2015-05-15 05:44:48 +08:00
|
|
|
/*
|
|
|
|
|
|
|
|
nsjail - subprocess management
|
|
|
|
-----------------------------------------
|
|
|
|
|
|
|
|
Copyright 2014 Google Inc. All Rights Reserved.
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "subproc.h"
|
|
|
|
|
|
|
|
#include <arpa/inet.h>
|
|
|
|
#include <errno.h>
|
2015-05-15 22:02:15 +08:00
|
|
|
#include <fcntl.h>
|
2016-07-21 21:48:47 +08:00
|
|
|
#include <linux/sched.h>
|
2015-05-15 05:44:48 +08:00
|
|
|
#include <netinet/in.h>
|
|
|
|
#include <sched.h>
|
2016-10-15 08:42:01 +08:00
|
|
|
#include <setjmp.h>
|
2015-05-15 05:44:48 +08:00
|
|
|
#include <signal.h>
|
|
|
|
#include <stdint.h>
|
2017-09-14 04:03:21 +08:00
|
|
|
#include <stdio.h>
|
2015-05-15 05:44:48 +08:00
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <sys/prctl.h>
|
|
|
|
#include <sys/queue.h>
|
|
|
|
#include <sys/syscall.h>
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/wait.h>
|
|
|
|
#include <time.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
|
2016-06-19 21:50:25 +08:00
|
|
|
#include "cgroup.h"
|
2017-09-14 04:03:21 +08:00
|
|
|
#include "common.h"
|
2015-05-15 05:44:48 +08:00
|
|
|
#include "contain.h"
|
|
|
|
#include "log.h"
|
|
|
|
#include "net.h"
|
|
|
|
#include "sandbox.h"
|
2016-03-03 22:54:15 +08:00
|
|
|
#include "user.h"
|
2016-01-17 11:14:09 +08:00
|
|
|
#include "util.h"
|
2015-05-15 05:44:48 +08:00
|
|
|
|
2016-05-09 21:16:26 +08:00
|
|
|
/* Single byte exchanged over the parent<->child sync descriptor to signal "setup done" */
static const char subprocDoneChar = 'D';

/* Expands to a { value, "NAME" } initializer pair, used to build flag-name tables */
#define VALSTR_STRUCT(x) { x, #x }

/* Fallback definition for build environments whose headers lack CLONE_NEWCGROUP */
#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000
#endif				/* CLONE_NEWCGROUP */
|
2017-05-22 03:35:02 +08:00
|
|
|
|
2017-05-22 07:10:49 +08:00
|
|
|
static const char *subprocCloneFlagsToStr(uintptr_t flags)
|
2017-05-22 01:44:54 +08:00
|
|
|
{
|
2017-05-22 07:10:49 +08:00
|
|
|
static __thread char cloneFlagName[1024];
|
|
|
|
cloneFlagName[0] = '\0';
|
2017-05-22 01:44:54 +08:00
|
|
|
|
2017-10-09 04:52:52 +08:00
|
|
|
// clang-format off
|
2017-09-14 04:03:21 +08:00
|
|
|
static struct {
|
|
|
|
const uintptr_t flag;
|
|
|
|
const char* const name;
|
|
|
|
} const cloneFlags[] = {
|
|
|
|
VALSTR_STRUCT(CLONE_VM),
|
|
|
|
VALSTR_STRUCT(CLONE_FS),
|
|
|
|
VALSTR_STRUCT(CLONE_FILES),
|
|
|
|
VALSTR_STRUCT(CLONE_SIGHAND),
|
|
|
|
VALSTR_STRUCT(CLONE_PTRACE),
|
|
|
|
VALSTR_STRUCT(CLONE_VFORK),
|
|
|
|
VALSTR_STRUCT(CLONE_PARENT),
|
|
|
|
VALSTR_STRUCT(CLONE_THREAD),
|
|
|
|
VALSTR_STRUCT(CLONE_NEWNS),
|
|
|
|
VALSTR_STRUCT(CLONE_SYSVSEM),
|
|
|
|
VALSTR_STRUCT(CLONE_SETTLS),
|
|
|
|
VALSTR_STRUCT(CLONE_PARENT_SETTID),
|
|
|
|
VALSTR_STRUCT(CLONE_CHILD_CLEARTID),
|
|
|
|
VALSTR_STRUCT(CLONE_DETACHED),
|
|
|
|
VALSTR_STRUCT(CLONE_UNTRACED),
|
|
|
|
VALSTR_STRUCT(CLONE_CHILD_SETTID),
|
|
|
|
VALSTR_STRUCT(CLONE_NEWCGROUP),
|
|
|
|
VALSTR_STRUCT(CLONE_NEWUTS),
|
|
|
|
VALSTR_STRUCT(CLONE_NEWIPC),
|
|
|
|
VALSTR_STRUCT(CLONE_NEWUSER),
|
|
|
|
VALSTR_STRUCT(CLONE_NEWPID),
|
|
|
|
VALSTR_STRUCT(CLONE_NEWNET),
|
|
|
|
VALSTR_STRUCT(CLONE_IO),
|
|
|
|
};
|
2017-10-09 04:52:52 +08:00
|
|
|
// clang-format on
|
2017-05-22 01:44:54 +08:00
|
|
|
|
|
|
|
for (size_t i = 0; i < ARRAYSIZE(cloneFlags); i++) {
|
|
|
|
if (flags & cloneFlags[i].flag) {
|
2017-05-22 07:10:49 +08:00
|
|
|
utilSSnPrintf(cloneFlagName, sizeof(cloneFlagName), "%s|",
|
|
|
|
cloneFlags[i].name);
|
2017-05-22 01:44:54 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-05-22 03:35:02 +08:00
|
|
|
uintptr_t knownFlagMask = CSIGNAL;
|
2017-05-22 01:44:54 +08:00
|
|
|
for (size_t i = 0; i < ARRAYSIZE(cloneFlags); i++) {
|
|
|
|
knownFlagMask |= cloneFlags[i].flag;
|
|
|
|
}
|
2017-05-22 03:35:02 +08:00
|
|
|
if (flags & ~(knownFlagMask)) {
|
2017-05-22 07:10:49 +08:00
|
|
|
utilSSnPrintf(cloneFlagName, sizeof(cloneFlagName), "%#tx|",
|
|
|
|
flags & ~(knownFlagMask));
|
2017-05-22 03:35:02 +08:00
|
|
|
}
|
2017-06-20 06:16:38 +08:00
|
|
|
utilSSnPrintf(cloneFlagName, sizeof(cloneFlagName), "%s", utilSigName(flags & CSIGNAL));
|
2017-05-22 07:10:49 +08:00
|
|
|
return cloneFlagName;
|
2017-05-22 01:44:54 +08:00
|
|
|
}
|
|
|
|
|
2015-05-15 22:02:15 +08:00
|
|
|
static int subprocNewProc(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_err, int pipefd)
|
2015-05-15 05:44:48 +08:00
|
|
|
{
|
2016-03-16 03:42:03 +08:00
|
|
|
if (containSetupFD(nsjconf, fd_in, fd_out, fd_err) == false) {
|
2017-09-25 13:08:22 +08:00
|
|
|
exit(0xff);
|
2015-08-16 02:48:48 +08:00
|
|
|
}
|
2016-05-05 11:44:12 +08:00
|
|
|
|
|
|
|
if (pipefd == -1) {
|
2016-10-15 08:42:01 +08:00
|
|
|
if (userInitNsFromParent(nsjconf, getpid()) == false) {
|
2016-06-19 21:50:25 +08:00
|
|
|
LOG_E("Couldn't initialize net user namespace");
|
2017-09-25 13:08:22 +08:00
|
|
|
exit(0xff);
|
2016-05-05 11:44:12 +08:00
|
|
|
}
|
2016-10-15 08:42:01 +08:00
|
|
|
if (cgroupInitNsFromParent(nsjconf, getpid()) == false) {
|
2016-06-20 01:36:56 +08:00
|
|
|
LOG_E("Couldn't initialize net user namespace");
|
2017-09-25 13:08:22 +08:00
|
|
|
exit(0xff);
|
2016-06-20 01:36:56 +08:00
|
|
|
}
|
2016-05-05 11:44:12 +08:00
|
|
|
} else {
|
|
|
|
char doneChar;
|
|
|
|
if (utilReadFromFd(pipefd, &doneChar, sizeof(doneChar)) != sizeof(doneChar)) {
|
2017-09-25 13:08:22 +08:00
|
|
|
exit(0xff);
|
2016-05-05 11:44:12 +08:00
|
|
|
}
|
|
|
|
if (doneChar != subprocDoneChar) {
|
2017-09-25 13:08:22 +08:00
|
|
|
exit(0xff);
|
2016-05-05 11:44:12 +08:00
|
|
|
}
|
2016-02-28 09:34:43 +08:00
|
|
|
}
|
2016-03-08 22:57:09 +08:00
|
|
|
if (containContain(nsjconf) == false) {
|
2017-09-25 13:08:22 +08:00
|
|
|
exit(0xff);
|
2015-05-15 05:44:48 +08:00
|
|
|
}
|
2016-01-27 00:42:10 +08:00
|
|
|
if (nsjconf->keep_env == false) {
|
|
|
|
clearenv();
|
|
|
|
}
|
|
|
|
struct charptr_t *p;
|
|
|
|
TAILQ_FOREACH(p, &nsjconf->envs, pointers) {
|
2017-10-07 06:18:21 +08:00
|
|
|
putenv((char *)p->val);
|
2015-05-15 05:44:48 +08:00
|
|
|
}
|
|
|
|
|
2017-02-12 03:33:54 +08:00
|
|
|
char cs_addr[64];
|
|
|
|
netConnToText(fd_in, true /* remote */ , cs_addr, sizeof(cs_addr), NULL);
|
2017-06-09 07:57:04 +08:00
|
|
|
LOG_I("Executing '%s' for '%s'", nsjconf->exec_file, cs_addr);
|
2017-02-12 03:33:54 +08:00
|
|
|
|
2016-03-04 08:39:21 +08:00
|
|
|
for (size_t i = 0; nsjconf->argv[i]; i++) {
|
|
|
|
LOG_D(" Arg[%zu]: '%s'", i, nsjconf->argv[i]);
|
2015-05-15 05:44:48 +08:00
|
|
|
}
|
2016-03-08 22:57:09 +08:00
|
|
|
|
|
|
|
/* Should be the last one in the sequence */
|
|
|
|
if (sandboxApply(nsjconf) == false) {
|
2017-09-25 13:08:22 +08:00
|
|
|
exit(0xff);
|
2016-03-08 22:57:09 +08:00
|
|
|
}
|
2017-10-07 06:18:21 +08:00
|
|
|
execv(nsjconf->exec_file, (char *const *)&nsjconf->argv[0]);
|
2015-05-15 22:02:15 +08:00
|
|
|
|
2017-06-09 07:57:04 +08:00
|
|
|
PLOG_E("execve('%s') failed", nsjconf->exec_file);
|
2015-05-15 22:02:15 +08:00
|
|
|
|
2017-09-25 13:08:22 +08:00
|
|
|
_exit(0xff);
|
2015-05-15 05:44:48 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static void subprocAdd(struct nsjconf_t *nsjconf, pid_t pid, int sock)
|
|
|
|
{
|
2016-02-28 09:34:43 +08:00
|
|
|
struct pids_t *p = utilMalloc(sizeof(struct pids_t));
|
2015-05-15 05:44:48 +08:00
|
|
|
p->pid = pid;
|
|
|
|
p->start = time(NULL);
|
|
|
|
netConnToText(sock, true /* remote */ , p->remote_txt, sizeof(p->remote_txt),
|
|
|
|
&p->remote_addr);
|
2016-05-08 09:09:43 +08:00
|
|
|
|
|
|
|
char fname[PATH_MAX];
|
|
|
|
snprintf(fname, sizeof(fname), "/proc/%d/syscall", (int)pid);
|
2016-09-10 09:20:32 +08:00
|
|
|
p->pid_syscall_fd = TEMP_FAILURE_RETRY(open(fname, O_RDONLY | O_CLOEXEC));
|
2016-05-08 09:09:43 +08:00
|
|
|
|
2016-01-09 23:09:05 +08:00
|
|
|
TAILQ_INSERT_HEAD(&nsjconf->pids, p, pointers);
|
2015-05-15 05:44:48 +08:00
|
|
|
|
|
|
|
LOG_D("Added pid '%d' with start time '%u' to the queue for IP: '%s'", pid,
|
|
|
|
(unsigned int)p->start, p->remote_txt);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void subprocRemove(struct nsjconf_t *nsjconf, pid_t pid)
|
|
|
|
{
|
|
|
|
struct pids_t *p;
|
2016-01-09 23:09:05 +08:00
|
|
|
TAILQ_FOREACH(p, &nsjconf->pids, pointers) {
|
2015-05-15 05:44:48 +08:00
|
|
|
if (p->pid == pid) {
|
2017-06-22 00:46:19 +08:00
|
|
|
LOG_D("Removing pid '%d' from the queue (IP:'%s', start time:'%s')", p->pid,
|
|
|
|
p->remote_txt, utilTimeToStr(p->start));
|
2016-07-29 21:38:22 +08:00
|
|
|
close(p->pid_syscall_fd);
|
2016-01-09 23:09:05 +08:00
|
|
|
TAILQ_REMOVE(&nsjconf->pids, p, pointers);
|
2015-05-15 05:44:48 +08:00
|
|
|
free(p);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
LOG_W("PID: %d not found (?)", pid);
|
|
|
|
}
|
|
|
|
|
|
|
|
int subprocCount(struct nsjconf_t *nsjconf)
|
|
|
|
{
|
|
|
|
int cnt = 0;
|
|
|
|
struct pids_t *p;
|
2016-01-09 23:09:05 +08:00
|
|
|
TAILQ_FOREACH(p, &nsjconf->pids, pointers) {
|
2015-05-15 05:44:48 +08:00
|
|
|
cnt++;
|
|
|
|
}
|
|
|
|
return cnt;
|
|
|
|
}
|
|
|
|
|
|
|
|
void subprocDisplay(struct nsjconf_t *nsjconf)
|
|
|
|
{
|
|
|
|
LOG_I("Total number of spawned namespaces: %d", subprocCount(nsjconf));
|
|
|
|
time_t now = time(NULL);
|
|
|
|
struct pids_t *p;
|
2016-01-09 23:09:05 +08:00
|
|
|
TAILQ_FOREACH(p, &nsjconf->pids, pointers) {
|
2015-05-15 05:44:48 +08:00
|
|
|
time_t diff = now - p->start;
|
2015-05-15 22:02:15 +08:00
|
|
|
time_t left = nsjconf->tlimit ? nsjconf->tlimit - diff : 0;
|
2015-08-16 02:10:07 +08:00
|
|
|
LOG_I("PID: %d, Remote host: %s, Run time: %ld sec. (time left: %ld sec.)", p->pid,
|
|
|
|
p->remote_txt, (long)diff, (long)left);
|
2015-05-15 05:44:48 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-05-08 09:09:43 +08:00
|
|
|
static struct pids_t *subprocGetPidElem(struct nsjconf_t *nsjconf, pid_t pid)
|
|
|
|
{
|
|
|
|
struct pids_t *p;
|
|
|
|
TAILQ_FOREACH(p, &nsjconf->pids, pointers) {
|
|
|
|
if (p->pid == pid) {
|
|
|
|
return p;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
 * Reports details about a child that was killed with SIGSYS.
 *
 * Besides the data available in 'si', it tries to read the child's
 * /proc/<pid>/syscall (through the descriptor stored when the child was added)
 * and logs the parsed contents. Depending on how many fields could be parsed it
 * logs either the full syscall record (9 fields), only SP/PC (3 fields), or the
 * raw text. If the PID is not tracked, or nothing could be read, only the
 * siginfo-based data is logged.
 */
static void subprocSeccompViolation(struct nsjconf_t *nsjconf, siginfo_t * si)
{
	LOG_W("PID: %d commited a syscall/seccomp violation and exited with SIGSYS", si->si_pid);

	struct pids_t *entry = subprocGetPidElem(nsjconf, si->si_pid);
	if (entry == NULL) {
		LOG_W("PID: %d, Syscall number: %d, Seccomp reason: %d", (int)si->si_pid,
		      si->si_syscall, si->si_errno);
		LOG_E("Couldn't find pid element in the subproc list for PID: %d", (int)si->si_pid);
		return;
	}

	char text[4096];
	ssize_t got = utilReadFromFd(entry->pid_syscall_fd, text, sizeof(text) - 1);
	if (got < 1) {
		LOG_W("PID: %d, Syscall number: %d, Seccomp reason: %d", (int)si->si_pid,
		      si->si_syscall, si->si_errno);
		return;
	}
	/* Terminate the string, replacing the final byte that was read */
	text[got - 1] = '\0';

	uintptr_t args[6], sp, pc;
	ptrdiff_t sc;
	int parsed = sscanf(text, "%td %tx %tx %tx %tx %tx %tx %tx %tx", &sc, &args[0], &args[1],
			    &args[2], &args[3], &args[4], &args[5], &sp, &pc);

	switch (parsed) {
	case 9:
		LOG_W
		    ("PID: %d, Syscall number: %td, Arguments: %#tx, %#tx, %#tx, %#tx, %#tx, %#tx, SP: %#tx, PC: %#tx, si_syscall: %d, si_errno: %#x",
		     (int)si->si_pid, sc, args[0], args[1], args[2], args[3], args[4], args[5], sp,
		     pc, si->si_syscall, si->si_errno);
		break;
	case 3:
		/* Short record: the two values following the number are printed as SP and PC */
		LOG_W("PID: %d, Syscall number: %d, Seccomp reason: %d, SP: %#tx, PC: %#tx",
		      (int)si->si_pid, si->si_syscall, si->si_errno, args[0], args[1]);
		break;
	default:
		LOG_W("PID: %d, Syscall number: %d, Seccomp reason: %d, Syscall string '%s'",
		      (int)si->si_pid, si->si_syscall, si->si_errno, text);
		break;
	}
}
|
|
|
|
|
2015-07-08 00:33:10 +08:00
|
|
|
int subprocReap(struct nsjconf_t *nsjconf)
|
2015-05-15 05:44:48 +08:00
|
|
|
{
|
|
|
|
int status;
|
2015-07-08 00:33:10 +08:00
|
|
|
int rv = 0;
|
2016-05-05 07:58:26 +08:00
|
|
|
siginfo_t si;
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
si.si_pid = 0;
|
|
|
|
if (waitid(P_ALL, 0, &si, WNOHANG | WNOWAIT | WEXITED) == -1) {
|
|
|
|
break;
|
2015-05-15 05:44:48 +08:00
|
|
|
}
|
2016-05-05 07:58:26 +08:00
|
|
|
if (si.si_pid == 0) {
|
|
|
|
break;
|
|
|
|
}
|
2016-05-05 11:04:01 +08:00
|
|
|
if (si.si_code == CLD_KILLED && si.si_status == SIGSYS) {
|
2016-05-08 09:09:43 +08:00
|
|
|
subprocSeccompViolation(nsjconf, &si);
|
2016-05-05 07:58:26 +08:00
|
|
|
}
|
|
|
|
|
2016-05-05 11:07:21 +08:00
|
|
|
if (wait4(si.si_pid, &status, WNOHANG, NULL) == si.si_pid) {
|
2016-06-19 22:02:00 +08:00
|
|
|
cgroupFinishFromParent(nsjconf, si.si_pid);
|
2017-06-20 00:53:29 +08:00
|
|
|
|
|
|
|
const char *remote_txt = "[UNKNOWN]";
|
|
|
|
struct pids_t *elem = subprocGetPidElem(nsjconf, si.si_pid);
|
|
|
|
if (elem) {
|
|
|
|
remote_txt = elem->remote_txt;
|
|
|
|
}
|
|
|
|
|
2016-05-05 07:58:26 +08:00
|
|
|
if (WIFEXITED(status)) {
|
2017-06-20 00:53:29 +08:00
|
|
|
LOG_I("PID: %d (%s) exited with status: %d, (PIDs left: %d)",
|
|
|
|
si.si_pid, remote_txt, WEXITSTATUS(status),
|
|
|
|
subprocCount(nsjconf) - 1);
|
2016-05-05 07:58:26 +08:00
|
|
|
subprocRemove(nsjconf, si.si_pid);
|
2016-05-05 11:12:06 +08:00
|
|
|
rv = WEXITSTATUS(status) % 100;
|
|
|
|
if (rv == 0 && WEXITSTATUS(status) != 0) {
|
|
|
|
rv = 1;
|
2016-05-05 07:58:26 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if (WIFSIGNALED(status)) {
|
2017-06-20 06:16:38 +08:00
|
|
|
LOG_I
|
|
|
|
("PID: %d (%s) terminated with signal: %s (%d), (PIDs left: %d)",
|
|
|
|
si.si_pid, remote_txt, utilSigName(WTERMSIG(status)),
|
|
|
|
WTERMSIG(status), subprocCount(nsjconf) - 1);
|
2016-05-05 07:58:26 +08:00
|
|
|
subprocRemove(nsjconf, si.si_pid);
|
|
|
|
rv = 100 + WTERMSIG(status);
|
|
|
|
}
|
2015-05-15 05:44:48 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
time_t now = time(NULL);
|
|
|
|
struct pids_t *p;
|
2016-01-09 23:09:05 +08:00
|
|
|
TAILQ_FOREACH(p, &nsjconf->pids, pointers) {
|
2015-05-15 05:44:48 +08:00
|
|
|
if (nsjconf->tlimit == 0) {
|
|
|
|
continue;
|
|
|
|
}
|
2016-05-05 07:58:26 +08:00
|
|
|
pid_t pid = p->pid;
|
2015-05-15 05:44:48 +08:00
|
|
|
time_t diff = now - p->start;
|
|
|
|
if (diff >= nsjconf->tlimit) {
|
|
|
|
LOG_I("PID: %d run time >= time limit (%ld >= %ld) (%s). Killing it", pid,
|
|
|
|
(long)diff, (long)nsjconf->tlimit, p->remote_txt);
|
2016-10-17 21:49:20 +08:00
|
|
|
/*
|
|
|
|
* Probably a kernel bug - some processes cannot be killed with KILL if
|
|
|
|
* they're namespaced, and in a stopped state
|
|
|
|
*/
|
2015-05-15 05:44:48 +08:00
|
|
|
kill(pid, SIGCONT);
|
|
|
|
PLOG_D("Sent SIGCONT to PID: %d", pid);
|
|
|
|
kill(pid, SIGKILL);
|
|
|
|
PLOG_D("Sent SIGKILL to PID: %d", pid);
|
|
|
|
}
|
|
|
|
}
|
2015-07-08 00:33:10 +08:00
|
|
|
return rv;
|
2015-05-15 05:44:48 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
void subprocKillAll(struct nsjconf_t *nsjconf)
|
|
|
|
{
|
|
|
|
struct pids_t *p;
|
2016-01-09 23:09:05 +08:00
|
|
|
TAILQ_FOREACH(p, &nsjconf->pids, pointers) {
|
2015-05-15 05:44:48 +08:00
|
|
|
kill(p->pid, SIGKILL);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-02-29 06:23:24 +08:00
|
|
|
static bool subprocInitParent(struct nsjconf_t *nsjconf, pid_t pid, int pipefd)
|
|
|
|
{
|
2016-03-03 22:43:40 +08:00
|
|
|
if (netInitNsFromParent(nsjconf, pid) == false) {
|
2016-02-29 06:23:24 +08:00
|
|
|
LOG_E("Couldn't create and put MACVTAP interface into NS of PID '%d'", pid);
|
|
|
|
return false;
|
|
|
|
}
|
2016-06-19 21:50:25 +08:00
|
|
|
if (cgroupInitNsFromParent(nsjconf, pid) == false) {
|
|
|
|
LOG_E("Couldn't initialize cgroup user namespace");
|
2017-09-25 13:08:22 +08:00
|
|
|
exit(0xff);
|
2016-06-19 21:50:25 +08:00
|
|
|
}
|
2016-03-03 22:54:15 +08:00
|
|
|
if (userInitNsFromParent(nsjconf, pid) == false) {
|
2016-02-29 06:23:24 +08:00
|
|
|
LOG_E("Couldn't initialize user namespaces for pid %d", pid);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (utilWriteToFd(pipefd, &subprocDoneChar, sizeof(subprocDoneChar)) !=
|
|
|
|
sizeof(subprocDoneChar)) {
|
|
|
|
LOG_E("Couldn't signal the new process via a socketpair");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2017-06-09 20:34:01 +08:00
|
|
|
/*
 * Will be used inside the child process only, so it's safe to have it in BSS.
 *
 * The middle of this buffer is handed to clone() as the child's initial stack
 * pointer, so the buffer is explicitly aligned: a plain uint8_t array carries no
 * alignment guarantee, while stack pointers generally must be suitably aligned.
 */
static uint8_t subprocCloneStack[128 * 1024] __attribute__ ((aligned(__BIGGEST_ALIGNMENT__)));	/* 128 KiB */
/* Cannot be on the stack, as the child's stack pointer will change after clone() */
static __thread jmp_buf env;
|
2016-10-15 08:42:01 +08:00
|
|
|
|
2016-11-03 10:53:52 +08:00
|
|
|
static int subprocCloneFunc(void *arg __attribute__ ((unused)))
|
2016-10-15 08:42:01 +08:00
|
|
|
{
|
2016-11-03 10:53:52 +08:00
|
|
|
longjmp(env, 1);
|
|
|
|
return 0;
|
2016-10-15 08:42:01 +08:00
|
|
|
}
|
|
|
|
|
2016-10-17 21:47:50 +08:00
|
|
|
/*
|
2017-06-09 20:34:01 +08:00
|
|
|
* Avoid problems with caching of PID/TID in glibc - when using syscall(__NR_clone) glibc doesn't
|
2016-10-17 21:47:50 +08:00
|
|
|
* not update internal PID/TID caches, which can lead to invalid values returned by getpid(),
|
|
|
|
* or wrong PID/TIDs being used in raise()/abort() functions
|
|
|
|
*/
|
2016-10-15 08:42:01 +08:00
|
|
|
pid_t subprocClone(uintptr_t flags)
|
|
|
|
{
|
|
|
|
if (flags & CLONE_VM) {
|
|
|
|
LOG_E("Cannot use clone(flags & CLONE_VM)");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (setjmp(env) == 0) {
|
2017-05-22 07:10:49 +08:00
|
|
|
LOG_D("Cloning process with flags:%s", subprocCloneFlagsToStr(flags));
|
2016-10-17 21:47:50 +08:00
|
|
|
/*
|
|
|
|
* Avoid the problem of the stack growing up/down under different CPU architectures, by using
|
|
|
|
* middle of the static stack buffer (which is temporary, and used only inside of subprocCloneFunc
|
|
|
|
*/
|
|
|
|
void *stack = &subprocCloneStack[sizeof(subprocCloneStack) / 2];
|
|
|
|
/* Parent */
|
2016-11-03 10:53:52 +08:00
|
|
|
return clone(subprocCloneFunc, stack, flags, NULL, NULL, NULL);
|
2016-10-15 08:42:01 +08:00
|
|
|
}
|
2016-10-17 21:47:50 +08:00
|
|
|
/* Child */
|
2016-10-15 08:42:01 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-05-15 05:44:48 +08:00
|
|
|
void subprocRunChild(struct nsjconf_t *nsjconf, int fd_in, int fd_out, int fd_err)
|
|
|
|
{
|
|
|
|
if (netLimitConns(nsjconf, fd_in) == false) {
|
|
|
|
return;
|
|
|
|
}
|
2016-03-04 08:39:21 +08:00
|
|
|
unsigned long flags = 0UL;
|
2015-05-15 05:44:48 +08:00
|
|
|
flags |= (nsjconf->clone_newnet ? CLONE_NEWNET : 0);
|
|
|
|
flags |= (nsjconf->clone_newuser ? CLONE_NEWUSER : 0);
|
|
|
|
flags |= (nsjconf->clone_newns ? CLONE_NEWNS : 0);
|
|
|
|
flags |= (nsjconf->clone_newpid ? CLONE_NEWPID : 0);
|
|
|
|
flags |= (nsjconf->clone_newipc ? CLONE_NEWIPC : 0);
|
|
|
|
flags |= (nsjconf->clone_newuts ? CLONE_NEWUTS : 0);
|
2016-06-19 17:55:55 +08:00
|
|
|
flags |= (nsjconf->clone_newcgroup ? CLONE_NEWCGROUP : 0);
|
2015-05-15 05:44:48 +08:00
|
|
|
|
2015-08-15 22:02:38 +08:00
|
|
|
if (nsjconf->mode == MODE_STANDALONE_EXECVE) {
|
2017-05-22 07:10:49 +08:00
|
|
|
LOG_D("Entering namespace with flags:%s", subprocCloneFlagsToStr(flags));
|
2015-08-15 22:02:38 +08:00
|
|
|
if (unshare(flags) == -1) {
|
2016-03-04 08:39:21 +08:00
|
|
|
PLOG_E("unshare(%#lx)", flags);
|
2017-09-25 13:08:22 +08:00
|
|
|
_exit(0xff);
|
2015-08-15 22:02:38 +08:00
|
|
|
}
|
|
|
|
subprocNewProc(nsjconf, fd_in, fd_out, fd_err, -1);
|
|
|
|
}
|
|
|
|
|
|
|
|
flags |= SIGCHLD;
|
2017-05-22 09:39:22 +08:00
|
|
|
LOG_D("Creating new process with clone flags:%s", subprocCloneFlagsToStr(flags));
|
2015-05-15 05:44:48 +08:00
|
|
|
|
2016-02-28 09:34:43 +08:00
|
|
|
int sv[2];
|
|
|
|
if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, sv) == -1) {
|
|
|
|
PLOG_E("socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC) failed");
|
2015-05-15 22:02:15 +08:00
|
|
|
return;
|
|
|
|
}
|
2016-05-10 05:16:26 +08:00
|
|
|
int child_fd = sv[0];
|
|
|
|
int parent_fd = sv[1];
|
2015-05-15 22:02:15 +08:00
|
|
|
|
2016-10-15 08:42:01 +08:00
|
|
|
pid_t pid = subprocClone(flags);
|
2015-05-15 05:44:48 +08:00
|
|
|
if (pid == 0) {
|
2016-07-29 21:38:22 +08:00
|
|
|
close(parent_fd);
|
2016-05-10 05:16:26 +08:00
|
|
|
subprocNewProc(nsjconf, fd_in, fd_out, fd_err, child_fd);
|
2015-05-15 05:44:48 +08:00
|
|
|
}
|
2016-07-29 21:38:22 +08:00
|
|
|
close(child_fd);
|
2015-05-15 05:44:48 +08:00
|
|
|
if (pid == -1) {
|
2017-05-22 09:39:22 +08:00
|
|
|
PLOG_E("clone(flags=%s) failed. You probably need root privileges if your system "
|
2015-05-15 05:44:48 +08:00
|
|
|
"doesn't support CLONE_NEWUSER. Alternatively, you might want to recompile your "
|
2015-08-12 10:32:34 +08:00
|
|
|
"kernel with support for namespaces or check the setting of the "
|
2017-05-22 09:39:22 +08:00
|
|
|
"kernel.unprivileged_userns_clone sysctl", subprocCloneFlagsToStr(flags));
|
2016-07-29 21:38:22 +08:00
|
|
|
close(parent_fd);
|
2015-05-15 05:44:48 +08:00
|
|
|
return;
|
|
|
|
}
|
2016-02-29 23:09:08 +08:00
|
|
|
subprocAdd(nsjconf, pid, fd_in);
|
2015-05-15 05:44:48 +08:00
|
|
|
|
2016-05-10 05:16:26 +08:00
|
|
|
if (subprocInitParent(nsjconf, pid, parent_fd) == false) {
|
2016-07-29 21:38:22 +08:00
|
|
|
close(parent_fd);
|
2016-02-28 23:43:35 +08:00
|
|
|
return;
|
2016-02-28 09:34:43 +08:00
|
|
|
}
|
2015-05-28 09:37:08 +08:00
|
|
|
|
2016-07-29 21:38:22 +08:00
|
|
|
close(parent_fd);
|
2015-10-18 01:11:48 +08:00
|
|
|
char cs_addr[64];
|
|
|
|
netConnToText(fd_in, true /* remote */ , cs_addr, sizeof(cs_addr), NULL);
|
2015-05-15 05:44:48 +08:00
|
|
|
}
|
2016-10-12 08:01:12 +08:00
|
|
|
|
|
|
|
int subprocSystem(const char **argv, char **env)
|
|
|
|
{
|
|
|
|
bool exec_failed = false;
|
|
|
|
|
|
|
|
int sv[2];
|
|
|
|
if (pipe2(sv, O_CLOEXEC) == -1) {
|
|
|
|
PLOG_W("pipe2(sv, O_CLOEXEC");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
pid_t pid = fork();
|
|
|
|
if (pid == -1) {
|
|
|
|
PLOG_W("fork()");
|
|
|
|
close(sv[0]);
|
|
|
|
close(sv[1]);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (pid == 0) {
|
|
|
|
close(sv[0]);
|
|
|
|
execve(argv[0], (char *const *)argv, (char *const *)env);
|
|
|
|
PLOG_W("execve('%s')", argv[0]);
|
|
|
|
utilWriteToFd(sv[1], "A", 1);
|
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
close(sv[1]);
|
|
|
|
char buf[1];
|
|
|
|
if (utilReadFromFd(sv[0], buf, sizeof(buf)) > 0) {
|
|
|
|
exec_failed = true;
|
|
|
|
LOG_W("Couldn't execute '%s'", argv[0]);
|
|
|
|
}
|
|
|
|
close(sv[0]);
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
int status;
|
|
|
|
int ret = wait4(pid, &status, __WALL, NULL);
|
|
|
|
if (ret == -1 && errno == EINTR) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (ret == -1) {
|
|
|
|
PLOG_W("wait4(pid=%d)", pid);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
if (WIFEXITED(status)) {
|
|
|
|
int exit_code = WEXITSTATUS(status);
|
|
|
|
LOG_D("PID %d exited with exit code: %d", pid, exit_code);
|
|
|
|
if (exec_failed == true) {
|
|
|
|
return -1;
|
|
|
|
} else if (exit_code == 0) {
|
|
|
|
return 0;
|
|
|
|
} else {
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (WIFSIGNALED(status)) {
|
|
|
|
int exit_signal = WTERMSIG(status);
|
2017-06-20 06:16:38 +08:00
|
|
|
LOG_W("PID %d killed by signal: %d (%s)", pid, exit_signal,
|
|
|
|
utilSigName(exit_signal));
|
2016-10-12 08:01:12 +08:00
|
|
|
return 2;
|
|
|
|
}
|
|
|
|
LOG_W("Unknown exit status: %d", status);
|
|
|
|
}
|
|
|
|
}
|