libcontainer/libcontainer_util.h - mirrors/cros/chromiumos/platform2 - Git at Google

 // Copyright 2017 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef LIBCONTAINER_LIBCONTAINER_UTIL_H_
 #define LIBCONTAINER_LIBCONTAINER_UTIL_H_

 #include <linux/loop.h>

 #include <string>
 #include <vector>

 #include <base/callback_forward.h>
 #include <base/files/file_path.h>
 #include <base/files/scoped_file.h>
 #include <base/logging.h>
 #include <base/macros.h>
 #include <libminijail.h>

 #include "libcontainer/config.h"
 #include "libcontainer/libcontainer.h"

 namespace libcontainer {

 // WaitablePipe provides a way for one process to wait on another. This only
 // uses the read(2) and close(2) syscalls, so it can work even in a restrictive
 // environment. Each process must call only one of Wait() and Signal() exactly
 // once.
 struct WaitablePipe {
   WaitablePipe();
   ~WaitablePipe();

   WaitablePipe(WaitablePipe&&);
   WaitablePipe(const WaitablePipe&) = delete;
   WaitablePipe& operator=(const WaitablePipe&) = delete;

   // Waits for Signal() to be called.
   void Wait();

   // Notifies the process that called Wait() to continue running.
   void Signal();

   int pipe_fds[2];
 };

 // HookState holds two WaitablePipes so that the container can wait for its
 // parent to run prestart hooks just prior to calling execve(2).
 class HookState {
  public:
   HookState();
   ~HookState();

   HookState(HookState&& state);
   HookState(const HookState&) = delete;
   HookState& operator=(const HookState&) = delete;

   // Initializes this HookState so that WaitForHookAndRun() can be invoked and
   // waited upon when |j| reaches |event|. Returns true on success.
   bool InstallHook(minijail* j, minijail_hook_event_t event);

   // Waits for the event specified in InstallHook() and invokes |callbacks| in
   // the caller process. Returns true if all callbacks succeeded.
   bool WaitForHookAndRun(const std::vector<HookCallback>& callbacks,
                          pid_t container_pid);

  private:
   // A function that can be passed to minijail_add_hook() that blocks the
   // process in the container until the parent has finished running whatever
   // operations are needed outside the container. This is not expected to be
   // called directly.
   static int WaitHook(void* payload);

   bool installed_ = false;
   WaitablePipe reached_pipe_;
   WaitablePipe ready_pipe_;
 };

 // Loopdev represents an active loopback device.
 struct Loopdev {
   // The path of the loopback device. e.g. /dev/loop1
   base::FilePath path;

   // An open file descriptor for the loopback device. Has the autoclear flag,
   // such that the kernel will automatically remove it once all references to it
   // are closed.
   base::ScopedFD fd;

   // Information about the loop device.
   struct loop_info64 info;
 };

 // Given a uid/gid map of "inside1 outside1 length1, ...", and an id inside of
 // the user namespace, populate |id_out|. Returns true on success.
 bool GetUsernsOutsideId(const std::string& map, int id, int* id_out);

 bool MakeDir(const base::FilePath& path, int uid, int gid, int mode);

 bool TouchFile(const base::FilePath& path, int uid, int gid, int mode);

 // Find a free loop device and attach it.
 bool LoopdevSetup(const base::FilePath& source, Loopdev* loopdev_out);

 // Detach the specified loop device.
 bool LoopdevDetach(Loopdev* loopdev);

 // Create a new device mapper target for the source.
 bool DeviceMapperSetup(const base::FilePath& source,
                        const std::string& verity_cmdline,
                        base::FilePath* dm_path_out,
                        std::string* dm_name_out);

 // Tear down the device mapper target.
 bool DeviceMapperDetach(const std::string& dm_name);

 // Match mount_one in minijail, mount one mountpoint with
 // consideration for combination of MS_BIND/MS_RDONLY flag.
 bool MountExternal(const std::string& src,
                    const std::string& dest,
                    const std::string& type,
                    unsigned long flags,
                    const std::string& data);

 // Creates a pipe using pipe2(2) and returns both ends as base::ScopedFDs.
 bool Pipe2(base::ScopedFD* read_pipe, base::ScopedFD* write_pipe, int flags);

 // Creates a callback that will fork(2)+execve(2) the program specified by args.
 HookCallback CreateExecveCallback(base::FilePath filename,
                                   std::vector<std::string> args,
                                   base::ScopedFD stdin_fd,
                                   base::ScopedFD stdout_fd,
                                   base::ScopedFD stderr_fd);

 // Wraps a callback to be run in a subset of the container's namespaces.
 HookCallback AdaptCallbackToRunInNamespaces(HookCallback callback,
                                             std::vector<int> nstypes);

 // Similar to base::CreateDirectory, but allows specifying the created
 // directories' mode and owner.
 bool CreateDirectoryOwnedBy(const base::FilePath& full_path,
                             mode_t mode,
                             uid_t uid,
                             gid_t gid);

 }  // namespace libcontainer

 #endif  // LIBCONTAINER_LIBCONTAINER_UTIL_H_
	// Copyright 2017 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef LIBCONTAINER_LIBCONTAINER_UTIL_H_
	#define LIBCONTAINER_LIBCONTAINER_UTIL_H_

	#include <linux/loop.h>

	#include <string>
	#include <vector>

	#include <base/callback_forward.h>
	#include <base/files/file_path.h>
	#include <base/files/scoped_file.h>
	#include <base/logging.h>
	#include <base/macros.h>
	#include <libminijail.h>

	#include "libcontainer/config.h"
	#include "libcontainer/libcontainer.h"

	namespace libcontainer {

	// WaitablePipe provides a way for one process to wait on another. This only
	// uses the read(2) and close(2) syscalls, so it can work even in a restrictive
	// environment. Each process must call only one of Wait() and Signal() exactly
	// once.
	struct WaitablePipe {
	WaitablePipe();
	~WaitablePipe();

	WaitablePipe(WaitablePipe&&);
	WaitablePipe(const WaitablePipe&) = delete;
	WaitablePipe& operator=(const WaitablePipe&) = delete;

	// Waits for Signal() to be called.
	void Wait();

	// Notifies the process that called Wait() to continue running.
	void Signal();

	int pipe_fds[2];
	};

	// HookState holds two WaitablePipes so that the container can wait for its
	// parent to run prestart hooks just prior to calling execve(2).
	class HookState {
	public:
	HookState();
	~HookState();

	HookState(HookState&& state);
	HookState(const HookState&) = delete;
	HookState& operator=(const HookState&) = delete;

	// Initializes this HookState so that WaitForHookAndRun() can be invoked and
	// waited upon when \|j\| reaches \|event\|. Returns true on success.
	bool InstallHook(minijail* j, minijail_hook_event_t event);

	// Waits for the event specified in InstallHook() and invokes \|callbacks\| in
	// the caller process. Returns true if all callbacks succeeded.
	bool WaitForHookAndRun(const std::vector<HookCallback>& callbacks,
	pid_t container_pid);

	private:
	// A function that can be passed to minijail_add_hook() that blocks the
	// process in the container until the parent has finished running whatever
	// operations are needed outside the container. This is not expected to be
	// called directly.
	static int WaitHook(void* payload);

	bool installed_ = false;
	WaitablePipe reached_pipe_;
	WaitablePipe ready_pipe_;
	};

	// Loopdev represents an active loopback device.
	struct Loopdev {
	// The path of the loopback device. e.g. /dev/loop1
	base::FilePath path;

	// An open file descriptor for the loopback device. Has the autoclear flag,
	// such that the kernel will automatically remove it once all references to it
	// are closed.
	base::ScopedFD fd;

	// Information about the loop device.
	struct loop_info64 info;
	};

	// Given a uid/gid map of "inside1 outside1 length1, ...", and an id inside of
	// the user namespace, populate \|id_out\|. Returns true on success.
	bool GetUsernsOutsideId(const std::string& map, int id, int* id_out);

	bool MakeDir(const base::FilePath& path, int uid, int gid, int mode);

	bool TouchFile(const base::FilePath& path, int uid, int gid, int mode);

	// Find a free loop device and attach it.
	bool LoopdevSetup(const base::FilePath& source, Loopdev* loopdev_out);

	// Detach the specified loop device.
	bool LoopdevDetach(Loopdev* loopdev);

	// Create a new device mapper target for the source.
	bool DeviceMapperSetup(const base::FilePath& source,
	const std::string& verity_cmdline,
	base::FilePath* dm_path_out,
	std::string* dm_name_out);

	// Tear down the device mapper target.
	bool DeviceMapperDetach(const std::string& dm_name);

	// Match mount_one in minijail, mount one mountpoint with
	// consideration for combination of MS_BIND/MS_RDONLY flag.
	bool MountExternal(const std::string& src,
	const std::string& dest,
	const std::string& type,
	unsigned long flags,
	const std::string& data);

	// Creates a pipe using pipe2(2) and returns both ends as base::ScopedFDs.
	bool Pipe2(base::ScopedFD* read_pipe, base::ScopedFD* write_pipe, int flags);

	// Creates a callback that will fork(2)+execve(2) the program specified by args.
	HookCallback CreateExecveCallback(base::FilePath filename,
	std::vector<std::string> args,
	base::ScopedFD stdin_fd,
	base::ScopedFD stdout_fd,
	base::ScopedFD stderr_fd);

	// Wraps a callback to be run in a subset of the container's namespaces.
	HookCallback AdaptCallbackToRunInNamespaces(HookCallback callback,
	std::vector<int> nstypes);

	// Similar to base::CreateDirectory, but allows specifying the created
	// directories' mode and owner.
	bool CreateDirectoryOwnedBy(const base::FilePath& full_path,
	mode_t mode,
	uid_t uid,
	gid_t gid);

	} // namespace libcontainer

	#endif // LIBCONTAINER_LIBCONTAINER_UTIL_H_