#define FUSE_USE_VERSION 26
-#include <stdio.h>
#include <dirent.h>
+#include <errno.h>
#include <fcntl.h>
#include <fuse.h>
-#include <unistd.h>
-#include <errno.h>
-#include <stdbool.h>
-#include <time.h>
-#include <string.h>
-#include <stdlib.h>
#include <libgen.h>
-#include <sched.h>
#include <pthread.h>
+#include <sched.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+#include <wait.h>
#include <linux/sched.h>
+#include <sys/epoll.h>
+#include <sys/mman.h>
+#include <sys/mount.h>
#include <sys/param.h>
#include <sys/socket.h>
-#include <sys/mount.h>
-#include <sys/epoll.h>
-#include <wait.h>
+#include <sys/syscall.h>
#include "bindings.h"
-
#include "config.h" // for VERSION
+/* Define pivot_root() if missing from the C library */
+#ifndef HAVE_PIVOT_ROOT
+static int pivot_root(const char * new_root, const char * put_old)
+{
+#ifdef __NR_pivot_root
+return syscall(__NR_pivot_root, new_root, put_old);
+#else
+errno = ENOSYS;
+return -1;
+#endif
+}
+#else
+extern int pivot_root(const char * new_root, const char * put_old);
+#endif
+
+#ifdef DEBUG
+#define lxcfs_debug(format, ...) \
+ do { \
+ fprintf(stderr, "%s: %d: %s: " format, __FILE__, __LINE__, \
+ __func__, __VA_ARGS__); \
+ } while (false)
+#else
+#define lxcfs_debug(format, ...)
+#endif /* DEBUG */
+
enum {
LXC_TYPE_CGDIR,
LXC_TYPE_CGFILE,
LXC_TYPE_PROC_UPTIME,
LXC_TYPE_PROC_STAT,
LXC_TYPE_PROC_DISKSTATS,
+ LXC_TYPE_PROC_SWAPS,
};
struct file_info {
}
}
+/* READ-ONLY after __constructor__ collect_and_mount_subsystems() has run.
+ * Number of hierarchies mounted. */
+static int num_hierarchies;
+
+/* READ-ONLY after __constructor__ collect_and_mount_subsystems() has run.
+ * Hierachies mounted {cpuset, blkio, ...}:
+ * Initialized via __constructor__ collect_and_mount_subsystems(). */
+static char **hierarchies;
+
+/* READ-ONLY after __constructor__ collect_and_mount_subsystems() has run.
+ * Open file descriptors:
+ * @fd_hierarchies[i] refers to cgroup @hierarchies[i]. They are mounted in a
+ * private mount namespace.
+ * Initialized via __constructor__ collect_and_mount_subsystems().
+ * @fd_hierarchies[i] can be used to perform file operations on the cgroup
+ * mounts and respective files in the private namespace even when located in
+ * another namespace using the *at() family of functions
+ * {openat(), fchownat(), ...}. */
+static int *fd_hierarchies;
+
static void unlock_mutex(pthread_mutex_t *l)
{
int ret;
snprintf(fnam, 100, "/proc/%d", e->initpid);
if (stat(fnam, &initsb) < 0)
return false;
-#if DEBUG
- fprintf(stderr, "comparing ctime %ld %ld for pid %d\n",
- e->ctime, initsb.st_ctime, e->initpid);
-#endif
+
+ lxcfs_debug("Comparing ctime %ld == %ld for pid %d.\n", e->ctime,
+ initsb.st_ctime, e->initpid);
+
if (e->ctime != initsb.st_ctime)
return false;
return true;
struct pidns_init_store *tmp;
int h;
-#if DEBUG
- fprintf(stderr, "remove_initpid: removing entry for %d\n", e->initpid);
-#endif
+ lxcfs_debug("Remove_initpid: removing entry for %d.\n", e->initpid);
+
h = HASH(e->ino);
if (pidns_hash_table[h] == e) {
pidns_hash_table[h] = e->next;
now = time(NULL);
if (now < last_prune + PURGE_SECS)
return;
-#if DEBUG
- fprintf(stderr, "pruning\n");
-#endif
+
+ lxcfs_debug("%s\n", "Pruning.");
+
last_prune = now;
threshold = now - 2 * PURGE_SECS;
for (i = 0; i < PIDNS_HASH_SIZE; i++) {
for (prev = NULL, e = pidns_hash_table[i]; e; ) {
if (e->lastcheck < threshold) {
-#if DEBUG
- fprintf(stderr, "Removing cached entry for %d\n", e->initpid);
-#endif
+
+ lxcfs_debug("Removing cached entry for %d.\n", e->initpid);
+
delme = e;
if (prev)
prev->next = e->next;
struct stat procsb;
int h;
-#if DEBUG
- fprintf(stderr, "save_initpid: adding entry for %d\n", pid);
-#endif
+ lxcfs_debug("Save_initpid: adding entry for %d.\n", pid);
+
snprintf(fpath, 100, "/proc/%d", pid);
if (stat(fpath, &procsb) < 0)
return;
return NULL;
}
-static int is_dir(const char *path)
+static int is_dir(const char *path, int fd)
{
struct stat statbuf;
- int ret = stat(path, &statbuf);
+ int ret = fstatat(fd, path, &statbuf, fd);
if (ret == 0 && S_ISDIR(statbuf.st_mode))
return 1;
return 0;
*len = newlen;
}
-static char *slurp_file(const char *from)
+static char *slurp_file(const char *from, int fd)
{
char *line = NULL;
char *contents = NULL;
- FILE *f = fopen(from, "r");
+ FILE *f = fdopen(fd, "r");
size_t len = 0, fulllen = 0;
ssize_t linelen;
return contents;
}
-static bool write_string(const char *fnam, const char *string)
+static bool write_string(const char *fnam, const char *string, int fd)
{
FILE *f;
size_t len, ret;
- if (!(f = fopen(fnam, "w")))
+ if (!(f = fdopen(fd, "w")))
return false;
len = strlen(string);
ret = fwrite(string, 1, len, f);
return true;
}
-/*
- * hierarchies, i.e. 'cpu,cpuacct'
- */
-char **hierarchies;
-int num_hierarchies;
-
struct cgfs_files {
char *name;
uint32_t uid, gid;
}
hierarchies = tmp;
}
-
+
hierarchies[num_hierarchies++] = must_copy_string(h);
return true;
}
{
int i;
- fprintf(stderr, "hierarchies:");
+ fprintf(stderr, "hierarchies:\n");
for (i = 0; i < num_hierarchies; i++) {
if (hierarchies[i])
fprintf(stderr, " %d: %s\n", i, hierarchies[i]);
const char *s = haystack, *e;
size_t nlen = strlen(needle);
- while (*s && (e = index(s, ','))) {
+ while (*s && (e = strchr(s, ','))) {
if (nlen != e - s) {
s = e + 1;
continue;
}
/* do we need to do any massaging here? I'm not sure... */
-static char *find_mounted_controller(const char *controller)
+/* Return the mounted controller and store the corresponding open file descriptor
+ * referring to the controller mountpoint in the private lxcfs namespace in
+ * @cfd.
+ */
+static char *find_mounted_controller(const char *controller, int *cfd)
{
int i;
for (i = 0; i < num_hierarchies; i++) {
if (!hierarchies[i])
continue;
- if (strcmp(hierarchies[i], controller) == 0)
+ if (strcmp(hierarchies[i], controller) == 0) {
+ *cfd = fd_hierarchies[i];
return hierarchies[i];
- if (in_comma_list(controller, hierarchies[i]))
+ }
+ if (in_comma_list(controller, hierarchies[i])) {
+ *cfd = fd_hierarchies[i];
return hierarchies[i];
+ }
}
return NULL;
bool cgfs_set_value(const char *controller, const char *cgroup, const char *file,
const char *value)
{
+ int ret, fd, cfd;
size_t len;
- char *fnam, *tmpc = find_mounted_controller(controller);
+ char *fnam, *tmpc;
+ tmpc = find_mounted_controller(controller, &cfd);
if (!tmpc)
return false;
- /* basedir / tmpc / cgroup / file \0 */
- len = strlen(basedir) + strlen(tmpc) + strlen(cgroup) + strlen(file) + 4;
+
+ /* Make sure we pass a relative path to *at() family of functions.
+ * . + /cgroup + / + file + \0
+ */
+ len = strlen(cgroup) + strlen(file) + 3;
fnam = alloca(len);
- snprintf(fnam, len, "%s/%s/%s/%s", basedir, tmpc, cgroup, file);
-
- return write_string(fnam, value);
+ ret = snprintf(fnam, len, "%s%s/%s", *cgroup == '/' ? "." : "", cgroup, file);
+ if (ret < 0 || (size_t)ret >= len)
+ return false;
+
+ fd = openat(cfd, fnam, O_WRONLY);
+ if (fd < 0)
+ return false;
+
+ return write_string(fnam, value, fd);
}
// Chown all the files in the cgroup directory. We do this when we create
// a cgroup on behalf of a user.
-static void chown_all_cgroup_files(const char *dirname, uid_t uid, gid_t gid)
+static void chown_all_cgroup_files(const char *dirname, uid_t uid, gid_t gid, int fd)
{
- struct dirent dirent, *direntp;
+ struct dirent *direntp;
char path[MAXPATHLEN];
size_t len;
DIR *d;
- int ret;
+ int fd1, ret;
len = strlen(dirname);
if (len >= MAXPATHLEN) {
return;
}
- d = opendir(dirname);
+ fd1 = openat(fd, dirname, O_DIRECTORY);
+ if (fd1 < 0)
+ return;
+
+ d = fdopendir(fd1);
if (!d) {
fprintf(stderr, "chown_all_cgroup_files: failed to open %s\n", dirname);
return;
}
- while (readdir_r(d, &dirent, &direntp) == 0 && direntp) {
+ while ((direntp = readdir(d))) {
if (!strcmp(direntp->d_name, ".") || !strcmp(direntp->d_name, ".."))
continue;
ret = snprintf(path, MAXPATHLEN, "%s/%s", dirname, direntp->d_name);
fprintf(stderr, "chown_all_cgroup_files: pathname too long under %s\n", dirname);
continue;
}
- if (chown(path, uid, gid) < 0)
+ if (fchownat(fd, path, uid, gid, 0) < 0)
fprintf(stderr, "Failed to chown file %s to %u:%u", path, uid, gid);
}
closedir(d);
int cgfs_create(const char *controller, const char *cg, uid_t uid, gid_t gid)
{
+ int cfd;
size_t len;
- char *dirnam, *tmpc = find_mounted_controller(controller);
+ char *dirnam, *tmpc;
+ tmpc = find_mounted_controller(controller, &cfd);
if (!tmpc)
return -EINVAL;
- /* basedir / tmpc / cg \0 */
- len = strlen(basedir) + strlen(tmpc) + strlen(cg) + 3;
+
+ /* Make sure we pass a relative path to *at() family of functions.
+ * . + /cg + \0
+ */
+ len = strlen(cg) + 2;
dirnam = alloca(len);
- snprintf(dirnam, len, "%s/%s/%s", basedir,tmpc, cg);
+ snprintf(dirnam, len, "%s%s", *cg == '/' ? "." : "", cg);
- if (mkdir(dirnam, 0755) < 0)
+ if (mkdirat(cfd, dirnam, 0755) < 0)
return -errno;
if (uid == 0 && gid == 0)
return 0;
- if (chown(dirnam, uid, gid) < 0)
+ if (fchownat(cfd, dirnam, uid, gid, 0) < 0)
return -errno;
- chown_all_cgroup_files(dirnam, uid, gid);
+ chown_all_cgroup_files(dirnam, uid, gid, cfd);
return 0;
}
-static bool recursive_rmdir(const char *dirname)
+static bool recursive_rmdir(const char *dirname, int fd, const int cfd)
{
- struct dirent dirent, *direntp;
+ struct dirent *direntp;
DIR *dir;
bool ret = false;
char pathname[MAXPATHLEN];
+ int dupfd;
+
+ dupfd = dup(fd); // fdopendir() does bad things once it uses an fd.
+ if (dupfd < 0)
+ return false;
- dir = opendir(dirname);
+ dir = fdopendir(dupfd);
if (!dir) {
-#if DEBUG
- fprintf(stderr, "%s: failed to open %s: %s\n", __func__, dirname, strerror(errno));
-#endif
+ lxcfs_debug("Failed to open %s: %s.\n", dirname, strerror(errno));
+ close(dupfd);
return false;
}
- while (!readdir_r(dir, &dirent, &direntp)) {
+ while ((direntp = readdir(dir))) {
struct stat mystat;
int rc;
- if (!direntp)
- break;
-
if (!strcmp(direntp->d_name, ".") ||
!strcmp(direntp->d_name, ".."))
continue;
continue;
}
- ret = lstat(pathname, &mystat);
- if (ret) {
-#if DEBUG
- fprintf(stderr, "%s: failed to stat %s: %s\n", __func__, pathname, strerror(errno));
-#endif
+ rc = fstatat(cfd, pathname, &mystat, AT_SYMLINK_NOFOLLOW);
+ if (rc) {
+ lxcfs_debug("Failed to stat %s: %s.\n", pathname, strerror(errno));
continue;
}
- if (S_ISDIR(mystat.st_mode)) {
- if (!recursive_rmdir(pathname)) {
-#if DEBUG
- fprintf(stderr, "Error removing %s\n", pathname);
-#endif
- }
- }
+ if (S_ISDIR(mystat.st_mode))
+ if (!recursive_rmdir(pathname, fd, cfd))
+ lxcfs_debug("Error removing %s.\n", pathname);
}
ret = true;
ret = false;
}
- if (rmdir(dirname) < 0) {
-#if DEBUG
- fprintf(stderr, "%s: failed to delete %s: %s\n", __func__, dirname, strerror(errno));
-#endif
+ if (unlinkat(cfd, dirname, AT_REMOVEDIR) < 0) {
+ lxcfs_debug("Failed to delete %s: %s.\n", dirname, strerror(errno));
ret = false;
}
+ close(dupfd);
+
return ret;
}
bool cgfs_remove(const char *controller, const char *cg)
{
+ int fd, cfd;
size_t len;
- char *dirnam, *tmpc = find_mounted_controller(controller);
+ char *dirnam, *tmpc;
+ bool bret;
+ tmpc = find_mounted_controller(controller, &cfd);
if (!tmpc)
return false;
- /* basedir / tmpc / cg \0 */
- len = strlen(basedir) + strlen(tmpc) + strlen(cg) + 3;
+
+ /* Make sure we pass a relative path to *at() family of functions.
+ * . + /cg + \0
+ */
+ len = strlen(cg) + 2;
dirnam = alloca(len);
- snprintf(dirnam, len, "%s/%s/%s", basedir,tmpc, cg);
- return recursive_rmdir(dirnam);
+ snprintf(dirnam, len, "%s%s", *cg == '/' ? "." : "", cg);
+
+ fd = openat(cfd, dirnam, O_DIRECTORY);
+ if (fd < 0)
+ return false;
+
+ bret = recursive_rmdir(dirnam, fd, cfd);
+ close(fd);
+ return bret;
}
bool cgfs_chmod_file(const char *controller, const char *file, mode_t mode)
{
+ int cfd;
size_t len;
- char *pathname, *tmpc = find_mounted_controller(controller);
+ char *pathname, *tmpc;
+ tmpc = find_mounted_controller(controller, &cfd);
if (!tmpc)
return false;
- /* basedir / tmpc / file \0 */
- len = strlen(basedir) + strlen(tmpc) + strlen(file) + 3;
+
+ /* Make sure we pass a relative path to *at() family of functions.
+ * . + /file + \0
+ */
+ len = strlen(file) + 2;
pathname = alloca(len);
- snprintf(pathname, len, "%s/%s/%s", basedir, tmpc, file);
- if (chmod(pathname, mode) < 0)
+ snprintf(pathname, len, "%s%s", *file == '/' ? "." : "", file);
+ if (fchmodat(cfd, pathname, mode, 0) < 0)
return false;
return true;
}
-static int chown_tasks_files(const char *dirname, uid_t uid, gid_t gid)
+static int chown_tasks_files(const char *dirname, uid_t uid, gid_t gid, int fd)
{
size_t len;
char *fname;
len = strlen(dirname) + strlen("/cgroup.procs") + 1;
fname = alloca(len);
snprintf(fname, len, "%s/tasks", dirname);
- if (chown(fname, uid, gid) != 0)
+ if (fchownat(fd, fname, uid, gid, 0) != 0)
return -errno;
snprintf(fname, len, "%s/cgroup.procs", dirname);
- if (chown(fname, uid, gid) != 0)
+ if (fchownat(fd, fname, uid, gid, 0) != 0)
return -errno;
return 0;
}
int cgfs_chown_file(const char *controller, const char *file, uid_t uid, gid_t gid)
{
+ int cfd;
size_t len;
- char *pathname, *tmpc = find_mounted_controller(controller);
+ char *pathname, *tmpc;
+ tmpc = find_mounted_controller(controller, &cfd);
if (!tmpc)
return -EINVAL;
- /* basedir / tmpc / file \0 */
- len = strlen(basedir) + strlen(tmpc) + strlen(file) + 3;
+
+ /* Make sure we pass a relative path to *at() family of functions.
+ * . + /file + \0
+ */
+ len = strlen(file) + 2;
pathname = alloca(len);
- snprintf(pathname, len, "%s/%s/%s", basedir, tmpc, file);
- if (chown(pathname, uid, gid) < 0)
+ snprintf(pathname, len, "%s%s", *file == '/' ? "." : "", file);
+ if (fchownat(cfd, pathname, uid, gid, 0) < 0)
return -errno;
- if (is_dir(pathname))
+ if (is_dir(pathname, cfd))
// like cgmanager did, we want to chown the tasks file as well
- return chown_tasks_files(pathname, uid, gid);
+ return chown_tasks_files(pathname, uid, gid, cfd);
return 0;
}
FILE *open_pids_file(const char *controller, const char *cgroup)
{
+ int fd, cfd;
size_t len;
- char *pathname, *tmpc = find_mounted_controller(controller);
+ char *pathname, *tmpc;
+ tmpc = find_mounted_controller(controller, &cfd);
if (!tmpc)
return NULL;
- /* basedir / tmpc / cgroup / "cgroup.procs" \0 */
- len = strlen(basedir) + strlen(tmpc) + strlen(cgroup) + 4 + strlen("cgroup.procs");
+
+ /* Make sure we pass a relative path to *at() family of functions.
+ * . + /cgroup + / "cgroup.procs" + \0
+ */
+ len = strlen(cgroup) + strlen("cgroup.procs") + 3;
pathname = alloca(len);
- snprintf(pathname, len, "%s/%s/%s/cgroup.procs", basedir, tmpc, cgroup);
- return fopen(pathname, "w");
+ snprintf(pathname, len, "%s%s/cgroup.procs", *cgroup == '/' ? "." : "", cgroup);
+
+ fd = openat(cfd, pathname, O_WRONLY);
+ if (fd < 0)
+ return NULL;
+
+ return fdopen(fd, "w");
}
-bool cgfs_list_children(const char *controller, const char *cgroup, char ***list)
+static bool cgfs_iterate_cgroup(const char *controller, const char *cgroup, bool directories,
+ void ***list, size_t typesize,
+ void* (*iterator)(const char*, const char*, const char*))
{
+ int cfd, fd, ret;
size_t len;
- char *dirname, *tmpc = find_mounted_controller(controller);
+ char *cg, *tmpc;
char pathname[MAXPATHLEN];
- size_t sz = 0, asz = BATCH_SIZE;
- struct dirent dirent, *direntp;
+ size_t sz = 0, asz = 0;
+ struct dirent *dirent;
DIR *dir;
- int ret;
-
- do {
- *list = malloc(asz * sizeof(char *));
- } while (!*list);
- (*list)[0] = NULL;
+ tmpc = find_mounted_controller(controller, &cfd);
+ *list = NULL;
if (!tmpc)
- return NULL;
+ return false;
+
+ /* Make sure we pass a relative path to *at() family of functions. */
+ len = strlen(cgroup) + 1 /* . */ + 1 /* \0 */;
+ cg = alloca(len);
+ ret = snprintf(cg, len, "%s%s", *cgroup == '/' ? "." : "", cgroup);
+ if (ret < 0 || (size_t)ret >= len) {
+ fprintf(stderr, "%s: pathname too long under %s\n", __func__, cgroup);
+ return false;
+ }
- /* basedir / tmpc / cgroup \0 */
- len = strlen(basedir) + strlen(tmpc) + strlen(cgroup) + 3;
- dirname = alloca(len);
- snprintf(dirname, len, "%s/%s/%s", basedir, tmpc, cgroup);
+ fd = openat(cfd, cg, O_DIRECTORY);
+ if (fd < 0)
+ return false;
- dir = opendir(dirname);
+ dir = fdopendir(fd);
if (!dir)
return false;
- while (!readdir_r(dir, &dirent, &direntp)) {
+ while ((dirent = readdir(dir))) {
struct stat mystat;
- int rc;
- if (!direntp)
- break;
-
- if (!strcmp(direntp->d_name, ".") ||
- !strcmp(direntp->d_name, ".."))
+ if (!strcmp(dirent->d_name, ".") ||
+ !strcmp(dirent->d_name, ".."))
continue;
- rc = snprintf(pathname, MAXPATHLEN, "%s/%s", dirname, direntp->d_name);
- if (rc < 0 || rc >= MAXPATHLEN) {
- fprintf(stderr, "%s: pathname too long under %s\n", __func__, dirname);
+ ret = snprintf(pathname, MAXPATHLEN, "%s/%s", cg, dirent->d_name);
+ if (ret < 0 || ret >= MAXPATHLEN) {
+ fprintf(stderr, "%s: pathname too long under %s\n", __func__, cg);
continue;
}
- ret = lstat(pathname, &mystat);
+ ret = fstatat(cfd, pathname, &mystat, AT_SYMLINK_NOFOLLOW);
if (ret) {
fprintf(stderr, "%s: failed to stat %s: %s\n", __func__, pathname, strerror(errno));
continue;
}
- if (!S_ISDIR(mystat.st_mode))
+ if ((!directories && !S_ISREG(mystat.st_mode)) ||
+ (directories && !S_ISDIR(mystat.st_mode)))
continue;
if (sz+2 >= asz) {
- char **tmp;
+ void **tmp;
asz += BATCH_SIZE;
do {
- tmp = realloc(*list, asz * sizeof(char *));
+ tmp = realloc(*list, asz * typesize);
} while (!tmp);
*list = tmp;
}
- do {
- (*list)[sz] = strdup(direntp->d_name);
- } while (!(*list)[sz]);
+ (*list)[sz] = (*iterator)(controller, cg, dirent->d_name);
(*list)[sz+1] = NULL;
sz++;
}
if (closedir(dir) < 0) {
- fprintf(stderr, "%s: failed closedir for %s: %s\n", __func__, dirname, strerror(errno));
+ fprintf(stderr, "%s: failed closedir for %s: %s\n", __func__, cgroup, strerror(errno));
return false;
}
return true;
}
+static void *make_children_list_entry(const char *controller, const char *cgroup, const char *dir_entry)
+{
+ char *dup;
+ do {
+ dup = strdup(dir_entry);
+ } while (!dup);
+ return dup;
+}
+
+bool cgfs_list_children(const char *controller, const char *cgroup, char ***list)
+{
+ return cgfs_iterate_cgroup(controller, cgroup, true, (void***)list, sizeof(*list), &make_children_list_entry);
+}
+
void free_key(struct cgfs_files *k)
{
if (!k)
bool cgfs_get_value(const char *controller, const char *cgroup, const char *file, char **value)
{
+ int ret, fd, cfd;
size_t len;
- char *fnam, *tmpc = find_mounted_controller(controller);
+ char *fnam, *tmpc;
+ tmpc = find_mounted_controller(controller, &cfd);
if (!tmpc)
return false;
- /* basedir / tmpc / cgroup / file \0 */
- len = strlen(basedir) + strlen(tmpc) + strlen(cgroup) + strlen(file) + 4;
+
+ /* Make sure we pass a relative path to *at() family of functions.
+ * . + /cgroup + / + file + \0
+ */
+ len = strlen(cgroup) + strlen(file) + 3;
fnam = alloca(len);
- snprintf(fnam, len, "%s/%s/%s/%s", basedir, tmpc, cgroup, file);
+ ret = snprintf(fnam, len, "%s%s/%s", *cgroup == '/' ? "." : "", cgroup, file);
+ if (ret < 0 || (size_t)ret >= len)
+ return NULL;
+
+ fd = openat(cfd, fnam, O_RDONLY);
+ if (fd < 0)
+ return NULL;
- *value = slurp_file(fnam);
+ *value = slurp_file(fnam, fd);
return *value != NULL;
}
struct cgfs_files *cgfs_get_key(const char *controller, const char *cgroup, const char *file)
{
+ int ret, cfd;
size_t len;
- char *fnam, *tmpc = find_mounted_controller(controller);
+ char *fnam, *tmpc;
struct stat sb;
struct cgfs_files *newkey;
- int ret;
+ tmpc = find_mounted_controller(controller, &cfd);
if (!tmpc)
return false;
if (file && *file == '/')
file++;
- if (file && index(file, '/'))
+ if (file && strchr(file, '/'))
return NULL;
- /* basedir / tmpc / cgroup / file \0 */
- len = strlen(basedir) + strlen(tmpc) + strlen(cgroup) + 3;
+ /* Make sure we pass a relative path to *at() family of functions.
+ * . + /cgroup + / + file + \0
+ */
+ len = strlen(cgroup) + 3;
if (file)
len += strlen(file) + 1;
fnam = alloca(len);
- snprintf(fnam, len, "%s/%s/%s%s%s", basedir, tmpc, cgroup,
- file ? "/" : "", file ? file : "");
+ snprintf(fnam, len, "%s%s%s%s", *cgroup == '/' ? "." : "", cgroup,
+ file ? "/" : "", file ? file : "");
- ret = stat(fnam, &sb);
+ ret = fstatat(cfd, fnam, &sb, 0);
if (ret < 0)
return NULL;
} while (!newkey);
if (file)
newkey->name = must_copy_string(file);
- else if (rindex(cgroup, '/'))
- newkey->name = must_copy_string(rindex(cgroup, '/'));
+ else if (strrchr(cgroup, '/'))
+ newkey->name = must_copy_string(strrchr(cgroup, '/'));
else
newkey->name = must_copy_string(cgroup);
newkey->uid = sb.st_uid;
return newkey;
}
-bool cgfs_list_keys(const char *controller, const char *cgroup, struct cgfs_files ***keys)
+static void *make_key_list_entry(const char *controller, const char *cgroup, const char *dir_entry)
{
- size_t len;
- char *dirname, *tmpc = find_mounted_controller(controller);
- char pathname[MAXPATHLEN];
- size_t sz = 0, asz = 0;
- struct dirent dirent, *direntp;
- DIR *dir;
- int ret;
-
- *keys = NULL;
- if (!tmpc)
- return NULL;
-
- /* basedir / tmpc / cgroup \0 */
- len = strlen(basedir) + strlen(tmpc) + strlen(cgroup) + 3;
- dirname = alloca(len);
- snprintf(dirname, len, "%s/%s/%s", basedir, tmpc, cgroup);
-
- dir = opendir(dirname);
- if (!dir)
- return false;
-
- while (!readdir_r(dir, &dirent, &direntp)) {
- struct stat mystat;
- int rc;
-
- if (!direntp)
- break;
-
- if (!strcmp(direntp->d_name, ".") ||
- !strcmp(direntp->d_name, ".."))
- continue;
-
- rc = snprintf(pathname, MAXPATHLEN, "%s/%s", dirname, direntp->d_name);
- if (rc < 0 || rc >= MAXPATHLEN) {
- fprintf(stderr, "%s: pathname too long under %s\n", __func__, dirname);
- continue;
- }
-
- ret = lstat(pathname, &mystat);
- if (ret) {
- fprintf(stderr, "%s: failed to stat %s: %s\n", __func__, pathname, strerror(errno));
- continue;
- }
- if (!S_ISREG(mystat.st_mode))
- continue;
-
- if (sz+2 >= asz) {
- struct cgfs_files **tmp;
- asz += BATCH_SIZE;
- do {
- tmp = realloc(*keys, asz * sizeof(struct cgfs_files *));
- } while (!tmp);
- *keys = tmp;
- }
- (*keys)[sz] = cgfs_get_key(controller, cgroup, direntp->d_name);
- (*keys)[sz+1] = NULL;
- if (!(*keys)[sz]) {
- fprintf(stderr, "%s: Error getting files under %s:%s\n",
- __func__, controller, cgroup);
- continue;
- }
- sz++;
- }
- if (closedir(dir) < 0) {
- fprintf(stderr, "%s: failed closedir for %s: %s\n", __func__, dirname, strerror(errno));
- return false;
+ struct cgfs_files *entry = cgfs_get_key(controller, cgroup, dir_entry);
+ if (!entry) {
+ fprintf(stderr, "%s: Error getting files under %s:%s\n",
+ __func__, controller, cgroup);
}
- return true;
+ return entry;
+}
+
+bool cgfs_list_keys(const char *controller, const char *cgroup, struct cgfs_files ***keys)
+{
+ return cgfs_iterate_cgroup(controller, cgroup, false, (void***)keys, sizeof(*keys), &make_key_list_entry);
}
bool is_child_cgroup(const char *controller, const char *cgroup, const char *f)
-{ size_t len;
- char *fnam, *tmpc = find_mounted_controller(controller);
+{
+ int cfd;
+ size_t len;
+ char *fnam, *tmpc;
int ret;
struct stat sb;
+ tmpc = find_mounted_controller(controller, &cfd);
if (!tmpc)
return false;
- /* basedir / tmpc / cgroup / f \0 */
- len = strlen(basedir) + strlen(tmpc) + strlen(cgroup) + strlen(f) + 4;
+
+ /* Make sure we pass a relative path to *at() family of functions.
+ * . + /cgroup + / + f + \0
+ */
+ len = strlen(cgroup) + strlen(f) + 3;
fnam = alloca(len);
- snprintf(fnam, len, "%s/%s/%s/%s", basedir, tmpc, cgroup, f);
+ ret = snprintf(fnam, len, "%s%s/%s", *cgroup == '/' ? "." : "", cgroup, f);
+ if (ret < 0 || (size_t)ret >= len)
+ return false;
- ret = stat(fnam, &sb);
+ ret = fstatat(cfd, fnam, &sb, 0);
if (ret < 0 || !S_ISDIR(sb.st_mode))
return false;
+
return true;
}
static bool recv_creds(int sock, struct ucred *cred, char *v);
static int wait_for_pid(pid_t pid);
static int send_creds(int sock, struct ucred *cred, char v, bool pingfirst);
+static int send_creds_clone_wrapper(void *arg);
/*
- * fork a task which switches to @task's namespace and writes '1'.
+ * clone a task which switches to @task's namespace and writes '1'.
* over a unix sock so we can read the task's reaper's pid in our
* namespace
+ *
+ * Note: glibc's fork() does not respect pidns, which can lead to failed
+ * assertions inside glibc (and thus failed forks) if the child's pid in
+ * the pidns and the parent pid outside are identical. Using clone prevents
+ * this issue.
*/
static void write_task_init_pid_exit(int sock, pid_t target)
{
- struct ucred cred;
char fnam[100];
pid_t pid;
- char v;
int fd, ret;
+ size_t stack_size = sysconf(_SC_PAGESIZE);
+ void *stack = alloca(stack_size);
ret = snprintf(fnam, sizeof(fnam), "/proc/%d/ns/pid", (int)target);
if (ret < 0 || ret >= sizeof(fnam))
close(fd);
_exit(1);
}
- pid = fork();
+ pid = clone(send_creds_clone_wrapper, stack + stack_size, SIGCHLD, &sock);
if (pid < 0)
_exit(1);
if (pid != 0) {
_exit(1);
_exit(0);
}
+}
+
+static int send_creds_clone_wrapper(void *arg) {
+ struct ucred cred;
+ char v;
+ int sock = *(int *)arg;
/* we are the child */
cred.uid = 0;
cred.pid = 1;
v = '1';
if (send_creds(sock, &cred, v, true) != SEND_CREDS_OK)
- _exit(1);
- _exit(0);
+ return 1;
+ return 0;
}
static pid_t get_init_pid_for_task(pid_t task)
*src = tmp;
*asz += BUF_RESERVE_SIZE;
}
- memcpy((*src) +*sz , tmp, tmplen);
+ memcpy((*src) +*sz , tmp, tmplen+1); /* include the \0 */
*sz += tmplen;
- (*src)[*sz] = '\0';
}
/*
return NULL;
}
- if (strcmp(querycg, "/") == 0)
+ if ((strcmp(querycg, "/") == 0) || (strcmp(querycg, "./") == 0))
start = strdup(taskcg + 1);
else
start = strdup(taskcg + strlen(querycg) + 1);
static char *get_pid_cgroup(pid_t pid, const char *contrl)
{
+ int cfd;
char fnam[PROCLEN];
FILE *f;
char *answer = NULL;
char *line = NULL;
size_t len = 0;
int ret;
- const char *h = find_mounted_controller(contrl);
+ const char *h = find_mounted_controller(contrl, &cfd);
if (!h)
return NULL;
prune_init_slice(c2);
/*
- * callers pass in '/' for root cgroup, otherwise they pass
- * in a cgroup without leading '/'
+ * callers pass in '/' or './' (openat()) for root cgroup, otherwise
+ * they pass in a cgroup without leading '/'
+ *
+ * The original line here was:
+ * linecmp = *cg == '/' ? c2 : c2+1;
+ * TODO: I'm not sure why you'd want to increment when *cg != '/'?
+ * Serge, do you know?
*/
- linecmp = *cg == '/' ? c2 : c2+1;
+ if (*cg == '/' || !strncmp(cg, "./", 2))
+ linecmp = c2;
+ else
+ linecmp = c2 + 1;
if (strncmp(linecmp, cg, strlen(linecmp)) != 0) {
if (nextcg) {
*nextcg = get_next_cgroup_dir(linecmp, cg);
char *c2, *task_cg;
size_t target_len, task_len;
- if (strcmp(cg, "/") == 0)
+ if (strcmp(cg, "/") == 0 || strcmp(cg, "./") == 0)
return true;
c2 = get_pid_cgroup(pid, contrl);
const char *p1;
char *contr, *slash;
- if (strlen(path) < 9)
+ if (strlen(path) < 9) {
+ errno = EACCES;
return NULL;
- if (*(path+7) != '/')
+ }
+ if (*(path + 7) != '/') {
+ errno = EINVAL;
return NULL;
- p1 = path+8;
+ }
+ p1 = path + 8;
contr = strdupa(p1);
- if (!contr)
+ if (!contr) {
+ errno = ENOMEM;
return NULL;
+ }
slash = strstr(contr, "/");
if (slash)
*slash = '\0';
int i;
- for (i = 0; i < num_hierarchies; i++) {
+ for (i = 0; i < num_hierarchies; i++) {
if (hierarchies[i] && strcmp(hierarchies[i], contr) == 0)
return hierarchies[i];
}
+ errno = ENOENT;
return NULL;
}
{
const char *p1;
- if (strlen(path) < 9)
+ if (strlen(path) < 9) {
+ errno = EACCES;
return NULL;
- p1 = strstr(path+8, "/");
- if (!p1)
+ }
+ p1 = strstr(path + 8, "/");
+ if (!p1) {
+ errno = EINVAL;
return NULL;
- return p1+1;
+ }
+ errno = 0;
+ return p1 + 1;
}
/*
controller = pick_controller_from_path(fc, path);
if (!controller)
- return -EIO;
+ return -errno;
cgroup = find_cgroup_in_path(path);
if (!cgroup) {
/* this is just /cgroup/controller, return it as a dir */
// return list of keys for the controller, and list of child cgroups
controller = pick_controller_from_path(fc, path);
if (!controller)
- return -EIO;
+ return -errno;
cgroup = find_cgroup_in_path(path);
if (!cgroup) {
struct fuse_context *fc = fuse_get_context();
char **clist = NULL;
+ if (filler(buf, ".", NULL, 0) != 0 || filler(buf, "..", NULL, 0) != 0)
+ return -EIO;
+
if (d->type != LXC_TYPE_CGDIR) {
fprintf(stderr, "Internal error: file cache info used in readdir\n");
return -EIO;
ret = 0;
goto out;
}
- for (i = 0; clist[i]; i++) {
- if (filler(buf, clist[i], NULL, 0) != 0) {
- ret = -EIO;
- goto out;
+ if (clist) {
+ for (i = 0; clist[i]; i++) {
+ if (filler(buf, clist[i], NULL, 0) != 0) {
+ ret = -EIO;
+ goto out;
+ }
}
}
ret = 0;
return ret;
}
-static void do_release_file_info(struct file_info *f)
+static void do_release_file_info(struct fuse_file_info *fi)
{
+ struct file_info *f = (struct file_info *)fi->fh;
+
if (!f)
return;
+
+ fi->fh = 0;
+
free(f->controller);
+ f->controller = NULL;
free(f->cgroup);
+ f->cgroup = NULL;
free(f->file);
+ f->file = NULL;
free(f->buf);
+ f->buf = NULL;
free(f);
}
int cg_releasedir(const char *path, struct fuse_file_info *fi)
{
- struct file_info *d = (struct file_info *)fi->fh;
-
- do_release_file_info(d);
+ do_release_file_info(fi);
return 0;
}
controller = pick_controller_from_path(fc, path);
if (!controller)
- return -EIO;
+ return -errno;
cgroup = find_cgroup_in_path(path);
if (!cgroup)
- return -EINVAL;
+ return -errno;
get_cgdir_and_path(cgroup, &cgdir, &last);
if (!last) {
goto out;
}
if (!fc_may_access(fc, controller, path1, path2, fi->flags)) {
- // should never get here
ret = -EACCES;
goto out;
}
return ret;
}
-int cg_release(const char *path, struct fuse_file_info *fi)
+int cg_access(const char *path, int mode)
{
- struct file_info *f = (struct file_info *)fi->fh;
-
- do_release_file_info(f);
- return 0;
-}
-
-#define POLLIN_SET ( EPOLLIN | EPOLLHUP | EPOLLRDHUP )
+ int ret;
+ const char *cgroup;
+ char *path1, *path2, *controller;
+ char *last = NULL, *cgdir = NULL;
+ struct cgfs_files *k = NULL;
+ struct fuse_context *fc = fuse_get_context();
-static bool wait_for_sock(int sock, int timeout)
-{
- struct epoll_event ev;
- int epfd, ret, now, starttime, deltatime, saved_errno;
+ if (strcmp(path, "/cgroup") == 0)
+ return 0;
- if ((starttime = time(NULL)) < 0)
- return false;
+ if (!fc)
+ return -EIO;
- if ((epfd = epoll_create(1)) < 0) {
- fprintf(stderr, "Failed to create epoll socket: %m\n");
- return false;
+ controller = pick_controller_from_path(fc, path);
+ if (!controller)
+ return -errno;
+ cgroup = find_cgroup_in_path(path);
+ if (!cgroup) {
+ // access("/sys/fs/cgroup/systemd", mode) - rx allowed, w not
+ if ((mode & W_OK) == 0)
+ return 0;
+ return -EACCES;
}
- ev.events = POLLIN_SET;
- ev.data.fd = sock;
- if (epoll_ctl(epfd, EPOLL_CTL_ADD, sock, &ev) < 0) {
- fprintf(stderr, "Failed adding socket to epoll: %m\n");
- close(epfd);
- return false;
+ get_cgdir_and_path(cgroup, &cgdir, &last);
+ if (!last) {
+ path1 = "/";
+ path2 = cgdir;
+ } else {
+ path1 = cgdir;
+ path2 = last;
+ }
+
+ k = cgfs_get_key(controller, path1, path2);
+ if (!k) {
+ if ((mode & W_OK) == 0)
+ ret = 0;
+ else
+ ret = -EACCES;
+ goto out;
+ }
+ free_key(k);
+
+ pid_t initpid = lookup_initpid_in_store(fc->pid);
+ if (initpid <= 0)
+ initpid = fc->pid;
+ if (!caller_may_see_dir(initpid, controller, path1)) {
+ ret = -ENOENT;
+ goto out;
+ }
+ if (!fc_may_access(fc, controller, path1, path2, mode)) {
+ ret = -EACCES;
+ goto out;
+ }
+
+ ret = 0;
+
+out:
+ free(cgdir);
+ return ret;
+}
+
+int cg_release(const char *path, struct fuse_file_info *fi)
+{
+ do_release_file_info(fi);
+ return 0;
+}
+
+#define POLLIN_SET ( EPOLLIN | EPOLLHUP | EPOLLRDHUP )
+
+static bool wait_for_sock(int sock, int timeout)
+{
+ struct epoll_event ev;
+ int epfd, ret, now, starttime, deltatime, saved_errno;
+
+ if ((starttime = time(NULL)) < 0)
+ return false;
+
+ if ((epfd = epoll_create(1)) < 0) {
+ fprintf(stderr, "Failed to create epoll socket: %m\n");
+ return false;
+ }
+
+ ev.events = POLLIN_SET;
+ ev.data.fd = sock;
+ if (epoll_ctl(epfd, EPOLL_CTL_ADD, sock, &ev) < 0) {
+ fprintf(stderr, "Failed adding socket to epoll: %m\n");
+ close(epfd);
+ return false;
}
again:
return true;
}
+struct pid_ns_clone_args {
+ int *cpipe;
+ int sock;
+ pid_t tpid;
+ int (*wrapped) (int, pid_t); // pid_from_ns or pid_to_ns
+};
+
+/*
+ * pid_ns_clone_wrapper - wraps pid_to_ns or pid_from_ns for usage
+ * with clone(). This simply writes '1' as ACK back to the parent
+ * before calling the actual wrapped function.
+ */
+static int pid_ns_clone_wrapper(void *arg) {
+ struct pid_ns_clone_args* args = (struct pid_ns_clone_args *) arg;
+ char b = '1';
+
+ close(args->cpipe[0]);
+ if (write(args->cpipe[1], &b, sizeof(char)) < 0) {
+ fprintf(stderr, "%s (child): error on write: %s\n",
+ __func__, strerror(errno));
+ }
+ close(args->cpipe[1]);
+ return args->wrapped(args->sock, args->tpid);
+}
/*
* pid_to_ns - reads pids from a ucred over a socket, then writes the
* int value back over the socket. This shifts the pid from the
* sender's pidns into tpid's pidns.
*/
-static void pid_to_ns(int sock, pid_t tpid)
+static int pid_to_ns(int sock, pid_t tpid)
{
char v = '0';
struct ucred cred;
while (recv_creds(sock, &cred, &v)) {
if (v == '1')
- _exit(0);
+ return 0;
if (write(sock, &cred.pid, sizeof(pid_t)) != sizeof(pid_t))
- _exit(1);
+ return 1;
}
- _exit(0);
+ return 0;
}
+
/*
* pid_to_ns_wrapper: when you setns into a pidns, you yourself remain
- * in your old pidns. Only children which you fork will be in the target
- * pidns. So the pid_to_ns_wrapper does the setns, then forks a child to
- * actually convert pids
+ * in your old pidns. Only children which you clone will be in the target
+ * pidns. So the pid_to_ns_wrapper does the setns, then clones a child to
+ * actually convert pids.
+ *
+ * Note: glibc's fork() does not respect pidns, which can lead to failed
+ * assertions inside glibc (and thus failed forks) if the child's pid in
+ * the pidns and the parent pid outside are identical. Using clone prevents
+ * this issue.
*/
static void pid_to_ns_wrapper(int sock, pid_t tpid)
{
if (pipe(cpipe) < 0)
_exit(1);
- cpid = fork();
+ struct pid_ns_clone_args args = {
+ .cpipe = cpipe,
+ .sock = sock,
+ .tpid = tpid,
+ .wrapped = &pid_to_ns
+ };
+ size_t stack_size = sysconf(_SC_PAGESIZE);
+ void *stack = alloca(stack_size);
+
+ cpid = clone(pid_ns_clone_wrapper, stack + stack_size, SIGCHLD, &args);
if (cpid < 0)
_exit(1);
- if (!cpid) {
- char b = '1';
- close(cpipe[0]);
- if (write(cpipe[1], &b, sizeof(char)) < 0) {
- fprintf(stderr, "%s (child): erorr on write: %s\n",
- __func__, strerror(errno));
- }
- close(cpipe[1]);
- pid_to_ns(sock, tpid);
- _exit(1); // not reached
- }
// give the child 1 second to be done forking and
// write its ack
if (!wait_for_sock(cpipe[0], 1))
free_key(k);
- if (!fc_may_access(fc, f->controller, f->cgroup, f->file, O_RDONLY)) { // should never get here
+ if (!fc_may_access(fc, f->controller, f->cgroup, f->file, O_RDONLY)) {
ret = -EACCES;
goto out;
}
return ret;
}
-static void pid_from_ns(int sock, pid_t tpid)
+static int pid_from_ns(int sock, pid_t tpid)
{
pid_t vpid;
struct ucred cred;
while (1) {
if (!wait_for_sock(sock, 2)) {
fprintf(stderr, "%s: timeout reading from parent\n", __func__);
- _exit(1);
+ return 1;
}
if ((ret = read(sock, &vpid, sizeof(pid_t))) != sizeof(pid_t)) {
fprintf(stderr, "%s: bad read from parent: %s\n",
__func__, strerror(errno));
- _exit(1);
+ return 1;
}
if (vpid == -1) // done
break;
v = '1';
cred.pid = getpid();
if (send_creds(sock, &cred, v, false) != SEND_CREDS_OK)
- _exit(1);
+ return 1;
}
}
- _exit(0);
+ return 0;
}
static void pid_from_ns_wrapper(int sock, pid_t tpid)
if (pipe(cpipe) < 0)
_exit(1);
-loop:
- cpid = fork();
+ struct pid_ns_clone_args args = {
+ .cpipe = cpipe,
+ .sock = sock,
+ .tpid = tpid,
+ .wrapped = &pid_from_ns
+ };
+ size_t stack_size = sysconf(_SC_PAGESIZE);
+ void *stack = alloca(stack_size);
+ cpid = clone(pid_ns_clone_wrapper, stack + stack_size, SIGCHLD, &args);
if (cpid < 0)
_exit(1);
- if (!cpid) {
- char b = '1';
- close(cpipe[0]);
- if (write(cpipe[1], &b, sizeof(char)) < 0) {
- fprintf(stderr, "%s (child): erorr on write: %s\n",
- __func__, strerror(errno));
- }
- close(cpipe[1]);
- pid_from_ns(sock, tpid);
- }
-
// give the child 1 second to be done forking and
// write its ack
if (!wait_for_sock(cpipe[0], 1))
- goto again;
+ _exit(1);
ret = read(cpipe[0], &v, 1);
- if (ret != sizeof(char) || v != '1') {
- goto again;
- }
+ if (ret != sizeof(char) || v != '1')
+ _exit(1);
if (!wait_for_pid(cpid))
_exit(1);
_exit(0);
-
-again:
- kill(cpid, SIGKILL);
- wait_for_pid(cpid);
- goto loop;
}
/*
return -EIO;
if (strcmp(path, "/cgroup") == 0)
- return -EINVAL;
+ return -EPERM;
controller = pick_controller_from_path(fc, path);
if (!controller)
- return -EINVAL;
+ return errno == ENOENT ? -EPERM : -errno;
+
cgroup = find_cgroup_in_path(path);
if (!cgroup)
/* this is just /cgroup/controller */
- return -EINVAL;
+ return -EPERM;
get_cgdir_and_path(cgroup, &cgdir, &last);
return -EIO;
if (strcmp(path, "/cgroup") == 0)
- return -EINVAL;
+ return -EPERM;
controller = pick_controller_from_path(fc, path);
if (!controller)
- return -EINVAL;
+ return errno == ENOENT ? -EPERM : -errno;
+
cgroup = find_cgroup_in_path(path);
if (!cgroup)
/* this is just /cgroup/controller */
- return -EINVAL;
+ return -EPERM;
get_cgdir_and_path(cgroup, &cgdir, &last);
if (!fc)
return -EIO;
-
controller = pick_controller_from_path(fc, path);
if (!controller)
- return -EINVAL;
+ return errno == ENOENT ? -EPERM : -errno;
cgroup = find_cgroup_in_path(path);
if (!cgroup)
- return -EINVAL;
+ return -errno;
get_cgdir_and_path(cgroup, &cgdir, &last);
if (!last)
else if (last && strcmp(next, last) == 0)
ret = -EEXIST;
else
- ret = -ENOENT;
+ ret = -EPERM;
goto out;
}
return -EIO;
controller = pick_controller_from_path(fc, path);
- if (!controller)
- return -EINVAL;
+ if (!controller) /* Someone's trying to delete "/cgroup". */
+ return -EPERM;
cgroup = find_cgroup_in_path(path);
- if (!cgroup)
- return -EINVAL;
+ if (!cgroup) /* Someone's trying to delete a controller e.g. "/blkio". */
+ return -EPERM;
get_cgdir_and_path(cgroup, &cgdir, &last);
if (!last) {
- ret = -EINVAL;
+ /* Someone's trying to delete a cgroup on the same level as the
+ * "/lxc" cgroup e.g. rmdir "/cgroup/blkio/lxc" or
+ * rmdir "/cgroup/blkio/init.slice".
+ */
+ ret = -EPERM;
goto out;
}
return false;
}
-static void get_mem_cached(char *memstat, unsigned long *v)
+static void parse_memstat(char *memstat, unsigned long *cached,
+ unsigned long *active_anon, unsigned long *inactive_anon,
+ unsigned long *active_file, unsigned long *inactive_file,
+ unsigned long *unevictable)
{
char *eol;
- *v = 0;
while (*memstat) {
- if (startswith(memstat, "total_cache")) {
- sscanf(memstat + 11, "%lu", v);
- *v /= 1024;
- return;
+ if (startswith(memstat, "cache")) {
+ sscanf(memstat + 11, "%lu", cached);
+ *cached /= 1024;
+ } else if (startswith(memstat, "active_anon")) {
+ sscanf(memstat + 11, "%lu", active_anon);
+ *active_anon /= 1024;
+ } else if (startswith(memstat, "inactive_anon")) {
+ sscanf(memstat + 11, "%lu", inactive_anon);
+ *inactive_anon /= 1024;
+ } else if (startswith(memstat, "active_file")) {
+ sscanf(memstat + 11, "%lu", active_file);
+ *active_file /= 1024;
+ } else if (startswith(memstat, "inactive_file")) {
+ sscanf(memstat + 11, "%lu", inactive_file);
+ *inactive_file /= 1024;
+ } else if (startswith(memstat, "unevictable")) {
+ sscanf(memstat + 11, "%lu", unevictable);
+ *unevictable /= 1024;
}
eol = strchr(memstat, '\n');
if (!eol)
return 0;
while (getline(&line, &linelen, f) != -1) {
- size_t l = snprintf(cache, cache_size, "%s", line);
+ ssize_t l = snprintf(cache, cache_size, "%s", line);
if (l < 0) {
perror("Error writing to cache");
rv = 0;
}
d->size = total_len;
- if (total_len > size ) total_len = size;
+ if (total_len > size)
+ total_len = size;
/* read from off 0 */
memcpy(buf, d->buf, total_len);
*memswlimit_str = NULL, *memswusage_str = NULL,
*memswlimit_default_str = NULL, *memswusage_default_str = NULL;
unsigned long memlimit = 0, memusage = 0, memswlimit = 0, memswusage = 0,
- cached = 0, hosttotal = 0;
+ cached = 0, hosttotal = 0, active_anon = 0, inactive_anon = 0,
+ active_file = 0, inactive_file = 0, unevictable = 0;
char *line = NULL;
size_t linelen = 0, total_len = 0, rv = 0;
char *cache = d->buf;
cg = get_pid_cgroup(initpid, "memory");
if (!cg)
return read_file("/proc/meminfo", buf, size, d);
+ prune_init_slice(cg);
memlimit = get_min_memlimit(cg);
if (!cgfs_get_value("memory", cg, "memory.usage_in_bytes", &memusage_str))
memlimit /= 1024;
memusage /= 1024;
- get_mem_cached(memstat_str, &cached);
+ parse_memstat(memstat_str, &cached, &active_anon,
+ &inactive_anon, &active_file, &inactive_file,
+ &unevictable);
f = fopen("/proc/meminfo", "r");
if (!f)
goto err;
while (getline(&line, &linelen, f) != -1) {
- size_t l;
+ ssize_t l;
char *printme, lbuf[100];
memset(lbuf, 0, 100);
snprintf(lbuf, 100, "SwapTotal: %8lu kB\n", memswlimit - memlimit);
printme = lbuf;
} else if (startswith(line, "SwapFree:") && memswlimit > 0 && memswusage > 0) {
- snprintf(lbuf, 100, "SwapFree: %8lu kB\n",
- (memswlimit - memlimit) - (memswusage - memusage));
+ unsigned long swaptotal = memswlimit - memlimit,
+ swapusage = memswusage - memusage,
+ swapfree = swapusage < swaptotal ? swaptotal - swapusage : 0;
+ snprintf(lbuf, 100, "SwapFree: %8lu kB\n", swapfree);
+ printme = lbuf;
+ } else if (startswith(line, "Slab:")) {
+ snprintf(lbuf, 100, "Slab: %8lu kB\n", 0UL);
printme = lbuf;
} else if (startswith(line, "Buffers:")) {
snprintf(lbuf, 100, "Buffers: %8lu kB\n", 0UL);
} else if (startswith(line, "SwapCached:")) {
snprintf(lbuf, 100, "SwapCached: %8lu kB\n", 0UL);
printme = lbuf;
+ } else if (startswith(line, "Active")) {
+ snprintf(lbuf, 100, "Active: %8lu kB\n",
+ active_anon + active_file);
+ printme = lbuf;
+ } else if (startswith(line, "Inactive")) {
+ snprintf(lbuf, 100, "Inactive: %8lu kB\n",
+ inactive_anon + inactive_file);
+ printme = lbuf;
+ } else if (startswith(line, "Active(anon)")) {
+ snprintf(lbuf, 100, "Active(anon): %8lu kB\n", active_anon);
+ printme = lbuf;
+ } else if (startswith(line, "Inactive(anon)")) {
+ snprintf(lbuf, 100, "Inactive(anon): %8lu kB\n", inactive_anon);
+ printme = lbuf;
+ } else if (startswith(line, "Active(file)")) {
+ snprintf(lbuf, 100, "Active(file): %8lu kB\n", active_file);
+ printme = lbuf;
+ } else if (startswith(line, "Inactive(file)")) {
+ snprintf(lbuf, 100, "Inactive(file): %8lu kB\n", inactive_file);
+ printme = lbuf;
+ } else if (startswith(line, "Unevictable")) {
+ snprintf(lbuf, 100, "Unevictable: %8lu kB\n", unevictable);
+ printme = lbuf;
+ } else if (startswith(line, "SReclaimable")) {
+ snprintf(lbuf, 100, "SReclaimable: %8lu kB\n", 0UL);
+ printme = lbuf;
+ } else if (startswith(line, "SUnreclaim")) {
+ snprintf(lbuf, 100, "SUnreclaim: %8lu kB\n", 0UL);
+ printme = lbuf;
} else
printme = line;
char *cpuset = NULL;
char *line = NULL;
size_t linelen = 0, total_len = 0, rv = 0;
- bool am_printing = false;
- int curcpu = -1;
+ bool am_printing = false, firstline = true, is_s390x = false;
+ int curcpu = -1, cpu;
char *cache = d->buf;
size_t cache_size = d->buflen;
FILE *f = NULL;
cg = get_pid_cgroup(initpid, "cpuset");
if (!cg)
return read_file("proc/cpuinfo", buf, size, d);
+ prune_init_slice(cg);
cpuset = get_cpuset(cg);
if (!cpuset)
goto err;
while (getline(&line, &linelen, f) != -1) {
- size_t l;
+ ssize_t l;
+ if (firstline) {
+ firstline = false;
+ if (strstr(line, "IBM/S390") != NULL) {
+ is_s390x = true;
+ am_printing = true;
+ continue;
+ }
+ }
+ if (strncmp(line, "# processors:", 12) == 0)
+ continue;
if (is_processor_line(line)) {
am_printing = cpuline_in_cpuset(line, cpuset);
if (am_printing) {
total_len += l;
}
continue;
+ } else if (is_s390x && sscanf(line, "processor %d:", &cpu) == 1) {
+ char *p;
+ if (!cpu_in_cpuset(cpu, cpuset))
+ continue;
+ curcpu ++;
+ p = strchr(line, ':');
+ if (!p || !*p)
+ goto err;
+ p++;
+ l = snprintf(cache, cache_size, "processor %d:%s", curcpu, p);
+ if (l < 0) {
+ perror("Error writing to cache");
+ rv = 0;
+ goto err;
+ }
+ if (l >= cache_size) {
+ fprintf(stderr, "Internal error: truncated write to cache\n");
+ rv = 0;
+ goto err;
+ }
+ cache += l;
+ cache_size -= l;
+ total_len += l;
+ continue;
+
}
if (am_printing) {
l = snprintf(cache, cache_size, "%s", line);
}
}
+ if (is_s390x) {
+ char *origcache = d->buf;
+ ssize_t l;
+ do {
+ d->buf = malloc(d->buflen);
+ } while (!d->buf);
+ cache = d->buf;
+ cache_size = d->buflen;
+ total_len = 0;
+ l = snprintf(cache, cache_size, "vendor_id : IBM/S390\n");
+ if (l < 0 || l >= cache_size) {
+ free(origcache);
+ goto err;
+ }
+ cache_size -= l;
+ cache += l;
+ total_len += l;
+ l = snprintf(cache, cache_size, "# processors : %d\n", curcpu + 1);
+ if (l < 0 || l >= cache_size) {
+ free(origcache);
+ goto err;
+ }
+ cache_size -= l;
+ cache += l;
+ total_len += l;
+ l = snprintf(cache, cache_size, "%s", origcache);
+ free(origcache);
+ if (l < 0 || l >= cache_size)
+ goto err;
+ total_len += l;
+ }
+
d->cached = 1;
d->size = total_len;
if (total_len > size ) total_len = size;
cg = get_pid_cgroup(initpid, "cpuset");
if (!cg)
return read_file("/proc/stat", buf, size, d);
+ prune_init_slice(cg);
cpuset = get_cpuset(cg);
if (!cpuset)
}
while (getline(&line, &linelen, f) != -1) {
- size_t l;
+ ssize_t l;
int cpu;
char cpu_char[10]; /* That's a lot of cores */
char *c;
+ if (strlen(line) == 0)
+ continue;
if (sscanf(line, "cpu%9[^ ]", cpu_char) != 1) {
/* not a ^cpuN line containing a number N, just print it */
l = snprintf(cache, cache_size, "%s", line);
cgroup = get_pid_cgroup(initpid, "cpuacct");
if (!cgroup)
goto out;
+ prune_init_slice(cgroup);
if (!cgfs_get_value("cpuacct", cgroup, "cpuacct.usage", &usage_str))
goto out;
usage = strtoul(usage_str, NULL, 10);
#if RELOADTEST
void iwashere(void)
{
- char *name, *cwd = get_current_dir_name();
- size_t len;
int fd;
- if (!cwd)
- exit(1);
- len = strlen(cwd) + strlen("/iwashere") + 1;
- name = alloca(len);
- snprintf(name, len, "%s/iwashere", cwd);
- free(cwd);
- fd = creat(name, 0755);
+ fd = creat("/tmp/lxcfs-iwashere", 0644);
if (fd >= 0)
close(fd);
}
long int reaperage = getreaperage(fc->pid);
unsigned long int busytime = get_reaper_busy(fc->pid), idletime;
char *cache = d->buf;
- size_t total_len = 0;
+ ssize_t total_len = 0;
#if RELOADTEST
iwashere();
cg = get_pid_cgroup(initpid, "blkio");
if (!cg)
return read_file("/proc/diskstats", buf, size, d);
+ prune_init_slice(cg);
- if (!cgfs_get_value("blkio", cg, "blkio.io_serviced", &io_serviced_str))
+ if (!cgfs_get_value("blkio", cg, "blkio.io_serviced_recursive", &io_serviced_str))
goto err;
- if (!cgfs_get_value("blkio", cg, "blkio.io_merged", &io_merged_str))
+ if (!cgfs_get_value("blkio", cg, "blkio.io_merged_recursive", &io_merged_str))
goto err;
- if (!cgfs_get_value("blkio", cg, "blkio.io_service_bytes", &io_service_bytes_str))
+ if (!cgfs_get_value("blkio", cg, "blkio.io_service_bytes_recursive", &io_service_bytes_str))
goto err;
- if (!cgfs_get_value("blkio", cg, "blkio.io_wait_time", &io_wait_time_str))
+ if (!cgfs_get_value("blkio", cg, "blkio.io_wait_time_recursive", &io_wait_time_str))
goto err;
- if (!cgfs_get_value("blkio", cg, "blkio.io_service_time", &io_service_time_str))
+ if (!cgfs_get_value("blkio", cg, "blkio.io_service_time_recursive", &io_service_time_str))
goto err;
goto err;
while (getline(&line, &linelen, f) != -1) {
- size_t l;
- char *printme, lbuf[256];
+ ssize_t l;
+ char lbuf[256];
i = sscanf(line, "%u %u %71s", &major, &minor, dev_name);
- if(i == 3){
- get_blkio_io_value(io_serviced_str, major, minor, "Read", &read);
- get_blkio_io_value(io_serviced_str, major, minor, "Write", &write);
- get_blkio_io_value(io_merged_str, major, minor, "Read", &read_merged);
- get_blkio_io_value(io_merged_str, major, minor, "Write", &write_merged);
- get_blkio_io_value(io_service_bytes_str, major, minor, "Read", &read_sectors);
- read_sectors = read_sectors/512;
- get_blkio_io_value(io_service_bytes_str, major, minor, "Write", &write_sectors);
- write_sectors = write_sectors/512;
-
- get_blkio_io_value(io_service_time_str, major, minor, "Read", &rd_svctm);
- rd_svctm = rd_svctm/1000000;
- get_blkio_io_value(io_wait_time_str, major, minor, "Read", &rd_wait);
- rd_wait = rd_wait/1000000;
- read_ticks = rd_svctm + rd_wait;
-
- get_blkio_io_value(io_service_time_str, major, minor, "Write", &wr_svctm);
- wr_svctm = wr_svctm/1000000;
- get_blkio_io_value(io_wait_time_str, major, minor, "Write", &wr_wait);
- wr_wait = wr_wait/1000000;
- write_ticks = wr_svctm + wr_wait;
-
- get_blkio_io_value(io_service_time_str, major, minor, "Total", &tot_ticks);
- tot_ticks = tot_ticks/1000000;
- }else{
+ if (i != 3)
continue;
- }
+
+ get_blkio_io_value(io_serviced_str, major, minor, "Read", &read);
+ get_blkio_io_value(io_serviced_str, major, minor, "Write", &write);
+ get_blkio_io_value(io_merged_str, major, minor, "Read", &read_merged);
+ get_blkio_io_value(io_merged_str, major, minor, "Write", &write_merged);
+ get_blkio_io_value(io_service_bytes_str, major, minor, "Read", &read_sectors);
+ read_sectors = read_sectors/512;
+ get_blkio_io_value(io_service_bytes_str, major, minor, "Write", &write_sectors);
+ write_sectors = write_sectors/512;
+
+ get_blkio_io_value(io_service_time_str, major, minor, "Read", &rd_svctm);
+ rd_svctm = rd_svctm/1000000;
+ get_blkio_io_value(io_wait_time_str, major, minor, "Read", &rd_wait);
+ rd_wait = rd_wait/1000000;
+ read_ticks = rd_svctm + rd_wait;
+
+ get_blkio_io_value(io_service_time_str, major, minor, "Write", &wr_svctm);
+ wr_svctm = wr_svctm/1000000;
+ get_blkio_io_value(io_wait_time_str, major, minor, "Write", &wr_wait);
+ wr_wait = wr_wait/1000000;
+ write_ticks = wr_svctm + wr_wait;
+
+ get_blkio_io_value(io_service_time_str, major, minor, "Total", &tot_ticks);
+ tot_ticks = tot_ticks/1000000;
memset(lbuf, 0, 256);
- if (read || write || read_merged || write_merged || read_sectors || write_sectors || read_ticks || write_ticks) {
+ if (read || write || read_merged || write_merged || read_sectors || write_sectors || read_ticks || write_ticks)
snprintf(lbuf, 256, "%u %u %s %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu\n",
major, minor, dev_name, read, read_merged, read_sectors, read_ticks,
write, write_merged, write_sectors, write_ticks, ios_pgr, tot_ticks, rq_ticks);
- printme = lbuf;
- } else
+ else
continue;
- l = snprintf(cache, cache_size, "%s", printme);
+ l = snprintf(cache, cache_size, "%s", lbuf);
if (l < 0) {
perror("Error writing to fuse buf");
rv = 0;
return rv;
}
+static int proc_swaps_read(char *buf, size_t size, off_t offset,
+ struct fuse_file_info *fi)
+{
+ struct fuse_context *fc = fuse_get_context();
+ struct file_info *d = (struct file_info *)fi->fh;
+ char *cg = NULL;
+ char *memswlimit_str = NULL, *memlimit_str = NULL, *memusage_str = NULL, *memswusage_str = NULL,
+ *memswlimit_default_str = NULL, *memswusage_default_str = NULL;
+ unsigned long memswlimit = 0, memlimit = 0, memusage = 0, memswusage = 0, swap_total = 0, swap_free = 0;
+ ssize_t total_len = 0, rv = 0;
+ ssize_t l = 0;
+ char *cache = d->buf;
+
+ if (offset) {
+ if (offset > d->size)
+ return -EINVAL;
+ if (!d->cached)
+ return 0;
+ int left = d->size - offset;
+ total_len = left > size ? size: left;
+ memcpy(buf, cache + offset, total_len);
+ return total_len;
+ }
+
+ pid_t initpid = lookup_initpid_in_store(fc->pid);
+ if (initpid <= 0)
+ initpid = fc->pid;
+ cg = get_pid_cgroup(initpid, "memory");
+ if (!cg)
+ return read_file("/proc/swaps", buf, size, d);
+ prune_init_slice(cg);
+
+ if (!cgfs_get_value("memory", cg, "memory.limit_in_bytes", &memlimit_str))
+ goto err;
+
+ if (!cgfs_get_value("memory", cg, "memory.usage_in_bytes", &memusage_str))
+ goto err;
+
+ memlimit = strtoul(memlimit_str, NULL, 10);
+ memusage = strtoul(memusage_str, NULL, 10);
+
+ if (cgfs_get_value("memory", cg, "memory.memsw.usage_in_bytes", &memswusage_str) &&
+ cgfs_get_value("memory", cg, "memory.memsw.limit_in_bytes", &memswlimit_str)) {
+
+ /* If swap accounting is turned on, then default value is assumed to be that of cgroup / */
+ if (!cgfs_get_value("memory", "/", "memory.memsw.limit_in_bytes", &memswlimit_default_str))
+ goto err;
+ if (!cgfs_get_value("memory", "/", "memory.memsw.usage_in_bytes", &memswusage_default_str))
+ goto err;
+
+ memswlimit = strtoul(memswlimit_str, NULL, 10);
+ memswusage = strtoul(memswusage_str, NULL, 10);
+
+ if (!strcmp(memswlimit_str, memswlimit_default_str))
+ memswlimit = 0;
+ if (!strcmp(memswusage_str, memswusage_default_str))
+ memswusage = 0;
+
+ swap_total = (memswlimit - memlimit) / 1024;
+ swap_free = (memswusage - memusage) / 1024;
+ }
+
+ total_len = snprintf(d->buf, d->size, "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n");
+
+ /* When no mem + swap limit is specified or swapaccount=0*/
+ if (!memswlimit) {
+ char *line = NULL;
+ size_t linelen = 0;
+ FILE *f = fopen("/proc/meminfo", "r");
+
+ if (!f)
+ goto err;
+
+ while (getline(&line, &linelen, f) != -1) {
+ if (startswith(line, "SwapTotal:")) {
+ sscanf(line, "SwapTotal: %8lu kB", &swap_total);
+ } else if (startswith(line, "SwapFree:")) {
+ sscanf(line, "SwapFree: %8lu kB", &swap_free);
+ }
+ }
+
+ free(line);
+ fclose(f);
+ }
+
+ if (swap_total > 0) {
+ l = snprintf(d->buf + total_len, d->size - total_len,
+ "none%*svirtual\t\t%lu\t%lu\t0\n", 36, " ",
+ swap_total, swap_free);
+ total_len += l;
+ }
+
+ if (total_len < 0 || l < 0) {
+ perror("Error writing to cache");
+ rv = 0;
+ goto err;
+ }
+
+ d->cached = 1;
+ d->size = (int)total_len;
+
+ if (total_len > size) total_len = size;
+ memcpy(buf, d->buf, total_len);
+ rv = total_len;
+
+err:
+ free(cg);
+ free(memswlimit_str);
+ free(memlimit_str);
+ free(memusage_str);
+ free(memswusage_str);
+ free(memswusage_default_str);
+ free(memswlimit_default_str);
+ return rv;
+}
+
static off_t get_procfile_size(const char *which)
{
FILE *f = fopen(which, "r");
strcmp(path, "/proc/cpuinfo") == 0 ||
strcmp(path, "/proc/uptime") == 0 ||
strcmp(path, "/proc/stat") == 0 ||
- strcmp(path, "/proc/diskstats") == 0) {
+ strcmp(path, "/proc/diskstats") == 0 ||
+ strcmp(path, "/proc/swaps") == 0) {
sb->st_size = 0;
sb->st_mode = S_IFREG | 00444;
sb->st_nlink = 1;
int proc_readdir(const char *path, void *buf, fuse_fill_dir_t filler, off_t offset,
struct fuse_file_info *fi)
{
- if (filler(buf, "cpuinfo", NULL, 0) != 0 ||
- filler(buf, "meminfo", NULL, 0) != 0 ||
- filler(buf, "stat", NULL, 0) != 0 ||
- filler(buf, "uptime", NULL, 0) != 0 ||
- filler(buf, "diskstats", NULL, 0) != 0)
+ if (filler(buf, ".", NULL, 0) != 0 ||
+ filler(buf, "..", NULL, 0) != 0 ||
+ filler(buf, "cpuinfo", NULL, 0) != 0 ||
+ filler(buf, "meminfo", NULL, 0) != 0 ||
+ filler(buf, "stat", NULL, 0) != 0 ||
+ filler(buf, "uptime", NULL, 0) != 0 ||
+ filler(buf, "diskstats", NULL, 0) != 0 ||
+ filler(buf, "swaps", NULL, 0) != 0)
return -EINVAL;
return 0;
}
type = LXC_TYPE_PROC_STAT;
else if (strcmp(path, "/proc/diskstats") == 0)
type = LXC_TYPE_PROC_DISKSTATS;
+ else if (strcmp(path, "/proc/swaps") == 0)
+ type = LXC_TYPE_PROC_SWAPS;
if (type == -1)
return -ENOENT;
return 0;
}
-int proc_release(const char *path, struct fuse_file_info *fi)
+int proc_access(const char *path, int mask)
{
- struct file_info *f = (struct file_info *)fi->fh;
+ if (strcmp(path, "/proc") == 0 && access(path, R_OK) == 0)
+ return 0;
- do_release_file_info(f);
+ /* these are all read-only */
+ if ((mask & ~R_OK) != 0)
+ return -EACCES;
+ return 0;
+}
+
+int proc_release(const char *path, struct fuse_file_info *fi)
+{
+ do_release_file_info(fi);
return 0;
}
return proc_stat_read(buf, size, offset, fi);
case LXC_TYPE_PROC_DISKSTATS:
return proc_diskstats_read(buf, size, offset, fi);
+ case LXC_TYPE_PROC_SWAPS:
+ return proc_swaps_read(buf, size, offset, fi);
default:
return -EINVAL;
}
}
-static void __attribute__((constructor)) collect_subsystems(void)
+/*
+ * Functions needed to setup cgroups in the __constructor__.
+ */
+
+static bool mkdir_p(const char *dir, mode_t mode)
+{
+ const char *tmp = dir;
+ const char *orig = dir;
+ char *makeme;
+
+ do {
+ dir = tmp + strspn(tmp, "/");
+ tmp = dir + strcspn(dir, "/");
+ makeme = strndup(orig, dir - orig);
+ if (!makeme)
+ return false;
+ if (mkdir(makeme, mode) && errno != EEXIST) {
+ fprintf(stderr, "failed to create directory '%s': %s",
+ makeme, strerror(errno));
+ free(makeme);
+ return false;
+ }
+ free(makeme);
+ } while(tmp != dir);
+
+ return true;
+}
+
+static bool umount_if_mounted(void)
+{
+ if (umount2(BASEDIR, MNT_DETACH) < 0 && errno != EINVAL) {
+ fprintf(stderr, "failed to unmount %s: %s.\n", BASEDIR, strerror(errno));
+ return false;
+ }
+ return true;
+}
+
+static int pivot_enter(void)
+{
+ int ret = -1, oldroot = -1, newroot = -1;
+
+ oldroot = open("/", O_DIRECTORY | O_RDONLY);
+ if (oldroot < 0) {
+ fprintf(stderr, "%s: Failed to open old root for fchdir.\n", __func__);
+ return ret;
+ }
+
+ newroot = open(ROOTDIR, O_DIRECTORY | O_RDONLY);
+ if (newroot < 0) {
+ fprintf(stderr, "%s: Failed to open new root for fchdir.\n", __func__);
+ goto err;
+ }
+
+ /* change into new root fs */
+ if (fchdir(newroot) < 0) {
+ fprintf(stderr, "%s: Failed to change directory to new rootfs: %s.\n", __func__, ROOTDIR);
+ goto err;
+ }
+
+ /* pivot_root into our new root fs */
+ if (pivot_root(".", ".") < 0) {
+ fprintf(stderr, "%s: pivot_root() syscall failed: %s.\n", __func__, strerror(errno));
+ goto err;
+ }
+
+ /*
+ * At this point the old-root is mounted on top of our new-root.
+ * To unmounted it we must not be chdir'd into it, so escape back
+ * to the old-root.
+ */
+ if (fchdir(oldroot) < 0) {
+ fprintf(stderr, "%s: Failed to enter old root.\n", __func__);
+ goto err;
+ }
+ if (umount2(".", MNT_DETACH) < 0) {
+ fprintf(stderr, "%s: Failed to detach old root.\n", __func__);
+ goto err;
+ }
+
+ if (fchdir(newroot) < 0) {
+ fprintf(stderr, "%s: Failed to re-enter new root.\n", __func__);
+ goto err;
+ }
+
+ ret = 0;
+
+err:
+ if (oldroot > 0)
+ close(oldroot);
+ if (newroot > 0)
+ close(newroot);
+ return ret;
+}
+
+/* Prepare our new clean root. */
+static int pivot_prepare(void)
+{
+ if (mkdir(ROOTDIR, 0700) < 0 && errno != EEXIST) {
+ fprintf(stderr, "%s: Failed to create directory for new root.\n", __func__);
+ return -1;
+ }
+
+ if (mount("/", ROOTDIR, NULL, MS_BIND, 0) < 0) {
+ fprintf(stderr, "%s: Failed to bind-mount / for new root: %s.\n", __func__, strerror(errno));
+ return -1;
+ }
+
+ if (mount(RUNTIME_PATH, ROOTDIR RUNTIME_PATH, NULL, MS_BIND, 0) < 0) {
+ fprintf(stderr, "%s: Failed to bind-mount /run into new root: %s.\n", __func__, strerror(errno));
+ return -1;
+ }
+
+ if (mount(BASEDIR, ROOTDIR BASEDIR, NULL, MS_REC | MS_MOVE, 0) < 0) {
+ printf("%s: failed to move " BASEDIR " into new root: %s.\n", __func__, strerror(errno));
+ return -1;
+ }
+
+ return 0;
+}
+
+static bool pivot_new_root(void)
+{
+ /* Prepare new root. */
+ if (pivot_prepare() < 0)
+ return false;
+
+ /* Pivot into new root. */
+ if (pivot_enter() < 0)
+ return false;
+
+ return true;
+}
+
+static bool setup_cgfs_dir(void)
+{
+ if (!mkdir_p(BASEDIR, 0700)) {
+ fprintf(stderr, "Failed to create lxcfs cgroup mountpoint.\n");
+ return false;
+ }
+
+ if (!umount_if_mounted()) {
+ fprintf(stderr, "Failed to clean up old lxcfs cgroup mountpoint.\n");
+ return false;
+ }
+
+ if (unshare(CLONE_NEWNS) < 0) {
+ fprintf(stderr, "%s: Failed to unshare mount namespace: %s.\n", __func__, strerror(errno));
+ return false;
+ }
+
+ if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, 0) < 0) {
+ fprintf(stderr, "%s: Failed to remount / private: %s.\n", __func__, strerror(errno));
+ return false;
+ }
+
+ if (mount("tmpfs", BASEDIR, "tmpfs", 0, "size=100000,mode=700") < 0) {
+ fprintf(stderr, "Failed to mount tmpfs over lxcfs cgroup mountpoint.\n");
+ return false;
+ }
+
+ return true;
+}
+
+static bool do_mount_cgroups(void)
+{
+ char *target;
+ size_t clen, len;
+ int i, ret;
+
+ for (i = 0; i < num_hierarchies; i++) {
+ char *controller = hierarchies[i];
+ clen = strlen(controller);
+ len = strlen(BASEDIR) + clen + 2;
+ target = malloc(len);
+ if (!target)
+ return false;
+ ret = snprintf(target, len, "%s/%s", BASEDIR, controller);
+ if (ret < 0 || ret >= len) {
+ free(target);
+ return false;
+ }
+ if (mkdir(target, 0755) < 0 && errno != EEXIST) {
+ free(target);
+ return false;
+ }
+ if (mount(controller, target, "cgroup", 0, controller) < 0) {
+ fprintf(stderr, "Failed mounting cgroup %s\n", controller);
+ free(target);
+ return false;
+ }
+
+ fd_hierarchies[i] = open(target, O_DIRECTORY);
+ if (fd_hierarchies[i] < 0) {
+ free(target);
+ return false;
+ }
+ free(target);
+ }
+ return true;
+}
+
+static bool cgfs_setup_controllers(void)
+{
+ if (!setup_cgfs_dir())
+ return false;
+
+ if (!do_mount_cgroups()) {
+ fprintf(stderr, "Failed to set up private lxcfs cgroup mounts.\n");
+ return false;
+ }
+
+ if (!pivot_new_root())
+ return false;
+
+ return true;
+}
+
+static int preserve_ns(int pid)
+{
+ int ret;
+ size_t len = 5 /* /proc */ + 21 /* /int_as_str */ + 7 /* /ns/mnt */ + 1 /* \0 */;
+ char path[len];
+
+ ret = snprintf(path, len, "/proc/%d/ns/mnt", pid);
+ if (ret < 0 || (size_t)ret >= len)
+ return -1;
+
+ return open(path, O_RDONLY | O_CLOEXEC);
+}
+
+static void __attribute__((constructor)) collect_and_mount_subsystems(void)
{
FILE *f;
char *line = NULL;
size_t len = 0;
+ int i, init_ns = -1;
if ((f = fopen("/proc/self/cgroup", "r")) == NULL) {
fprintf(stderr, "Error opening /proc/self/cgroup: %s\n", strerror(errno));
goto out;
*p2 = '\0';
+ /* With cgroupv2 /proc/self/cgroup can contain entries of the
+ * form: 0::/ This will cause lxcfs to fail the cgroup mounts
+ * because it parses out the empty string "" and later on passes
+ * it to mount(). Let's skip such entries.
+ */
+ if (!strcmp(p, ""))
+ continue;
+
if (!store_hierarchy(line, p))
goto out;
}
+ /* Preserve initial namespace. */
+ init_ns = preserve_ns(getpid());
+ if (init_ns < 0)
+ goto out;
+
+ fd_hierarchies = malloc(sizeof(int *) * num_hierarchies);
+ if (!fd_hierarchies)
+ goto out;
+
+ for (i = 0; i < num_hierarchies; i++)
+ fd_hierarchies[i] = -1;
+
+ /* This function calls unshare(CLONE_NEWNS) our initial mount namespace
+ * to privately mount lxcfs cgroups. */
+ if (!cgfs_setup_controllers())
+ goto out;
+
+ if (setns(init_ns, 0) < 0)
+ goto out;
+
print_subsystems();
out:
free(line);
fclose(f);
+ if (init_ns >= 0)
+ close(init_ns);
}
static void __attribute__((destructor)) free_subsystems(void)
{
int i;
- for (i = 0; i < num_hierarchies; i++)
+ for (i = 0; i < num_hierarchies; i++) {
if (hierarchies[i])
free(hierarchies[i]);
+ if (fd_hierarchies && fd_hierarchies[i] >= 0)
+ close(fd_hierarchies[i]);
+ }
free(hierarchies);
+ free(fd_hierarchies);
}