test/ares-test-ns.cc - third_party/c-ares - Git at Google

 /*
  * Copyright (C) The c-ares project
  *
  * Permission to use, copy, modify, and distribute this
  * software and its documentation for any purpose and without
  * fee is hereby granted, provided that the above copyright
  * notice appear in all copies and that both that copyright
  * notice and this permission notice appear in supporting
  * documentation, and that the name of M.I.T. not be used in
  * advertising or publicity pertaining to distribution of the
  * software without specific, written prior permission.
  * M.I.T. makes no representations about the suitability of
  * this software for any purpose.  It is provided "as is"
  * without express or implied warranty.
  *
  * SPDX-License-Identifier: MIT
  */
 #include "ares-test.h"

 #ifdef HAVE_CONTAINER

 #include <sys/mount.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>

 #include <iostream>
 #include <functional>
 #include <string>
 #include <sstream>
 #include <vector>

 namespace ares {
 namespace test {

 namespace {

 struct ContainerInfo {
   ContainerFilesystem* fs_;
   std::string hostname_;
   std::string domainname_;
   VoidToIntFn fn_;
 };

 int EnterContainer(void *data) {
   ContainerInfo *container = (ContainerInfo*)data;

   if (verbose) {
     std::cerr << "Running function in container {chroot='"
               << container->fs_->root() << "', hostname='" << container->hostname_
               << "', domainname='" << container->domainname_ << "'}"
               << std::endl;
   }

   // Ensure we are apparently root before continuing.
   int count = 10;
   while (getuid() != 0 && count > 0) {
     usleep(100000);
     count--;
   }
   if (getuid() != 0) {
     std::cerr << "Child in user namespace has uid " << getuid() << std::endl;
     return -1;
   }
   if (!container->fs_->mountpt().empty()) {
     // We want to bind mount this inside the specified directory.
     std::string innerdir = container->fs_->root() + container->fs_->mountpt();
     if (verbose) std::cerr << " mount --bind " << container->fs_->mountpt()
                            << " " << innerdir << std::endl;
     int rc = mount(container->fs_->mountpt().c_str(), innerdir.c_str(),
                    "none", MS_BIND, 0);
     if (rc != 0) {
       std::cerr << "Warning: failed to bind mount " << container->fs_->mountpt() << " at "
                 << innerdir << ", errno=" << errno << std::endl;
     }
   }

   // Move into the specified directory.
   if (chdir(container->fs_->root().c_str()) != 0) {
     std::cerr << "Failed to chdir('" << container->fs_->root()
               << "'), errno=" << errno << std::endl;
     return -1;
   }
   // And make it the new root directory;
   char buffer[PATH_MAX + 1];
   if (getcwd(buffer, PATH_MAX) == NULL) {
     std::cerr << "failed to retrieve cwd, errno=" << errno << std::endl;
     return -1;
   }
   buffer[PATH_MAX] = '\0';
   if (chroot(buffer) != 0) {
     std::cerr << "chroot('" << buffer << "') failed, errno=" << errno << std::endl;
     return -1;
   }

   // Set host/domainnames if specified
   if (!container->hostname_.empty()) {
     if (sethostname(container->hostname_.c_str(),
                     container->hostname_.size()) != 0) {
       std::cerr << "Failed to sethostname('" << container->hostname_
                 << "'), errno=" << errno << std::endl;
       return -1;
     }
   }
   if (!container->domainname_.empty()) {
     if (setdomainname(container->domainname_.c_str(),
                       container->domainname_.size()) != 0) {
       std::cerr << "Failed to setdomainname('" << container->domainname_
                 << "'), errno=" << errno << std::endl;
       return -1;
     }
   }

   return container->fn_();
 }

 }  // namespace

 // Run a function while:
 //  - chroot()ed into a particular directory
 //  - having a specified hostname/domainname

 int RunInContainer(ContainerFilesystem* fs, const std::string& hostname,
                    const std::string& domainname, VoidToIntFn fn) {
   const int stack_size = 1024 * 1024;
   std::vector<byte> stack(stack_size, 0);
   ContainerInfo container = {fs, hostname, domainname, fn};

   // Start a child process in a new user and UTS namespace
   pid_t child = clone(EnterContainer, stack.data() + stack_size,
                       CLONE_VM|CLONE_NEWNS|CLONE_NEWUSER|CLONE_NEWUTS|SIGCHLD,
                       (void *)&container);
   if (child < 0) {
     std::cerr << "Failed to clone(), errno=" << errno << std::endl;
     return -1;
   }

   // Build the UID map that makes us look like root inside the namespace.
   std::stringstream mapfiless;
   mapfiless << "/proc/" << child << "/uid_map";
   std::string mapfile = mapfiless.str();
   int fd = open(mapfile.c_str(), O_CREAT|O_WRONLY|O_TRUNC, 0644);
   if (fd < 0) {
     std::cerr << "Failed to create '" << mapfile << "'" << std::endl;
     return -1;
   }
   std::stringstream contentss;
   contentss << "0 " << getuid() << " 1" << std::endl;
   std::string content = contentss.str();
   int rc = write(fd, content.c_str(), content.size());
   if (rc != (int)content.size()) {
     std::cerr << "Failed to write uid map to '" << mapfile << "'" << std::endl;
   }
   close(fd);

   // Wait for the child process and retrieve its status.
   int status;
   waitpid(child, &status, 0);
   if (rc <= 0) {
     std::cerr << "Failed to waitpid(" << child << ")" << std::endl;
     return -1;
   }
   if (!WIFEXITED(status)) {
     std::cerr << "Child " << child << " did not exit normally" << std::endl;
     return -1;
   }
   return status;
 }

 ContainerFilesystem::ContainerFilesystem(NameContentList files, const std::string& mountpt) {
   rootdir_ = TempNam(nullptr, "ares-chroot");
   mkdir(rootdir_.c_str(), 0755);
   dirs_.push_front(rootdir_);
   for (const auto& nc : files) {
     std::string fullpath = rootdir_ + nc.first;
     int idx = fullpath.rfind('/');
     std::string dir = fullpath.substr(0, idx);
     EnsureDirExists(dir);
     files_.push_back(std::unique_ptr<TransientFile>(
         new TransientFile(fullpath, nc.second)));
   }
   if (!mountpt.empty()) {
     char buffer[PATH_MAX + 1];
     if (realpath(mountpt.c_str(), buffer)) {
       mountpt_ = buffer;
       std::string fullpath = rootdir_ + mountpt_;
       EnsureDirExists(fullpath);
     }
   }
 }

 ContainerFilesystem::~ContainerFilesystem() {
   files_.clear();
   for (const std::string& dir : dirs_) {
     rmdir(dir.c_str());
   }
 }

 void ContainerFilesystem::EnsureDirExists(const std::string& dir) {
   if (std::find(dirs_.begin(), dirs_.end(), dir) != dirs_.end()) {
     return;
   }
   size_t idx = dir.rfind('/');
   if (idx != std::string::npos) {
     std::string prevdir = dir.substr(0, idx);
     EnsureDirExists(prevdir);
   }
   // Ensure this directory is in the list before its ancestors.
   mkdir(dir.c_str(), 0755);
   dirs_.push_front(dir);
 }

 }  // namespace test
 }  // namespace ares

 #endif
	/*
	* Copyright (C) The c-ares project
	*
	* Permission to use, copy, modify, and distribute this
	* software and its documentation for any purpose and without
	* fee is hereby granted, provided that the above copyright
	* notice appear in all copies and that both that copyright
	* notice and this permission notice appear in supporting
	* documentation, and that the name of M.I.T. not be used in
	* advertising or publicity pertaining to distribution of the
	* software without specific, written prior permission.
	* M.I.T. makes no representations about the suitability of
	* this software for any purpose. It is provided "as is"
	* without express or implied warranty.
	*
	* SPDX-License-Identifier: MIT
	*/
	#include "ares-test.h"

	#ifdef HAVE_CONTAINER

	#include <sys/mount.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <fcntl.h>

	#include <iostream>
	#include <functional>
	#include <string>
	#include <sstream>
	#include <vector>

	namespace ares {
	namespace test {

	namespace {

	struct ContainerInfo {
	ContainerFilesystem* fs_;
	std::string hostname_;
	std::string domainname_;
	VoidToIntFn fn_;
	};

	int EnterContainer(void *data) {
	ContainerInfo container = (ContainerInfo)data;

	if (verbose) {
	std::cerr << "Running function in container {chroot='"
	<< container->fs_->root() << "', hostname='" << container->hostname_
	<< "', domainname='" << container->domainname_ << "'}"
	<< std::endl;
	}

	// Ensure we are apparently root before continuing.
	int count = 10;
	while (getuid() != 0 && count > 0) {
	usleep(100000);
	count--;
	}
	if (getuid() != 0) {
	std::cerr << "Child in user namespace has uid " << getuid() << std::endl;
	return -1;
	}
	if (!container->fs_->mountpt().empty()) {
	// We want to bind mount this inside the specified directory.
	std::string innerdir = container->fs_->root() + container->fs_->mountpt();
	if (verbose) std::cerr << " mount --bind " << container->fs_->mountpt()
	<< " " << innerdir << std::endl;
	int rc = mount(container->fs_->mountpt().c_str(), innerdir.c_str(),
	"none", MS_BIND, 0);
	if (rc != 0) {
	std::cerr << "Warning: failed to bind mount " << container->fs_->mountpt() << " at "
	<< innerdir << ", errno=" << errno << std::endl;
	}
	}

	// Move into the specified directory.
	if (chdir(container->fs_->root().c_str()) != 0) {
	std::cerr << "Failed to chdir('" << container->fs_->root()
	<< "'), errno=" << errno << std::endl;
	return -1;
	}
	// And make it the new root directory;
	char buffer[PATH_MAX + 1];
	if (getcwd(buffer, PATH_MAX) == NULL) {
	std::cerr << "failed to retrieve cwd, errno=" << errno << std::endl;
	return -1;
	}
	buffer[PATH_MAX] = '\0';
	if (chroot(buffer) != 0) {
	std::cerr << "chroot('" << buffer << "') failed, errno=" << errno << std::endl;
	return -1;
	}

	// Set host/domainnames if specified
	if (!container->hostname_.empty()) {
	if (sethostname(container->hostname_.c_str(),
	container->hostname_.size()) != 0) {
	std::cerr << "Failed to sethostname('" << container->hostname_
	<< "'), errno=" << errno << std::endl;
	return -1;
	}
	}
	if (!container->domainname_.empty()) {
	if (setdomainname(container->domainname_.c_str(),
	container->domainname_.size()) != 0) {
	std::cerr << "Failed to setdomainname('" << container->domainname_
	<< "'), errno=" << errno << std::endl;
	return -1;
	}
	}

	return container->fn_();
	}

	} // namespace

	// Run a function while:
	// - chroot()ed into a particular directory
	// - having a specified hostname/domainname

	int RunInContainer(ContainerFilesystem* fs, const std::string& hostname,
	const std::string& domainname, VoidToIntFn fn) {
	const int stack_size = 1024 * 1024;
	std::vector<byte> stack(stack_size, 0);
	ContainerInfo container = {fs, hostname, domainname, fn};

	// Start a child process in a new user and UTS namespace
	pid_t child = clone(EnterContainer, stack.data() + stack_size,
	CLONE_VM\|CLONE_NEWNS\|CLONE_NEWUSER\|CLONE_NEWUTS\|SIGCHLD,
	(void *)&container);
	if (child < 0) {
	std::cerr << "Failed to clone(), errno=" << errno << std::endl;
	return -1;
	}

	// Build the UID map that makes us look like root inside the namespace.
	std::stringstream mapfiless;
	mapfiless << "/proc/" << child << "/uid_map";
	std::string mapfile = mapfiless.str();
	int fd = open(mapfile.c_str(), O_CREAT\|O_WRONLY\|O_TRUNC, 0644);
	if (fd < 0) {
	std::cerr << "Failed to create '" << mapfile << "'" << std::endl;
	return -1;
	}
	std::stringstream contentss;
	contentss << "0 " << getuid() << " 1" << std::endl;
	std::string content = contentss.str();
	int rc = write(fd, content.c_str(), content.size());
	if (rc != (int)content.size()) {
	std::cerr << "Failed to write uid map to '" << mapfile << "'" << std::endl;
	}
	close(fd);

	// Wait for the child process and retrieve its status.
	int status;
	waitpid(child, &status, 0);
	if (rc <= 0) {
	std::cerr << "Failed to waitpid(" << child << ")" << std::endl;
	return -1;
	}
	if (!WIFEXITED(status)) {
	std::cerr << "Child " << child << " did not exit normally" << std::endl;
	return -1;
	}
	return status;
	}

	ContainerFilesystem::ContainerFilesystem(NameContentList files, const std::string& mountpt) {
	rootdir_ = TempNam(nullptr, "ares-chroot");
	mkdir(rootdir_.c_str(), 0755);
	dirs_.push_front(rootdir_);
	for (const auto& nc : files) {
	std::string fullpath = rootdir_ + nc.first;
	int idx = fullpath.rfind('/');
	std::string dir = fullpath.substr(0, idx);
	EnsureDirExists(dir);
	files_.push_back(std::unique_ptr<TransientFile>(
	new TransientFile(fullpath, nc.second)));
	}
	if (!mountpt.empty()) {
	char buffer[PATH_MAX + 1];
	if (realpath(mountpt.c_str(), buffer)) {
	mountpt_ = buffer;
	std::string fullpath = rootdir_ + mountpt_;
	EnsureDirExists(fullpath);
	}
	}
	}

	ContainerFilesystem::~ContainerFilesystem() {
	files_.clear();
	for (const std::string& dir : dirs_) {
	rmdir(dir.c_str());
	}
	}

	void ContainerFilesystem::EnsureDirExists(const std::string& dir) {
	if (std::find(dirs_.begin(), dirs_.end(), dir) != dirs_.end()) {
	return;
	}
	size_t idx = dir.rfind('/');
	if (idx != std::string::npos) {
	std::string prevdir = dir.substr(0, idx);
	EnsureDirExists(prevdir);
	}
	// Ensure this directory is in the list before its ancestors.
	mkdir(dir.c_str(), 0755);
	dirs_.push_front(dir);
	}

	} // namespace test
	} // namespace ares

	#endif