
Exec wshd in context of the container

1 parent 7d7206f commit 8de5d039ecdac7486be3599ded8317df1f661451 Dmitriy Kalinin and Pieter Noordhuis committed Mar 15, 2013
@@ -10,3 +10,6 @@ cd $(dirname $0)/../
source ./lib/common.sh
setup_fs
+
+cp bin/wshd mnt/sbin/wshd
+chmod 700 mnt/sbin/wshd
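Review bot: The `cp` and `chmod` on the two added lines are unchecked, so if either fails the script continues and the container is left without a usable `/sbin/wshd` (or with it at the wrong mode), and the failure only surfaces later when the child process tries to exec it. Unless `lib/common.sh` (not on this page) enables `set -e`, I would collapse them into one checked step: `install -m 700 bin/wshd mnt/sbin/wshd || exit 1`. The surrounding script continues outside the hunk.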
@@ -18,9 +18,6 @@ int barrier_open(barrier_t *bar) {
goto err;
}
- fcntl_mix_cloexec(aux[0]);
- fcntl_mix_cloexec(aux[1]);
-
bar->fd[0] = aux[0];
bar->fd[1] = aux[1];
return 0;
@@ -36,6 +33,11 @@ void barrier_close(barrier_t *bar) {
close(bar->fd[1]);
}
+void barrier_mix_cloexec(barrier_t *bar) {
+ fcntl_mix_cloexec(bar->fd[0]);
+ fcntl_mix_cloexec(bar->fd[1]);
+}
+
void barrier_close_wait(barrier_t *bar) {
close(bar->fd[0]);
}
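Review bot: `barrier_mix_cloexec` (and its prototype in the barrier.h hunk) carries no comment explaining why close-on-exec is no longer set inside `barrier_open`, so the new window in which both barrier fds are inheritable reads like a regression rather than a design choice. The intent appears to be that the fds must survive the re-exec of wshd and are marked afterwards; I would state that above the definition: `/* Mark both ends close-on-exec. Deliberately not done in barrier_open: the fds must survive the exec of "wshd --continue", which calls this afterwards. */`. Any other caller of `barrier_open` that never re-execs now has to call this itself or it leaks the pipe into every child it spawns.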
@@ -18,6 +18,7 @@ struct barrier_s {
int barrier_open(barrier_t *bar);
void barrier_close(barrier_t *bar);
+void barrier_mix_cloexec(barrier_t *bar);
void barrier_close_wait(barrier_t *bar);
void barrier_close_signal(barrier_t *bar);
@@ -10,7 +10,6 @@
#include <unistd.h>
#include "un.h"
-#include "util.h"
int un__socket() {
int fd;
@@ -34,8 +33,6 @@ int un_listen(const char *path) {
strcpy(sa.sun_path, path);
unlink(sa.sun_path);
- fcntl_mix_cloexec(fd);
-
if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == -1) {
perror("bind");
exit(1);
@@ -10,7 +10,9 @@
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
+#include <sys/ipc.h>
#include <sys/param.h>
+#include <sys/shm.h>
#include <sys/signalfd.h>
#include <sys/socket.h>
#include <sys/stat.h>
@@ -623,6 +625,65 @@ int child_loop(wshd_t *w) {
/* No header defines this */
extern int pivot_root(const char *new_root, const char *put_old);
+void child_save_to_shm(wshd_t *w) {
+ int rv;
+ void *w_;
+
+ rv = shmget(0xdeadbeef, sizeof(*w), IPC_CREAT | IPC_EXCL | 0600);
+ if (rv == -1) {
+ perror("shmget");
+ abort();
+ }
+
+ w_ = shmat(rv, NULL, 0);
+ if (w_ == (void *)-1) {
+ perror("shmat");
+ abort();
+ }
+
+ memcpy(w_, w, sizeof(*w));
+}
+
+wshd_t *child_load_from_shm(void) {
+ int rv;
+ wshd_t *w;
+ void *w_;
+
+ rv = shmget(0xdeadbeef, sizeof(*w), 0600);
+ if (rv == -1) {
+ perror("shmget");
+ abort();
+ }
+
+ w_ = shmat(rv, NULL, 0);
+ if (w_ == (void *)-1) {
+ perror("shmat");
+ abort();
+ }
+
+ w = malloc(sizeof(*w));
+ if (w == NULL) {
+ perror("malloc");
+ abort();
+ }
+
+ memcpy(w, w_, sizeof(*w));
+
+ rv = shmdt(w_);
+ if (w_ == (void *)-1) {
+ perror("shmdt");
+ abort();
+ }
+
+ rv = shmctl(0xdeadbeef, IPC_RMID, NULL);
+ if (w_ == (void *)-1) {
+ perror("shmctl");
+ abort();
+ }
+
+ return w;
+}
+
int child_run(void *data) {
wshd_t *w = (wshd_t *)data;
int rv;
@@ -668,6 +729,27 @@ int child_run(void *data) {
rv = run(pivoted_lib_path, "hook-child-after-pivot.sh");
assert(rv == 0);
+ child_save_to_shm(w);
+
+ execl("/sbin/wshd", "/sbin/wshd", "--continue", NULL);
+ perror("exec");
+ abort();
+}
+
+int child_continue(int argc, char **argv) {
+ wshd_t *w;
+ int rv;
+
+ w = child_load_from_shm();
+
+ /* Process MUST not leak file descriptors to children */
+ barrier_mix_cloexec(&w->barrier_child);
+ fcntl_mix_cloexec(w->fd);
+
+ if (strlen(w->title) > 0) {
+ setproctitle(argv, w->title);
+ }
+
rv = mount_umount_pivoted_root("/mnt");
if (rv == -1) {
exit(1);
@@ -778,6 +860,11 @@ int main(int argc, char **argv) {
wshd_t *w;
int rv;
+ /* Continue child execution in the context of the container */
+ if (argc > 1 && strcmp(argv[1], "--continue") == 0) {
+ return child_continue(argc, argv);
+ }
+
w = calloc(1, sizeof(*w));
assert(w != NULL);
@@ -798,10 +885,6 @@ int main(int argc, char **argv) {
strcpy(w->root_path, "root");
}
- if (w->title != NULL) {
- setproctitle(argv, w->title);
- }
-
assert_directory(w->run_path);
assert_directory(w->lib_path);
assert_directory(w->root_path);
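Review bot: `child_load_from_shm` tests `w_` instead of `rv` after both `shmdt` and `shmctl` (the two `if (w_ == (void *)-1)` checks that follow `rv = shmdt(w_)` and `rv = shmctl(0xdeadbeef, IPC_RMID, NULL)`), so a failure of either call is silently ignored; both should read `if (rv == -1)`. A missed `IPC_RMID` matters because the segment key `0xdeadbeef` is hard-coded: the next `child_save_to_shm` then fails its `IPC_CREAT | IPC_EXCL` shmget with EEXIST and aborts, and the same stale segment is left behind if the `execl("/sbin/wshd", ...)` in `child_run` fails, since nothing removes it on that path. For the same reason two children cannot be started concurrently unless each runs in its own IPC namespace, which this page does not show; I would record that assumption in a comment above `child_save_to_shm`. The literal repeated three times would be clearer as a named constant, e.g. `#define WSHD_SHM_KEY 0xdeadbeef`.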
