-#include <sys/resource.h>
-#include <fcntl.h>
-#include <ctype.h>
-#include <stdarg.h>
-
-//--------------------------------------------------------------------
-#include <vserver.h>
-#include "planetlab.h"
-
-/* Change to root:root (before entering new context) */
-static int setuidgid_root()
-{
- if (setgid(0) < 0) {
- PERROR("setgid(0)");
- return -1;
- }
- if (setuid(0) < 0) {
- PERROR("setuid(0)");
- return -1;
- }
- return 0;
-}
-
-static void compute_new_root(char *base, char **root, const struct passwd *pwd)
-{
- int root_len;
-
- root_len =
- strlen(base) + strlen("/") +
- strlen(pwd->pw_name) + NULLBYTE_SIZE;
- (*root) = (char *)malloc(root_len);
- if ((*root) == NULL) {
- PERROR("malloc(%d)", root_len);
- exit(1);
- }
-
- sprintf((*root), "%s/%s", base, pwd->pw_name);
- (*root)[root_len - 1] = '\0';
-}
-
-static int sandbox_chroot(const struct passwd *pwd)
-{
- char *sandbox_root = NULL;
-
- compute_new_root(DEFAULT_VSERVERDIR,&sandbox_root, pwd);
- if (chroot(sandbox_root) < 0) {
- PERROR("chroot(%s)", sandbox_root);
- exit(1);
- }
- if (chdir("/") < 0) {
- PERROR("chdir(/)");
- exit(1);
- }
- return 0;
-}
-
-static int sandbox_processes(xid_t ctx, const char *context, const struct passwd *pwd)
-{
-#ifdef CONFIG_VSERVER_LEGACY
- int flags;
-
- flags = 0;
- flags |= 1; /* VX_INFO_LOCK -- cannot request a new vx_id */
- /* flags |= 4; VX_INFO_NPROC -- limit number of procs in a context */
-
- (void) vc_new_s_context(ctx, 0, flags);
-
- /* use legacy dirty hack for capremove */
- if (vc_new_s_context(VC_SAMECTX, vc_get_insecurebcaps(), flags) == VC_NOCTX) {
- PERROR("vc_new_s_context(%u, 0x%16llx, 0x%08x)",
- VC_SAMECTX, vc_get_insecurebcaps(), flags);
- exit(1);
- }
-#else
- int ctx_is_new;
- struct sliver_resources slr;
- char hostname[HOST_NAME_MAX+1];
- pl_get_limits(context,&slr);
-
- if (gethostname(hostname, sizeof hostname) == -1)
- {
- PERROR("gethostname(...)");
- exit(1);
- }
-
- /* check whether the slice has been suspended */
- if (slr.vs_cpu==0)
- {
- fprintf(stderr, "*** %s: %s has zero cpu resources and presumably it has been disabled/suspended ***\n", hostname, context);
- exit(0);
- }
-
- (void) (sandbox_chroot(pwd));