Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform2 / 25f969a7e2699361848d7601086f4c94b176bb2e / . / libcontainer / libcontainer_util.cc
blob: fab073b8ee17cd0ea4aa498860345174d3577f13 [file] [log] [blame]
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]1// Copyright 2017 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "libcontainer/libcontainer_util.h"
6
7#include <errno.h>
8#include <fcntl.h>
9#if USE_device_mapper
10#include <libdevmapper.h>
11#endif
12#include <linux/loop.h>
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]13#include <sched.h>
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]14#include <sys/mount.h>
15#include <sys/stat.h>
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]16#include <sys/wait.h>
Luis Hector Chavez92278e82017-10-16 11:30:27 -0700[diff] [blame]17#include <unistd.h>
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]18
19#include <memory>
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]20#include <utility>
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]21#include <vector>
22
23#include <base/bind.h>
24#include <base/bind_helpers.h>
25#include <base/callback_helpers.h>
Luis Hector Chavez92278e82017-10-16 11:30:27 -0700[diff] [blame]26#include <base/files/file_util.h>
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]27#include <base/files/scoped_file.h>
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]28#include <base/logging.h>
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]29#include <base/macros.h>
30#include <base/posix/eintr_wrapper.h>
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]31#include <base/strings/string_number_conversions.h>
32#include <base/strings/string_split.h>
33#include <base/strings/string_util.h>
34#include <base/strings/stringprintf.h>
35
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]36// New cgroup namespace might not be in linux-headers yet.
37#ifndef CLONE_NEWCGROUP
38#define CLONE_NEWCGROUP 0x02000000
39#endif
40
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]41namespace libcontainer {
42
43namespace {
44
Satoru Takabayashicf730fb2018-08-03 16:42:36 +0900[diff] [blame]45constexpr char kLoopdevCtlPath[] = "/dev/loop-control";
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]46#if USE_device_mapper
Satoru Takabayashicf730fb2018-08-03 16:42:36 +0900[diff] [blame]47constexpr char kDevMapperPath[] = "/dev/mapper/";
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]48#endif
49
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]50// Gets the namespace name for |nstype|.
51std::string GetNamespaceNameForType(int nstype) {
52 switch (nstype) {
53 case CLONE_NEWCGROUP:
54 return "cgroup";
55 case CLONE_NEWIPC:
56 return "ipc";
57 case CLONE_NEWNET:
58 return "net";
59 case CLONE_NEWNS:
60 return "mnt";
61 case CLONE_NEWPID:
62 return "pid";
63 case CLONE_NEWUSER:
64 return "user";
65 case CLONE_NEWUTS:
66 return "uts";
67 }
68 return std::string();
69}
70
71// Helper function that runs |callback| in all the namespaces identified by
72// |nstypes|.
73bool RunInNamespacesHelper(HookCallback callback,
74 std::vector<int> nstypes,
75 pid_t container_pid) {
76 pid_t child = fork();
77 if (child < 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]78 PLOG(ERROR) << "Failed to fork()";
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]79 return false;
80 }
81
82 if (child == 0) {
83 for (const int nstype : nstypes) {
84 std::string nstype_name = GetNamespaceNameForType(nstype);
85 if (nstype_name.empty()) {
86 LOG(ERROR) << "Invalid namespace type " << nstype;
87 _exit(-1);
88 }
89 base::FilePath ns_path = base::FilePath(base::StringPrintf(
90 "/proc/%d/ns/%s", container_pid, nstype_name.c_str()));
91 base::ScopedFD ns_fd(open(ns_path.value().c_str(), O_RDONLY));
92 if (!ns_fd.is_valid()) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]93 PLOG(ERROR) << "Failed to open " << ns_path.value();
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]94 _exit(-1);
95 }
96 if (setns(ns_fd.get(), nstype)) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]97 PLOG(ERROR) << "Failed to enter PID " << container_pid << "'s "
98 << nstype_name << " namespace";
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]99 _exit(-1);
100 }
101 }
102
103 // Preserve normal POSIX semantics of calling exit(2) with 0 for success and
104 // non-zero for failure.
105 _exit(callback.Run(container_pid) ? 0 : 1);
106 }
107
108 int status;
109 if (HANDLE_EINTR(waitpid(child, &status, 0)) < 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]110 PLOG(ERROR) << "Failed to wait for callback";
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]111 return false;
112 }
113 if (!WIFEXITED(status)) {
114 LOG(ERROR) << "Callback terminated abnormally: " << std::hex << status;
115 return false;
116 }
117 return static_cast<int8_t>(WEXITSTATUS(status)) == 0;
118}
119
Luis Hector Chaveze03926a2017-09-28 17:28:49 -0700[diff] [blame]120// Helper function that runs a program execve(2)-style.
121bool ExecveCallbackHelper(base::FilePath filename,
122 std::vector<std::string> args,
123 base::ScopedFD stdin_fd,
124 base::ScopedFD stdout_fd,
125 base::ScopedFD stderr_fd,
126 pid_t container_pid) {
127 pid_t child = fork();
128 if (child < 0) {
129 PLOG(ERROR) << "Failed to fork()";
130 return false;
131 }
132
133 if (child == 0) {
134 if (stdin_fd.is_valid()) {
135 if (dup2(stdin_fd.get(), STDIN_FILENO) == -1) {
136 PLOG(ERROR) << "Failed to dup2() stdin fd";
137 _exit(-1);
138 }
139 }
140 if (stdout_fd.is_valid()) {
141 if (dup2(stdout_fd.get(), STDOUT_FILENO) == -1) {
142 PLOG(ERROR) << "Failed to dup2() stdout fd";
143 _exit(-1);
144 }
145 }
146 if (stderr_fd.is_valid()) {
147 if (dup2(stderr_fd.get(), STDERR_FILENO) == -1) {
148 PLOG(ERROR) << "Failed to dup2() stderr fd";
149 _exit(-1);
150 }
151 }
152
Qijiang Fan26fd9222020-03-31 20:16:40 +0900[diff] [blame]153 std::string pid_str = base::NumberToString(container_pid);
Luis Hector Chaveze03926a2017-09-28 17:28:49 -0700[diff] [blame]154 std::vector<const char*> argv;
155 argv.reserve(args.size() + 1);
156 for (const auto& arg : args) {
157 if (arg == "$PID") {
158 argv.emplace_back(pid_str.c_str());
159 continue;
160 }
161 argv.emplace_back(arg.c_str());
162 }
163 argv.emplace_back(nullptr);
164
165 execve(filename.value().c_str(), const_cast<char**>(argv.data()), environ);
166
167 // Only happens when execve(2) fails.
168 _exit(-1);
169 }
170
171 int status;
172 if (HANDLE_EINTR(waitpid(child, &status, 0)) < 0) {
173 PLOG(ERROR) << "Failed to wait for hook";
174 return false;
175 }
176 if (!WIFEXITED(status)) {
177 LOG(ERROR) << "Hook terminated abnormally: " << std::hex << status;
178 return false;
179 }
180 return static_cast<int8_t>(WEXITSTATUS(status)) == 0;
181}
182
Luis Hector Chavez5cf71ed2018-05-07 14:45:43 -0700[diff] [blame]183// Immediately removes the loop device from the system.
184void RemoveLoopDevice(int control_fd, int32_t device) {
185 if (ioctl(control_fd, LOOP_CTL_REMOVE, device) < 0)
186 PLOG(ERROR) << "Failed to free /dev/loop" << device;
187}
188
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]189} // namespace
190
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]191WaitablePipe::WaitablePipe() {
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]192 if (pipe2(pipe_fds, O_CLOEXEC) < 0)
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]193 PLOG(FATAL) << "Failed to create pipe";
194}
195
196WaitablePipe::~WaitablePipe() {
197 if (pipe_fds[0] != -1)
198 close(pipe_fds[0]);
199 if (pipe_fds[1] != -1)
200 close(pipe_fds[1]);
201}
202
203WaitablePipe::WaitablePipe(WaitablePipe&& other) {
204 pipe_fds[0] = pipe_fds[1] = -1;
205 std::swap(pipe_fds, other.pipe_fds);
206}
207
208void WaitablePipe::Wait() {
209 char buf;
210
211 close(pipe_fds[1]);
212 HANDLE_EINTR(read(pipe_fds[0], &buf, sizeof(buf)));
213 close(pipe_fds[0]);
214
215 pipe_fds[0] = pipe_fds[1] = -1;
216}
217
218void WaitablePipe::Signal() {
219 close(pipe_fds[0]);
220 close(pipe_fds[1]);
221
222 pipe_fds[0] = pipe_fds[1] = -1;
223}
224
225HookState::HookState() = default;
226HookState::~HookState() = default;
227
228HookState::HookState(HookState&& state) = default;
229
230bool HookState::InstallHook(struct minijail* j, minijail_hook_event_t event) {
231 if (installed_) {
232 LOG(ERROR) << "Failed to install hook: already installed";
233 return false;
234 }
235
236 // All these fds will be closed in WaitHook in the child process.
237 for (size_t i = 0; i < 2; ++i) {
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]238 if (minijail_preserve_fd(j, reached_pipe_.pipe_fds[i],
239 reached_pipe_.pipe_fds[i]) != 0) {
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]240 LOG(ERROR) << "Failed to preserve reached pipe FDs to install hook";
241 return false;
242 }
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]243 if (minijail_preserve_fd(j, ready_pipe_.pipe_fds[i],
244 ready_pipe_.pipe_fds[i]) != 0) {
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]245 LOG(ERROR) << "Failed to preserve ready pipe FDs to install hook";
246 return false;
247 }
248 }
249
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]250 if (minijail_add_hook(j, &HookState::WaitHook, this, event) != 0) {
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]251 LOG(ERROR) << "Failed to add hook";
252 return false;
253 }
254
255 installed_ = true;
256 return true;
257}
258
259bool HookState::WaitForHookAndRun(const std::vector<HookCallback>& callbacks,
260 pid_t container_pid) {
261 if (!installed_) {
262 LOG(ERROR) << "Failed to wait for hook: not installed";
263 return false;
264 }
265 reached_pipe_.Wait();
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]266
267 for (auto& callback : callbacks) {
268 bool success = callback.Run(container_pid);
269 if (!success)
270 return false;
271 }
Chris Morina8cff682019-02-27 20:08:00 -0800[diff] [blame]272
273 ready_pipe_.Signal();
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]274 return true;
275}
276
277// static
278int HookState::WaitHook(void* payload) {
279 HookState* self = reinterpret_cast<HookState*>(payload);
280
281 self->reached_pipe_.Signal();
282 self->ready_pipe_.Wait();
283
284 return 0;
285}
286
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]287bool GetUsernsOutsideId(const std::string& map, int id, int* id_out) {
288 if (map.empty()) {
289 if (id_out)
290 *id_out = id;
291 return true;
292 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]293
294 std::string map_copy = map;
295 base::StringPiece map_piece(map_copy);
296
297 for (const auto& mapping : base::SplitStringPiece(
298 map_piece, ",", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL)) {
299 std::vector<base::StringPiece> tokens = base::SplitStringPiece(
300 mapping, " ", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
301
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]302 if (tokens.size() != 3) {
303 LOG(ERROR) << "Malformed ugid mapping: '" << mapping << "'";
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]304 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]305 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]306
307 uint32_t inside, outside, length;
308 if (!base::StringToUint(tokens[0], &inside) ||
309 !base::StringToUint(tokens[1], &outside) ||
310 !base::StringToUint(tokens[2], &length)) {
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]311 LOG(ERROR) << "Malformed ugid mapping: '" << mapping << "'";
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]312 return false;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]313 }
314
315 if (id >= inside && id <= (inside + length)) {
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]316 if (id_out)
317 *id_out = (id - inside) + outside;
318 return true;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]319 }
320 }
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]321 VLOG(1) << "ugid " << id << " not found in mapping";
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]322
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]323 return false;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]324}
325
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]326bool MakeDir(const base::FilePath& path, int uid, int gid, int mode) {
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]327 if (mkdir(path.value().c_str(), mode)) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]328 PLOG(ERROR) << "Failed to mkdir " << path.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]329 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]330 }
331 if (chmod(path.value().c_str(), mode)) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]332 PLOG(ERROR) << "Failed to chmod " << path.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]333 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]334 }
335 if (chown(path.value().c_str(), uid, gid)) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]336 PLOG(ERROR) << "Failed to chown " << path.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]337 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]338 }
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]339 return true;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]340}
341
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]342bool TouchFile(const base::FilePath& path, int uid, int gid, int mode) {
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]343 base::ScopedFD fd(open(path.value().c_str(), O_RDWR | O_CREAT, mode));
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]344 if (!fd.is_valid()) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]345 PLOG(ERROR) << "Failed to create " << path.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]346 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]347 }
348 if (fchown(fd.get(), uid, gid)) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]349 PLOG(ERROR) << "Failed to chown " << path.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]350 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]351 }
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]352 return true;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]353}
354
Luis Hector Chavez5cf71ed2018-05-07 14:45:43 -0700[diff] [blame]355bool LoopdevSetup(const base::FilePath& source, Loopdev* loopdev_out) {
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]356 base::ScopedFD source_fd(open(source.value().c_str(), O_RDONLY | O_CLOEXEC));
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]357 if (!source_fd.is_valid()) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]358 PLOG(ERROR) << "Failed to open " << source.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]359 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]360 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]361
362 base::ScopedFD control_fd(
363 open(kLoopdevCtlPath, O_RDWR | O_NOFOLLOW | O_CLOEXEC));
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]364 if (!control_fd.is_valid()) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]365 PLOG(ERROR) << "Failed to open " << source.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]366 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]367 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]368
369 while (true) {
370 int num = ioctl(control_fd.get(), LOOP_CTL_GET_FREE);
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]371 if (num < 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]372 PLOG(ERROR) << "Failed to open " << source.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]373 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]374 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]375
Luis Hector Chavez5cf71ed2018-05-07 14:45:43 -0700[diff] [blame]376 // Cleanup in case the setup fails. This frees |num| altogether.
377 base::ScopedClosureRunner loop_device_cleanup(
378 base::Bind(&RemoveLoopDevice, control_fd.get(), num));
379
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]380 base::FilePath loopdev_path(base::StringPrintf("/dev/loop%i", num));
381 base::ScopedFD loop_fd(
382 open(loopdev_path.value().c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC));
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]383 if (!loop_fd.is_valid()) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]384 PLOG(ERROR) << "Failed to open " << loopdev_path.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]385 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]386 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]387
Luis Hector Chavez5cf71ed2018-05-07 14:45:43 -0700[diff] [blame]388 if (ioctl(loop_fd.get(), LOOP_SET_FD, source_fd.get()) < 0) {
389 if (errno != EBUSY) {
390 PLOG(ERROR) << "Failed to ioctl(LOOP_SET_FD) " << loopdev_path.value();
391 return false;
392 }
393 continue;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]394 }
395
Luis Hector Chavez5cf71ed2018-05-07 14:45:43 -0700[diff] [blame]396 // Set the autoclear flag on the loop device, which will release it when
397 // there are no more references to it.
398 struct loop_info64 loop_info = {};
399 if (ioctl(loop_fd.get(), LOOP_GET_STATUS64, &loop_info) < 0) {
400 PLOG(ERROR) << "Failed to ioctl(LOOP_GET_STATUS64) "
401 << loopdev_path.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]402 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]403 }
Luis Hector Chavez5cf71ed2018-05-07 14:45:43 -0700[diff] [blame]404 loop_info.lo_flags |= LO_FLAGS_AUTOCLEAR;
405 if (ioctl(loop_fd.get(), LOOP_SET_STATUS64, &loop_info) < 0) {
406 PLOG(ERROR) << "Failed to ioctl(LOOP_SET_STATUS64, LO_FLAGS_AUTOCLEAR) "
407 << loopdev_path.value();
408 return false;
409 }
410
411 ignore_result(loop_device_cleanup.Release());
412 loopdev_out->path = loopdev_path;
413 loopdev_out->fd = std::move(loop_fd);
414 loopdev_out->info = loop_info;
415 break;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]416 }
417
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]418 return true;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]419}
420
Luis Hector Chavez5cf71ed2018-05-07 14:45:43 -0700[diff] [blame]421bool LoopdevDetach(Loopdev* loopdev) {
422 if (ioctl(loopdev->fd.get(), LOOP_CLR_FD) < 0) {
423 PLOG(ERROR) << "Failed to ioctl(LOOP_CLR_FD) for " << loopdev->path.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]424 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]425 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]426
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]427 return true;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]428}
429
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]430bool DeviceMapperSetup(const base::FilePath& source,
431 const std::string& verity_cmdline,
432 base::FilePath* dm_path_out,
433 std::string* dm_name_out) {
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]434#if USE_device_mapper
435 // Normalize the name into something unique-esque.
436 std::string dm_name =
437 base::StringPrintf("cros-containers-%s", source.value().c_str());
438 base::ReplaceChars(dm_name, "/", "_", &dm_name);
439
440 // Get the /dev path for the higher levels to mount.
441 base::FilePath dm_path = base::FilePath(kDevMapperPath).Append(dm_name);
442
443 // Insert the source path in the verity command line.
444 std::string verity = verity_cmdline;
445 base::ReplaceSubstringsAfterOffset(&verity, 0, "@DEV@", source.value());
446
447 // Extract the first three parameters for dm-verity settings.
448 char ttype[20];
449 unsigned long long start, size;
450 int n;
451 if (sscanf(verity.c_str(), "%llu %llu %10s %n", &start, &size, ttype, &n) !=
452 3) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]453 PLOG(ERROR) << "Malformed verity string " << verity;
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]454 return false;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]455 }
456
457 /* Finally create the device mapper. */
458 std::unique_ptr<struct dm_task, decltype(&dm_task_destroy)> dmt(
459 dm_task_create(DM_DEVICE_CREATE), &dm_task_destroy);
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]460 if (dmt == nullptr) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]461 PLOG(ERROR) << "Failed to dm_task_create() for " << source.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]462 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]463 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]464
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]465 if (dm_task_set_name(dmt.get(), dm_name.c_str()) != 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]466 PLOG(ERROR) << "Failed to dm_task_set_name() for " << source.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]467 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]468 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]469
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]470 if (dm_task_set_ro(dmt.get()) != 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]471 PLOG(ERROR) << "Failed to dm_task_set_ro() for " << source.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]472 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]473 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]474
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]475 if (dm_task_add_target(dmt.get(), start, size, ttype, verity.c_str() + n) !=
476 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]477 PLOG(ERROR) << "Failed to dm_task_add_target() for " << source.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]478 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]479 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]480
481 uint32_t cookie = 0;
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]482 if (dm_task_set_cookie(dmt.get(), &cookie, 0) != 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]483 PLOG(ERROR) << "Failed to dm_task_set_cookie() for " << source.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]484 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]485 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]486
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]487 if (dm_task_run(dmt.get()) != 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]488 PLOG(ERROR) << "Failed to dm_task_run() for " << source.value();
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]489 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]490 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]491
492 /* Make sure the node exists before we continue. */
493 dm_udev_wait(cookie);
494
495 *dm_path_out = dm_path;
496 *dm_name_out = dm_name;
497#endif
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]498 return true;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]499}
500
501// Tear down the device mapper target.
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]502bool DeviceMapperDetach(const std::string& dm_name) {
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]503#if USE_device_mapper
504 struct dm_task* dmt = dm_task_create(DM_DEVICE_REMOVE);
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]505 if (dmt == nullptr) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]506 PLOG(ERROR) << "Failed to dm_task_run() for " << dm_name;
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]507 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]508 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]509
510 base::ScopedClosureRunner teardown(
511 base::Bind(base::IgnoreResult(&dm_task_destroy), base::Unretained(dmt)));
512
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]513 if (dm_task_set_name(dmt, dm_name.c_str()) != 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]514 PLOG(ERROR) << "Failed to dm_task_set_name() for " << dm_name;
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]515 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]516 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]517
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]518 if (dm_task_run(dmt) != 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]519 PLOG(ERROR) << "Failed to dm_task_run() for " << dm_name;
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]520 return false;
Luis Hector Chavez835d39e2017-09-19 15:16:31 -0700[diff] [blame]521 }
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]522#endif
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]523 return true;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]524}
525
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]526bool MountExternal(const std::string& src,
527 const std::string& dest,
528 const std::string& type,
529 unsigned long flags,
530 const std::string& data) {
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]531 bool remount_ro = false;
532
533 // R/O bind mounts have to be remounted since 'bind' and 'ro' can't both be
534 // specified in the original bind mount. Remount R/O after the initial mount.
535 if ((flags & MS_BIND) && (flags & MS_RDONLY)) {
536 remount_ro = true;
537 flags &= ~MS_RDONLY;
538 }
539
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]540 if (mount(src.c_str(), dest.c_str(), type.c_str(), flags,
541 data.empty() ? nullptr : data.c_str()) != 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]542 PLOG(ERROR) << "Failed to mount " << src << " to " << dest;
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]543 return false;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]544 }
545
546 if (remount_ro) {
547 flags |= MS_RDONLY;
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]548 if (mount(src.c_str(), dest.c_str(), nullptr, flags | MS_REMOUNT,
549 data.empty() ? nullptr : data.c_str()) != 0) {
Luis Hector Chavezdc61f8d2017-10-02 11:12:46 -0700[diff] [blame]550 PLOG(ERROR) << "Failed to remount " << src << " to " << dest;
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]551 return false;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]552 }
553 }
554
Luis Hector Chavez1f7e60c2017-09-27 22:03:48 -0700[diff] [blame]555 return true;
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]556}
557
Luis Hector Chaveze03926a2017-09-28 17:28:49 -0700[diff] [blame]558bool Pipe2(base::ScopedFD* read_pipe, base::ScopedFD* write_pipe, int flags) {
559 int fds[2];
560 if (pipe2(fds, flags) != 0)
561 return false;
562 read_pipe->reset(fds[0]);
563 write_pipe->reset(fds[1]);
564 return true;
565}
566
567HookCallback CreateExecveCallback(base::FilePath filename,
568 std::vector<std::string> args,
569 base::ScopedFD stdin_fd,
570 base::ScopedFD stdout_fd,
571 base::ScopedFD stderr_fd) {
572 return base::Bind(
573 &ExecveCallbackHelper, filename, args, base::Passed(std::move(stdin_fd)),
574 base::Passed(std::move(stdout_fd)), base::Passed(std::move(stderr_fd)));
575}
576
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]577HookCallback AdaptCallbackToRunInNamespaces(HookCallback callback,
578 std::vector<int> nstypes) {
Tom Hughes25f969a2020-08-27 15:57:27 -0700[diff] [blame^]579 return base::Bind(&RunInNamespacesHelper, base::Passed(std::move(callback)),
Luis Hector Chavez644d2042017-09-19 18:56:44 -0700[diff] [blame]580 base::Passed(std::move(nstypes)));
581}
582
Luis Hector Chavez92278e82017-10-16 11:30:27 -0700[diff] [blame]583bool CreateDirectoryOwnedBy(const base::FilePath& full_path,
584 mode_t mode,
585 uid_t uid,
586 gid_t gid) {
587 if (base::DirectoryExists(full_path))
588 return true;
589
590 // Collect a list of all missing directories.
591 base::FilePath last_path = full_path;
592 std::vector<base::FilePath> missing_subpaths{full_path};
593 for (base::FilePath path = full_path.DirName();
594 path != last_path && !base::DirectoryExists(path);
595 path = path.DirName()) {
596 missing_subpaths.push_back(path);
597 last_path = path;
598 }
599
600 // Iterate through the missing parents, creating them.
601 for (std::vector<base::FilePath>::reverse_iterator i =
602 missing_subpaths.rbegin();
603 i != missing_subpaths.rend(); ++i) {
604 if (mkdir(i->value().c_str(), mode) != 0)
605 return false;
606 if (chown(i->value().c_str(), uid, gid) != 0)
607 return false;
608 }
609 return true;
610}
611
Luis Hector Chavez81efb332017-09-18 14:01:29 -0700[diff] [blame]612} // namespace libcontainer