]>
Commit | Line | Data |
---|---|---|
cc73685d | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
724e753c | 2 | |
d38dd64a CB |
3 | #ifndef _GNU_SOURCE |
4 | #define _GNU_SOURCE 1 | |
5 | #endif | |
cf685555 | 6 | #include <caps.h> |
724e753c | 7 | #include <errno.h> |
91480a0f | 8 | #include <fcntl.h> |
fe84a562 | 9 | #include <malloc.h> |
37515ebd | 10 | #include <poll.h> |
fe84a562 CB |
11 | #include <signal.h> |
12 | #include <stdio.h> | |
13 | #include <stdlib.h> | |
fe84a562 | 14 | #include <sys/param.h> |
724e753c MN |
15 | #include <sys/socket.h> |
16 | #include <sys/un.h> | |
d38dd64a | 17 | #include <unistd.h> |
724e753c | 18 | |
fe84a562 | 19 | #include "af_unix.h" |
5f126977 | 20 | #include "cgroups/cgroup.h" |
2a63b5cb | 21 | #include "cgroups/cgroup2_devices.h" |
724e753c | 22 | #include "commands.h" |
bbf5cf35 | 23 | #include "commands_utils.h" |
fe84a562 | 24 | #include "conf.h" |
d38dd64a | 25 | #include "config.h" |
ef6e34ee | 26 | #include "confile.h" |
fe84a562 CB |
27 | #include "log.h" |
28 | #include "lxc.h" | |
dbc9832d | 29 | #include "lxclock.h" |
cdb2a47f | 30 | #include "lxcseccomp.h" |
724e753c | 31 | #include "mainloop.h" |
5265a60c | 32 | #include "memory_utils.h" |
dbc9832d | 33 | #include "monitor.h" |
fe84a562 | 34 | #include "start.h" |
0ed9b1bc | 35 | #include "terminal.h" |
fe84a562 | 36 | #include "utils.h" |
724e753c | 37 | |
ded1d23f | 38 | /* |
fe84a562 CB |
39 | * This file provides the different functions for clients to query/command the |
40 | * server. The client is typically some lxc tool and the server is typically the | |
41 | * container (ie. lxc-start). | |
ded1d23f | 42 | * |
fe84a562 CB |
43 | * Each command is transactional, the clients send a request to the server and |
44 | * the server answers the request with a message giving the request's status | |
45 | * (zero or a negative errno value). Both the request and response may contain | |
46 | * additional data. | |
ded1d23f | 47 | * |
fe84a562 CB |
48 | * Each command is wrapped in a ancillary message in order to pass a credential |
49 | * making possible to the server to check if the client is allowed to ask for | |
50 | * this command or not. | |
80bcb053 | 51 | * |
fe84a562 CB |
52 | * IMPORTANTLY: Note that semantics for current commands are fixed. If you wish |
53 | * to make any changes to how, say, LXC_CMD_GET_CONFIG_ITEM works by adding | |
54 | * information to the end of cmd.data, then you must introduce a new | |
55 | * LXC_CMD_GET_CONFIG_ITEM_V2 define with a new number. You may wish to also | |
56 | * mark LXC_CMD_GET_CONFIG_ITEM deprecated in commands.h. | |
80bcb053 SH |
57 | * |
58 | * This is necessary in order to avoid having a newly compiled lxc command | |
59 | * communicating with a running (old) monitor from crashing the running | |
60 | * container. | |
ded1d23f DL |
61 | */ |
62 | ||
ac2cecc4 | 63 | lxc_log_define(commands, lxc); |
724e753c | 64 | |
ef6e34ee | 65 | static const char *lxc_cmd_str(lxc_cmd_t cmd) |
724e753c | 66 | { |
fe84a562 | 67 | static const char *const cmdname[LXC_CMD_MAX] = { |
2a63b5cb CB |
68 | [LXC_CMD_CONSOLE] = "console", |
69 | [LXC_CMD_TERMINAL_WINCH] = "terminal_winch", | |
70 | [LXC_CMD_STOP] = "stop", | |
71 | [LXC_CMD_GET_STATE] = "get_state", | |
72 | [LXC_CMD_GET_INIT_PID] = "get_init_pid", | |
73 | [LXC_CMD_GET_CLONE_FLAGS] = "get_clone_flags", | |
74 | [LXC_CMD_GET_CGROUP] = "get_cgroup", | |
75 | [LXC_CMD_GET_CONFIG_ITEM] = "get_config_item", | |
76 | [LXC_CMD_GET_NAME] = "get_name", | |
77 | [LXC_CMD_GET_LXCPATH] = "get_lxcpath", | |
78 | [LXC_CMD_ADD_STATE_CLIENT] = "add_state_client", | |
79 | [LXC_CMD_CONSOLE_LOG] = "console_log", | |
80 | [LXC_CMD_SERVE_STATE_CLIENTS] = "serve_state_clients", | |
81 | [LXC_CMD_SECCOMP_NOTIFY_ADD_LISTENER] = "seccomp_notify_add_listener", | |
82 | [LXC_CMD_ADD_BPF_DEVICE_CGROUP] = "add_bpf_device_cgroup", | |
018051e3 CB |
83 | [LXC_CMD_FREEZE] = "freeze", |
84 | [LXC_CMD_UNFREEZE] = "unfreeze", | |
bad788b0 | 85 | [LXC_CMD_GET_CGROUP2_FD] = "get_cgroup2_fd", |
746aab51 | 86 | [LXC_CMD_GET_INIT_PIDFD] = "get_init_pidfd", |
a900cbaf WB |
87 | [LXC_CMD_GET_LIMITING_CGROUP] = "get_limiting_cgroup", |
88 | [LXC_CMD_GET_LIMITING_CGROUP2_FD] = "get_limiting_cgroup2_fd", | |
f797f05e | 89 | [LXC_CMD_GET_DEVPTS_FD] = "get_devpts_fd", |
21405769 | 90 | [LXC_CMD_GET_SECCOMP_NOTIFY_FD] = "get_seccomp_notify_fd", |
ef6e048a | 91 | [LXC_CMD_GET_CGROUP_CTX] = "get_cgroup_ctx", |
ef6e34ee | 92 | }; |
724e753c | 93 | |
f371aca9 | 94 | if (cmd >= LXC_CMD_MAX) |
a8007512 | 95 | return "Invalid request"; |
fe84a562 | 96 | |
ef6e34ee DE |
97 | return cmdname[cmd]; |
98 | } | |
99 | ||
ef6e048a CB |
100 | static int __transfer_cgroup_ctx_fds(struct unix_fds *fds, struct cgroup_ctx *ctx) |
101 | { | |
102 | /* This shouldn't be able to happen but better safe than sorry. */ | |
103 | if (ctx->fd_len != fds->fd_count_ret || | |
104 | fds->fd_count_ret > CGROUP_CTX_MAX_FD) | |
105 | return syswarn_set(-EINVAL, "Unexpected number of file descriptors received %u != %u", | |
106 | ctx->fd_len, fds->fd_count_ret); | |
107 | ||
108 | memcpy(ctx->fd, fds->fd, ctx->fd_len * sizeof(__s32)); | |
109 | fds->fd_count_ret = 0; | |
110 | return 0; | |
111 | } | |
112 | ||
ef6e34ee DE |
113 | /* |
114 | * lxc_cmd_rsp_recv: Receive a response to a command | |
115 | * | |
116 | * @sock : the socket connected to the container | |
117 | * @cmd : command to put response in | |
118 | * | |
119 | * Returns the size of the response message or < 0 on failure | |
120 | * | |
121 | * Note that if the command response datalen > 0, then data is | |
122 | * a malloc()ed buffer and should be free()ed by the caller. If | |
123 | * the response data is <= a void * worth of data, it will be | |
124 | * stored directly in data and datalen will be 0. | |
125 | * | |
126 | * As a special case, the response for LXC_CMD_CONSOLE is created | |
36a94ce8 | 127 | * here as it contains an fd for the ptx pty passed through the |
0115f8fd | 128 | * unix socket. |
ef6e34ee DE |
129 | */ |
130 | static int lxc_cmd_rsp_recv(int sock, struct lxc_cmd_rr *cmd) | |
131 | { | |
f8cc4ae8 | 132 | call_cleaner(put_unix_fds) struct unix_fds *fds = &(struct unix_fds){}; |
ef6e34ee | 133 | struct lxc_cmd_rsp *rsp = &cmd->rsp; |
1454e5d9 CB |
134 | int cur_cmd = cmd->req.cmd; |
135 | const char *cur_cmdstr; | |
00df5330 | 136 | int fret = 0; |
f8cc4ae8 | 137 | int ret; |
ef6e34ee | 138 | |
1454e5d9 CB |
139 | cur_cmdstr = lxc_cmd_str(cur_cmd); |
140 | switch (cur_cmd) { | |
f8cc4ae8 CB |
141 | case LXC_CMD_GET_CGROUP2_FD: |
142 | __fallthrough; | |
143 | case LXC_CMD_GET_LIMITING_CGROUP2_FD: | |
144 | __fallthrough; | |
145 | case LXC_CMD_GET_INIT_PIDFD: | |
146 | __fallthrough; | |
147 | case LXC_CMD_GET_SECCOMP_NOTIFY_FD: | |
148 | __fallthrough; | |
149 | case LXC_CMD_GET_DEVPTS_FD: | |
150 | __fallthrough; | |
151 | case LXC_CMD_CONSOLE: | |
152 | fds->fd_count_max = 1; | |
153 | break; | |
ef6e048a CB |
154 | case LXC_CMD_GET_CGROUP_CTX: |
155 | fds->fd_count_max = CGROUP_CTX_MAX_FD; | |
f8cc4ae8 CB |
156 | break; |
157 | default: | |
158 | fds->fd_count_max = 0; | |
ef6e048a | 159 | break; |
f8cc4ae8 | 160 | } |
d17c815d | 161 | ret = lxc_abstract_unix_recv_fds(sock, fds, rsp, sizeof(*rsp)); |
23a917e5 | 162 | if (ret < 0) |
1454e5d9 | 163 | return syserrno(ret, "Failed to receive response for command \"%s\"", cur_cmdstr); |
00df5330 CB |
164 | |
165 | if (fds->fd_count_max == 0) { | |
1454e5d9 | 166 | TRACE("Command \"%s\" received response with %u file descriptors", cur_cmdstr, fds->fd_count_ret); |
00df5330 | 167 | } else if (fds->fd_count_ret == 0) { |
1454e5d9 | 168 | WARN("Command \"%s\" received response without expected file descriptors", cur_cmdstr); |
00df5330 CB |
169 | fret = -EBADF; |
170 | } | |
ef6e34ee | 171 | |
1454e5d9 | 172 | if (cur_cmd == LXC_CMD_CONSOLE) { |
ef6e34ee DE |
173 | struct lxc_cmd_console_rsp_data *rspdata; |
174 | ||
0115f8fd DE |
175 | /* recv() returns 0 bytes when a tty cannot be allocated, |
176 | * rsp->ret is < 0 when the peer permission check failed | |
177 | */ | |
178 | if (ret == 0 || rsp->ret < 0) | |
179 | return 0; | |
180 | ||
ef6e34ee | 181 | rspdata = malloc(sizeof(*rspdata)); |
23a917e5 | 182 | if (!rspdata) |
5dc24a8c | 183 | return syserrno_set(fret ?: -ENOMEM, "Failed to receive response for command \"%s\"", cur_cmdstr); |
2a850b2c | 184 | |
d17c815d | 185 | rspdata->ptxfd = move_fd(fds->fd[0]); |
ef6e34ee DE |
186 | rspdata->ttynum = PTR_TO_INT(rsp->data); |
187 | rsp->data = rspdata; | |
188 | } | |
189 | ||
1454e5d9 | 190 | switch (cur_cmd) { |
2092492c CB |
191 | case LXC_CMD_GET_CGROUP2_FD: |
192 | __fallthrough; | |
193 | case LXC_CMD_GET_LIMITING_CGROUP2_FD: | |
194 | __fallthrough; | |
195 | case LXC_CMD_GET_INIT_PIDFD: | |
196 | __fallthrough; | |
197 | case LXC_CMD_GET_DEVPTS_FD: | |
198 | __fallthrough; | |
199 | case LXC_CMD_GET_SECCOMP_NOTIFY_FD: | |
200 | rsp->data = INT_TO_PTR(move_fd(fds->fd[0])); | |
1454e5d9 | 201 | return log_debug(fret ?: ret, "Finished processing \"%s\"", cur_cmdstr); |
ef6e048a | 202 | case LXC_CMD_GET_CGROUP_CTX: |
7ec5eee4 | 203 | if ((rsp->datalen == 0) || (rsp->datalen > sizeof(struct cgroup_ctx))) |
1454e5d9 | 204 | return syserrno_set(fret ?: -EINVAL, "Invalid response size from server for \"%s\"", cur_cmdstr); |
ef6e048a CB |
205 | |
206 | /* Don't pointlessly allocate. */ | |
207 | rsp->data = (void *)cmd->req.data; | |
2092492c CB |
208 | break; |
209 | default: | |
210 | break; | |
21405769 CB |
211 | } |
212 | ||
23a917e5 | 213 | if (rsp->datalen == 0) |
1454e5d9 | 214 | return log_debug(fret ?: ret, "Response data length for command \"%s\" is 0", cur_cmdstr); |
23a917e5 | 215 | |
191d43cc | 216 | if ((rsp->datalen > LXC_CMD_DATA_MAX) && |
1454e5d9 | 217 | (cur_cmd != LXC_CMD_CONSOLE_LOG)) |
5dc24a8c | 218 | return syserrno_set(fret ?: -E2BIG, "Response data for command \"%s\" is too long: %d bytes > %d", |
1454e5d9 | 219 | cur_cmdstr, rsp->datalen, LXC_CMD_DATA_MAX); |
ef6e34ee | 220 | |
1454e5d9 | 221 | if (cur_cmd == LXC_CMD_CONSOLE_LOG) |
ef6e048a | 222 | rsp->data = zalloc(rsp->datalen + 1); |
1454e5d9 | 223 | else if (cur_cmd != LXC_CMD_GET_CGROUP_CTX) |
191d43cc | 224 | rsp->data = malloc(rsp->datalen); |
23a917e5 | 225 | if (!rsp->data) |
5dc24a8c | 226 | return syserrno_set(fret ?: -ENOMEM, "Failed to allocate response buffer for command \"%s\"", cur_cmdstr); |
fe84a562 | 227 | |
2a850b2c | 228 | ret = lxc_recv_nointr(sock, rsp->data, rsp->datalen, 0); |
23a917e5 | 229 | if (ret != rsp->datalen) |
1454e5d9 | 230 | return syserrno(-errno, "Failed to receive response data for command \"%s\"", cur_cmdstr); |
ef6e048a | 231 | |
1454e5d9 | 232 | if (cur_cmd == LXC_CMD_GET_CGROUP_CTX) { |
ef6e048a CB |
233 | ret = __transfer_cgroup_ctx_fds(fds, rsp->data); |
234 | if (ret < 0) | |
1454e5d9 | 235 | return syserrno(ret, "Failed to transfer file descriptors for \"%s\"", cur_cmdstr); |
ef6e048a | 236 | } |
724e753c | 237 | |
00df5330 | 238 | return fret ?: ret; |
724e753c MN |
239 | } |
240 | ||
ef6e34ee DE |
241 | /* |
242 | * lxc_cmd_rsp_send: Send a command response | |
243 | * | |
244 | * @fd : file descriptor of socket to send response on | |
245 | * @rsp : response to send | |
246 | * | |
247 | * Returns 0 on success, < 0 on failure | |
248 | */ | |
4b5f4bdc | 249 | static int __lxc_cmd_rsp_send(int fd, struct lxc_cmd_rsp *rsp) |
ef6e34ee | 250 | { |
fe84a562 | 251 | ssize_t ret; |
ef6e34ee | 252 | |
7fbb15ec | 253 | ret = lxc_send_nointr(fd, rsp, sizeof(*rsp), MSG_NOSIGNAL); |
6c6497ea | 254 | if (ret < 0 || (size_t)ret != sizeof(*rsp)) |
4b5f4bdc | 255 | return syserrno(-errno, "Failed to send command response %zd", ret); |
ef6e34ee | 256 | |
a674dfe1 | 257 | if (!rsp->data || rsp->datalen <= 0) |
fe84a562 CB |
258 | return 0; |
259 | ||
7fbb15ec | 260 | ret = lxc_send_nointr(fd, rsp->data, rsp->datalen, MSG_NOSIGNAL); |
6c6497ea | 261 | if (ret < 0 || ret != (ssize_t)rsp->datalen) |
4b5f4bdc | 262 | return syswarn(-errno, "Failed to send command response %zd", ret); |
fe84a562 | 263 | |
ef6e34ee DE |
264 | return 0; |
265 | } | |
266 | ||
4b5f4bdc CB |
267 | static inline int lxc_cmd_rsp_send_reap(int fd, struct lxc_cmd_rsp *rsp) |
268 | { | |
269 | int ret; | |
270 | ||
271 | ret = __lxc_cmd_rsp_send(fd, rsp); | |
272 | if (ret < 0) | |
273 | return ret; | |
274 | ||
275 | return LXC_CMD_REAP_CLIENT_FD; | |
276 | } | |
277 | ||
254a22e1 CB |
278 | static inline int lxc_cmd_rsp_send_keep(int fd, struct lxc_cmd_rsp *rsp) |
279 | { | |
280 | int ret; | |
281 | ||
282 | ret = __lxc_cmd_rsp_send(fd, rsp); | |
283 | if (ret < 0) | |
284 | return ret; | |
285 | ||
286 | return 0; | |
287 | } | |
288 | ||
c2f40088 CB |
289 | static inline int rsp_one_fd(int fd, int fd_send, struct lxc_cmd_rsp *rsp) |
290 | { | |
291 | int ret; | |
292 | ||
293 | ret = lxc_abstract_unix_send_fds(fd, &fd_send, 1, rsp, sizeof(*rsp)); | |
294 | if (ret < 0) | |
295 | return ret; | |
296 | ||
297 | return LXC_CMD_REAP_CLIENT_FD; | |
298 | } | |
299 | ||
ef6e048a CB |
300 | static inline int rsp_many_fds(int fd, __u32 fds_len, |
301 | const __s32 fds[KERNEL_SCM_MAX_FD], | |
302 | struct lxc_cmd_rsp *rsp) | |
9c3eb8d5 | 303 | { |
ef6e048a CB |
304 | ssize_t ret; |
305 | ||
306 | if (fds_len > KERNEL_SCM_MAX_FD) { | |
307 | rsp->ret = -E2BIG; | |
308 | return lxc_cmd_rsp_send_reap(fd, rsp); | |
309 | } else if (fds_len == 0) { | |
310 | rsp->ret = -ENOENT; | |
311 | return lxc_cmd_rsp_send_reap(fd, rsp); | |
312 | } | |
9c3eb8d5 | 313 | |
ef6e048a | 314 | ret = lxc_abstract_unix_send_fds(fd, fds, fds_len, rsp, sizeof(*rsp)); |
9c3eb8d5 CB |
315 | if (ret < 0) |
316 | return ret; | |
317 | ||
ef6e048a CB |
318 | if (rsp->data && rsp->datalen > 0) { |
319 | ret = lxc_send_nointr(fd, rsp->data, rsp->datalen, MSG_NOSIGNAL); | |
320 | if (ret < 0 || ret != (ssize_t)rsp->datalen) | |
321 | return syswarn(-errno, "Failed to send command response %zd", ret); | |
322 | } | |
323 | ||
9c3eb8d5 CB |
324 | return LXC_CMD_REAP_CLIENT_FD; |
325 | } | |
326 | ||
c01c2be6 | 327 | static int lxc_cmd_send(const char *name, struct lxc_cmd_rr *cmd, |
fe84a562 | 328 | const char *lxcpath, const char *hashed_sock_name) |
c01c2be6 | 329 | { |
f62cf1d4 | 330 | __do_close int client_fd = -EBADF; |
fe84a562 | 331 | ssize_t ret = -1; |
c01c2be6 | 332 | |
9dfa4041 | 333 | client_fd = lxc_cmd_connect(name, lxcpath, hashed_sock_name, "command"); |
2a850b2c | 334 | if (client_fd < 0) |
fe84a562 | 335 | return -1; |
c01c2be6 | 336 | |
fe84a562 CB |
337 | ret = lxc_abstract_unix_send_credential(client_fd, &cmd->req, |
338 | sizeof(cmd->req)); | |
2a850b2c | 339 | if (ret < 0 || (size_t)ret != sizeof(cmd->req)) |
e96f9291 | 340 | return -1; |
9044b79e | 341 | |
cdb2a47f CB |
342 | if (cmd->req.cmd == LXC_CMD_SECCOMP_NOTIFY_ADD_LISTENER) { |
343 | int notify_fd = PTR_TO_INT(cmd->req.data); | |
344 | ret = lxc_abstract_unix_send_fds(client_fd, ¬ify_fd, 1, NULL, 0); | |
345 | if (ret <= 0) | |
346 | return -1; | |
347 | } else { | |
348 | if (cmd->req.datalen <= 0) | |
349 | return move_fd(client_fd); | |
c01c2be6 | 350 | |
cdb2a47f CB |
351 | errno = EMSGSIZE; |
352 | ret = lxc_send_nointr(client_fd, (void *)cmd->req.data, | |
353 | cmd->req.datalen, MSG_NOSIGNAL); | |
354 | if (ret < 0 || ret != (ssize_t)cmd->req.datalen) | |
355 | return -1; | |
356 | } | |
c01c2be6 | 357 | |
240fecd0 | 358 | return move_fd(client_fd); |
c01c2be6 CB |
359 | } |
360 | ||
ef6e34ee DE |
361 | /* |
362 | * lxc_cmd: Connect to the specified running container, send it a command | |
363 | * request and collect the response | |
364 | * | |
365 | * @name : name of container to connect to | |
1e8cfdf6 | 366 | * @cmd : command with initialized request to send |
ef6e34ee DE |
367 | * @stopped : output indicator if the container was not running |
368 | * @lxcpath : the lxcpath in which the container is running | |
369 | * | |
370 | * Returns the size of the response message on success, < 0 on failure | |
371 | * | |
372 | * Note that there is a special case for LXC_CMD_CONSOLE. For this command | |
373 | * the fd cannot be closed because it is used as a placeholder to indicate | |
374 | * that a particular tty slot is in use. The fd is also used as a signal to | |
375 | * the container that when the caller dies or closes the fd, the container | |
0115f8fd DE |
376 | * will notice the fd on its side of the socket in its mainloop select and |
377 | * then free the slot with lxc_cmd_fd_cleanup(). The socket fd will be | |
378 | * returned in the cmd response structure. | |
ef6e34ee DE |
379 | */ |
380 | static int lxc_cmd(const char *name, struct lxc_cmd_rr *cmd, int *stopped, | |
88556fd7 | 381 | const char *lxcpath, const char *hashed_sock_name) |
724e753c | 382 | { |
f62cf1d4 | 383 | __do_close int client_fd = -EBADF; |
fe84a562 | 384 | int ret = -1; |
dbc9832d CB |
385 | bool stay_connected = false; |
386 | ||
387 | if (cmd->req.cmd == LXC_CMD_CONSOLE || | |
54446942 | 388 | cmd->req.cmd == LXC_CMD_ADD_STATE_CLIENT) |
dbc9832d | 389 | stay_connected = true; |
724e753c | 390 | |
0ecf64b5 SH |
391 | *stopped = 0; |
392 | ||
c01c2be6 CB |
393 | client_fd = lxc_cmd_send(name, cmd, lxcpath, hashed_sock_name); |
394 | if (client_fd < 0) { | |
00e5ca13 | 395 | if (errno == ECONNREFUSED || errno == EPIPE) |
ef6e34ee | 396 | *stopped = 1; |
3f903c04 | 397 | |
6c6497ea CB |
398 | return log_trace_errno(-1, errno, "Command \"%s\" failed to connect command socket", |
399 | lxc_cmd_str(cmd->req.cmd)); | |
724e753c MN |
400 | } |
401 | ||
c01c2be6 | 402 | ret = lxc_cmd_rsp_recv(client_fd, cmd); |
2a850b2c | 403 | if (ret < 0 && errno == ECONNRESET) |
6b7f85cb | 404 | *stopped = 1; |
6a93ae77 | 405 | |
ea2a070b CB |
406 | TRACE("Opened new command socket connection fd %d for command \"%s\"", |
407 | client_fd, lxc_cmd_str(cmd->req.cmd)); | |
408 | ||
c34ff119 | 409 | if (stay_connected && ret > 0) |
240fecd0 | 410 | cmd->rsp.ret = move_fd(client_fd); |
43eb6f29 | 411 | |
1362f2eb | 412 | return ret; |
724e753c MN |
413 | } |
414 | ||
b494d2dd SH |
415 | int lxc_try_cmd(const char *name, const char *lxcpath) |
416 | { | |
0ecf64b5 | 417 | int stopped, ret; |
b494d2dd SH |
418 | struct lxc_cmd_rr cmd = { |
419 | .req = { .cmd = LXC_CMD_GET_INIT_PID }, | |
420 | }; | |
421 | ||
88556fd7 | 422 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
b494d2dd SH |
423 | if (stopped) |
424 | return 0; | |
425 | if (ret > 0 && cmd.rsp.ret < 0) { | |
426 | errno = cmd.rsp.ret; | |
427 | return -1; | |
428 | } | |
429 | if (ret > 0) | |
430 | return 0; | |
431 | ||
fe84a562 CB |
432 | /* At this point we weren't denied access, and the container *was* |
433 | * started. There was some inexplicable error in the protocol. I'm not | |
434 | * clear on whether we should return -1 here, but we didn't receive a | |
435 | * -EACCES, so technically it's not that we're not allowed to control | |
436 | * the container - it's just not behaving. | |
b494d2dd SH |
437 | */ |
438 | return 0; | |
439 | } | |
440 | ||
e6bc68d6 WB |
441 | /* |
442 | * Validate that the input is a proper string parameter. If not, | |
443 | * send an EINVAL response and return -1. | |
444 | * | |
445 | * Precondition: there is non-zero-length data available. | |
446 | */ | |
447 | static int validate_string_request(int fd, const struct lxc_cmd_req *req) | |
448 | { | |
e6bc68d6 WB |
449 | size_t maxlen = req->datalen - 1; |
450 | const char *data = req->data; | |
451 | ||
452 | if (data[maxlen] == 0 && strnlen(data, maxlen) == maxlen) | |
453 | return 0; | |
454 | ||
455 | struct lxc_cmd_rsp rsp = { | |
da63ea6b CB |
456 | .ret = -EINVAL, |
457 | .datalen = 0, | |
458 | .data = NULL, | |
e6bc68d6 WB |
459 | }; |
460 | ||
4b5f4bdc | 461 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
e6bc68d6 WB |
462 | } |
463 | ||
cc4c0832 | 464 | /* Implementations of the commands and their callbacks */ |
ef6e34ee DE |
465 | |
466 | /* | |
467 | * lxc_cmd_get_init_pid: Get pid of the container's init process | |
468 | * | |
469 | * @name : name of container to connect to | |
470 | * @lxcpath : the lxcpath in which the container is running | |
471 | * | |
472 | * Returns the pid on success, < 0 on failure | |
473 | */ | |
474 | pid_t lxc_cmd_get_init_pid(const char *name, const char *lxcpath) | |
43eb6f29 | 475 | { |
0ecf64b5 | 476 | int ret, stopped; |
565eb353 | 477 | pid_t pid = -1; |
ef6e34ee | 478 | struct lxc_cmd_rr cmd = { |
e8cd1208 CB |
479 | .req = { |
480 | .cmd = LXC_CMD_GET_INIT_PID | |
481 | }, | |
482 | .rsp = { | |
565eb353 | 483 | .data = PID_TO_PTR(pid) |
e8cd1208 | 484 | } |
ef6e34ee DE |
485 | }; |
486 | ||
88556fd7 | 487 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
ef6e34ee | 488 | if (ret < 0) |
8ed8a626 | 489 | return -1; |
ef6e34ee | 490 | |
565eb353 | 491 | pid = PTR_TO_PID(cmd.rsp.data); |
9234406b CB |
492 | if (pid < 0) |
493 | return -1; | |
494 | ||
495 | /* We need to assume that pid_t can actually hold any pid given to us | |
496 | * by the kernel. If it can't it's a libc bug. | |
497 | */ | |
498 | return (pid_t)pid; | |
43eb6f29 DL |
499 | } |
500 | ||
ef6e34ee | 501 | static int lxc_cmd_get_init_pid_callback(int fd, struct lxc_cmd_req *req, |
cdb2a47f CB |
502 | struct lxc_handler *handler, |
503 | struct lxc_epoll_descr *descr) | |
43eb6f29 | 504 | { |
9234406b | 505 | struct lxc_cmd_rsp rsp = { |
4b5f4bdc | 506 | .data = PID_TO_PTR(handler->pid), |
9234406b | 507 | }; |
ef6e34ee | 508 | |
4b5f4bdc | 509 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
43eb6f29 DL |
510 | } |
511 | ||
746aab51 CB |
512 | int lxc_cmd_get_init_pidfd(const char *name, const char *lxcpath) |
513 | { | |
8a95cd82 | 514 | int pidfd; |
746aab51 CB |
515 | int ret, stopped; |
516 | struct lxc_cmd_rr cmd = { | |
517 | .req = { | |
518 | .cmd = LXC_CMD_GET_INIT_PIDFD, | |
519 | }, | |
8a95cd82 CB |
520 | .rsp = { |
521 | .data = INT_TO_PTR(-EBADF), | |
522 | .ret = ENOSYS, | |
523 | }, | |
746aab51 CB |
524 | }; |
525 | ||
526 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
527 | if (ret < 0) | |
528 | return log_debug_errno(-1, errno, "Failed to process init pidfd command"); | |
529 | ||
530 | if (cmd.rsp.ret < 0) | |
8a95cd82 | 531 | return syserrno_set(cmd.rsp.ret, "Failed to receive init pidfd"); |
746aab51 | 532 | |
8a95cd82 CB |
533 | pidfd = PTR_TO_INT(cmd.rsp.data); |
534 | if (pidfd < 0) | |
535 | return syserrno_set(pidfd, "Failed to receive init pidfd"); | |
536 | ||
537 | return pidfd; | |
746aab51 CB |
538 | } |
539 | ||
540 | static int lxc_cmd_get_init_pidfd_callback(int fd, struct lxc_cmd_req *req, | |
541 | struct lxc_handler *handler, | |
542 | struct lxc_epoll_descr *descr) | |
543 | { | |
544 | struct lxc_cmd_rsp rsp = { | |
4b5f4bdc | 545 | .ret = -EBADF, |
746aab51 | 546 | }; |
746aab51 CB |
547 | |
548 | if (handler->pidfd < 0) | |
4b5f4bdc CB |
549 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
550 | ||
551 | rsp.ret = 0; | |
c2f40088 | 552 | return rsp_one_fd(fd, handler->pidfd, &rsp); |
746aab51 CB |
553 | } |
554 | ||
f797f05e CB |
555 | int lxc_cmd_get_devpts_fd(const char *name, const char *lxcpath) |
556 | { | |
557 | int ret, stopped; | |
558 | struct lxc_cmd_rr cmd = { | |
559 | .req = { | |
560 | .cmd = LXC_CMD_GET_DEVPTS_FD, | |
561 | }, | |
562 | }; | |
563 | ||
564 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
565 | if (ret < 0) | |
566 | return log_debug_errno(-1, errno, "Failed to process devpts fd command"); | |
567 | ||
568 | if (cmd.rsp.ret < 0) | |
569 | return log_debug_errno(-EBADF, errno, "Failed to receive devpts fd"); | |
570 | ||
571 | return PTR_TO_INT(cmd.rsp.data); | |
572 | } | |
573 | ||
574 | static int lxc_cmd_get_devpts_fd_callback(int fd, struct lxc_cmd_req *req, | |
575 | struct lxc_handler *handler, | |
576 | struct lxc_epoll_descr *descr) | |
577 | { | |
578 | struct lxc_cmd_rsp rsp = { | |
4b5f4bdc | 579 | .ret = -EBADF, |
f797f05e | 580 | }; |
f797f05e | 581 | |
4b5f4bdc CB |
582 | if (!handler->conf || handler->conf->devpts_fd < 0) |
583 | return lxc_cmd_rsp_send_reap(fd, &rsp); | |
584 | ||
585 | rsp.ret = 0; | |
c2f40088 | 586 | return rsp_one_fd(fd, handler->conf->devpts_fd, &rsp); |
f797f05e CB |
587 | } |
588 | ||
21405769 CB |
589 | int lxc_cmd_get_seccomp_notify_fd(const char *name, const char *lxcpath) |
590 | { | |
a342b11f | 591 | #ifdef HAVE_SECCOMP_NOTIFY |
21405769 CB |
592 | int ret, stopped; |
593 | struct lxc_cmd_rr cmd = { | |
594 | .req = { | |
595 | .cmd = LXC_CMD_GET_SECCOMP_NOTIFY_FD, | |
596 | }, | |
597 | }; | |
598 | ||
599 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
600 | if (ret < 0) | |
601 | return log_debug_errno(-1, errno, "Failed to process seccomp notify fd command"); | |
602 | ||
603 | if (cmd.rsp.ret < 0) | |
604 | return log_debug_errno(-EBADF, errno, "Failed to receive seccomp notify fd"); | |
605 | ||
606 | return PTR_TO_INT(cmd.rsp.data); | |
607 | #else | |
608 | return ret_errno(EOPNOTSUPP); | |
609 | #endif | |
610 | } | |
611 | ||
612 | static int lxc_cmd_get_seccomp_notify_fd_callback(int fd, struct lxc_cmd_req *req, | |
613 | struct lxc_handler *handler, | |
614 | struct lxc_epoll_descr *descr) | |
615 | { | |
a342b11f | 616 | #ifdef HAVE_SECCOMP_NOTIFY |
21405769 | 617 | struct lxc_cmd_rsp rsp = { |
4b5f4bdc | 618 | .ret = -EBADF, |
21405769 | 619 | }; |
21405769 CB |
620 | |
621 | if (!handler->conf || handler->conf->seccomp.notifier.notify_fd < 0) | |
4b5f4bdc CB |
622 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
623 | ||
624 | rsp.ret = 0; | |
c2f40088 | 625 | return rsp_one_fd(fd, handler->conf->seccomp.notifier.notify_fd, &rsp); |
21405769 | 626 | #else |
4b5f4bdc | 627 | return syserrno_set(-EOPNOTSUPP, "Seccomp notifier not supported"); |
21405769 CB |
628 | #endif |
629 | } | |
630 | ||
ef6e048a CB |
631 | int lxc_cmd_get_cgroup_ctx(const char *name, const char *lxcpath, |
632 | const char *controller, bool batch, | |
633 | size_t size_ret_ctx, struct cgroup_ctx *ret_ctx) | |
9c3eb8d5 | 634 | { |
9c3eb8d5 CB |
635 | struct lxc_cmd_rr cmd = { |
636 | .req = { | |
ef6e048a CB |
637 | .cmd = LXC_CMD_GET_CGROUP_CTX, |
638 | .datalen = size_ret_ctx, | |
639 | .data = ret_ctx, | |
9c3eb8d5 | 640 | }, |
d3be623e CB |
641 | .rsp = { |
642 | .ret = -ENOSYS, | |
643 | }, | |
9c3eb8d5 | 644 | }; |
ef6e048a | 645 | int ret, stopped; |
9c3eb8d5 CB |
646 | |
647 | if (batch && !is_empty_string(controller)) | |
648 | return ret_errno(EINVAL); | |
649 | ||
650 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
651 | if (ret < 0) | |
d3be623e | 652 | return log_debug_errno(-1, errno, "Failed to process cgroup context command"); |
9c3eb8d5 CB |
653 | |
654 | if (cmd.rsp.ret < 0) | |
655 | return log_debug_errno(-EBADF, errno, "Failed to receive cgroup fds"); | |
656 | ||
657 | return 0; | |
658 | } | |
659 | ||
ef6e048a CB |
660 | static int lxc_cmd_get_cgroup_ctx_callback(int fd, struct lxc_cmd_req *req, |
661 | struct lxc_handler *handler, | |
662 | struct lxc_epoll_descr *descr) | |
9c3eb8d5 | 663 | { |
f8cc4ae8 | 664 | struct lxc_cmd_rsp rsp = { |
ef6e048a | 665 | .ret = EINVAL, |
f8cc4ae8 | 666 | }; |
9c3eb8d5 | 667 | struct cgroup_ops *cgroup_ops = handler->cgroup_ops; |
ef6e048a | 668 | struct cgroup_ctx ctx_server = {}; |
f8cc4ae8 CB |
669 | int ret; |
670 | ||
ef6e048a CB |
671 | ret = copy_struct_from_client(sizeof(struct cgroup_ctx), &ctx_server, |
672 | req->datalen, req->data); | |
f8cc4ae8 | 673 | if (ret < 0) |
ef6e048a CB |
674 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
675 | ||
676 | ret = prepare_cgroup_ctx(cgroup_ops, &ctx_server); | |
677 | if (ret < 0) { | |
678 | rsp.ret = ret; | |
679 | return lxc_cmd_rsp_send_reap(fd, &rsp); | |
680 | } | |
9c3eb8d5 | 681 | |
ef6e048a CB |
682 | rsp.data = &ctx_server; |
683 | rsp.datalen = min(sizeof(struct cgroup_ctx), (size_t)req->datalen); | |
684 | return rsp_many_fds(fd, ctx_server.fd_len, ctx_server.fd, &rsp); | |
9c3eb8d5 CB |
685 | } |
686 | ||
ef6e34ee DE |
687 | /* |
688 | * lxc_cmd_get_clone_flags: Get clone flags container was spawned with | |
689 | * | |
690 | * @name : name of container to connect to | |
691 | * @lxcpath : the lxcpath in which the container is running | |
692 | * | |
693 | * Returns the clone flags on success, < 0 on failure | |
694 | */ | |
695 | int lxc_cmd_get_clone_flags(const char *name, const char *lxcpath) | |
696 | { | |
0ecf64b5 | 697 | int ret, stopped; |
ef6e34ee | 698 | struct lxc_cmd_rr cmd = { |
6c6497ea CB |
699 | .req = { |
700 | .cmd = LXC_CMD_GET_CLONE_FLAGS, | |
701 | }, | |
ef6e34ee DE |
702 | }; |
703 | ||
88556fd7 | 704 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
ef6e34ee DE |
705 | if (ret < 0) |
706 | return ret; | |
43eb6f29 | 707 | |
ef6e34ee DE |
708 | return PTR_TO_INT(cmd.rsp.data); |
709 | } | |
710 | ||
711 | static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
712 | struct lxc_handler *handler, |
713 | struct lxc_epoll_descr *descr) | |
26b2d152 | 714 | { |
6c6497ea CB |
715 | struct lxc_cmd_rsp rsp = { |
716 | .data = INT_TO_PTR(handler->ns_clone_flags), | |
717 | }; | |
ef6e34ee | 718 | |
4b5f4bdc | 719 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
ef6e34ee DE |
720 | } |
721 | ||
a900cbaf WB |
722 | static char *lxc_cmd_get_cgroup_path_do(const char *name, const char *lxcpath, |
723 | const char *subsystem, | |
724 | lxc_cmd_t command) | |
ef6e34ee | 725 | { |
0ecf64b5 | 726 | int ret, stopped; |
ef6e34ee | 727 | struct lxc_cmd_rr cmd = { |
b98f7d6e | 728 | .req = { |
a900cbaf | 729 | .cmd = command, |
b98f7d6e | 730 | .data = subsystem, |
c2aed66d | 731 | .datalen = 0, |
b98f7d6e | 732 | }, |
26b2d152 MN |
733 | }; |
734 | ||
c2aed66d CB |
735 | cmd.req.data = subsystem; |
736 | cmd.req.datalen = 0; | |
737 | if (subsystem) | |
738 | cmd.req.datalen = strlen(subsystem) + 1; | |
739 | ||
88556fd7 | 740 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
fe84a562 | 741 | if (ret < 0) |
ef6e34ee DE |
742 | return NULL; |
743 | ||
400d579e WB |
744 | if (ret == 0) { |
745 | if (command == LXC_CMD_GET_LIMITING_CGROUP) { | |
746 | /* | |
747 | * This may indicate that the container was started | |
748 | * under an ealier version before | |
749 | * `cgroup_advanced_isolation` as implemented, there | |
750 | * it sees an unknown command and just closes the | |
751 | * socket, sending us an EOF. | |
752 | */ | |
753 | return lxc_cmd_get_cgroup_path_do(name, lxcpath, | |
754 | subsystem, | |
755 | LXC_CMD_GET_CGROUP); | |
756 | } | |
ef6e34ee | 757 | return NULL; |
400d579e | 758 | } |
ef6e34ee | 759 | |
fe84a562 | 760 | if (cmd.rsp.ret < 0 || cmd.rsp.datalen < 0) |
ef6e34ee | 761 | return NULL; |
3f903c04 | 762 | |
ef6e34ee DE |
763 | return cmd.rsp.data; |
764 | } | |
765 | ||
a900cbaf WB |
766 | /* |
767 | * lxc_cmd_get_cgroup_path: Calculate a container's cgroup path for a | |
768 | * particular subsystem. This is the cgroup path relative to the root | |
769 | * of the cgroup filesystem. | |
770 | * | |
771 | * @name : name of container to connect to | |
772 | * @lxcpath : the lxcpath in which the container is running | |
773 | * @subsystem : the subsystem being asked about | |
774 | * | |
775 | * Returns the path on success, NULL on failure. The caller must free() the | |
776 | * returned path. | |
777 | */ | |
778 | char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, | |
779 | const char *subsystem) | |
780 | { | |
781 | return lxc_cmd_get_cgroup_path_do(name, lxcpath, subsystem, | |
782 | LXC_CMD_GET_CGROUP); | |
783 | } | |
784 | ||
785 | /* | |
786 | * lxc_cmd_get_limiting_cgroup_path: Calculate a container's limiting cgroup | |
787 | * path for a particular subsystem. This is the cgroup path relative to the | |
788 | * root of the cgroup filesystem. This may be the same as the path returned by | |
789 | * lxc_cmd_get_cgroup_path if the container doesn't have a limiting path prefix | |
790 | * set. | |
791 | * | |
792 | * @name : name of container to connect to | |
793 | * @lxcpath : the lxcpath in which the container is running | |
794 | * @subsystem : the subsystem being asked about | |
795 | * | |
796 | * Returns the path on success, NULL on failure. The caller must free() the | |
797 | * returned path. | |
798 | */ | |
799 | char *lxc_cmd_get_limiting_cgroup_path(const char *name, const char *lxcpath, | |
800 | const char *subsystem) | |
801 | { | |
802 | return lxc_cmd_get_cgroup_path_do(name, lxcpath, subsystem, | |
803 | LXC_CMD_GET_LIMITING_CGROUP); | |
804 | } | |
805 | ||
806 | static int lxc_cmd_get_cgroup_callback_do(int fd, struct lxc_cmd_req *req, | |
807 | struct lxc_handler *handler, | |
808 | struct lxc_epoll_descr *descr, | |
809 | bool limiting_cgroup) | |
ef6e34ee | 810 | { |
ea2a070b | 811 | int ret; |
4fb3cba5 | 812 | const char *path; |
a900cbaf | 813 | const void *reqdata; |
fe84a562 | 814 | struct lxc_cmd_rsp rsp; |
2202afc9 | 815 | struct cgroup_ops *cgroup_ops = handler->cgroup_ops; |
a900cbaf | 816 | const char *(*get_fn)(struct cgroup_ops *ops, const char *controller); |
b98f7d6e | 817 | |
e6bc68d6 WB |
818 | if (req->datalen > 0) { |
819 | ret = validate_string_request(fd, req); | |
820 | if (ret != 0) | |
821 | return ret; | |
a900cbaf | 822 | reqdata = req->data; |
e6bc68d6 | 823 | } else { |
a900cbaf | 824 | reqdata = NULL; |
e6bc68d6 | 825 | } |
a900cbaf | 826 | |
29d652a9 WB |
827 | get_fn = (limiting_cgroup ? cgroup_ops->get_limiting_cgroup |
828 | : cgroup_ops->get_cgroup); | |
a900cbaf WB |
829 | |
830 | path = get_fn(cgroup_ops, reqdata); | |
831 | ||
b98f7d6e SH |
832 | if (!path) |
833 | return -1; | |
fe84a562 | 834 | |
4f17323e | 835 | rsp.ret = 0; |
fe84a562 CB |
836 | rsp.datalen = strlen(path) + 1; |
837 | rsp.data = (char *)path; | |
ef6e34ee | 838 | |
4b5f4bdc | 839 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
ef6e34ee DE |
840 | } |
841 | ||
a900cbaf WB |
842 | static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req, |
843 | struct lxc_handler *handler, | |
844 | struct lxc_epoll_descr *descr) | |
845 | { | |
846 | return lxc_cmd_get_cgroup_callback_do(fd, req, handler, descr, false); | |
847 | } | |
848 | ||
849 | static int lxc_cmd_get_limiting_cgroup_callback(int fd, struct lxc_cmd_req *req, | |
850 | struct lxc_handler *handler, | |
851 | struct lxc_epoll_descr *descr) | |
852 | { | |
853 | return lxc_cmd_get_cgroup_callback_do(fd, req, handler, descr, true); | |
854 | } | |
855 | ||
ef6e34ee DE |
856 | /* |
857 | * lxc_cmd_get_config_item: Get config item the running container | |
858 | * | |
859 | * @name : name of container to connect to | |
7fa3f2e9 | 860 | * @item : the configuration item to retrieve (ex: lxc.net.0.veth.pair) |
ef6e34ee DE |
861 | * @lxcpath : the lxcpath in which the container is running |
862 | * | |
863 | * Returns the item on success, NULL on failure. The caller must free() the | |
864 | * returned item. | |
865 | */ | |
866 | char *lxc_cmd_get_config_item(const char *name, const char *item, | |
867 | const char *lxcpath) | |
868 | { | |
0ecf64b5 | 869 | int ret, stopped; |
ef6e34ee DE |
870 | struct lxc_cmd_rr cmd = { |
871 | .req = { .cmd = LXC_CMD_GET_CONFIG_ITEM, | |
872 | .data = item, | |
fe84a562 | 873 | .datalen = strlen(item) + 1, |
ef6e34ee DE |
874 | }, |
875 | }; | |
876 | ||
88556fd7 | 877 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
ef6e34ee DE |
878 | if (ret < 0) |
879 | return NULL; | |
880 | ||
881 | if (cmd.rsp.ret == 0) | |
882 | return cmd.rsp.data; | |
fe84a562 | 883 | |
ef6e34ee DE |
884 | return NULL; |
885 | } | |
886 | ||
887 | static int lxc_cmd_get_config_item_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
888 | struct lxc_handler *handler, |
889 | struct lxc_epoll_descr *descr) | |
ef6e34ee | 890 | { |
5265a60c | 891 | __do_free char *cidata = NULL; |
ef6e34ee | 892 | int cilen; |
30aec088 | 893 | struct lxc_config_t *item; |
fe84a562 | 894 | struct lxc_cmd_rsp rsp; |
ef6e34ee DE |
895 | |
896 | memset(&rsp, 0, sizeof(rsp)); | |
300df83e | 897 | item = lxc_get_config(req->data); |
30aec088 CB |
898 | if (!item) |
899 | goto err1; | |
fe84a562 | 900 | |
cccd2219 | 901 | cilen = item->get(req->data, NULL, 0, handler->conf, NULL); |
ef6e34ee DE |
902 | if (cilen <= 0) |
903 | goto err1; | |
904 | ||
5265a60c | 905 | cidata = must_realloc(NULL, cilen + 1); |
cccd2219 | 906 | if (item->get(req->data, cidata, cilen + 1, handler->conf, NULL) != cilen) |
ef6e34ee | 907 | goto err1; |
fe84a562 | 908 | |
ef6e34ee DE |
909 | cidata[cilen] = '\0'; |
910 | rsp.data = cidata; | |
911 | rsp.datalen = cilen + 1; | |
912 | rsp.ret = 0; | |
913 | goto out; | |
914 | ||
915 | err1: | |
916 | rsp.ret = -1; | |
917 | out: | |
4b5f4bdc | 918 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
ef6e34ee DE |
919 | } |
920 | ||
921 | /* | |
922 | * lxc_cmd_get_state: Get current state of the container | |
923 | * | |
924 | * @name : name of container to connect to | |
925 | * @lxcpath : the lxcpath in which the container is running | |
926 | * | |
927 | * Returns the state on success, < 0 on failure | |
928 | */ | |
dbc9832d | 929 | int lxc_cmd_get_state(const char *name, const char *lxcpath) |
ef6e34ee | 930 | { |
0ecf64b5 | 931 | int ret, stopped; |
ef6e34ee | 932 | struct lxc_cmd_rr cmd = { |
6c6497ea CB |
933 | .req = { |
934 | .cmd = LXC_CMD_GET_STATE, | |
935 | }, | |
ef6e34ee | 936 | }; |
26b2d152 | 937 | |
88556fd7 | 938 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
ebdd307d | 939 | if (ret < 0 && stopped) |
ef6e34ee DE |
940 | return STOPPED; |
941 | ||
942 | if (ret < 0) | |
26b2d152 | 943 | return -1; |
26b2d152 | 944 | |
6c6497ea CB |
945 | if (!ret) |
946 | return log_warn(-1, "Container \"%s\" has stopped before sending its state", name); | |
fe84a562 | 947 | |
6c6497ea CB |
948 | return log_debug(PTR_TO_INT(cmd.rsp.data), |
949 | "Container \"%s\" is in \"%s\" state", name, | |
950 | lxc_state2str(PTR_TO_INT(cmd.rsp.data))); | |
ef6e34ee DE |
951 | } |
952 | ||
953 | static int lxc_cmd_get_state_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
954 | struct lxc_handler *handler, |
955 | struct lxc_epoll_descr *descr) | |
ef6e34ee | 956 | { |
6c6497ea CB |
957 | struct lxc_cmd_rsp rsp = { |
958 | .data = INT_TO_PTR(handler->state), | |
959 | }; | |
ef6e34ee | 960 | |
4b5f4bdc | 961 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
ef6e34ee DE |
962 | } |
963 | ||
964 | /* | |
965 | * lxc_cmd_stop: Stop the container previously started with lxc_start. All | |
966 | * the processes running inside this container will be killed. | |
967 | * | |
968 | * @name : name of container to connect to | |
969 | * @lxcpath : the lxcpath in which the container is running | |
970 | * | |
971 | * Returns 0 on success, < 0 on failure | |
972 | */ | |
973 | int lxc_cmd_stop(const char *name, const char *lxcpath) | |
974 | { | |
0ecf64b5 | 975 | int ret, stopped; |
ef6e34ee | 976 | struct lxc_cmd_rr cmd = { |
6c6497ea CB |
977 | .req = { |
978 | .cmd = LXC_CMD_STOP, | |
979 | }, | |
ef6e34ee DE |
980 | }; |
981 | ||
88556fd7 | 982 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
26b2d152 | 983 | if (ret < 0) { |
6c6497ea CB |
984 | if (stopped) |
985 | return log_info(0, "Container \"%s\" is already stopped", name); | |
fe84a562 | 986 | |
26b2d152 MN |
987 | return -1; |
988 | } | |
989 | ||
fe84a562 CB |
990 | /* We do not expect any answer, because we wait for the connection to be |
991 | * closed. | |
95d5b147 | 992 | */ |
6c6497ea CB |
993 | if (ret > 0) |
994 | return log_error_errno(-1, -cmd.rsp.ret, "Failed to stop container \"%s\"", name); | |
26b2d152 | 995 | |
6c6497ea | 996 | return log_info(0, "Container \"%s\" has stopped", name); |
26b2d152 MN |
997 | } |
998 | ||
ef6e34ee | 999 | static int lxc_cmd_stop_callback(int fd, struct lxc_cmd_req *req, |
cdb2a47f CB |
1000 | struct lxc_handler *handler, |
1001 | struct lxc_epoll_descr *descr) | |
d5088cf2 | 1002 | { |
ef6e34ee | 1003 | struct lxc_cmd_rsp rsp; |
ef6e34ee | 1004 | int stopsignal = SIGKILL; |
2202afc9 | 1005 | struct cgroup_ops *cgroup_ops = handler->cgroup_ops; |
ea2a070b | 1006 | int ret; |
ef6e34ee DE |
1007 | |
1008 | if (handler->conf->stopsignal) | |
1009 | stopsignal = handler->conf->stopsignal; | |
1010 | memset(&rsp, 0, sizeof(rsp)); | |
9837ee46 | 1011 | |
8ad4fa68 | 1012 | if (handler->pidfd >= 0) |
9837ee46 CB |
1013 | rsp.ret = lxc_raw_pidfd_send_signal(handler->pidfd, stopsignal, NULL, 0); |
1014 | else | |
1015 | rsp.ret = kill(handler->pid, stopsignal); | |
ef6e34ee | 1016 | if (!rsp.ret) { |
9837ee46 CB |
1017 | if (handler->pidfd >= 0) |
1018 | TRACE("Sent signal %d to pidfd %d", stopsignal, handler->pidfd); | |
1019 | else | |
1020 | TRACE("Sent signal %d to pidfd %d", stopsignal, handler->pid); | |
1021 | ||
9d47970b | 1022 | if (pure_unified_layout(cgroup_ops)) |
c0af7b1c | 1023 | ret = __cgroup_unfreeze(cgroup_ops->unified->dfd_lim, -1); |
9d47970b CB |
1024 | else |
1025 | ret = cgroup_ops->unfreeze(cgroup_ops, -1); | |
8db8adea CB |
1026 | if (ret) |
1027 | WARN("Failed to unfreeze container \"%s\"", handler->name); | |
fe84a562 | 1028 | |
8db8adea | 1029 | return 0; |
018051e3 CB |
1030 | } else { |
1031 | rsp.ret = -errno; | |
ef6e34ee DE |
1032 | } |
1033 | ||
4b5f4bdc | 1034 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
ef6e34ee | 1035 | } |
d5088cf2 | 1036 | |
b5159817 | 1037 | /* |
2bd158cc | 1038 | * lxc_cmd_terminal_winch: noop |
b5159817 DE |
1039 | * |
1040 | * @name : name of container to connect to | |
1041 | * @lxcpath : the lxcpath in which the container is running | |
1042 | * | |
1043 | * Returns 0 on success, < 0 on failure | |
1044 | */ | |
8ccbbf94 | 1045 | int lxc_cmd_terminal_winch(const char *name, const char *lxcpath) |
b5159817 | 1046 | { |
b5159817 DE |
1047 | return 0; |
1048 | } | |
1049 | ||
8ccbbf94 | 1050 | static int lxc_cmd_terminal_winch_callback(int fd, struct lxc_cmd_req *req, |
cdb2a47f CB |
1051 | struct lxc_handler *handler, |
1052 | struct lxc_epoll_descr *descr) | |
b5159817 | 1053 | { |
2bd158cc | 1054 | /* should never be called */ |
6c6497ea | 1055 | return log_error_errno(-1, ENOSYS, "Called lxc_cmd_terminal_winch_callback()"); |
b5159817 DE |
1056 | } |
1057 | ||
ef6e34ee DE |
1058 | /* |
1059 | * lxc_cmd_console: Open an fd to a tty in the container | |
1060 | * | |
1061 | * @name : name of container to connect to | |
1062 | * @ttynum : in: the tty to open or -1 for next available | |
1063 | * : out: the tty allocated | |
36a94ce8 | 1064 | * @fd : out: file descriptor for ptx side of pty |
ef6e34ee DE |
1065 | * @lxcpath : the lxcpath in which the container is running |
1066 | * | |
0115f8fd | 1067 | * Returns fd holding tty allocated on success, < 0 on failure |
ef6e34ee DE |
1068 | */ |
1069 | int lxc_cmd_console(const char *name, int *ttynum, int *fd, const char *lxcpath) | |
1070 | { | |
8259d86d | 1071 | __do_free struct lxc_cmd_console_rsp_data *rspdata = NULL; |
0ecf64b5 | 1072 | int ret, stopped; |
ef6e34ee | 1073 | struct lxc_cmd_rr cmd = { |
6c6497ea CB |
1074 | .req = { |
1075 | .cmd = LXC_CMD_CONSOLE, | |
1076 | .data = INT_TO_PTR(*ttynum), | |
1077 | }, | |
ef6e34ee | 1078 | }; |
d5088cf2 | 1079 | |
88556fd7 | 1080 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
ef6e34ee DE |
1081 | if (ret < 0) |
1082 | return ret; | |
0115f8fd | 1083 | |
8259d86d | 1084 | rspdata = cmd.rsp.data; |
6c6497ea CB |
1085 | if (cmd.rsp.ret < 0) |
1086 | return log_error_errno(-1, -cmd.rsp.ret, "Denied access to tty"); | |
d5088cf2 | 1087 | |
6c6497ea CB |
1088 | if (ret == 0) |
1089 | return log_error(-1, "tty number %d invalid, busy or all ttys busy", *ttynum); | |
ef6e34ee | 1090 | |
36a94ce8 | 1091 | if (rspdata->ptxfd < 0) |
6c6497ea | 1092 | return log_error(-1, "Unable to allocate fd for tty %d", rspdata->ttynum); |
ef6e34ee | 1093 | |
fe84a562 | 1094 | ret = cmd.rsp.ret; /* socket fd */ |
36a94ce8 | 1095 | *fd = rspdata->ptxfd; |
ef6e34ee | 1096 | *ttynum = rspdata->ttynum; |
fe84a562 | 1097 | |
6c6497ea | 1098 | return log_info(ret, "Alloced fd %d for tty %d via socket %d", *fd, rspdata->ttynum, ret); |
ef6e34ee DE |
1099 | } |
1100 | ||
1101 | static int lxc_cmd_console_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
1102 | struct lxc_handler *handler, |
1103 | struct lxc_epoll_descr *descr) | |
ef6e34ee | 1104 | { |
36a94ce8 | 1105 | int ptxfd, ret; |
4b5f4bdc CB |
1106 | struct lxc_cmd_rsp rsp = { |
1107 | .ret = -EBADF, | |
1108 | }; | |
fe84a562 | 1109 | int ttynum = PTR_TO_INT(req->data); |
ef6e34ee | 1110 | |
36a94ce8 CB |
1111 | ptxfd = lxc_terminal_allocate(handler->conf, fd, &ttynum); |
1112 | if (ptxfd < 0) | |
4b5f4bdc | 1113 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
ef6e34ee | 1114 | |
4b5f4bdc | 1115 | rsp.ret = 0; |
ef6e34ee | 1116 | rsp.data = INT_TO_PTR(ttynum); |
36a94ce8 | 1117 | ret = lxc_abstract_unix_send_fds(fd, &ptxfd, 1, &rsp, sizeof(rsp)); |
fe84a562 | 1118 | if (ret < 0) { |
3dfe6f8d | 1119 | lxc_terminal_free(handler->conf, fd); |
4b5f4bdc | 1120 | return ret; |
ef6e34ee DE |
1121 | } |
1122 | ||
4b5f4bdc | 1123 | return log_debug(0, "Send tty to client"); |
d5088cf2 CS |
1124 | } |
1125 | ||
88556fd7 ÇO |
1126 | /* |
1127 | * lxc_cmd_get_name: Returns the name of the container | |
1128 | * | |
1129 | * @hashed_sock_name: hashed socket name | |
1130 | * | |
1131 | * Returns the name on success, NULL on failure. | |
1132 | */ | |
1133 | char *lxc_cmd_get_name(const char *hashed_sock_name) | |
1134 | { | |
1135 | int ret, stopped; | |
1136 | struct lxc_cmd_rr cmd = { | |
6c6497ea CB |
1137 | .req = { |
1138 | .cmd = LXC_CMD_GET_NAME, | |
1139 | }, | |
88556fd7 ÇO |
1140 | }; |
1141 | ||
1142 | ret = lxc_cmd(NULL, &cmd, &stopped, NULL, hashed_sock_name); | |
fe84a562 | 1143 | if (ret < 0) |
88556fd7 | 1144 | return NULL; |
88556fd7 ÇO |
1145 | |
1146 | if (cmd.rsp.ret == 0) | |
1147 | return cmd.rsp.data; | |
fe84a562 | 1148 | |
88556fd7 ÇO |
1149 | return NULL; |
1150 | } | |
1151 | ||
1152 | static int lxc_cmd_get_name_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
1153 | struct lxc_handler *handler, |
1154 | struct lxc_epoll_descr *descr) | |
88556fd7 ÇO |
1155 | { |
1156 | struct lxc_cmd_rsp rsp; | |
1157 | ||
1158 | memset(&rsp, 0, sizeof(rsp)); | |
1159 | ||
f0ecc19d | 1160 | rsp.data = (char *)handler->name; |
88556fd7 ÇO |
1161 | rsp.datalen = strlen(handler->name) + 1; |
1162 | rsp.ret = 0; | |
1163 | ||
4b5f4bdc | 1164 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
88556fd7 ÇO |
1165 | } |
1166 | ||
1167 | /* | |
1168 | * lxc_cmd_get_lxcpath: Returns the lxcpath of the container | |
1169 | * | |
1170 | * @hashed_sock_name: hashed socket name | |
1171 | * | |
1172 | * Returns the lxcpath on success, NULL on failure. | |
1173 | */ | |
1174 | char *lxc_cmd_get_lxcpath(const char *hashed_sock_name) | |
1175 | { | |
1176 | int ret, stopped; | |
1177 | struct lxc_cmd_rr cmd = { | |
6c6497ea CB |
1178 | .req = { |
1179 | .cmd = LXC_CMD_GET_LXCPATH, | |
1180 | }, | |
88556fd7 | 1181 | }; |
724e753c | 1182 | |
88556fd7 | 1183 | ret = lxc_cmd(NULL, &cmd, &stopped, NULL, hashed_sock_name); |
fe84a562 | 1184 | if (ret < 0) |
88556fd7 | 1185 | return NULL; |
88556fd7 ÇO |
1186 | |
1187 | if (cmd.rsp.ret == 0) | |
1188 | return cmd.rsp.data; | |
fe84a562 | 1189 | |
88556fd7 ÇO |
1190 | return NULL; |
1191 | } | |
1192 | ||
1193 | static int lxc_cmd_get_lxcpath_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
1194 | struct lxc_handler *handler, |
1195 | struct lxc_epoll_descr *descr) | |
88556fd7 | 1196 | { |
6c6497ea CB |
1197 | struct lxc_cmd_rsp rsp = { |
1198 | .ret = 0, | |
1199 | .data = (char *)handler->lxcpath, | |
1200 | .datalen = strlen(handler->lxcpath) + 1, | |
1201 | }; | |
88556fd7 | 1202 | |
4b5f4bdc | 1203 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
88556fd7 | 1204 | } |
ef6e34ee | 1205 | |
54446942 | 1206 | int lxc_cmd_add_state_client(const char *name, const char *lxcpath, |
92e35018 CB |
1207 | lxc_state_t states[MAX_STATE], |
1208 | int *state_client_fd) | |
dbc9832d | 1209 | { |
f62cf1d4 | 1210 | __do_close int clientfd = -EBADF; |
bc631984 | 1211 | int state, stopped; |
dbc9832d | 1212 | ssize_t ret; |
dbc9832d | 1213 | struct lxc_cmd_rr cmd = { |
6c6497ea CB |
1214 | .req = { |
1215 | .cmd = LXC_CMD_ADD_STATE_CLIENT, | |
1216 | .data = states, | |
1217 | .datalen = (sizeof(lxc_state_t) * MAX_STATE) | |
1218 | }, | |
dbc9832d CB |
1219 | }; |
1220 | ||
dbc9832d | 1221 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
bc631984 CB |
1222 | if (states[STOPPED] != 0 && stopped != 0) |
1223 | return STOPPED; | |
1224 | ||
dbc9832d | 1225 | if (ret < 0) { |
f577e061 | 1226 | if (errno != ECONNREFUSED) |
6d1400b5 | 1227 | SYSERROR("Failed to execute command"); |
1228 | ||
dbc9832d CB |
1229 | return -1; |
1230 | } | |
fe84a562 | 1231 | |
dbc9832d CB |
1232 | /* We should now be guaranteed to get an answer from the state sending |
1233 | * function. | |
1234 | */ | |
cd889e57 | 1235 | clientfd = cmd.rsp.ret; |
6c6497ea CB |
1236 | if (clientfd < 0) |
1237 | return log_error_errno(-1, -clientfd, "Failed to receive socket fd"); | |
dbc9832d | 1238 | |
bc631984 | 1239 | state = PTR_TO_INT(cmd.rsp.data); |
6c6497ea CB |
1240 | if (state < MAX_STATE) |
1241 | return log_trace(state, "Container is already in requested state %s", lxc_state2str(state)); | |
bc631984 | 1242 | |
240fecd0 | 1243 | *state_client_fd = move_fd(clientfd); |
ea2a070b CB |
1244 | TRACE("State connection fd %d ready to listen for container state changes", *state_client_fd); |
1245 | return MAX_STATE; | |
dbc9832d CB |
1246 | } |
1247 | ||
ebbca852 | 1248 | static int lxc_cmd_add_state_client_callback(__owns int fd, struct lxc_cmd_req *req, |
cdb2a47f CB |
1249 | struct lxc_handler *handler, |
1250 | struct lxc_epoll_descr *descr) | |
dbc9832d | 1251 | { |
4b5f4bdc CB |
1252 | struct lxc_cmd_rsp rsp = { |
1253 | .ret = -EINVAL, | |
1254 | }; | |
dbc9832d | 1255 | |
fe84a562 | 1256 | if (req->datalen < 0) |
254a22e1 | 1257 | goto reap_fd; |
dbc9832d | 1258 | |
71fc9c04 | 1259 | if (req->datalen != (sizeof(lxc_state_t) * MAX_STATE)) |
254a22e1 | 1260 | goto reap_fd; |
dbc9832d | 1261 | |
fe84a562 | 1262 | if (!req->data) |
254a22e1 | 1263 | goto reap_fd; |
dbc9832d | 1264 | |
c01c2be6 | 1265 | rsp.ret = lxc_add_state_client(fd, handler, (lxc_state_t *)req->data); |
44552fb2 | 1266 | if (rsp.ret < 0) |
254a22e1 | 1267 | goto reap_fd; |
44552fb2 | 1268 | |
bc631984 | 1269 | rsp.data = INT_TO_PTR(rsp.ret); |
dbc9832d | 1270 | |
254a22e1 CB |
1271 | return lxc_cmd_rsp_send_keep(fd, &rsp); |
1272 | ||
1273 | reap_fd: | |
4b5f4bdc | 1274 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
dbc9832d CB |
1275 | } |
1276 | ||
2a63b5cb CB |
1277 | int lxc_cmd_add_bpf_device_cgroup(const char *name, const char *lxcpath, |
1278 | struct device_item *device) | |
1279 | { | |
2a63b5cb CB |
1280 | int stopped = 0; |
1281 | struct lxc_cmd_rr cmd = { | |
6c6497ea CB |
1282 | .req = { |
1283 | .cmd = LXC_CMD_ADD_BPF_DEVICE_CGROUP, | |
1284 | .data = device, | |
1285 | .datalen = sizeof(struct device_item), | |
1286 | }, | |
2a63b5cb CB |
1287 | }; |
1288 | int ret; | |
1289 | ||
1290 | if (strlen(device->access) > STRLITERALLEN("rwm")) | |
3d0327ed | 1291 | return log_error_errno(-1, EINVAL, "Invalid access mode specified %s", |
2a63b5cb CB |
1292 | device->access); |
1293 | ||
1294 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
1295 | if (ret < 0 || cmd.rsp.ret < 0) | |
3d0327ed | 1296 | return log_error_errno(-1, errno, "Failed to add new bpf device cgroup rule"); |
2a63b5cb CB |
1297 | |
1298 | return 0; | |
2a63b5cb CB |
1299 | } |
1300 | ||
1301 | static int lxc_cmd_add_bpf_device_cgroup_callback(int fd, struct lxc_cmd_req *req, | |
1302 | struct lxc_handler *handler, | |
1303 | struct lxc_epoll_descr *descr) | |
1304 | { | |
4b5f4bdc CB |
1305 | struct lxc_cmd_rsp rsp = { |
1306 | .ret = -EINVAL, | |
1307 | }; | |
0a150695 | 1308 | struct lxc_conf *conf; |
2a63b5cb CB |
1309 | |
1310 | if (req->datalen <= 0) | |
4b5f4bdc | 1311 | goto out; |
2a63b5cb CB |
1312 | |
1313 | if (req->datalen != sizeof(struct device_item)) | |
4b5f4bdc | 1314 | goto out; |
2a63b5cb CB |
1315 | |
1316 | if (!req->data) | |
4b5f4bdc | 1317 | goto out; |
2a63b5cb | 1318 | |
0a150695 | 1319 | conf = handler->conf; |
a134099d CB |
1320 | if (!bpf_cgroup_devices_update(handler->cgroup_ops, |
1321 | &conf->bpf_devices, | |
1322 | (struct device_item *)req->data)) | |
0a150695 CB |
1323 | rsp.ret = -1; |
1324 | else | |
1325 | rsp.ret = 0; | |
2a63b5cb | 1326 | |
4b5f4bdc CB |
1327 | out: |
1328 | return lxc_cmd_rsp_send_reap(fd, &rsp); | |
2a63b5cb CB |
1329 | } |
1330 | ||
191d43cc CB |
1331 | int lxc_cmd_console_log(const char *name, const char *lxcpath, |
1332 | struct lxc_console_log *log) | |
1333 | { | |
1334 | int ret, stopped; | |
1335 | struct lxc_cmd_console_log data; | |
1336 | struct lxc_cmd_rr cmd; | |
1337 | ||
1338 | data.clear = log->clear; | |
1339 | data.read = log->read; | |
1340 | data.read_max = *log->read_max; | |
1341 | ||
1342 | cmd.req.cmd = LXC_CMD_CONSOLE_LOG; | |
1343 | cmd.req.data = &data; | |
1344 | cmd.req.datalen = sizeof(struct lxc_cmd_console_log); | |
1345 | ||
1346 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
1347 | if (ret < 0) | |
1348 | return ret; | |
1349 | ||
1350 | /* There is nothing to be read from the buffer. So clear any values we | |
1351 | * where passed to clearly indicate to the user that nothing went wrong. | |
1352 | */ | |
63b74cda | 1353 | if (cmd.rsp.ret == -ENODATA || cmd.rsp.ret == -EFAULT || cmd.rsp.ret == -ENOENT) { |
191d43cc CB |
1354 | *log->read_max = 0; |
1355 | log->data = NULL; | |
1356 | } | |
1357 | ||
1358 | /* This is a proper error so don't touch any values we were passed. */ | |
1359 | if (cmd.rsp.ret < 0) | |
1360 | return cmd.rsp.ret; | |
1361 | ||
1362 | *log->read_max = cmd.rsp.datalen; | |
1363 | log->data = cmd.rsp.data; | |
1364 | ||
1365 | return 0; | |
1366 | } | |
1367 | ||
1368 | static int lxc_cmd_console_log_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
1369 | struct lxc_handler *handler, |
1370 | struct lxc_epoll_descr *descr) | |
191d43cc CB |
1371 | { |
1372 | struct lxc_cmd_rsp rsp; | |
28f3b1cd | 1373 | uint64_t buffer_size = handler->conf->console.buffer_size; |
191d43cc CB |
1374 | const struct lxc_cmd_console_log *log = req->data; |
1375 | struct lxc_ringbuf *buf = &handler->conf->console.ringbuf; | |
1376 | ||
1377 | rsp.ret = -EFAULT; | |
1378 | rsp.datalen = 0; | |
1379 | rsp.data = NULL; | |
28f3b1cd | 1380 | if (buffer_size <= 0) |
191d43cc CB |
1381 | goto out; |
1382 | ||
5928191e CB |
1383 | if (log->read || log->write_logfile) |
1384 | rsp.datalen = lxc_ringbuf_used(buf); | |
1385 | ||
191d43cc CB |
1386 | if (log->read) |
1387 | rsp.data = lxc_ringbuf_get_read_addr(buf); | |
1388 | ||
1389 | if (log->read_max > 0 && (log->read_max <= rsp.datalen)) | |
1390 | rsp.datalen = log->read_max; | |
1391 | ||
1392 | /* there's nothing to read */ | |
63b74cda | 1393 | rsp.ret = -ENODATA; |
191d43cc | 1394 | if (log->read && (buf->r_off == buf->w_off)) |
63b74cda CB |
1395 | goto out; |
1396 | ||
63b74cda | 1397 | rsp.ret = 0; |
23e0d9af | 1398 | if (log->clear) |
43366ca2 | 1399 | lxc_ringbuf_clear(buf); /* clear the ringbuffer */ |
23e0d9af | 1400 | else if (rsp.datalen > 0) |
191d43cc CB |
1401 | lxc_ringbuf_move_read_addr(buf, rsp.datalen); |
1402 | ||
1403 | out: | |
4b5f4bdc | 1404 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
191d43cc CB |
1405 | } |
1406 | ||
974a8aba CB |
1407 | int lxc_cmd_serve_state_clients(const char *name, const char *lxcpath, |
1408 | lxc_state_t state) | |
1409 | { | |
1410 | int stopped; | |
1411 | ssize_t ret; | |
1412 | struct lxc_cmd_rr cmd = { | |
6c6497ea CB |
1413 | .req = { |
1414 | .cmd = LXC_CMD_SERVE_STATE_CLIENTS, | |
1415 | .data = INT_TO_PTR(state) | |
1416 | }, | |
974a8aba CB |
1417 | }; |
1418 | ||
1419 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
6c6497ea CB |
1420 | if (ret < 0) |
1421 | return log_error_errno(-1, errno, "Failed to serve state clients"); | |
974a8aba CB |
1422 | |
1423 | return 0; | |
1424 | } | |
1425 | ||
1426 | static int lxc_cmd_serve_state_clients_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
1427 | struct lxc_handler *handler, |
1428 | struct lxc_epoll_descr *descr) | |
974a8aba CB |
1429 | { |
1430 | int ret; | |
1431 | lxc_state_t state = PTR_TO_INT(req->data); | |
1432 | struct lxc_cmd_rsp rsp = {0}; | |
1433 | ||
1434 | ret = lxc_serve_state_clients(handler->name, handler, state); | |
1435 | if (ret < 0) | |
4b5f4bdc | 1436 | return ret; |
974a8aba | 1437 | |
4b5f4bdc | 1438 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
974a8aba CB |
1439 | } |
1440 | ||
cdb2a47f CB |
1441 | int lxc_cmd_seccomp_notify_add_listener(const char *name, const char *lxcpath, |
1442 | int fd, | |
1443 | /* unused */ unsigned int command, | |
1444 | /* unused */ unsigned int flags) | |
1445 | { | |
1446 | ||
c3e3c21a | 1447 | #ifdef HAVE_SECCOMP_NOTIFY |
cdb2a47f CB |
1448 | int ret, stopped; |
1449 | struct lxc_cmd_rr cmd = { | |
1450 | .req = { | |
1451 | .cmd = LXC_CMD_SECCOMP_NOTIFY_ADD_LISTENER, | |
1452 | .data = INT_TO_PTR(fd), | |
1453 | }, | |
1454 | }; | |
1455 | ||
1456 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
6c6497ea CB |
1457 | if (ret < 0) |
1458 | return log_error_errno(-1, errno, "Failed to add seccomp listener"); | |
cdb2a47f CB |
1459 | |
1460 | return cmd.rsp.ret; | |
1461 | #else | |
3d0327ed | 1462 | return ret_set_errno(-1, ENOSYS); |
cdb2a47f CB |
1463 | #endif |
1464 | } | |
1465 | ||
1466 | static int lxc_cmd_seccomp_notify_add_listener_callback(int fd, | |
1467 | struct lxc_cmd_req *req, | |
1468 | struct lxc_handler *handler, | |
1469 | struct lxc_epoll_descr *descr) | |
1470 | { | |
1471 | struct lxc_cmd_rsp rsp = {0}; | |
cdb2a47f | 1472 | |
c3e3c21a CB |
1473 | #ifdef HAVE_SECCOMP_NOTIFY |
1474 | int ret; | |
f62cf1d4 | 1475 | __do_close int recv_fd = -EBADF; |
cdb2a47f | 1476 | |
d17c815d | 1477 | ret = lxc_abstract_unix_recv_one_fd(fd, &recv_fd, NULL, 0); |
c3e3c21a CB |
1478 | if (ret <= 0) { |
1479 | rsp.ret = -errno; | |
1480 | goto out; | |
cdb2a47f CB |
1481 | } |
1482 | ||
c3e3c21a CB |
1483 | if (!handler->conf->seccomp.notifier.wants_supervision || |
1484 | handler->conf->seccomp.notifier.proxy_fd < 0) { | |
1485 | SYSERROR("No seccomp proxy fd specified"); | |
1486 | rsp.ret = -EINVAL; | |
1487 | goto out; | |
1488 | } | |
cdb2a47f | 1489 | |
c3e3c21a | 1490 | ret = lxc_mainloop_add_handler(descr, recv_fd, seccomp_notify_handler, |
cdb2a47f | 1491 | handler); |
c3e3c21a CB |
1492 | if (ret < 0) { |
1493 | rsp.ret = -errno; | |
1494 | goto out; | |
1495 | } | |
68a9e3eb | 1496 | move_fd(recv_fd); |
cdb2a47f | 1497 | |
c3e3c21a | 1498 | out: |
cdb2a47f CB |
1499 | #else |
1500 | rsp.ret = -ENOSYS; | |
cdb2a47f | 1501 | |
c3e3c21a | 1502 | #endif |
4b5f4bdc | 1503 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
cdb2a47f CB |
1504 | } |
1505 | ||
018051e3 CB |
1506 | int lxc_cmd_freeze(const char *name, const char *lxcpath, int timeout) |
1507 | { | |
1508 | int ret, stopped; | |
1509 | struct lxc_cmd_rr cmd = { | |
1510 | .req = { | |
1511 | .cmd = LXC_CMD_FREEZE, | |
1512 | .data = INT_TO_PTR(timeout), | |
1513 | }, | |
1514 | }; | |
1515 | ||
1516 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
1517 | if (ret <= 0 || cmd.rsp.ret < 0) | |
3d0327ed | 1518 | return log_error_errno(-1, errno, "Failed to freeze container"); |
018051e3 CB |
1519 | |
1520 | return cmd.rsp.ret; | |
1521 | } | |
1522 | ||
1523 | static int lxc_cmd_freeze_callback(int fd, struct lxc_cmd_req *req, | |
1524 | struct lxc_handler *handler, | |
1525 | struct lxc_epoll_descr *descr) | |
1526 | { | |
1527 | int timeout = PTR_TO_INT(req->data); | |
1528 | struct lxc_cmd_rsp rsp = { | |
6c6497ea | 1529 | .ret = -ENOENT, |
018051e3 CB |
1530 | }; |
1531 | struct cgroup_ops *ops = handler->cgroup_ops; | |
1532 | ||
1973b62a | 1533 | if (pure_unified_layout(ops)) |
018051e3 CB |
1534 | rsp.ret = ops->freeze(ops, timeout); |
1535 | ||
4b5f4bdc | 1536 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
018051e3 CB |
1537 | } |
1538 | ||
1539 | int lxc_cmd_unfreeze(const char *name, const char *lxcpath, int timeout) | |
1540 | { | |
1541 | int ret, stopped; | |
1542 | struct lxc_cmd_rr cmd = { | |
1543 | .req = { | |
1544 | .cmd = LXC_CMD_UNFREEZE, | |
1545 | .data = INT_TO_PTR(timeout), | |
1546 | }, | |
1547 | }; | |
1548 | ||
1549 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
1550 | if (ret <= 0 || cmd.rsp.ret < 0) | |
3d0327ed | 1551 | return log_error_errno(-1, errno, "Failed to unfreeze container"); |
018051e3 CB |
1552 | |
1553 | return cmd.rsp.ret; | |
1554 | } | |
1555 | ||
1556 | static int lxc_cmd_unfreeze_callback(int fd, struct lxc_cmd_req *req, | |
1557 | struct lxc_handler *handler, | |
1558 | struct lxc_epoll_descr *descr) | |
1559 | { | |
1560 | int timeout = PTR_TO_INT(req->data); | |
1561 | struct lxc_cmd_rsp rsp = { | |
6c6497ea | 1562 | .ret = -ENOENT, |
018051e3 CB |
1563 | }; |
1564 | struct cgroup_ops *ops = handler->cgroup_ops; | |
1565 | ||
1973b62a | 1566 | if (pure_unified_layout(ops)) |
018051e3 CB |
1567 | rsp.ret = ops->unfreeze(ops, timeout); |
1568 | ||
4b5f4bdc | 1569 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
018051e3 CB |
1570 | } |
1571 | ||
bad788b0 CB |
1572 | int lxc_cmd_get_cgroup2_fd(const char *name, const char *lxcpath) |
1573 | { | |
1574 | int ret, stopped; | |
1575 | struct lxc_cmd_rr cmd = { | |
1576 | .req = { | |
1577 | .cmd = LXC_CMD_GET_CGROUP2_FD, | |
1578 | }, | |
d3be623e CB |
1579 | .rsp = { |
1580 | ret = -ENOSYS, | |
1581 | }, | |
bad788b0 CB |
1582 | }; |
1583 | ||
1584 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
23a917e5 CB |
1585 | if (ret < 0) |
1586 | return -1; | |
1587 | ||
1588 | if (cmd.rsp.ret < 0) | |
a5263e59 | 1589 | return log_debug_errno(cmd.rsp.ret, -cmd.rsp.ret, "Failed to receive cgroup2 fd"); |
6f7f2966 CB |
1590 | |
1591 | return PTR_TO_INT(cmd.rsp.data); | |
1592 | } | |
1593 | ||
1594 | int lxc_cmd_get_limiting_cgroup2_fd(const char *name, const char *lxcpath) | |
1595 | { | |
1596 | int ret, stopped; | |
1597 | struct lxc_cmd_rr cmd = { | |
1598 | .req = { | |
1599 | .cmd = LXC_CMD_GET_LIMITING_CGROUP2_FD, | |
1600 | }, | |
d3be623e CB |
1601 | .rsp = { |
1602 | .ret = -ENOSYS, | |
1603 | }, | |
6f7f2966 CB |
1604 | }; |
1605 | ||
1606 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
1607 | if (ret < 0) | |
1608 | return -1; | |
1609 | ||
1610 | if (cmd.rsp.ret < 0) | |
d3be623e | 1611 | return syswarn_set(cmd.rsp.ret, "Failed to receive cgroup2 limit fd"); |
bad788b0 CB |
1612 | |
1613 | return PTR_TO_INT(cmd.rsp.data); | |
1614 | } | |
1615 | ||
a900cbaf WB |
1616 | static int lxc_cmd_get_cgroup2_fd_callback_do(int fd, struct lxc_cmd_req *req, |
1617 | struct lxc_handler *handler, | |
1618 | struct lxc_epoll_descr *descr, | |
1619 | bool limiting_cgroup) | |
bad788b0 CB |
1620 | { |
1621 | struct lxc_cmd_rsp rsp = { | |
1622 | .ret = -EINVAL, | |
1623 | }; | |
1624 | struct cgroup_ops *ops = handler->cgroup_ops; | |
c2f40088 | 1625 | int send_fd; |
bad788b0 | 1626 | |
1973b62a | 1627 | if (!pure_unified_layout(ops) || !ops->unified) |
4b5f4bdc | 1628 | return lxc_cmd_rsp_send_reap(fd, &rsp); |
bad788b0 | 1629 | |
c0af7b1c | 1630 | send_fd = limiting_cgroup ? ops->unified->dfd_lim |
e33870e5 | 1631 | : ops->unified->dfd_con; |
a900cbaf | 1632 | |
4b5f4bdc CB |
1633 | if (send_fd < 0) { |
1634 | rsp.ret = -EBADF; | |
1635 | return lxc_cmd_rsp_send_reap(fd, &rsp); | |
1636 | } | |
1637 | ||
bad788b0 | 1638 | rsp.ret = 0; |
c2f40088 | 1639 | return rsp_one_fd(fd, send_fd, &rsp); |
bad788b0 CB |
1640 | } |
1641 | ||
a900cbaf WB |
1642 | static int lxc_cmd_get_cgroup2_fd_callback(int fd, struct lxc_cmd_req *req, |
1643 | struct lxc_handler *handler, | |
1644 | struct lxc_epoll_descr *descr) | |
1645 | { | |
1646 | return lxc_cmd_get_cgroup2_fd_callback_do(fd, req, handler, descr, | |
1647 | false); | |
1648 | } | |
1649 | ||
1650 | static int lxc_cmd_get_limiting_cgroup2_fd_callback(int fd, | |
1651 | struct lxc_cmd_req *req, | |
1652 | struct lxc_handler *handler, | |
1653 | struct lxc_epoll_descr *descr) | |
1654 | { | |
1655 | return lxc_cmd_get_cgroup2_fd_callback_do(fd, req, handler, descr, | |
1656 | true); | |
1657 | } | |
1658 | ||
ebc548a1 CB |
1659 | static int lxc_cmd_rsp_send_enosys(int fd, int id) |
1660 | { | |
1661 | struct lxc_cmd_rsp rsp = { | |
1662 | .ret = -ENOSYS, | |
1663 | }; | |
1664 | ||
1665 | __lxc_cmd_rsp_send(fd, &rsp); | |
1666 | return syserrno_set(-ENOSYS, "Invalid command id %d", id); | |
1667 | } | |
1668 | ||
ef6e34ee | 1669 | static int lxc_cmd_process(int fd, struct lxc_cmd_req *req, |
cdb2a47f CB |
1670 | struct lxc_handler *handler, |
1671 | struct lxc_epoll_descr *descr) | |
724e753c | 1672 | { |
cdb2a47f CB |
1673 | typedef int (*callback)(int, struct lxc_cmd_req *, struct lxc_handler *, |
1674 | struct lxc_epoll_descr *); | |
ef6e34ee DE |
1675 | |
1676 | callback cb[LXC_CMD_MAX] = { | |
2a63b5cb CB |
1677 | [LXC_CMD_CONSOLE] = lxc_cmd_console_callback, |
1678 | [LXC_CMD_TERMINAL_WINCH] = lxc_cmd_terminal_winch_callback, | |
1679 | [LXC_CMD_STOP] = lxc_cmd_stop_callback, | |
1680 | [LXC_CMD_GET_STATE] = lxc_cmd_get_state_callback, | |
1681 | [LXC_CMD_GET_INIT_PID] = lxc_cmd_get_init_pid_callback, | |
1682 | [LXC_CMD_GET_CLONE_FLAGS] = lxc_cmd_get_clone_flags_callback, | |
1683 | [LXC_CMD_GET_CGROUP] = lxc_cmd_get_cgroup_callback, | |
1684 | [LXC_CMD_GET_CONFIG_ITEM] = lxc_cmd_get_config_item_callback, | |
1685 | [LXC_CMD_GET_NAME] = lxc_cmd_get_name_callback, | |
1686 | [LXC_CMD_GET_LXCPATH] = lxc_cmd_get_lxcpath_callback, | |
1687 | [LXC_CMD_ADD_STATE_CLIENT] = lxc_cmd_add_state_client_callback, | |
1688 | [LXC_CMD_CONSOLE_LOG] = lxc_cmd_console_log_callback, | |
1689 | [LXC_CMD_SERVE_STATE_CLIENTS] = lxc_cmd_serve_state_clients_callback, | |
1690 | [LXC_CMD_SECCOMP_NOTIFY_ADD_LISTENER] = lxc_cmd_seccomp_notify_add_listener_callback, | |
1691 | [LXC_CMD_ADD_BPF_DEVICE_CGROUP] = lxc_cmd_add_bpf_device_cgroup_callback, | |
018051e3 CB |
1692 | [LXC_CMD_FREEZE] = lxc_cmd_freeze_callback, |
1693 | [LXC_CMD_UNFREEZE] = lxc_cmd_unfreeze_callback, | |
bad788b0 | 1694 | [LXC_CMD_GET_CGROUP2_FD] = lxc_cmd_get_cgroup2_fd_callback, |
746aab51 | 1695 | [LXC_CMD_GET_INIT_PIDFD] = lxc_cmd_get_init_pidfd_callback, |
a900cbaf WB |
1696 | [LXC_CMD_GET_LIMITING_CGROUP] = lxc_cmd_get_limiting_cgroup_callback, |
1697 | [LXC_CMD_GET_LIMITING_CGROUP2_FD] = lxc_cmd_get_limiting_cgroup2_fd_callback, | |
f797f05e | 1698 | [LXC_CMD_GET_DEVPTS_FD] = lxc_cmd_get_devpts_fd_callback, |
21405769 | 1699 | [LXC_CMD_GET_SECCOMP_NOTIFY_FD] = lxc_cmd_get_seccomp_notify_fd_callback, |
ef6e048a | 1700 | [LXC_CMD_GET_CGROUP_CTX] = lxc_cmd_get_cgroup_ctx_callback, |
724e753c MN |
1701 | }; |
1702 | ||
23a917e5 | 1703 | if (req->cmd >= LXC_CMD_MAX) |
ebc548a1 | 1704 | return lxc_cmd_rsp_send_enosys(fd, req->cmd); |
23a917e5 | 1705 | |
cdb2a47f | 1706 | return cb[req->cmd](fd, req, handler, descr); |
724e753c MN |
1707 | } |
1708 | ||
ef6e34ee | 1709 | static void lxc_cmd_fd_cleanup(int fd, struct lxc_handler *handler, |
cdb2a47f | 1710 | struct lxc_epoll_descr *descr, const lxc_cmd_t cmd) |
724e753c | 1711 | { |
3dfe6f8d | 1712 | lxc_terminal_free(handler->conf, fd); |
724e753c | 1713 | lxc_mainloop_del_handler(descr, fd); |
f6fc1565 | 1714 | |
cd5369b0 | 1715 | if (cmd == LXC_CMD_ADD_STATE_CLIENT) { |
ab92468c CB |
1716 | struct lxc_list *cur, *next; |
1717 | ||
cdb2a47f CB |
1718 | lxc_list_for_each_safe(cur, &handler->conf->state_clients, next) { |
1719 | struct lxc_state_client *client = cur->elem; | |
1720 | ||
1721 | if (client->clientfd != fd) | |
1722 | continue; | |
1723 | ||
ab92468c CB |
1724 | /* |
1725 | * Only kick client from list so it can't be found | |
1726 | * anymore. The actual close happens, as for all other | |
1727 | * file descriptors, below. | |
1728 | */ | |
cdb2a47f | 1729 | lxc_list_del(cur); |
cdb2a47f CB |
1730 | free(cur->elem); |
1731 | free(cur); | |
ab92468c | 1732 | |
39e2a438 CB |
1733 | /* |
1734 | * No need to walk the whole list. If we found the state | |
cdb2a47f CB |
1735 | * client fd there can't be a second one. |
1736 | */ | |
ea2a070b | 1737 | TRACE("Found state client fd %d in state client list for command \"%s\"", fd, lxc_cmd_str(cmd)); |
ab92468c | 1738 | break; |
cdb2a47f | 1739 | } |
39e2a438 CB |
1740 | |
1741 | /* | |
1742 | * We didn't add the state client to the list. Either because | |
1743 | * we failed to allocate memory (unlikely) or because the state | |
1744 | * was already reached by the time we were ready to add it. So | |
1745 | * fallthrough and clean it up. | |
1746 | */ | |
ea2a070b | 1747 | TRACE("Closing state client fd %d for command \"%s\"", fd, lxc_cmd_str(cmd)); |
f6fc1565 | 1748 | } |
cd5369b0 | 1749 | |
ea2a070b | 1750 | TRACE("Closing client fd %d for command \"%s\"", fd, lxc_cmd_str(cmd)); |
cd5369b0 | 1751 | close(fd); |
724e753c MN |
1752 | } |
1753 | ||
84c92abd DE |
1754 | static int lxc_cmd_handler(int fd, uint32_t events, void *data, |
1755 | struct lxc_epoll_descr *descr) | |
724e753c | 1756 | { |
5265a60c | 1757 | __do_free void *reqdata = NULL; |
724e753c | 1758 | int ret; |
ef6e34ee | 1759 | struct lxc_cmd_req req; |
724e753c MN |
1760 | struct lxc_handler *handler = data; |
1761 | ||
aae93dd3 | 1762 | ret = lxc_abstract_unix_rcv_credential(fd, &req, sizeof(req)); |
ded1d23f | 1763 | if (ret < 0) { |
ea2a070b | 1764 | SYSERROR("Failed to receive data on command socket for command \"%s\"", lxc_cmd_str(req.cmd)); |
9044b79e | 1765 | |
1766 | if (errno == EACCES) { | |
1767 | /* We don't care for the peer, just send and close. */ | |
ea2a070b | 1768 | struct lxc_cmd_rsp rsp = { |
f7a97743 | 1769 | .ret = -EPERM, |
ea2a070b | 1770 | }; |
9044b79e | 1771 | |
4b5f4bdc | 1772 | __lxc_cmd_rsp_send(fd, &rsp); |
9044b79e | 1773 | } |
1774 | ||
724e753c MN |
1775 | goto out_close; |
1776 | } | |
1777 | ||
fe84a562 | 1778 | if (ret == 0) |
724e753c | 1779 | goto out_close; |
724e753c | 1780 | |
ef6e34ee | 1781 | if (ret != sizeof(req)) { |
ea2a070b | 1782 | WARN("Failed to receive full command request. Ignoring request for \"%s\"", lxc_cmd_str(req.cmd)); |
ef6e34ee DE |
1783 | goto out_close; |
1784 | } | |
1785 | ||
ea2a070b CB |
1786 | if ((req.datalen > LXC_CMD_DATA_MAX) && (req.cmd != LXC_CMD_CONSOLE_LOG)) { |
1787 | ERROR("Received command data length %d is too large for command \"%s\"", req.datalen, lxc_cmd_str(req.cmd)); | |
724e753c MN |
1788 | goto out_close; |
1789 | } | |
1790 | ||
ef6e34ee | 1791 | if (req.datalen > 0) { |
5265a60c | 1792 | reqdata = must_realloc(NULL, req.datalen); |
e3233f26 | 1793 | ret = lxc_recv_nointr(fd, reqdata, req.datalen, 0); |
ef6e34ee | 1794 | if (ret != req.datalen) { |
ea2a070b | 1795 | WARN("Failed to receive full command request. Ignoring request for \"%s\"", lxc_cmd_str(req.cmd)); |
ef6e34ee DE |
1796 | goto out_close; |
1797 | } | |
fe84a562 | 1798 | |
ef6e34ee DE |
1799 | req.data = reqdata; |
1800 | } | |
1801 | ||
cdb2a47f | 1802 | ret = lxc_cmd_process(fd, &req, handler, descr); |
32fd8d4f CB |
1803 | if (ret < 0) { |
1804 | DEBUG("Failed to process command %s; cleaning up client fd %d", lxc_cmd_str(req.cmd), fd); | |
1805 | goto out_close; | |
1806 | } else if (ret == LXC_CMD_REAP_CLIENT_FD) { | |
1807 | TRACE("Processed command %s; cleaning up client fd %d", lxc_cmd_str(req.cmd), fd); | |
724e753c | 1808 | goto out_close; |
32fd8d4f CB |
1809 | } else { |
1810 | TRACE("Processed command %s; keeping client fd %d", lxc_cmd_str(req.cmd), fd); | |
724e753c MN |
1811 | } |
1812 | ||
1813 | out: | |
f7a97743 | 1814 | return LXC_MAINLOOP_CONTINUE; |
fe84a562 | 1815 | |
724e753c | 1816 | out_close: |
f6fc1565 | 1817 | lxc_cmd_fd_cleanup(fd, handler, descr, req.cmd); |
724e753c MN |
1818 | goto out; |
1819 | } | |
1820 | ||
84c92abd DE |
1821 | static int lxc_cmd_accept(int fd, uint32_t events, void *data, |
1822 | struct lxc_epoll_descr *descr) | |
724e753c | 1823 | { |
f62cf1d4 | 1824 | __do_close int connection = -EBADF; |
fe84a562 | 1825 | int opt = 1, ret = -1; |
724e753c MN |
1826 | |
1827 | connection = accept(fd, NULL, 0); | |
6c6497ea CB |
1828 | if (connection < 0) |
1829 | return log_error_errno(LXC_MAINLOOP_ERROR, errno, "Failed to accept connection to run command"); | |
724e753c | 1830 | |
fe84a562 | 1831 | ret = fcntl(connection, F_SETFD, FD_CLOEXEC); |
6c6497ea CB |
1832 | if (ret < 0) |
1833 | return log_error_errno(ret, errno, "Failed to set close-on-exec on incoming command connection"); | |
9ccb2dbc | 1834 | |
fe84a562 | 1835 | ret = setsockopt(connection, SOL_SOCKET, SO_PASSCRED, &opt, sizeof(opt)); |
6c6497ea CB |
1836 | if (ret < 0) |
1837 | return log_error_errno(ret, errno, "Failed to enable necessary credentials on command socket"); | |
724e753c | 1838 | |
ef6e34ee | 1839 | ret = lxc_mainloop_add_handler(descr, connection, lxc_cmd_handler, data); |
6c6497ea CB |
1840 | if (ret) |
1841 | return log_error(ret, "Failed to add command handler"); | |
724e753c | 1842 | |
ea2a070b | 1843 | TRACE("Accepted new client as fd %d on command server fd %d", connection, fd); |
240fecd0 | 1844 | move_fd(connection); |
724e753c | 1845 | return ret; |
724e753c MN |
1846 | } |
1847 | ||
9dfa4041 | 1848 | int lxc_cmd_init(const char *name, const char *lxcpath, const char *suffix) |
724e753c | 1849 | { |
f62cf1d4 | 1850 | __do_close int fd = -EBADF; |
c13e7111 | 1851 | int ret; |
b1234129 | 1852 | char path[LXC_AUDS_ADDR_LEN] = {0}; |
724e753c | 1853 | |
5b46db1a | 1854 | ret = lxc_make_abstract_socket_name(path, sizeof(path), name, lxcpath, NULL, suffix); |
fe84a562 | 1855 | if (ret < 0) |
9ba8130c | 1856 | return -1; |
724e753c | 1857 | |
aae93dd3 | 1858 | fd = lxc_abstract_unix_open(path, SOCK_STREAM, 0); |
724e753c | 1859 | if (fd < 0) { |
08aa08fe | 1860 | if (errno == EADDRINUSE) |
fe84a562 | 1861 | ERROR("Container \"%s\" appears to be already running", name); |
6d1400b5 | 1862 | |
6c6497ea | 1863 | return log_error_errno(-1, errno, "Failed to create command socket %s", &path[1]); |
724e753c MN |
1864 | } |
1865 | ||
fe84a562 | 1866 | ret = fcntl(fd, F_SETFD, FD_CLOEXEC); |
6c6497ea CB |
1867 | if (ret < 0) |
1868 | return log_error_errno(-1, errno, "Failed to set FD_CLOEXEC on command socket file descriptor"); | |
91480a0f | 1869 | |
6c6497ea | 1870 | return log_trace(move_fd(fd), "Created abstract unix socket \"%s\"", &path[1]); |
d2e30e99 DE |
1871 | } |
1872 | ||
fe84a562 | 1873 | int lxc_cmd_mainloop_add(const char *name, struct lxc_epoll_descr *descr, |
ef6e34ee | 1874 | struct lxc_handler *handler) |
d2e30e99 | 1875 | { |
fe84a562 | 1876 | int ret; |
d2e30e99 | 1877 | |
ea2a070b | 1878 | ret = lxc_mainloop_add_handler(descr, handler->conf->maincmd_fd, lxc_cmd_accept, handler); |
6c6497ea | 1879 | if (ret < 0) |
ea2a070b | 1880 | return log_error(ret, "Failed to add handler for command socket fd %d", handler->conf->maincmd_fd); |
724e753c MN |
1881 | |
1882 | return ret; | |
1883 | } |