author | Toni Uhlig <matzeton@googlemail.com> | 2018-06-04 22:51:50 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2018-06-04 22:51:50 +0200 |
commit | f08f519880261ec2bd72ba50bf5ff8600783fcd1 (patch) | |
tree | 05fdf6d9939261ea987d932dcde8b1f4acac6129 | |
parent | b882854c0dd614427ab5e1297c65cf1dace3a391 (diff) |
POTD skeleton #94.
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | src/options.c | 5 | ||||
-rw-r--r-- | src/pseccomp.c | 14 | ||||
-rw-r--r-- | src/utils.c | 82 |
3 files changed, 79 insertions, 22 deletions
diff --git a/src/options.c b/src/options.c
index 084751d..4b14bf1 100644
--- a/src/options.c
+++ b/src/options.c
@@ -1,5 +1,7 @@
 #ifdef HAVE_CONFIG_H
 #include "config.h"
+#else
+#define POTD_LOGFILE "/tmp/potd.log"
 #endif
 #include <stdio.h>
@@ -10,6 +12,7 @@
 #include <getopt.h>
 #include "options.h"
+#include "log.h"
 typedef enum opt_type {
 OT_INVALID = 0, OT_NOARG, OT_L, OT_LL, OT_STR,
@@ -52,7 +55,7 @@ struct opt {
 static struct opt options[OPT_MAX+1] = {
 OPT_NOARG("log-to-file", "short_help", "help"),
 OPT(OT_PATH, .str = POTD_LOGFILE, "log-file", "short help", "help"),
- OPT(OT_STR, .ll = 0, "log-level", "short help", "help"),
+ OPT(OT_STR, .ll = NOTICE, "log-level", "short help", "help"),
 OPT_NOARG("daemon", "short help", "help"),
 OPT_LIST(OT_STR, .ll = 0, "redirect", "short_help", "help"),
 OPT_LIST(OT_STR, .ll = 0, "protocol", "short_help", "help"),
diff --git a/src/pseccomp.c b/src/pseccomp.c
index 23198bd..250ffe4 100644
--- a/src/pseccomp.c
+++ b/src/pseccomp.c
@@ -20,10 +20,11 @@ static const int default_allowed_syscalls[] = {
 SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep), SCMP_SYS(clock_gettime), SCMP_SYS(set_tid_address), SCMP_SYS(exit), SCMP_SYS(exit_group),
- SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fcntl), SCMP_SYS(writev),
+ SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(writev),
+ SCMP_SYS(fcntl), SCMP_SYS(fcntl64),
 SCMP_SYS(close), SCMP_SYS(wait4),
- SCMP_SYS(sigprocmask), SCMP_SYS(tgkill),
- SCMP_SYS(clone), SCMP_SYS(execve),
+ SCMP_SYS(sigprocmask), SCMP_SYS(tgkill), SCMP_SYS(gettid),
+ SCMP_SYS(fork), SCMP_SYS(clone), SCMP_SYS(execve),
 SCMP_SYS(socket), SCMP_SYS(bind), SCMP_SYS(setsockopt), SCMP_SYS(shutdown), SCMP_SYS(listen), SCMP_SYS(connect), SCMP_SYS(getsockname), SCMP_SYS(accept), SCMP_SYS(sendto), SCMP_SYS(recvmsg), SCMP_SYS(recvfrom),
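Review bot: The fallback `#define POTD_LOGFILE "/tmp/potd.log"` makes the default log file a predictable name inside a world-writable directory, so a build without config.h will have the daemon open a path that any local user can pre-create or replace with a symlink before it starts. A default the daemon owns is safer (a path under /var/log, or requiring `--log-file` when no config.h is present), and wherever the file is opened — that code is not in this diff — it should refuse to follow symlinks and refuse to append to a file it did not create. At minimum the define deserves a comment marking it as a development-only fallback, e.g. `/* fallback when built without config.h; not a safe production default */`.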
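Review bot: `SCMP_SYS(fork)` joins `clone` and `execve` in `default_allowed_syscalls` without any note of which caller requires it, and the same widening is applied to `jail_allowed_syscalls` in the next pseccomp.c hunk, which is the list that is supposed to be the most restrictive. Each syscall added here (`fork`, `gettid`, `fcntl64`) should carry a short comment naming the code path that needs it so a later reviewer can tell a deliberate allowance from drift, e.g. `/* fork: TODO name the caller; drop from the jail list once the child no longer spawns */`. If process creation is only needed before the child has been confined, it presumably belongs in the default list alone rather than in both; worth confirming against the callers. `fcntl`/`fcntl64` are also allowed for every command; libseccomp argument rules could confine them to the few flag operations the program actually uses once those are documented.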
@@ -61,10 +62,11 @@ static const int jail_allowed_syscalls[] = {
 SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask), SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep), SCMP_SYS(exit), SCMP_SYS(exit_group),
- SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fcntl), SCMP_SYS(writev),
+ SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(writev),
+ SCMP_SYS(fcntl), SCMP_SYS(fcntl64),
 SCMP_SYS(close), SCMP_SYS(wait4),
- SCMP_SYS(sigprocmask), SCMP_SYS(tgkill),
- SCMP_SYS(clone), SCMP_SYS(execve),
+ SCMP_SYS(sigprocmask), SCMP_SYS(tgkill), SCMP_SYS(gettid),
+ SCMP_SYS(fork), SCMP_SYS(clone), SCMP_SYS(execve),
 SCMP_SYS(mmap), SCMP_SYS(brk), SCMP_SYS(madvise), SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex), SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(fstat), SCMP_SYS(access),
diff --git a/src/utils.c b/src/utils.c
index de757af..9fe158b 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -27,6 +27,10 @@ static int null_fd = -1;
 static const char cgmem[] = "/sys/fs/cgroup/memory/potd";
 static const char cgcpu[] = "/sys/fs/cgroup/cpu/potd";
 static const char cgpid[] = "/sys/fs/cgroup/pids/potd";
+static const char cgdef[] = "/sys/fs/cgroup/potd";
+static const char *_cgmem = NULL;
+static const char *_cgcpu = NULL;
+static const char *_cgpid = NULL;
 static void sighandler_child(int signo);
 static void sighandler_master(int signo);
@@ -124,8 +128,10 @@ pid_t daemonize(int stay_foreground)
 pid = fork();
 /* An error occurred */
- if (pid < 0)
+ if (pid < 0) {
+ E_STRERR("%s", "fork");
 return pid;
+ }
 /* Success: Let the parent terminate */
 if (pid > 0) {
@@ -188,7 +194,7 @@ int close_fds_except(int fds, ...)
 max_fd = sysconf(_SC_OPEN_MAX) - 1;
 if (max_fd <= 0)
- return 1;
+ max_fd = 1024;
 va_start(ap, fds);
 {
@@ -450,7 +456,7 @@ static int cgroups_write_file(const char *cdir, const char *csub,
 if ((fd = open(buf, O_WRONLY)) < 0 || write(fd, value, siz) <= 0) {
- E_STRERR("Write '%s' to '%s/%s'",
+ W_STRERR("Write '%s' to '%s/%s'",
 value, cdir, csub);
 s = 1;
 }
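Review bot: Replacing `return 1;` with `max_fd = 1024;` when `sysconf(_SC_OPEN_MAX)` fails turns a reported failure into a silent partial close: any descriptor numbered above 1024 stays open and is presumably inherited by whatever this helper is cleaning up before (the fork/execve paths elsewhere in the file), which is the leak the function exists to prevent. A fallback that asks `getrlimit(RLIMIT_NOFILE)` first and only then a constant would be closer to correct, and the constant should be named and explained, e.g. `enum { FALLBACK_MAX_FD = 1024 }; /* only when sysconf() cannot report the limit */`. Since the function already returns a status, it should also report non-zero after taking the fallback so callers know the close was best-effort. The rest of close_fds_except lies outside the hunk.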
@@ -462,7 +468,7 @@ static int cgroups_write_file(const char *cdir, const char *csub,
 int cgroups_set(void) {
- int s = 0;
+ int s = 0, fail = 0;
 const char maxmem[] = "memory.limit_in_bytes";
 const char maxmem_soft[] = "memory.soft_limit_in_bytes";
@@ -478,32 +484,78 @@ int cgroups_set(void)
 const char cfs_quota_limit[] = "10000";
 const char pid_max[] = "pids.max";
 const char pid_max_limit[] = "10";
+ const char rt_period[] = "cpu.rt_period_us";
+ const char *rt_period_limit = cfs_period_limit;
+ const char rt_runtime[] = "cpu.rt_runtime_us";
+ const char *rt_runtime_limit = cfs_quota_limit;
 if (remove(cgmem) && errno != ENOENT)
 return 1;
+ errno = 0;
 s |= mkdir(cgmem, S_IRUSR|S_IWUSR|S_IXUSR | S_IRGRP|S_IXGRP | S_IROTH|S_IXOTH);
+ if (errno)
+ fail++;
+
 if (remove(cgcpu) && errno != ENOENT)
 return 1;
+ errno = 0;
 s |= mkdir(cgcpu, S_IRUSR|S_IWUSR|S_IXUSR | S_IRGRP|S_IXGRP | S_IROTH|S_IXOTH);
+ if (errno)
+ fail++;
+
 if (remove(cgpid) && errno != ENOENT)
 return 1;
+ errno = 0;
 s |= mkdir(cgpid, S_IRUSR|S_IWUSR|S_IXUSR | S_IRGRP|S_IXGRP | S_IROTH|S_IXOTH);
+ if (errno)
+ fail++;
- s |= cgroups_write_file(cgmem, maxmem, maxmem_limit, sizeof maxmem_limit);
- s |= cgroups_write_file(cgmem, maxmem_soft, maxmem_soft_limit,
+ if (fail == 3) {
+ if (remove(cgdef) && errno != ENOENT)
+ return 1;
+ if (mkdir(cgdef,
+ S_IRUSR|S_IWUSR|S_IXUSR | S_IRGRP|S_IXGRP | S_IROTH|S_IXOTH))
+ {
+ return 1;
+ }
+
+ _cgmem = cgdef;
+ _cgcpu = cgdef;
+ _cgpid = cgdef;
+ } else {
+ _cgmem = cgmem;
+ _cgcpu = cgcpu;
+ _cgpid = cgpid;
+ }
+
+ s |= cgroups_write_file(_cgmem, maxmem, maxmem_limit, sizeof maxmem_limit);
+ s |= cgroups_write_file(_cgmem, maxmem_soft, maxmem_soft_limit,
 sizeof maxmem_limit);
- s |= cgroups_write_file(cgmem, kmem_tcp, maxmem_limit, sizeof maxmem_limit);
- s |= cgroups_write_file(cgmem, kmem, maxmem_limit, sizeof maxmem_limit);
- s |= cgroups_write_file(cgcpu, cpu_shares, cpu_shares_limit,
+ s |= cgroups_write_file(_cgmem, kmem_tcp, maxmem_limit, sizeof maxmem_limit);
+ s |= cgroups_write_file(_cgmem, kmem, maxmem_limit, sizeof maxmem_limit);
+ s |= cgroups_write_file(_cgcpu, cpu_shares, cpu_shares_limit,
 sizeof cpu_shares_limit);
- s |= cgroups_write_file(cgcpu, cfs_period, cfs_period_limit,
+
+ errno = 0;
+ cgroups_write_file(_cgcpu, cfs_period, cfs_period_limit,
 sizeof cfs_period_limit);
- s |= cgroups_write_file(cgcpu, cfs_quota, cfs_quota_limit,
+ if (errno) {
+ s |= cgroups_write_file(_cgcpu, rt_period, rt_period_limit,
+ sizeof cfs_period_limit);
+ }
+
+ errno = 0;
+ cgroups_write_file(_cgcpu, cfs_quota, cfs_quota_limit,
 sizeof cfs_quota_limit);
- s |= cgroups_write_file(cgpid, pid_max, pid_max_limit,
+ if (errno) {
+ s |= cgroups_write_file(_cgcpu, rt_runtime, rt_runtime_limit,
+ sizeof cfs_quota_limit);
+ }
+
+ s |= cgroups_write_file(_cgpid, pid_max, pid_max_limit,
 sizeof pid_max_limit);
 return s;
@@ -519,17 +571,17 @@ int cgroups_activate(void)
 s = snprintf(buf, sizeof buf, "%d", p);
 if (s <= 0)
 return 1;
- s = cgroups_write_file(cgmem, tasks, buf, s);
+ s = cgroups_write_file(_cgmem, tasks, buf, s);
 s = snprintf(buf, sizeof buf, "%d", p);
 if (s <= 0)
 return 1;
- s = cgroups_write_file(cgcpu, tasks, buf, s);
+ s = cgroups_write_file(_cgcpu, tasks, buf, s);
 s = snprintf(buf, sizeof buf, "%d", p);
 if (s <= 0)
 return 1;
- s = cgroups_write_file(cgpid, tasks, buf, s);
+ s = cgroups_write_file(_cgpid, tasks, buf, s);
 return s;
 }
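Review bot: The `fail == 3` fallback can never report success, because by the time it runs `s` already holds the three failed `mkdir()` results folded in via `s |= mkdir(...)`, so `cgroups_set()` returns non-zero even when `cgdef` and every subsequent write succeed; the branch needs `s = 0;` after `_cgpid = cgdef;` (or the mkdir results should stop being OR-ed into `s` now that `fail` tracks them). The cfs_period/cfs_quota fallback also keys off `errno` while discarding the return value of `cgroups_write_file()`, and errno can be left non-zero by calls inside that helper that did not fail (path formatting, the W_STRERR logging, close), which would write `cpu.rt_period_us` on top of a successful CFS write; the helper's return value is the reliable signal, e.g. `if (cgroups_write_file(_cgcpu, cfs_period, cfs_period_limit, sizeof cfs_period_limit)) s |= cgroups_write_file(_cgcpu, rt_period, rt_period_limit, sizeof cfs_period_limit);`. Whether the v1 file names written under `cgdef` exist there at all depends on how that hierarchy is mounted, which the diff does not show; a comment stating the assumed layout would help. The opening of cgroups_set() is in the preceding hunk.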
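Review bot: `_cgmem`, `_cgcpu` and `_cgpid` are initialised to NULL and only assigned near the end of `cgroups_set()`, which has several `return 1;` exits before that point, so `cgroups_activate()` called after a failed (or skipped) `cgroups_set()` passes NULL into `cgroups_write_file()` where it is formatted into the path — undefined behaviour and a likely crash in the daemon's setup path. A guard at the top of this block, `if (!_cgmem || !_cgcpu || !_cgpid) return 1;`, closes that hole. Separately, each `s = cgroups_write_file(...)` result is overwritten by the following `snprintf()`, so only the pids write's status is ever returned; the earlier two should be OR-ed into a separate status variable. The start of cgroups_activate() is outside the hunk.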