This was a year long journey which seems to finally have come to an end.
Closes: #1620.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
## seccomp\_allow\_deny\_syntax
This adds the ability to use "denylist" and "allowlist" in seccomp v2 policies.
+
+## devpts\_fd
+
+This adds the ability to allocate a file descriptor for the devpts instance of
+the container.
"network_bridge_vlan",
"time_namespace",
"seccomp_allow_deny_syntax",
+ "devpts_fd",
};
static size_t nr_api_extensions = sizeof(api_extensions) / sizeof(*api_extensions);
_exit(EXIT_FAILURE);
}
-static int lxc_attach_terminal(struct lxc_conf *conf,
+static int lxc_attach_terminal(const char *name, const char *lxcpath, struct lxc_conf *conf,
struct lxc_terminal *terminal)
{
int ret;
lxc_terminal_init(terminal);
- ret = lxc_terminal_create(terminal);
+ ret = lxc_terminal_create(name, lxcpath, terminal);
if (ret < 0)
return log_error(-1, "Failed to create terminal");
}
if (options->attach_flags & LXC_ATTACH_TERMINAL) {
- ret = lxc_attach_terminal(conf, &terminal);
+ ret = lxc_attach_terminal(name, lxcpath, conf, &terminal);
if (ret < 0) {
ERROR("Failed to setup new terminal");
free(cwd);
[LXC_CMD_GET_INIT_PIDFD] = "get_init_pidfd",
[LXC_CMD_GET_LIMITING_CGROUP] = "get_limiting_cgroup",
[LXC_CMD_GET_LIMITING_CGROUP2_FD] = "get_limiting_cgroup2_fd",
+ [LXC_CMD_GET_DEVPTS_FD] = "get_devpts_fd",
};
if (cmd >= LXC_CMD_MAX)
rsp->data = INT_TO_PTR(init_pidfd);
}
+ if (cmd->req.cmd == LXC_CMD_GET_DEVPTS_FD) {
+ int devpts_fd = move_fd(fd_rsp);
+ rsp->data = INT_TO_PTR(devpts_fd);
+ }
+
if (rsp->datalen == 0)
return log_debug(ret,
"Response data length for command \"%s\" is 0",
return 0;
}
+int lxc_cmd_get_devpts_fd(const char *name, const char *lxcpath)
+{
+ int ret, stopped;
+ struct lxc_cmd_rr cmd = {
+ .req = {
+ .cmd = LXC_CMD_GET_DEVPTS_FD,
+ },
+ };
+
+ ret = lxc_cmd(name, &cmd, &stopped, lxcpath, NULL);
+ if (ret < 0)
+ return log_debug_errno(-1, errno, "Failed to process devpts fd command");
+
+ if (cmd.rsp.ret < 0)
+ return log_debug_errno(-EBADF, errno, "Failed to receive devpts fd");
+
+ return PTR_TO_INT(cmd.rsp.data);
+}
+
+static int lxc_cmd_get_devpts_fd_callback(int fd, struct lxc_cmd_req *req,
+ struct lxc_handler *handler,
+ struct lxc_epoll_descr *descr)
+{
+ struct lxc_cmd_rsp rsp = {
+ .ret = 0,
+ };
+ int ret;
+
+ if (!handler->conf || handler->conf->devpts_fd < 0)
+ rsp.ret = -EBADF;
+ ret = lxc_abstract_unix_send_fds(fd, &handler->conf->devpts_fd, 1, &rsp, sizeof(rsp));
+ if (ret < 0)
+ return log_error(LXC_CMD_REAP_CLIENT_FD, "Failed to send devpts fd");
+
+ return 0;
+}
+
/*
* lxc_cmd_get_clone_flags: Get clone flags container was spawned with
*
[LXC_CMD_GET_INIT_PIDFD] = lxc_cmd_get_init_pidfd_callback,
[LXC_CMD_GET_LIMITING_CGROUP] = lxc_cmd_get_limiting_cgroup_callback,
[LXC_CMD_GET_LIMITING_CGROUP2_FD] = lxc_cmd_get_limiting_cgroup2_fd_callback,
+ [LXC_CMD_GET_DEVPTS_FD] = lxc_cmd_get_devpts_fd_callback,
};
if (req->cmd >= LXC_CMD_MAX)
LXC_CMD_GET_INIT_PIDFD,
LXC_CMD_GET_LIMITING_CGROUP,
LXC_CMD_GET_LIMITING_CGROUP2_FD,
+ LXC_CMD_GET_DEVPTS_FD,
LXC_CMD_MAX,
} lxc_cmd_t;
__hidden extern char *lxc_cmd_get_limiting_cgroup_path(const char *name, const char *lxcpath,
const char *subsystem);
__hidden extern int lxc_cmd_get_limiting_cgroup2_fd(const char *name, const char *lxcpath);
+__hidden extern int lxc_cmd_get_devpts_fd(const char *name, const char *lxcpath);
#endif /* __commands_h */
return retmap;
}
-static int lxc_setup_devpts(struct lxc_conf *conf)
+static int lxc_setup_devpts(struct lxc_handler *handler)
{
+ __do_close int devpts_fd = -EBADF;
int ret;
char **opts;
char devpts_mntopts[256];
char *mntopt_sets[5];
char default_devpts_mntopts[256] = "gid=5,newinstance,ptmxmode=0666,mode=0620";
+ struct lxc_conf *conf = handler->conf;
+ int sock = handler->data_sock[0];
if (conf->pty_max <= 0)
return log_debug(0, "No new devpts instance will be mounted since no pts devices are requested");
return log_error_errno(-1, errno, "Failed to mount new devpts instance");
DEBUG("Mount new devpts instance with options \"%s\"", *opts);
+ devpts_fd = open_tree(-EBADF, "/dev/pts", OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC | AT_EMPTY_PATH);
+ if (devpts_fd < 0) {
+ TRACE("Failed to create detached devpts mount");
+ ret = lxc_abstract_unix_send_fds(sock, NULL, 0, NULL, 0);
+ } else {
+ ret = lxc_abstract_unix_send_fds(sock, &devpts_fd, 1, NULL, 0);
+ }
+ if (ret < 0)
+ return log_error_errno(-1, errno, "Failed to send devpts fd to parent");
+
/* Remove any pre-existing /dev/ptmx file. */
ret = remove("/dev/ptmx");
if (ret < 0) {
if (lxc_conf->autodev > 0)
(void)lxc_setup_boot_id();
- ret = lxc_setup_devpts(lxc_conf);
+ ret = lxc_setup_devpts(handler);
if (ret < 0)
return log_error(-1, "Failed to setup new devpts instance");
struct lxc_terminal console;
/* maximum pty devices allowed by devpts mount */
size_t pty_max;
+ /* file descriptor for the container's /dev/pts mount */
+ int devpts_fd;
/* set to true when rootfs has been setup */
bool rootfs_setup;
WRAP_API(int, lxcapi_init_pidfd)
+static int do_lxcapi_devpts_fd(struct lxc_container *c)
+{
+ if (!c)
+ return ret_errno(EBADF);
+
+ return lxc_cmd_get_devpts_fd(c->name, c->config_path);
+}
+
+WRAP_API(int, lxcapi_devpts_fd)
+
static bool load_config_locked(struct lxc_container *c, const char *fname)
{
if (!c->lxc_conf)
c->unfreeze = lxcapi_unfreeze;
c->console = lxcapi_console;
c->console_getfd = lxcapi_console_getfd;
+ c->devpts_fd = lxcapi_devpts_fd;
c->init_pid = lxcapi_init_pid;
c->init_pidfd = lxcapi_init_pidfd;
c->load_config = lxcapi_load_config;
* \return pidfd of init process of the container.
*/
int (*init_pidfd)(struct lxc_container *c);
+
+ /*!
+ * \brief Retrieve a mount fd for the container's devpts instance.
+ *
+ * \param c Container.
+ *
+ * \return Mount fd of the container's devpts instance.
+ */
+ int (*devpts_fd)(struct lxc_container *c);
};
/*!
lxc_terminal_delete(&handler->conf->console);
lxc_delete_tty(&handler->conf->ttys);
+ close_prot_errno_disarm(handler->conf->devpts_fd);
/* The command socket is now closed, no more state clients can register
* themselves from now on. So free the list of state clients.
}
}
+ ret = lxc_abstract_unix_recv_fds(data_sock1, &handler->conf->devpts_fd, 1, NULL, 0);
+ if (ret < 0) {
+ SYSERROR("Failed to receive devpts fd from child");
+ goto out_delete_net;
+ }
+ if (ret == 0)
+ handler->conf->devpts_fd = -EBADF;
+
/* Now all networks are created, network devices are moved into place,
* and the correct names and ifindices in the respective namespaces have
* been recorded. The corresponding structs have now all been filled. So
return 0;
}
-int lxc_terminal_create(struct lxc_terminal *terminal)
+static int lxc_terminal_create_foreign(struct lxc_terminal *terminal)
{
int ret;
return -ENODEV;
}
+static int lxc_terminal_create_native(const char *name, const char *lxcpath,
+ struct lxc_terminal *terminal)
+{
+ __do_close int devpts_fd = -EBADF, ptx_fd = -EBADF, pty_fd = -EBADF;
+ int ret;
+
+ devpts_fd = lxc_cmd_get_devpts_fd(name, lxcpath);
+ if (devpts_fd < 0)
+ return log_error_errno(-1, errno, "Failed to receive devpts fd");
+
+ ptx_fd = openat(devpts_fd, "ptmx", O_RDWR | O_NOCTTY | O_CLOEXEC);
+ if (ptx_fd < 0)
+ return log_error_errno(-1, errno, "Failed to open terminal multiplexer device");
+
+ ret = grantpt(ptx_fd);
+ if (ret < 0)
+ return log_error_errno(-1, errno, "Failed to grant access to multiplexer device");
+
+ ret = unlockpt(ptx_fd);
+ if (ret < 0)
+ return log_error_errno(-1, errno, "Failed to unlock multiplexer device device");
+
+ pty_fd = ioctl(ptx_fd, TIOCGPTPEER, O_RDWR | O_NOCTTY | O_CLOEXEC);
+ if (pty_fd < 0)
+ return log_error_errno(-1, errno, "Failed to allocate new pty device");
+
+ ret = ttyname_r(terminal->pty, terminal->name, sizeof(terminal->name));
+ if (ret < 0)
+ return log_error_errno(-1, errno, "Failed to retrieve name of terminal pty");
+
+ terminal->ptx = move_fd(ptx_fd);
+ terminal->pty = move_fd(pty_fd);
+ ret = lxc_terminal_peer_default(terminal);
+ if (ret < 0) {
+ ERROR("Failed to allocate proxy terminal");
+ goto err;
+ }
+
+ return 0;
+
+err:
+ lxc_terminal_delete(terminal);
+ return -ENODEV;
+}
+
+int lxc_terminal_create(const char *name, const char *lxcpath, struct lxc_terminal *terminal)
+{
+ if (!lxc_terminal_create_native(name, lxcpath, terminal))
+ return 0;
+
+ return lxc_terminal_create_foreign(terminal);
+}
+
int lxc_terminal_setup(struct lxc_conf *conf)
{
int ret;
return 0;
}
- ret = lxc_terminal_create(terminal);
+ ret = lxc_terminal_create_foreign(terminal);
if (ret < 0)
return -1;
* - sets up SIGWINCH handler, winsz, and new terminal settings
* (Handlers for SIGWINCH and I/O are not registered in a mainloop.)
*/
-__hidden extern int lxc_terminal_create(struct lxc_terminal *console);
+__hidden extern int lxc_terminal_create(const char *name, const char *lxcpath,
+ struct lxc_terminal *console);
/**
* lxc_terminal_setup: Create a new terminal.
projects / thirdparty / lxc.git / commitdiff
