
Commit 2f4626d

authored
Merge pull request #142 from laijs/enter-sandbox
enter the sandbox when hyper_setup_container_rootfs()
2 parents b28a02f + bf61d63 commit 2f4626d


6 files changed

+99
-151
lines changed


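--- a/src/container.c
+++ b/src/container.c
@@ -269,8 +269,8 @@ static int container_setup_mount(struct hyper_container *container)
 hyper_mkdir("./dev", 0755);
 hyper_mkdir("./lib/modules", 0755);
 
-// mount proc filesystem when the container init process running in the pidns of podinit
-if (mount("sysfs", "./sys", "sysfs", MS_NOSUID| MS_NODEV| MS_NOEXEC, NULL) < 0 ||
+if (mount("proc", "./proc", "proc", MS_NOSUID| MS_NODEV| MS_NOEXEC, NULL) < 0 ||
+mount("sysfs", "./sys", "sysfs", MS_NOSUID| MS_NODEV| MS_NOEXEC, NULL) < 0 ||
 mount("devtmpfs", "./dev", "devtmpfs", MS_NOSUID, NULL) < 0) {
 perror("mount basic filesystem for container failed");
 return -1;
@@ -512,6 +512,11 @@ static int hyper_setup_container_rootfs(void *data)
 int setup_dns;
 uint32_t type;
 
+if (hyper_enter_sandbox(arg->pod, -1) < 0) {
+perror("enter sandbox failed");
+goto fail;
+}
+
 if (hyper_rescan_scsi() < 0) {
 fprintf(stdout, "rescan scsi failed\n");
 goto fail;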
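Review bot: The proc mount now done unconditionally in container_setup_mount only shows the pod's processes if the process doing the mount is itself already in the pod's pid namespace — procfs reflects the mounter's own pid namespace, and setns(CLONE_NEWPID) by itself only moves children created afterwards — so the new `hyper_enter_sandbox(arg->pod, -1)` call in hyper_setup_container_rootfs has to have placed this process, not merely its future children, in that namespace before container_setup_mount runs; hyper_enter_sandbox's body is outside this diff, so that is worth confirming. The commit deletes the comment that recorded this ordering requirement, and I would keep it at the new call site, e.g. `/* must put this process in the pod pid namespace before container_setup_mount mounts ./proc */`. Both enclosing functions extend beyond their hunks.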

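--- a/src/exec.c
+++ b/src/exec.c
@@ -8,7 +8,6 @@
 #include <sys/ioctl.h>
 #include <sys/wait.h>
 #include <sys/socket.h>
-#include <sys/mount.h>
 #include <dirent.h>
 #include <sched.h>
 #include <errno.h>
@@ -24,6 +23,9 @@
 #include "parse.h"
 #include "syscall.h"
 
+static int hyper_release_exec(struct hyper_exec *, struct hyper_pod *);
+static void hyper_exec_process(struct hyper_exec *exec);
+
 static int send_exec_finishing(uint64_t seq, int len, int code, int block)
 {
 struct hyper_buf *buf = &ctl.tty.wbuf;
@@ -202,7 +204,7 @@ struct hyper_event_ops err_ops = {
 /* don't need write buff, the stderr data is one way */
 };
 
-int hyper_setup_exec_user(struct hyper_exec *exec)
+static int hyper_setup_exec_user(struct hyper_exec *exec)
 {
 char *user = exec->user == NULL || strlen(exec->user) == 0 ? NULL : exec->user;
 char *group = exec->group == NULL || strlen(exec->group) == 0 ? NULL : exec->group;
@@ -333,7 +335,7 @@ static int hyper_setup_exec_notty(struct hyper_exec *e)
 return 0;
 }
 
-int hyper_setup_exec_tty(struct hyper_exec *e)
+static int hyper_setup_exec_tty(struct hyper_exec *e)
 {
 int unlock = 0;
 int ptymaster;
@@ -410,7 +412,7 @@ int hyper_setup_exec_tty(struct hyper_exec *e)
 return 0;
 }
 
-int hyper_dup_exec_tty(struct hyper_exec *e)
+static int hyper_dup_exec_tty(struct hyper_exec *e)
 {
 int ret = -1;
 
@@ -457,7 +459,7 @@ int hyper_dup_exec_tty(struct hyper_exec *e)
 return ret;
 }
 
-int hyper_watch_exec_pty(struct hyper_exec *exec, struct hyper_pod *pod)
+static int hyper_watch_exec_pty(struct hyper_exec *exec, struct hyper_pod *pod)
 {
 fprintf(stdout, "hyper_init_event container pts event %p, ops %p, fd %d\n",
 &exec->stdinev, &in_ops, exec->stdinev.fd);
@@ -488,107 +490,34 @@ int hyper_watch_exec_pty(struct hyper_exec *exec, struct hyper_pod *pod)
 return 0;
 }
 
-static int hyper_enter_container(struct hyper_pod *pod,
-struct hyper_exec *exec)
+static int hyper_do_exec_cmd(struct hyper_exec *exec, struct hyper_pod *pod, int pipe)
 {
-int ipcns, utsns, mntns, ret;
 struct hyper_container *c;
-char path[512];
 
-ret = ipcns = utsns = mntns = -1;
+if (hyper_enter_sandbox(pod, pipe) < 0) {
+perror("enter pidns of pod init failed");
+hyper_send_type(pipe, -1);
+goto out;
+}
 
 c = hyper_find_container(pod, exec->id);
 if (c == NULL) {
 fprintf(stderr, "can not find container %s\n", exec->id);
-return -1;
-}
-
-sprintf(path, "/proc/%d/ns/uts", pod->init_pid);
-utsns = open(path, O_RDONLY| O_CLOEXEC);
-if (utsns < 0) {
-perror("fail to open utsns of pod init");
-goto out;
-}
-
-sprintf(path, "/proc/%d/ns/ipc", pod->init_pid);
-ipcns = open(path, O_RDONLY| O_CLOEXEC);
-if (ipcns < 0) {
-perror("fail to open ipcns of pod init");
-goto out;
-}
-
-mntns = c->ns;
-if (mntns < 0) {
-perror("fail to open mntns of pod init");
 goto out;
 }
 
-if (setns(utsns, CLONE_NEWUTS) < 0 ||
-setns(ipcns, CLONE_NEWIPC) <0 ||
-setns(mntns, CLONE_NEWNS) < 0) {
+if (setns(c->ns, CLONE_NEWNS) < 0) {
 perror("fail to enter container ns");
 goto out;
 }
+chdir("/");
 
 /* TODO: merge container env to exec env in hyperd */
 if (hyper_setup_env(c->exec.envs, c->exec.envs_num) < 0) {
 fprintf(stderr, "setup container envs for exec failed\n");
 goto out;
 }
 
-/* TODO: wait for container finishing setup root */
-chdir("/");
-
-/* already in pidns & mntns of container, mount proc filesystem */
-if (exec->init && mount("proc", "/proc", "proc", MS_NOSUID| MS_NODEV| MS_NOEXEC, NULL) < 0) {
-perror("fail to mount proc filesystem for container");
-goto out;
-}
-
-ret = 0;
-out:
-close(ipcns);
-close(utsns);
-
-return ret;
-}
-
-static int hyper_do_exec_cmd(struct hyper_exec *exec, struct hyper_pod *pod, int pipe)
-{
-int pid = -1, ret = -1;
-char path[512];
-int pidns;
-
-sprintf(path, "/proc/%d/ns/pid", pod->init_pid);
-pidns = open(path, O_RDONLY| O_CLOEXEC);
-if (pidns < 0) {
-perror("fail to open pidns of pod init");
-goto out;
-}
-
-/* enter pidns of pod init, so the children of this process will run in
-* pidns of pod init, see man 2 setns */
-if (setns(pidns, CLONE_NEWPID) < 0) {
-perror("enter pidns of pod init failed");
-goto out;
-}
-close(pidns);
-
-pid = fork();
-if (pid < 0) {
-perror("fail to fork");
-goto out;
-} else if (pid > 0) {
-fprintf(stdout, "create exec cmd %s pid %d,ref %d\n", exec->argv[0], pid, exec->ref);
-ret = 0;
-goto out;
-}
-
-if (hyper_enter_container(pod, exec) < 0) {
-fprintf(stderr, "enter container ns failed\n");
-goto exit;
-}
-
 // set early env. the container env config can overwrite it
 setenv("HOME", "/root", 1);
 setenv("HOSTNAME", pod->hostname, 1);
@@ -599,15 +528,12 @@ static int hyper_do_exec_cmd(struct hyper_exec *exec, struct hyper_pod *pod, int
 
 hyper_exec_process(exec);
 
-exit:
-_exit(125);
 out:
-hyper_send_type(pipe, pid);
-_exit(ret);
+_exit(125);
 }
 
 // do the exec, no return
-void hyper_exec_process(struct hyper_exec *exec)
+static void hyper_exec_process(struct hyper_exec *exec)
 {
 if (sigprocmask(SIG_SETMASK, &orig_mask, NULL) < 0) {
 perror("sigprocmask restore mask failed");
@@ -624,7 +550,7 @@ void hyper_exec_process(struct hyper_exec *exec)
 goto exit;
 }
 
-// set the container env
+// set the process env
 if (hyper_setup_env(exec->envs, exec->envs_num) < 0) {
 fprintf(stderr, "setup env failed\n");
 goto exit;
@@ -773,8 +699,8 @@ static int hyper_send_pod_finished(struct hyper_pod *pod)
 return ret;
 }
 
-int hyper_release_exec(struct hyper_exec *exec,
-struct hyper_pod *pod)
+static int hyper_release_exec(struct hyper_exec *exec,
+struct hyper_pod *pod)
 {
 if (--exec->ref != 0) {
 fprintf(stdout, "still have %d user of exec\n", exec->ref);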
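Review bot: In the rewritten hyper_do_exec_cmd the explicit setns() calls into pod init's uts and ipc namespaces are removed and only the container mount namespace is entered via `setns(c->ns, CLONE_NEWNS)`, so whether an exec'd process still ends up in the pod's uts, ipc and pid namespaces now rests entirely on hyper_enter_sandbox, whose body is not in this diff; that should be confirmed, since losing it would leave exec'd processes sharing hostname and SysV IPC with the init process. The message on that failure path, `perror("enter pidns of pod init failed");`, also understates what the helper does, while container.c reports the same failure as `perror("enter sandbox failed");` — the two should match. The new `chdir("/");` after the setns is still unchecked, as it was before. hyper_do_exec_cmd's body continues past this hunk into the next one.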

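--- a/src/exec.h
+++ b/src/exec.h
@@ -45,18 +45,10 @@ struct hyper_exec {
 struct hyper_pod;
 
 int hyper_exec_cmd(char *json, int length);
-int hyper_release_exec(struct hyper_exec *, struct hyper_pod *);
-int hyper_container_execcmd(struct hyper_pod *pod);
-int hyper_setup_exec_tty(struct hyper_exec *e);
-int hyper_dup_exec_tty(struct hyper_exec *e);
 int hyper_run_process(struct hyper_exec *e);
-void hyper_exec_process(struct hyper_exec *e);
 struct hyper_exec *hyper_find_exec_by_pid(struct list_head *head, int pid);
 struct hyper_exec *hyper_find_exec_by_seq(struct hyper_pod *pod, uint64_t seq);
-int hyper_setup_exec_user(struct hyper_exec *e);
 int hyper_handle_exec_exit(struct hyper_pod *pod, int pid, uint8_t code);
-int hyper_watch_exec_pty(struct hyper_exec *exec, struct hyper_pod *pod);
 void hyper_cleanup_exec(struct hyper_pod *pod);
 
-extern struct hyper_event_ops pts_ops;
 #endif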

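--- a/src/hyper.h
+++ b/src/hyper.h
@@ -74,7 +74,6 @@ struct portmapping_white_list {
 };
 
 struct hyper_win_size {
-char *tty;
 int row;
 int column;
 uint64_t seq;
@@ -119,8 +118,8 @@ static inline int hyper_create(char *hyper_path)
 }
 
 int hyper_open_serial(char *tty);
-int hyper_start_containers(struct hyper_pod *pod);
 void hyper_cleanup_pod(struct hyper_pod *pod);
+int hyper_enter_sandbox(struct hyper_pod *pod, int pidpipe);
 
 extern struct hyper_pod global_pod;
 extern struct hyper_ctl ctl;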
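Review bot: The new declaration `int hyper_enter_sandbox(struct hyper_pod *pod, int pidpipe);` is the interface both container.c and exec.c now depend on for namespace entry, yet it carries no comment on what pidpipe is or what -1 means, even though container.c passes -1 and exec.c passes its pid pipe. Since the definition is not in this diff, the contract — which namespaces are entered, whether a pid is written to pidpipe, whether -1 means "no pipe", and whether the call returns in the parent or the child — should be written at the declaration once checked against the definition, e.g. `/* Enter the pod sandbox namespaces; pidpipe is the fd on which the resulting pid is reported, or -1 for none. Returns < 0 on failure. */` with the details adjusted to match the implementation.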
