diff options
author | Nicolas Lacasse <nlacasse@google.com> | 2019-05-14 20:33:44 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-05-14 20:34:50 -0700 |
commit | dd153c014de69968dac96629e457ee17944e410e (patch) | |
tree | 66ee7503f31d89355a37e5942c3a5ee099dfa1a7 /pkg/sentry/fs | |
parent | 330a1bbd04815b846e9396e9f5763afe6350b537 (diff) |
Start of support for /proc/pid/cgroup file.
PiperOrigin-RevId: 248263378
Change-Id: Ic057d2bb0b6212110f43ac4df3f0ac9bf931ab98
Diffstat (limited to 'pkg/sentry/fs')
-rw-r--r-- | pkg/sentry/fs/proc/BUILD | 1 | ||||
-rw-r--r-- | pkg/sentry/fs/proc/cgroup.go | 41 | ||||
-rw-r--r-- | pkg/sentry/fs/proc/fs.go | 9 | ||||
-rw-r--r-- | pkg/sentry/fs/proc/proc.go | 16 | ||||
-rw-r--r-- | pkg/sentry/fs/proc/task.go | 34 |
5 files changed, 78 insertions, 23 deletions
diff --git a/pkg/sentry/fs/proc/BUILD b/pkg/sentry/fs/proc/BUILD index 3aa70a28e..d19c360e0 100644 --- a/pkg/sentry/fs/proc/BUILD +++ b/pkg/sentry/fs/proc/BUILD @@ -5,6 +5,7 @@ load("//tools/go_stateify:defs.bzl", "go_library", "go_test") go_library( name = "proc", srcs = [ + "cgroup.go", "cpuinfo.go", "exec_args.go", "fds.go", diff --git a/pkg/sentry/fs/proc/cgroup.go b/pkg/sentry/fs/proc/cgroup.go new file mode 100644 index 000000000..1019f862a --- /dev/null +++ b/pkg/sentry/fs/proc/cgroup.go @@ -0,0 +1,41 @@ +// Copyright 2018 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package proc + +import ( + "fmt" + + "gvisor.googlesource.com/gvisor/pkg/sentry/context" + "gvisor.googlesource.com/gvisor/pkg/sentry/fs" +) + +func newCGroupInode(ctx context.Context, msrc *fs.MountSource, cgroupControllers map[string]string) *fs.Inode { + // From man 7 cgroups: "For each cgroup hierarchy of which the process + // is a member, there is one entry containing three colon-separated + // fields: hierarchy-ID:controller-list:cgroup-path" + + // The hierarchy ids must be positive integers (for cgroup v1), but the + // exact number does not matter, so long as they are unique. We can + // just use a counter, but since linux sorts this file in descending + // order, we must count down to perserve this behavior. + i := len(cgroupControllers) + var data string + for name, dir := range cgroupControllers { + data += fmt.Sprintf("%d:%s:%s\n", i, name, dir) + i-- + } + + return newStaticProcInode(ctx, msrc, []byte(data)) +} diff --git a/pkg/sentry/fs/proc/fs.go b/pkg/sentry/fs/proc/fs.go index 7c5f8484a..d57d6cc5d 100644 --- a/pkg/sentry/fs/proc/fs.go +++ b/pkg/sentry/fs/proc/fs.go @@ -57,7 +57,7 @@ func (*filesystem) Flags() fs.FilesystemFlags { } // Mount returns the root of a procfs that can be positioned in the vfs. -func (f *filesystem) Mount(ctx context.Context, device string, flags fs.MountSourceFlags, data string, _ interface{}) (*fs.Inode, error) { +func (f *filesystem) Mount(ctx context.Context, device string, flags fs.MountSourceFlags, data string, cgroupsInt interface{}) (*fs.Inode, error) { // device is always ignored. // Parse generic comma-separated key=value options, this file system expects them. @@ -70,7 +70,12 @@ func (f *filesystem) Mount(ctx context.Context, device string, flags fs.MountSou return nil, fmt.Errorf("unsupported mount options: %v", options) } + var cgroups map[string]string + if cgroupsInt != nil { + cgroups = cgroupsInt.(map[string]string) + } + // Construct the procfs root. Since procfs files are all virtual, we // never want them cached. - return New(ctx, fs.NewNonCachingMountSource(f, flags)) + return New(ctx, fs.NewNonCachingMountSource(f, flags), cgroups) } diff --git a/pkg/sentry/fs/proc/proc.go b/pkg/sentry/fs/proc/proc.go index 196fa5128..0e15894b4 100644 --- a/pkg/sentry/fs/proc/proc.go +++ b/pkg/sentry/fs/proc/proc.go @@ -43,10 +43,15 @@ type proc struct { // pidns is the PID namespace of the task that mounted the proc filesystem // that this node represents. pidns *kernel.PIDNamespace + + // cgroupControllers is a map of controller name to directory in the + // cgroup hierarchy. These controllers are immutable and will be listed + // in /proc/pid/cgroup if not nil. + cgroupControllers map[string]string } // New returns the root node of a partial simple procfs. -func New(ctx context.Context, msrc *fs.MountSource) (*fs.Inode, error) { +func New(ctx context.Context, msrc *fs.MountSource, cgroupControllers map[string]string) (*fs.Inode, error) { k := kernel.KernelFromContext(ctx) if k == nil { return nil, fmt.Errorf("procfs requires a kernel") @@ -73,9 +78,10 @@ func New(ctx context.Context, msrc *fs.MountSource) (*fs.Inode, error) { // Construct the proc InodeOperations. p := &proc{ - Dir: *ramfs.NewDir(ctx, contents, fs.RootOwner, fs.FilePermsFromMode(0555)), - k: k, - pidns: pidns, + Dir: *ramfs.NewDir(ctx, contents, fs.RootOwner, fs.FilePermsFromMode(0555)), + k: k, + pidns: pidns, + cgroupControllers: cgroupControllers, } // Add more contents that need proc to be initialized. @@ -178,7 +184,7 @@ func (p *proc) Lookup(ctx context.Context, dir *fs.Inode, name string) (*fs.Dire } // Wrap it in a taskDir. - td := newTaskDir(otherTask, dir.MountSource, p.pidns, true) + td := p.newTaskDir(otherTask, dir.MountSource, true) return fs.NewDirent(td, name), nil } diff --git a/pkg/sentry/fs/proc/task.go b/pkg/sentry/fs/proc/task.go index 0f400e80f..66d76d194 100644 --- a/pkg/sentry/fs/proc/task.go +++ b/pkg/sentry/fs/proc/task.go @@ -67,7 +67,7 @@ type taskDir struct { var _ fs.InodeOperations = (*taskDir)(nil) // newTaskDir creates a new proc task entry. -func newTaskDir(t *kernel.Task, msrc *fs.MountSource, pidns *kernel.PIDNamespace, showSubtasks bool) *fs.Inode { +func (p *proc) newTaskDir(t *kernel.Task, msrc *fs.MountSource, showSubtasks bool) *fs.Inode { contents := map[string]*fs.Inode{ "auxv": newAuxvec(t, msrc), "cmdline": newExecArgInode(t, msrc, cmdlineExecArg), @@ -84,20 +84,22 @@ func newTaskDir(t *kernel.Task, msrc *fs.MountSource, pidns *kernel.PIDNamespace "mounts": seqfile.NewSeqFileInode(t, &mountsFile{t: t}, msrc), "ns": newNamespaceDir(t, msrc), "smaps": newSmaps(t, msrc), - "stat": newTaskStat(t, msrc, showSubtasks, pidns), + "stat": newTaskStat(t, msrc, showSubtasks, p.pidns), "statm": newStatm(t, msrc), - "status": newStatus(t, msrc, pidns), + "status": newStatus(t, msrc, p.pidns), "uid_map": newUIDMap(t, msrc), } if showSubtasks { - contents["task"] = newSubtasks(t, msrc, pidns) + contents["task"] = p.newSubtasks(t, msrc) + } + if len(p.cgroupControllers) > 0 { + contents["cgroup"] = newCGroupInode(t, msrc, p.cgroupControllers) } // TODO(b/31916171): Set EUID/EGID based on dumpability. d := &taskDir{ - Dir: *ramfs.NewDir(t, contents, fs.RootOwner, fs.FilePermsFromMode(0555)), - t: t, - pidns: pidns, + Dir: *ramfs.NewDir(t, contents, fs.RootOwner, fs.FilePermsFromMode(0555)), + t: t, } return newProcInode(d, msrc, fs.SpecialDirectory, t) } @@ -108,17 +110,17 @@ func newTaskDir(t *kernel.Task, msrc *fs.MountSource, pidns *kernel.PIDNamespace type subtasks struct { ramfs.Dir - t *kernel.Task - pidns *kernel.PIDNamespace + t *kernel.Task + p *proc } var _ fs.InodeOperations = (*subtasks)(nil) -func newSubtasks(t *kernel.Task, msrc *fs.MountSource, pidns *kernel.PIDNamespace) *fs.Inode { +func (p *proc) newSubtasks(t *kernel.Task, msrc *fs.MountSource) *fs.Inode { s := &subtasks{ - Dir: *ramfs.NewDir(t, nil, fs.RootOwner, fs.FilePermsFromMode(0555)), - t: t, - pidns: pidns, + Dir: *ramfs.NewDir(t, nil, fs.RootOwner, fs.FilePermsFromMode(0555)), + t: t, + p: p, } return newProcInode(s, msrc, fs.SpecialDirectory, t) } @@ -137,7 +139,7 @@ func (s *subtasks) UnstableAttr(ctx context.Context, inode *fs.Inode) (fs.Unstab // GetFile implements fs.InodeOperations.GetFile. func (s *subtasks) GetFile(ctx context.Context, dirent *fs.Dirent, flags fs.FileFlags) (*fs.File, error) { - return fs.NewFile(ctx, dirent, flags, &subtasksFile{t: s.t, pidns: s.pidns}), nil + return fs.NewFile(ctx, dirent, flags, &subtasksFile{t: s.t, pidns: s.p.pidns}), nil } // +stateify savable @@ -212,7 +214,7 @@ func (s *subtasks) Lookup(ctx context.Context, dir *fs.Inode, p string) (*fs.Dir return nil, syserror.ENOENT } - task := s.pidns.TaskWithID(kernel.ThreadID(tid)) + task := s.p.pidns.TaskWithID(kernel.ThreadID(tid)) if task == nil { return nil, syserror.ENOENT } @@ -220,7 +222,7 @@ func (s *subtasks) Lookup(ctx context.Context, dir *fs.Inode, p string) (*fs.Dir return nil, syserror.ENOENT } - td := newTaskDir(task, dir.MountSource, s.pidns, false) + td := s.p.newTaskDir(task, dir.MountSource, false) return fs.NewDirent(td, p), nil } |