-
Notifications
You must be signed in to change notification settings - Fork 0
/
fs.c
125 lines (105 loc) · 3.56 KB
/
fs.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <syscall.h>
#include <unistd.h>
#include <sched.h>
#include "container.h"
static int update_map(char *path, char *buf, size_t size) {
int fd = open(path, O_WRONLY | O_CLOEXEC);
if (fd == -1) {
pr_err("error in opening file (%s): %s\n", path, strerror(errno));
return -1;
}
if (write(fd, buf, size) < 0) {
pr_err("error in writing to file (%s): %s\n", path, strerror(errno));
close(fd);
return -1;
}
close(fd);
return 0;
}
int setup_uid_gid_map(container_ctx *ctx)
{
// open the uid_map file and write the string
// we will use hardcoded value from /proc/$$/uid_map
char uid_map_path[256];
char gid_map_path[256];
char *map_buf = "0 0 4294967295";
snprintf(uid_map_path, 255, "/proc/%d/uid_map", ctx->child_pid);
snprintf(gid_map_path, 255, "/proc/%d/gid_map", ctx->child_pid);
if (update_map(uid_map_path, map_buf, strlen(map_buf)) < 0) return -1;
if (update_map(gid_map_path, map_buf, strlen(map_buf)) < 0) return -1;
return 0;
}
/* sets up the filesystem, called from the child process */
int setup_rootfs_childns(container_ctx* ctx)
{
int ret = 1;
// mount the current fs as MS_PRIVATE to prevent child mounts from propagating
if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
pr_err("mount: %s\n", strerror(errno));
return -1;
}
// ensure the new root mount point is a mount point, by doing a MS_BIND mount
if (mount(ctx->rootfs, ctx->rootfs, NULL, MS_BIND, NULL) == -1) {
pr_err("mount: %s\n", strerror(errno));
return -1;
}
// get handles for oldroot and newroot
int oldroot = open("/", O_DIRECTORY | O_RDONLY, 0);
if (oldroot == -1) {
pr_err("oldroot open: %s\n", strerror(errno));
return -1;
}
pr_info("opening rootfs: %s\n", ctx->rootfs);
int newroot = open(ctx->rootfs, O_DIRECTORY | O_RDONLY, 0);
if (newroot == -1) {
pr_err("newroot open: %s\n", strerror(errno));
goto close_old;
}
// change directory to the new root to perform pivot
if (fchdir(newroot) == -1) {
pr_err("fchdir: %s\n", strerror(errno));
goto close_new;
}
// perform pivot root
if (syscall(SYS_pivot_root, ".", ".") == -1) {
pr_err("pivot_root: %s\n", strerror(errno));
goto close_new;
}
// mount the procfs before we unmount the oldroot
if (mount("proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL) < 0) {
pr_err("error in mounting procfs: %s\n", strerror(errno));
return -1;
}
/**
* go back to oldroot. Why ?? : we need to unmount the oldroot,
* acccording to pivot_root, oldroot is underneath the newroot,
* so we need to be out of oldroot to unmount it.
**/
if (fchdir(oldroot) == -1) {
pr_err("oldroot fchdir: %s\n", strerror(errno));
goto close_new;
}
// unmount the old one
if (umount2(".", MNT_DETACH) == -1) {
pr_err("umount: %s\n", strerror(errno));
goto close_new;
}
// go to the new root
if (chdir("/") == -1) {
pr_err("chrdir: %s\n", strerror(errno));
goto close_new;
}
ret = 0;
close_new:
close(newroot);
close_old:
close(oldroot);
return ret;
}