[RFC PATCH 11/27] containers: Sample program for driving container objects

David Howells dhowells at redhat.com
Fri Feb 15 16:09:05 UTC 2019


Add a sample program to demonstrate driving a container object.  It is
called something like:

	./samples/vfs/test-container /dev/sda3

where /dev/sda3 holds an ext4 filesystem that has appropriate /etc, /bin,
/usr, /lib, /proc directories emplaced such that procfs can be mounted and
then /bin/bash can be executed within the container.

Signed-off-by: David Howells <dhowells at redhat.com>
---

 samples/vfs/Makefile         |    5 +
 samples/vfs/test-container.c |  279 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 283 insertions(+), 1 deletion(-)
 create mode 100644 samples/vfs/test-container.c

diff --git a/samples/vfs/Makefile b/samples/vfs/Makefile
index b88655cb2f1d..25420919ee40 100644
--- a/samples/vfs/Makefile
+++ b/samples/vfs/Makefile
@@ -4,7 +4,8 @@ hostprogs-$(CONFIG_SAMPLE_VFS) := \
 	test-fs-query \
 	test-fsmount \
 	test-mntinfo \
-	test-statx
+	test-statx \
+	test-container
 
 # Tell kbuild to always build the programs
 always := $(hostprogs-y)
@@ -17,3 +18,5 @@ HOSTLDLIBS_test-mntinfo += -lm
 HOSTCFLAGS_test-fs-query.o += -I$(objtree)/usr/include
 HOSTCFLAGS_test-fsmount.o += -I$(objtree)/usr/include
 HOSTCFLAGS_test-statx.o += -I$(objtree)/usr/include
+HOSTCFLAGS_test-container.o += -I$(objtree)/usr/include
+HOSTLDLIBS_test-container += -lkeyutils
diff --git a/samples/vfs/test-container.c b/samples/vfs/test-container.c
new file mode 100644
index 000000000000..44ff57afb5a4
--- /dev/null
+++ b/samples/vfs/test-container.c
@@ -0,0 +1,279 @@
+/* Container test.
+ *
+ * Copyright (C) 2019 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/wait.h>
+#include <linux/mount.h>
+#include <linux/unistd.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <keyutils.h>
+
+/* Hope -1 isn't a syscall */
+#ifndef __NR_fsopen
+#define __NR_fsopen -1
+#endif
+#ifndef __NR_fsmount
+#define __NR_fsmount -1
+#endif
+#ifndef __NR_fsconfig
+#define __NR_fsconfig -1
+#endif
+#ifndef __NR_move_mount
+#define __NR_move_mount -1
+#endif
+
+
+#define E(x) do { if ((x) == -1) { perror(#x); exit(1); } } while(0)
+
+static void check_messages(int fd)
+{
+	char buf[4096];
+	int err, n;
+
+	err = errno;
+
+	for (;;) {
+		n = read(fd, buf, sizeof(buf));
+		if (n < 0)
+			break;
+		n -= 2;
+
+		switch (buf[0]) {
+		case 'e':
+			fprintf(stderr, "Error: %*.*s\n", n, n, buf + 2);
+			break;
+		case 'w':
+			fprintf(stderr, "Warning: %*.*s\n", n, n, buf + 2);
+			break;
+		case 'i':
+			fprintf(stderr, "Info: %*.*s\n", n, n, buf + 2);
+			break;
+		}
+	}
+
+	errno = err;
+}
+
+static __attribute__((noreturn))
+void mount_error(int fd, const char *s)
+{
+	check_messages(fd);
+	fprintf(stderr, "%s: %m\n", s);
+	exit(1);
+}
+
+#define CONTAINER_NEW_FS_NS		0x00000001 /* Dup current fs namespace */
+#define CONTAINER_NEW_EMPTY_FS_NS	0x00000002 /* Provide new empty fs namespace */
+#define CONTAINER_NEW_CGROUP_NS		0x00000004 /* Dup current cgroup namespace [priv] */
+#define CONTAINER_NEW_UTS_NS		0x00000008 /* Dup current uts namespace */
+#define CONTAINER_NEW_IPC_NS		0x00000010 /* Dup current ipc namespace */
+#define CONTAINER_NEW_USER_NS		0x00000020 /* Dup current user namespace */
+#define CONTAINER_NEW_PID_NS		0x00000040 /* Dup current pid namespace */
+#define CONTAINER_NEW_NET_NS		0x00000080 /* Dup current net namespace */
+#define CONTAINER_KILL_ON_CLOSE		0x00000100 /* Kill all member processes when fd closed */
+#define CONTAINER_FD_CLOEXEC		0x00000200 /* Close the fd on exec */
+#define CONTAINER__FLAG_MASK		0x000003ff
+
+static inline int fsopen(const char *fs_name, unsigned int flags)
+{
+	return syscall(__NR_fsopen, fs_name, flags);
+}
+
+static inline int fsconfig(int fsfd, unsigned int cmd,
+			   const char *key, const void *val, int aux)
+{
+	return syscall(__NR_fsconfig, fsfd, cmd, key, val, aux);
+}
+
+static inline int fsmount(int fsfd, unsigned int flags, unsigned int attr_flags)
+{
+	return syscall(__NR_fsmount, fsfd, flags, attr_flags);
+}
+
+static inline int move_mount(int from_dfd, const char *from_pathname,
+			     int to_dfd, const char *to_pathname,
+			     unsigned int flags)
+{
+	return syscall(__NR_move_mount,
+		       from_dfd, from_pathname,
+		       to_dfd, to_pathname, flags);
+}
+
+static inline int container_create(const char *name, unsigned int mask)
+{
+	return syscall(__NR_container_create, name, mask, 0, 0, 0);
+}
+
+static inline int fork_into_container(int containerfd)
+{
+	return syscall(__NR_fork_into_container, containerfd);
+}
+
+#define E_fsconfig(fd, cmd, key, val, aux)				\
+	do {								\
+		if (fsconfig(fd, cmd, key, val, aux) == -1)		\
+			mount_error(fd, key ?: "create");		\
+	} while (0)
+
+/*
+ * The container init process.
+ */
+static __attribute__((noreturn))
+void container_init(void)
+{
+	if (0) {
+		/* Do a bit of debugging on the container. */
+		struct dirent **dlist;
+		struct stat st;
+		char buf[4096];
+		int n, i;
+
+		printf("hello!\n");
+		n = scandir("/", &dlist, NULL, alphasort);
+		if (n == -1) {
+			perror("scandir");
+			exit(1);
+		}
+
+		for (i = 0; i < n; i++) {
+			struct dirent *p = dlist[i];
+
+			if (p)
+				printf("- %u %s\n", p->d_type, p->d_name);
+		}
+
+		n = readlink("/bin", buf, sizeof(buf) - 1);
+		if (n == -1) {
+			perror("readlink");
+			exit(1);
+		}
+
+		buf[n] = 0;
+		printf("/bin -> %s\n", buf);
+
+		if (stat("/lib64/ld-linux-x86-64.so.2", &st) == -1) {
+			perror("stat");
+			exit(1);
+		}
+
+		printf("mode %o\n", st.st_mode);
+	}
+
+	if (keyctl_join_session_keyring(NULL) == -1) {
+		perror("keyctl/join");
+		exit(1);
+	}
+
+	setenv("PS1", "container>", 1);
+	execl("/bin/bash", "bash", NULL);
+	perror("execl");
+	exit(1);
+}
+
+/*
+ * The container manager process.
+ */
+int main(int argc, char *argv[])
+{
+	pid_t pid;
+	int fsfd, mfd, cfd, ws;
+
+	if (argc != 2) {
+		fprintf(stderr, "Format: test-container <root-dev>\n");
+		exit(2);
+	}
+
+	cfd = container_create("foo-test",
+			       CONTAINER_NEW_EMPTY_FS_NS |
+			       //CONTAINER_NEW_UTS_NS |
+			       //CONTAINER_NEW_IPC_NS |
+			       //CONTAINER_NEW_USER_NS |
+			       CONTAINER_NEW_PID_NS |
+			       CONTAINER_KILL_ON_CLOSE |
+			       CONTAINER_FD_CLOEXEC);
+	if (cfd == -1) {
+		perror("container_create");
+		exit(1);
+	}
+
+	system("cat /proc/containers");
+
+	/* Open the filesystem that's going to form the container root. */
+	printf("Creating root...\n");
+	fsfd = fsopen("ext4", 0);
+	if (fsfd == -1) {
+		perror("fsopen/root");
+		exit(1);
+	}
+
+	E_fsconfig(fsfd, FSCONFIG_SET_CONTAINER, NULL, NULL, cfd);
+	E_fsconfig(fsfd, FSCONFIG_SET_STRING, "source", argv[1], 0);
+	E_fsconfig(fsfd, FSCONFIG_SET_FLAG, "user_xattr", NULL, 0);
+	E_fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
+
+	/* Mount the container root */
+	printf("Mounting root...\n");
+	mfd = fsmount(fsfd, 0, 0);
+	if (mfd < 0)
+		mount_error(fsfd, "fsmount/root");
+
+	if (move_mount(mfd, "", cfd, "/",
+		       MOVE_MOUNT_F_EMPTY_PATH | MOVE_MOUNT_T_CONTAINER_ROOT) < 0) {
+		perror("move_mount/root");
+		exit(1);
+	}
+	E(close(fsfd));
+	E(close(mfd));
+
+	/* Mount procfs within the container */
+	printf("Creating procfs...\n");
+	fsfd = fsopen("proc", 0);
+	if (fsfd == -1) {
+		perror("fsopen/proc");
+		exit(1);
+	}
+
+	E_fsconfig(fsfd, FSCONFIG_SET_CONTAINER, NULL, NULL, cfd);
+	E_fsconfig(fsfd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
+
+	printf("Mounting procfs...\n");
+	mfd = fsmount(fsfd, 0, 0);
+	if (mfd < 0)
+		mount_error(fsfd, "fsmount/proc");
+	if (move_mount(mfd, "", cfd, "proc", MOVE_MOUNT_F_EMPTY_PATH) < 0) {
+		perror("move_mount/proc");
+		exit(1);
+	}
+	E(close(fsfd));
+	E(close(mfd));
+
+	/* Start the 'init' process. */
+	printf("Forking...\n");
+	switch ((pid = fork_into_container(cfd))) {
+	case -1:
+		perror("fork_into_container");
+		exit(1);
+	case 0:
+		close(cfd);
+		container_init();
+	default:
+		if (waitpid(pid, &ws, 0) < 0) {
+			perror("waitpid");
+			exit(1);
+		}
+	}
+	E(close(cfd));
+	exit(0);
+}



More information about the Linux-security-module-archive mailing list