
Commit 889c683

Christian Brauner
Merge pull request #630 from mihalicyn/sys_write_forbid
lxcfs: tighten policy about write() syscall
2 parents 6540dd4 + 3517755 commit 889c683

4 files changed

+33
-19
lines changed


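--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -20,6 +20,12 @@ jobs:
 - ubuntu-22.04
 runs-on: ${{ matrix.os }}
 steps:
+# TODO(mihalicyn): Remove once the following is fixed:
+# https://github.com/actions/runner-images/issues/9491
+- name: Reduce ASLR entropy as a temporary workaround
+run: |
+sudo sysctl -w vm.mmap_rnd_bits=28
+
 - name: Checkout code
 uses: actions/checkout@v2
 
@@ -63,6 +69,12 @@ jobs:
 - ubuntu-22.04
 runs-on: ${{ matrix.os }}
 steps:
+# TODO(mihalicyn): Remove once the following is fixed:
+# https://github.com/actions/runner-images/issues/9491
+- name: Reduce ASLR entropy as a temporary workaround
+run: |
+sudo sysctl -w vm.mmap_rnd_bits=28
+
 - name: Checkout code
 uses: actions/checkout@v2
 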

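--- a/src/lxcfs.c
+++ b/src/lxcfs.c
@@ -661,6 +661,8 @@ static int do_sys_releasedir(const char *path, struct fuse_file_info *fi)
 return __sys_releasedir(path, fi);
 }
 
+static bool cgroup_is_enabled = false;
+
 #if HAVE_FUSE3
 static int lxcfs_getattr(const char *path, struct stat *sb, struct fuse_file_info *fi)
 #else
@@ -681,7 +683,7 @@ static int lxcfs_getattr(const char *path, struct stat *sb)
 return 0;
 }
 
-if (strncmp(path, "/cgroup", 7) == 0) {
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0) {
 up_users();
 ret = do_cg_getattr(path, sb);
 down_users();
@@ -712,7 +714,7 @@ static int lxcfs_opendir(const char *path, struct fuse_file_info *fi)
 if (strcmp(path, "/") == 0)
 return 0;
 
-if (strncmp(path, "/cgroup", 7) == 0) {
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0) {
 up_users();
 ret = do_cg_opendir(path, fi);
 down_users();
@@ -747,13 +749,13 @@ static int lxcfs_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
 dir_filler(filler, buf, "..", 0) != 0 ||
 dir_filler(filler, buf, "proc", 0) != 0 ||
 dir_filler(filler, buf, "sys", 0) != 0 ||
-dir_filler(filler, buf, "cgroup", 0) != 0)
+(cgroup_is_enabled && dir_filler(filler, buf, "cgroup", 0) != 0))
 return -ENOMEM;
 
 return 0;
 }
 
-if (strncmp(path, "/cgroup", 7) == 0) {
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0) {
 up_users();
 ret = do_cg_readdir(path, buf, filler, offset, fi);
 down_users();
@@ -784,7 +786,7 @@ static int lxcfs_access(const char *path, int mode)
 if (strcmp(path, "/") == 0 && (mode & W_OK) == 0)
 return 0;
 
-if (strncmp(path, "/cgroup", 7) == 0) {
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0) {
 up_users();
 ret = do_cg_access(path, mode);
 down_users();
@@ -846,7 +848,7 @@ static int lxcfs_open(const char *path, struct fuse_file_info *fi)
 {
 int ret;
 
-if (strncmp(path, "/cgroup", 7) == 0) {
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0) {
 up_users();
 ret = do_cg_open(path, fi);
 down_users();
@@ -875,7 +877,7 @@ static int lxcfs_read(const char *path, char *buf, size_t size, off_t offset,
 {
 int ret;
 
-if (strncmp(path, "/cgroup", 7) == 0) {
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0) {
 up_users();
 ret = do_cg_read(path, buf, size, offset, fi);
 down_users();
@@ -904,7 +906,7 @@ int lxcfs_write(const char *path, const char *buf, size_t size, off_t offset,
 {
 int ret;
 
-if (strncmp(path, "/cgroup", 7) == 0) {
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0) {
 up_users();
 ret = do_cg_write(path, buf, size, offset, fi);
 down_users();
@@ -983,7 +985,7 @@ int lxcfs_mkdir(const char *path, mode_t mode)
 {
 int ret;
 
-if (strncmp(path, "/cgroup", 7) == 0) {
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0) {
 up_users();
 ret = do_cg_mkdir(path, mode);
 down_users();
@@ -1001,7 +1003,7 @@ int lxcfs_chown(const char *path, uid_t uid, gid_t gid)
 {
 int ret;
 
-if (strncmp(path, "/cgroup", 7) == 0) {
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0) {
 up_users();
 ret = do_cg_chown(path, uid, gid);
 down_users();
@@ -1028,7 +1030,7 @@ int lxcfs_truncate(const char *path, off_t newsize, struct fuse_file_info *fi)
 int lxcfs_truncate(const char *path, off_t newsize)
 #endif
 {
-if (strncmp(path, "/cgroup", 7) == 0)
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0)
 return 0;
 
 if (strncmp(path, "/sys", 4) == 0)
@@ -1041,7 +1043,7 @@ int lxcfs_rmdir(const char *path)
 {
 int ret;
 
-if (strncmp(path, "/cgroup", 7) == 0) {
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0) {
 up_users();
 ret = do_cg_rmdir(path);
 down_users();
@@ -1059,7 +1061,7 @@ int lxcfs_chmod(const char *path, mode_t mode)
 {
 int ret;
 
-if (strncmp(path, "/cgroup", 7) == 0) {
+if (cgroup_is_enabled && strncmp(path, "/cgroup", 7) == 0) {
 up_users();
 ret = do_cg_chmod(path, mode);
 down_users();
@@ -1190,6 +1192,7 @@ static void usage(void)
 lxcfs_info(" -v, --version Print lxcfs version");
 lxcfs_info(" --enable-cfs Enable CPU virtualization via CPU shares");
 lxcfs_info(" --enable-pidfd Use pidfd for process tracking");
+lxcfs_info(" --enable-cgroup Enable cgroup emulation code");
 exit(EXIT_FAILURE);
 }
 
@@ -1238,6 +1241,7 @@ static const struct option long_options[] = {
 
 {"enable-cfs", no_argument, 0, 0 },
 {"enable-pidfd", no_argument, 0, 0 },
+{"enable-cgroup", no_argument, 0, 0 },
 
 {"pidfile", required_argument, 0, 'p' },
 { },
@@ -1318,6 +1322,8 @@ int main(int argc, char *argv[])
 opts->use_pidfd = true;
 else if (strcmp(long_options[idx].name, "enable-cfs") == 0)
 opts->use_cfs = true;
+else if (strcmp(long_options[idx].name, "enable-cgroup") == 0)
+cgroup_is_enabled = true;
 else
 usage();
 break;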
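Review bot: The new `static bool cgroup_is_enabled = false;` in the first hunk has no comment, and nothing at the declaration tells a reader that it is written exactly once from `main()` (last hunk) before the FUSE loop starts and then read by a dozen handlers; add `/* Opt-in via --enable-cgroup; set once in main() before the FUSE loop, read-only afterwards. Every /cgroup handler below is gated on it. */` above it. The other option flags in this file are stored as `opts->use_cfs` / `opts->use_pidfd` (main hunk), so a bare file-scope global is a departure from that convention; if the FUSE handlers cannot reach `opts`, that justification belongs in the same comment. In the lxcfs_truncate hunk a `/cgroup` path with the flag off now falls past the `return 0;` into the `/sys` check, and the rest of that function is outside the hunk, so confirm that its tail rejects unmatched paths with an error rather than returning success. The same gating change is repeated identically in the getattr, opendir, readdir, access, open, read, write, mkdir, chown, rmdir and chmod hunks, and this note covers all of them.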

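--- a/src/sysfs_fuse.c
+++ b/src/sysfs_fuse.c
@@ -307,11 +307,7 @@ __lxcfs_fuse_ops int sys_write(const char *path, const char *buf, size_t size,
 if (f->type != LXC_TYPE_SYS_DEVICES_SYSTEM_CPU_SUBFILE)
 return -EINVAL;
 
-fd = open(path, O_WRONLY | O_CLOEXEC);
-if (fd == -1)
-return -errno;
-
-return pwrite(fd, buf, size, offset);
+return -EACCES;
 }
 
 static int sys_readdir_legacy(const char *path, void *buf, fuse_fill_dir_t filler,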
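Review bot: The removed `open()`/`pwrite()` lines were the only users of `fd`; if `fd` is still declared in the opening lines of `sys_write` (which are outside this hunk), it is now an unused local and `-Wunused-variable` will warn, so that declaration should go in the same change. The unconditional `return -EACCES;` also needs a one-line comment, because a reader will otherwise assume the type check just above it is what blocks the write: `/* Writes are never forwarded to the host sysfs; CPU subfiles are read-only through this mount. */`. Since the result no longer depends on `buf`, `size` or `offset`, a `-Wunused-parameter` build may now warn on those as well, and whatever convention the project uses for unused FUSE-op parameters should be applied here.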

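--- a/tests/main.sh.in
+++ b/tests/main.sh.in
@@ -45,7 +45,7 @@ if [ -x ${lxcfs} ]; then
 export LD_LIBRARY_PATH="{{LXCFS_BUILD_ROOT}}"
 fi
 echo "=> Spawning ${lxcfs} ${LXCFSDIR}"
-${lxcfs} -p ${pidfile} ${LXCFSDIR} &
+${lxcfs} --enable-cgroup -p ${pidfile} ${LXCFSDIR} &
 LXCFSPID=$!
 else
 UNSHARE=0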
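Review bot: The test runner now always spawns lxcfs with `--enable-cgroup`, so the new default behaviour (cgroup emulation off and `/cgroup` absent from the mount) has no coverage at all; a check that `${LXCFSDIR}/cgroup` does not exist when the flag is omitted would pin the behaviour the rest of the change introduces. The enclosing `if [ -x ${lxcfs} ]` block starts before this hunk.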
