Add support for EGL device isolation

3XX0 · 3XX0 · commit ea2f780e81cb · 2017-11-09T16:50:01.000-08:00
diff --git a/src/nvc_internal.h b/src/nvc_internal.h
@@ -32,6 +32,7 @@
 #define NV_MPS_PIPE_DIR          _PATH_TMP "nvidia-mps"
 #define NV_PROC_DRIVER           "/proc/driver/nvidia"
 #define NV_UVM_PROC_DRIVER       "/proc/driver/nvidia-uvm"
+#define NV_APP_PROFILE_DIR       "/etc/nvidia/nvidia-application-profiles-rc.d"
 
 struct nvc_context {
         bool initialized;
diff --git a/src/nvc_mount.c b/src/nvc_mount.c
@@ -2,6 +2,7 @@
  * Copyright (c) 2017, NVIDIA CORPORATION. All rights reserved.
  */
 
+#include <sys/sysmacros.h>
 #include <sys/mount.h>
 #include <sys/types.h>
 
@@ -24,6 +25,8 @@ static char *mount_device(struct error *, const struct nvc_container *, const ch
 static char *mount_ipc(struct error *, const struct nvc_container *, const char *);
 static char *mount_procfs(struct error *, const struct nvc_container *);
 static char *mount_procfs_gpu(struct error *, const struct nvc_container *, const char *);
+static char *mount_app_profile(struct error *, const struct nvc_container *);
+static int  update_app_profile(struct error *, const struct nvc_container *, dev_t);
 static void unmount(const char *);
 static int  setup_cgroup(struct error *, const char *, dev_t);
 static int  symlink_library(struct error *, const char *, const char *, const char *, const char *, uid_t, gid_t);
@@ -128,6 +131,76 @@ mount_ipc(struct error *err, const struct nvc_container *cnt, const char *ipc)
         return (NULL);
 }
 
+static char *
+mount_app_profile(struct error *err, const struct nvc_container *cnt)
+{
+        char path[PATH_MAX];
+        char *mnt;
+
+        if (path_resolve(err, path, cnt->cfg.rootfs, NV_APP_PROFILE_DIR) < 0)
+                return (NULL);
+        if (file_create(err, path, NULL, cnt->uid, cnt->gid, MODE_DIR(0555)) < 0)
+                goto fail;
+
+        log_infof("mounting tmpfs at %s", path);
+        if (xmount(err, "tmpfs", path, "tmpfs", 0, "mode=0555") < 0)
+                goto fail;
+        /* XXX Some kernels require MS_BIND in order to remount within a userns */
+        if (xmount(err, NULL, path, NULL, MS_BIND|MS_REMOUNT | MS_NODEV|MS_NOSUID|MS_NOEXEC, NULL) < 0)
+                goto fail;
+        if ((mnt = xstrdup(err, path)) == NULL)
+                goto fail;
+        return (mnt);
+
+ fail:
+        unmount(path);
+        return (NULL);
+}
+
+static int
+update_app_profile(struct error *err, const struct nvc_container *cnt, dev_t id)
+{
+        char path[PATH_MAX];
+        char *buf = NULL;
+        char *ptr;
+        uintmax_t n;
+        uint64_t dev;
+        int rv = -1;
+
+#define profile quote_str({\
+        "profiles": [{"name": "_container_", "settings": ["EGLVisibleDGPUDevices", 0x%lx]}],\
+        "rules": [{"pattern": [], "profile": "_container_"}]\
+})
+
+        dev = 1ull << minor(id);
+        if (path_resolve(err, path, cnt->cfg.rootfs, NV_APP_PROFILE_DIR "/10-container.conf") < 0)
+                return (-1);
+        if (file_read_text(err, path, &buf) < 0) {
+                if (err->code != ENOENT)
+                        goto fail;
+                if (xasprintf(err, &buf, profile, dev) < 0)
+                        goto fail;
+        } else {
+                if ((ptr = strstr(buf, "0x")) == NULL ||
+                    (n = strtoumax(ptr, NULL, 16)) == UINTMAX_MAX) {
+                        error_setx(err, "invalid application profile: %s", path);
+                        goto fail;
+                }
+                free(buf), buf = NULL;
+                if (xasprintf(err, &buf, profile, (uint64_t)n|dev) < 0)
+                        goto fail;
+        }
+        if (file_create(err, path, buf, cnt->uid, cnt->gid, MODE_REG(0555)) < 0)
+                goto fail;
+        rv = 0;
+
+#undef profile
+
+ fail:
+        free(buf);
+        return (rv);
+}
+
 static char *
 mount_procfs(struct error *err, const struct nvc_container *cnt)
 {
@@ -294,6 +367,7 @@ symlink_libraries(struct error *err, const struct nvc_container *cnt, const char
 int
 nvc_driver_mount(struct nvc_context *ctx, const struct nvc_container *cnt, const struct nvc_driver_info *info)
 {
+        char *approf_mnt = NULL;
         char *procfs_mnt = NULL;
         char **files_mnt = NULL;
         char **ipcs_mnt = NULL;
@@ -316,6 +390,10 @@ nvc_driver_mount(struct nvc_context *ctx, const struct nvc_container *cnt, const
         if ((procfs_mnt = mount_procfs(&ctx->err, cnt)) == NULL)
                 goto fail;
 
+        /* Application profile mount */
+        if ((approf_mnt = mount_app_profile(&ctx->err, cnt)) == NULL)
+                goto fail;
+
         /* File mounts */
         nfiles_mnt = 3;
         files_mnt = mnt = array_new(&ctx->err, nfiles_mnt);
@@ -371,6 +449,7 @@ nvc_driver_mount(struct nvc_context *ctx, const struct nvc_container *cnt, const
  fail:
         if (rv < 0) {
                 unmount(procfs_mnt);
+                unmount(approf_mnt);
                 for (size_t i = 0; files_mnt != NULL && i < nfiles_mnt; ++i)
                         unmount(files_mnt[i]);
                 for (size_t i = 0; ipcs_mnt != NULL && i < nipcs_mnt; ++i)
@@ -383,6 +462,7 @@ nvc_driver_mount(struct nvc_context *ctx, const struct nvc_container *cnt, const
         }
 
         free(procfs_mnt);
+        free(approf_mnt);
         array_free(files_mnt, nfiles_mnt);
         array_free(ipcs_mnt, nipcs_mnt);
         array_free(devs_mnt, ndevs_mnt);
@@ -417,6 +497,8 @@ nvc_device_mount(struct nvc_context *ctx, const struct nvc_container *cnt, const
         }
         if ((proc_mnt = mount_procfs_gpu(&ctx->err, cnt, dev->busid)) == NULL)
                 goto fail;
+        if (update_app_profile(&ctx->err, cnt, dev->node.id) < 0)
+                goto fail;
         if (!(cnt->flags & OPT_NO_CGROUPS)) {
                 if (setup_cgroup(&ctx->err, cnt->dev_cg, dev->node.id) < 0)
                         goto fail;
diff --git a/src/utils.c b/src/utils.c
@@ -470,7 +470,7 @@ file_create(struct error *err, const char *path, const char *data, uid_t uid, gi
         } else {
                 if (data != NULL) {
                         size = strlen(data);
-                        flags |= O_WRONLY;
+                        flags |= O_WRONLY|O_TRUNC;
                 }
                 if ((fd = open(path, flags, perm)) < 0)
                         goto fail;
diff --git a/src/utils.h b/src/utils.h
@@ -17,6 +17,7 @@
 
 #define CAP_AMBIENT (cap_flag_t)-1
 
+#define quote_str(...) #__VA_ARGS__
 #define nitems(x) (sizeof(x) / sizeof(*x))
 #define maybe_unused __attribute__((unused))
 #define assert_func(fn) do {      \

Original file line number	Diff line number	Diff line change
`@@ -470,7 +470,7 @@ file_create(struct error err, const char path, const char *data, uid_t uid, gi`
`470`	`470`	`} else {`
`471`	`471`	`if (data != NULL) {`
`472`	`472`	`size = strlen(data);`
`473`		`- flags \|= O_WRONLY;`
	`473`	`+ flags \|= O_WRONLY\|O_TRUNC;`
`474`	`474`	`}`
`475`	`475`	`if ((fd = open(path, flags, perm)) < 0)`
`476`	`476`	`goto fail;`