#include <sys/mount.h>
#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/resource.h>
#include <fcntl.h>
#include <ctype.h>
#include <stdarg.h>
return 0;
}
-static int sandbox_processes(xid_t xid)
+#define WHITESPACE(buffer,index,len) \
+ while(isspace((int)buffer[index])) \
+ if (index < len) index++; else goto out;
+
+struct resources {
+ char *name;
+ int *limit;
+};
+
+#define VSERVERCONF "/etc/vservers/"
+static void get_limits(char *context, int *cpu, int *mem, int *task) {
+ FILE *fb;
+ size_t len = strlen(VSERVERCONF) + strlen(context) + strlen(".conf") + NULLBYTE_SIZE;
+ char *conf = (char *)malloc(len);
+ struct resources list[] =
+ {{"MEMLIMIT", mem},
+ {"CPULIMIT", cpu},
+ {"TASKLIMIT", task},
+ {0,0}};
+ struct resources *r;
+
+ sprintf(conf, "%s%s.conf", VSERVERCONF, context);
+
+ /* open the conf file for reading */
+ fb = fopen(conf,"r");
+ if (fb != NULL) {
+ size_t index;
+ char *buffer = malloc(1000);
+ char *p;
+
+ /* the conf file exist */
+ while((p=fgets(buffer,1000-1,fb))!=NULL) {
+ index = 0;
+ len = strnlen(buffer,1000);
+ WHITESPACE(buffer,index,len);
+ if (buffer[index] == '#')
+ continue;
+
+ for (r=list; r->name; r++)
+ if ((p=strstr(&buffer[index],r->name))!=NULL) {
+ /* adjust index into buffer */
+ index+= (p-&buffer[index])+strlen(r->name);
+
+ /* skip over whitespace */
+ WHITESPACE(buffer,index,len);
+
+ /* expecting to see = sign */
+ if (buffer[index++]!='=') goto out;
+
+ /* skip over whitespace */
+ WHITESPACE(buffer,index,len);
+
+ /* expecting to see a digit for number */
+ if (!isdigit((int)buffer[index])) goto out;
+
+ *r->limit = atoi(&buffer[index]);
+ break;
+ }
+ }
+ out:
+ free(buffer);
+ } else {
+ fprintf(stderr,"cannot open %s\n",conf);
+ }
+ free(conf);
+}
+
+
+static int sandbox_processes(xid_t xid, char *context)
{
#ifdef CONFIG_VSERVER_LEGACY
int flags;
exit(1);
}
#else
+ struct vc_rlimit limits;
struct vc_ctx_caps caps;
struct vc_ctx_flags flags;
+ int ctx;
+ int cpu = VC_LIM_KEEP;
+ int mem = VC_LIM_KEEP;
+ int task = VC_LIM_KEEP;
+ get_limits(context,&cpu, &mem, &task);
+ (void) (sandbox_chroot(xid));
caps.ccaps = ~vc_get_insecureccaps();
caps.cmask = ~0ull;
flags.flagword = VC_VXF_INFO_LOCK;
flags.mask = VC_VXF_STATE_SETUP | VC_VXF_INFO_LOCK;
- if ((vc_ctx_create(xid) == VC_NOCTX) && (errno != EEXIST)) {
+ ctx = vc_ctx_create(xid);
+ if (ctx == VC_NOCTX && errno != EEXIST) {
PERROR("vc_ctx_create(%d)", xid);
exit(1);
}
+ /* (re)set the various limits on the (possibly new) context */
+
+ /* CPU */
+ /* not yet */
+
+ /* MEM */
+ limits.min = VC_LIM_KEEP;
+ limits.soft = VC_LIM_KEEP;
+ limits.hard = mem;
+ if (vc_set_rlimit(xid, RLIMIT_RSS, &limits)) {
+ PERROR("vc_set_rlimit(%d, %d, %d/%d/%d)",
+ xid, RLIMIT_RSS, limits.min, limits.soft, limits.hard);
+ exit(1);
+ }
+
+ /* TASK */
+ limits.min = VC_LIM_KEEP;
+ limits.soft = VC_LIM_KEEP;
+ limits.hard = task;
+ if (vc_set_rlimit(xid, RLIMIT_NPROC, &limits)) {
+ PERROR("vc_set_rlimit(%d, %d, %d/%d/%d)",
+ xid, RLIMIT_NPROC, limits.min, limits.soft, limits.hard);
+ exit(1);
+ }
+
if (vc_set_ccaps(xid, &caps) == -1) {
- PERROR("vc_set_ccaps(%d, 0x%16ullx/0x%16ullx, 0x%16ullx/0x%16ullx)\n",
+ PERROR("vc_set_ccaps(%d, 0x%16ullx/0x%16ullx, 0x%16ullx/0x%16ullx)",
xid, caps.ccaps, caps.cmask, caps.bcaps, caps.bmask);
exit(1);
}
if (vc_set_cflags(xid, &flags) == -1) {
- PERROR("vc_set_cflags(%d, 0x%16llx/0x%16llx)\n",
+ PERROR("vc_set_cflags(%d, 0x%16llx/0x%16llx)",
xid, flags.flagword, flags.mask);
exit(1);
}
+
+ /* context already exists, migrate to it */
+ if (ctx == VC_NOCTX && vc_ctx_migrate(xid) == -1) {
+ PERROR("vc_ctx_migrate(%d)", xid);
+ exit(1);
+ }
#endif
return 0;
}
struct passwd pwdd, *pwd = &pwdd, *result;
char *pwdBuffer;
long pwdBuffer_len;
- unsigned remove_cap;
uid_t uid;
pwdBuffer_len = sysconf(_SC_GETPW_R_SIZE_MAX);
PERROR("getpwnam_r(%s)", context);
exit(2);
}
-
- context = (char*)malloc(strlen(pwd->pw_name)+NULLBYTE_SIZE);
- if (!context) {
- PERROR("malloc(%d)");
- exit(2);
- }
- strcpy(context,pwd->pw_name);
+ uid = pwd->pw_uid;
if (setuidgid_root() < 0) { /* For chroot, new_s_context */
fprintf(stderr, "vsh: Could not become root, check that SUID flag is set on binary\n");
exit(2);
}
- uid = pwd->pw_uid;
-
- if (sandbox_chroot(uid) < 0) {
- fprintf(stderr, "vsh: Could not chroot\n");
- exit(2);
- }
+#ifdef CONFIG_VSERVER_LEGACY
+ (void) (sandbox_chroot(uid));
+#endif
- if (sandbox_processes((xid_t) uid) < 0) {
+ if (sandbox_processes((xid_t) uid, context) < 0) {
fprintf(stderr, "vsh: Could not change context to %d\n", uid);
exit(2);
}