Start of support for /proc/pid/cgroup file.

PiperOrigin-RevId: 248263378 Change-Id: Ic057d2bb0b6212110f43ac4df3f0ac9bf931ab98
author: Nicolas Lacasse <nlacasse@google.com> 2019-05-14 20:33:44 -0700
committer: Shentubot <shentubot@google.com> 2019-05-14 20:34:50 -0700
commit: dd153c014de69968dac96629e457ee17944e410e (patch)
tree: 66ee7503f31d89355a37e5942c3a5ee099dfa1a7 /pkg/sentry
parent: 330a1bbd04815b846e9396e9f5763afe6350b537 (diff)
5 files changed, 78 insertions, 23 deletions
diff --git a/pkg/sentry/fs/proc/BUILD b/pkg/sentry/fs/proc/BUILD
index 3aa70a28e..d19c360e0 100644
--- a/pkg/sentry/fs/proc/BUILD
+++ b/pkg/sentry/fs/proc/BUILD
@@ -5,6 +5,7 @@ load("//tools/go_stateify:defs.bzl", "go_library", "go_test")
 go_library(
     name = "proc",
     srcs = [
+        "cgroup.go",
         "cpuinfo.go",
         "exec_args.go",
         "fds.go",
diff --git a/pkg/sentry/fs/proc/cgroup.go b/pkg/sentry/fs/proc/cgroup.go
new file mode 100644
index 000000000..1019f862a
--- /dev/null
+++ b/pkg/sentry/fs/proc/cgroup.go
@@ -0,0 +1,41 @@
+// Copyright 2018 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package proc
+
+import (
+	"fmt"
+
+	"gvisor.googlesource.com/gvisor/pkg/sentry/context"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/fs"
+)
+
+func newCGroupInode(ctx context.Context, msrc *fs.MountSource, cgroupControllers map[string]string) *fs.Inode {
+	// From man 7 cgroups: "For each cgroup hierarchy of which the process
+	// is a member, there is one entry containing three colon-separated
+	// fields: hierarchy-ID:controller-list:cgroup-path"
+
+	// The hierarchy ids must be positive integers (for cgroup v1), but the
+	// exact number does not matter, so long as they are unique. We can
+	// just use a counter, but since linux sorts this file in descending
+	// order, we must count down to perserve this behavior.
+	i := len(cgroupControllers)
+	var data string
+	for name, dir := range cgroupControllers {
+		data += fmt.Sprintf("%d:%s:%s\n", i, name, dir)
+		i--
+	}
+
+	return newStaticProcInode(ctx, msrc, []byte(data))
+}
diff --git a/pkg/sentry/fs/proc/fs.go b/pkg/sentry/fs/proc/fs.go
index 7c5f8484a..d57d6cc5d 100644
--- a/pkg/sentry/fs/proc/fs.go
+++ b/pkg/sentry/fs/proc/fs.go
@@ -57,7 +57,7 @@ func (*filesystem) Flags() fs.FilesystemFlags {
 }
 
 // Mount returns the root of a procfs that can be positioned in the vfs.
-func (f *filesystem) Mount(ctx context.Context, device string, flags fs.MountSourceFlags, data string, _ interface{}) (*fs.Inode, error) {
+func (f *filesystem) Mount(ctx context.Context, device string, flags fs.MountSourceFlags, data string, cgroupsInt interface{}) (*fs.Inode, error) {
 	// device is always ignored.
 
 	// Parse generic comma-separated key=value options, this file system expects them.
@@ -70,7 +70,12 @@ func (f *filesystem) Mount(ctx context.Context, device string, flags fs.MountSou
 		return nil, fmt.Errorf("unsupported mount options: %v", options)
 	}
 
+	var cgroups map[string]string
+	if cgroupsInt != nil {
+		cgroups = cgroupsInt.(map[string]string)
+	}
+
 	// Construct the procfs root. Since procfs files are all virtual, we
 	// never want them cached.
-	return New(ctx, fs.NewNonCachingMountSource(f, flags))
+	return New(ctx, fs.NewNonCachingMountSource(f, flags), cgroups)
 }
diff --git a/pkg/sentry/fs/proc/proc.go b/pkg/sentry/fs/proc/proc.go
index 196fa5128..0e15894b4 100644
--- a/pkg/sentry/fs/proc/proc.go
+++ b/pkg/sentry/fs/proc/proc.go
@@ -43,10 +43,15 @@ type proc struct {
 	// pidns is the PID namespace of the task that mounted the proc filesystem
 	// that this node represents.
 	pidns *kernel.PIDNamespace
+
+	// cgroupControllers is a map of controller name to directory in the
+	// cgroup hierarchy. These controllers are immutable and will be listed
+	// in /proc/pid/cgroup if not nil.
+	cgroupControllers map[string]string
 }
 
 // New returns the root node of a partial simple procfs.
-func New(ctx context.Context, msrc *fs.MountSource) (*fs.Inode, error) {
+func New(ctx context.Context, msrc *fs.MountSource, cgroupControllers map[string]string) (*fs.Inode, error) {
 	k := kernel.KernelFromContext(ctx)
 	if k == nil {
 		return nil, fmt.Errorf("procfs requires a kernel")
@@ -73,9 +78,10 @@ func New(ctx context.Context, msrc *fs.MountSource) (*fs.Inode, error) {
 
 	// Construct the proc InodeOperations.
 	p := &proc{
-		Dir:   *ramfs.NewDir(ctx, contents, fs.RootOwner, fs.FilePermsFromMode(0555)),
-		k:     k,
-		pidns: pidns,
+		Dir:               *ramfs.NewDir(ctx, contents, fs.RootOwner, fs.FilePermsFromMode(0555)),
+		k:                 k,
+		pidns:             pidns,
+		cgroupControllers: cgroupControllers,
 	}
 
 	// Add more contents that need proc to be initialized.
@@ -178,7 +184,7 @@ func (p *proc) Lookup(ctx context.Context, dir *fs.Inode, name string) (*fs.Dire
 	}
 
 	// Wrap it in a taskDir.
-	td := newTaskDir(otherTask, dir.MountSource, p.pidns, true)
+	td := p.newTaskDir(otherTask, dir.MountSource, true)
 	return fs.NewDirent(td, name), nil
 }
 
diff --git a/pkg/sentry/fs/proc/task.go b/pkg/sentry/fs/proc/task.go
index 0f400e80f..66d76d194 100644
--- a/pkg/sentry/fs/proc/task.go
+++ b/pkg/sentry/fs/proc/task.go
@@ -67,7 +67,7 @@ type taskDir struct {
 var _ fs.InodeOperations = (*taskDir)(nil)
 
 // newTaskDir creates a new proc task entry.
-func newTaskDir(t *kernel.Task, msrc *fs.MountSource, pidns *kernel.PIDNamespace, showSubtasks bool) *fs.Inode {
+func (p *proc) newTaskDir(t *kernel.Task, msrc *fs.MountSource, showSubtasks bool) *fs.Inode {
 	contents := map[string]*fs.Inode{
 		"auxv":    newAuxvec(t, msrc),
 		"cmdline": newExecArgInode(t, msrc, cmdlineExecArg),
@@ -84,20 +84,22 @@ func newTaskDir(t *kernel.Task, msrc *fs.MountSource, pidns *kernel.PIDNamespace
 		"mounts":    seqfile.NewSeqFileInode(t, &mountsFile{t: t}, msrc),
 		"ns":        newNamespaceDir(t, msrc),
 		"smaps":     newSmaps(t, msrc),
-		"stat":      newTaskStat(t, msrc, showSubtasks, pidns),
+		"stat":      newTaskStat(t, msrc, showSubtasks, p.pidns),
 		"statm":     newStatm(t, msrc),
-		"status":    newStatus(t, msrc, pidns),
+		"status":    newStatus(t, msrc, p.pidns),
 		"uid_map":   newUIDMap(t, msrc),
 	}
 	if showSubtasks {
-		contents["task"] = newSubtasks(t, msrc, pidns)
+		contents["task"] = p.newSubtasks(t, msrc)
+	}
+	if len(p.cgroupControllers) > 0 {
+		contents["cgroup"] = newCGroupInode(t, msrc, p.cgroupControllers)
 	}
 
 	// TODO(b/31916171): Set EUID/EGID based on dumpability.
 	d := &taskDir{
-		Dir:   *ramfs.NewDir(t, contents, fs.RootOwner, fs.FilePermsFromMode(0555)),
-		t:     t,
-		pidns: pidns,
+		Dir: *ramfs.NewDir(t, contents, fs.RootOwner, fs.FilePermsFromMode(0555)),
+		t:   t,
 	}
 	return newProcInode(d, msrc, fs.SpecialDirectory, t)
 }
@@ -108,17 +110,17 @@ func newTaskDir(t *kernel.Task, msrc *fs.MountSource, pidns *kernel.PIDNamespace
 type subtasks struct {
 	ramfs.Dir
 
-	t     *kernel.Task
-	pidns *kernel.PIDNamespace
+	t *kernel.Task
+	p *proc
 }
 
 var _ fs.InodeOperations = (*subtasks)(nil)
 
-func newSubtasks(t *kernel.Task, msrc *fs.MountSource, pidns *kernel.PIDNamespace) *fs.Inode {
+func (p *proc) newSubtasks(t *kernel.Task, msrc *fs.MountSource) *fs.Inode {
 	s := &subtasks{
-		Dir:   *ramfs.NewDir(t, nil, fs.RootOwner, fs.FilePermsFromMode(0555)),
-		t:     t,
-		pidns: pidns,
+		Dir: *ramfs.NewDir(t, nil, fs.RootOwner, fs.FilePermsFromMode(0555)),
+		t:   t,
+		p:   p,
 	}
 	return newProcInode(s, msrc, fs.SpecialDirectory, t)
 }
@@ -137,7 +139,7 @@ func (s *subtasks) UnstableAttr(ctx context.Context, inode *fs.Inode) (fs.Unstab
 
 // GetFile implements fs.InodeOperations.GetFile.
 func (s *subtasks) GetFile(ctx context.Context, dirent *fs.Dirent, flags fs.FileFlags) (*fs.File, error) {
-	return fs.NewFile(ctx, dirent, flags, &subtasksFile{t: s.t, pidns: s.pidns}), nil
+	return fs.NewFile(ctx, dirent, flags, &subtasksFile{t: s.t, pidns: s.p.pidns}), nil
 }
 
 // +stateify savable
@@ -212,7 +214,7 @@ func (s *subtasks) Lookup(ctx context.Context, dir *fs.Inode, p string) (*fs.Dir
 		return nil, syserror.ENOENT
 	}
 
-	task := s.pidns.TaskWithID(kernel.ThreadID(tid))
+	task := s.p.pidns.TaskWithID(kernel.ThreadID(tid))
 	if task == nil {
 		return nil, syserror.ENOENT
 	}
@@ -220,7 +222,7 @@ func (s *subtasks) Lookup(ctx context.Context, dir *fs.Inode, p string) (*fs.Dir
 		return nil, syserror.ENOENT
 	}
 
-	td := newTaskDir(task, dir.MountSource, s.pidns, false)
+	td := s.p.newTaskDir(task, dir.MountSource, false)
 	return fs.NewDirent(td, p), nil
 }
author	Nicolas Lacasse <nlacasse@google.com>	2019-05-14 20:33:44 -0700
committer	Shentubot <shentubot@google.com>	2019-05-14 20:34:50 -0700
commit	dd153c014de69968dac96629e457ee17944e410e (patch)
tree	66ee7503f31d89355a37e5942c3a5ee099dfa1a7 /pkg/sentry
parent	330a1bbd04815b846e9396e9f5763afe6350b537 (diff)