]>
Commit | Line | Data |
---|---|---|
cc73685d | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
724e753c | 2 | |
d38dd64a CB |
3 | #ifndef _GNU_SOURCE |
4 | #define _GNU_SOURCE 1 | |
5 | #endif | |
cf685555 | 6 | #include <caps.h> |
724e753c | 7 | #include <errno.h> |
91480a0f | 8 | #include <fcntl.h> |
fe84a562 | 9 | #include <malloc.h> |
37515ebd | 10 | #include <poll.h> |
fe84a562 CB |
11 | #include <signal.h> |
12 | #include <stdio.h> | |
13 | #include <stdlib.h> | |
fe84a562 | 14 | #include <sys/param.h> |
724e753c MN |
15 | #include <sys/socket.h> |
16 | #include <sys/un.h> | |
d38dd64a | 17 | #include <unistd.h> |
724e753c | 18 | |
fe84a562 | 19 | #include "af_unix.h" |
f2363e38 | 20 | #include "cgroup.h" |
2a63b5cb | 21 | #include "cgroups/cgroup2_devices.h" |
724e753c | 22 | #include "commands.h" |
bbf5cf35 | 23 | #include "commands_utils.h" |
fe84a562 | 24 | #include "conf.h" |
d38dd64a | 25 | #include "config.h" |
ef6e34ee | 26 | #include "confile.h" |
fe84a562 CB |
27 | #include "log.h" |
28 | #include "lxc.h" | |
dbc9832d | 29 | #include "lxclock.h" |
cdb2a47f | 30 | #include "lxcseccomp.h" |
724e753c | 31 | #include "mainloop.h" |
5265a60c | 32 | #include "memory_utils.h" |
dbc9832d | 33 | #include "monitor.h" |
fe84a562 | 34 | #include "start.h" |
0ed9b1bc | 35 | #include "terminal.h" |
fe84a562 | 36 | #include "utils.h" |
724e753c | 37 | |
ded1d23f | 38 | /* |
fe84a562 CB |
39 | * This file provides the different functions for clients to query/command the |
40 | * server. The client is typically some lxc tool and the server is typically the | |
41 | * container (ie. lxc-start). | |
ded1d23f | 42 | * |
fe84a562 CB |
43 | * Each command is transactional, the clients send a request to the server and |
44 | * the server answers the request with a message giving the request's status | |
45 | * (zero or a negative errno value). Both the request and response may contain | |
46 | * additional data. | |
ded1d23f | 47 | * |
fe84a562 CB |
48 | * Each command is wrapped in a ancillary message in order to pass a credential |
49 | * making possible to the server to check if the client is allowed to ask for | |
50 | * this command or not. | |
80bcb053 | 51 | * |
fe84a562 CB |
52 | * IMPORTANTLY: Note that semantics for current commands are fixed. If you wish |
53 | * to make any changes to how, say, LXC_CMD_GET_CONFIG_ITEM works by adding | |
54 | * information to the end of cmd.data, then you must introduce a new | |
55 | * LXC_CMD_GET_CONFIG_ITEM_V2 define with a new number. You may wish to also | |
56 | * mark LXC_CMD_GET_CONFIG_ITEM deprecated in commands.h. | |
80bcb053 SH |
57 | * |
58 | * This is necessary in order to avoid having a newly compiled lxc command | |
59 | * communicating with a running (old) monitor from crashing the running | |
60 | * container. | |
ded1d23f DL |
61 | */ |
62 | ||
ac2cecc4 | 63 | lxc_log_define(commands, lxc); |
724e753c | 64 | |
ef6e34ee | 65 | static const char *lxc_cmd_str(lxc_cmd_t cmd) |
724e753c | 66 | { |
fe84a562 | 67 | static const char *const cmdname[LXC_CMD_MAX] = { |
2a63b5cb CB |
68 | [LXC_CMD_CONSOLE] = "console", |
69 | [LXC_CMD_TERMINAL_WINCH] = "terminal_winch", | |
70 | [LXC_CMD_STOP] = "stop", | |
71 | [LXC_CMD_GET_STATE] = "get_state", | |
72 | [LXC_CMD_GET_INIT_PID] = "get_init_pid", | |
73 | [LXC_CMD_GET_CLONE_FLAGS] = "get_clone_flags", | |
74 | [LXC_CMD_GET_CGROUP] = "get_cgroup", | |
75 | [LXC_CMD_GET_CONFIG_ITEM] = "get_config_item", | |
76 | [LXC_CMD_GET_NAME] = "get_name", | |
77 | [LXC_CMD_GET_LXCPATH] = "get_lxcpath", | |
78 | [LXC_CMD_ADD_STATE_CLIENT] = "add_state_client", | |
79 | [LXC_CMD_CONSOLE_LOG] = "console_log", | |
80 | [LXC_CMD_SERVE_STATE_CLIENTS] = "serve_state_clients", | |
81 | [LXC_CMD_SECCOMP_NOTIFY_ADD_LISTENER] = "seccomp_notify_add_listener", | |
82 | [LXC_CMD_ADD_BPF_DEVICE_CGROUP] = "add_bpf_device_cgroup", | |
018051e3 CB |
83 | [LXC_CMD_FREEZE] = "freeze", |
84 | [LXC_CMD_UNFREEZE] = "unfreeze", | |
bad788b0 | 85 | [LXC_CMD_GET_CGROUP2_FD] = "get_cgroup2_fd", |
ef6e34ee | 86 | }; |
724e753c | 87 | |
f371aca9 | 88 | if (cmd >= LXC_CMD_MAX) |
a8007512 | 89 | return "Invalid request"; |
fe84a562 | 90 | |
ef6e34ee DE |
91 | return cmdname[cmd]; |
92 | } | |
93 | ||
94 | /* | |
95 | * lxc_cmd_rsp_recv: Receive a response to a command | |
96 | * | |
97 | * @sock : the socket connected to the container | |
98 | * @cmd : command to put response in | |
99 | * | |
100 | * Returns the size of the response message or < 0 on failure | |
101 | * | |
102 | * Note that if the command response datalen > 0, then data is | |
103 | * a malloc()ed buffer and should be free()ed by the caller. If | |
104 | * the response data is <= a void * worth of data, it will be | |
105 | * stored directly in data and datalen will be 0. | |
106 | * | |
107 | * As a special case, the response for LXC_CMD_CONSOLE is created | |
0115f8fd DE |
108 | * here as it contains an fd for the master pty passed through the |
109 | * unix socket. | |
ef6e34ee DE |
110 | */ |
111 | static int lxc_cmd_rsp_recv(int sock, struct lxc_cmd_rr *cmd) | |
112 | { | |
23a917e5 CB |
113 | __do_close_prot_errno int fd_rsp = -EBADF; |
114 | int ret; | |
ef6e34ee DE |
115 | struct lxc_cmd_rsp *rsp = &cmd->rsp; |
116 | ||
23a917e5 CB |
117 | ret = lxc_abstract_unix_recv_fds(sock, &fd_rsp, 1, rsp, sizeof(*rsp)); |
118 | if (ret < 0) | |
119 | return log_warn_errno(-1, | |
120 | errno, "Failed to receive response for command \"%s\"", | |
121 | lxc_cmd_str(cmd->req.cmd)); | |
fe84a562 | 122 | TRACE("Command \"%s\" received response", lxc_cmd_str(cmd->req.cmd)); |
ef6e34ee DE |
123 | |
124 | if (cmd->req.cmd == LXC_CMD_CONSOLE) { | |
125 | struct lxc_cmd_console_rsp_data *rspdata; | |
126 | ||
0115f8fd DE |
127 | /* recv() returns 0 bytes when a tty cannot be allocated, |
128 | * rsp->ret is < 0 when the peer permission check failed | |
129 | */ | |
130 | if (ret == 0 || rsp->ret < 0) | |
131 | return 0; | |
132 | ||
ef6e34ee | 133 | rspdata = malloc(sizeof(*rspdata)); |
23a917e5 CB |
134 | if (!rspdata) |
135 | return log_warn_errno(-1, | |
136 | ENOMEM, "Failed to receive response for command \"%s\"", | |
137 | lxc_cmd_str(cmd->req.cmd)); | |
2a850b2c | 138 | |
23a917e5 | 139 | rspdata->masterfd = move_fd(fd_rsp); |
ef6e34ee DE |
140 | rspdata->ttynum = PTR_TO_INT(rsp->data); |
141 | rsp->data = rspdata; | |
142 | } | |
143 | ||
23a917e5 CB |
144 | if (cmd->req.cmd == LXC_CMD_GET_CGROUP2_FD) { |
145 | int cgroup2_fd = move_fd(fd_rsp); | |
146 | rsp->data = INT_TO_PTR(cgroup2_fd); | |
860e7c43 | 147 | } |
fe84a562 | 148 | |
23a917e5 CB |
149 | if (rsp->datalen == 0) |
150 | return log_debug(ret, | |
151 | "Response data length for command \"%s\" is 0", | |
152 | lxc_cmd_str(cmd->req.cmd)); | |
153 | ||
191d43cc | 154 | if ((rsp->datalen > LXC_CMD_DATA_MAX) && |
23a917e5 CB |
155 | (cmd->req.cmd != LXC_CMD_CONSOLE_LOG)) |
156 | return log_error(-1, "Response data for command \"%s\" is too long: %d bytes > %d", | |
157 | lxc_cmd_str(cmd->req.cmd), rsp->datalen, | |
158 | LXC_CMD_DATA_MAX); | |
ef6e34ee | 159 | |
191d43cc CB |
160 | if (cmd->req.cmd == LXC_CMD_CONSOLE_LOG) { |
161 | rsp->data = malloc(rsp->datalen + 1); | |
162 | ((char *)rsp->data)[rsp->datalen] = '\0'; | |
163 | } else { | |
164 | rsp->data = malloc(rsp->datalen); | |
165 | } | |
23a917e5 CB |
166 | if (!rsp->data) |
167 | return log_error_errno(-1, | |
168 | ENOMEM, "Failed to allocate response buffer for command \"%s\"", | |
169 | lxc_cmd_str(cmd->req.cmd)); | |
fe84a562 | 170 | |
2a850b2c | 171 | ret = lxc_recv_nointr(sock, rsp->data, rsp->datalen, 0); |
23a917e5 CB |
172 | if (ret != rsp->datalen) |
173 | return log_error_errno(-1, | |
174 | errno, "Failed to receive response data for command \"%s\"", | |
175 | lxc_cmd_str(cmd->req.cmd)); | |
724e753c MN |
176 | |
177 | return ret; | |
178 | } | |
179 | ||
ef6e34ee DE |
180 | /* |
181 | * lxc_cmd_rsp_send: Send a command response | |
182 | * | |
183 | * @fd : file descriptor of socket to send response on | |
184 | * @rsp : response to send | |
185 | * | |
186 | * Returns 0 on success, < 0 on failure | |
187 | */ | |
188 | static int lxc_cmd_rsp_send(int fd, struct lxc_cmd_rsp *rsp) | |
189 | { | |
fe84a562 | 190 | ssize_t ret; |
ef6e34ee | 191 | |
7fbb15ec CB |
192 | errno = EMSGSIZE; |
193 | ret = lxc_send_nointr(fd, rsp, sizeof(*rsp), MSG_NOSIGNAL); | |
fe84a562 | 194 | if (ret < 0 || (size_t)ret != sizeof(*rsp)) { |
6d1400b5 | 195 | SYSERROR("Failed to send command response %zd", ret); |
ef6e34ee DE |
196 | return -1; |
197 | } | |
198 | ||
a674dfe1 | 199 | if (!rsp->data || rsp->datalen <= 0) |
fe84a562 CB |
200 | return 0; |
201 | ||
7fbb15ec CB |
202 | errno = EMSGSIZE; |
203 | ret = lxc_send_nointr(fd, rsp->data, rsp->datalen, MSG_NOSIGNAL); | |
fe84a562 | 204 | if (ret < 0 || ret != (ssize_t)rsp->datalen) { |
a24c5678 | 205 | SYSWARN("Failed to send command response data %zd", ret); |
fe84a562 | 206 | return -1; |
ef6e34ee | 207 | } |
fe84a562 | 208 | |
ef6e34ee DE |
209 | return 0; |
210 | } | |
211 | ||
c01c2be6 | 212 | static int lxc_cmd_send(const char *name, struct lxc_cmd_rr *cmd, |
fe84a562 | 213 | const char *lxcpath, const char *hashed_sock_name) |
c01c2be6 | 214 | { |
e96f9291 | 215 | __do_close_prot_errno int client_fd = -EBADF; |
fe84a562 | 216 | ssize_t ret = -1; |
c01c2be6 | 217 | |
9dfa4041 | 218 | client_fd = lxc_cmd_connect(name, lxcpath, hashed_sock_name, "command"); |
2a850b2c | 219 | if (client_fd < 0) |
fe84a562 | 220 | return -1; |
c01c2be6 | 221 | |
fe84a562 CB |
222 | ret = lxc_abstract_unix_send_credential(client_fd, &cmd->req, |
223 | sizeof(cmd->req)); | |
2a850b2c | 224 | if (ret < 0 || (size_t)ret != sizeof(cmd->req)) |
e96f9291 | 225 | return -1; |
9044b79e | 226 | |
cdb2a47f CB |
227 | if (cmd->req.cmd == LXC_CMD_SECCOMP_NOTIFY_ADD_LISTENER) { |
228 | int notify_fd = PTR_TO_INT(cmd->req.data); | |
229 | ret = lxc_abstract_unix_send_fds(client_fd, ¬ify_fd, 1, NULL, 0); | |
230 | if (ret <= 0) | |
231 | return -1; | |
232 | } else { | |
233 | if (cmd->req.datalen <= 0) | |
234 | return move_fd(client_fd); | |
c01c2be6 | 235 | |
cdb2a47f CB |
236 | errno = EMSGSIZE; |
237 | ret = lxc_send_nointr(client_fd, (void *)cmd->req.data, | |
238 | cmd->req.datalen, MSG_NOSIGNAL); | |
239 | if (ret < 0 || ret != (ssize_t)cmd->req.datalen) | |
240 | return -1; | |
241 | } | |
c01c2be6 | 242 | |
240fecd0 | 243 | return move_fd(client_fd); |
c01c2be6 CB |
244 | } |
245 | ||
ef6e34ee DE |
246 | /* |
247 | * lxc_cmd: Connect to the specified running container, send it a command | |
248 | * request and collect the response | |
249 | * | |
250 | * @name : name of container to connect to | |
1e8cfdf6 | 251 | * @cmd : command with initialized request to send |
ef6e34ee DE |
252 | * @stopped : output indicator if the container was not running |
253 | * @lxcpath : the lxcpath in which the container is running | |
254 | * | |
255 | * Returns the size of the response message on success, < 0 on failure | |
256 | * | |
257 | * Note that there is a special case for LXC_CMD_CONSOLE. For this command | |
258 | * the fd cannot be closed because it is used as a placeholder to indicate | |
259 | * that a particular tty slot is in use. The fd is also used as a signal to | |
260 | * the container that when the caller dies or closes the fd, the container | |
0115f8fd DE |
261 | * will notice the fd on its side of the socket in its mainloop select and |
262 | * then free the slot with lxc_cmd_fd_cleanup(). The socket fd will be | |
263 | * returned in the cmd response structure. | |
ef6e34ee DE |
264 | */ |
265 | static int lxc_cmd(const char *name, struct lxc_cmd_rr *cmd, int *stopped, | |
88556fd7 | 266 | const char *lxcpath, const char *hashed_sock_name) |
724e753c | 267 | { |
c34ff119 | 268 | __do_close_prot_errno int client_fd = -EBADF; |
fe84a562 | 269 | int ret = -1; |
dbc9832d CB |
270 | bool stay_connected = false; |
271 | ||
272 | if (cmd->req.cmd == LXC_CMD_CONSOLE || | |
54446942 | 273 | cmd->req.cmd == LXC_CMD_ADD_STATE_CLIENT) |
dbc9832d | 274 | stay_connected = true; |
724e753c | 275 | |
0ecf64b5 SH |
276 | *stopped = 0; |
277 | ||
c01c2be6 CB |
278 | client_fd = lxc_cmd_send(name, cmd, lxcpath, hashed_sock_name); |
279 | if (client_fd < 0) { | |
7874d81a | 280 | SYSTRACE("Command \"%s\" failed to connect command socket", |
281 | lxc_cmd_str(cmd->req.cmd)); | |
6a93ae77 | 282 | |
00e5ca13 | 283 | if (errno == ECONNREFUSED || errno == EPIPE) |
ef6e34ee | 284 | *stopped = 1; |
3f903c04 | 285 | |
2a850b2c | 286 | return -1; |
724e753c MN |
287 | } |
288 | ||
c01c2be6 | 289 | ret = lxc_cmd_rsp_recv(client_fd, cmd); |
2a850b2c | 290 | if (ret < 0 && errno == ECONNRESET) |
6b7f85cb | 291 | *stopped = 1; |
6a93ae77 | 292 | |
c34ff119 | 293 | if (stay_connected && ret > 0) |
240fecd0 | 294 | cmd->rsp.ret = move_fd(client_fd); |
43eb6f29 | 295 | |
1362f2eb | 296 | return ret; |
724e753c MN |
297 | } |
298 | ||
b494d2dd SH |
299 | int lxc_try_cmd(const char *name, const char *lxcpath) |
300 | { | |
0ecf64b5 | 301 | int stopped, ret; |
b494d2dd SH |
302 | struct lxc_cmd_rr cmd = { |
303 | .req = { .cmd = LXC_CMD_GET_INIT_PID }, | |
304 | }; | |
305 | ||
88556fd7 | 306 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
b494d2dd SH |
307 | if (stopped) |
308 | return 0; | |
309 | if (ret > 0 && cmd.rsp.ret < 0) { | |
310 | errno = cmd.rsp.ret; | |
311 | return -1; | |
312 | } | |
313 | if (ret > 0) | |
314 | return 0; | |
315 | ||
fe84a562 CB |
316 | /* At this point we weren't denied access, and the container *was* |
317 | * started. There was some inexplicable error in the protocol. I'm not | |
318 | * clear on whether we should return -1 here, but we didn't receive a | |
319 | * -EACCES, so technically it's not that we're not allowed to control | |
320 | * the container - it's just not behaving. | |
b494d2dd SH |
321 | */ |
322 | return 0; | |
323 | } | |
324 | ||
cc4c0832 | 325 | /* Implementations of the commands and their callbacks */ |
ef6e34ee DE |
326 | |
327 | /* | |
328 | * lxc_cmd_get_init_pid: Get pid of the container's init process | |
329 | * | |
330 | * @name : name of container to connect to | |
331 | * @lxcpath : the lxcpath in which the container is running | |
332 | * | |
333 | * Returns the pid on success, < 0 on failure | |
334 | */ | |
335 | pid_t lxc_cmd_get_init_pid(const char *name, const char *lxcpath) | |
43eb6f29 | 336 | { |
0ecf64b5 | 337 | int ret, stopped; |
9234406b | 338 | intmax_t pid; |
ef6e34ee | 339 | struct lxc_cmd_rr cmd = { |
e8cd1208 CB |
340 | .req = { |
341 | .cmd = LXC_CMD_GET_INIT_PID | |
342 | }, | |
343 | .rsp = { | |
9234406b | 344 | .data = INTMAX_TO_PTR((intmax_t){-1}) |
e8cd1208 | 345 | } |
ef6e34ee DE |
346 | }; |
347 | ||
88556fd7 | 348 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
ef6e34ee | 349 | if (ret < 0) |
8ed8a626 | 350 | return -1; |
ef6e34ee | 351 | |
9234406b CB |
352 | pid = PTR_TO_INTMAX(cmd.rsp.data); |
353 | if (pid < 0) | |
354 | return -1; | |
355 | ||
356 | /* We need to assume that pid_t can actually hold any pid given to us | |
357 | * by the kernel. If it can't it's a libc bug. | |
358 | */ | |
359 | return (pid_t)pid; | |
43eb6f29 DL |
360 | } |
361 | ||
ef6e34ee | 362 | static int lxc_cmd_get_init_pid_callback(int fd, struct lxc_cmd_req *req, |
cdb2a47f CB |
363 | struct lxc_handler *handler, |
364 | struct lxc_epoll_descr *descr) | |
43eb6f29 | 365 | { |
54dcfd81 CB |
366 | intmax_t pid = handler->pid; |
367 | ||
9234406b | 368 | struct lxc_cmd_rsp rsp = { |
54dcfd81 | 369 | .data = INTMAX_TO_PTR(pid) |
9234406b | 370 | }; |
ef6e34ee DE |
371 | |
372 | return lxc_cmd_rsp_send(fd, &rsp); | |
43eb6f29 DL |
373 | } |
374 | ||
ef6e34ee DE |
375 | /* |
376 | * lxc_cmd_get_clone_flags: Get clone flags container was spawned with | |
377 | * | |
378 | * @name : name of container to connect to | |
379 | * @lxcpath : the lxcpath in which the container is running | |
380 | * | |
381 | * Returns the clone flags on success, < 0 on failure | |
382 | */ | |
383 | int lxc_cmd_get_clone_flags(const char *name, const char *lxcpath) | |
384 | { | |
0ecf64b5 | 385 | int ret, stopped; |
ef6e34ee DE |
386 | struct lxc_cmd_rr cmd = { |
387 | .req = { .cmd = LXC_CMD_GET_CLONE_FLAGS }, | |
388 | }; | |
389 | ||
88556fd7 | 390 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
ef6e34ee DE |
391 | if (ret < 0) |
392 | return ret; | |
43eb6f29 | 393 | |
ef6e34ee DE |
394 | return PTR_TO_INT(cmd.rsp.data); |
395 | } | |
396 | ||
397 | static int lxc_cmd_get_clone_flags_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
398 | struct lxc_handler *handler, |
399 | struct lxc_epoll_descr *descr) | |
26b2d152 | 400 | { |
becad0ec | 401 | struct lxc_cmd_rsp rsp = { .data = INT_TO_PTR(handler->ns_clone_flags) }; |
ef6e34ee DE |
402 | |
403 | return lxc_cmd_rsp_send(fd, &rsp); | |
404 | } | |
405 | ||
406 | /* | |
407 | * lxc_cmd_get_cgroup_path: Calculate a container's cgroup path for a | |
408 | * particular subsystem. This is the cgroup path relative to the root | |
409 | * of the cgroup filesystem. | |
410 | * | |
ef6e34ee DE |
411 | * @name : name of container to connect to |
412 | * @lxcpath : the lxcpath in which the container is running | |
b98f7d6e | 413 | * @subsystem : the subsystem being asked about |
ef6e34ee DE |
414 | * |
415 | * Returns the path on success, NULL on failure. The caller must free() the | |
416 | * returned path. | |
417 | */ | |
b98f7d6e | 418 | char *lxc_cmd_get_cgroup_path(const char *name, const char *lxcpath, |
fe84a562 | 419 | const char *subsystem) |
ef6e34ee | 420 | { |
0ecf64b5 | 421 | int ret, stopped; |
ef6e34ee | 422 | struct lxc_cmd_rr cmd = { |
b98f7d6e SH |
423 | .req = { |
424 | .cmd = LXC_CMD_GET_CGROUP, | |
b98f7d6e | 425 | .data = subsystem, |
c2aed66d | 426 | .datalen = 0, |
b98f7d6e | 427 | }, |
26b2d152 MN |
428 | }; |
429 | ||
c2aed66d CB |
430 | cmd.req.data = subsystem; |
431 | cmd.req.datalen = 0; | |
432 | if (subsystem) | |
433 | cmd.req.datalen = strlen(subsystem) + 1; | |
434 | ||
88556fd7 | 435 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
fe84a562 | 436 | if (ret < 0) |
ef6e34ee DE |
437 | return NULL; |
438 | ||
fe84a562 | 439 | if (ret == 0) |
ef6e34ee | 440 | return NULL; |
ef6e34ee | 441 | |
fe84a562 | 442 | if (cmd.rsp.ret < 0 || cmd.rsp.datalen < 0) |
ef6e34ee | 443 | return NULL; |
3f903c04 | 444 | |
ef6e34ee DE |
445 | return cmd.rsp.data; |
446 | } | |
447 | ||
448 | static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
449 | struct lxc_handler *handler, |
450 | struct lxc_epoll_descr *descr) | |
ef6e34ee | 451 | { |
4fb3cba5 | 452 | const char *path; |
fe84a562 | 453 | struct lxc_cmd_rsp rsp; |
2202afc9 | 454 | struct cgroup_ops *cgroup_ops = handler->cgroup_ops; |
b98f7d6e | 455 | |
c2aed66d | 456 | if (req->datalen > 0) |
2202afc9 | 457 | path = cgroup_ops->get_cgroup(cgroup_ops, req->data); |
c2aed66d | 458 | else |
2202afc9 | 459 | path = cgroup_ops->get_cgroup(cgroup_ops, NULL); |
b98f7d6e SH |
460 | if (!path) |
461 | return -1; | |
fe84a562 | 462 | |
4f17323e | 463 | rsp.ret = 0; |
fe84a562 CB |
464 | rsp.datalen = strlen(path) + 1; |
465 | rsp.data = (char *)path; | |
ef6e34ee DE |
466 | |
467 | return lxc_cmd_rsp_send(fd, &rsp); | |
468 | } | |
469 | ||
470 | /* | |
471 | * lxc_cmd_get_config_item: Get config item the running container | |
472 | * | |
473 | * @name : name of container to connect to | |
7fa3f2e9 | 474 | * @item : the configuration item to retrieve (ex: lxc.net.0.veth.pair) |
ef6e34ee DE |
475 | * @lxcpath : the lxcpath in which the container is running |
476 | * | |
477 | * Returns the item on success, NULL on failure. The caller must free() the | |
478 | * returned item. | |
479 | */ | |
480 | char *lxc_cmd_get_config_item(const char *name, const char *item, | |
481 | const char *lxcpath) | |
482 | { | |
0ecf64b5 | 483 | int ret, stopped; |
ef6e34ee DE |
484 | struct lxc_cmd_rr cmd = { |
485 | .req = { .cmd = LXC_CMD_GET_CONFIG_ITEM, | |
486 | .data = item, | |
fe84a562 | 487 | .datalen = strlen(item) + 1, |
ef6e34ee DE |
488 | }, |
489 | }; | |
490 | ||
88556fd7 | 491 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
ef6e34ee DE |
492 | if (ret < 0) |
493 | return NULL; | |
494 | ||
495 | if (cmd.rsp.ret == 0) | |
496 | return cmd.rsp.data; | |
fe84a562 | 497 | |
ef6e34ee DE |
498 | return NULL; |
499 | } | |
500 | ||
501 | static int lxc_cmd_get_config_item_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
502 | struct lxc_handler *handler, |
503 | struct lxc_epoll_descr *descr) | |
ef6e34ee | 504 | { |
5265a60c | 505 | __do_free char *cidata = NULL; |
ef6e34ee | 506 | int cilen; |
30aec088 | 507 | struct lxc_config_t *item; |
fe84a562 | 508 | struct lxc_cmd_rsp rsp; |
ef6e34ee DE |
509 | |
510 | memset(&rsp, 0, sizeof(rsp)); | |
300df83e | 511 | item = lxc_get_config(req->data); |
30aec088 CB |
512 | if (!item) |
513 | goto err1; | |
fe84a562 | 514 | |
cccd2219 | 515 | cilen = item->get(req->data, NULL, 0, handler->conf, NULL); |
ef6e34ee DE |
516 | if (cilen <= 0) |
517 | goto err1; | |
518 | ||
5265a60c | 519 | cidata = must_realloc(NULL, cilen + 1); |
cccd2219 | 520 | if (item->get(req->data, cidata, cilen + 1, handler->conf, NULL) != cilen) |
ef6e34ee | 521 | goto err1; |
fe84a562 | 522 | |
ef6e34ee DE |
523 | cidata[cilen] = '\0'; |
524 | rsp.data = cidata; | |
525 | rsp.datalen = cilen + 1; | |
526 | rsp.ret = 0; | |
527 | goto out; | |
528 | ||
529 | err1: | |
530 | rsp.ret = -1; | |
531 | out: | |
532 | return lxc_cmd_rsp_send(fd, &rsp); | |
533 | } | |
534 | ||
535 | /* | |
536 | * lxc_cmd_get_state: Get current state of the container | |
537 | * | |
538 | * @name : name of container to connect to | |
539 | * @lxcpath : the lxcpath in which the container is running | |
540 | * | |
541 | * Returns the state on success, < 0 on failure | |
542 | */ | |
dbc9832d | 543 | int lxc_cmd_get_state(const char *name, const char *lxcpath) |
ef6e34ee | 544 | { |
0ecf64b5 | 545 | int ret, stopped; |
ef6e34ee DE |
546 | struct lxc_cmd_rr cmd = { |
547 | .req = { .cmd = LXC_CMD_GET_STATE } | |
548 | }; | |
26b2d152 | 549 | |
88556fd7 | 550 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
ebdd307d | 551 | if (ret < 0 && stopped) |
ef6e34ee DE |
552 | return STOPPED; |
553 | ||
554 | if (ret < 0) | |
26b2d152 | 555 | return -1; |
26b2d152 | 556 | |
ef6e34ee | 557 | if (!ret) { |
fe84a562 | 558 | WARN("Container \"%s\" has stopped before sending its state", name); |
ef6e34ee DE |
559 | return -1; |
560 | } | |
561 | ||
fe84a562 | 562 | DEBUG("Container \"%s\" is in \"%s\" state", name, |
ef6e34ee | 563 | lxc_state2str(PTR_TO_INT(cmd.rsp.data))); |
fe84a562 | 564 | |
ef6e34ee DE |
565 | return PTR_TO_INT(cmd.rsp.data); |
566 | } | |
567 | ||
568 | static int lxc_cmd_get_state_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
569 | struct lxc_handler *handler, |
570 | struct lxc_epoll_descr *descr) | |
ef6e34ee DE |
571 | { |
572 | struct lxc_cmd_rsp rsp = { .data = INT_TO_PTR(handler->state) }; | |
573 | ||
574 | return lxc_cmd_rsp_send(fd, &rsp); | |
575 | } | |
576 | ||
577 | /* | |
578 | * lxc_cmd_stop: Stop the container previously started with lxc_start. All | |
579 | * the processes running inside this container will be killed. | |
580 | * | |
581 | * @name : name of container to connect to | |
582 | * @lxcpath : the lxcpath in which the container is running | |
583 | * | |
584 | * Returns 0 on success, < 0 on failure | |
585 | */ | |
586 | int lxc_cmd_stop(const char *name, const char *lxcpath) | |
587 | { | |
0ecf64b5 | 588 | int ret, stopped; |
ef6e34ee DE |
589 | struct lxc_cmd_rr cmd = { |
590 | .req = { .cmd = LXC_CMD_STOP }, | |
591 | }; | |
592 | ||
88556fd7 | 593 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
26b2d152 | 594 | if (ret < 0) { |
ef6e34ee | 595 | if (stopped) { |
fe84a562 | 596 | INFO("Container \"%s\" is already stopped", name); |
ef6e34ee DE |
597 | return 0; |
598 | } | |
fe84a562 | 599 | |
26b2d152 MN |
600 | return -1; |
601 | } | |
602 | ||
fe84a562 CB |
603 | /* We do not expect any answer, because we wait for the connection to be |
604 | * closed. | |
95d5b147 SH |
605 | */ |
606 | if (ret > 0) { | |
6d1400b5 | 607 | errno = -cmd.rsp.ret; |
608 | SYSERROR("Failed to stop container \"%s\"", name); | |
26b2d152 MN |
609 | return -1; |
610 | } | |
611 | ||
fe84a562 | 612 | INFO("Container \"%s\" has stopped", name); |
ef6e34ee | 613 | return 0; |
26b2d152 MN |
614 | } |
615 | ||
ef6e34ee | 616 | static int lxc_cmd_stop_callback(int fd, struct lxc_cmd_req *req, |
cdb2a47f CB |
617 | struct lxc_handler *handler, |
618 | struct lxc_epoll_descr *descr) | |
d5088cf2 | 619 | { |
ef6e34ee | 620 | struct lxc_cmd_rsp rsp; |
ef6e34ee | 621 | int stopsignal = SIGKILL; |
2202afc9 | 622 | struct cgroup_ops *cgroup_ops = handler->cgroup_ops; |
ef6e34ee DE |
623 | |
624 | if (handler->conf->stopsignal) | |
625 | stopsignal = handler->conf->stopsignal; | |
626 | memset(&rsp, 0, sizeof(rsp)); | |
627 | rsp.ret = kill(handler->pid, stopsignal); | |
628 | if (!rsp.ret) { | |
018051e3 CB |
629 | rsp.ret = cgroup_ops->unfreeze(cgroup_ops, -1); |
630 | if (!rsp.ret) | |
95d5b147 | 631 | return 0; |
fe84a562 CB |
632 | |
633 | ERROR("Failed to unfreeze container \"%s\"", handler->name); | |
018051e3 CB |
634 | rsp.ret = -errno; |
635 | } else { | |
636 | rsp.ret = -errno; | |
ef6e34ee DE |
637 | } |
638 | ||
639 | return lxc_cmd_rsp_send(fd, &rsp); | |
640 | } | |
d5088cf2 | 641 | |
b5159817 | 642 | /* |
2bd158cc | 643 | * lxc_cmd_terminal_winch: noop |
b5159817 DE |
644 | * |
645 | * @name : name of container to connect to | |
646 | * @lxcpath : the lxcpath in which the container is running | |
647 | * | |
648 | * Returns 0 on success, < 0 on failure | |
649 | */ | |
8ccbbf94 | 650 | int lxc_cmd_terminal_winch(const char *name, const char *lxcpath) |
b5159817 | 651 | { |
b5159817 DE |
652 | return 0; |
653 | } | |
654 | ||
8ccbbf94 | 655 | static int lxc_cmd_terminal_winch_callback(int fd, struct lxc_cmd_req *req, |
cdb2a47f CB |
656 | struct lxc_handler *handler, |
657 | struct lxc_epoll_descr *descr) | |
b5159817 | 658 | { |
2bd158cc CB |
659 | /* should never be called */ |
660 | return -1; | |
b5159817 DE |
661 | } |
662 | ||
ef6e34ee DE |
663 | /* |
664 | * lxc_cmd_console: Open an fd to a tty in the container | |
665 | * | |
666 | * @name : name of container to connect to | |
667 | * @ttynum : in: the tty to open or -1 for next available | |
668 | * : out: the tty allocated | |
669 | * @fd : out: file descriptor for master side of pty | |
670 | * @lxcpath : the lxcpath in which the container is running | |
671 | * | |
0115f8fd | 672 | * Returns fd holding tty allocated on success, < 0 on failure |
ef6e34ee DE |
673 | */ |
674 | int lxc_cmd_console(const char *name, int *ttynum, int *fd, const char *lxcpath) | |
675 | { | |
8259d86d | 676 | __do_free struct lxc_cmd_console_rsp_data *rspdata = NULL; |
0ecf64b5 | 677 | int ret, stopped; |
ef6e34ee DE |
678 | struct lxc_cmd_rr cmd = { |
679 | .req = { .cmd = LXC_CMD_CONSOLE, .data = INT_TO_PTR(*ttynum) }, | |
680 | }; | |
d5088cf2 | 681 | |
88556fd7 | 682 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
ef6e34ee DE |
683 | if (ret < 0) |
684 | return ret; | |
0115f8fd | 685 | |
8259d86d | 686 | rspdata = cmd.rsp.data; |
0115f8fd | 687 | if (cmd.rsp.ret < 0) { |
6d1400b5 | 688 | errno = -cmd.rsp.ret; |
689 | SYSERROR("Denied access to tty"); | |
8259d86d | 690 | return -1; |
ef6e34ee | 691 | } |
d5088cf2 | 692 | |
0115f8fd | 693 | if (ret == 0) { |
fe84a562 | 694 | ERROR("tty number %d invalid, busy or all ttys busy", *ttynum); |
8259d86d | 695 | return -1; |
ef6e34ee | 696 | } |
ef6e34ee | 697 | |
0115f8fd | 698 | if (rspdata->masterfd < 0) { |
fe84a562 | 699 | ERROR("Unable to allocate fd for tty %d", rspdata->ttynum); |
8259d86d | 700 | return -1; |
ef6e34ee DE |
701 | } |
702 | ||
fe84a562 | 703 | ret = cmd.rsp.ret; /* socket fd */ |
0115f8fd | 704 | *fd = rspdata->masterfd; |
ef6e34ee | 705 | *ttynum = rspdata->ttynum; |
fe84a562 CB |
706 | INFO("Alloced fd %d for tty %d via socket %d", *fd, rspdata->ttynum, ret); |
707 | ||
ef6e34ee DE |
708 | return ret; |
709 | } | |
710 | ||
711 | static int lxc_cmd_console_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
712 | struct lxc_handler *handler, |
713 | struct lxc_epoll_descr *descr) | |
ef6e34ee | 714 | { |
fe84a562 | 715 | int masterfd, ret; |
ef6e34ee | 716 | struct lxc_cmd_rsp rsp; |
fe84a562 | 717 | int ttynum = PTR_TO_INT(req->data); |
ef6e34ee | 718 | |
c1ee47cd | 719 | masterfd = lxc_terminal_allocate(handler->conf, fd, &ttynum); |
b5159817 | 720 | if (masterfd < 0) |
ef6e34ee DE |
721 | goto out_close; |
722 | ||
ef6e34ee DE |
723 | memset(&rsp, 0, sizeof(rsp)); |
724 | rsp.data = INT_TO_PTR(ttynum); | |
fe84a562 CB |
725 | ret = lxc_abstract_unix_send_fds(fd, &masterfd, 1, &rsp, sizeof(rsp)); |
726 | if (ret < 0) { | |
9044b79e | 727 | SYSERROR("Failed to send tty to client"); |
3dfe6f8d | 728 | lxc_terminal_free(handler->conf, fd); |
ef6e34ee DE |
729 | goto out_close; |
730 | } | |
731 | ||
ef6e34ee DE |
732 | return 0; |
733 | ||
734 | out_close: | |
fe84a562 CB |
735 | /* Special indicator to lxc_cmd_handler() to close the fd and do |
736 | * related cleanup. | |
ef6e34ee DE |
737 | */ |
738 | return 1; | |
d5088cf2 CS |
739 | } |
740 | ||
88556fd7 ÇO |
741 | /* |
742 | * lxc_cmd_get_name: Returns the name of the container | |
743 | * | |
744 | * @hashed_sock_name: hashed socket name | |
745 | * | |
746 | * Returns the name on success, NULL on failure. | |
747 | */ | |
748 | char *lxc_cmd_get_name(const char *hashed_sock_name) | |
749 | { | |
750 | int ret, stopped; | |
751 | struct lxc_cmd_rr cmd = { | |
752 | .req = { .cmd = LXC_CMD_GET_NAME}, | |
753 | }; | |
754 | ||
755 | ret = lxc_cmd(NULL, &cmd, &stopped, NULL, hashed_sock_name); | |
fe84a562 | 756 | if (ret < 0) |
88556fd7 | 757 | return NULL; |
88556fd7 ÇO |
758 | |
759 | if (cmd.rsp.ret == 0) | |
760 | return cmd.rsp.data; | |
fe84a562 | 761 | |
88556fd7 ÇO |
762 | return NULL; |
763 | } | |
764 | ||
765 | static int lxc_cmd_get_name_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
766 | struct lxc_handler *handler, |
767 | struct lxc_epoll_descr *descr) | |
88556fd7 ÇO |
768 | { |
769 | struct lxc_cmd_rsp rsp; | |
770 | ||
771 | memset(&rsp, 0, sizeof(rsp)); | |
772 | ||
f0ecc19d | 773 | rsp.data = (char *)handler->name; |
88556fd7 ÇO |
774 | rsp.datalen = strlen(handler->name) + 1; |
775 | rsp.ret = 0; | |
776 | ||
777 | return lxc_cmd_rsp_send(fd, &rsp); | |
778 | } | |
779 | ||
780 | /* | |
781 | * lxc_cmd_get_lxcpath: Returns the lxcpath of the container | |
782 | * | |
783 | * @hashed_sock_name: hashed socket name | |
784 | * | |
785 | * Returns the lxcpath on success, NULL on failure. | |
786 | */ | |
787 | char *lxc_cmd_get_lxcpath(const char *hashed_sock_name) | |
788 | { | |
789 | int ret, stopped; | |
790 | struct lxc_cmd_rr cmd = { | |
791 | .req = { .cmd = LXC_CMD_GET_LXCPATH}, | |
792 | }; | |
724e753c | 793 | |
88556fd7 | 794 | ret = lxc_cmd(NULL, &cmd, &stopped, NULL, hashed_sock_name); |
fe84a562 | 795 | if (ret < 0) |
88556fd7 | 796 | return NULL; |
88556fd7 ÇO |
797 | |
798 | if (cmd.rsp.ret == 0) | |
799 | return cmd.rsp.data; | |
fe84a562 | 800 | |
88556fd7 ÇO |
801 | return NULL; |
802 | } | |
803 | ||
804 | static int lxc_cmd_get_lxcpath_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
805 | struct lxc_handler *handler, |
806 | struct lxc_epoll_descr *descr) | |
88556fd7 ÇO |
807 | { |
808 | struct lxc_cmd_rsp rsp; | |
809 | ||
810 | memset(&rsp, 0, sizeof(rsp)); | |
811 | ||
fe84a562 | 812 | rsp.ret = 0; |
88556fd7 ÇO |
813 | rsp.data = (char *)handler->lxcpath; |
814 | rsp.datalen = strlen(handler->lxcpath) + 1; | |
88556fd7 ÇO |
815 | |
816 | return lxc_cmd_rsp_send(fd, &rsp); | |
817 | } | |
ef6e34ee | 818 | |
54446942 | 819 | int lxc_cmd_add_state_client(const char *name, const char *lxcpath, |
92e35018 CB |
820 | lxc_state_t states[MAX_STATE], |
821 | int *state_client_fd) | |
dbc9832d | 822 | { |
cd889e57 | 823 | __do_close_prot_errno int clientfd = -EBADF; |
bc631984 | 824 | int state, stopped; |
dbc9832d | 825 | ssize_t ret; |
dbc9832d CB |
826 | struct lxc_cmd_rr cmd = { |
827 | .req = { | |
54446942 | 828 | .cmd = LXC_CMD_ADD_STATE_CLIENT, |
dbc9832d CB |
829 | .data = states, |
830 | .datalen = (sizeof(lxc_state_t) * MAX_STATE) | |
831 | }, | |
832 | }; | |
833 | ||
dbc9832d | 834 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); |
bc631984 CB |
835 | if (states[STOPPED] != 0 && stopped != 0) |
836 | return STOPPED; | |
837 | ||
dbc9832d | 838 | if (ret < 0) { |
f577e061 | 839 | if (errno != ECONNREFUSED) |
6d1400b5 | 840 | SYSERROR("Failed to execute command"); |
841 | ||
dbc9832d CB |
842 | return -1; |
843 | } | |
fe84a562 | 844 | |
dbc9832d CB |
845 | /* We should now be guaranteed to get an answer from the state sending |
846 | * function. | |
847 | */ | |
cd889e57 CB |
848 | clientfd = cmd.rsp.ret; |
849 | if (clientfd < 0) { | |
850 | errno = -clientfd; | |
6d1400b5 | 851 | SYSERROR("Failed to receive socket fd"); |
dbc9832d CB |
852 | return -1; |
853 | } | |
854 | ||
bc631984 CB |
855 | state = PTR_TO_INT(cmd.rsp.data); |
856 | if (state < MAX_STATE) { | |
44552fb2 | 857 | TRACE("Container is already in requested state %s", lxc_state2str(state)); |
bc631984 CB |
858 | return state; |
859 | } | |
860 | ||
240fecd0 | 861 | *state_client_fd = move_fd(clientfd); |
cd889e57 | 862 | TRACE("Added state client %d to state client list", *state_client_fd); |
92e35018 | 863 | return MAX_STATE; |
dbc9832d CB |
864 | } |
865 | ||
54446942 | 866 | static int lxc_cmd_add_state_client_callback(int fd, struct lxc_cmd_req *req, |
cdb2a47f CB |
867 | struct lxc_handler *handler, |
868 | struct lxc_epoll_descr *descr) | |
dbc9832d | 869 | { |
44552fb2 | 870 | int ret; |
dbc9832d | 871 | struct lxc_cmd_rsp rsp = {0}; |
dbc9832d | 872 | |
fe84a562 | 873 | if (req->datalen < 0) |
44552fb2 | 874 | goto reap_client_fd; |
dbc9832d | 875 | |
71fc9c04 | 876 | if (req->datalen != (sizeof(lxc_state_t) * MAX_STATE)) |
44552fb2 | 877 | goto reap_client_fd; |
dbc9832d | 878 | |
fe84a562 | 879 | if (!req->data) |
44552fb2 | 880 | goto reap_client_fd; |
dbc9832d | 881 | |
c01c2be6 | 882 | rsp.ret = lxc_add_state_client(fd, handler, (lxc_state_t *)req->data); |
44552fb2 CB |
883 | if (rsp.ret < 0) |
884 | goto reap_client_fd; | |
885 | ||
bc631984 | 886 | rsp.data = INT_TO_PTR(rsp.ret); |
dbc9832d | 887 | |
44552fb2 CB |
888 | ret = lxc_cmd_rsp_send(fd, &rsp); |
889 | if (ret < 0) | |
890 | goto reap_client_fd; | |
891 | ||
892 | return 0; | |
893 | ||
894 | reap_client_fd: | |
895 | /* Special indicator to lxc_cmd_handler() to close the fd and do related | |
896 | * cleanup. | |
897 | */ | |
898 | return 1; | |
dbc9832d CB |
899 | } |
900 | ||
2a63b5cb CB |
901 | int lxc_cmd_add_bpf_device_cgroup(const char *name, const char *lxcpath, |
902 | struct device_item *device) | |
903 | { | |
904 | #ifdef HAVE_STRUCT_BPF_CGROUP_DEV_CTX | |
905 | int stopped = 0; | |
906 | struct lxc_cmd_rr cmd = { | |
907 | .req = { | |
908 | .cmd = LXC_CMD_ADD_BPF_DEVICE_CGROUP, | |
909 | .data = device, | |
910 | .datalen = sizeof(struct device_item), | |
911 | }, | |
912 | }; | |
913 | int ret; | |
914 | ||
915 | if (strlen(device->access) > STRLITERALLEN("rwm")) | |
3d0327ed | 916 | return log_error_errno(-1, EINVAL, "Invalid access mode specified %s", |
2a63b5cb CB |
917 | device->access); |
918 | ||
919 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
920 | if (ret < 0 || cmd.rsp.ret < 0) | |
3d0327ed | 921 | return log_error_errno(-1, errno, "Failed to add new bpf device cgroup rule"); |
2a63b5cb CB |
922 | |
923 | return 0; | |
924 | #else | |
3d0327ed | 925 | return ret_set_errno(-1, ENOSYS); |
2a63b5cb CB |
926 | #endif |
927 | } | |
928 | ||
929 | static int lxc_cmd_add_bpf_device_cgroup_callback(int fd, struct lxc_cmd_req *req, | |
930 | struct lxc_handler *handler, | |
931 | struct lxc_epoll_descr *descr) | |
932 | { | |
933 | #ifdef HAVE_STRUCT_BPF_CGROUP_DEV_CTX | |
934 | __do_bpf_program_free struct bpf_program *devices = NULL; | |
935 | struct lxc_cmd_rsp rsp = {0}; | |
936 | struct lxc_conf *conf = handler->conf; | |
937 | struct hierarchy *unified = handler->cgroup_ops->unified; | |
938 | struct lxc_list *list_elem = NULL; | |
939 | struct device_item *new_device = NULL; | |
940 | int ret; | |
941 | struct lxc_list *it; | |
942 | struct device_item *device; | |
943 | struct bpf_program *devices_old; | |
944 | ||
945 | if (req->datalen <= 0) | |
946 | goto reap_client_fd; | |
947 | ||
948 | if (req->datalen != sizeof(struct device_item)) | |
949 | goto reap_client_fd; | |
950 | ||
951 | if (!req->data) | |
952 | goto reap_client_fd; | |
953 | device = (struct device_item *)req->data; | |
954 | ||
955 | rsp.ret = -1; | |
956 | if (!unified) | |
957 | goto respond; | |
958 | ||
959 | ret = bpf_list_add_device(conf, device); | |
960 | if (ret < 0) | |
961 | goto respond; | |
962 | ||
963 | devices = bpf_program_new(BPF_PROG_TYPE_CGROUP_DEVICE); | |
964 | if (!devices) | |
965 | goto respond; | |
966 | ||
967 | ret = bpf_program_init(devices); | |
968 | if (ret) | |
969 | goto respond; | |
970 | ||
971 | lxc_list_for_each(it, &conf->devices) { | |
972 | struct device_item *cur = it->elem; | |
973 | ||
974 | ret = bpf_program_append_device(devices, cur); | |
975 | if (ret) | |
976 | goto respond; | |
977 | } | |
978 | ||
979 | ret = bpf_program_finalize(devices); | |
980 | if (ret) | |
981 | goto respond; | |
982 | ||
983 | ret = bpf_program_cgroup_attach(devices, BPF_CGROUP_DEVICE, | |
984 | unified->container_full_path, | |
985 | BPF_F_ALLOW_MULTI); | |
986 | if (ret) | |
987 | goto respond; | |
988 | ||
989 | /* Replace old bpf program. */ | |
990 | devices_old = move_ptr(conf->cgroup2_devices); | |
991 | conf->cgroup2_devices = move_ptr(devices); | |
992 | devices = move_ptr(devices_old); | |
993 | ||
994 | rsp.ret = 0; | |
995 | ||
996 | respond: | |
997 | ret = lxc_cmd_rsp_send(fd, &rsp); | |
998 | if (ret < 0) | |
999 | goto reap_client_fd; | |
1000 | ||
1001 | return 0; | |
1002 | ||
1003 | reap_client_fd: | |
1004 | /* Special indicator to lxc_cmd_handler() to close the fd and do related | |
1005 | * cleanup. | |
1006 | */ | |
1007 | return 1; | |
1008 | #else | |
3d0327ed | 1009 | return ret_set_errno(-1, ENOSYS); |
2a63b5cb CB |
1010 | #endif |
1011 | } | |
1012 | ||
191d43cc CB |
1013 | int lxc_cmd_console_log(const char *name, const char *lxcpath, |
1014 | struct lxc_console_log *log) | |
1015 | { | |
1016 | int ret, stopped; | |
1017 | struct lxc_cmd_console_log data; | |
1018 | struct lxc_cmd_rr cmd; | |
1019 | ||
1020 | data.clear = log->clear; | |
1021 | data.read = log->read; | |
1022 | data.read_max = *log->read_max; | |
1023 | ||
1024 | cmd.req.cmd = LXC_CMD_CONSOLE_LOG; | |
1025 | cmd.req.data = &data; | |
1026 | cmd.req.datalen = sizeof(struct lxc_cmd_console_log); | |
1027 | ||
1028 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
1029 | if (ret < 0) | |
1030 | return ret; | |
1031 | ||
1032 | /* There is nothing to be read from the buffer. So clear any values we | |
1033 | * where passed to clearly indicate to the user that nothing went wrong. | |
1034 | */ | |
63b74cda | 1035 | if (cmd.rsp.ret == -ENODATA || cmd.rsp.ret == -EFAULT || cmd.rsp.ret == -ENOENT) { |
191d43cc CB |
1036 | *log->read_max = 0; |
1037 | log->data = NULL; | |
1038 | } | |
1039 | ||
1040 | /* This is a proper error so don't touch any values we were passed. */ | |
1041 | if (cmd.rsp.ret < 0) | |
1042 | return cmd.rsp.ret; | |
1043 | ||
1044 | *log->read_max = cmd.rsp.datalen; | |
1045 | log->data = cmd.rsp.data; | |
1046 | ||
1047 | return 0; | |
1048 | } | |
1049 | ||
1050 | static int lxc_cmd_console_log_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
1051 | struct lxc_handler *handler, |
1052 | struct lxc_epoll_descr *descr) | |
191d43cc CB |
1053 | { |
1054 | struct lxc_cmd_rsp rsp; | |
28f3b1cd | 1055 | uint64_t buffer_size = handler->conf->console.buffer_size; |
191d43cc CB |
1056 | const struct lxc_cmd_console_log *log = req->data; |
1057 | struct lxc_ringbuf *buf = &handler->conf->console.ringbuf; | |
1058 | ||
1059 | rsp.ret = -EFAULT; | |
1060 | rsp.datalen = 0; | |
1061 | rsp.data = NULL; | |
28f3b1cd | 1062 | if (buffer_size <= 0) |
191d43cc CB |
1063 | goto out; |
1064 | ||
5928191e CB |
1065 | if (log->read || log->write_logfile) |
1066 | rsp.datalen = lxc_ringbuf_used(buf); | |
1067 | ||
191d43cc CB |
1068 | if (log->read) |
1069 | rsp.data = lxc_ringbuf_get_read_addr(buf); | |
1070 | ||
1071 | if (log->read_max > 0 && (log->read_max <= rsp.datalen)) | |
1072 | rsp.datalen = log->read_max; | |
1073 | ||
1074 | /* there's nothing to read */ | |
63b74cda | 1075 | rsp.ret = -ENODATA; |
191d43cc | 1076 | if (log->read && (buf->r_off == buf->w_off)) |
63b74cda CB |
1077 | goto out; |
1078 | ||
63b74cda | 1079 | rsp.ret = 0; |
23e0d9af | 1080 | if (log->clear) |
43366ca2 | 1081 | lxc_ringbuf_clear(buf); /* clear the ringbuffer */ |
23e0d9af | 1082 | else if (rsp.datalen > 0) |
191d43cc CB |
1083 | lxc_ringbuf_move_read_addr(buf, rsp.datalen); |
1084 | ||
1085 | out: | |
1086 | return lxc_cmd_rsp_send(fd, &rsp); | |
1087 | } | |
1088 | ||
974a8aba CB |
1089 | int lxc_cmd_serve_state_clients(const char *name, const char *lxcpath, |
1090 | lxc_state_t state) | |
1091 | { | |
1092 | int stopped; | |
1093 | ssize_t ret; | |
1094 | struct lxc_cmd_rr cmd = { | |
1095 | .req = { | |
1096 | .cmd = LXC_CMD_SERVE_STATE_CLIENTS, | |
1097 | .data = INT_TO_PTR(state) | |
1098 | }, | |
1099 | }; | |
1100 | ||
1101 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
1102 | if (ret < 0) { | |
6d1400b5 | 1103 | SYSERROR("Failed to execute command"); |
974a8aba CB |
1104 | return -1; |
1105 | } | |
1106 | ||
1107 | return 0; | |
1108 | } | |
1109 | ||
1110 | static int lxc_cmd_serve_state_clients_callback(int fd, struct lxc_cmd_req *req, | |
cdb2a47f CB |
1111 | struct lxc_handler *handler, |
1112 | struct lxc_epoll_descr *descr) | |
974a8aba CB |
1113 | { |
1114 | int ret; | |
1115 | lxc_state_t state = PTR_TO_INT(req->data); | |
1116 | struct lxc_cmd_rsp rsp = {0}; | |
1117 | ||
1118 | ret = lxc_serve_state_clients(handler->name, handler, state); | |
1119 | if (ret < 0) | |
1120 | goto reap_client_fd; | |
1121 | ||
1122 | ret = lxc_cmd_rsp_send(fd, &rsp); | |
1123 | if (ret < 0) | |
1124 | goto reap_client_fd; | |
1125 | ||
1126 | return 0; | |
1127 | ||
1128 | reap_client_fd: | |
1129 | /* Special indicator to lxc_cmd_handler() to close the fd and do related | |
1130 | * cleanup. | |
1131 | */ | |
1132 | return 1; | |
1133 | } | |
1134 | ||
cdb2a47f CB |
1135 | int lxc_cmd_seccomp_notify_add_listener(const char *name, const char *lxcpath, |
1136 | int fd, | |
1137 | /* unused */ unsigned int command, | |
1138 | /* unused */ unsigned int flags) | |
1139 | { | |
1140 | ||
c3e3c21a | 1141 | #ifdef HAVE_SECCOMP_NOTIFY |
cdb2a47f CB |
1142 | int ret, stopped; |
1143 | struct lxc_cmd_rr cmd = { | |
1144 | .req = { | |
1145 | .cmd = LXC_CMD_SECCOMP_NOTIFY_ADD_LISTENER, | |
1146 | .data = INT_TO_PTR(fd), | |
1147 | }, | |
1148 | }; | |
1149 | ||
1150 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
1151 | if (ret < 0) { | |
1152 | SYSERROR("Failed to execute command"); | |
1153 | return -1; | |
1154 | } | |
1155 | ||
1156 | return cmd.rsp.ret; | |
1157 | #else | |
3d0327ed | 1158 | return ret_set_errno(-1, ENOSYS); |
cdb2a47f CB |
1159 | #endif |
1160 | } | |
1161 | ||
1162 | static int lxc_cmd_seccomp_notify_add_listener_callback(int fd, | |
1163 | struct lxc_cmd_req *req, | |
1164 | struct lxc_handler *handler, | |
1165 | struct lxc_epoll_descr *descr) | |
1166 | { | |
1167 | struct lxc_cmd_rsp rsp = {0}; | |
cdb2a47f | 1168 | |
c3e3c21a CB |
1169 | #ifdef HAVE_SECCOMP_NOTIFY |
1170 | int ret; | |
cdb2a47f | 1171 | __do_close_prot_errno int recv_fd = -EBADF; |
cdb2a47f | 1172 | |
c3e3c21a CB |
1173 | ret = lxc_abstract_unix_recv_fds(fd, &recv_fd, 1, NULL, 0); |
1174 | if (ret <= 0) { | |
1175 | rsp.ret = -errno; | |
1176 | goto out; | |
cdb2a47f CB |
1177 | } |
1178 | ||
c3e3c21a CB |
1179 | if (!handler->conf->seccomp.notifier.wants_supervision || |
1180 | handler->conf->seccomp.notifier.proxy_fd < 0) { | |
1181 | SYSERROR("No seccomp proxy fd specified"); | |
1182 | rsp.ret = -EINVAL; | |
1183 | goto out; | |
1184 | } | |
cdb2a47f | 1185 | |
c3e3c21a | 1186 | ret = lxc_mainloop_add_handler(descr, recv_fd, seccomp_notify_handler, |
cdb2a47f | 1187 | handler); |
c3e3c21a CB |
1188 | if (ret < 0) { |
1189 | rsp.ret = -errno; | |
1190 | goto out; | |
1191 | } | |
68a9e3eb | 1192 | move_fd(recv_fd); |
cdb2a47f | 1193 | |
c3e3c21a | 1194 | out: |
cdb2a47f CB |
1195 | #else |
1196 | rsp.ret = -ENOSYS; | |
cdb2a47f | 1197 | |
c3e3c21a CB |
1198 | #endif |
1199 | return lxc_cmd_rsp_send(fd, &rsp); | |
cdb2a47f CB |
1200 | } |
1201 | ||
018051e3 CB |
1202 | int lxc_cmd_freeze(const char *name, const char *lxcpath, int timeout) |
1203 | { | |
1204 | int ret, stopped; | |
1205 | struct lxc_cmd_rr cmd = { | |
1206 | .req = { | |
1207 | .cmd = LXC_CMD_FREEZE, | |
1208 | .data = INT_TO_PTR(timeout), | |
1209 | }, | |
1210 | }; | |
1211 | ||
1212 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
1213 | if (ret <= 0 || cmd.rsp.ret < 0) | |
3d0327ed | 1214 | return log_error_errno(-1, errno, "Failed to freeze container"); |
018051e3 CB |
1215 | |
1216 | return cmd.rsp.ret; | |
1217 | } | |
1218 | ||
1219 | static int lxc_cmd_freeze_callback(int fd, struct lxc_cmd_req *req, | |
1220 | struct lxc_handler *handler, | |
1221 | struct lxc_epoll_descr *descr) | |
1222 | { | |
1223 | int timeout = PTR_TO_INT(req->data); | |
1224 | struct lxc_cmd_rsp rsp = { | |
1225 | .ret = -ENOENT, | |
1226 | }; | |
1227 | struct cgroup_ops *ops = handler->cgroup_ops; | |
1228 | ||
1973b62a | 1229 | if (pure_unified_layout(ops)) |
018051e3 CB |
1230 | rsp.ret = ops->freeze(ops, timeout); |
1231 | ||
1232 | return lxc_cmd_rsp_send(fd, &rsp); | |
1233 | } | |
1234 | ||
1235 | int lxc_cmd_unfreeze(const char *name, const char *lxcpath, int timeout) | |
1236 | { | |
1237 | int ret, stopped; | |
1238 | struct lxc_cmd_rr cmd = { | |
1239 | .req = { | |
1240 | .cmd = LXC_CMD_UNFREEZE, | |
1241 | .data = INT_TO_PTR(timeout), | |
1242 | }, | |
1243 | }; | |
1244 | ||
1245 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
1246 | if (ret <= 0 || cmd.rsp.ret < 0) | |
3d0327ed | 1247 | return log_error_errno(-1, errno, "Failed to unfreeze container"); |
018051e3 CB |
1248 | |
1249 | return cmd.rsp.ret; | |
1250 | } | |
1251 | ||
1252 | static int lxc_cmd_unfreeze_callback(int fd, struct lxc_cmd_req *req, | |
1253 | struct lxc_handler *handler, | |
1254 | struct lxc_epoll_descr *descr) | |
1255 | { | |
1256 | int timeout = PTR_TO_INT(req->data); | |
1257 | struct lxc_cmd_rsp rsp = { | |
1258 | .ret = -ENOENT, | |
1259 | }; | |
1260 | struct cgroup_ops *ops = handler->cgroup_ops; | |
1261 | ||
1973b62a | 1262 | if (pure_unified_layout(ops)) |
018051e3 CB |
1263 | rsp.ret = ops->unfreeze(ops, timeout); |
1264 | ||
1265 | return lxc_cmd_rsp_send(fd, &rsp); | |
1266 | } | |
1267 | ||
bad788b0 CB |
1268 | int lxc_cmd_get_cgroup2_fd(const char *name, const char *lxcpath) |
1269 | { | |
1270 | int ret, stopped; | |
1271 | struct lxc_cmd_rr cmd = { | |
1272 | .req = { | |
1273 | .cmd = LXC_CMD_GET_CGROUP2_FD, | |
1274 | }, | |
1275 | }; | |
1276 | ||
1277 | ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL); | |
23a917e5 CB |
1278 | if (ret < 0) |
1279 | return -1; | |
1280 | ||
1281 | if (cmd.rsp.ret < 0) | |
900b6606 | 1282 | return log_debug_errno(-1, errno, "Failed to receive cgroup2 fd"); |
bad788b0 CB |
1283 | |
1284 | return PTR_TO_INT(cmd.rsp.data); | |
1285 | } | |
1286 | ||
1287 | static int lxc_cmd_get_cgroup2_fd_callback(int fd, struct lxc_cmd_req *req, | |
1288 | struct lxc_handler *handler, | |
1289 | struct lxc_epoll_descr *descr) | |
1290 | { | |
1291 | struct lxc_cmd_rsp rsp = { | |
1292 | .ret = -EINVAL, | |
1293 | }; | |
1294 | struct cgroup_ops *ops = handler->cgroup_ops; | |
1295 | int ret; | |
1296 | ||
1973b62a | 1297 | if (!pure_unified_layout(ops) || !ops->unified) |
bad788b0 CB |
1298 | return lxc_cmd_rsp_send(fd, &rsp); |
1299 | ||
1300 | rsp.ret = 0; | |
1973b62a | 1301 | ret = lxc_abstract_unix_send_fds(fd, &ops->unified->cgfd_con, 1, &rsp, |
bad788b0 CB |
1302 | sizeof(rsp)); |
1303 | if (ret < 0) | |
1304 | return log_error(1, "Failed to send cgroup2 fd"); | |
1305 | ||
1306 | return 0; | |
1307 | } | |
1308 | ||
ef6e34ee | 1309 | static int lxc_cmd_process(int fd, struct lxc_cmd_req *req, |
cdb2a47f CB |
1310 | struct lxc_handler *handler, |
1311 | struct lxc_epoll_descr *descr) | |
724e753c | 1312 | { |
cdb2a47f CB |
1313 | typedef int (*callback)(int, struct lxc_cmd_req *, struct lxc_handler *, |
1314 | struct lxc_epoll_descr *); | |
ef6e34ee DE |
1315 | |
1316 | callback cb[LXC_CMD_MAX] = { | |
2a63b5cb CB |
1317 | [LXC_CMD_CONSOLE] = lxc_cmd_console_callback, |
1318 | [LXC_CMD_TERMINAL_WINCH] = lxc_cmd_terminal_winch_callback, | |
1319 | [LXC_CMD_STOP] = lxc_cmd_stop_callback, | |
1320 | [LXC_CMD_GET_STATE] = lxc_cmd_get_state_callback, | |
1321 | [LXC_CMD_GET_INIT_PID] = lxc_cmd_get_init_pid_callback, | |
1322 | [LXC_CMD_GET_CLONE_FLAGS] = lxc_cmd_get_clone_flags_callback, | |
1323 | [LXC_CMD_GET_CGROUP] = lxc_cmd_get_cgroup_callback, | |
1324 | [LXC_CMD_GET_CONFIG_ITEM] = lxc_cmd_get_config_item_callback, | |
1325 | [LXC_CMD_GET_NAME] = lxc_cmd_get_name_callback, | |
1326 | [LXC_CMD_GET_LXCPATH] = lxc_cmd_get_lxcpath_callback, | |
1327 | [LXC_CMD_ADD_STATE_CLIENT] = lxc_cmd_add_state_client_callback, | |
1328 | [LXC_CMD_CONSOLE_LOG] = lxc_cmd_console_log_callback, | |
1329 | [LXC_CMD_SERVE_STATE_CLIENTS] = lxc_cmd_serve_state_clients_callback, | |
1330 | [LXC_CMD_SECCOMP_NOTIFY_ADD_LISTENER] = lxc_cmd_seccomp_notify_add_listener_callback, | |
1331 | [LXC_CMD_ADD_BPF_DEVICE_CGROUP] = lxc_cmd_add_bpf_device_cgroup_callback, | |
018051e3 CB |
1332 | [LXC_CMD_FREEZE] = lxc_cmd_freeze_callback, |
1333 | [LXC_CMD_UNFREEZE] = lxc_cmd_unfreeze_callback, | |
bad788b0 | 1334 | [LXC_CMD_GET_CGROUP2_FD] = lxc_cmd_get_cgroup2_fd_callback, |
724e753c MN |
1335 | }; |
1336 | ||
23a917e5 CB |
1337 | if (req->cmd >= LXC_CMD_MAX) |
1338 | return log_error_errno(-1, ENOENT, "Undefined command id %d", req->cmd); | |
1339 | ||
cdb2a47f | 1340 | return cb[req->cmd](fd, req, handler, descr); |
724e753c MN |
1341 | } |
1342 | ||
ef6e34ee | 1343 | static void lxc_cmd_fd_cleanup(int fd, struct lxc_handler *handler, |
cdb2a47f | 1344 | struct lxc_epoll_descr *descr, const lxc_cmd_t cmd) |
724e753c | 1345 | { |
f6fc1565 CB |
1346 | struct lxc_list *cur, *next; |
1347 | ||
3dfe6f8d | 1348 | lxc_terminal_free(handler->conf, fd); |
724e753c | 1349 | lxc_mainloop_del_handler(descr, fd); |
f6fc1565 | 1350 | |
cdb2a47f CB |
1351 | switch (cmd) { |
1352 | case LXC_CMD_ADD_STATE_CLIENT: | |
1353 | lxc_list_for_each_safe(cur, &handler->conf->state_clients, next) { | |
1354 | struct lxc_state_client *client = cur->elem; | |
1355 | ||
1356 | if (client->clientfd != fd) | |
1357 | continue; | |
1358 | ||
1359 | /* kick client from list */ | |
1360 | lxc_list_del(cur); | |
1361 | close(client->clientfd); | |
1362 | free(cur->elem); | |
1363 | free(cur); | |
1364 | /* No need to walk the whole list. If we found the state | |
1365 | * client fd there can't be a second one. | |
1366 | */ | |
1367 | break; | |
1368 | } | |
b1ca434a | 1369 | break; |
cdb2a47f CB |
1370 | default: |
1371 | close(fd); | |
f6fc1565 | 1372 | } |
724e753c MN |
1373 | } |
1374 | ||
84c92abd DE |
1375 | static int lxc_cmd_handler(int fd, uint32_t events, void *data, |
1376 | struct lxc_epoll_descr *descr) | |
724e753c | 1377 | { |
5265a60c | 1378 | __do_free void *reqdata = NULL; |
724e753c | 1379 | int ret; |
ef6e34ee | 1380 | struct lxc_cmd_req req; |
724e753c MN |
1381 | struct lxc_handler *handler = data; |
1382 | ||
aae93dd3 | 1383 | ret = lxc_abstract_unix_rcv_credential(fd, &req, sizeof(req)); |
ded1d23f | 1384 | if (ret < 0) { |
fe84a562 | 1385 | SYSERROR("Failed to receive data on command socket for command " |
9044b79e | 1386 | "\"%s\"", lxc_cmd_str(req.cmd)); |
1387 | ||
1388 | if (errno == EACCES) { | |
1389 | /* We don't care for the peer, just send and close. */ | |
1390 | struct lxc_cmd_rsp rsp = {.ret = ret}; | |
1391 | ||
1392 | lxc_cmd_rsp_send(fd, &rsp); | |
1393 | } | |
1394 | ||
724e753c MN |
1395 | goto out_close; |
1396 | } | |
1397 | ||
fe84a562 | 1398 | if (ret == 0) |
724e753c | 1399 | goto out_close; |
724e753c | 1400 | |
ef6e34ee | 1401 | if (ret != sizeof(req)) { |
c01c2be6 | 1402 | WARN("Failed to receive full command request. Ignoring request " |
fe84a562 | 1403 | "for \"%s\"", lxc_cmd_str(req.cmd)); |
ef6e34ee DE |
1404 | ret = -1; |
1405 | goto out_close; | |
1406 | } | |
1407 | ||
191d43cc CB |
1408 | if ((req.datalen > LXC_CMD_DATA_MAX) && |
1409 | (req.cmd != LXC_CMD_CONSOLE_LOG)) { | |
c01c2be6 | 1410 | ERROR("Received command data length %d is too large for " |
fe84a562 CB |
1411 | "command \"%s\"", req.datalen, lxc_cmd_str(req.cmd)); |
1412 | errno = EFBIG; | |
1413 | ret = -EFBIG; | |
724e753c MN |
1414 | goto out_close; |
1415 | } | |
1416 | ||
ef6e34ee | 1417 | if (req.datalen > 0) { |
5265a60c | 1418 | reqdata = must_realloc(NULL, req.datalen); |
e3233f26 | 1419 | ret = lxc_recv_nointr(fd, reqdata, req.datalen, 0); |
ef6e34ee | 1420 | if (ret != req.datalen) { |
c01c2be6 | 1421 | WARN("Failed to receive full command request. Ignoring " |
fe84a562 | 1422 | "request for \"%s\"", lxc_cmd_str(req.cmd)); |
b2a48508 | 1423 | ret = LXC_MAINLOOP_ERROR; |
ef6e34ee DE |
1424 | goto out_close; |
1425 | } | |
fe84a562 | 1426 | |
ef6e34ee DE |
1427 | req.data = reqdata; |
1428 | } | |
1429 | ||
cdb2a47f | 1430 | ret = lxc_cmd_process(fd, &req, handler, descr); |
724e753c | 1431 | if (ret) { |
fe84a562 | 1432 | /* This is not an error, but only a request to close fd. */ |
b2a48508 | 1433 | ret = LXC_MAINLOOP_CONTINUE; |
724e753c MN |
1434 | goto out_close; |
1435 | } | |
1436 | ||
1437 | out: | |
1438 | return ret; | |
fe84a562 | 1439 | |
724e753c | 1440 | out_close: |
f6fc1565 | 1441 | lxc_cmd_fd_cleanup(fd, handler, descr, req.cmd); |
724e753c MN |
1442 | goto out; |
1443 | } | |
1444 | ||
84c92abd DE |
1445 | static int lxc_cmd_accept(int fd, uint32_t events, void *data, |
1446 | struct lxc_epoll_descr *descr) | |
724e753c | 1447 | { |
4c2effce | 1448 | __do_close_prot_errno int connection = -EBADF; |
fe84a562 | 1449 | int opt = 1, ret = -1; |
724e753c MN |
1450 | |
1451 | connection = accept(fd, NULL, 0); | |
1452 | if (connection < 0) { | |
47903908 | 1453 | SYSERROR("Failed to accept connection to run command"); |
b2a48508 | 1454 | return LXC_MAINLOOP_ERROR; |
724e753c MN |
1455 | } |
1456 | ||
fe84a562 CB |
1457 | ret = fcntl(connection, F_SETFD, FD_CLOEXEC); |
1458 | if (ret < 0) { | |
1459 | SYSERROR("Failed to set close-on-exec on incoming command connection"); | |
4c2effce | 1460 | return ret; |
9ccb2dbc DL |
1461 | } |
1462 | ||
fe84a562 CB |
1463 | ret = setsockopt(connection, SOL_SOCKET, SO_PASSCRED, &opt, sizeof(opt)); |
1464 | if (ret < 0) { | |
1465 | SYSERROR("Failed to enable necessary credentials on command socket"); | |
4c2effce | 1466 | return ret; |
724e753c MN |
1467 | } |
1468 | ||
ef6e34ee | 1469 | ret = lxc_mainloop_add_handler(descr, connection, lxc_cmd_handler, data); |
724e753c | 1470 | if (ret) { |
fe84a562 | 1471 | ERROR("Failed to add command handler"); |
4c2effce | 1472 | return ret; |
724e753c MN |
1473 | } |
1474 | ||
240fecd0 | 1475 | move_fd(connection); |
724e753c | 1476 | return ret; |
724e753c MN |
1477 | } |
1478 | ||
9dfa4041 | 1479 | int lxc_cmd_init(const char *name, const char *lxcpath, const char *suffix) |
724e753c | 1480 | { |
c13e7111 CB |
1481 | __do_close_prot_errno int fd = -EBADF; |
1482 | int ret; | |
b1234129 | 1483 | char path[LXC_AUDS_ADDR_LEN] = {0}; |
724e753c | 1484 | |
5b46db1a | 1485 | ret = lxc_make_abstract_socket_name(path, sizeof(path), name, lxcpath, NULL, suffix); |
fe84a562 | 1486 | if (ret < 0) |
9ba8130c | 1487 | return -1; |
724e753c | 1488 | |
aae93dd3 | 1489 | fd = lxc_abstract_unix_open(path, SOCK_STREAM, 0); |
724e753c | 1490 | if (fd < 0) { |
5b46db1a | 1491 | SYSERROR("Failed to create command socket %s", &path[1]); |
08aa08fe | 1492 | if (errno == EADDRINUSE) |
fe84a562 | 1493 | ERROR("Container \"%s\" appears to be already running", name); |
6d1400b5 | 1494 | |
724e753c MN |
1495 | return -1; |
1496 | } | |
1497 | ||
fe84a562 CB |
1498 | ret = fcntl(fd, F_SETFD, FD_CLOEXEC); |
1499 | if (ret < 0) { | |
1500 | SYSERROR("Failed to set FD_CLOEXEC on command socket file descriptor"); | |
91480a0f DL |
1501 | return -1; |
1502 | } | |
1503 | ||
c13e7111 | 1504 | TRACE("Created abstract unix socket \"%s\"", &path[1]); |
240fecd0 | 1505 | return move_fd(fd); |
d2e30e99 DE |
1506 | } |
1507 | ||
fe84a562 | 1508 | int lxc_cmd_mainloop_add(const char *name, struct lxc_epoll_descr *descr, |
ef6e34ee | 1509 | struct lxc_handler *handler) |
d2e30e99 | 1510 | { |
2a30bdea | 1511 | __do_close_prot_errno int fd = handler->conf->maincmd_fd; |
fe84a562 | 1512 | int ret; |
d2e30e99 | 1513 | |
ef6e34ee | 1514 | ret = lxc_mainloop_add_handler(descr, fd, lxc_cmd_accept, handler); |
fe84a562 CB |
1515 | if (ret < 0) { |
1516 | ERROR("Failed to add handler for command socket"); | |
2a30bdea | 1517 | return ret; |
724e753c MN |
1518 | } |
1519 | ||
240fecd0 | 1520 | move_fd(fd); |
724e753c MN |
1521 | return ret; |
1522 | } |