil);
	if(c == nil)
		return ig(r, sys->sprint("dial: %s: %r", dest));
	
	if(r.use9){
		factotum := load Factotum Factotum->PATH;
		if(factotum == nil)
			return ig(r, sys->sprint("cannot load %s: %r", Factotum->PATH));
		factotum->init();
		afd := sys->fauth(fd, spec);
		if(afd != nil)
			factotum->proxy(afd, facfd, "proto=p9any role=client");	# ignore result; if it fails, mount will fail
		if(sys->mount(fd, afd, dir, r.flags, spec) < 0)
			return ig(r, sys->sprint("mount %q %q: %r", addr, dir));
		return nil;
	}

	user := user();
	kd := "/usr/" + user + "/keyring/";
	cert: string;
	if (r.keyfile != nil) {
		cert = r.keyfile;
		if (cert[0] != '/')
			cert = kd + cert;
		if(sys->stat(cert).t0 < 0)
			return ig(r, sys->sprint("cannot find certificate %q: %r", cert));
	} else {
		cert = kd + addr;
		if(sys->stat(cert).t0 < 0)
			cert = kd + "default";
	}
	ai := kr->readauthinfo(cert);
	if(ai == nil)
		return ig(r, sys->sprint("cannot read certificate from %q: %r", cert));

	err = au->init();
	if (err != nil)
		return ig(r, sys->sprint("auth->init: %r"));
	(fd, err) = au->client(r.alg, ai, c.dfd);
	if(fd == nil)
		return ig(r, sys->sprint("auth: %r"));

	if(sys->mount(fd, nil, dir, r.flags, spec) < 0)
		return ig(r, sys->sprint("mount %q %q: %r", addr, dir));

	return nil;
}

import9(argv: list of string, facfd: ref Sys->FD): string
{
	(r, err) := mopt(argv);
	if(err != nil)
		return err;

	if(len r.argv < 2)
		return "import: too few args";
	if(facfd == nil)
		return ig(r, "import: no factotum");
	factotum := load Factotum Factotum->PATH;
	if(factotum == nil)
		return ig(r, sys->sprint("cannot load %s: %r", Factotum->PATH));
	factotum->init();
	addr := hd r.argv;
	r.argv = tl r.argv;
	rdir := hd r.argv;
	r.argv = tl r.argv;
	dir := rdir;
	if(r.argv != nil)
		dir = hd r.argv;

	if(dial == nil){
		dial = load Dial Dial->PATH;
		if(dial == nil)
			return ig(r, "import: can't load Dial");
	}

	dest := dial->netmkaddr(addr, "net", "17007");	# exportfs; might not be in inferno's ndb yet
	c := dial->dial(dest, nil);
	if(c == nil)
		return ig(r, sys->sprint("import: %s: %r", dest));
	fd := c.dfd;
	if(factotum->proxy(fd, facfd, "proto=p9any role=client") == nil)
		return ig(r, sys->sprint("import: %s: %r", dest));
	if(sys->fprint(fd, "%s", rdir) < 0)
		return ig(r, sys->sprint("import: %s: %r", dest));
	buf := array[256] of byte;
	if((n := sys->read(fd, buf, len buf)) != 2 || buf[0] != byte 'O' || buf[1] != byte 'K'){
		if(n >= 4)
			sys->werrstr(string buf[0:n]);
		return ig(r, sys->sprint("import: %s: %r", dest));
	}
	# TO DO: new style: impo aan|nofilter clear|ssl|tls\n
	afd := sys->fauth(fd, "");
	if(afd != nil)
		factotum->proxy(afd, facfd, "proto=p9any role=client");
	if(sys->mount(fd, afd, dir, r.flags, "") < 0)
		return ig(r, sys->sprint("import %q %q: %r", addr, dir));
	return nil;
}

unmount(argv: list of string): string
{
	(r, err) := mopt(argv);
	if(err != nil)
		return err;

	from, tu: string;
	case len r.argv {
	* =>
		return "unmount: takes 1 or 2 args";
	1 =>
		from = nil;
		tu = hd r.argv;
	2 =>
		from = hd r.argv;
		tu = hd tl r.argv;
	}

	if(sys->unmount(from, tu) < 0)
		return ig(r, sys->sprint("unmount: %r"));

	return nil;
}

ig(r: ref Moptres, e: string): string
{
	if(r.ignore)
		return nil;
	return e;
}

user(): string
{
	sys = load Sys Sys->PATH;

	fd := sys->open("/dev/user", sys->OREAD);
	if(fd == nil)
		return "";

	buf := array[Sys->NAMEMAX] of byte;
	n := sys->read(fd, buf, len buf);
	if(n < 0)
		return "";

	return string buf[0:n];	
}

getenv(name: string): (int, string)
{
	fd := sys->open("#e/"+name, Sys->OREAD);
	if(fd == nil)
		return (0, nil);
	b := array[256] of byte;
	n := sys->read(fd, b, len b);
	if(n <= 0)
		return (1, "");
	for(i := 0; i < n; i++)
		if(b[i] == byte 0 || b[i] == byte '\n')
			break;
	return (1, string b[0:i]);
}
	
setenv(name: string, val: string)
{
	fd := sys->create("#e/"+name, Sys->OWRITE, 8r664);
	if(fd != nil)
		sys->fprint(fd, "%s", val);
}

newuser(user: string, cap: string, nsfile: string): string
{
	if(cap == nil)
		return "no capability";

	sys = load Sys Sys->PATH;
	fd := sys->open("#¤/capuse", Sys->OWRITE);
	if(fd == nil)
		return sys->sprint("opening #¤/capuse: %r");

	b := array of byte cap;
	if(sys->write(fd, b, len b) < 0)
		return sys->sprint("writing %s to #¤/capuse: %r", cap);

	# mount factotum as new user (probably unhelpful if not factotum owner)
	sys->unmount(nil, "/mnt/factotum");
	sys->bind("#sfactotum", "/mnt/factotum", Sys->MREPL);

	return newns(user, nsfile);
}