From: Arseny Maslennikov
To: Alex Gladkov, ALT Linux Team development discussions
Cc: ldv@altlinux.org
Date: Thu, 17 Sep 2020 16:11:07 +0300
Subject: Re: [devel] [PATCH hasher-priv v1 3/3] Add cgroup support
Message-ID: <20200917131107.GE286846@cello>
In-Reply-To: <2dd521b85103ae35347e548c89b6873a80811206.1576183643.git.legion@altlinux.org>

On Fri, Dec 13, 2019 at 12:42:05PM +0100, Alex Gladkov wrote:
> From: Alexey Gladkov
>

Could you please explain what you're trying to do with this patch?
Even if it's obvious from the source itself, we still must have an
opportunity to discuss, and a decent explanation should stay in the
project history.

Most likely, it'll turn out we _at least_ have to pass Delegate=yes to
the systemd service:

    Delegate=
        Turns on delegation of further resource control partitioning to
        processes of the unit. Units where this is enabled may create and
        manage their own private subhierarchy of control groups below the
        control group of the unit itself.

    Manual page systemd.resource-control(5): lines 786-791

Do we only support cgroup2 and ignore cgroup1?
If yes, great, but perhaps then we might want to have a setting to not
fiddle with cgroup trees, to support the unfortunate users that have to
run Docker and other garbage.

> Signed-off-by: Alexey Gladkov > --- > hasher-priv/Makefile | 2 +- > hasher-priv/caller_task.c | 3 + > hasher-priv/cgroup.c | 119 ++++++++++++++++++++++++++++++++++++++ > hasher-priv/config.c | 5 ++ > hasher-priv/priv.h | 2 + > hasher-priv/server.conf | 9 +++ > 6 files changed, 139 insertions(+), 1 deletion(-) > create mode 100644 hasher-priv/cgroup.c >=20 > diff --git a/hasher-priv/Makefile b/hasher-priv/Makefile > index c73216f..e999972 100644 > --- a/hasher-priv/Makefile > +++ b/hasher-priv/Makefile > @@ -51,7 +51,7 @@ server_SRC =3D hasher-privd.c \ > chdir.c chdiruid.c chid.c child.c chrootuid.c cmdline.c \ > config.c fds.c getconf.c getugid.c ipc.c killuid.c io_log.c io_x11.c \ > makedev.c mount.c net.c parent.c pass.c pty.c signal.c tty.c \ > - unshare.c xmalloc.c x11.c > + unshare.c xmalloc.c x11.c cgroup.c > server_OBJ =3D $(server_SRC:.c=3D.o) > =20 > DEP =3D $(SRC:.c=3D.d) $(server_SRC:.c=3D.d) > diff --git a/hasher-priv/caller_task.c b/hasher-priv/caller_task.c > index d8f2dd5..722e0a6 100644 > --- a/hasher-priv/caller_task.c > +++ b/hasher-priv/caller_task.c 
> @@ -95,6 +95,9 @@ caller_task(struct task *task) > return pid; > } > =20 > + if (join_cgroup() < 0) > + exit(rc); > + > if ((rc =3D reopen_iostreams(task->stdin, task->stdout, task->stderr)) = < 0) > exit(rc); > =20 > diff --git a/hasher-priv/cgroup.c b/hasher-priv/cgroup.c > new file mode 100644 > index 0000000..ac14938 > --- /dev/null > +++ b/hasher-priv/cgroup.c 
> @@ -0,0 +1,119 @@ > + > +/* > + Copyright (C) 2019 Alexey Gladkov > + > + The cgroup helper for hasher-privd program. > + > + SPDX-License-Identifier: GPL-2.0-or-later > +*/ > + > +#include > +#include > +#include > + > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include "logging.h" > +#include "priv.h" > + > +int > +join_cgroup(void) > +{ > + int ret =3D 0; > + > + if (!server_cgroup_template) > + return ret; > + > + char cgroup_path[MAXPATHLEN]; > + > + size_t i, j, escape; > + size_t len =3D strlen(server_cgroup_template); > + int fd =3D -1; > + > + i =3D j =3D escape =3D 0; > + > + for (; i < len; i++) { > + if (j > sizeof(cgroup_path)) { > + err("path too long"); > + ret =3D -1; > + goto fail; > + } > + > + if (escape) { > + ssize_t n =3D 0; > + char *p =3D cgroup_path + j; > + size_t sz =3D (size_t) (p - cgroup_path); > + > + switch (server_cgroup_template[i]) { > + case 'u': > + n =3D snprintf(p, sz, "%s", caller_user); > + break; > + case 'U': > + n =3D snprintf(p, sz, "%u", caller_uid); > + break; > + case 'G': > + n =3D snprintf(p, sz, "%u", caller_gid); > + break; > + case 'N': > + n =3D snprintf(p, sz, "%u", caller_num); > + break; > + case '%': > + n =3D snprintf(p, sz, "%%"); > + break; > + } > + > + if (n <=3D 0) { > + err("unable to expand escape sequence: %%%c", > + server_cgroup_template[i]); > + ret =3D -1; > + goto fail; > + } > + > + j +=3D (size_t) n; > + > + escape =3D 0; > + continue; > + > + } else if (server_cgroup_template[i] =3D=3D '%') { > + escape =3D 1; > + continue; > + > + } else if (server_cgroup_template[i] =3D=3D '/' && j > 0) { > + cgroup_path[j] =3D '\0'; > + > + errno =3D 0; > + if (mkdir(cgroup_path, 0755) < 0 && errno !=3D EEXIST) { > + err("mkdir: %s: errno=3D%d: %m", cgroup_path, errno); > + ret =3D -1; > + goto fail; > + } > + } > + > + cgroup_path[j++] =3D server_cgroup_template[i]; > + } > + > + cgroup_path[j] =3D '\0'; > + > + if ((fd =3D open(cgroup_path, O_CREAT | O_WRONLY | 
O_CLOEXEC, 0644)) < = 0) { > + err("open: %s: %m", cgroup_path); > + ret =3D -1; > + goto fail; > + } > + > + if (dprintf(fd, "%d\n", getpid()) < 0) { > + err("dprintf: %s: unable to write pid", cgroup_path); > + ret =3D -1; > + } > +fail: > + if (fd >=3D 0 && close(fd) < 0) { > + err("close: %s: %m", cgroup_path); > + ret =3D -1; > + } > + > + return ret; > +} > diff --git a/hasher-priv/config.c b/hasher-priv/config.c > index 6b6bdb1..3faf936 100644 > --- a/hasher-priv/config.c > +++ b/hasher-priv/config.c > @@ -30,6 +30,7 @@ const char *const *chroot_prefix_list; > const char *chroot_prefix_path; > const char *change_user1, *change_user2; > char *server_control_group =3D NULL; > +char *server_cgroup_template =3D NULL; > char *server_pidfile =3D NULL; > const char *term; > const char *x11_display, *x11_key; > @@ -671,6 +672,9 @@ set_server_config(const char *name, const char *value= , const char *filename) > } else if (!strcasecmp("control_group", name)) { > free(server_control_group); > server_control_group =3D xstrdup(value); > + } else if (!strcasecmp("cgroup_template", name)) { > + free(server_cgroup_template); > + server_cgroup_template =3D xstrdup(value); > } else { > bad_option_name(name, filename); > } > @@ -771,4 +775,5 @@ free_server_configuration(void) > { > free(server_pidfile); > free(server_control_group); > + free(server_cgroup_template); > } > diff --git a/hasher-priv/priv.h b/hasher-priv/priv.h > index f0eb9f9..f29603a 100644 > --- a/hasher-priv/priv.h > +++ b/hasher-priv/priv.h > @@ -120,6 +120,7 @@ int do_chrootuid2(void); > =20 > int process_caller_task(int, struct task *); > pid_t fork_server(int, uid_t, gid_t, unsigned); > +int join_cgroup(void); > =20 > extern const char *chroot_path; > extern const char **chroot_argv; 
> @@ -162,6 +163,7 @@ extern work_limit_t wlimit; > extern int server_log_priority; > extern unsigned long server_session_timeout; > extern char *server_control_group; > +extern char *server_cgroup_template; > extern char *server_pidfile; > extern gid_t server_gid; > =20 > diff --git a/hasher-priv/server.conf b/hasher-priv/server.conf > index 53ea5c3..9e70487 100644 > --- a/hasher-priv/server.conf > +++ b/hasher-priv/server.conf > @@ -11,3 +11,12 @@ session_timeout=3D3600 > =20 > # Allow users of this group to interact with hasher-privd via the contro= l socket. > control_group=3Dhashman > + > +# Template for cgroup path to which task handler should be added. > +# > +# %u -- Session's user name. > +# %U -- Session's user numeric ID. > +# %G -- Session's group numeric ID. > +# %N -- Session's user number. > +# > +#cgroup_template=3D/sys/fs/cgroup2/hasher-priv/%u/cgroup.procs > --=20 > 2.24.0
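
Review bot: in the hasher-priv/caller_task.c hunk, the result of join_cgroup() is never stored, so `exit(rc)` exits with whatever rc held before this point rather than with the failure code; the visible lines show no assignment to rc from this call. Mirror the reopen_iostreams() check that follows and write `if ((rc = join_cgroup()) < 0) exit(rc);`. If rc happens to be 0 at this point, the child would report success after failing to join the cgroup.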
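
Review bot: in join_cgroup() in hasher-priv/cgroup.c, `size_t sz = (size_t) (p - cgroup_path);` passes snprintf() the number of bytes already used (it equals j), not the space left in cgroup_path. A template that starts with an escape gets sz == 0, so nothing is written while j still advances by n, and once j passes half the buffer snprintf() may write beyond its end; use `sizeof(cgroup_path) - j` and treat `n >= sz` as truncation, since snprintf() returns the would-be length. The loop guard `if (j > sizeof(cgroup_path))` is off at the boundary as well: it lets j reach sizeof(cgroup_path), after which the literal-character store and the final `cgroup_path[j] = '\0'` index past the array, so it should fail once `j >= sizeof(cgroup_path) - 1`. Separately, O_CREAT on the final open() means a template that points outside cgroupfs makes the daemon create a regular file there; opening with O_WRONLY | O_CLOEXEC only would turn that misconfiguration into an error, because cgroup.procs already exists in a cgroup directory once it has been created.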
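
Review bot: the cgroup_template comment in hasher-priv/server.conf leaves out behaviour an administrator needs to know: join_cgroup() also accepts `%%` for a literal percent sign, it creates every missing directory along the path with mode 0755, and the value has to name the file the PID is written to (cgroup.procs in the sample), not the cgroup directory. Adding those three points to the comment block would document what the option does.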