From e36d01f2f3a91060b0fecd3ef4b2c0e09b1e5f23 Mon Sep 17 00:00:00 2001
From: liuxu <liuxu156@huawei.com>
Date: Fri, 7 Feb 2025 11:43:21 +0800
Subject: [PATCH 185/198] sandbox:sandboxer code isolation
Signed-off-by: liuxu <liuxu156@huawei.com>
---
.../modules/service/service_container.c | 37 ++++++++-----------
src/daemon/sandbox/sandbox.cc | 10 ++++-
src/daemon/sandbox/sandbox.h | 6 ++-
src/daemon/sandbox/sandbox_ops.cc | 2 +
src/daemon/sandbox/sandbox_ops.h | 2 +
.../sandbox/{ => sandboxer}/sandbox_task.cc | 0
.../sandbox/{ => sandboxer}/sandbox_task.h | 0
7 files changed, 33 insertions(+), 24 deletions(-)
rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.cc (100%)
rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.h (100%)
diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c
index 250e8299..18104781 100644
--- a/src/daemon/modules/service/service_container.c
+++ b/src/daemon/modules/service/service_container.c
@@ -780,6 +780,9 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
oci_runtime_spec *oci_spec = NULL;
rt_create_params_t create_params = { 0 };
rt_start_params_t start_params = { 0 };
+#ifdef ENABLE_SANDBOXER
+ int prepare_container_ret = -1;
+#endif
nret = snprintf(bundle, sizeof(bundle), "%s/%s", cont->root_path, id);
if (nret < 0 || (size_t)nret >= sizeof(bundle)) {
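Review bot: `prepare_container_ret` is used as a did-it-run flag rather than a return value, and the `prepare_container_ret = 0;` added in the hunk at L314-L320 executes even when `sandbox_info` is NULL and `sandbox_prepare_container()` was never called, which is why the cleanup in the hunk at L331-L367 has to re-test `sandbox_info` to stay correct. A `bool` that is set only after the prepare call actually succeeded says what is meant and lets the cleanup drop the second test: `bool sandbox_prepared = false;` here, `sandbox_prepared = true;` placed inside an `if (cont->common_config->sandbox_info != NULL)` branch right after the prepare call succeeds, and `if (sandbox_prepared && sandbox_purge_container(cont->common_config) != 0) {` under `close_exit_fd:`. do_start_container's body starts and ends outside this hunk.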
@@ -904,7 +907,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
}
#endif
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_prepare_container(cont->common_config,
oci_spec, console_fifos, tty) != 0) {
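Review bot: The guard change from ENABLE_CRI_API_V1 to ENABLE_SANDBOXER presumably relies on the `sandbox_info` member and the `sandbox_prepare_container()` prototype being available whenever ENABLE_SANDBOXER is defined, and nothing on this page shows whether ENABLE_SANDBOXER can be set without ENABLE_CRI_API_V1. If it cannot, a build-time check such as `#if defined(ENABLE_SANDBOXER) && !defined(ENABLE_CRI_API_V1)` / `#error "ENABLE_SANDBOXER requires ENABLE_CRI_API_V1"` next to the guarded prototypes in sandbox_ops.h would state the dependency instead of leaving it to a later compile error. The same rename appears in the hunks at L368-L375, L376-L383 and L384-L392 and in the sandbox sources below. do_start_container continues outside this hunk.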
@@ -912,6 +915,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
ret = -1;
goto close_exit_fd;
}
+ prepare_container_ret = 0;
#endif
create_params.bundle = bundle;
@@ -935,11 +939,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
if (runtime_create(id, runtime, &create_params) != 0) {
ret = -1;
-#ifdef ENABLE_CRI_API_V1
- goto clean_prepare_container;
-#else
goto close_exit_fd;
-#endif
}
start_params.rootpath = cont->root_path;
@@ -962,32 +962,25 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo
if (do_post_start_on_success(cont, exit_fifo_fd, exit_fifo, pid_info) != 0) {
ERROR("Failed to do post start on runtime start success");
ret = -1;
-#ifdef ENABLE_CRI_API_V1
- goto clean_prepare_container;
-#else
goto close_exit_fd;
-#endif
}
} else {
// wait monitor cleanup cgroup and processes finished
wait_exit_fifo(id, exit_fifo_fd);
-#ifdef ENABLE_CRI_API_V1
- goto clean_prepare_container;
-#else
goto close_exit_fd;
-#endif
}
goto out;
-#ifdef ENABLE_CRI_API_V1
-clean_prepare_container:
- if (cont->common_config->sandbox_info != NULL &&
- sandbox_purge_container(cont->common_config) != 0) {
- ERROR("Failed to remove container %s from sandbox", id);
+close_exit_fd:
+#ifdef ENABLE_SANDBOXER
+ if (prepare_container_ret == 0) {
+ if (cont->common_config->sandbox_info != NULL &&
+ sandbox_purge_container(cont->common_config) != 0) {
+ ERROR("Failed to remove container %s from sandbox", id);
+ }
}
#endif
-close_exit_fd:
close(exit_fifo_fd);
clean_resources_on_failure(cont, engine_log_path, loglevel);
@@ -1689,7 +1682,7 @@ int stop_container(container_t *cont, int timeout, bool force, bool restart)
}
}
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_purge_container(cont->common_config) != 0) {
ERROR("Failed to remove container %s from sandbox", id);
@@ -2159,7 +2152,7 @@ static int do_exec_container(const container_t *cont, const char *runtime, char
goto out;
}
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_prepare_exec(cont->common_config, request->suffix,
process_spec, (const char **)console_fifos, request->tty) != 0) {
@@ -2283,7 +2276,7 @@ static void exec_container_end(container_exec_response *response, const containe
const char *exec_id, uint32_t cc,
int exit_code, int sync_fd, pthread_t thread_id)
{
-#ifdef ENABLE_CRI_API_V1
+#ifdef ENABLE_SANDBOXER
if (cont->common_config->sandbox_info != NULL &&
sandbox_purge_exec(cont->common_config, exec_id) != 0) {
ERROR("Failed to purge container for exec %s", exec_id);
diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc
index d105d71a..d5681d48 100644
--- a/src/daemon/sandbox/sandbox.cc
+++ b/src/daemon/sandbox/sandbox.cc
@@ -494,7 +494,9 @@ auto Sandbox::Load(Errors &error) -> bool
}
LoadNetworkSetting();
+#ifdef ENABLE_SANDBOXER
LoadSandboxTasks();
+#endif
// When the sandbox status acquisition fails or wait fails, the sandbox status is set to not ready,
// and the user decides whether to delete the sandbox.
@@ -583,9 +585,11 @@ void Sandbox::CleanupSandboxDirs()
ERROR("Failed to delete sandbox's root directory %s", m_rootdir.c_str());
}
+#ifdef ENABLE_SANDBOXER
if (util_recursive_rmdir(m_statedir.c_str(), 0) != 0) {
- ERROR("Failed to delete sandbox's state directory %s", m_rootdir.c_str());
+ ERROR("Failed to delete sandbox's state directory %s", m_statedir.c_str());
}
+#endif
}
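Review bot: The `ERROR(...)` argument fix from `m_rootdir` to `m_statedir` corrects a wrong path in the log message but is unrelated to the code isolation and is not mentioned in the commit message; it should be called out there or split into its own commit so the fix stays traceable. Because the state directory is now created (hunk at L416-L428) and removed only under ENABLE_SANDBOXER, a daemon built without it leaves any `m_statedir` created by an earlier sandboxer-enabled build untouched; if builds with different settings can share one root directory, that is worth a comment above the `#ifdef`, e.g. `// m_statedir exists only for sandboxer builds; other builds neither create nor remove it`. CleanupSandboxDirs starts outside this hunk.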
void Sandbox::PrepareSandboxDirs(Errors &error)
@@ -615,12 +619,14 @@ void Sandbox::PrepareSandboxDirs(Errors &error)
goto out;
}
+#ifdef ENABLE_SANDBOXER
nret = util_mkdir_p(m_statedir.c_str(), TEMP_DIRECTORY_MODE);
if (nret < 0) {
error.Errorf("Unable to create sandbox state directory %s.", m_statedir.c_str());
ERROR("Unable to create sandbox state directory %s.", m_statedir.c_str());
goto out;
}
+#endif
umask(mask);
return;
@@ -1119,6 +1125,7 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error)
metadata->sandbox_config_json = util_strdup_s(jsonStr.c_str());
}
+#ifdef ENABLE_SANDBOXER
void Sandbox::LoadSandboxTasks()
{
}
@@ -1145,5 +1152,6 @@ auto Sandbox::PurgeExec(const char *containerId, const char *execId) -> int
{
return 0;
}
+#endif
}
\ No newline at end of file
diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h
index 58d60ecb..3a7b0736 100644
--- a/src/daemon/sandbox/sandbox.h
+++ b/src/daemon/sandbox/sandbox.h
@@ -23,6 +23,9 @@
#include <isula_libutils/container_network_settings.h>
#include <isula_libutils/sandbox_state.h>
#include <isula_libutils/sandbox_metadata.h>
+#ifdef ENABLE_SANDBOXER
+#include <isula_libutils/oci_runtime_spec.h>
+#endif
#include "api_v1.grpc.pb.h"
#include "errors.h"
@@ -30,7 +33,6 @@
#include "controller_manager.h"
#include "cstruct_wrapper.h"
#include "read_write_lock.h"
-#include "sandbox_task.h"
namespace sandbox {
@@ -140,6 +142,7 @@ public:
auto Remove(Errors &error) -> bool;
void Status(runtime::v1::PodSandboxStatus &status);
+#ifdef ENABLE_SANDBOXER
// for sandbox api update
virtual void LoadSandboxTasks();
virtual auto PrepareContainer(const char *containerId, const char *baseFs,
@@ -149,6 +152,7 @@ public:
defs_process *processSpec, const char *consoleFifos[]) -> int;
virtual auto PurgeContainer(const char *containerId) -> int;
virtual auto PurgeExec(const char *containerId, const char *execId) -> int;
+#endif
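Review bot: Guarding the `virtual` declarations means every override in a derived sandboxer class, and the base-class definitions in sandbox.cc (hunks at L429-L441), must sit under the same `#ifdef ENABLE_SANDBOXER`; extending the existing `// for sandbox api update` comment to say so, e.g. `// Sandboxer-only API: declarations, base definitions and overrides share the ENABLE_SANDBOXER guard`, makes that contract explicit. Separately, `defs_process` on the `PrepareExec` line is provided by neither include this commit touches; if it previously reached this header through the removed `sandbox_task.h` include (hunk at L456-L461), the sandboxer build now depends on it arriving through some other header — confirm. The class body continues outside this hunk.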
private:
auto SaveState(Errors &error) -> bool;
diff --git a/src/daemon/sandbox/sandbox_ops.cc b/src/daemon/sandbox/sandbox_ops.cc
index ae881933..cf88c1bd 100644
--- a/src/daemon/sandbox/sandbox_ops.cc
+++ b/src/daemon/sandbox/sandbox_ops.cc
@@ -25,6 +25,7 @@
#include "namespace.h"
#include "utils.h"
+#ifdef ENABLE_SANDBOXER
static inline bool validate_sandbox_info(const container_sandbox_info *sandbox)
{
return (sandbox != NULL && sandbox->sandboxer != NULL &&
@@ -110,6 +111,7 @@ int sandbox_purge_exec(const container_config_v2_common_config *config, const ch
return sandbox->PurgeExec(config->id, exec_id);
}
+#endif /* ENABLE_SANDBOXER */
int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code)
{
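Review bot: `validate_sandbox_info()` is now compiled only under ENABLE_SANDBOXER, while `sandbox_on_sandbox_exit()` (opening on the last line of this hunk, body outside it) stays unguarded; if it or any later function in the file calls the helper, the non-sandboxer build fails — confirm against the rest of sandbox_ops.cc. If the helper is indeed sandboxer-only, a short comment above `#ifdef ENABLE_SANDBOXER` in the hunk at L480-L486, e.g. `// Helpers and entry points below exist only for sandboxer builds; sandbox_on_sandbox_exit() is common`, records the split for the next reader.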
diff --git a/src/daemon/sandbox/sandbox_ops.h b/src/daemon/sandbox/sandbox_ops.h
index 8189efd6..e1309313 100644
--- a/src/daemon/sandbox/sandbox_ops.h
+++ b/src/daemon/sandbox/sandbox_ops.h
@@ -24,6 +24,7 @@
extern "C" {
#endif
+#ifdef ENABLE_SANDBOXER
int sandbox_prepare_container(const container_config_v2_common_config *config,
const oci_runtime_spec *oci_spec,
const char *console_fifos[], bool tty);
@@ -35,6 +36,7 @@ int sandbox_prepare_exec(const container_config_v2_common_config *config,
int sandbox_purge_container(const container_config_v2_common_config *config);
int sandbox_purge_exec(const container_config_v2_common_config *config, const char *exec_id);
+#endif
int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code);
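Review bot: The closing `#endif` carries no label, while the matching one in sandbox_ops.cc (L490) reads `#endif /* ENABLE_SANDBOXER */`; since the guarded prototypes span two hunks here, writing `#endif /* ENABLE_SANDBOXER */` keeps the header consistent with the implementation file and makes the extent of the guard readable without scrolling.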
diff --git a/src/daemon/sandbox/sandbox_task.cc b/src/daemon/sandbox/sandboxer/sandbox_task.cc
similarity index 100%
rename from src/daemon/sandbox/sandbox_task.cc
rename to src/daemon/sandbox/sandboxer/sandbox_task.cc
diff --git a/src/daemon/sandbox/sandbox_task.h b/src/daemon/sandbox/sandboxer/sandbox_task.h
similarity index 100%
rename from src/daemon/sandbox/sandbox_task.h
rename to src/daemon/sandbox/sandboxer/sandbox_task.h
--
2.34.1