1 Star 0 Fork 44

firstadream/lxc

forked from src-openEuler/lxc 
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
0005-refactor-patch-code-of-attach-and-seccomp.patch 43.37 KB
一键复制 编辑 原始数据 按行查看 历史
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517
From ad33756d6190df4f1aad9b6468b0b59086e916b5 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <[email protected]>
Date: Tue, 19 Jul 2022 15:23:34 +0800
Subject: [PATCH] refactor patch code of attach and seccomp
Signed-off-by: zhangxiaoyu <[email protected]>
---
src/lxc/attach.c | 517 +++++++++++++++++++++++++++++++++++++++
src/lxc/lsm/nop.c | 14 ++
src/lxc/seccomp.c | 555 ++++++++++++++++++++++++++++++++++++++++++
src/lxc/storage/zfs.c | 9 +
4 files changed, 1095 insertions(+)
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 38e16f2..8a2c52a 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -49,6 +49,25 @@
#include <sys/personality.h>
#endif
+#ifdef HAVE_ISULAD
+#include "exec_commands.h"
+
+typedef enum {
+ ATTACH_INIT,
+ ATTACH_TIMEOUT,
+ ATTACH_MAX,
+} attach_timeout_t;
+
+static volatile attach_timeout_t g_attach_timeout_state = ATTACH_INIT;
+
+struct attach_timeout_conf {
+ int64_t timeout;
+ unsigned long long start_time;
+ pid_t pid;
+};
+
+#endif
+
lxc_log_define(attach, lxc);
/* Define default options if no options are supplied by the user. */
@@ -630,6 +649,9 @@ struct attach_clone_payload {
struct lxc_proc_context_info *init_ctx;
lxc_attach_exec_t exec_function;
void *exec_payload;
+#ifdef HAVE_ISULAD
+ struct lxc_terminal *terminal;
+#endif
};
static void lxc_put_attach_clone_payload(struct attach_clone_payload *p)
@@ -642,6 +664,48 @@ static void lxc_put_attach_clone_payload(struct attach_clone_payload *p)
}
}
+#ifdef HAVE_ISULAD
+static int isulad_set_attach_pipes(struct lxc_terminal *terminal)
+{
+ int ret = 0;
+ if (terminal->pipes[0][1] >= 0) {
+ close(terminal->pipes[0][1]);
+ terminal->pipes[0][1] = -1;
+ }
+
+ if (terminal->pipes[0][0] >= 0) {
+ ret = dup2(terminal->pipes[0][0], STDIN_FILENO);
+ if (ret < 0)
+ goto out;
+ }
+
+ if (terminal->pipes[1][0] >= 0) {
+ close(terminal->pipes[1][0]);
+ terminal->pipes[1][0] = -1;
+ }
+
+ if (terminal->pipes[1][1] >= 0) {
+ ret = dup2(terminal->pipes[1][1], STDOUT_FILENO);
+ if (ret < 0)
+ goto out;
+ }
+ if (terminal->pipes[2][0] >= 0) {
+ close(terminal->pipes[2][0]);
+ terminal->pipes[2][0] = -1;
+ }
+
+ if (terminal->pipes[2][1] >= 0) {
+ ret = dup2(terminal->pipes[2][1], STDERR_FILENO);
+ if (ret < 0)
+ goto out;
+ }
+
+ setsid();
+out:
+ return ret;
+}
+#endif
+
static int attach_child_main(struct attach_clone_payload *payload)
{
int lsm_fd, ret;
@@ -654,6 +718,31 @@ static int attach_child_main(struct attach_clone_payload *payload)
bool needs_lsm = (options->namespaces & CLONE_NEWNS) &&
(options->attach_flags & LXC_ATTACH_LSM) &&
init_ctx->lsm_label;
+#ifdef HAVE_ISULAD
+ int msg_fd = -1;
+ sigset_t mask;
+
+ /*isulad: record errpipe fd*/
+ msg_fd = init_ctx->container->lxc_conf->errpipe[1];
+ init_ctx->container->lxc_conf->errpipe[1] = -1;
+ /*isulad: set system umask */
+ umask(init_ctx->container->lxc_conf->umask);
+
+ /*isulad: restore default signal handlers and unblock all signals*/
+ for (int i = 1; i < NSIG; i++)
+ signal(i, SIG_DFL);
+
+ ret = sigfillset(&mask);
+ if (ret < 0) {
+ SYSERROR("Failed to fill signal mask");
+ goto on_error;;
+ }
+ ret = sigprocmask(SIG_UNBLOCK, &mask, NULL);
+ if (ret < 0) {
+ SYSERROR("Failed to set signal mask");
+ goto on_error;
+ }
+#endif
/* A description of the purpose of this functionality is provided in the
* lxc-attach(1) manual page. We have to remount here and not in the
@@ -695,6 +784,28 @@ static int attach_child_main(struct attach_clone_payload *payload)
TRACE("Dropped capabilities");
}
+#ifdef HAVE_ISULAD
+ /* isulad: set workdir */
+ if (options->initial_cwd || init_ctx->container->lxc_conf->init_cwd) {
+ char *init_cwd;
+ init_cwd = options->initial_cwd ? options->initial_cwd : init_ctx->container->lxc_conf->init_cwd;
+ /* try to create workdir if not exist */
+ struct stat st;
+ if (stat(init_cwd, &st) < 0 && mkdir_p(init_cwd, 0750) < 0) {
+ SYSERROR("Try to create directory \"%s\" as workdir failed when attach", init_cwd);
+ lxc_write_error_message(msg_fd, "Try to create directory \"%s\" as workdir failed when attach: %s",
+ init_cwd, strerror(errno));
+ goto on_error;
+ }
+ if (chdir(init_cwd)) {
+ SYSERROR("Could not change directory to \"%s\" when attach", init_cwd);
+ lxc_write_error_message(msg_fd, "Could not change directory to \"%s\" when attach: %s",
+ init_cwd, strerror(errno));
+ goto on_error;
+ }
+ }
+#endif
+
/* Always set the environment (specify (LXC_ATTACH_KEEP_ENV, NULL, NULL)
* if you want this to be a no-op).
*/
@@ -736,8 +847,10 @@ static int attach_child_main(struct attach_clone_payload *payload)
goto on_error;
}
+#ifndef HAVE_ISULAD
if (!lxc_setgroups(0, NULL) && errno != EPERM)
goto on_error;
+#endif
if (options->namespaces & CLONE_NEWUSER) {
/* Check whether nsuid 0 has a mapping. */
@@ -770,6 +883,13 @@ static int attach_child_main(struct attach_clone_payload *payload)
else
new_gid = ns_root_gid;
+#ifdef HAVE_ISULAD
+ // isulad: set env home in container
+ if (lxc_setup_env_home(new_uid) < 0) {
+ goto on_error;
+ }
+#endif
+
if ((init_ctx->container && init_ctx->container->lxc_conf &&
init_ctx->container->lxc_conf->no_new_privs) ||
(options->attach_flags & LXC_ATTACH_NO_NEW_PRIVS)) {
@@ -810,10 +930,12 @@ static int attach_child_main(struct attach_clone_payload *payload)
goto on_error;
}
+#ifndef HAVE_ISULAD
close(payload->ipc_socket);
payload->ipc_socket = -EBADF;
lxc_proc_put_context_info(init_ctx);
payload->init_ctx = NULL;
+#endif
/* The following is done after the communication socket is shut down.
* That way, all errors that might (though unlikely) occur up until this
@@ -856,6 +978,24 @@ static int attach_child_main(struct attach_clone_payload *payload)
}
if (options->attach_flags & LXC_ATTACH_TERMINAL) {
+#ifdef HAVE_ISULAD
+ /* isulad: dup2 pipe[0][0] to container stdin, pipe[1][1] to container stdout, pipe[2][1] to container stderr */
+ if (payload->terminal->disable_pty) {
+ ret = isulad_set_attach_pipes(payload->terminal);
+ if (ret < 0) {
+ SYSERROR("Failed to prepare terminal file pipes");
+ goto on_error;
+ }
+ }
+
+ if(!payload->terminal->disable_pty && payload->terminal_pts_fd >= 0) {
+ ret = lxc_terminal_prepare_login(payload->terminal_pts_fd);
+ if (ret < 0) {
+ SYSERROR("Failed to prepare terminal file descriptor %d", payload->terminal_pts_fd);
+ goto on_error;
+ }
+ }
+#else
ret = lxc_terminal_prepare_login(payload->terminal_pts_fd);
if (ret < 0) {
SYSERROR("Failed to prepare terminal file descriptor %d", payload->terminal_pts_fd);
@@ -863,6 +1003,7 @@ static int attach_child_main(struct attach_clone_payload *payload)
}
TRACE("Prepared terminal file descriptor %d", payload->terminal_pts_fd);
+#endif
}
/* Avoid unnecessary syscalls. */
@@ -872,6 +1013,17 @@ static int attach_child_main(struct attach_clone_payload *payload)
if (new_gid == ns_root_gid)
new_gid = LXC_INVALID_GID;
+#ifdef HAVE_ISULAD
+ if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
+ SYSERROR("Failed to keep permitted capabilities");
+ goto on_error;
+ }
+
+ if (!lxc_setgroups(init_ctx->container->lxc_conf->init_groups_len,
+ init_ctx->container->lxc_conf->init_groups))
+ goto on_error;
+#endif
+
/* Make sure that the processes STDIO is correctly owned by the user that we are switching to */
ret = fix_stdio_permissions(new_uid);
if (ret)
@@ -880,21 +1032,63 @@ static int attach_child_main(struct attach_clone_payload *payload)
if (!lxc_switch_uid_gid(new_uid, new_gid))
goto on_error;
+#ifdef HAVE_ISULAD
+ if (prctl(PR_SET_KEEPCAPS, 0) < 0) {
+ SYSERROR("Failed to clear permitted capabilities");
+ goto on_error;
+ }
+
+ if (lxc_drop_caps(init_ctx->container->lxc_conf) != 0) {
+ ERROR("Failed to drop caps.");
+ goto on_error;
+ }
+
+ close(payload->ipc_socket);
+ payload->ipc_socket = -EBADF;
+ lxc_proc_put_context_info(init_ctx);
+ payload->init_ctx = NULL;
+ _exit(payload->exec_function(payload->exec_payload, msg_fd));
+#else
/* We're done, so we can now do whatever the user intended us to do. */
_exit(payload->exec_function(payload->exec_payload));
+#endif
on_error:
lxc_put_attach_clone_payload(payload);
_exit(EXIT_FAILURE);
}
+#ifdef HAVE_ISULAD
+static int lxc_attach_terminal(struct lxc_conf *conf,
+ struct lxc_terminal *terminal, lxc_attach_options_t *options)
+#else
static int lxc_attach_terminal(struct lxc_conf *conf,
struct lxc_terminal *terminal)
+#endif
{
int ret;
lxc_terminal_init(terminal);
+#ifdef HAVE_ISULAD
+ /* isulad: if we pass fifo in option, use them as init fifos */
+ if (options->init_fifo[0]) {
+ free(terminal->init_fifo[0]);
+ terminal->init_fifo[0] = safe_strdup(options->init_fifo[0]);
+ }
+ if (options->init_fifo[1]) {
+ free(terminal->init_fifo[1]);
+ terminal->init_fifo[1] = safe_strdup(options->init_fifo[1]);
+ }
+ if (options->init_fifo[2]) {
+ free(terminal->init_fifo[2]);
+ terminal->init_fifo[2] = safe_strdup(options->init_fifo[2]);
+ }
+
+ terminal->disable_pty = options->disable_pty;
+ terminal->open_stdin = options->open_stdin;
+#endif
+
ret = lxc_terminal_create(terminal);
if (ret < 0)
return log_error(-1, "Failed to create terminal");
@@ -952,9 +1146,126 @@ static inline void lxc_attach_terminal_close_log(struct lxc_terminal *terminal)
close_prot_errno_disarm(terminal->log_fd);
}
+#ifdef HAVE_ISULAD
+/* isulad: attach timeout thread function */
+static void* wait_attach_timeout(void *arg)
+{
+ struct attach_timeout_conf *conf = (struct attach_timeout_conf *)arg;
+
+ if (!conf || conf->timeout < 1)
+ goto out;
+ sleep(conf->timeout);
+ if (lxc_process_alive(conf->pid, conf->start_time)) {
+ g_attach_timeout_state = ATTACH_TIMEOUT;
+ if (kill(conf->pid, SIGKILL) < 0) {
+ ERROR("Failed to send signal %d to pid %d", SIGKILL, conf->pid);
+ }
+ }
+
+out:
+ free(conf);
+ return ((void *)0);
+}
+
+/* isulad: create attach timeout thread */
+static int create_attach_timeout_thread(int64_t attach_timeout, pid_t pid)
+{
+ int ret = 0;
+ pthread_t ptid;
+ pthread_attr_t attr;
+ struct attach_timeout_conf *timeout_conf = NULL;
+
+ timeout_conf = malloc(sizeof(struct attach_timeout_conf));
+ if (timeout_conf == NULL) {
+ ERROR("Failed to malloc attach timeout conf");
+ ret = -1;
+ goto out;
+ }
+
+ memset(timeout_conf, 0, sizeof(struct attach_timeout_conf));
+ timeout_conf->timeout = attach_timeout;
+ timeout_conf->pid = pid;
+ timeout_conf->start_time = lxc_get_process_startat(pid);
+
+ pthread_attr_init(&attr);
+ pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
+ ret = pthread_create(&ptid, &attr, wait_attach_timeout, timeout_conf);
+ pthread_attr_destroy(&attr);
+ if (ret != 0) {
+ ERROR("Create attach wait timeout thread failed");
+ free(timeout_conf);
+ goto out;
+ }
+
+out:
+ return ret;
+}
+
+static int attach_signal_handler(int fd, uint32_t events, void *data,
+ struct lxc_epoll_descr *descr)
+{
+ int ret;
+ siginfo_t info;
+ struct signalfd_siginfo siginfo;
+ pid_t *pid = data;
+
+ ret = lxc_read_nointr(fd, &siginfo, sizeof(siginfo));
+ if (ret < 0)
+ return log_error(LXC_MAINLOOP_ERROR, "Failed to read signal info from signal file descriptor %d", fd);
+
+ if (ret != sizeof(siginfo))
+ return log_error(LXC_MAINLOOP_ERROR, "Unexpected size for struct signalfd_siginfo");
+
+ /* Check whether init is running. */
+ info.si_pid = 0;
+ ret = waitid(P_PID, *pid, &info, WEXITED | WNOWAIT | WNOHANG);
+ if (ret == 0 && info.si_pid == *pid) {
+ return log_warn(LXC_MAINLOOP_CLOSE, "Container attach init process %d exited", *pid);
+ }
+
+ return LXC_MAINLOOP_CONTINUE;
+}
+
+static int isulad_setup_signal_fd(sigset_t *oldmask)
+{
+ int ret;
+ sigset_t mask;
+ const int signals[] = {SIGBUS, SIGILL, SIGSEGV, SIGWINCH, SIGTERM};
+
+ /* Block everything except serious error signals. */
+ ret = sigfillset(&mask);
+ if (ret < 0)
+ return -EBADF;
+
+ for (int sig = 0; sig < (sizeof(signals) / sizeof(signals[0])); sig++) {
+ ret = sigdelset(&mask, signals[sig]);
+ if (ret < 0)
+ return -EBADF;
+ }
+
+ ret = pthread_sigmask(SIG_BLOCK, &mask, oldmask);
+ if (ret < 0)
+ return log_error_errno(-EBADF, errno,
+ "Failed to set signal mask");
+
+ ret = signalfd(-1, &mask, SFD_CLOEXEC);
+ if (ret < 0)
+ return log_error_errno(-EBADF,
+ errno, "Failed to create signal file descriptor");
+
+ TRACE("Created signal file descriptor %d", ret);
+
+ return ret;
+}
+
+int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
+ void *exec_payload, lxc_attach_options_t *options,
+ pid_t *attached_process, char **err_msg)
+#else
int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
void *exec_payload, lxc_attach_options_t *options,
pid_t *attached_process)
+#endif
{
int i, ret, status;
int ipc_sockets[2];
@@ -966,6 +1277,13 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
struct lxc_conf *conf;
char *name, *lxcpath;
struct attach_clone_payload payload = {0};
+#ifdef HAVE_ISULAD
+ struct lxc_exec_command_handler exec_command;
+ const char *suffix = options->suffix;
+
+ exec_command.maincmd_fd = -1;
+ exec_command.terminal = &terminal;
+#endif
ret = access("/proc/self/ns", X_OK);
if (ret)
@@ -1017,6 +1335,14 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
if (!conf)
return log_error_errno(-EINVAL, EINVAL, "Missing container confifg");
+#ifdef HAVE_ISULAD
+ // always switch uid and gid for attach
+ if (options->uid == -1)
+ options->uid = init_ctx->container->lxc_conf->init_uid;
+ if (options->gid == -1)
+ options->gid = init_ctx->container->lxc_conf->init_gid;
+#endif
+
if (!fetch_seccomp(init_ctx->container, options))
WARN("Failed to get seccomp policy");
@@ -1090,7 +1416,11 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
}
if (options->attach_flags & LXC_ATTACH_TERMINAL) {
+#ifdef HAVE_ISULAD
+ ret = lxc_attach_terminal(conf, &terminal, options);
+#else
ret = lxc_attach_terminal(conf, &terminal);
+#endif
if (ret < 0) {
ERROR("Failed to setup new terminal");
free(cwd);
@@ -1099,6 +1429,12 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
}
terminal.log_fd = options->log_fd;
+#ifdef HAVE_ISULAD
+ if (suffix != NULL) {
+ exec_command.maincmd_fd = lxc_exec_cmd_init(name, lxcpath, suffix);
+ exec_command.terminal = &terminal;
+ }
+#endif
} else {
lxc_terminal_init(&terminal);
}
@@ -1139,10 +1475,40 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
ret = socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, ipc_sockets);
if (ret < 0) {
SYSERROR("Could not set up required IPC mechanism for attaching");
+#ifdef HAVE_ISULAD
+ if (options->attach_flags & LXC_ATTACH_TERMINAL) {
+ lxc_terminal_delete(&terminal);
+ lxc_terminal_conf_free(&terminal);
+ if (exec_command.maincmd_fd != -1) {
+ close(exec_command.maincmd_fd);
+ }
+ lxc_exec_unix_sock_delete(name, suffix);
+ }
+#endif
+ free(cwd);
+ lxc_proc_put_context_info(init_ctx);
+ return -1;
+ }
+
+#ifdef HAVE_ISULAD
+ /* isulad: pipdfd for get error message of child or grandchild process. */
+ if (pipe2(conf->errpipe, O_CLOEXEC) != 0) {
+ SYSERROR("Failed to init errpipe");
+ if (options->attach_flags & LXC_ATTACH_TERMINAL) {
+ lxc_terminal_delete(&terminal);
+ lxc_terminal_conf_free(&terminal);
+ if (exec_command.maincmd_fd != -1) {
+ close(exec_command.maincmd_fd);
+ }
+ lxc_exec_unix_sock_delete(name, suffix);
+ }
+ close(ipc_sockets[0]);
+ close(ipc_sockets[1]);
free(cwd);
lxc_proc_put_context_info(init_ctx);
return -1;
}
+#endif
/* Create intermediate subprocess, two reasons:
* 1. We can't setns() in the child itself, since we want to make
@@ -1154,6 +1520,18 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
pid = fork();
if (pid < 0) {
SYSERROR("Failed to create first subprocess");
+#ifdef HAVE_ISULAD
+ if (options->attach_flags & LXC_ATTACH_TERMINAL) {
+ lxc_terminal_delete(&terminal);
+ lxc_terminal_conf_free(&terminal);
+ if (exec_command.maincmd_fd != -1) {
+ close(exec_command.maincmd_fd);
+ }
+ lxc_exec_unix_sock_delete(name, suffix);
+ }
+ close(ipc_sockets[0]);
+ close(ipc_sockets[1]);
+#endif
free(cwd);
lxc_proc_put_context_info(init_ctx);
return -1;
@@ -1163,10 +1541,35 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
int ret_parent = -1;
pid_t to_cleanup_pid = pid;
struct lxc_epoll_descr descr = {0};
+#ifdef HAVE_ISULAD
+ int isulad_sigfd;
+ sigset_t isulad_oldmask;
+ struct lxc_epoll_descr isulad_descr = {0};
+#endif
/* close unneeded file descriptors */
close(ipc_sockets[1]);
free(cwd);
+#ifdef HAVE_ISULAD
+ /* isulad: close errpipe */
+ close(conf->errpipe[1]);
+ conf->errpipe[1] = -1;
+ /* isulad: close pipe after clone */
+ if (terminal.pipes[0][0] >= 0) {
+ close(terminal.pipes[0][0]);
+ terminal.pipes[0][0] = -1;
+ }
+
+ if (terminal.pipes[1][1] >= 0) {
+ close(terminal.pipes[1][1]);
+ terminal.pipes[1][1] = -1;
+ }
+
+ if (terminal.pipes[2][1] >= 0) {
+ close(terminal.pipes[2][1]);
+ terminal.pipes[2][1] = -1;
+ }
+#endif
lxc_proc_close_ns_fd(init_ctx);
if (options->attach_flags & LXC_ATTACH_TERMINAL)
lxc_attach_terminal_close_pts(&terminal);
@@ -1200,7 +1603,11 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
/* Setup resource limits */
if (!lxc_list_empty(&conf->limits)) {
+#ifdef HAVE_ISULAD
+ ret = setup_resource_limits(&conf->limits, pid, -1);
+#else
ret = setup_resource_limits(&conf->limits, pid);
+#endif
if (ret < 0)
goto on_error;
}
@@ -1210,9 +1617,28 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
if (ret < 0)
goto on_error;
+#ifdef HAVE_ISULAD
+ ret = lxc_attach_terminal_mainloop_init(&terminal, &isulad_descr);
+ if (ret < 0)
+ goto on_error;
+
+ if (suffix != NULL) {
+ (void)lxc_exec_cmd_mainloop_add(&descr, &exec_command);
+ }
+#endif
TRACE("Initialized terminal mainloop");
}
+#ifdef HAVE_ISULAD
+ /* The signal fd has to be created before forking otherwise if the child
+ * process exits before we setup the signal fd, the event will be lost
+ * and the command will be stuck.
+ */
+ isulad_sigfd = isulad_setup_signal_fd(&isulad_oldmask);
+ if (isulad_sigfd < 0)
+ goto close_mainloop;
+#endif
+
/* Let the child process know to go ahead. */
status = 0;
ret = lxc_write_nointr(ipc_sockets[0], &status, sizeof(status));
@@ -1290,6 +1716,34 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
*attached_process = attached_pid;
+#ifdef HAVE_ISULAD
+ if (options->timeout > 0) {
+ ret = create_attach_timeout_thread(options->timeout, *attached_process);
+ if (ret) {
+ ERROR("Failed to create attach timeout thread for container.");
+ goto close_mainloop;
+ }
+ }
+ /* isulad: read error msg from pipe */
+ ssize_t size_read;
+ char errbuf[BUFSIZ + 1] = {0};
+ pid_t tmp_pid = *attached_process;
+
+ size_read = read(conf->errpipe[0], errbuf, BUFSIZ);
+ if (size_read > 0) {
+ if (err_msg)
+ *err_msg = safe_strdup(errbuf);
+ goto close_mainloop;
+ }
+ if (options->attach_flags & LXC_ATTACH_TERMINAL) {
+ ret = lxc_mainloop_add_handler(&descr, isulad_sigfd, attach_signal_handler, &tmp_pid);
+ if (ret < 0) {
+ ERROR("Failed to add signal handler for %d to mainloop", tmp_pid);
+ goto close_mainloop;
+ }
+ }
+#endif
+
/* Now shut down communication with child, we're done. */
shutdown(ipc_sockets[0], SHUT_RDWR);
close(ipc_sockets[0]);
@@ -1298,17 +1752,44 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
ret_parent = 0;
to_cleanup_pid = -1;
+#ifdef HAVE_ISULAD
+ // iSulad: close stdin pipe if we do not want open_stdin with container stdin
+ if (!terminal.open_stdin) {
+ if (terminal.pipes[0][1] > 0) {
+ close(terminal.pipes[0][1]);
+ terminal.pipes[0][1] = -1;
+ }
+ }
+#endif
if (options->attach_flags & LXC_ATTACH_TERMINAL) {
+#ifdef HAVE_ISULAD
+ ret = isulad_safe_mainloop(&descr, -1);
+#else
ret = lxc_mainloop(&descr, -1);
+#endif
if (ret < 0) {
ret_parent = -1;
to_cleanup_pid = attached_pid;
}
}
+#ifdef HAVE_ISULAD
+ // do lxc_mainloop to make sure we do not lose any output
+ (void)isulad_safe_mainloop(&isulad_descr, 100);
+ if (g_attach_timeout_state == ATTACH_TIMEOUT && err_msg != NULL && *err_msg == NULL) {
+ *err_msg = safe_strdup("Attach exceeded timeout");
+ }
+#endif
close_mainloop:
+#ifdef HAVE_ISULAD
+ if (options->attach_flags & LXC_ATTACH_TERMINAL) {
+ lxc_mainloop_close(&isulad_descr);
+ lxc_mainloop_close(&descr);
+ }
+#else
if (options->attach_flags & LXC_ATTACH_TERMINAL)
lxc_mainloop_close(&descr);
+#endif
on_error:
if (ipc_sockets[0] >= 0) {
@@ -1322,6 +1803,12 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
if (options->attach_flags & LXC_ATTACH_TERMINAL) {
lxc_terminal_delete(&terminal);
lxc_terminal_conf_free(&terminal);
+#ifdef HAVE_ISULAD
+ if (exec_command.maincmd_fd != -1) {
+ close(exec_command.maincmd_fd);
+ }
+ lxc_exec_unix_sock_delete(name, suffix);
+#endif
}
lxc_proc_put_context_info(init_ctx);
@@ -1331,10 +1818,21 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
/* close unneeded file descriptors */
close_prot_errno_disarm(ipc_sockets[0]);
+#ifdef HAVE_ISULAD
+ /* isulad: close errpipe */
+ close(conf->errpipe[0]);
+ conf->errpipe[0] = -1;
+#endif
+
if (options->attach_flags & LXC_ATTACH_TERMINAL) {
lxc_attach_terminal_close_ptmx(&terminal);
lxc_attach_terminal_close_peer(&terminal);
lxc_attach_terminal_close_log(&terminal);
+#ifdef HAVE_ISULAD
+ if (exec_command.maincmd_fd != -1) {
+ close(exec_command.maincmd_fd);
+ }
+#endif
}
/* Wait for the parent to have setup cgroups. */
@@ -1380,6 +1878,9 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
payload.terminal_pts_fd = terminal.pts;
payload.exec_function = exec_function;
payload.exec_payload = exec_payload;
+#ifdef HAVE_ISULAD
+ payload.terminal = &terminal;
+#endif
pid = lxc_raw_clone(CLONE_PARENT, NULL);
if (pid < 0) {
@@ -1390,7 +1891,11 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
}
if (pid == 0) {
+#ifdef HAVE_ISULAD
+ if (options->attach_flags & LXC_ATTACH_TERMINAL && terminal.tty_state) {
+#else
if (options->attach_flags & LXC_ATTACH_TERMINAL) {
+#endif
ret = pthread_sigmask(SIG_SETMASK,
&terminal.tty_state->oldmask, NULL);
if (ret < 0) {
@@ -1430,7 +1935,11 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,
_exit(EXIT_SUCCESS);
}
+#ifdef HAVE_ISULAD
+int lxc_attach_run_command(void *payload, int msg_fd)
+#else
int lxc_attach_run_command(void *payload)
+#endif
{
int ret = -1;
lxc_attach_command_t *cmd = payload;
@@ -1446,11 +1955,19 @@ int lxc_attach_run_command(void *payload)
break;
}
}
+#ifdef HAVE_ISULAD
+ /* isulad: write error messages */
+ lxc_write_error_message(msg_fd, "exec: \"%s\": %s.", cmd->program, strerror(errno));
+#endif
return log_error_errno(ret, errno, "Failed to exec \"%s\"", cmd->program);
}
+#ifdef HAVE_ISULAD
+int lxc_attach_run_shell(void* payload, int msg_fd)
+#else
int lxc_attach_run_shell(void* payload)
+#endif
{
__do_free char *buf = NULL;
uid_t uid;
diff --git a/src/lxc/lsm/nop.c b/src/lxc/lsm/nop.c
index 5b345b9..188945d 100644
--- a/src/lxc/lsm/nop.c
+++ b/src/lxc/lsm/nop.c
@@ -24,11 +24,25 @@ static int nop_enabled(void)
return 0;
}
+#ifdef HAVE_ISULAD
+static int nop_file_label_set(const char *path, const char *label) {
+ return 0;
+}
+
+static int nop_relabel(const char *path, const char *label, bool shared) {
+ return 0;
+}
+#endif
+
static struct lsm_drv nop_drv = {
.name = "nop",
.enabled = nop_enabled,
.process_label_get = nop_process_label_get,
.process_label_set = nop_process_label_set,
+#ifdef HAVE_ISULAD
+ .file_label_set = nop_file_label_set,
+ .relabel = nop_relabel,
+#endif
};
struct lsm_drv *lsm_nop_drv_init(void)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 7820db8..a6e6d42 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -351,8 +351,13 @@ int get_hostarch(void)
return lxc_seccomp_arch_unknown;
}
+#ifdef HAVE_ISULAD
+scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch,
+ uint32_t default_policy_action, uint32_t *architectures)
+#else
scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch,
uint32_t default_policy_action, bool *needs_merge)
+#endif
{
int ret;
uint32_t arch;
@@ -476,9 +481,17 @@ scmp_filter_ctx get_new_ctx(enum lxc_hostarch_t n_arch,
}
TRACE("Removed native arch from main seccomp context");
+#ifdef HAVE_ISULAD
+ *architectures = arch;
+#else
*needs_merge = true;
+#endif
} else {
+#ifdef HAVE_ISULAD
+ *architectures = SCMP_ARCH_NATIVE;
+#else
*needs_merge = false;
+#endif
TRACE("Arch %d already present in main seccomp context", (int)n_arch);
}
@@ -510,7 +523,11 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
if (ret < 0) {
errno = -ret;
SYSERROR("Failed loading rule to reject force umount");
+#ifdef HAVE_ISULAD
+ return true;
+#else
return false;
+#endif
}
INFO("Set seccomp rule to reject force umounts");
@@ -519,24 +536,42 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
nr = seccomp_syscall_resolve_name(line);
if (nr == __NR_SCMP_ERROR) {
+#ifdef HAVE_ISULAD
+ DEBUG("Failed to resolve syscall \"%s\"", line);
+ DEBUG("This syscall will NOT be handled by seccomp");
+#else
WARN("Failed to resolve syscall \"%s\"", line);
WARN("This syscall will NOT be handled by seccomp");
+#endif
return true;
}
if (nr < 0) {
+#ifdef HAVE_ISULAD
+ DEBUG("Got negative return value %d for syscall \"%s\"", nr, line);
+ DEBUG("This syscall will NOT be handled by seccomp");
+#else
WARN("Got negative return value %d for syscall \"%s\"", nr, line);
WARN("This syscall will NOT be handled by seccomp");
+#endif
return true;
}
memset(&arg_cmp, 0, sizeof(arg_cmp));
for (i = 0; i < rule->args_num; i++) {
+#ifdef HAVE_ISULAD
+ DEBUG("arg_cmp[%d]: SCMP_CMP(%u, %llu, %llu, %llu)", i,
+ rule->args_value[i].index,
+ (long long unsigned int)rule->args_value[i].op,
+ (long long unsigned int)rule->args_value[i].mask,
+ (long long unsigned int)rule->args_value[i].value);
+#else
INFO("arg_cmp[%d]: SCMP_CMP(%u, %llu, %llu, %llu)", i,
rule->args_value[i].index,
(long long unsigned int)rule->args_value[i].op,
(long long unsigned int)rule->args_value[i].mask,
(long long unsigned int)rule->args_value[i].value);
+#endif
if (SCMP_CMP_MASKED_EQ == rule->args_value[i].op)
arg_cmp[i] = SCMP_CMP(rule->args_value[i].index,
@@ -553,14 +588,43 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
rule->args_num, arg_cmp);
if (ret < 0) {
errno = -ret;
+#ifdef HAVE_ISULAD
+ DEBUG("Failed loading rule for %s (nr %d action %d (%s))",
+ line, nr, rule->action, get_action_name(rule->action));
+ return true;
+#else
SYSERROR("Failed loading rule for %s (nr %d action %d (%s))",
line, nr, rule->action, get_action_name(rule->action));
return false;
+#endif
}
return true;
}
+#ifdef HAVE_ISULAD
+#define SCMP_ARCH_INDEX_MAX 3
+
+struct scmp_ctx_info {
+ uint32_t architectures[SCMP_ARCH_INDEX_MAX];
+ enum lxc_hostarch_t lxc_arch[SCMP_ARCH_INDEX_MAX];
+ scmp_filter_ctx contexts[SCMP_ARCH_INDEX_MAX];
+ bool needs_merge[SCMP_ARCH_INDEX_MAX];
+};
+
+static int get_arch_index(enum lxc_hostarch_t arch, struct scmp_ctx_info *ctx)
+{
+ int i;
+
+ for (i = 0; i < SCMP_ARCH_INDEX_MAX; i++) {
+ if (ctx->lxc_arch[i] == arch)
+ return i;
+ }
+
+ return -1;
+}
+#endif
+
/*
* v2 consists of
* [x86]
@@ -575,6 +639,494 @@ bool do_resolve_add_rule(uint32_t arch, char *line, scmp_filter_ctx ctx,
* write
* close
*/
+#ifdef HAVE_ISULAD
+static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_conf *conf)
+{
+ int ret;
+ char *p;
+ enum lxc_hostarch_t cur_rule_arch, native_arch;
+ bool blacklist = false;
+ uint32_t default_policy_action = -1, default_rule_action = -1;
+ struct seccomp_v2_rule rule;
+ struct scmp_ctx_info ctx;
+
+ if (strncmp(line, "blacklist", 9) == 0)
+ blacklist = true;
+ else if (strncmp(line, "whitelist", 9) != 0) {
+ ERROR("Bad seccomp policy style \"%s\"", line);
+ return -1;
+ }
+
+ p = strchr(line, ' ');
+ if (p) {
+ default_policy_action = get_v2_default_action(p + 1);
+ if (default_policy_action == -2)
+ return -1;
+ }
+
+ /* for blacklist, allow any syscall which has no rule */
+ if (blacklist) {
+ if (default_policy_action == -1)
+ default_policy_action = SCMP_ACT_ALLOW;
+
+ if (default_rule_action == -1)
+ default_rule_action = SCMP_ACT_KILL;
+ } else {
+ if (default_policy_action == -1)
+ default_policy_action = SCMP_ACT_KILL;
+
+ if (default_rule_action == -1)
+ default_rule_action = SCMP_ACT_ALLOW;
+ }
+
+ memset(&ctx, 0, sizeof(ctx));
+ ctx.architectures[0] = SCMP_ARCH_NATIVE;
+ ctx.architectures[1] = SCMP_ARCH_NATIVE;
+ ctx.architectures[2] = SCMP_ARCH_NATIVE;
+ native_arch = get_hostarch();
+ cur_rule_arch = native_arch;
+ if (native_arch == lxc_seccomp_arch_amd64) {
+ cur_rule_arch = lxc_seccomp_arch_all;
+
+ ctx.lxc_arch[0] = lxc_seccomp_arch_i386;
+ ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_i386,
+ default_policy_action, &ctx.architectures[0]);
+ if (!ctx.contexts[0])
+ goto bad;
+
+ ctx.lxc_arch[1] = lxc_seccomp_arch_x32;
+ ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_x32,
+ default_policy_action, &ctx.architectures[1]);
+ if (!ctx.contexts[1])
+ goto bad;
+
+ ctx.lxc_arch[2] = lxc_seccomp_arch_amd64;
+ ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_amd64,
+ default_policy_action, &ctx.architectures[2]);
+ if (!ctx.contexts[2])
+ goto bad;
+#ifdef SCMP_ARCH_PPC
+ } else if (native_arch == lxc_seccomp_arch_ppc64) {
+ cur_rule_arch = lxc_seccomp_arch_all;
+
+ ctx.lxc_arch[0] = lxc_seccomp_arch_ppc;
+ ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_ppc,
+ default_policy_action, &ctx.architectures[0]);
+ if (!ctx.contexts[0])
+ goto bad;
+
+ ctx.lxc_arch[1] = lxc_seccomp_arch_ppc64;
+ ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_ppc64,
+ default_policy_action, &ctx.architectures[1]);
+ if (!ctx.contexts[1])
+ goto bad;
+#endif
+#ifdef SCMP_ARCH_ARM
+ } else if (native_arch == lxc_seccomp_arch_arm64) {
+ cur_rule_arch = lxc_seccomp_arch_all;
+
+ ctx.lxc_arch[0] = lxc_seccomp_arch_arm;
+ ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_arm,
+ default_policy_action, &ctx.architectures[0]);
+ if (!ctx.contexts[0])
+ goto bad;
+
+#ifdef SCMP_ARCH_AARCH64
+ ctx.lxc_arch[1] = lxc_seccomp_arch_arm64;
+ ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_arm64,
+ default_policy_action, &ctx.architectures[1]);
+ if (!ctx.contexts[1])
+ goto bad;
+#endif
+#endif
+#ifdef SCMP_ARCH_MIPS
+ } else if (native_arch == lxc_seccomp_arch_mips64) {
+ cur_rule_arch = lxc_seccomp_arch_all;
+
+ ctx.lxc_arch[0] = lxc_seccomp_arch_mips;
+ ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mips,
+ default_policy_action, &ctx.architectures[0]);
+ if (!ctx.contexts[0])
+ goto bad;
+
+ ctx.lxc_arch[1] = lxc_seccomp_arch_mips64n32;
+ ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mips64n32,
+ default_policy_action, &ctx.architectures[1]);
+ if (!ctx.contexts[1])
+ goto bad;
+
+ ctx.lxc_arch[2] = lxc_seccomp_arch_mips64;
+ ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mips64,
+ default_policy_action, &ctx.architectures[2]);
+ if (!ctx.contexts[2])
+ goto bad;
+ } else if (native_arch == lxc_seccomp_arch_mipsel64) {
+ cur_rule_arch = lxc_seccomp_arch_all;
+ ctx.lxc_arch[0] = lxc_seccomp_arch_mipsel;
+ ctx.contexts[0] = get_new_ctx(lxc_seccomp_arch_mipsel,
+ default_policy_action, &ctx.architectures[0]);
+ if (!ctx.contexts[0])
+ goto bad;
+
+ ctx.lxc_arch[1] = lxc_seccomp_arch_mipsel64n32;
+ ctx.contexts[1] = get_new_ctx(lxc_seccomp_arch_mipsel64n32,
+ default_policy_action, &ctx.architectures[1]);
+ if (!ctx.contexts[1])
+ goto bad;
+
+ ctx.lxc_arch[2] = lxc_seccomp_arch_mipsel64;
+ ctx.contexts[2] = get_new_ctx(lxc_seccomp_arch_mipsel64,
+ default_policy_action, &ctx.architectures[2]);
+ if (!ctx.contexts[2])
+ goto bad;
+#endif
+ }
+
+ if (default_policy_action != SCMP_ACT_KILL) {
+ ret = seccomp_reset(conf->seccomp.seccomp_ctx, default_policy_action);
+ if (ret != 0) {
+ ERROR("Error re-initializing Seccomp");
+ return -1;
+ }
+
+ ret = seccomp_attr_set(conf->seccomp.seccomp_ctx, SCMP_FLTATR_CTL_NNP, 0);
+ if (ret < 0) {
+ errno = -ret;
+ SYSERROR("Failed to turn off no-new-privs");
+ return -1;
+ }
+
+#ifdef SCMP_FLTATR_ATL_TSKIP
+ ret = seccomp_attr_set(conf->seccomp.seccomp_ctx, SCMP_FLTATR_ATL_TSKIP, 1);
+ if (ret < 0) {
+ errno = -ret;
+ SYSWARN("Failed to turn on seccomp nop-skip, continuing");
+ }
+#endif
+ }
+
+ while (getline(&line, line_bufsz, f) != -1) {
+ if (line[0] == '#')
+ continue;
+
+ if (line[0] == '\0')
+ continue;
+
+ remove_trailing_newlines(line);
+
+ DEBUG("Processing \"%s\"", line);
+
+ if (line[0] == '[') {
+ /* Read the architecture for next set of rules. */
+ if (strcmp(line, "[x86]") == 0 ||
+ strcmp(line, "[X86]") == 0) {
+ if (native_arch != lxc_seccomp_arch_i386 &&
+ native_arch != lxc_seccomp_arch_amd64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_i386;
+ } else if (strcmp(line, "[x32]") == 0 ||
+ strcmp(line, "[X32]") == 0) {
+ if (native_arch != lxc_seccomp_arch_amd64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_x32;
+ } else if (strcmp(line, "[X86_64]") == 0 ||
+ strcmp(line, "[x86_64]") == 0) {
+ if (native_arch != lxc_seccomp_arch_amd64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_amd64;
+ } else if (strcmp(line, "[all]") == 0 ||
+ strcmp(line, "[ALL]") == 0) {
+ cur_rule_arch = lxc_seccomp_arch_all;
+ }
+#ifdef SCMP_ARCH_ARM
+ else if (strcmp(line, "[arm]") == 0 ||
+ strcmp(line, "[ARM]") == 0) {
+ if (native_arch != lxc_seccomp_arch_arm &&
+ native_arch != lxc_seccomp_arch_arm64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_arm;
+ }
+#endif
+#ifdef SCMP_ARCH_AARCH64
+ else if (strcmp(line, "[arm64]") == 0 ||
+ strcmp(line, "[ARM64]") == 0) {
+ if (native_arch != lxc_seccomp_arch_arm64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_arm64;
+ }
+#endif
+#ifdef SCMP_ARCH_PPC64LE
+ else if (strcmp(line, "[ppc64le]") == 0 ||
+ strcmp(line, "[PPC64LE]") == 0) {
+ if (native_arch != lxc_seccomp_arch_ppc64le) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_ppc64le;
+ }
+#endif
+#ifdef SCMP_ARCH_PPC64
+ else if (strcmp(line, "[ppc64]") == 0 ||
+ strcmp(line, "[PPC64]") == 0) {
+ if (native_arch != lxc_seccomp_arch_ppc64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_ppc64;
+ }
+#endif
+#ifdef SCMP_ARCH_PPC
+ else if (strcmp(line, "[ppc]") == 0 ||
+ strcmp(line, "[PPC]") == 0) {
+ if (native_arch != lxc_seccomp_arch_ppc &&
+ native_arch != lxc_seccomp_arch_ppc64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_ppc;
+ }
+#endif
+#ifdef SCMP_ARCH_MIPS
+ else if (strcmp(line, "[mips64]") == 0 ||
+ strcmp(line, "[MIPS64]") == 0) {
+ if (native_arch != lxc_seccomp_arch_mips64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_mips64;
+ } else if (strcmp(line, "[mips64n32]") == 0 ||
+ strcmp(line, "[MIPS64N32]") == 0) {
+ if (native_arch != lxc_seccomp_arch_mips64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_mips64n32;
+ } else if (strcmp(line, "[mips]") == 0 ||
+ strcmp(line, "[MIPS]") == 0) {
+ if (native_arch != lxc_seccomp_arch_mips &&
+ native_arch != lxc_seccomp_arch_mips64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_mips;
+ } else if (strcmp(line, "[mipsel64]") == 0 ||
+ strcmp(line, "[MIPSEL64]") == 0) {
+ if (native_arch != lxc_seccomp_arch_mipsel64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_mipsel64;
+ } else if (strcmp(line, "[mipsel64n32]") == 0 ||
+ strcmp(line, "[MIPSEL64N32]") == 0) {
+ if (native_arch != lxc_seccomp_arch_mipsel64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_mipsel64n32;
+ } else if (strcmp(line, "[mipsel]") == 0 ||
+ strcmp(line, "[MIPSEL]") == 0) {
+ if (native_arch != lxc_seccomp_arch_mipsel &&
+ native_arch != lxc_seccomp_arch_mipsel64) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_mipsel;
+ }
+#endif
+#ifdef SCMP_ARCH_S390X
+ else if (strcmp(line, "[s390x]") == 0 ||
+ strcmp(line, "[S390X]") == 0) {
+ if (native_arch != lxc_seccomp_arch_s390x) {
+ cur_rule_arch = lxc_seccomp_arch_unknown;
+ continue;
+ }
+
+ cur_rule_arch = lxc_seccomp_arch_s390x;
+ }
+#endif
+ else {
+ goto bad_arch;
+ }
+
+ continue;
+ }
+
+ /* irrelevant arch - i.e. arm on i386 */
+ if (cur_rule_arch == lxc_seccomp_arch_unknown)
+ continue;
+
+ memset(&rule, 0, sizeof(rule));
+ /* read optional action which follows the syscall */
+ ret = parse_v2_rules(line, default_rule_action, &rule);
+ if (ret != 0) {
+ ERROR("Failed to interpret seccomp rule");
+ goto bad_rule;
+ }
+
+ if (cur_rule_arch == native_arch) {
+ /* add for native arch */
+ if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
+ conf->seccomp.seccomp_ctx, &rule))
+ goto bad_rule;
+
+ DEBUG("Added native rule for arch %d for %s action %d(%s)",
+ SCMP_ARCH_NATIVE, line, rule.action,
+ get_action_name(rule.action));
+ } else if (cur_rule_arch != lxc_seccomp_arch_all) {
+ /* add for compat specified arch */
+ int arch_index = get_arch_index(cur_rule_arch, &ctx);
+ if (arch_index < 0)
+ goto bad_arch;
+
+ if (!do_resolve_add_rule(ctx.architectures[arch_index], line,
+ ctx.contexts[arch_index], &rule))
+ goto bad_rule;
+
+ DEBUG("Added compat rule for arch %d for %s action %d(%s)",
+ ctx.architectures[arch_index], line, rule.action,
+ get_action_name(rule.action));
+ ctx.needs_merge[arch_index] = true;
+ } else {
+ /* add for all compat archs */
+ if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line,
+ conf->seccomp.seccomp_ctx, &rule))
+ goto bad_rule;
+
+ DEBUG("Added native rule for arch %d for %s action %d(%s)",
+ SCMP_ARCH_NATIVE, line, rule.action,
+ get_action_name(rule.action));
+
+ if (ctx.architectures[0] != SCMP_ARCH_NATIVE) {
+ if (!do_resolve_add_rule(ctx.architectures[0], line,
+ ctx.contexts[0], &rule))
+ goto bad_rule;
+
+ DEBUG("Added compat rule for arch %d for %s action %d(%s)",
+ ctx.architectures[0], line, rule.action,
+ get_action_name(rule.action));
+ ctx.needs_merge[0] = true;
+ }
+
+ if (ctx.architectures[1] != SCMP_ARCH_NATIVE) {
+ if (!do_resolve_add_rule(ctx.architectures[1], line,
+ ctx.contexts[1], &rule))
+ goto bad_rule;
+
+ DEBUG("Added compat rule for arch %d for %s action %d(%s)",
+ ctx.architectures[1], line, rule.action,
+ get_action_name(rule.action));
+ ctx.needs_merge[1] = true;
+ }
+
+ if (ctx.architectures[2] != SCMP_ARCH_NATIVE) {
+ if (!do_resolve_add_rule(ctx.architectures[2], line,
+ ctx.contexts[2], &rule))
+ goto bad_rule;
+
+ DEBUG("Added native rule for arch %d for %s action %d(%s)",
+ ctx.architectures[2], line, rule.action,
+ get_action_name(rule.action));
+ ctx.needs_merge[2] = true;
+ }
+ }
+
+ }
+
+ INFO("Merging compat seccomp contexts into main context");
+ if (ctx.contexts[0]) {
+ if (ctx.needs_merge[0]) {
+ ret = seccomp_merge(conf->seccomp.seccomp_ctx, ctx.contexts[0]);
+ if (ret < 0) {
+ ERROR("%s - Failed to merge first compat seccomp "
+ "context into main context", strerror(-ret));
+ goto bad;
+ }
+
+ TRACE("Merged first compat seccomp context into main context");
+ } else {
+ seccomp_release(ctx.contexts[0]);
+ ctx.contexts[0] = NULL;
+ }
+ }
+
+ if (ctx.contexts[1]) {
+ if (ctx.needs_merge[1]) {
+ ret = seccomp_merge(conf->seccomp.seccomp_ctx, ctx.contexts[1]);
+ if (ret < 0) {
+ ERROR("%s - Failed to merge second compat seccomp "
+ "context into main context", strerror(-ret));
+ goto bad;
+ }
+
+ TRACE("Merged second compat seccomp context into main context");
+ } else {
+ seccomp_release(ctx.contexts[1]);
+ ctx.contexts[1] = NULL;
+ }
+ }
+
+ if (ctx.contexts[2]) {
+ if (ctx.needs_merge[2]) {
+ ret = seccomp_merge(conf->seccomp.seccomp_ctx, ctx.contexts[2]);
+ if (ret < 0) {
+ ERROR("%s - Failed to merge third compat seccomp "
+ "context into main context", strerror(-ret));
+ goto bad;
+ }
+
+ TRACE("Merged third compat seccomp context into main context");
+ } else {
+ seccomp_release(ctx.contexts[2]);
+ ctx.contexts[2] = NULL;
+ }
+ }
+
+ free(line);
+ return 0;
+
+bad_arch:
+ ERROR("Unsupported architecture \"%s\"", line);
+
+bad_rule:
+bad:
+ if (ctx.contexts[0])
+ seccomp_release(ctx.contexts[0]);
+
+ if (ctx.contexts[1])
+ seccomp_release(ctx.contexts[1]);
+
+ if (ctx.contexts[2])
+ seccomp_release(ctx.contexts[2]);
+
+ free(line);
+
+ return -1;
+}
+#else
static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_conf *conf)
{
int ret;
@@ -1067,6 +1619,7 @@ bad:
return -1;
}
+#endif
#else /* HAVE_DECL_SECCOMP_SYSCALL_RESOLVE_NAME_ARCH */
static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
{
@@ -1288,6 +1841,7 @@ void lxc_seccomp_free(struct lxc_seccomp *seccomp)
seccomp_notify_free(seccomp->notifier.req_buf, seccomp->notifier.rsp_buf);
seccomp->notifier.req_buf = NULL;
seccomp->notifier.rsp_buf = NULL;
+ free_disarm(seccomp->notifier.cookie);
#endif
}
@@ -1498,6 +2052,7 @@ void seccomp_conf_init(struct lxc_conf *conf)
sizeof(conf->seccomp.notifier.proxy_addr));
conf->seccomp.notifier.req_buf = NULL;
conf->seccomp.notifier.rsp_buf = NULL;
+ conf->seccomp.notifier.cookie = NULL;
#endif
}
diff --git a/src/lxc/storage/zfs.c b/src/lxc/storage/zfs.c
index ee9e32d..903937a 100644
--- a/src/lxc/storage/zfs.c
+++ b/src/lxc/storage/zfs.c
@@ -167,13 +167,22 @@ int zfs_mount(struct lxc_storage *bdev)
const char *src;
char cmd_output[PATH_MAX] = {0};
+#ifdef HAVE_ISULAD
+ unsigned long pflags = 0;
+#endif
+
if (strcmp(bdev->type, "zfs"))
return -22;
if (!bdev->src || !bdev->dest)
return -22;
+#ifdef HAVE_ISULAD
+ ret = parse_mntopts(bdev->mntopts, &mntflags, &pflags, &mntdata);
+#else
ret = parse_mntopts(bdev->mntopts, &mntflags, &mntdata);
+#endif
+
if (ret < 0) {
ERROR("Failed to parse mount options");
return -22;
--
2.25.1
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/firstadream/lxc.git
[email protected]:firstadream/lxc.git
firstadream
lxc
lxc
master

搜索帮助