2 * A Process Isolator based in Linux Containers
4 * (c) 2012 Martin Mares <mj@ucw.cz>
25 #include <sys/signal.h>
26 #include <sys/resource.h>
27 #include <sys/mount.h>
30 #define NONRET __attribute__((noreturn))
31 #define UNUSED __attribute__((unused))
32 #define ARRAY_SIZE(a) (int)(sizeof(a)/sizeof(a[0]))
34 #define BOX_DIR CONFIG_ISOLATE_BOX_DIR
35 #define BOX_UID CONFIG_ISOLATE_BOX_UID
36 #define BOX_GID CONFIG_ISOLATE_BOX_GID
38 static int timeout; /* milliseconds */
39 static int wall_timeout;
40 static int extra_timeout;
41 static int pass_environ;
43 static int memory_limit;
44 static int stack_limit;
45 static int max_processes = 1;
46 static char *redir_stdin, *redir_stdout, *redir_stderr;
49 static int cg_memory_limit;
51 static char *cg_root = "/sys/fs/cgroup";
53 static uid_t orig_uid;
54 static gid_t orig_gid;
57 static int partial_line;
58 static char cleanup_cmd[256];
60 static struct timeval start_time;
61 static int ticks_per_sec;
62 static int total_ms, wall_ms;
63 static volatile sig_atomic_t timer_tick;
65 static int error_pipes[2];
66 static int write_errors_to_fd;
67 static int read_errors_from_fd;
69 static void die(char *msg, ...) NONRET;
70 static void cg_stats(void);
71 static int get_wall_time_ms(void);
72 static int get_run_time_ms(void);
76 static FILE *metafile;
79 meta_open(const char *name)
81 if (!strcmp(name, "-"))
86 metafile = fopen(name, "w");
88 die("Failed to open metafile '%s'",name);
94 if (metafile && metafile != stdout)
98 static void __attribute__((format(printf,1,2)))
99 meta_printf(const char *fmt, ...)
106 vfprintf(metafile, fmt, args);
111 final_stats(struct rusage *rus)
113 total_ms = get_run_time_ms();
114 wall_ms = get_wall_time_ms();
116 meta_printf("time:%d.%03d\n", total_ms/1000, total_ms%1000);
117 meta_printf("time-wall:%d.%03d\n", wall_ms/1000, wall_ms%1000);
118 meta_printf("max-rss:%ld\n", rus->ru_maxrss);
119 meta_printf("csw-voluntary:%ld\n", rus->ru_nvcsw);
120 meta_printf("csw-forced:%ld\n", rus->ru_nivcsw);
125 /*** Messages and exits ***/
128 xsystem(const char *cmd)
130 int ret = system(cmd);
132 die("system(\"%s\"): %m", cmd);
133 if (!WIFEXITED(ret) || WEXITSTATUS(ret))
134 die("system(\"%s\"): Exited with status %d", cmd, ret);
142 kill(-box_pid, SIGKILL);
143 kill(box_pid, SIGKILL);
144 meta_printf("killed:1\n");
149 p = wait4(box_pid, &stat, 0, &rus);
150 while (p < 0 && errno == EINTR);
152 fprintf(stderr, "UGH: Lost track of the process (%m)\n");
157 if (rc < 2 && cleanup_cmd[0])
158 xsystem(cleanup_cmd);
172 /* Report an error of the sandbox itself */
173 static void NONRET __attribute__((format(printf,1,2)))
179 int n = vsnprintf(buf, sizeof(buf), msg, args);
181 if (write_errors_to_fd)
183 // We are inside the box, have to use error pipe for error reporting.
184 // We hope that the whole error message fits in PIPE_BUF bytes.
185 write(write_errors_to_fd, buf, n);
189 // Otherwise, we in the box keeper process, so we report errors normally
191 meta_printf("status:XX\nmessage:%s\n", buf);
197 /* Report an error of the program inside the sandbox */
198 static void NONRET __attribute__((format(printf,1,2)))
204 if (msg[0] && msg[1] && msg[2] == ':' && msg[3] == ' ')
206 meta_printf("status:%c%c\n", msg[0], msg[1]);
210 vsnprintf(buf, sizeof(buf), msg, args);
211 meta_printf("message:%s\n", buf);
217 /* Write a message, but only if in verbose mode */
218 static void __attribute__((format(printf,1,2)))
225 int len = strlen(msg);
227 partial_line = (msg[len-1] != '\n');
228 vfprintf(stderr, msg, args);
237 void *p = malloc(size);
239 die("Out of memory");
243 /*** Environment rules ***/
246 char *var; // Variable to match
247 char *val; // ""=clear, NULL=inherit
249 struct env_rule *next;
252 static struct env_rule *first_env_rule;
253 static struct env_rule **last_env_rule = &first_env_rule;
255 static struct env_rule default_env_rules[] = {
256 { "LIBC_FATAL_STDERR_", "1" }
260 set_env_action(char *a0)
262 struct env_rule *r = xmalloc(sizeof(*r) + strlen(a0) + 1);
263 char *a = (char *)(r+1);
266 char *sep = strchr(a, '=');
278 last_env_rule = &r->next;
284 match_env_var(char *env_entry, struct env_rule *r)
286 if (strncmp(env_entry, r->var, r->var_len))
288 return (env_entry[r->var_len] == '=');
292 apply_env_rule(char **env, int *env_sizep, struct env_rule *r)
294 // First remove the variable if already set
296 while (pos < *env_sizep && !match_env_var(env[pos], r))
298 if (pos < *env_sizep)
301 env[pos] = env[*env_sizep];
302 env[*env_sizep] = NULL;
305 // What is the new value?
311 new = xmalloc(r->var_len + 1 + strlen(r->val) + 1);
312 sprintf(new, "%s=%s", r->var, r->val);
317 while (environ[pos] && !match_env_var(environ[pos], r))
319 if (!(new = environ[pos]))
323 // Add it at the end of the array
324 env[(*env_sizep)++] = new;
325 env[*env_sizep] = NULL;
329 setup_environment(void)
331 // Link built-in rules with user rules
332 for (int i=ARRAY_SIZE(default_env_rules)-1; i >= 0; i--)
334 default_env_rules[i].next = first_env_rule;
335 first_env_rule = &default_env_rules[i];
338 // Scan the original environment
339 char **orig_env = environ;
341 while (orig_env[orig_size])
344 // For each rule, reserve one more slot and calculate length
346 for (struct env_rule *r = first_env_rule; r; r=r->next)
349 r->var_len = strlen(r->var);
352 // Create a new environment
353 char **env = xmalloc((orig_size + num_rules + 1) * sizeof(char *));
357 memcpy(env, environ, orig_size * sizeof(char *));
364 // Apply the rules one by one
365 for (struct env_rule *r = first_env_rule; r; r=r->next)
366 apply_env_rule(env, &size, r);
368 // Return the new env and pass some gossip
371 fprintf(stderr, "Passing environment:\n");
372 for (int i=0; env[i]; i++)
373 fprintf(stderr, "\t%s\n", env[i]);
378 /*** Control groups ***/
380 static char cg_path[256];
382 #define CG_BUFSIZE 1024
385 cg_read(char *attr, char *buf)
395 snprintf(path, sizeof(path), "%s/%s", cg_path, attr);
397 int fd = open(path, O_RDONLY);
402 die("Cannot read %s: %m", path);
405 int n = read(fd, buf, CG_BUFSIZE);
407 die("Cannot read %s: %m", path);
408 if (n >= CG_BUFSIZE - 1)
409 die("Attribute %s too long", path);
410 if (n > 0 && buf[n-1] == '\n')
415 msg("CG: Read %s = %s\n", attr, buf);
421 static void __attribute__((format(printf,2,3)))
422 cg_write(char *attr, char *fmt, ...)
427 char buf[CG_BUFSIZE];
428 int n = vsnprintf(buf, sizeof(buf), fmt, args);
430 die("cg_writef: Value for attribute %s is too long", attr);
433 msg("CG: Write %s = %s", attr, buf);
436 snprintf(path, sizeof(path), "%s/%s", cg_path, attr);
438 int fd = open(path, O_WRONLY | O_TRUNC);
440 die("Cannot write %s: %m", path);
442 int written = write(fd, buf, n);
444 die("Cannot set %s to %s: %m", path, buf);
446 die("Short write to %s (%d out of %d bytes)", path, written, n);
459 if (stat(cg_root, &st) < 0 || !S_ISDIR(st.st_mode))
460 die("Control group filesystem at %s not mounted", cg_root);
462 snprintf(cg_path, sizeof(cg_path), "%s/box-%d", cg_root, BOX_UID);
463 msg("Using control group %s\n", cg_path);
473 char buf[CG_BUFSIZE];
475 if (stat(cg_path, &st) >= 0 || errno != ENOENT)
477 msg("Control group %s already exists, trying to empty it.\n", cg_path);
478 if (rmdir(cg_path) < 0)
479 die("Failed to reset control group %s: %m", cg_path);
482 if (mkdir(cg_path, 0777) < 0)
483 die("Failed to create control group %s: %m", cg_path);
485 // If cpuset module is enabled, copy allowed cpus and memory nodes from parent group
486 if (cg_read("?../cpuset.cpus", buf))
487 cg_write("cpuset.cpus", "%s", buf);
488 if (cg_read("?../cpuset.mems", buf))
489 cg_write("cpuset.mems", "%s", buf);
498 msg("Entering control group %s\n", cg_path);
501 if (stat(cg_path, &st) < 0)
502 die("Control group %s does not exist: %m", cg_path);
506 cg_write("memory.limit_in_bytes", "%lld\n", (long long) cg_memory_limit << 10);
507 cg_write("memory.memsw.limit_in_bytes", "%lld\n", (long long) cg_memory_limit << 10);
511 cg_write("cpuacct.usage", "0\n");
513 cg_write("tasks", "%d\n", (int) getpid());
517 cg_get_run_time_ms(void)
522 char buf[CG_BUFSIZE];
523 cg_read("cpuacct.usage", buf);
524 unsigned long long ns = atoll(buf);
534 char buf[CG_BUFSIZE];
536 // Memory usage statistics
537 unsigned long long mem=0, memsw=0;
538 if (cg_read("?memory.max_usage_in_bytes", buf))
540 if (cg_read("?memory.memsw.max_usage_in_bytes", buf))
547 meta_printf("cg-mem:%lld\n", mem >> 10);
553 char buf[CG_BUFSIZE];
558 cg_read("tasks", buf);
560 die("Some tasks left in control group %s, failed to remove it", cg_path);
562 if (rmdir(cg_path) < 0)
563 die("Cannot remove control group %s: %m", cg_path);
566 /*** The keeper process ***/
569 signal_alarm(int unused UNUSED)
571 /* Time limit checks are synchronous, so we only schedule them there. */
577 signal_int(int unused UNUSED)
579 /* Interrupts are fatal, so no synchronization requirements. */
580 meta_printf("exitsig:%d\n", SIGINT);
581 err("SG: Interrupted");
584 #define PROC_BUF_SIZE 4096
586 read_proc_file(char *buf, char *name, int *fdp)
592 sprintf(buf, "/proc/%d/%s", (int) box_pid, name);
593 *fdp = open(buf, O_RDONLY);
595 die("open(%s): %m", buf);
597 lseek(*fdp, 0, SEEK_SET);
598 if ((c = read(*fdp, buf, PROC_BUF_SIZE-1)) < 0)
599 die("read on /proc/$pid/%s: %m", name);
600 if (c >= PROC_BUF_SIZE-1)
601 die("/proc/$pid/%s too long", name);
606 get_wall_time_ms(void)
608 struct timeval now, wall;
609 gettimeofday(&now, NULL);
610 timersub(&now, &start_time, &wall);
611 return wall.tv_sec*1000 + wall.tv_usec/1000;
615 get_run_time_ms(void)
618 return cg_get_run_time_ms();
620 char buf[PROC_BUF_SIZE], *x;
622 static int proc_stat_fd;
624 read_proc_file(buf, "stat", &proc_stat_fd);
626 while (*x && *x != ' ')
631 die("proc stat syntax error 1");
632 while (*x && (*x != ')' || x[1] != ' '))
634 while (*x == ')' || *x == ' ')
636 if (sscanf(x, "%*c %*d %*d %*d %*d %*d %*d %*d %*d %*d %*d %d %d", &utime, &stime) != 2)
637 die("proc stat syntax error 2");
639 return (utime + stime) * 1000 / ticks_per_sec;
647 int wall_ms = get_wall_time_ms();
648 if (wall_ms > wall_timeout)
649 err("TO: Time limit exceeded (wall clock)");
651 fprintf(stderr, "[wall time check: %d msec]\n", wall_ms);
655 int ms = get_run_time_ms();
657 fprintf(stderr, "[time check: %d msec]\n", ms);
658 if (ms > timeout && ms > extra_timeout)
659 err("TO: Time limit exceeded");
666 read_errors_from_fd = error_pipes[0];
667 close(error_pipes[1]);
670 bzero(&sa, sizeof(sa));
671 sa.sa_handler = signal_int;
672 sigaction(SIGINT, &sa, NULL);
674 gettimeofday(&start_time, NULL);
675 ticks_per_sec = sysconf(_SC_CLK_TCK);
676 if (ticks_per_sec <= 0)
677 die("Invalid ticks_per_sec!");
679 if (timeout || wall_timeout)
681 sa.sa_handler = signal_alarm;
682 sigaction(SIGALRM, &sa, NULL);
696 p = wait4(box_pid, &stat, 0, &rus);
704 die("wait4: unknown pid %d exited!", p);
707 // Check error pipe if there is an internal error passed from inside the box
709 int n = read(read_errors_from_fd, interr, sizeof(interr) - 1);
719 if (WEXITSTATUS(stat))
721 meta_printf("exitcode:%d\n", WEXITSTATUS(stat));
722 err("RE: Exited with error status %d", WEXITSTATUS(stat));
724 if (timeout && total_ms > timeout)
725 err("TO: Time limit exceeded");
726 if (wall_timeout && wall_ms > wall_timeout)
727 err("TO: Time limit exceeded (wall clock)");
729 fprintf(stderr, "OK (%d.%03d sec real, %d.%03d sec wall)\n",
730 total_ms/1000, total_ms%1000,
731 wall_ms/1000, wall_ms%1000);
734 else if (WIFSIGNALED(stat))
736 meta_printf("exitsig:%d\n", WTERMSIG(stat));
738 err("SG: Caught fatal signal %d", WTERMSIG(stat));
740 else if (WIFSTOPPED(stat))
742 meta_printf("exitsig:%d\n", WSTOPSIG(stat));
744 err("SG: Stopped by signal %d", WSTOPSIG(stat));
747 die("wait4: unknown status %x, giving up!", stat);
751 /*** The process running inside the box ***/
756 if (mkdir("root", 0750) < 0 && errno != EEXIST)
757 die("mkdir('root'): %m");
759 if (mount("none", "root", "tmpfs", 0, "mode=755") < 0)
760 die("Cannot mount root ramdisk: %m");
762 static const char * const dirs[] = { "box", "/bin", "/lib", "/usr", "/dev" };
763 for (int i=0; i < ARRAY_SIZE(dirs); i++)
765 const char *d = dirs[i];
767 snprintf(buf, sizeof(buf), "root/%s", (d[0] == '/' ? d+1 : d));
768 msg("Binding %s on %s\n", d, buf);
769 if (mkdir(buf, 0755) < 0)
770 die("mkdir(%s): %m", buf);
771 if (mount(d, buf, "none", MS_BIND | MS_NOSUID | MS_NODEV, "") < 0)
772 die("Cannot bind %s on %s: %m", d, buf);
775 if (mkdir("root/proc", 0755) < 0)
776 die("Cannot create proc: %m");
777 if (mount("none", "root/proc", "proc", 0, "") < 0)
778 die("Cannot mount proc: %m");
780 if (chroot("root") < 0)
781 die("Chroot failed: %m");
783 if (chdir("root/box") < 0)
784 die("Cannot change current directory: %m");
788 setup_credentials(void)
790 if (setresgid(BOX_GID, BOX_GID, BOX_GID) < 0)
791 die("setresgid: %m");
792 if (setgroups(0, NULL) < 0)
793 die("setgroups: %m");
794 if (setresuid(BOX_UID, BOX_UID, BOX_UID) < 0)
795 die("setresuid: %m");
805 if (open(redir_stdin, O_RDONLY) != 0)
806 die("open(\"%s\"): %m", redir_stdin);
811 if (open(redir_stdout, O_WRONLY | O_CREAT | O_TRUNC, 0666) != 1)
812 die("open(\"%s\"): %m", redir_stdout);
817 if (open(redir_stderr, O_WRONLY | O_CREAT | O_TRUNC, 0666) != 2)
818 die("open(\"%s\"): %m", redir_stderr);
825 setup_rlim(const char *res_name, int res, rlim_t limit)
827 struct rlimit rl = { .rlim_cur = limit, .rlim_max = limit };
828 if (setrlimit(res, &rl) < 0)
829 die("setrlimit(%s, %jd)", res_name, (intmax_t) limit);
835 #define RLIM(res, val) setup_rlim("RLIMIT_" #res, RLIMIT_##res, val)
838 RLIM(AS, memory_limit * 1024);
840 RLIM(STACK, (stack_limit ? (rlim_t)stack_limit * 1024 : RLIM_INFINITY));
845 RLIM(NPROC, max_processes);
851 box_inside(void *arg)
854 write_errors_to_fd = error_pipes[1];
855 close(error_pipes[0]);
862 char **env = setup_environment();
864 execve(args[0], args, env);
865 die("execve(\"%s\"): %m", args[0]);
873 msg("Preparing sandbox directory\n");
874 xsystem("rm -rf box");
875 if (mkdir("box", 0700) < 0)
876 die("Cannot create box: %m");
877 if (chown("box", orig_uid, orig_gid) < 0)
878 die("Cannot chown box: %m");
887 if (stat("box", &st) < 0 || !S_ISDIR(st.st_mode))
888 die("Box directory not found, there isn't anything to clean up");
890 msg("Deleting sandbox directory\n");
891 xsystem("rm -rf box");
899 if (stat("box", &st) < 0 || !S_ISDIR(st.st_mode))
900 die("Box directory not found, did you run `isolate --init'?");
903 snprintf(cmd, sizeof(cmd), "chown -R %d.%d box", BOX_UID, BOX_GID);
905 snprintf(cleanup_cmd, sizeof(cleanup_cmd), "chown -R %d.%d box", orig_uid, orig_gid);
907 if (pipe(error_pipes) < 0)
909 for (int i=0; i<2; i++)
910 if (fcntl(error_pipes[i], F_SETFD, fcntl(error_pipes[i], F_GETFD) | FD_CLOEXEC) < 0 ||
911 fcntl(error_pipes[i], F_SETFL, fcntl(error_pipes[i], F_GETFL) | O_NONBLOCK) < 0)
912 die("fcntl on pipe: %m");
915 box_inside, // Function to execute as the body of the new process
916 argv, // Pass our stack
917 SIGCHLD | CLONE_NEWIPC | CLONE_NEWNET | CLONE_NEWNS | CLONE_NEWPID,
918 argv); // Pass the arguments
922 die("clone returned 0");
930 printf("Process isolator 0.0\n");
931 printf("(c) 2012 Martin Mares <mj@ucw.cz>\n\n");
932 printf("Sandbox directory: %s\n", BOX_DIR);
933 printf("Sandbox credentials: uid=%u gid=%u\n", BOX_UID, BOX_GID);
941 fprintf(stderr, "Invalid arguments!\n");
943 Usage: isolate [<options>] <command>\n\
946 -c, --cg[=<parent>]\tPut process in a control group (optionally a sub-group of <parent>)\n\
947 --cg-mem=<size>\tLimit memory usage of the control group to <size> KB\n\
948 --cg-timing\t\tTime limits affects total run time of the control group\n\
949 -E, --env=<var>\tInherit the environment variable <var> from the parent process\n\
950 -E, --env=<var>=<val>\tSet the environment variable <var> to <val>; unset it if <var> is empty\n\
951 -x, --extra-time=<time>\tSet extra timeout, before which a timing-out program is not yet killed,\n\
952 \t\t\tso that its real execution time is reported (seconds, fractions allowed)\n\
953 -e, --full-env\t\tInherit full environment of the parent process\n\
954 -m, --mem=<size>\tLimit address space to <size> KB\n\
955 -M, --meta=<file>\tOutput process information to <file> (name:value)\n\
956 -k, --stack=<size>\tLimit stack size to <size> KB (default: 0=unlimited)\n\
957 -r, --stderr=<file>\tRedirect stderr to <file>\n\
958 -i, --stdin=<file>\tRedirect stdin from <file>\n\
959 -o, --stdout=<file>\tRedirect stdout to <file>\n\
960 -p, --processes[=<max>]\tEnable multiple processes (at most <max> of them); needs --cg\n\
961 -t, --time=<time>\tSet run time limit (seconds, fractions allowed)\n\
962 -v, --verbose\t\tBe verbose (use multiple times for even more verbosity)\n\
963 -w, --wall-time=<time>\tSet wall clock time limit (seconds, fractions allowed)\n\
966 --init\t\tInitialize sandbox (and its control group when --cg is used)\n\
967 --run -- <cmd> ...\tRun given command within sandbox\n\
968 --cleanup\t\tClean up sandbox\n\
969 --version\t\tDisplay program version and configuration\n\
983 static const char short_opts[] = "c::eE:i:k:m:M:o:p::r:t:vw:x:";
985 static const struct option long_opts[] = {
986 { "cg", 2, NULL, 'c' },
987 { "cg-mem", 1, NULL, OPT_CG_MEM },
988 { "cg-timing", 0, NULL, OPT_CG_TIMING },
989 { "cleanup", 0, NULL, OPT_CLEANUP },
990 { "env", 1, NULL, 'E' },
991 { "extra-time", 1, NULL, 'x' },
992 { "full-env", 0, NULL, 'e' },
993 { "init", 0, NULL, OPT_INIT },
994 { "mem", 1, NULL, 'm' },
995 { "meta", 1, NULL, 'M' },
996 { "processes", 2, NULL, 'p' },
997 { "run", 0, NULL, OPT_RUN },
998 { "stack", 1, NULL, 'k' },
999 { "stderr", 1, NULL, 'r' },
1000 { "stdin", 1, NULL, 'i' },
1001 { "stdout", 1, NULL, 'o' },
1002 { "time", 1, NULL, 't' },
1003 { "verbose", 0, NULL, 'v' },
1004 { "version", 0, NULL, OPT_VERSION },
1005 { "wall-time", 1, NULL, 'w' },
1006 { NULL, 0, NULL, 0 }
1010 main(int argc, char **argv)
1013 enum opt_code mode = 0;
1015 while ((c = getopt_long(argc, argv, short_opts, long_opts, NULL)) >= 0)
1027 if (!set_env_action(optarg))
1031 stack_limit = atoi(optarg);
1034 redir_stdin = optarg;
1037 memory_limit = atoi(optarg);
1043 redir_stdout = optarg;
1047 max_processes = atoi(optarg);
1052 redir_stderr = optarg;
1055 timeout = 1000*atof(optarg);
1061 wall_timeout = 1000*atof(optarg);
1064 extra_timeout = 1000*atof(optarg);
1073 cg_memory_limit = atoi(optarg);
1084 if (mode == OPT_VERSION)
1091 die("Must be started as root");
1092 orig_uid = getuid();
1093 orig_gid = getgid();
1096 if (chdir(BOX_DIR) < 0)
1097 die("chdir(%s): %m", BOX_DIR);
1118 die("Internal error: mode mismatch");
projects / moe.git / blob