Diffstat (limited to '0185-sandbox-sandboxer-code-isolation.patch')
-rw-r--r-- | 0185-sandbox-sandboxer-code-isolation.patch | 275 |
1 files changed, 275 insertions, 0 deletions
diff --git a/0185-sandbox-sandboxer-code-isolation.patch b/0185-sandbox-sandboxer-code-isolation.patch
new file mode 100644
index 0000000..c2024ac
--- /dev/null
+++ b/0185-sandbox-sandboxer-code-isolation.patch
@@ -0,0 +1,275 @@ +From e36d01f2f3a91060b0fecd3ef4b2c0e09b1e5f23 Mon Sep 17 00:00:00 2001 +From: liuxu <liuxu156@huawei.com> +Date: Fri, 7 Feb 2025 11:43:21 +0800 +Subject: [PATCH 185/198] sandbox:sandboxer code isolation + +Signed-off-by: liuxu <liuxu156@huawei.com> +--- + .../modules/service/service_container.c | 37 ++++++++----------- + src/daemon/sandbox/sandbox.cc | 10 ++++- + src/daemon/sandbox/sandbox.h | 6 ++- + src/daemon/sandbox/sandbox_ops.cc | 2 + + src/daemon/sandbox/sandbox_ops.h | 2 + + .../sandbox/{ => sandboxer}/sandbox_task.cc | 0 + .../sandbox/{ => sandboxer}/sandbox_task.h | 0 + 7 files changed, 33 insertions(+), 24 deletions(-) + rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.cc (100%) + rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.h (100%) + +diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c +index 250e8299..18104781 100644 +--- a/src/daemon/modules/service/service_container.c ++++ b/src/daemon/modules/service/service_container.c +@@ -780,6 +780,9 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + oci_runtime_spec *oci_spec = NULL; + rt_create_params_t create_params = { 0 }; + rt_start_params_t start_params = { 0 }; ++#ifdef ENABLE_SANDBOXER ++ int prepare_container_ret = -1; ++#endif + + nret = snprintf(bundle, sizeof(bundle), "%s/%s", cont->root_path, id); + if (nret < 0 || (size_t)nret >= sizeof(bundle)) { +@@ -904,7 +907,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + } + #endif + +-#ifdef ENABLE_CRI_API_V1 ++#ifdef ENABLE_SANDBOXER + if (cont->common_config->sandbox_info != NULL && + sandbox_prepare_container(cont->common_config, + oci_spec, console_fifos, tty) != 0) { +@@ -912,6 +915,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + ret = -1; + goto close_exit_fd; + } ++ prepare_container_ret = 0; + #endif + + create_params.bundle = bundle; +@@ 
-935,11 +939,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + + if (runtime_create(id, runtime, &create_params) != 0) { + ret = -1; +-#ifdef ENABLE_CRI_API_V1 +- goto clean_prepare_container; +-#else + goto close_exit_fd; +-#endif + } + + start_params.rootpath = cont->root_path; +@@ -962,32 +962,25 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo + if (do_post_start_on_success(cont, exit_fifo_fd, exit_fifo, pid_info) != 0) { + ERROR("Failed to do post start on runtime start success"); + ret = -1; +-#ifdef ENABLE_CRI_API_V1 +- goto clean_prepare_container; +-#else + goto close_exit_fd; +-#endif + } + } else { + // wait monitor cleanup cgroup and processes finished + wait_exit_fifo(id, exit_fifo_fd); +-#ifdef ENABLE_CRI_API_V1 +- goto clean_prepare_container; +-#else + goto close_exit_fd; +-#endif + } + goto out; + +-#ifdef ENABLE_CRI_API_V1 +-clean_prepare_container: +- if (cont->common_config->sandbox_info != NULL && +- sandbox_purge_container(cont->common_config) != 0) { +- ERROR("Failed to remove container %s from sandbox", id); ++close_exit_fd: ++#ifdef ENABLE_SANDBOXER ++ if (prepare_container_ret == 0) { ++ if (cont->common_config->sandbox_info != NULL && ++ sandbox_purge_container(cont->common_config) != 0) { ++ ERROR("Failed to remove container %s from sandbox", id); ++ } + } + #endif + +-close_exit_fd: + close(exit_fifo_fd); + clean_resources_on_failure(cont, engine_log_path, loglevel); + +@@ -1689,7 +1682,7 @@ int stop_container(container_t *cont, int timeout, bool force, bool restart) + } + } + +-#ifdef ENABLE_CRI_API_V1 ++#ifdef ENABLE_SANDBOXER + if (cont->common_config->sandbox_info != NULL && + sandbox_purge_container(cont->common_config) != 0) { + ERROR("Failed to remove container %s from sandbox", id); +@@ -2159,7 +2152,7 @@ static int do_exec_container(const container_t *cont, const char *runtime, char + goto out; + } + +-#ifdef ENABLE_CRI_API_V1 ++#ifdef ENABLE_SANDBOXER + 
if (cont->common_config->sandbox_info != NULL && + sandbox_prepare_exec(cont->common_config, request->suffix, + process_spec, (const char **)console_fifos, request->tty) != 0) { +@@ -2283,7 +2276,7 @@ static void exec_container_end(container_exec_response *response, const containe + const char *exec_id, uint32_t cc, + int exit_code, int sync_fd, pthread_t thread_id) + { +-#ifdef ENABLE_CRI_API_V1 ++#ifdef ENABLE_SANDBOXER + if (cont->common_config->sandbox_info != NULL && + sandbox_purge_exec(cont->common_config, exec_id) != 0) { + ERROR("Failed to purge container for exec %s", exec_id); +diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc +index d105d71a..d5681d48 100644 +--- a/src/daemon/sandbox/sandbox.cc ++++ b/src/daemon/sandbox/sandbox.cc +@@ -494,7 +494,9 @@ auto Sandbox::Load(Errors &error) -> bool + } + + LoadNetworkSetting(); ++#ifdef ENABLE_SANDBOXER + LoadSandboxTasks(); ++#endif + + // When the sandbox status acquisition fails or wait fails, the sandbox status is set to not ready, + // and the user decides whether to delete the sandbox. 
+@@ -583,9 +585,11 @@ void Sandbox::CleanupSandboxDirs() + ERROR("Failed to delete sandbox's root directory %s", m_rootdir.c_str()); + } + ++#ifdef ENABLE_SANDBOXER + if (util_recursive_rmdir(m_statedir.c_str(), 0) != 0) { +- ERROR("Failed to delete sandbox's state directory %s", m_rootdir.c_str()); ++ ERROR("Failed to delete sandbox's state directory %s", m_statedir.c_str()); + } ++#endif + } + + void Sandbox::PrepareSandboxDirs(Errors &error) +@@ -615,12 +619,14 @@ void Sandbox::PrepareSandboxDirs(Errors &error) + goto out; + } + ++#ifdef ENABLE_SANDBOXER + nret = util_mkdir_p(m_statedir.c_str(), TEMP_DIRECTORY_MODE); + if (nret < 0) { + error.Errorf("Unable to create sandbox state directory %s.", m_statedir.c_str()); + ERROR("Unable to create sandbox state directory %s.", m_statedir.c_str()); + goto out; + } ++#endif + + umask(mask); + return; +@@ -1119,6 +1125,7 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error) + metadata->sandbox_config_json = util_strdup_s(jsonStr.c_str()); + } + ++#ifdef ENABLE_SANDBOXER + void Sandbox::LoadSandboxTasks() + { + } +@@ -1145,5 +1152,6 @@ auto Sandbox::PurgeExec(const char *containerId, const char *execId) -> int + { + return 0; + } ++#endif + + } +\ No newline at end of file +diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h +index 58d60ecb..3a7b0736 100644 +--- a/src/daemon/sandbox/sandbox.h ++++ b/src/daemon/sandbox/sandbox.h +@@ -23,6 +23,9 @@ + #include <isula_libutils/container_network_settings.h> + #include <isula_libutils/sandbox_state.h> + #include <isula_libutils/sandbox_metadata.h> ++#ifdef ENABLE_SANDBOXER ++#include <isula_libutils/oci_runtime_spec.h> ++#endif + + #include "api_v1.grpc.pb.h" + #include "errors.h" +@@ -30,7 +33,6 @@ + #include "controller_manager.h" + #include "cstruct_wrapper.h" + #include "read_write_lock.h" +-#include "sandbox_task.h" + + namespace sandbox { + +@@ -140,6 +142,7 @@ public: + auto Remove(Errors &error) -> bool; + void 
Status(runtime::v1::PodSandboxStatus &status); + ++#ifdef ENABLE_SANDBOXER + // for sandbox api update + virtual void LoadSandboxTasks(); + virtual auto PrepareContainer(const char *containerId, const char *baseFs, +@@ -149,6 +152,7 @@ public: + defs_process *processSpec, const char *consoleFifos[]) -> int; + virtual auto PurgeContainer(const char *containerId) -> int; + virtual auto PurgeExec(const char *containerId, const char *execId) -> int; ++#endif + + private: + auto SaveState(Errors &error) -> bool; +diff --git a/src/daemon/sandbox/sandbox_ops.cc b/src/daemon/sandbox/sandbox_ops.cc +index ae881933..cf88c1bd 100644 +--- a/src/daemon/sandbox/sandbox_ops.cc ++++ b/src/daemon/sandbox/sandbox_ops.cc +@@ -25,6 +25,7 @@ + #include "namespace.h" + #include "utils.h" + ++#ifdef ENABLE_SANDBOXER + static inline bool validate_sandbox_info(const container_sandbox_info *sandbox) + { + return (sandbox != NULL && sandbox->sandboxer != NULL && +@@ -110,6 +111,7 @@ int sandbox_purge_exec(const container_config_v2_common_config *config, const ch + + return sandbox->PurgeExec(config->id, exec_id); + } ++#endif /* ENABLE_SANDBOXER */ + + int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code) + { +diff --git a/src/daemon/sandbox/sandbox_ops.h b/src/daemon/sandbox/sandbox_ops.h +index 8189efd6..e1309313 100644 +--- a/src/daemon/sandbox/sandbox_ops.h ++++ b/src/daemon/sandbox/sandbox_ops.h +@@ -24,6 +24,7 @@ + extern "C" { + #endif + ++#ifdef ENABLE_SANDBOXER + int sandbox_prepare_container(const container_config_v2_common_config *config, + const oci_runtime_spec *oci_spec, + const char *console_fifos[], bool tty); +@@ -35,6 +36,7 @@ int sandbox_prepare_exec(const container_config_v2_common_config *config, + int sandbox_purge_container(const container_config_v2_common_config *config); + + int sandbox_purge_exec(const container_config_v2_common_config *config, const char *exec_id); ++#endif + + int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code); + +diff 
--git a/src/daemon/sandbox/sandbox_task.cc b/src/daemon/sandbox/sandboxer/sandbox_task.cc +similarity index 100% +rename from src/daemon/sandbox/sandbox_task.cc +rename to src/daemon/sandbox/sandboxer/sandbox_task.cc +diff --git a/src/daemon/sandbox/sandbox_task.h b/src/daemon/sandbox/sandboxer/sandbox_task.h +similarity index 100% +rename from src/daemon/sandbox/sandbox_task.h +rename to src/daemon/sandbox/sandboxer/sandbox_task.h +-- +2.34.1 + |
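Review bot: Wrapping the virtual members of Sandbox (LoadSandboxTasks, PrepareContainer, PrepareExec, PurgeContainer, PurgeExec) in `#ifdef ENABLE_SANDBOXER` inside sandbox.h makes the class's vtable layout depend on a build flag, so every translation unit that includes the header — including any subclass that ends up under the new sandboxer/ directory — must see the same definition, or virtual calls dispatch to the wrong slot without any compiler diagnostic. I would put a comment next to that `#ifdef` in the header, `// ENABLE_SANDBOXER changes the Sandbox vtable: it must be defined identically in every TU that includes this header (set it globally in the build, never per target).` The same guard around the m_statedir handling in PrepareSandboxDirs/CleanupSandboxDirs means a daemon built without the flag never removes a state directory created by a sandboxer-enabled build; whether mixed builds are supported is not visible here, so at minimum that asymmetry deserves a comment in CleanupSandboxDirs. The `prepare_container_ret == 0` guard at the merged close_exit_fd label does preserve the old purge-only-after-prepare semantics. Both do_start_container and the Sandbox class definition start outside the hunks shown, and the inner patch's indentation has been collapsed in this listing.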