From 106de2182d34197d76fb68863cd4a102ebac2dbb Mon Sep 17 00:00:00 2001
From: Nicolas Lacasse <nlacasse@google.com>
Date: Fri, 24 Aug 2018 17:42:30 -0700
Subject: runsc: Terminal support for "docker exec -ti".

This CL adds terminal support for "docker exec".  We previously only supported
consoles for the container process, but not exec processes.

The SYS_IOCTL syscall was added to the default seccomp filter list, but only
for ioctls that get/set winsize and termios structs. We need to allow these
ioctl for all containers because it's possible to run "exec -ti" on a
container that was started without an attached console, after the filters
have been installed.

Note that control-character signals are still not properly supported.

Tested with:
	$ docker run --runtime=runsc -it alpine
In another terminial:
	$ docker exec -it <containerid> /bin/sh

PiperOrigin-RevId: 210185456
Change-Id: I6d2401e53a7697bb988c120a8961505c335f96d9
---
 pkg/sentry/fs/host/BUILD           |  1 -
 pkg/sentry/fs/host/file.go         | 19 +++++++++----------
 pkg/sentry/fs/host/ioctl_unsafe.go | 19 ++++++++++++++++++-
 3 files changed, 27 insertions(+), 12 deletions(-)

(limited to 'pkg/sentry/fs/host')

diff --git a/pkg/sentry/fs/host/BUILD b/pkg/sentry/fs/host/BUILD
index 29c79284a..f1252b0f2 100644
--- a/pkg/sentry/fs/host/BUILD
+++ b/pkg/sentry/fs/host/BUILD
@@ -48,7 +48,6 @@ go_library(
         "//pkg/unet",
         "//pkg/waiter",
         "//pkg/waiter/fdnotifier",
-        "@org_golang_x_sys//unix:go_default_library",
     ],
 )
 
diff --git a/pkg/sentry/fs/host/file.go b/pkg/sentry/fs/host/file.go
index f9bef6d93..8d2463c78 100644
--- a/pkg/sentry/fs/host/file.go
+++ b/pkg/sentry/fs/host/file.go
@@ -18,7 +18,6 @@ import (
 	"fmt"
 	"syscall"
 
-	"golang.org/x/sys/unix"
 	"gvisor.googlesource.com/gvisor/pkg/abi/linux"
 	"gvisor.googlesource.com/gvisor/pkg/fd"
 	"gvisor.googlesource.com/gvisor/pkg/log"
@@ -296,7 +295,7 @@ func (f *fileOperations) Ioctl(ctx context.Context, io usermem.IO, args arch.Sys
 	fd := f.iops.fileState.FD()
 	ioctl := args[1].Uint64()
 	switch ioctl {
-	case unix.TCGETS:
+	case linux.TCGETS:
 		termios, err := ioctlGetTermios(fd)
 		if err != nil {
 			return 0, err
@@ -306,7 +305,7 @@ func (f *fileOperations) Ioctl(ctx context.Context, io usermem.IO, args arch.Sys
 		})
 		return 0, err
 
-	case unix.TCSETS, unix.TCSETSW:
+	case linux.TCSETS, linux.TCSETSW:
 		var termios linux.Termios
 		if _, err := usermem.CopyObjectIn(ctx, io, args[2].Pointer(), &termios, usermem.IOOpts{
 			AddressSpaceActive: true,
@@ -316,7 +315,7 @@ func (f *fileOperations) Ioctl(ctx context.Context, io usermem.IO, args arch.Sys
 		err := ioctlSetTermios(fd, ioctl, &termios)
 		return 0, err
 
-	case unix.TIOCGPGRP:
+	case linux.TIOCGPGRP:
 		// Args: pid_t *argp
 		// When successful, equivalent to *argp = tcgetpgrp(fd).
 		// Get the process group ID of the foreground process group on
@@ -332,7 +331,7 @@ func (f *fileOperations) Ioctl(ctx context.Context, io usermem.IO, args arch.Sys
 		})
 		return 0, err
 
-	case unix.TIOCSPGRP:
+	case linux.TIOCSPGRP:
 		// Args: const pid_t *argp
 		// Equivalent to tcsetpgrp(fd, *argp).
 		// Set the foreground process group ID of this terminal.
@@ -343,10 +342,10 @@ func (f *fileOperations) Ioctl(ctx context.Context, io usermem.IO, args arch.Sys
 		log.Warningf("Ignoring application ioctl(TIOCSPGRP) call")
 		return 0, nil
 
-	case unix.TIOCGWINSZ:
+	case linux.TIOCGWINSZ:
 		// Args: struct winsize *argp
 		// Get window size.
-		winsize, err := unix.IoctlGetWinsize(fd, unix.TIOCGWINSZ)
+		winsize, err := ioctlGetWinsize(fd)
 		if err != nil {
 			return 0, err
 		}
@@ -355,16 +354,16 @@ func (f *fileOperations) Ioctl(ctx context.Context, io usermem.IO, args arch.Sys
 		})
 		return 0, err
 
-	case unix.TIOCSWINSZ:
+	case linux.TIOCSWINSZ:
 		// Args: const struct winsize *argp
 		// Set window size.
-		var winsize unix.Winsize
+		var winsize linux.Winsize
 		if _, err := usermem.CopyObjectIn(ctx, io, args[2].Pointer(), &winsize, usermem.IOOpts{
 			AddressSpaceActive: true,
 		}); err != nil {
 			return 0, err
 		}
-		err := unix.IoctlSetWinsize(fd, unix.TIOCSWINSZ, &winsize)
+		err := ioctlSetWinsize(fd, &winsize)
 		return 0, err
 
 	default:
diff --git a/pkg/sentry/fs/host/ioctl_unsafe.go b/pkg/sentry/fs/host/ioctl_unsafe.go
index 3c07c3850..bc965a1c2 100644
--- a/pkg/sentry/fs/host/ioctl_unsafe.go
+++ b/pkg/sentry/fs/host/ioctl_unsafe.go
@@ -23,7 +23,7 @@ import (
 
 func ioctlGetTermios(fd int) (*linux.Termios, error) {
 	var t linux.Termios
-	_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), syscall.TCGETS, uintptr(unsafe.Pointer(&t)))
+	_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), linux.TCGETS, uintptr(unsafe.Pointer(&t)))
 	if errno != 0 {
 		return nil, errno
 	}
@@ -37,3 +37,20 @@ func ioctlSetTermios(fd int, req uint64, t *linux.Termios) error {
 	}
 	return nil
 }
+
+func ioctlGetWinsize(fd int) (*linux.Winsize, error) {
+	var w linux.Winsize
+	_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), linux.TIOCGWINSZ, uintptr(unsafe.Pointer(&w)))
+	if errno != 0 {
+		return nil, errno
+	}
+	return &w, nil
+}
+
+func ioctlSetWinsize(fd int, w *linux.Winsize) error {
+	_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, uintptr(fd), linux.TIOCSWINSZ, uintptr(unsafe.Pointer(w)))
+	if errno != 0 {
+		return errno
+	}
+	return nil
+}
-- 
cgit v1.2.3