Add support for custom driver root directory

Author: 3XX0

src/cli/cli.h

@@ -25,6 +25,7 @@ struct context {
         /* main */
         uid_t uid;
         gid_t gid;
+        char *root;
         char *ldcache;
         bool load_kmods;
         char *init_flags;

src/cli/configure.c

@@ -13,7 +13,6 @@ static error_t configure_parser(int, char *, struct argp_state *);
 static int check_cuda_version(const struct dsl_data *, enum dsl_comparator, const char *);
 static int check_driver_version(const struct dsl_data *, enum dsl_comparator, const char *);
 static int check_device_arch(const struct dsl_data *, enum dsl_comparator, const char *);
-static bool is_root_dir(const char *);
 
 const struct argp configure_usage = {
         (const struct argp_option[]){
@@ -104,7 +103,7 @@ configure_parser(int key, char *arg, struct argp_state *state)
         case ARGP_KEY_ARG:
                 if (state->arg_num > 0)
                         argp_usage(state);
-                if (is_root_dir(arg)) {
+                if (arg[0] != '/' || !strcmp(arg, "/")) {
                         error_setx(&err, "invalid rootfs directory");
                         goto fatal;
                 }
@@ -155,19 +154,6 @@ check_device_arch(const struct dsl_data *data, enum dsl_comparator cmp, const ch
         return (dsl_compare_version(data->dev->arch, cmp, arch));
 }
 
-static bool
-is_root_dir(const char *path)
-{
-        bool rv = false;
-        char *p;
-
-        p = realpath(path, NULL);
-        if (p != NULL && !strcmp(p, "/"))
-                rv = true;
-        free(p);
-        return (rv);
-}
-
 int
 configure_command(const struct context *ctx)
 {
@@ -207,6 +193,7 @@ configure_command(const struct context *ctx)
         }
         nvc_cfg->uid = ctx->uid;
         nvc_cfg->gid = ctx->gid;
+        nvc_cfg->root = ctx->root;
         nvc_cfg->ldcache = ctx->ldcache;
         if (nvc_init(nvc, nvc_cfg, ctx->init_flags) < 0) {
                 warnx("initialization error: %s", nvc_error(nvc));

src/cli/info.c

@@ -51,7 +51,7 @@ info_command(const struct context *ctx)
         int rv = EXIT_FAILURE;
 
         run_as_root = (geteuid() == 0);
-        if (!run_as_root && ctx->load_kmods) {
+        if (!run_as_root && (ctx->load_kmods || ctx->root != NULL)) {
                 warnx("requires root privileges");
                 return (rv);
         }
@@ -82,6 +82,7 @@ info_command(const struct context *ctx)
         }
         nvc_cfg->uid = (!run_as_root && ctx->uid == (uid_t)-1) ? geteuid() : ctx->uid;
         nvc_cfg->gid = (!run_as_root && ctx->gid == (gid_t)-1) ? getegid() : ctx->gid;
+        nvc_cfg->root = ctx->root;
         nvc_cfg->ldcache = ctx->ldcache;
         if (nvc_init(nvc, nvc_cfg, ctx->init_flags) < 0) {
                 warnx("initialization error: %s", nvc_error(nvc));

src/cli/list.c

@@ -84,7 +84,7 @@ list_command(const struct context *ctx)
         int rv = EXIT_FAILURE;
 
         run_as_root = (geteuid() == 0);
-        if (!run_as_root && ctx->load_kmods) {
+        if (!run_as_root && (ctx->load_kmods || ctx->root != NULL)) {
                 warnx("requires root privileges");
                 return (rv);
         }
@@ -115,6 +115,7 @@ list_command(const struct context *ctx)
         }
         nvc_cfg->uid = (!run_as_root && ctx->uid == (uid_t)-1) ? geteuid() : ctx->uid;
         nvc_cfg->gid = (!run_as_root && ctx->gid == (gid_t)-1) ? getegid() : ctx->gid;
+        nvc_cfg->root = ctx->root;
         nvc_cfg->ldcache = ctx->ldcache;
         if (nvc_init(nvc, nvc_cfg, ctx->init_flags) < 0) {
                 warnx("initialization error: %s", nvc_error(nvc));

src/cli/main.c

@@ -29,6 +29,7 @@ static struct argp usage = {
                 {"debug", 'd', "FILE", 0, "Log debug information", -1},
                 {"load-kmods", 'k', NULL, 0, "Load kernel modules", -1},
                 {"user", 'u', "UID[:GID]", OPTION_ARG_OPTIONAL, "User and group to use for privilege separation", -1},
+                {"root", 'r', "PATH", 0, "Path to the driver root directory", -1},
                 {"ldcache", 'l', "FILE", 0, "Path to the system's DSO cache", -1},
                 {NULL, 0, NULL, 0, "Commands:", 0},
                 {"info", 0, NULL, OPTION_DOC|OPTION_NO_USAGE, "Report information about the driver and devices", 0},
@@ -100,6 +101,9 @@ parser(int key, char *arg, struct argp_state *state)
                         ctx->gid = getegid();
                 }
                 break;
+        case 'r':
+                ctx->root = arg;
+                break;
         case 'l':
                 ctx->ldcache = arg;
                 break;

src/common.h

@@ -11,6 +11,7 @@
 #define PROC_SELF                 "/proc/self"
 #define PROC_MOUNTS_PATH(proc)    proc "/mountinfo"
 #define PROC_CGROUP_PATH(proc)    proc "/cgroup"
+#define PROC_ROOT_PATH(proc)      proc "/root/" /* XXX Leading slash is required */
 #define PROC_NS_PATH(proc)        proc "/ns/%s"
 #define PROC_SETGROUPS_PATH(proc) proc "/setgroups"
 #define PROC_UID_MAP_PATH(proc)   proc "/uid_map"

src/driver.c

@@ -37,7 +37,7 @@
 
 static int reset_cuda_environment(struct error *);
 static int setup_rpc_client(struct driver *);
-static noreturn void setup_rpc_service(struct driver *, uid_t, gid_t, pid_t);
+static noreturn void setup_rpc_service(struct driver *, const char *, uid_t, gid_t, pid_t);
 static int reap_process(struct error *, pid_t, int, bool);
 
 static struct driver_device {
@@ -129,8 +129,10 @@ setup_rpc_client(struct driver *ctx)
 }
 
 static void
-setup_rpc_service(struct driver *ctx, uid_t uid, gid_t gid, pid_t ppid)
+setup_rpc_service(struct driver *ctx, const char *root, uid_t uid, gid_t gid, pid_t ppid)
 {
+        int rv = EXIT_FAILURE;
+
         log_info("starting driver service");
         prctl(PR_SET_NAME, (unsigned long)"nvc:[driver]", 0, 0, 0);
 
@@ -143,6 +145,18 @@ setup_rpc_service(struct driver *ctx, uid_t uid, gid_t gid, pid_t ppid)
         if (getppid() != ppid)
                 kill(getpid(), SIGTERM);
 
+        if (strcmp(root, "/")) {
+                if (chroot(root) < 0 || chdir("/") < 0) {
+                        error_set(ctx->err, "change root failed");
+                        goto fail;
+                }
+        }
+
+        if ((ctx->cuda_dl = xdlopen(ctx->err, SONAME_LIBCUDA, RTLD_NOW)) == NULL)
+                goto fail;
+        if ((ctx->nvml_dl = xdlopen(ctx->err, SONAME_LIBNVML, RTLD_NOW)) == NULL)
+                goto fail;
+
         /*
          * Drop privileges and capabilities for security reasons.
          *
@@ -167,14 +181,16 @@ setup_rpc_service(struct driver *ctx, uid_t uid, gid_t gid, pid_t ppid)
         svc_run();
 
         log_info("terminating driver service");
-        svc_destroy(ctx->rpc_svc);
-        _exit(EXIT_SUCCESS);
+        rv = EXIT_SUCCESS;
 
  fail:
-        log_errf("could not start driver service: %s", ctx->err->msg);
+        if (rv != EXIT_SUCCESS)
+                log_errf("could not start driver service: %s", ctx->err->msg);
+        xdlclose(NULL, ctx->cuda_dl);
+        xdlclose(NULL, ctx->nvml_dl);
         if (ctx->rpc_svc != NULL)
                 svc_destroy(ctx->rpc_svc);
-        _exit(EXIT_FAILURE);
+        _exit(rv);
 }
 
 static int
@@ -217,26 +233,21 @@ driver_program_1_freeresult(maybe_unused SVCXPRT *svc, xdrproc_t xdr_result, cad
 }
 
 int
-driver_init(struct driver *ctx, struct error *err, uid_t uid, gid_t gid)
+driver_init(struct driver *ctx, struct error *err, const char *root, uid_t uid, gid_t gid)
 {
         int ret;
         pid_t pid;
         struct driver_init_res res = {0};
 
         *ctx = (struct driver){err, NULL, NULL, {-1, -1}, -1, NULL, NULL};
 
-        if ((ctx->cuda_dl = xdlopen(err, SONAME_LIBCUDA, RTLD_NOW)) == NULL)
-                goto fail;
-        if ((ctx->nvml_dl = xdlopen(err, SONAME_LIBNVML, RTLD_NOW)) == NULL)
-                goto fail;
-
         pid = getpid();
         if (socketpair(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0, ctx->fd) < 0 || (ctx->pid = fork()) < 0) {
                 error_set(err, "process creation failed");
                 goto fail;
         }
         if (ctx->pid == 0)
-                setup_rpc_service(ctx, uid, gid, pid);
+                setup_rpc_service(ctx, root, uid, gid, pid);
         if (setup_rpc_client(ctx) < 0)
                 goto fail;
 
@@ -255,8 +266,6 @@ driver_init(struct driver *ctx, struct error *err, uid_t uid, gid_t gid)
 
         xclose(ctx->fd[SOCK_CLT]);
         xclose(ctx->fd[SOCK_SVC]);
-        xdlclose(NULL, ctx->cuda_dl);
-        xdlclose(NULL, ctx->nvml_dl);
         return (-1);
 }
 
@@ -294,11 +303,6 @@ driver_shutdown(struct driver *ctx)
 
         xclose(ctx->fd[SOCK_CLT]);
         xclose(ctx->fd[SOCK_SVC]);
-        if (xdlclose(ctx->err, ctx->cuda_dl) < 0)
-                return (-1);
-        if (xdlclose(ctx->err, ctx->nvml_dl) < 0)
-                return (-1);
-
         *ctx = (struct driver){NULL, NULL, NULL, {-1, -1}, -1, NULL, NULL};
         return (0);
 }

src/driver.h

@@ -35,7 +35,7 @@ struct driver {
 
 void driver_program_1(struct svc_req *, register SVCXPRT *);
 
-int driver_init(struct driver *, struct error *, uid_t, gid_t);
+int driver_init(struct driver *, struct error *, const char *, uid_t, gid_t);
 int driver_shutdown(struct driver *);
 int driver_get_rm_version(struct driver *, char **);
 int driver_get_cuda_version(struct driver *, char **);

src/ldcache.c

@@ -107,7 +107,7 @@ ldcache_close(struct ldcache *ctx)
 }
 
 int
-ldcache_resolve(struct ldcache *ctx, uint32_t arch, const char * const libs[],
+ldcache_resolve(struct ldcache *ctx, uint32_t arch, const char *root, const char * const libs[],
     char *paths[], size_t size, ldcache_select_fn select, void *select_ctx)
 {
         char path[PATH_MAX];
@@ -128,11 +128,11 @@ ldcache_resolve(struct ldcache *ctx, uint32_t arch, const char * const libs[],
                 for (size_t j = 0; j < size; ++j) {
                         if (strpcmp(key, libs[j]))
                                 continue;
-                        if (xrealpath(ctx->err, value, path) == NULL)
+                        if (path_resolve(ctx->err, path, root, value) < 0)
                                 return (-1);
                         if (paths[j] != NULL && !strcmp(paths[j], path))
                                 continue;
-                        if ((override = select(ctx->err, select_ctx, paths[j], path)) < 0)
+                        if ((override = select(ctx->err, select_ctx, root, paths[j], path)) < 0)
                                 return (-1);
                         if (override) {
                                 free(paths[j]);

src/ldcache.h

@@ -44,12 +44,12 @@ enum {
         LD_MIPS64_LIBN64_NAN2008   = 0x0e00,
 };
 
-typedef int (*ldcache_select_fn)(struct error *, void *, const char *, const char *);
+typedef int (*ldcache_select_fn)(struct error *, void *, const char *, const char *, const char *);
 
 void ldcache_init(struct ldcache *, struct error *, const char *);
 int  ldcache_open(struct ldcache *);
 int  ldcache_close(struct ldcache *);
-int  ldcache_resolve(struct ldcache *, uint32_t, const char * const [],
+int  ldcache_resolve(struct ldcache *, uint32_t, const char *, const char * const [],
     char *[], size_t, ldcache_select_fn, void *);
 
 #endif /* HEADER_LDCACHE_H */