From: Kunhoon Baik
Date: Mon, 19 Jul 2021 03:14:39 +0000 (+0900)
Subject: Add nsjail service for Tizen distribution
X-Git-Tag: submit/tizen/20210825.085400~9
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b7c4d7c4b9fd377c6a0c26fea6b1c9570b3ab744;p=platform%2Fupstream%2Fnsjail.git

Add nsjail service for Tizen distribution

Tizen will use nsjail as application container by using USER Namespeace. If creating new user namespace, the new user can get admin(root) privilege in the namespace, and can use several kernel resource by creating other namespaces. However, the new user namesapce cannot access unprivilged resource in original namespace. For that, Tizen nsjail service creates some resources (directories for cgroup, and bind mount tmp directories) for the new user namespace. cf) Each Tizen App has each smack label. Unfortunatly, nsjail does not consider such issue for bind mount. For that, at this moment, we create new user's uid based folder name for each application. In the future, the folder name should be created on basis of Tizen package name.
---
diff --git a/mnt.cc b/mnt.cc
index ef2dbd7..f7c5d76 100644
--- a/mnt.cc
+++ b/mnt.cc
@@ -282,7 +282,8 @@ static bool mkdirAndTest(const std::string& dir) {
 static std::unique_ptr getDir(nsjconf_t* nsjconf, const char* name) {
 std::unique_ptr dir(new std::string);
- dir->assign("/run/user/").append(std::to_string(nsjconf->orig_uid)).append("/nsjail");
+ // TODO: In Tizen, each app has specific smack label. Thus, app name should be used as folder separator instead getuid or unique folder
+ dir->assign("/run/user/").append(std::to_string(nsjconf->orig_uid)).append("/nsjail/").append(std::to_string(getuid()));
 if (mkdirAndTest(*dir)) {
 dir->append("/").append(name);
 if (mkdirAndTest(*dir)) {
diff --git a/packaging/nsjail.service b/packaging/nsjail.service
new file mode 100644
index 0000000..85c2f34
--- /dev/null
+++ b/packaging/nsjail.service
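Review bot: The added `.append(std::to_string(getuid()))` builds the per-app directory under a parent that nsjail.sh hands to user `owner` with Smack label `*`, yet nothing in the hunk verifies that the directory `mkdirAndTest(*dir)` accepts is owned by this uid; if mkdirAndTest() tolerates an already existing path (its body is outside the hunk), a `/run/user/<orig_uid>/nsjail/<uid>` pre-created by another principal would be taken over as the bind-mount base. After the first `mkdirAndTest(*dir)` an `lstat()` that rejects the path unless `S_ISDIR(st.st_mode)` and `st.st_uid == getuid()` would close that. The TODO comment should also state when getuid() is expected to differ from nsjconf->orig_uid here, since with equal values the extra level gives no separation between apps; something like `// Per-app subdirectory keyed by the jailed user's uid; to be replaced by the Tizen package name (see TODO)`. getDir continues past the end of the hunk.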
@@ -0,0 +1,12 @@
+[Unit]
+Description=nsjail service
+After=ac.service wait-mount@opt-usr.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+SmackProcessLabel=System::Privileged
+ExecStart=/usr/bin/nsjail.sh start
+ExecStop=/usr/bin/nsjail.sh stop
+RemainAfterExit=yes
+
diff --git a/packaging/nsjail.sh b/packaging/nsjail.sh
new file mode 100644
index 0000000..d38d441
--- /dev/null
+++ b/packaging/nsjail.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+OWNER_ID=`id -u owner`
+
+if [ x$1 == "xstart" ]
+then
+ mkdir /sys/fs/cgroup/memory/NSJAIL
+ chown -R owner:users /sys/fs/cgroup/memory/NSJAIL
+
+ mkdir /sys/fs/cgroup/cpu/NSJAIL
+ chown -R owner:users /sys/fs/cgroup/cpu/NSJAIL
+
+ while [ ! -d /run/user/${OWNER_ID} ]; do sleep 1; done
+
+ mkdir /run/user/${OWNER_ID}/nsjail
+ chown owner:users /run/user/${OWNER_ID}/nsjail
+ chsmack -a "*" /run/user/${OWNER_ID}/nsjail
+else
+ rmdir /sys/fs/cgroup/memory/NSJAIL/NSJAIL*
+ rmdir /sys/fs/cgroup/memory/NSJAIL
+
+ rmdir /sys/fs/cgroup/cpu/NSJAIL/NSJAIL*
+ rmdir /sys/fs/cgroup/cpu/NSJAIL
+
+ rm -rf /run/user/${OWNER_ID}/nsjail
+fi
+
diff --git a/packaging/nsjail.spec b/packaging/nsjail.spec
index e698736..db7e3cb 100644
--- a/packaging/nsjail.spec
+++ b/packaging/nsjail.spec
@@ -12,6 +12,8 @@ URL: https://nsjail.com
 Source0: nsjail-%{version}.tar.gz
 #Source1: kafel.tar.gz
 Source1001: %{name}.manifest
+Source1002: %{name}.service
+Source1003: %{name}.sh
 BuildRequires: autoconf
 BuildRequires: bison
 BuildRequires: flex
@@ -38,6 +40,8 @@ Tizen simple test programs to check nsjail execution validation in Tizen platfor
 %prep
 %setup -q
 cp %{SOURCE1001} .
+cp %{SOURCE1002} .
+cp %{SOURCE1003} .
 %build
 export CFLAGS="$CFLAGS -DTIZEN"
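Review bot: `RemainAfterExit=yes` is set twice in [Service], once after Type= and again after ExecStop=; systemd takes the last value so nothing breaks, but the repeat reads as a leftover and the second line should be dropped. ExecStart runs nsjail.sh, whose start path polls for /run/user/<owner> with no bound, and Type=oneshot disables the start timeout by default, so a device where that user never logs in leaves the unit in activating indefinitely; a `TimeoutStartSec=` chosen for the expected login delay would bound that. The unit has no `[Install]` section, which is fine only because the spec wires it into multi-user.target.wants itself; a one-line comment saying so would stop someone from "fixing" it later.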
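Review bot: `if [ x$1 == "xstart" ]` uses the non-POSIX `==` under `#!/bin/sh` and leaves `$1` unquoted, and no command in either branch is checked: a failing `id -u owner` leaves OWNER_ID empty so every later path becomes /run/user//nsjail, and a failing `mkdir` or `chown` still lets the oneshot report success with the directories in an unknown state. Suggest `set -eu`, `OWNER_ID=$(id -u owner)` and `if [ "x${1-}" = "xstart" ]`, with `mkdir -p` on the cgroup directories so a restart after an unclean stop does not fail on EEXIST. `chown -R owner:users` on the freshly created NSJAIL cgroups also hands the unprivileged user the controller's own files in that directory (the memory and cpu limit knobs), not just the right to create per-jail children; if delegation of sub-cgroups is all that is intended, chown the directory plus its `cgroup.procs`/`tasks` files rather than the whole tree. The `*` Smack label on /run/user/<owner>/nsjail makes that directory reachable from every label, which is what the commit message asks for but deserves a comment next to the `chsmack` line explaining that per-app separation is then expected from the uid subdirectory nsjail creates.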
@@ -52,16 +56,22 @@ popd test
 mkdir -p %{buildroot}/%{_bindir}/
 mkdir -p %{buildroot}/%{_bindir}/nsjail_test/
 mkdir -p %{buildroot}/usr/share/
+mkdir -p %{buildroot}/%{_unitdir}
+
+install -m 0755 nsjail %{buildroot}/%{_bindir}/
+install -m 0755 nsjail.sh %{buildroot}/%{_bindir}/
+install -m 0644 nsjail.service %{buildroot}/%{_unitdir}/
+%install_service multi-user.target.wants nsjail.service
-cp nsjail %{buildroot}/%{_bindir}/
 cp -a test/*_test %{buildroot}/%{_bindir}/nsjail_test/
 cp -a test/*.cfg %{buildroot}/usr/share/
-
 %files
 %manifest %{name}.manifest
 %license LICENSE
-%{_bindir}/nsjail
+%{_bindir}/nsjail*
+%{_unitdir}/nsjail.service
+%{_unitdir}/multi-user.target.wants/nsjail.service
 %files test
 %manifest %{name}.manifest
diff --git a/test/runner-sandbox.cfg b/test/runner-sandbox.cfg
index c7da9bf..c39748a 100644
--- a/test/runner-sandbox.cfg
+++ b/test/runner-sandbox.cfg
@@ -63,6 +63,7 @@ clone_newcgroup: true
 cgroup_mem_max: 10000000
 cgroup_cpu_ms_per_sec: 100
+log_file: "/tmp/nsjail.log"
 pass_fd: 10
 ## Mount settings
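Review bot: `%{_bindir}/nsjail*` in %files also matches the `%{_bindir}/nsjail_test/` directory that the `cp -a test/*_test` line above populates, so the test binaries (presumably listed again in `%files test`, which continues past the hunk) would be packaged in the main package as well, and rpmbuild reports them as listed twice. Name the two installed files instead: `%{_bindir}/nsjail` and `%{_bindir}/nsjail.sh`. Since nsjail.sh is the only thing that runs as root at boot, an explicit entry also makes it visible in the file list rather than hidden behind a glob.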
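Review bot: `log_file: "/tmp/nsjail.log"` is a fixed name in a shared temp directory; if the test runner starts nsjail as root, a file or symlink of that name left by another local user would be appended to or followed (how nsjail opens the log is outside this diff, and fs.protected_symlinks covers only the symlink case where it is enabled). For a test config a path under the test's own working directory avoids that, or, if /tmp is deliberate for debugging, say so next to the line, e.g. `# debugging aid only; not a shipped default`.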