Exec wshd in context of the container

warden/root/linux/skeleton/lib/hook-parent-before-clone.sh

@@ -10,3 +10,6 @@ cd $(dirname $0)/../
 source ./lib/common.sh
 
 setup_fs
+
+cp bin/wshd mnt/sbin/wshd
+chmod 700 mnt/sbin/wshd

warden/src/wsh/barrier.c

@@ -18,9 +18,6 @@ int barrier_open(barrier_t *bar) {
     goto err;
   }
 
-  fcntl_mix_cloexec(aux[0]);
-  fcntl_mix_cloexec(aux[1]);
-
   bar->fd[0] = aux[0];
   bar->fd[1] = aux[1];
   return 0;
@@ -36,6 +33,11 @@ void barrier_close(barrier_t *bar) {
   close(bar->fd[1]);
 }
 
+void barrier_mix_cloexec(barrier_t *bar) {
+  fcntl_mix_cloexec(bar->fd[0]);
+  fcntl_mix_cloexec(bar->fd[1]);
+}
+
 void barrier_close_wait(barrier_t *bar) {
   close(bar->fd[0]);
 }

warden/src/wsh/barrier.h

@@ -18,6 +18,7 @@ struct barrier_s {
 
 int barrier_open(barrier_t *bar);
 void barrier_close(barrier_t *bar);
+void barrier_mix_cloexec(barrier_t *bar);
 
 void barrier_close_wait(barrier_t *bar);
 void barrier_close_signal(barrier_t *bar);

warden/src/wsh/un.c

@@ -10,7 +10,6 @@
 #include <unistd.h>
 
 #include "un.h"
-#include "util.h"
 
 int un__socket() {
   int fd;
@@ -34,8 +33,6 @@ int un_listen(const char *path) {
   strcpy(sa.sun_path, path);
   unlink(sa.sun_path);
 
-  fcntl_mix_cloexec(fd);
-
   if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == -1) {
     perror("bind");
     exit(1);

warden/src/wsh/wshd.c

@@ -10,7 +10,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <sys/ioctl.h>
+#include <sys/ipc.h>
 #include <sys/param.h>
+#include <sys/shm.h>
 #include <sys/signalfd.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
@@ -623,6 +625,65 @@ int child_loop(wshd_t *w) {
 /* No header defines this */
 extern int pivot_root(const char *new_root, const char *put_old);
 
+void child_save_to_shm(wshd_t *w) {
+  int rv;
+  void *w_;
+
+  rv = shmget(0xdeadbeef, sizeof(*w), IPC_CREAT | IPC_EXCL | 0600);
+  if (rv == -1) {
+    perror("shmget");
+    abort();
+  }
+
+  w_ = shmat(rv, NULL, 0);
+  if (w_ == (void *)-1) {
+    perror("shmat");
+    abort();
+  }
+
+  memcpy(w_, w, sizeof(*w));
+}
+
+wshd_t *child_load_from_shm(void) {
+  int rv;
+  wshd_t *w;
+  void *w_;
+
+  rv = shmget(0xdeadbeef, sizeof(*w), 0600);
+  if (rv == -1) {
+    perror("shmget");
+    abort();
+  }
+
+  w_ = shmat(rv, NULL, 0);
+  if (w_ == (void *)-1) {
+    perror("shmat");
+    abort();
+  }
+
+  w = malloc(sizeof(*w));
+  if (w == NULL) {
+    perror("malloc");
+    abort();
+  }
+
+  memcpy(w, w_, sizeof(*w));
+
+  rv = shmdt(w_);
+  if (w_ == (void *)-1) {
+    perror("shmdt");
+    abort();
+  }
+
+  rv = shmctl(0xdeadbeef, IPC_RMID, NULL);
+  if (w_ == (void *)-1) {
+    perror("shmctl");
+    abort();
+  }
+
+  return w;
+}
+
 int child_run(void *data) {
   wshd_t *w = (wshd_t *)data;
   int rv;
@@ -668,6 +729,27 @@ int child_run(void *data) {
   rv = run(pivoted_lib_path, "hook-child-after-pivot.sh");
   assert(rv == 0);
 
+  child_save_to_shm(w);
+
+  execl("/sbin/wshd", "/sbin/wshd", "--continue", NULL);
+  perror("exec");
+  abort();
+}
+
+int child_continue(int argc, char **argv) {
+  wshd_t *w;
+  int rv;
+
+  w = child_load_from_shm();
+
+  /* Process MUST not leak file descriptors to children */
+  barrier_mix_cloexec(&w->barrier_child);
+  fcntl_mix_cloexec(w->fd);
+
+  if (strlen(w->title) > 0) {
+    setproctitle(argv, w->title);
+  }
+
   rv = mount_umount_pivoted_root("/mnt");
   if (rv == -1) {
     exit(1);
@@ -778,6 +860,11 @@ int main(int argc, char **argv) {
   wshd_t *w;
   int rv;
 
+  /* Continue child execution in the context of the container */
+  if (argc > 1 && strcmp(argv[1], "--continue") == 0) {
+    return child_continue(argc, argv);
+  }
+
   w = calloc(1, sizeof(*w));
   assert(w != NULL);
 
@@ -798,10 +885,6 @@ int main(int argc, char **argv) {
     strcpy(w->root_path, "root");
   }
 
-  if (w->title != NULL) {
-    setproctitle(argv, w->title);
-  }
-
   assert_directory(w->run_path);
   assert_directory(w->lib_path);
   assert_directory(w->root_path);