make indent depend + style of comments
This commit is contained in:
Robert Swiecki
parent
4437810830
commit
cc4245d23a
3
Makefile
3
Makefile
@ -118,7 +118,8 @@ cpu.o: cpu.h nsjail.h logs.h util.h
|
|||||||
logs.o: logs.h macros.h util.h nsjail.h
|
logs.o: logs.h macros.h util.h nsjail.h
|
||||||
mnt.o: mnt.h nsjail.h logs.h macros.h subproc.h util.h
|
mnt.o: mnt.h nsjail.h logs.h macros.h subproc.h util.h
|
||||||
net.o: net.h nsjail.h logs.h subproc.h
|
net.o: net.h nsjail.h logs.h subproc.h
|
||||||
nsjail.o: nsjail.h cmdline.h logs.h macros.h net.h sandbox.h subproc.h util.h
|
nsjail.o: nsjail.h cgroup2.h cmdline.h logs.h macros.h net.h sandbox.h
|
||||||
|
nsjail.o: subproc.h util.h
|
||||||
pid.o: pid.h nsjail.h logs.h subproc.h
|
pid.o: pid.h nsjail.h logs.h subproc.h
|
||||||
sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h logs.h util.h
|
sandbox.o: sandbox.h nsjail.h kafel/include/kafel.h logs.h util.h
|
||||||
subproc.o: subproc.h nsjail.h cgroup.h cgroup2.h contain.h logs.h macros.h
|
subproc.o: subproc.h nsjail.h cgroup.h cgroup2.h contain.h logs.h macros.h
|
||||||
|
|||||||
36
cgroup2.cc
36
cgroup2.cc
@ -24,12 +24,12 @@
|
|||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
#include <limits.h>
|
#include <limits.h>
|
||||||
|
#include <linux/magic.h>
|
||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
#include <sys/vfs.h>
|
#include <sys/vfs.h>
|
||||||
#include <linux/magic.h>
|
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
#include <fstream>
|
#include <fstream>
|
||||||
@ -60,8 +60,10 @@ static bool createCgroup(const std::string &cgroup_path, pid_t pid) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
static bool moveSelfIntoChildCgroup(nsjconf_t *nsjconf) {
|
static bool moveSelfIntoChildCgroup(nsjconf_t *nsjconf) {
|
||||||
// Move ourselves into another group to avoid the 'No internal processes' rule
|
/*
|
||||||
// https://unix.stackexchange.com/a/713343
|
* Move ourselves into another group to avoid the 'No internal processes' rule
|
||||||
|
* https://unix.stackexchange.com/a/713343
|
||||||
|
*/
|
||||||
std::string jail_cgroup_path = getJailCgroupPath(nsjconf);
|
std::string jail_cgroup_path = getJailCgroupPath(nsjconf);
|
||||||
LOG_I("nsjail is moving itself to a new child cgroup: %s\n", jail_cgroup_path.c_str());
|
LOG_I("nsjail is moving itself to a new child cgroup: %s\n", jail_cgroup_path.c_str());
|
||||||
RETURN_ON_FAILURE(createCgroup(jail_cgroup_path, getpid()));
|
RETURN_ON_FAILURE(createCgroup(jail_cgroup_path, getpid()));
|
||||||
@ -69,26 +71,30 @@ static bool moveSelfIntoChildCgroup(nsjconf_t *nsjconf) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static bool enableCgroupSubtree(nsjconf_t *nsjconf, const std::string &controller, pid_t pid) {
|
static bool enableCgroupSubtree(nsjconf_t *nsjconf, const std::string &controller, pid_t pid) {
|
||||||
std::string cgroup_path = nsjconf->cgroupv2_mount;
|
std::string cgroup_path = nsjconf->cgroupv2_mount;
|
||||||
LOG_D("Enable cgroup.subtree_control +'%s' to '%s' for pid=%d", controller.c_str(), cgroup_path.c_str(), pid);
|
LOG_D("Enable cgroup.subtree_control +'%s' to '%s' for pid=%d", controller.c_str(),
|
||||||
|
cgroup_path.c_str(), pid);
|
||||||
std::string val = "+" + controller;
|
std::string val = "+" + controller;
|
||||||
|
|
||||||
// Try once without moving the nsjail process and if that fails then try moving the nsjail process
|
/* Try once without moving the nsjail process and if that fails then try moving the nsjail
|
||||||
// into a child cgroup before trying a second time.
|
* process into a child cgroup before trying a second time.
|
||||||
if (util::writeBufToFile(
|
*/
|
||||||
(cgroup_path + "/cgroup.subtree_control").c_str(), val.c_str(), val.length(), O_WRONLY, false)) {
|
if (util::writeBufToFile((cgroup_path + "/cgroup.subtree_control").c_str(), val.c_str(),
|
||||||
|
val.length(), O_WRONLY, false)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
if (errno == EBUSY) {
|
if (errno == EBUSY) {
|
||||||
RETURN_ON_FAILURE(moveSelfIntoChildCgroup(nsjconf));
|
RETURN_ON_FAILURE(moveSelfIntoChildCgroup(nsjconf));
|
||||||
if (util::writeBufToFile(
|
if (util::writeBufToFile((cgroup_path + "/cgroup.subtree_control").c_str(),
|
||||||
(cgroup_path + "/cgroup.subtree_control").c_str(), val.c_str(), val.length(), O_WRONLY)) {
|
val.c_str(), val.length(), O_WRONLY)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
LOG_E("Could not apply '%s' to cgroup.subtree_control in '%s'. If you are running in Docker, nsjail MUST be the root process to use cgroups.", val.c_str(), cgroup_path.c_str());
|
LOG_E(
|
||||||
|
"Could not apply '%s' to cgroup.subtree_control in '%s'. If you are running in Docker, "
|
||||||
|
"nsjail MUST be the root process to use cgroups.",
|
||||||
|
val.c_str(), cgroup_path.c_str());
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -153,7 +159,7 @@ bool setup(nsjconf_t *nsjconf) {
|
|||||||
// the controllers we need are there.
|
// the controllers we need are there.
|
||||||
auto p = nsjconf->cgroupv2_mount + "/cgroup.subtree_control";
|
auto p = nsjconf->cgroupv2_mount + "/cgroup.subtree_control";
|
||||||
char buf[SUBTREE_CONTROL_BUF_LEN];
|
char buf[SUBTREE_CONTROL_BUF_LEN];
|
||||||
int read = util::readFromFile(p.c_str(), buf, SUBTREE_CONTROL_BUF_LEN-1);
|
int read = util::readFromFile(p.c_str(), buf, SUBTREE_CONTROL_BUF_LEN - 1);
|
||||||
if (read < 0) {
|
if (read < 0) {
|
||||||
LOG_W("cgroupv2 setup: Could not read root subtree_control");
|
LOG_W("cgroupv2 setup: Could not read root subtree_control");
|
||||||
return false;
|
return false;
|
||||||
@ -162,8 +168,8 @@ bool setup(nsjconf_t *nsjconf) {
|
|||||||
|
|
||||||
// Are the controllers we need there?
|
// Are the controllers we need there?
|
||||||
bool subtree_ok = (!needMemoryController(nsjconf) || strstr(buf, "memory")) &&
|
bool subtree_ok = (!needMemoryController(nsjconf) || strstr(buf, "memory")) &&
|
||||||
(!needPidsController(nsjconf) || strstr(buf, "pids")) &&
|
(!needPidsController(nsjconf) || strstr(buf, "pids")) &&
|
||||||
(!needCpuController(nsjconf) || strstr(buf, "cpu"));
|
(!needCpuController(nsjconf) || strstr(buf, "cpu"));
|
||||||
if (!subtree_ok) {
|
if (!subtree_ok) {
|
||||||
// Now we can write to the root cgroup.subtree_control
|
// Now we can write to the root cgroup.subtree_control
|
||||||
if (needMemoryController(nsjconf)) {
|
if (needMemoryController(nsjconf)) {
|
||||||
|
|||||||
@ -32,8 +32,8 @@ namespace cgroup2 {
|
|||||||
bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid);
|
bool initNsFromParent(nsjconf_t* nsjconf, pid_t pid);
|
||||||
bool initNs(void);
|
bool initNs(void);
|
||||||
void finishFromParent(nsjconf_t* nsjconf, pid_t pid);
|
void finishFromParent(nsjconf_t* nsjconf, pid_t pid);
|
||||||
bool setup(nsjconf_t *nsjconf);
|
bool setup(nsjconf_t* nsjconf);
|
||||||
bool detectCgroupv2(nsjconf_t *nsjconf);
|
bool detectCgroupv2(nsjconf_t* nsjconf);
|
||||||
|
|
||||||
} // namespace cgroup2
|
} // namespace cgroup2
|
||||||
|
|
||||||
|
|||||||
@ -39,6 +39,7 @@
|
|||||||
#include <memory>
|
#include <memory>
|
||||||
#include <vector>
|
#include <vector>
|
||||||
|
|
||||||
|
#include "cgroup2.h"
|
||||||
#include "cmdline.h"
|
#include "cmdline.h"
|
||||||
#include "logs.h"
|
#include "logs.h"
|
||||||
#include "macros.h"
|
#include "macros.h"
|
||||||
@ -46,7 +47,6 @@
|
|||||||
#include "sandbox.h"
|
#include "sandbox.h"
|
||||||
#include "subproc.h"
|
#include "subproc.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "cgroup2.h"
|
|
||||||
|
|
||||||
namespace nsjail {
|
namespace nsjail {
|
||||||
|
|
||||||
|
|||||||
6
util.cc
6
util.cc
@ -89,7 +89,8 @@ bool writeToFd(int fd, const void* buf, size_t len) {
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool writeBufToFile(const char* filename, const void* buf, size_t len, int open_flags, bool log_errors) {
|
bool writeBufToFile(
|
||||||
|
const char* filename, const void* buf, size_t len, int open_flags, bool log_errors) {
|
||||||
int fd;
|
int fd;
|
||||||
TEMP_FAILURE_RETRY(fd = open(filename, open_flags, 0644));
|
TEMP_FAILURE_RETRY(fd = open(filename, open_flags, 0644));
|
||||||
if (fd == -1) {
|
if (fd == -1) {
|
||||||
@ -101,7 +102,8 @@ bool writeBufToFile(const char* filename, const void* buf, size_t len, int open_
|
|||||||
|
|
||||||
if (!writeToFd(fd, buf, len)) {
|
if (!writeToFd(fd, buf, len)) {
|
||||||
if (log_errors) {
|
if (log_errors) {
|
||||||
PLOG_E("Couldn't write '%zu' bytes to file '%s' (fd='%d')", len, filename, fd);
|
PLOG_E(
|
||||||
|
"Couldn't write '%zu' bytes to file '%s' (fd='%d')", len, filename, fd);
|
||||||
}
|
}
|
||||||
close(fd);
|
close(fd);
|
||||||
if (open_flags & O_CREAT) {
|
if (open_flags & O_CREAT) {
|
||||||
|
|||||||
3
util.h
3
util.h
@ -46,7 +46,8 @@ namespace util {
|
|||||||
ssize_t readFromFd(int fd, void* buf, size_t len);
|
ssize_t readFromFd(int fd, void* buf, size_t len);
|
||||||
ssize_t readFromFile(const char* fname, void* buf, size_t len);
|
ssize_t readFromFile(const char* fname, void* buf, size_t len);
|
||||||
bool writeToFd(int fd, const void* buf, size_t len);
|
bool writeToFd(int fd, const void* buf, size_t len);
|
||||||
bool writeBufToFile(const char* filename, const void* buf, size_t len, int open_flags, bool log_errors = true);
|
bool writeBufToFile(
|
||||||
|
const char* filename, const void* buf, size_t len, int open_flags, bool log_errors = true);
|
||||||
bool createDirRecursively(const char* dir);
|
bool createDirRecursively(const char* dir);
|
||||||
std::string* StrAppend(std::string* str, const char* format, ...)
|
std::string* StrAppend(std::string* str, const char* format, ...)
|
||||||
__attribute__((format(printf, 2, 3)));
|
__attribute__((format(printf, 2, 3)));
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user