X-Git-Url: http://mj.ucw.cz/gitweb/?a=blobdiff_plain;f=isolate%2Fisolate.c;h=c383664619d0698336702e3e2b755b58f97dfed0;hb=4af13f1bd0c9c39b756071754b513a4797c88f46;hp=ea14aa9998ba4f6e79dd6a838104ad92b558af7b;hpb=28c3aa2bd73958557fc5e5441bcb7a2a2ca1c375;p=moe.git

diff --git a/isolate/isolate.c b/isolate/isolate.c
index ea14aa9..c383664 100644
--- a/isolate/isolate.c
+++ b/isolate/isolate.c
@@ -21,21 +21,21 @@
 #include <sched.h>
 #include <time.h>
 #include <grp.h>
+#include <mntent.h>
+#include <limits.h>
 #include <sys/wait.h>
 #include <sys/time.h>
 #include <sys/signal.h>
 #include <sys/resource.h>
 #include <sys/mount.h>
 #include <sys/stat.h>
+#include <sys/quota.h>
+#include <sys/vfs.h>
 
 #define NONRET __attribute__((noreturn))
 #define UNUSED __attribute__((unused))
 #define ARRAY_SIZE(a) (int)(sizeof(a)/sizeof(a[0]))
 
-#define BOX_DIR CONFIG_ISOLATE_BOX_DIR
-#define BOX_UID CONFIG_ISOLATE_BOX_UID
-#define BOX_GID CONFIG_ISOLATE_BOX_GID
-
 static int timeout;			/* milliseconds */
 static int wall_timeout;
 static int extra_timeout;
@@ -43,18 +43,24 @@ static int pass_environ;
 static int verbose;
 static int memory_limit;
 static int stack_limit;
+static int block_quota;
+static int inode_quota;
 static int max_processes = 1;
 static char *redir_stdin, *redir_stdout, *redir_stderr;
 
 static int cg_enable;
 static int cg_memory_limit;
 static int cg_timing;
-static char *cg_root = "/sys/fs/cgroup";
 
+static int box_id;
+static char box_dir[1024];
+static pid_t box_pid;
+
+static uid_t box_uid;
+static gid_t box_gid;
 static uid_t orig_uid;
 static gid_t orig_gid;
 
-static pid_t box_pid;
 static int partial_line;
 static char cleanup_cmd[256];
 
@@ -393,7 +399,7 @@ setup_environment(void)
   return env;
 }
 
-/*** Mount rules ***/
+/*** Directory rules ***/
 
 struct dir_rule {
   char *inside;			// A relative path
@@ -407,8 +413,11 @@ enum dir_rule_flags {
   DIR_FLAG_NOEXEC = 2,
   DIR_FLAG_FS = 4,
   DIR_FLAG_MAYBE = 8,
+  DIR_FLAG_DEV = 16,
 };
 
+static const char * const dir_flag_names[] = { "rw", "noexec", "fs", "maybe", "dev" };
+
 static struct dir_rule *first_dir_rule;
 static struct dir_rule **last_dir_rule = &first_dir_rule;
 
@@ -434,14 +443,14 @@ static int add_dir_rule(char *in, char *out, unsigned int flags)
 
   // Override an existing rule
   struct dir_rule *r;
-  for (r = first_dir_rule; r; r=r->next)
+  for (r = first_dir_rule; r; r = r->next)
     if (!strcmp(r->inside, in))
       break;
 
   // Add a new rule
   if (!r)
     {
-      struct dir_rule *r = xmalloc(sizeof(*r));
+      r = xmalloc(sizeof(*r));
       r->inside = in;
       *last_dir_rule = r;
       last_dir_rule = &r->next;
@@ -454,14 +463,9 @@ static int add_dir_rule(char *in, char *out, unsigned int flags)
 
 static unsigned int parse_dir_option(char *opt)
 {
-  if (!strcmp(opt, "rw"))
-    return DIR_FLAG_RW;
-  if (!strcmp(opt, "noexec"))
-    return DIR_FLAG_NOEXEC;
-  if (!strcmp(opt, "fs"))
-    return DIR_FLAG_FS;
-  if (!strcmp(opt, "maybe"))
-    return DIR_FLAG_MAYBE;
+  for (unsigned int i = 0; i < ARRAY_SIZE(dir_flag_names); i++)
+    if (!strcmp(opt, dir_flag_names[i]))
+      return 1U << i;
   die("Unknown directory option %s", opt);
 }
 
@@ -473,11 +477,11 @@ static int set_dir_action(char *arg)
   unsigned int flags = 0;
   while (colon)
     {
-      char *opt = colon + 1;
-      char *next = strchr(opt, ':');
+      *colon++ = 0;
+      char *next = strchr(colon, ':');
       if (next)
 	*next = 0;
-      flags |= parse_dir_option(opt);
+      flags |= parse_dir_option(colon);
       colon = next;
     }
 
@@ -499,7 +503,7 @@ static void init_dir_rules(void)
 {
   set_dir_action("box=./box:rw");
   set_dir_action("bin");
-  set_dir_action("dev");
+  set_dir_action("dev:dev");
   set_dir_action("lib");
   set_dir_action("lib64:maybe");
   set_dir_action("proc=proc:fs");
@@ -508,7 +512,8 @@ static void init_dir_rules(void)
 
 static void make_dir(char *path)
 {
-  char *sep = path;
+  char *sep = (path[0] == '/' ? path+1 : path);
+
   for (;;)
     {
       sep = strchr(sep, '/');
@@ -551,18 +556,23 @@ static void apply_dir_rules(void)
 	mount_flags |= MS_RDONLY;
       if (r->flags & DIR_FLAG_NOEXEC)
 	mount_flags |= MS_NOEXEC;
+      if (!(r->flags & DIR_FLAG_DEV))
+	mount_flags |= MS_NODEV;
 
       if (r->flags & DIR_FLAG_FS)
 	{
-	  msg("Mounting %s on %s\n", out, in);
+	  msg("Mounting %s on %s (flags %lx)\n", out, in, mount_flags);
 	  if (mount("none", root_in, out, mount_flags, "") < 0)
 	    die("Cannot mount %s on %s: %m", out, in);
 	}
       else
 	{
-	  msg("Binding %s on %s\n", out, in);
-	  if (mount(out, root_in, "none", MS_BIND | MS_NOSUID | MS_NODEV | mount_flags, "") < 0)
-	    die("Cannot bind %s on %s: %m", out, in);
+	  mount_flags |= MS_BIND | MS_NOSUID;
+	  msg("Binding %s on %s (flags %lx)\n", out, in, mount_flags);
+	  // Most mount flags need remount to work
+	  if (mount(out, root_in, "none", mount_flags, "") < 0 ||
+	      mount(out, root_in, "none", MS_REMOUNT | mount_flags, "") < 0)
+	    die("Cannot mount %s on %s: %m", out, in);
 	}
     }
 }
@@ -647,10 +657,11 @@ cg_init(void)
   if (!cg_enable)
     return;
 
+  char *cg_root = CONFIG_ISOLATE_CGROUP_ROOT;
   if (!dir_exists(cg_root))
     die("Control group filesystem at %s not mounted", cg_root);
 
-  snprintf(cg_path, sizeof(cg_path), "%s/box-%d", cg_root, BOX_UID);
+  snprintf(cg_path, sizeof(cg_path), "%s/box-%d", cg_root, box_id);
   msg("Using control group %s\n", cg_path);
 }
 
@@ -754,6 +765,86 @@ cg_remove(void)
     die("Cannot remove control group %s: %m", cg_path);
 }
 
+/*** Disk quotas ***/
+
+static int
+path_begins_with(char *path, char *with)
+{
+  while (*with)
+    if (*path++ != *with++)
+      return 0;
+  return (!*with || *with == '/');
+}
+
+static char *
+find_device(char *path)
+{
+  FILE *f = setmntent("/proc/mounts", "r");
+  if (!f)
+    die("Cannot open /proc/mounts: %m");
+
+  struct mntent *me;
+  int best_len = 0;
+  char *best_dev = NULL;
+  while (me = getmntent(f))
+    {
+      if (!path_begins_with(me->mnt_fsname, "/dev"))
+	continue;
+      if (path_begins_with(path, me->mnt_dir))
+	{
+	  int len = strlen(me->mnt_dir);
+	  if (len > best_len)
+	    {
+	      best_len = len;
+	      free(best_dev);
+	      best_dev = xstrdup(me->mnt_fsname);
+	    }
+	}
+    }
+  endmntent(f);
+  return best_dev;
+}
+
+static void
+set_quota(void)
+{
+  if (!block_quota)
+    return;
+
+  char cwd[PATH_MAX];
+  if (!getcwd(cwd, sizeof(cwd)))
+    die("getcwd: %m");
+
+  char *dev = find_device(cwd);
+  if (!dev)
+    die("Cannot identify filesystem which contains %s", cwd);
+  msg("Quota: Mapped path %s to a filesystem on %s\n", cwd, dev);
+
+  // Sanity check
+  struct stat dev_st, cwd_st;
+  if (stat(dev, &dev_st) < 0)
+    die("Cannot identify block device %s: %m", dev);
+  if (!S_ISBLK(dev_st.st_mode))
+    die("Expected that %s is a block device", dev);
+  if (stat(".", &cwd_st) < 0)
+    die("Cannot stat cwd: %m");
+  if (cwd_st.st_dev != dev_st.st_rdev)
+    die("Identified %s as a filesystem on %s, but it is obviously false", cwd, dev);
+
+  struct dqblk dq = {
+    .dqb_bhardlimit = block_quota,
+    .dqb_bsoftlimit = block_quota,
+    .dqb_ihardlimit = inode_quota,
+    .dqb_isoftlimit = inode_quota,
+    .dqb_valid = QIF_LIMITS,
+  };
+  if (quotactl(QCMD(Q_SETQUOTA, USRQUOTA), dev, box_uid, (caddr_t) &dq) < 0)
+    die("Cannot set disk quota: %m");
+  msg("Quota: Set block quota %d and inode quota %d\n", block_quota, inode_quota);
+
+  free(dev);
+}
+
 /*** The keeper process ***/
 
 static void
@@ -969,11 +1060,11 @@ setup_root(void)
 static void
 setup_credentials(void)
 {
-  if (setresgid(BOX_GID, BOX_GID, BOX_GID) < 0)
+  if (setresgid(box_gid, box_gid, box_gid) < 0)
     die("setresgid: %m");
   if (setgroups(0, NULL) < 0)
     die("setgroups: %m");
-  if (setresuid(BOX_UID, BOX_UID, BOX_UID) < 0)
+  if (setresuid(box_uid, box_uid, box_uid) < 0)
     die("setresuid: %m");
   setpgrp();
 }
@@ -1047,6 +1138,20 @@ box_inside(void *arg)
   die("execve(\"%s\"): %m", args[0]);
 }
 
+static void
+box_init(void)
+{
+  if (box_id < 0 || box_id >= CONFIG_ISOLATE_NUM_BOXES)
+    die("Sandbox ID out of range (allowed: 0-%d)", CONFIG_ISOLATE_NUM_BOXES-1);
+  box_uid = CONFIG_ISOLATE_FIRST_UID + box_id;
+  box_gid = CONFIG_ISOLATE_FIRST_GID + box_id;
+
+  snprintf(box_dir, sizeof(box_dir), "%s/%d", CONFIG_ISOLATE_BOX_DIR, box_id);
+  make_dir(box_dir);
+  if (chdir(box_dir) < 0)
+    die("chdir(%s): %m", box_dir);
+}
+
 /*** Commands ***/
 
 static void
@@ -1060,6 +1165,9 @@ init(void)
     die("Cannot chown box: %m");
 
   cg_prepare();
+  set_quota();
+
+  puts(box_dir);
 }
 
 static void
@@ -1069,7 +1177,9 @@ cleanup(void)
     die("Box directory not found, there isn't anything to clean up");
 
   msg("Deleting sandbox directory\n");
-  xsystem("rm -rf box");
+  xsystem("rm -rf *");
+  if (rmdir(box_dir) < 0)
+    die("Cannot remove %s: %m", box_dir);
   cg_remove();
 }
 
@@ -1080,7 +1190,7 @@ run(char **argv)
     die("Box directory not found, did you run `isolate --init'?");
 
   char cmd[256];
-  snprintf(cmd, sizeof(cmd), "chown -R %d.%d box", BOX_UID, BOX_GID);
+  snprintf(cmd, sizeof(cmd), "chown -R %d.%d box", box_uid, box_gid);
   xsystem(cmd);
   snprintf(cleanup_cmd, sizeof(cleanup_cmd), "chown -R %d.%d box", orig_uid, orig_gid);
 
@@ -1109,8 +1219,12 @@ show_version(void)
   printf("Process isolator 1.0\n");
   printf("(c) 2012 Martin Mares and Bernard Blackham\n");
   printf("\nCompile-time configuration:\n");
-  printf("Sandbox directory: %s\n", BOX_DIR);
-  printf("Sandbox credentials: uid=%u gid=%u\n", BOX_UID, BOX_GID);
+  printf("Sandbox directory: %s\n", CONFIG_ISOLATE_BOX_DIR);
+  printf("Sandbox credentials: uid=%u-%u gid=%u-%u\n",
+    CONFIG_ISOLATE_FIRST_UID,
+    CONFIG_ISOLATE_FIRST_UID + CONFIG_ISOLATE_NUM_BOXES - 1,
+    CONFIG_ISOLATE_FIRST_GID,
+    CONFIG_ISOLATE_FIRST_GID + CONFIG_ISOLATE_NUM_BOXES - 1);
 }
 
 /*** Options ***/
@@ -1123,13 +1237,19 @@ usage(void)
 Usage: isolate [<options>] <command>\n\
 \n\
 Options:\n\
+-b, --box-id=<id>\tWhen multiple sandboxes are used in parallel, each must get a unique ID\n\
 -c, --cg[=<parent>]\tPut process in a control group (optionally a sub-group of <parent>)\n\
     --cg-mem=<size>\tLimit memory usage of the control group to <size> KB\n\
     --cg-timing\t\tTime limits affects total run time of the control group\n\
 -d, --dir=<dir>\t\tMake a directory <dir> visible inside the sandbox\n\
     --dir=<in>=<out>\tMake a directory <out> outside visible as <in> inside\n\
     --dir=<in>=\t\tDelete a previously defined directory rule (even a default one)\n\
-    --dir=...:<opt>\tSpecify options for a rule: rw, noexec, fs, maybe\n\
+    --dir=...:<opt>\tSpecify options for a rule:\n\
+\t\t\t\tdev\tAllow access to special files\n\
+\t\t\t\tfs\tMount a filesystem (e.g., --dir=/proc:proc:fs)\n\
+\t\t\t\tmaybe\tSkip the rule if <out> does not exist\n\
+\t\t\t\tnoexec\tDo not allow execution of binaries\n\
+\t\t\t\trw\tAllow read-write access\n\
 -E, --env=<var>\t\tInherit the environment variable <var> from the parent process\n\
 -E, --env=<var>=<val>\tSet the environment variable <var> to <val>; unset it if <var> is empty\n\
 -x, --extra-time=<time>\tSet extra timeout, before which a timing-out program is not yet killed,\n\
@@ -1137,6 +1257,7 @@ Options:\n\
 -e, --full-env\t\tInherit full environment of the parent process\n\
 -m, --mem=<size>\tLimit address space to <size> KB\n\
 -M, --meta=<file>\tOutput process information to <file> (name:value)\n\
+-q, --quota=<blk>,<ino>\tSet disk quota to <blk> blocks and <ino> inodes\n\
 -k, --stack=<size>\tLimit stack size to <size> KB (default: 0=unlimited)\n\
 -r, --stderr=<file>\tRedirect stderr to <file>\n\
 -i, --stdin=<file>\tRedirect stdin from <file>\n\
@@ -1164,10 +1285,11 @@ enum opt_code {
   OPT_CG_TIMING,
 };
 
-static const char short_opts[] = "c::d:eE:i:k:m:M:o:p::r:t:vw:x:";
+static const char short_opts[] = "b:c:d:eE:i:k:m:M:o:p::q:r:t:vw:x:";
 
 static const struct option long_opts[] = {
-  { "cg",		2, NULL, 'c' },
+  { "box-id",		1, NULL, 'b' },
+  { "cg",		1, NULL, 'c' },
   { "cg-mem",		1, NULL, OPT_CG_MEM },
   { "cg-timing",	0, NULL, OPT_CG_TIMING },
   { "cleanup",		0, NULL, OPT_CLEANUP },
@@ -1179,6 +1301,7 @@ static const struct option long_opts[] = {
   { "mem",		1, NULL, 'm' },
   { "meta",		1, NULL, 'M' },
   { "processes",	2, NULL, 'p' },
+  { "quota",		1, NULL, 'q' },
   { "run",		0, NULL, OPT_RUN },
   { "stack",		1, NULL, 'k' },
   { "stderr",		1, NULL, 'r' },
@@ -1195,6 +1318,7 @@ int
 main(int argc, char **argv)
 {
   int c;
+  char *sep;
   enum opt_code mode = 0;
 
   init_dir_rules();
@@ -1202,9 +1326,10 @@ main(int argc, char **argv)
   while ((c = getopt_long(argc, argv, short_opts, long_opts, NULL)) >= 0)
     switch (c)
       {
+      case 'b':
+	box_id = atoi(optarg);
+	break;
       case 'c':
-	if (optarg)
-	  cg_root = optarg;
 	cg_enable = 1;
 	break;
       case 'd':
@@ -1239,6 +1364,13 @@ main(int argc, char **argv)
 	else
 	  max_processes = 0;
 	break;
+      case 'q':
+	sep = strchr(optarg, ',');
+	if (!sep)
+	  usage();
+	block_quota = atoi(optarg);
+	inode_quota = atoi(sep+1);
+	break;
       case 'r':
 	redir_stderr = optarg;
 	break;
@@ -1284,8 +1416,7 @@ main(int argc, char **argv)
   orig_gid = getgid();
 
   umask(022);
-  if (chdir(BOX_DIR) < 0)
-    die("chdir(%s): %m", BOX_DIR);
+  box_init();
   cg_init();
 
   switch (mode)