#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <stdlib.h>
#include <errno.h>
+#include <limits.h>
#include <pwd.h>
#include <unistd.h>
#include <syscall.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/resource.h>
#include <fcntl.h>
#include <ctype.h>
#include <stdarg.h>
//--------------------------------------------------------------------
#include "vserver.h"
+#include "planetlab.h"
#undef CONFIG_VSERVER_LEGACY
-/* Null byte made explicit */
-#define NULLBYTE_SIZE 1
-
/* Base for all vserver roots for chroot */
#define VSERVER_ROOT_BASE "/vservers"
-static int
-_PERROR(const char *format, char *file, int line, int _errno, ...)
-{
- va_list ap;
-
- va_start(ap, _errno);
- fprintf(stderr, "%s:%d: ", file, line);
- vfprintf(stderr, format, ap);
- if (_errno)
- fprintf(stderr, ": %s (%d)", strerror(_errno), _errno);
- fputs("\n", stderr);
- fflush(stderr);
-
- return _errno;
-}
-
-#define PERROR(format, args...) _PERROR(format, __FILE__, __LINE__, errno, ## args)
-
/* Change to root:root (before entering new context) */
static int setuidgid_root()
{
return 0;
}
-static int sandbox_processes(xid_t xid)
+static int sandbox_processes(xid_t ctx, char *context)
{
#ifdef CONFIG_VSERVER_LEGACY
int flags;
flags |= 1; /* VX_INFO_LOCK -- cannot request a new vx_id */
/* flags |= 4; VX_INFO_NPROC -- limit number of procs in a context */
- (void) vc_new_s_context(xid, 0, flags);
+ (void) vc_new_s_context(ctx, 0, flags);
/* use legacy dirty hack for capremove */
if (vc_new_s_context(VC_SAMECTX, vc_get_insecurebcaps(), flags) == VC_NOCTX) {
exit(1);
}
#else
- struct vc_ctx_caps caps;
- struct vc_ctx_flags flags;
-
- caps.ccaps = ~vc_get_insecureccaps();
- caps.cmask = ~0ull;
- caps.bcaps = ~vc_get_insecurebcaps();
- caps.bmask = ~0ull;
-
- flags.flagword = VC_VXF_INFO_LOCK;
- flags.mask = VC_VXF_STATE_SETUP | VC_VXF_INFO_LOCK;
-
- if (vc_ctx_create(xid) == VC_NOCTX) {
- PERROR("vc_ctx_create(%d)", xid);
- exit(1);
- }
-
- if (vc_set_ccaps(xid, &caps) == -1) {
- PERROR("vc_set_ccaps(%d, 0x%16ullx/0x%16ullx, 0x%16ullx/0x%16ullx)\n",
- xid, caps.ccaps, caps.cmask, caps.bcaps, caps.bmask);
- exit(1);
- }
-
- if (vc_set_cflags(xid, &flags) == -1) {
- PERROR("vc_set_cflags(%d, 0x%16llx/0x%16llx)\n",
- xid, flags.flagword, flags.mask);
- exit(1);
- }
+ int ctx_is_new;
+ struct sliver_resources slr;
+ char hostname[HOST_NAME_MAX+1];
+ pl_get_limits(context,&slr);
+
+ if (gethostname(hostname, sizeof hostname) == -1)
+ {
+ PERROR("gethostname(...)");
+ exit(1);
+ }
+
+ /* check whether the slice has been taken off of the whitelist */
+ if (slr.vs_whitelisted==0)
+ {
+ fprintf(stderr, "*** %s: %s has not been allocated resources on this node ***\n", hostname, context);
+ exit(0);
+ }
+
+ /* check whether the slice has been suspended */
+ if (slr.vs_cpu==0)
+ {
+ fprintf(stderr, "*** %s: %s has zero cpu resources and presumably it has been disabled/suspended ***\n", hostname, context);
+ exit(0);
+ }
+
+ (void) (sandbox_chroot(ctx));
+
+ if ((ctx_is_new = pl_chcontext(ctx, ~vc_get_insecurebcaps(),&slr)) < 0)
+ {
+ PERROR("pl_chcontext(%u)", ctx);
+ exit(1);
+ }
+ if (ctx_is_new)
+ {
+ pl_set_limits(ctx,&slr);
+ pl_setup_done(ctx);
+ }
#endif
return 0;
}
struct passwd pwdd, *pwd = &pwdd, *result;
char *pwdBuffer;
long pwdBuffer_len;
- unsigned remove_cap;
uid_t uid;
pwdBuffer_len = sysconf(_SC_GETPW_R_SIZE_MAX);
PERROR("getpwnam_r(%s)", context);
exit(2);
}
-
- context = (char*)malloc(strlen(pwd->pw_name)+NULLBYTE_SIZE);
- if (!context) {
- PERROR("malloc(%d)");
- exit(2);
- }
- strcpy(context,pwd->pw_name);
+ uid = pwd->pw_uid;
if (setuidgid_root() < 0) { /* For chroot, new_s_context */
fprintf(stderr, "vsh: Could not become root, check that SUID flag is set on binary\n");
exit(2);
}
- uid = pwd->pw_uid;
-
- if (sandbox_chroot(uid) < 0) {
- fprintf(stderr, "vsh: Could not chroot\n");
- exit(2);
- }
+#ifdef CONFIG_VSERVER_LEGACY
+ (void) (sandbox_chroot(uid));
+#endif
- if (sandbox_processes((xid_t) uid) < 0) {
+ if (sandbox_processes((xid_t) uid, context) < 0) {
fprintf(stderr, "vsh: Could not change context to %d\n", uid);
exit(2);
}