From: Robert Swiecki
Date: Sun, 20 Jan 2019 17:37:47 +0000 (+0100)
Subject: Make netlink3-route mandatory
X-Git-Tag: 2.9~42
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=83fc152d7c80211fa3c52e21bda5377ecc8410af;p=platform%2Fupstream%2Fnsjail.git
Make netlink3-route mandatory
---
diff --git a/Makefile b/Makefile
index e318820..6749427 100644
--- a/Makefile
+++ b/Makefile
@@ -48,14 +48,11 @@ ifdef DEBUG
 CXXFLAGS += -g -ggdb -gdwarf-4
 endif
-USE_NL3 ?= yes
-ifeq ($(USE_NL3), yes)
 NL3_EXISTS := $(shell pkg-config --exists libnl-route-3.0 && echo yes)
 ifeq ($(NL3_EXISTS), yes)
- CXXFLAGS += -DNSJAIL_NL3_WITH_MACVLAN $(shell pkg-config --cflags libnl-route-3.0)
+ CXXFLAGS += $(shell pkg-config --cflags libnl-route-3.0)
 LDFLAGS += $(shell pkg-config --libs libnl-route-3.0)
 endif
-endif
 .PHONY: all clean depend indent
@@ -66,9 +63,9 @@ all: $(BIN)
 $(BIN): $(LIBS) $(OBJS)
 ifneq ($(NL3_EXISTS), yes)
- $(warning "==========================================================")
- $(warning "No support for libnl3/libnl-route-3; /sbin/ip will be used")
- $(warning "==========================================================")
+ $(warning "============================================================")
+ $(warning "You probably miss libnl3(-dev)/libnl-route-3(-dev) libraries")
+ $(warning "============================================================")
 endif
 $(CXX) -o $(BIN) $(OBJS) $(LIBS) $(LDFLAGS)
diff --git a/cgroup.cc b/cgroup.cc
index 91a09ce..f84aead 100644
--- a/cgroup.cc
+++ b/cgroup.cc
@@ -38,7 +38,7 @@ namespace cgroup {
 static bool createCgroup(const std::string& cgroup_path, pid_t pid) {
- LOG_D("Create '%s' for PID=%d", cgroup_path.c_str(), (int)pid);
+ LOG_D("Create '%s' for pid=%d", cgroup_path.c_str(), (int)pid);
 if (mkdir(cgroup_path.c_str(), 0700) == -1 && errno != EEXIST) {
 PLOG_W("mkdir('%s', 0700) failed", cgroup_path.c_str());
 return false;
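Review bot: With libnl3-route now mandatory, a missing library still does not stop the build: when `pkg-config --exists libnl-route-3.0` fails, this hunk merely skips the CXXFLAGS/LDFLAGS additions, and the `$(warning …)` lines in the `$(BIN)` recipe (the second hunk of this file) are, if I read make's recipe expansion right, only evaluated when the link step runs — which is after compiling net.cc with its now-unconditional netlink includes has already failed with a header-not-found error. A parse-time hard failure gives the intended message first: `ifneq ($(NL3_EXISTS), yes)` / `$(error You probably miss libnl3(-dev)/libnl-route-3(-dev) libraries)` / `endif` directly after the NL3_EXISTS assignment, after which the warning block in the `$(BIN)` recipe is redundant. The `ifeq ($(NL3_EXISTS), yes)` guard around the flag additions can then go too, since the flags are always wanted.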
@@ -62,7 +62,7 @@ static bool writeToCgroup(
 static bool addPidToTaskList(const std::string& cgroup_path, pid_t pid) {
 std::string pid_str = std::to_string(pid);
 std::string tasks_path = cgroup_path + "/tasks";
- LOG_D("Adding PID='%s' to '%s'", pid_str.c_str(), tasks_path.c_str());
+ LOG_D("Adding pid='%s' to '%s'", pid_str.c_str(), tasks_path.c_str());
 return writeToCgroup(tasks_path, pid_str, "'" + tasks_path + "' task list");
 }
diff --git a/net.cc b/net.cc
index fb78e9b..9220022 100644
--- a/net.cc
+++ b/net.cc
@@ -50,7 +50,6 @@ namespace net {
 #define IFACE_NAME "vs"
-#if defined(NSJAIL_NL3_WITH_MACVLAN)
 #include
 #include
@@ -116,7 +115,7 @@ static bool moveToNs(
 int err = rtnl_link_change(sk, orig_link, new_link, RTM_SETLINK);
 if (err < 0) {
- LOG_E("rtnl_link_change(): set NS of interface '%s' to PID=%d: %s", iface.c_str(),
+ LOG_E("rtnl_link_change(): set NS of interface '%s' to pid=%d: %s", iface.c_str(),
 (int)pid, nl_geterror(err));
 rtnl_link_put(new_link);
 rtnl_link_put(orig_link);
@@ -169,52 +168,6 @@ bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
 nl_socket_free(sk);
 return true;
 }
-#else // defined(NSJAIL_NL3_WITH_MACVLAN)
-
-static bool moveToNs(const std::string& iface, pid_t pid) {
- const std::vector argv{
- "/sbin/ip", "link", "set", iface, "netns", std::to_string(pid)};
- if (subproc::systemExe(argv, environ) != 0) {
- LOG_E("Couldn't put interface '%s' into NET ns of the PID=%d", iface.c_str(),
- (int)pid);
- return false;
- }
- return true;
-}
-
-bool initNsFromParent(nsjconf_t* nsjconf, int pid) {
- if (!nsjconf->clone_newnet) {
- return true;
- }
- for (const auto& iface : nsjconf->ifaces) {
- if (!moveToNs(iface, pid)) {
- return false;
- }
- }
- if (nsjconf->iface_vs.empty()) {
- return true;
- }
-
- LOG_D("Putting iface:'%s' into namespace of PID:%d (with /sbin/ip)",
- nsjconf->iface_vs.c_str(), pid);
-
- std::vector argv;
-
- if (nsjconf->iface_vs_ma != "") {
- argv = {"/sbin/ip", "link", "add", "link", nsjconf->iface_vs, "name", IFACE_NAME,
- "netns", std::to_string(pid), "address", nsjconf->iface_vs_ma, "type",
- "macvlan", "mode", "bridge"};
- } else {
- argv = {"/sbin/ip", "link", "add", "link", nsjconf->iface_vs, "name", IFACE_NAME,
- "netns", std::to_string(pid), "type", "macvlan", "mode", "bridge"};
- }
- if (subproc::systemExe(argv, environ) != 0) {
- LOG_E("Couldn't create MACVTAP interface for '%s'", nsjconf->iface_vs.c_str());
- return false;
- }
- return true;
-}
-#endif // defined(NSJAIL_NL3_WITH_MACVLAN)
 static bool isSocket(int fd) {
 int optval;
diff --git a/subproc.cc b/subproc.cc
index dc05383..2767307 100644
--- a/subproc.cc
+++ b/subproc.cc
@@ -207,14 +207,14 @@ static void addProc(nsjconf_t* nsjconf, pid_t pid, int sock) {
 nsjconf->pids.push_back(p);
- LOG_D("Added pid '%d' with start time '%u' to the queue for IP: '%s'", p.pid,
+ LOG_D("Added pid=%d with start time '%u' to the queue for IP: '%s'", p.pid,
 (unsigned int)p.start, p.remote_txt.c_str());
 }
 static void removeProc(nsjconf_t* nsjconf, pid_t pid) {
 for (auto p = nsjconf->pids.begin(); p != nsjconf->pids.end(); ++p) {
 if (p->pid == pid) {
- LOG_D("Removing pid '%d' from the queue (IP:'%s', start time:'%s')", p->pid,
+ LOG_D("Removing pid=%d from the queue (IP:'%s', start time:'%s')", p->pid,
 p->remote_txt.c_str(), util::timeToStr(p->start).c_str());
 close(p->pid_syscall_fd);
 nsjconf->pids.erase(p);
@@ -222,7 +222,7 @@ static void removeProc(nsjconf_t* nsjconf, pid_t pid) {
 return;
 }
 }
- LOG_W("PID: %d not found (?)", pid);
+ LOG_W("pid=%d not found (?)", pid);
 }
 int countProc(nsjconf_t* nsjconf) {
@@ -235,7 +235,7 @@ void displayProc(nsjconf_t* nsjconf) {
 for (const auto& pid : nsjconf->pids) {
 time_t diff = now - pid.start;
 uint64_t left = nsjconf->tlimit ? nsjconf->tlimit - (uint64_t)diff : 0;
- LOG_I("PID: %d, Remote host: %s, Run time: %ld sec. (time left: %" PRId64 " sec.)",
+ LOG_I("pid=%d, Remote host: %s, Run time: %ld sec. (time left: %" PRId64 " sec.)",
 pid.pid, pid.remote_txt.c_str(), (long)diff, left);
 }
 }
@@ -250,20 +250,20 @@ static const pids_t* getPidElem(nsjconf_t* nsjconf, pid_t pid) {
 }
 static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) {
- LOG_W("PID: %d commited a syscall/seccomp violation and exited with SIGSYS", si->si_pid);
+ LOG_W("pid=%d commited a syscall/seccomp violation and exited with SIGSYS", si->si_pid);
 const pids_t* p = getPidElem(nsjconf, si->si_pid);
 if (p == NULL) {
- LOG_W("PID:%d SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d", (int)si->si_pid,
+ LOG_W("pid=%d SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d", (int)si->si_pid,
 si->si_syscall, si->si_code, si->si_errno, si->si_signo);
- LOG_E("Couldn't find pid element in the subproc list for PID: %d", (int)si->si_pid);
+ LOG_E("Couldn't find pid element in the subproc list for pid=%d", (int)si->si_pid);
 return;
 }
 char buf[4096];
 ssize_t rdsize = util::readFromFd(p->pid_syscall_fd, buf, sizeof(buf) - 1);
 if (rdsize < 1) {
- LOG_W("PID: %d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d",
+ LOG_W("pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d",
 (int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo);
 return;
 }
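Review bot: The first added line of this hunk carries the misspelling `commited` forward; since the message is being rewritten anyway, fix it to `LOG_W("pid=%d committed a syscall/seccomp violation and exited with SIGSYS", si->si_pid);`. Operators grep logs for exactly these strings, so a spelling change is cheaper to make now than after the new wording has shipped. seccompViolation continues past the end of the hunk.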
@@ -275,18 +275,18 @@ static void seccompViolation(nsjconf_t* nsjconf, siginfo_t* si) { &arg4, &arg5, &arg6, &sp, &pc); if (ret == 9) { LOG_W( - "PID: %d, Syscall number: %td, Arguments: %#tx, %#tx, %#tx, %#tx, %#tx, %#tx, " + "pid=%d, Syscall number: %td, Arguments: %#tx, %#tx, %#tx, %#tx, %#tx, %#tx, " "SP: %#tx, PC: %#tx, si_syscall: %d, si_errno: %#x", (int)si->si_pid, sc, arg1, arg2, arg3, arg4, arg5, arg6, sp, pc, si->si_syscall, si->si_errno); } else if (ret == 3) { LOG_W( - "PID: %d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d, SP: %#tx, PC: " + "pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, SiSigno: %d, SP: %#tx, PC: " "%#tx", (int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, si->si_signo, arg1, arg2); } else { - LOG_W("PID: %d, SiSyscall: %d, SiCode: %d, SiErrno: %d, Syscall string '%s'", + LOG_W("pid=%d, SiSyscall: %d, SiCode: %d, SiErrno: %d, Syscall string '%s'", (int)si->si_pid, si->si_syscall, si->si_code, si->si_errno, buf); } } @@ -304,13 +304,13 @@ static int reapProc(nsjconf_t* nsjconf, pid_t pid, bool should_wait = false) { } if (WIFEXITED(status)) { - LOG_I("PID: %d (%s) exited with status: %d, (PIDs left: %d)", pid, + LOG_I("pid=%d (%s) exited with status: %d, (PIDs left: %d)", pid, remote_txt.c_str(), WEXITSTATUS(status), countProc(nsjconf) - 1); removeProc(nsjconf, pid); return WEXITSTATUS(status); } if (WIFSIGNALED(status)) { - LOG_I("PID: %d (%s) terminated with signal: %s (%d), (PIDs left: %d)", pid, + LOG_I("pid=%d (%s) terminated with signal: %s (%d), (PIDs left: %d)", pid, remote_txt.c_str(), util::sigName(WTERMSIG(status)).c_str(), WTERMSIG(status), countProc(nsjconf) - 1); removeProc(nsjconf, pid); 
@@ -346,17 +346,16 @@ int reapProc(nsjconf_t* nsjconf) {
 pid_t pid = p.pid;
 time_t diff = now - p.start;
 if ((uint64_t)diff >= nsjconf->tlimit) {
- LOG_I("PID: %d run time >= time limit (%ld >= %" PRIu64
- ") (%s). Killing it",
+ LOG_I("pid=%d run time >= time limit (%ld >= %" PRIu64 ") (%s). Killing it",
 pid, (long)diff, nsjconf->tlimit, p.remote_txt.c_str());
 /*
 * Probably a kernel bug - some processes cannot be killed with KILL if
 * they're namespaced, and in a stopped state
 */
 kill(pid, SIGCONT);
- LOG_D("Sent SIGCONT to PID: %d", pid);
+ LOG_D("Sent SIGCONT to pid=%d", pid);
 kill(pid, SIGKILL);
- LOG_D("Sent SIGKILL to PID: %d", pid);
+ LOG_D("Sent SIGKILL to pid=%d", pid);
 }
 }
 return rv;
@@ -375,15 +374,15 @@ void killAndReapAll(nsjconf_t* nsjconf) {
 static bool initParent(nsjconf_t* nsjconf, pid_t pid, int pipefd) {
 if (!net::initNsFromParent(nsjconf, pid)) {
- LOG_E("Couldn't initialize net namespace for pid '%d'", pid);
+ LOG_E("Couldn't initialize net namespace for pid=%d", pid);
 return false;
 }
 if (!cgroup::initNsFromParent(nsjconf, pid)) {
- LOG_E("Couldn't initialize cgroup user namespace for pid '%d'", pid);
+ LOG_E("Couldn't initialize cgroup user namespace for pid=%d", pid);
 exit(0xff);
 }
 if (!user::initNsFromParent(nsjconf, pid)) {
- LOG_E("Couldn't initialize user namespace for pid %d", pid);
+ LOG_E("Couldn't initialize user namespace for pid=%d", pid);
 return false;
 }
 if (!util::writeToFd(pipefd, &kSubprocDoneChar, sizeof(kSubprocDoneChar))) {
@@ -557,7 +556,7 @@ int systemExe(const std::vector& args, char** env) {
 }
 if (WIFEXITED(status)) {
 int exit_code = WEXITSTATUS(status);
- LOG_D("PID %d exited with exit code: %d", pid, exit_code);
+ LOG_D("pid=%d exited with exit code: %d", pid, exit_code);
 if (exec_failed) {
 return -1;
 } else if (exit_code == 0) {
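Review bot: The new `LOG_D("Sent SIGCONT to pid=%d", pid)` and `LOG_D("Sent SIGKILL to pid=%d", pid)` lines report success unconditionally, but the `kill()` return values directly above them are never examined, so a sandboxee that outlives its time limit because the kill failed (EPERM, ESRCH) leaves no trace in the log. Checking at least the SIGKILL result, `if (kill(pid, SIGKILL) == -1) PLOG_W("kill(pid=%d, SIGKILL) failed", pid);`, keeps the debug line honest and surfaces the failure at warning level where the time-limit enforcement can be audited. The enclosing reapProc starts before this hunk and continues after it.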
@@ -568,7 +567,7 @@ int systemExe(const std::vector& args, char** env) {
 }
 if (WIFSIGNALED(status)) {
 int exit_signal = WTERMSIG(status);
- LOG_W("PID %d killed by signal: %d (%s)", pid, exit_signal,
+ LOG_W("pid=%d killed by signal: %d (%s)", pid, exit_signal,
 util::sigName(exit_signal).c_str());
 return 2;
 }