Diffstat (limited to '0070-isolate-sandboxer-code-by-using-macro.patch')
-rw-r--r--0070-isolate-sandboxer-code-by-using-macro.patch143
1 files changed, 143 insertions, 0 deletions
diff --git a/0070-isolate-sandboxer-code-by-using-macro.patch b/0070-isolate-sandboxer-code-by-using-macro.patch
new file mode 100644
index 0000000..4ab8cb2
--- /dev/null
+++ b/0070-isolate-sandboxer-code-by-using-macro.patch
@@ -0,0 +1,143 @@
+From c1d445e178cd610f8a6d9156012c6c7922eed9c5 Mon Sep 17 00:00:00 2001
+From: xuxuepeng <xuxuepeng1@huawei.com>
+Date: Sat, 20 Apr 2024 11:24:18 +0800
+Subject: [PATCH 1/2] isolate sandboxer code by using macro
+
+Signed-off-by: xuxuepeng <xuxuepeng1@huawei.com>
+---
+ cmake/options.cmake | 2 +-
+ src/daemon/common/cri/v1/v1_cri_helpers.cc | 7 +++++++
+ src/daemon/config/isulad_config.c | 2 ++
+ src/daemon/sandbox/controller/CMakeLists.txt | 2 +-
+ src/daemon/sandbox/controller/controller_manager.cc | 6 ++++++
+ src/daemon/sandbox/controller/controller_manager.h | 2 ++
+ 6 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/cmake/options.cmake b/cmake/options.cmake
+index c1eac472..a15b8194 100644
+--- a/cmake/options.cmake
++++ b/cmake/options.cmake
+@@ -51,7 +51,7 @@ if (ENABLE_CDI STREQUAL "ON")
+ endif()
+ endif()
+
+-option(ENABLE_SANDBOXER "Enable sandbox API" ON)
++option(ENABLE_SANDBOXER "Enable sandbox API" OFF)
+ if (ENABLE_SANDBOXER STREQUAL "ON")
+ add_definitions(-DENABLE_SANDBOXER)
+ set(ENABLE_SANDBOXER 1)
+diff --git a/src/daemon/common/cri/v1/v1_cri_helpers.cc b/src/daemon/common/cri/v1/v1_cri_helpers.cc
+index 520d23d4..1f797ad7 100644
+--- a/src/daemon/common/cri/v1/v1_cri_helpers.cc
++++ b/src/daemon/common/cri/v1/v1_cri_helpers.cc
+@@ -391,6 +391,7 @@ void GetContainerSandboxID(const std::string &containerID, std::string &realCont
+ realContainerID = info->id;
+ }
+
++#ifdef ENABLE_SANDBOXER
+ std::string CRISandboxerConvert(const std::string &runtime)
+ {
+ std::string sandboxer;
+@@ -429,6 +430,12 @@ out:
+ (void)isulad_server_conf_unlock();
+ return sandboxer;
+ }
++#else
++std::string CRISandboxerConvert(const std::string &runtime)
++{
++ return DEFAULT_SANDBOXER_NAME;
++}
++#endif
+
+ void ApplySandboxSecurityContextToHostConfig(const runtime::v1::LinuxSandboxSecurityContext &context, host_config *hc,
+ Errors &error)
+diff --git a/src/daemon/config/isulad_config.c b/src/daemon/config/isulad_config.c
+index 695a0d95..617db7a2 100644
+--- a/src/daemon/config/isulad_config.c
++++ b/src/daemon/config/isulad_config.c
+@@ -1757,8 +1757,10 @@ int merge_json_confs_into_global(struct service_arguments *args)
+ args->json_confs->runtimes = tmp_json_confs->runtimes;
+ tmp_json_confs->runtimes = NULL;
+ #ifdef ENABLE_CRI_API_V1
++#ifdef ENABLE_SANDBOXER
+ args->json_confs->cri_sandboxers = tmp_json_confs->cri_sandboxers;
+ tmp_json_confs->cri_sandboxers = NULL;
++#endif
+ args->json_confs->enable_cri_v1 = tmp_json_confs->enable_cri_v1;
+ args->json_confs->enable_pod_events = tmp_json_confs->enable_pod_events;
+ #endif
+diff --git a/src/daemon/sandbox/controller/CMakeLists.txt b/src/daemon/sandbox/controller/CMakeLists.txt
+index f846657a..8764c05b 100644
+--- a/src/daemon/sandbox/controller/CMakeLists.txt
++++ b/src/daemon/sandbox/controller/CMakeLists.txt
+@@ -9,7 +9,7 @@ set(local_sandbox_controller_top_incs
+ ${CMAKE_CURRENT_SOURCE_DIR}
+ )
+
+-if (ENABLE_SANDBOXER)
++if (ENABLE_CRI_API_V1 AND ENABLE_SANDBOXER)
+ add_subdirectory(sandboxer)
+ list (APPEND local_sandbox_controller_top_srcs
+ ${CONTROLLER_SANDBOXER_SRCS}
+diff --git a/src/daemon/sandbox/controller/controller_manager.cc b/src/daemon/sandbox/controller/controller_manager.cc
+index 21c6f5fe..91c98d26 100644
+--- a/src/daemon/sandbox/controller/controller_manager.cc
++++ b/src/daemon/sandbox/controller/controller_manager.cc
+@@ -20,7 +20,9 @@
+ #include <isula_libutils/defs.h>
+
+ #include "shim_controller.h"
++#ifdef ENABLE_SANDBOXER
+ #include "sandboxer_controller.h"
++#endif
+ #include "isulad_config.h"
+ #include "daemon_arguments.h"
+
+@@ -44,10 +46,12 @@ bool ControllerManager::Init(Errors &error)
+ return false;
+ }
+
++#ifdef ENABLE_SANDBOXER
+ // Initialize sandboxer controller
+ if (!RegisterAllSandboxerControllers(error)) {
+ return false;
+ }
++#endif
+ return true;
+ }
+
+@@ -75,6 +79,7 @@ auto ControllerManager::RegisterShimController(Errors &error) -> bool
+ return true;
+ }
+
++#ifdef ENABLE_SANDBOXER
+ auto ControllerManager::RegisterAllSandboxerControllers(Errors &error) -> bool
+ {
+ std::map<std::string, std::string> config;
+@@ -160,6 +165,7 @@ auto ControllerManager::RegisterSandboxerController(const std::string &sandboxer
+ INFO("Sandboxer controller initialized successfully, sandboxer: %s", sandboxer.c_str());
+ return true;
+ }
++#endif
+
+ auto ControllerManager::GetController(const std::string &name) -> std::shared_ptr<Controller>
+ {
+diff --git a/src/daemon/sandbox/controller/controller_manager.h b/src/daemon/sandbox/controller/controller_manager.h
+index 28b52c2f..3fd547cf 100644
+--- a/src/daemon/sandbox/controller/controller_manager.h
++++ b/src/daemon/sandbox/controller/controller_manager.h
+@@ -31,9 +31,11 @@ public:
+ auto GetController(const std::string &name) -> std::shared_ptr<Controller>;
+ private:
+ auto RegisterShimController(Errors &error) -> bool;
++#ifdef ENABLE_SANDBOXER
+ auto RegisterAllSandboxerControllers(Errors &error) -> bool;
+ auto LoadSandboxerControllersConfig(std::map<std::string, std::string> &config) -> bool;
+ auto RegisterSandboxerController(const std::string &sandboxer, const std::string &address, Errors &error) -> bool;
++#endif
+
+ protected:
+ std::map<std::string, std::shared_ptr<Controller>> m_controllers;
+--
+2.34.1
+
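Review bot: The two CMake gates for the feature no longer agree: options.cmake still emits `-DENABLE_SANDBOXER` whenever the option alone is ON, while src/daemon/sandbox/controller/CMakeLists.txt now compiles the sandboxer sources only under `ENABLE_CRI_API_V1 AND ENABLE_SANDBOXER`, so a build with ENABLE_SANDBOXER=ON and ENABLE_CRI_API_V1=OFF would define the macro, include `sandboxer_controller.h` and reference `RegisterAllSandboxerControllers` without the sources behind them (assuming the controller directory is still built in that configuration). Gating the definition the same way, e.g. `if (ENABLE_CRI_API_V1 STREQUAL "ON" AND ENABLE_SANDBOXER STREQUAL "ON")` in options.cmake, keeps the macro and the source list in step. Separately, the `#else` stub of CRISandboxerConvert in v1_cri_helpers.cc leaves `runtime` unused, which warns under -Wunused-parameter and is worth a `(void)runtime;` or an unnamed parameter. The isulad_config.c hunk also means any `cri_sandboxers` entries in the daemon configuration are presumably dropped with tmp_json_confs when the feature is compiled out, which deserves a comment such as `/* cri_sandboxers is ignored when ENABLE_SANDBOXER is off */` so operators are not surprised by silently ignored configuration.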