From e36d01f2f3a91060b0fecd3ef4b2c0e09b1e5f23 Mon Sep 17 00:00:00 2001 From: liuxu Date: Fri, 7 Feb 2025 11:43:21 +0800 Subject: [PATCH 185/198] sandbox:sandboxer code isolation Signed-off-by: liuxu --- .../modules/service/service_container.c | 37 ++++++++----------- src/daemon/sandbox/sandbox.cc | 10 ++++- src/daemon/sandbox/sandbox.h | 6 ++- src/daemon/sandbox/sandbox_ops.cc | 2 + src/daemon/sandbox/sandbox_ops.h | 2 + .../sandbox/{ => sandboxer}/sandbox_task.cc | 0 .../sandbox/{ => sandboxer}/sandbox_task.h | 0 7 files changed, 33 insertions(+), 24 deletions(-) rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.cc (100%) rename src/daemon/sandbox/{ => sandboxer}/sandbox_task.h (100%) diff --git a/src/daemon/modules/service/service_container.c b/src/daemon/modules/service/service_container.c index 250e8299..18104781 100644 --- a/src/daemon/modules/service/service_container.c +++ b/src/daemon/modules/service/service_container.c @@ -780,6 +780,9 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo oci_runtime_spec *oci_spec = NULL; rt_create_params_t create_params = { 0 }; rt_start_params_t start_params = { 0 }; +#ifdef ENABLE_SANDBOXER + int prepare_container_ret = -1; +#endif nret = snprintf(bundle, sizeof(bundle), "%s/%s", cont->root_path, id); if (nret < 0 || (size_t)nret >= sizeof(bundle)) { @@ -904,7 +907,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo } #endif -#ifdef ENABLE_CRI_API_V1 +#ifdef ENABLE_SANDBOXER if (cont->common_config->sandbox_info != NULL && sandbox_prepare_container(cont->common_config, oci_spec, console_fifos, tty) != 0) { @@ -912,6 +915,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo ret = -1; goto close_exit_fd; } + prepare_container_ret = 0; #endif create_params.bundle = bundle; 
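Review bot: `prepare_container_ret` in hunk @@ -780 is a boolean in disguise: it never receives the return value of sandbox_prepare_container(), it is only set to 0 after that call has succeeded (hunk @@ -912) and compared with 0 at the close_exit_fd label (hunk @@ -962), so the name suggests an error code that does not exist. A `bool sandbox_prepared = false;` declared under the same `#ifdef`, set with `sandbox_prepared = true;`, and tested with `if (sandbox_prepared && cont->common_config->sandbox_info != NULL && sandbox_purge_container(cont->common_config) != 0) {` reads as the guard it is and lets the two nested ifs at the label collapse into one. The semantics of the restructuring look right to me: every `goto close_exit_fd` taken after a successful prepare now removes the container from the sandbox, which the removed clean_prepare_container label only did for the three jump sites visible here, so a failed start no longer leaves a stale task registered in the sandboxer. do_start_container begins before and ends after these hunks, so I am assuming the failure paths between them also jump to close_exit_fd.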
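Review bot: Replacing `ENABLE_CRI_API_V1` with `ENABLE_SANDBOXER` in hunk @@ -904 changes which builds run the sandbox prepare/purge hooks at all, and the same swap is made in hunks @@ -1689, @@ -2159 and @@ -2283 and mirrored in the sandbox.cc, sandbox.h and sandbox_ops.* hunks. In a build with CRI API v1 but without the sandboxer, a container whose `sandbox_info` is set now starts and execs without sandbox_prepare_container() or sandbox_prepare_exec() being called and without any diagnostic, where the old code at least called the hook and let it decide. If that is intended because only sandboxer-backed sandboxes need task preparation, a one-line comment at this first site would spare the next reader the question, e.g. `/* only sandboxer-backed sandboxes need task preparation; other controllers start the container directly */`; if it is not, a runtime check that refuses to start a sandboxer-attached container in such a build is needed. I cannot see from the patch which controllers populate sandbox_info, so this is a question rather than a defect.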
@@ -935,11 +939,7 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo if (runtime_create(id, runtime, &create_params) != 0) { ret = -1; -#ifdef ENABLE_CRI_API_V1 - goto clean_prepare_container; -#else goto close_exit_fd; -#endif } start_params.rootpath = cont->root_path; @@ -962,32 +962,25 @@ static int do_start_container(container_t *cont, const char *console_fifos[], bo if (do_post_start_on_success(cont, exit_fifo_fd, exit_fifo, pid_info) != 0) { ERROR("Failed to do post start on runtime start success"); ret = -1; -#ifdef ENABLE_CRI_API_V1 - goto clean_prepare_container; -#else goto close_exit_fd; -#endif } } else { // wait monitor cleanup cgroup and processes finished wait_exit_fifo(id, exit_fifo_fd); -#ifdef ENABLE_CRI_API_V1 - goto clean_prepare_container; -#else goto close_exit_fd; -#endif } goto out; -#ifdef ENABLE_CRI_API_V1 -clean_prepare_container: - if (cont->common_config->sandbox_info != NULL && - sandbox_purge_container(cont->common_config) != 0) { - ERROR("Failed to remove container %s from sandbox", id); +close_exit_fd: +#ifdef ENABLE_SANDBOXER + if (prepare_container_ret == 0) { + if (cont->common_config->sandbox_info != NULL && + sandbox_purge_container(cont->common_config) != 0) { + ERROR("Failed to remove container %s from sandbox", id); + } } #endif -close_exit_fd: close(exit_fifo_fd); clean_resources_on_failure(cont, engine_log_path, loglevel); @@ -1689,7 +1682,7 @@ int stop_container(container_t *cont, int timeout, bool force, bool restart) } } -#ifdef ENABLE_CRI_API_V1 +#ifdef ENABLE_SANDBOXER if (cont->common_config->sandbox_info != NULL && sandbox_purge_container(cont->common_config) != 0) { ERROR("Failed to remove container %s from sandbox", id); 
@@ -2159,7 +2152,7 @@ static int do_exec_container(const container_t *cont, const char *runtime, char goto out; } -#ifdef ENABLE_CRI_API_V1 +#ifdef ENABLE_SANDBOXER if (cont->common_config->sandbox_info != NULL && sandbox_prepare_exec(cont->common_config, request->suffix, process_spec, (const char **)console_fifos, request->tty) != 0) { @@ -2283,7 +2276,7 @@ static void exec_container_end(container_exec_response *response, const containe const char *exec_id, uint32_t cc, int exit_code, int sync_fd, pthread_t thread_id) { -#ifdef ENABLE_CRI_API_V1 +#ifdef ENABLE_SANDBOXER if (cont->common_config->sandbox_info != NULL && sandbox_purge_exec(cont->common_config, exec_id) != 0) { ERROR("Failed to purge container for exec %s", exec_id); diff --git a/src/daemon/sandbox/sandbox.cc b/src/daemon/sandbox/sandbox.cc index d105d71a..d5681d48 100644 --- a/src/daemon/sandbox/sandbox.cc +++ b/src/daemon/sandbox/sandbox.cc @@ -494,7 +494,9 @@ auto Sandbox::Load(Errors &error) -> bool } LoadNetworkSetting(); +#ifdef ENABLE_SANDBOXER LoadSandboxTasks(); +#endif // When the sandbox status acquisition fails or wait fails, the sandbox status is set to not ready, // and the user decides whether to delete the sandbox. @@ -583,9 +585,11 @@ void Sandbox::CleanupSandboxDirs() ERROR("Failed to delete sandbox's root directory %s", m_rootdir.c_str()); } +#ifdef ENABLE_SANDBOXER if (util_recursive_rmdir(m_statedir.c_str(), 0) != 0) { - ERROR("Failed to delete sandbox's state directory %s", m_rootdir.c_str()); + ERROR("Failed to delete sandbox's state directory %s", m_statedir.c_str()); } +#endif } void Sandbox::PrepareSandboxDirs(Errors &error) 
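Review bot: exec_container_end() in hunk @@ -2283 still calls sandbox_purge_exec() whenever `sandbox_info` is set, regardless of whether the matching sandbox_prepare_exec() in hunk @@ -2159 succeeded, while the container start path in this same commit was changed to purge only after a successful prepare. If sandbox_purge_exec() is not harmless for an exec id that was never registered with the sandboxer (its implementation and the callers of exec_container_end are outside the patch), the exec path needs the same "prepared" flag threaded from do_exec_container to exec_container_end. If it is harmless, the asymmetry deserves a comment at the purge site once confirmed, e.g. `/* purge is safe even when prepare_exec failed: unknown exec ids are ignored */`. Both functions begin and end outside their hunks.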
@@ -615,12 +619,14 @@ void Sandbox::PrepareSandboxDirs(Errors &error) goto out; } +#ifdef ENABLE_SANDBOXER nret = util_mkdir_p(m_statedir.c_str(), TEMP_DIRECTORY_MODE); if (nret < 0) { error.Errorf("Unable to create sandbox state directory %s.", m_statedir.c_str()); ERROR("Unable to create sandbox state directory %s.", m_statedir.c_str()); goto out; } +#endif umask(mask); return; @@ -1119,6 +1125,7 @@ void Sandbox::FillSandboxMetadata(sandbox_metadata* metadata, Errors &error) metadata->sandbox_config_json = util_strdup_s(jsonStr.c_str()); } +#ifdef ENABLE_SANDBOXER void Sandbox::LoadSandboxTasks() { } @@ -1145,5 +1152,6 @@ auto Sandbox::PurgeExec(const char *containerId, const char *execId) -> int { return 0; } +#endif } \ No newline at end of file diff --git a/src/daemon/sandbox/sandbox.h b/src/daemon/sandbox/sandbox.h index 58d60ecb..3a7b0736 100644 --- a/src/daemon/sandbox/sandbox.h +++ b/src/daemon/sandbox/sandbox.h @@ -23,6 +23,9 @@ #include #include #include +#ifdef ENABLE_SANDBOXER +#include +#endif #include "api_v1.grpc.pb.h" #include "errors.h" @@ -30,7 +33,6 @@ #include "controller_manager.h" #include "cstruct_wrapper.h" #include "read_write_lock.h" -#include "sandbox_task.h" namespace sandbox { @@ -140,6 +142,7 @@ public: auto Remove(Errors &error) -> bool; void Status(runtime::v1::PodSandboxStatus &status); +#ifdef ENABLE_SANDBOXER // for sandbox api update virtual void LoadSandboxTasks(); virtual auto PrepareContainer(const char *containerId, const char *baseFs, @@ -149,6 +152,7 @@ public: defs_process *processSpec, const char *consoleFifos[]) -> int; virtual auto PurgeContainer(const char *containerId) -> int; virtual auto PurgeExec(const char *containerId, const char *execId) -> int; +#endif private: auto SaveState(Errors &error) -> bool; diff --git a/src/daemon/sandbox/sandbox_ops.cc b/src/daemon/sandbox/sandbox_ops.cc index ae881933..cf88c1bd 100644 --- a/src/daemon/sandbox/sandbox_ops.cc +++ b/src/daemon/sandbox/sandbox_ops.cc 
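Review bot: Guarding the virtual members `LoadSandboxTasks`, `PrepareContainer`, `PrepareExec`, `PurgeContainer` and `PurgeExec` with `#ifdef ENABLE_SANDBOXER` in hunk @@ -140 makes the vtable and layout of `sandbox::Sandbox` depend on a preprocessor macro, so every translation unit that includes sandbox.h, and every subclass that overrides these members, must see the same definition of ENABLE_SANDBOXER or the program violates the ODR without any compiler diagnostic. That is usually fine when the macro comes from a generated config header included before this one, but it is worth stating next to the guard, e.g. `// ENABLE_SANDBOXER changes the class layout: it must be defined consistently in every TU that includes this header`. The include added under the guard in hunk @@ -23 has lost its name in this rendering, so I cannot check that it replaces the removed `"sandbox_task.h"` for the types the guarded declarations still use, such as `defs_process`.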
@@ -25,6 +25,7 @@ #include "namespace.h" #include "utils.h" +#ifdef ENABLE_SANDBOXER static inline bool validate_sandbox_info(const container_sandbox_info *sandbox) { return (sandbox != NULL && sandbox->sandboxer != NULL && @@ -110,6 +111,7 @@ int sandbox_purge_exec(const container_config_v2_common_config *config, const ch return sandbox->PurgeExec(config->id, exec_id); } +#endif /* ENABLE_SANDBOXER */ int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code) { diff --git a/src/daemon/sandbox/sandbox_ops.h b/src/daemon/sandbox/sandbox_ops.h index 8189efd6..e1309313 100644 --- a/src/daemon/sandbox/sandbox_ops.h +++ b/src/daemon/sandbox/sandbox_ops.h @@ -24,6 +24,7 @@ extern "C" { #endif +#ifdef ENABLE_SANDBOXER int sandbox_prepare_container(const container_config_v2_common_config *config, const oci_runtime_spec *oci_spec, const char *console_fifos[], bool tty); @@ -35,6 +36,7 @@ int sandbox_prepare_exec(const container_config_v2_common_config *config, int sandbox_purge_container(const container_config_v2_common_config *config); int sandbox_purge_exec(const container_config_v2_common_config *config, const char *exec_id); +#endif int sandbox_on_sandbox_exit(const char *sandbox_id, int exit_code); diff --git a/src/daemon/sandbox/sandbox_task.cc b/src/daemon/sandbox/sandboxer/sandbox_task.cc similarity index 100% rename from src/daemon/sandbox/sandbox_task.cc rename to src/daemon/sandbox/sandboxer/sandbox_task.cc diff --git a/src/daemon/sandbox/sandbox_task.h b/src/daemon/sandbox/sandboxer/sandbox_task.h similarity index 100% rename from src/daemon/sandbox/sandbox_task.h rename to src/daemon/sandbox/sandboxer/sandbox_task.h -- 2.34.1
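Review bot: The `#ifdef ENABLE_SANDBOXER` opened at the top of sandbox_ops.cc in hunk @@ -25 encloses everything up to sandbox_on_sandbox_exit() in hunk @@ -110, including the `static inline validate_sandbox_info()` helper and whatever other helpers sit between the two hunks; if sandbox_on_sandbox_exit() or anything below it uses one of those helpers, a non-sandboxer build fails to compile, which cannot be verified from the two visible hunks. As a point of style, the `#endif /* ENABLE_SANDBOXER */` closer here is the only annotated one in the commit; the matching `#endif`s in sandbox_ops.h, sandbox.h and sandbox.cc close guards that are many lines from their opener and would benefit from the same `/* ENABLE_SANDBOXER */` tag for consistency.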