X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=python%2Fvserverimpl.c;h=083c945bc1d1c01974ffd3fa0df67cec2feaadad;hb=27829b920327ad00cdc6a388b247b14e1c95faf5;hp=d16dfa3be2bfd9ad1e39ef2959bf60e21deb71c2;hpb=ec4370f7ebd7fb0ce7f002f5bf2c74f03acd3ec1;p=util-vserver.git diff --git a/python/vserverimpl.c b/python/vserverimpl.c index d16dfa3..083c945 100644 --- a/python/vserverimpl.c +++ b/python/vserverimpl.c @@ -39,6 +39,13 @@ POSSIBILITY OF SUCH DAMAGE. #include #include #include +#include +#include +#include +#include +#include +#include +#include #include "config.h" #include "pathconfig.h" @@ -57,10 +64,11 @@ vserver_chcontext(PyObject *self, PyObject *args) { int ctx_is_new; xid_t ctx; - uint_least64_t bcaps = ~vc_get_insecurebcaps(); + uint_least64_t bcaps = 0; - if (!PyArg_ParseTuple(args, "I", &ctx)) + if (!PyArg_ParseTuple(args, "I|K", &ctx, &bcaps)) return NULL; + bcaps |= ~vc_get_insecurebcaps(); if ((ctx_is_new = pl_chcontext(ctx, bcaps, 0)) < 0) return PyErr_SetFromErrno(PyExc_OSError); @@ -266,8 +274,16 @@ vserver_unset_dlimit(PyObject *self, PyObject *args) static PyObject * vserver_killall(PyObject *self, PyObject *args) { - xid_t ctx; - int sig; + xid_t ctx; + int sig; + struct vc_ctx_flags cflags = { + .flagword = 0, + .mask = VC_VXF_PERSISTENT + }; + struct vc_net_flags nflags = { + .flagword = 0, + .mask = VC_NXF_PERSISTENT + }; if (!PyArg_ParseTuple(args, "Ii", &ctx, &sig)) return NULL; 
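Review bot: In vserver_chcontext the new optional argument is merged with `bcaps |= ~vc_get_insecurebcaps();`, so the caller-supplied bits are added to the always-granted set and nothing in this function filters them, whereas vserver_set_bcaps later in the file limits its write to the `vc_get_insecurebcaps()` bits through bmask; that difference deserves a comment next to the OR, e.g. `/* caller bits are added, not filtered: the secure set is always granted, extra bits pass through unmasked */`. Separately, the `K` conversion stores an `unsigned long long` but `bcaps` is declared `uint_least64_t`; the widths agree on the usual targets, but `&bcaps` is only a correct argument where the two are the same type, so parsing into an `unsigned long long` temporary and assigning it afterwards is the safe form.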
@@ -275,6 +291,370 @@ vserver_killall(PyObject *self, PyObject *args) if (vc_ctx_kill(ctx, 0, sig) && errno != ESRCH) return PyErr_SetFromErrno(PyExc_OSError); + if (vc_set_cflags(ctx, &cflags) && errno != ESRCH) + return PyErr_SetFromErrno(PyExc_OSError); + + if (vc_set_nflags(ctx, &nflags) && errno != ESRCH) + return PyErr_SetFromErrno(PyExc_OSError); + + return NONE; +} + +static PyObject * +vserver_set_bcaps(PyObject *self, PyObject *args) +{ + xid_t ctx; + struct vc_ctx_caps caps; + + if (!PyArg_ParseTuple(args, "IK", &ctx, &caps.bcaps)) + return NULL; + + caps.bmask = vc_get_insecurebcaps(); + caps.cmask = caps.ccaps = 0; + if (vc_set_ccaps(ctx, &caps) == -1 && errno != ESRCH) + return PyErr_SetFromErrno(PyExc_OSError); + + return NONE; +} + +static PyObject * +vserver_text2bcaps(PyObject *self, PyObject *args) +{ + struct vc_ctx_caps caps = { .bcaps = 0 }; + const char *list; + int len; + struct vc_err_listparser err; + + if (!PyArg_ParseTuple(args, "s#", &list, &len)) + return NULL; + + vc_list2bcap(list, len, &err, &caps); + + return Py_BuildValue("K", caps.bcaps); +} + +static PyObject * +vserver_get_bcaps(PyObject *self, PyObject *args) +{ + xid_t ctx; + struct vc_ctx_caps caps; + + if (!PyArg_ParseTuple(args, "I", &ctx)) + return NULL; + + if (vc_get_ccaps(ctx, &caps) == -1) { + if (errno != -ESRCH) + return PyErr_SetFromErrno(PyExc_OSError); + else + caps.bcaps = 0; + } + + return Py_BuildValue("K", caps.bcaps & vc_get_insecurebcaps()); +} + +static PyObject * +vserver_bcaps2text(PyObject *self, PyObject *args) +{ + struct vc_ctx_caps caps = { .bcaps = 0 }; + PyObject *list; + const char *cap; + + if (!PyArg_ParseTuple(args, "K", &caps.bcaps)) + return NULL; + + list = PyString_FromString(""); + + while ((cap = vc_lobcap2text(&caps.bcaps)) != NULL) { + if (list == NULL) + break; + PyString_ConcatAndDel(&list, PyString_FromFormat( + (PyString_Size(list) > 0 ? 
",CAP_%s" : "CAP_%s" ), + cap)); + } + + return list; +} + +static const struct AF_to_vcNET { + int af; + vc_net_nx_type vc_net; + size_t len; + size_t offset; +} converter[] = { + { AF_INET, vcNET_IPV4, sizeof(struct in_addr), offsetof(struct sockaddr_in, sin_addr.s_addr) }, + { AF_INET6, vcNET_IPV6, sizeof(struct in6_addr), offsetof(struct sockaddr_in6, sin6_addr.s6_addr) }, + { 0, 0, 0, 0 } +}; + +static inline int +convert_address(const char *str, vc_net_nx_type *type, void *dst) +{ + const struct AF_to_vcNET *i; + for (i = converter; i->af; i++) { + if (inet_pton(i->af, str, dst)) { + *type = i->vc_net; + return 0; + } + } + return -1; +} + +static int +get_mask(struct vc_net_nx *addr) +{ + const struct AF_to_vcNET *i; + struct ifaddrs *head, *ifa; + int ret = 0; + + for (i = converter; i->af; i++) { + if (i->vc_net == addr->type) + break; + } + if (!i) { + errno = EINVAL; + return -1; + } + + if (getifaddrs(&head) == -1) + return -1; + for (ifa = head; ifa; ifa = ifa->ifa_next) { + if (ifa->ifa_addr->sa_family == i->af && + memcmp((char *) ifa->ifa_addr + i->offset, addr->ip, i->len) == 0) { + switch (addr->type) { + case vcNET_IPV4: + memcpy(&addr->mask[0], ifa->ifa_netmask + i->offset, i->len); + break; + case vcNET_IPV6: { + uint32_t *m = ((struct sockaddr_in6 *) ifa->ifa_netmask)->sin6_addr.s6_addr32; + /* optimization for the common case */ + if ((m[1] & 1) == 1 && (m[2] & 0x80000000) == 0) + addr->mask[0] = 64; + else { + addr->mask[0] = 0; + while (m[addr->mask[0] / 32] & (addr->mask[0] % 32)) + addr->mask[0]++; + } + break; + } + } + ret = 1; + break; + } + } + /* no match, use a default */ + if (!ret) { + switch (addr->type) { + case vcNET_IPV4: addr->mask[0] = htonl(0xffffff00); break; + case vcNET_IPV6: addr->mask[0] = 64; break; + default: addr->mask[0] = 0; break; + } + } + freeifaddrs(head); + return ret; +} + +/* XXX These two functions are really similar */ +static PyObject * +vserver_net_add(PyObject *self, PyObject *args) +{ + struct 
vc_net_nx addr; + nid_t nid; + const char *ip; + + if (!PyArg_ParseTuple(args, "Is", &nid, &ip)) + return NULL; + + if (convert_address(ip, &addr.type, &addr.ip) == -1) + return PyErr_Format(PyExc_ValueError, "%s is not a valid IP address", ip); + + switch (get_mask(&addr)) { + case -1: + return PyErr_SetFromErrno(PyExc_OSError); + case 0: + /* XXX error here? */ + break; + } + addr.count = 1; + + if (vc_net_add(nid, &addr) == -1 && errno != ESRCH) + return PyErr_SetFromErrno(PyExc_OSError); + + return NONE; +} + +static PyObject * +vserver_net_remove(PyObject *self, PyObject *args) +{ + struct vc_net_nx addr; + nid_t nid; + const char *ip; + + if (!PyArg_ParseTuple(args, "Is", &nid, &ip)) + return NULL; + + if (strcmp(ip, "all") == 0) + addr.type = vcNET_ANY; + else if (strcmp(ip, "all4") == 0) + addr.type = vcNET_IPV4A; + else if (strcmp(ip, "all6") == 0) + addr.type = vcNET_IPV6A; + else + if (convert_address(ip, &addr.type, &addr.ip) == -1) + return PyErr_Format(PyExc_ValueError, "%s is not a valid IP address", ip); + + switch (get_mask(&addr)) { + case -1: + return PyErr_SetFromErrno(PyExc_OSError); + } + addr.count = 1; + + if (vc_net_remove(nid, &addr) == -1 && errno != ESRCH) + return PyErr_SetFromErrno(PyExc_OSError); + + return NONE; +} + +struct secure_dirs { + int host_fd; + int cwd_fd; + int guest_fd; + int target_fd; +}; + +static inline int +fchroot(int fd) +{ + if (fchdir(fd) == -1 || chroot(".") == -1) + return -1; + return 0; +} + +static inline int +restore_dirs(struct secure_dirs *dirs) +{ + if (dirs->host_fd != -1) { + if (fchroot(dirs->host_fd) == -1) + return -1; + if (close(dirs->host_fd) == -1) + return -1; + } + if (dirs->guest_fd != -1) { + if (close(dirs->guest_fd) == -1) + return -1; + } + if (dirs->target_fd != -1) { + if (close(dirs->target_fd) == -1) + return -1; + } + if (dirs->cwd_fd != -1) { + if (fchdir(dirs->cwd_fd) == -1) + return -1; + if (close(dirs->cwd_fd) == -1) + return -1; + } + return 0; +} + +static inline int 
+secure_chdir(struct secure_dirs *dirs, const char *guest, const char *target) +{ + dirs->host_fd = dirs->cwd_fd = dirs->guest_fd = dirs->target_fd = -1; + + dirs->host_fd = open("/", O_RDONLY|O_DIRECTORY); + if (dirs->host_fd == -1) + return -1; + + dirs->cwd_fd = open(".", O_RDONLY|O_DIRECTORY); + if (dirs->cwd_fd == -1) + return -1; + + dirs->guest_fd = open(guest, O_RDONLY|O_DIRECTORY); + if (dirs->guest_fd == -1) + return -1; + if (fchroot(dirs->guest_fd) == -1) + return -1; + + dirs->target_fd = open(target, O_RDONLY|O_DIRECTORY); + if (dirs->target_fd == -1) + return -1; + + if (fchroot(dirs->host_fd) == -1 || close(dirs->host_fd) == -1) + return -1; + dirs->host_fd = -1; + if (close(dirs->guest_fd) == -1) + return -1; + dirs->guest_fd = -1; + + if (fchdir(dirs->target_fd) == -1 || close(dirs->target_fd) == -1) + return -1; + + return 0; +} + +static PyObject * +vserver_mount(PyObject *self, PyObject *args) +{ + const char *guest, *target, *source, *type, *data = NULL; + unsigned long flags = 0; + struct secure_dirs dirs; + + if (!PyArg_ParseTuple(args, "ssss|ks", &source, &guest, &target, &type, + &flags, &data)) + return NULL; + + if (secure_chdir(&dirs, guest, target) == -1) + goto out; + if (mount(source, ".", type, flags, data) == -1) + goto out; + restore_dirs(&dirs); + + return NONE; + +out: + restore_dirs(&dirs); + return PyErr_SetFromErrno(PyExc_OSError); +} + +static PyObject * +vserver_umount(PyObject *self, PyObject *args) +{ + const char *guest, *target; + int flags = 0; + char *path; + PyObject *ret; + + if (!PyArg_ParseTuple(args, "ss|i", &guest, &target, &flags)) + return NULL; + + path = calloc(strlen(guest) + strlen(target) + 2, sizeof(char)); + sprintf(path, "%s/%s", guest, target); + if (umount2(path, flags) == -1) + ret = PyErr_SetFromErrno(PyExc_OSError); + else + ret = NONE; + free(path); + + return ret; +} + +static PyObject * +vserver_set_runlevel(PyObject *self, PyObject *args) +{ + const char *file; + int runlevel; + struct utmp 
ut; + + if (!PyArg_ParseTuple(args, "si", &file, &runlevel)) + return NULL; + + utmpname(file); + setutent(); + memset(&ut, 0, sizeof(ut)); + ut.ut_type = RUN_LVL; + ut.ut_pid = ('#' << 8) + runlevel + '0'; + pututline(&ut); + endutent(); + return NONE; } @@ -299,6 +679,24 @@ static PyMethodDef methods[] = { "Send signal to all processes in vserver context" }, { "isrunning", vserver_isrunning, METH_VARARGS, "Check if vserver is running"}, + { "setbcaps", vserver_set_bcaps, METH_VARARGS, + "Set POSIX capabilities of a vserver context" }, + { "getbcaps", vserver_get_bcaps, METH_VARARGS, + "Get POSIX capabilities of a vserver context" }, + { "text2bcaps", vserver_text2bcaps, METH_VARARGS, + "Translate a string of capabilities to a bitmap" }, + { "bcaps2text", vserver_bcaps2text, METH_VARARGS, + "Translate a capability-bitmap into a string" }, + { "netadd", vserver_net_add, METH_VARARGS, + "Assign an IP address to a context" }, + { "netremove", vserver_net_remove, METH_VARARGS, + "Remove IP address(es) from a context" }, + { "mount", vserver_mount, METH_VARARGS, + "Perform the mount() system call" }, + { "umount", vserver_umount, METH_VARARGS, + "Perform the umount2() system call" }, + { "setrunlevel", vserver_set_runlevel, METH_VARARGS, + "Set the runlevel in utmp" }, { NULL, NULL, 0, NULL } };
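Review bot: In get_mask the netmask copy `memcpy(&addr->mask[0], ifa->ifa_netmask + i->offset, i->len);` adds a byte offset to a `struct sockaddr *`, so the addition is scaled by sizeof(struct sockaddr) and reads beyond the netmask; the ifa_addr comparison two lines earlier casts to `(char *)` first and the copy needs the same cast. The same function's `if (!i)` guard can never fire because the lookup loop stops on the `{ 0, 0, 0, 0 }` sentinel rather than on NULL (so the vcNET_ANY/IPV4A/IPV6A types that vserver_net_remove passes proceed into the interface scan with af 0), `ifa->ifa_addr` and `ifa->ifa_netmask` may be NULL per getifaddrs(3), and the IPv6 prefix loop tests `m[...] & (addr->mask[0] % 32)` as a value rather than a single bit, so the non-/64 branch does not compute a prefix length; the rewritten lookup check and interface loop are below. Elsewhere in the hunk, vserver_get_bcaps compares `errno != -ESRCH` (a negative value errno never holds), so the missing-context fallback to `caps.bcaps = 0` is dead code while vserver_set_bcaps uses `errno != ESRCH`. vserver_umount does not check the `calloc` result before `sprintf`, and it resolves `guest/target` as an ordinary host path, following any symlink under guest with host semantics, whereas vserver_mount goes through secure_chdir; vserver_mount in turn discards the return value of `restore_dirs(&dirs)` on its success path, so a failure to return to the host root is reported as success.
```c
static int
get_mask(struct vc_net_nx *addr)
{
  /* … unchanged: locals and the converter lookup loop … */
  if (!i->af) {                 /* sentinel reached, not a NULL pointer */
    errno = EINVAL;
    return -1;
  }

  if (getifaddrs(&head) == -1)
    return -1;
  for (ifa = head; ifa; ifa = ifa->ifa_next) {
    /* getifaddrs(3): ifa_addr and ifa_netmask may be NULL */
    if (!ifa->ifa_addr || !ifa->ifa_netmask)
      continue;
    if (ifa->ifa_addr->sa_family == i->af &&
        memcmp((char *) ifa->ifa_addr + i->offset, addr->ip, i->len) == 0) {
      switch (addr->type) {
      case vcNET_IPV4:
        /* byte offset: cast before adding, as for ifa_addr above */
        memcpy(&addr->mask[0], (char *) ifa->ifa_netmask + i->offset, i->len);
        break;
      case vcNET_IPV6: {
        const unsigned char *m =
          ((struct sockaddr_in6 *) ifa->ifa_netmask)->sin6_addr.s6_addr;
        /* prefix length = number of leading one bits in the netmask */
        addr->mask[0] = 0;
        while (addr->mask[0] < 128 &&
               (m[addr->mask[0] / 8] & (0x80 >> (addr->mask[0] % 8))))
          addr->mask[0]++;
        break;
      }
      default:
        break;
      }
      ret = 1;
      break;
    }
  }
  /* … unchanged: default mask when no interface matched, freeifaddrs, return … */
```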
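Review bot: The docstrings for "setbcaps" and "getbcaps" describe setting and reading the capabilities of a context, but vserver_set_bcaps writes only the `vc_get_insecurebcaps()` bits (its bmask) and vserver_get_bcaps masks its result with the same set, so the strings should state that, e.g. `"Set the insecure POSIX capabilities (vc_get_insecurebcaps() bits) of a vserver context"` and `"Get the insecure POSIX capabilities (vc_get_insecurebcaps() bits) of a vserver context"`. The "umount" entry could likewise say that umount2 is applied to `guest/target`, since the path is the concatenation rather than the `target` argument alone.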