Skip to content

Commit

Permalink
reduce client capabilities to minimum
Browse files Browse the repository at this point in the history
  • Loading branch information
DrDaveD committed Dec 13, 2024
1 parent df5ddbd commit fc1614a
Show file tree
Hide file tree
Showing 22 changed files with 381 additions and 138 deletions.
15 changes: 11 additions & 4 deletions cvmfs/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ if (BUILD_CVMFS OR BUILD_LIBCVMFS)
cache_stream.cc
cache_tiered.cc
cache_transport.cc
capabilities.cc
catalog.cc
catalog_counters.cc
catalog_mgr_client.cc
Expand Down Expand Up @@ -167,16 +168,16 @@ if (BUILD_CVMFS)
#
add_executable (cvmfs2
fuse_main.cc
capabilities.cc
util/exception.cc
util/logging.cc
util/posix.cc
util/string.cc
)
set_target_properties (cvmfs2 PROPERTIES
COMPILE_FLAGS "-DCVMFS_NAMESPACE_GUARD=stub -DCVMFS_FUSE_MODULE"
LINK_FLAGS "-ldl"
)
target_link_libraries(cvmfs2 pthread dl)
target_link_libraries(cvmfs2 pthread dl ${CAP_LIBRARIES})

#
# /usr/lib/libcvmfs_fuse_stub[3]
Expand All @@ -185,6 +186,7 @@ if (BUILD_CVMFS)
# libcvmfs-fuse.
#
set (CVMFS_STUB_SOURCES
capabilities.cc
globals.cc
loader.cc
loader_talk.cc
Expand Down Expand Up @@ -446,6 +448,7 @@ if (BUILD_LIBCVMFS_CACHE)
cache_plugin/libcvmfs_cache_options.cc
cache_plugin/channel.cc
cache_transport.cc
capabilities.cc
monitor.cc
options.cc
sanitizer.cc
Expand Down Expand Up @@ -474,6 +477,7 @@ if (BUILD_LIBCVMFS_CACHE)
target_link_libraries(cvmfs_cache
PUBLIC cvmfs_crypto
cvmfs_util
${CAP_LIBRARIES}
PRIVATE ${PROTOBUF_LITE_LIBRARY}
)

Expand All @@ -483,6 +487,7 @@ if (BUILD_LIBCVMFS_CACHE)
add_executable (cvmfs_cache_null cache_plugin/cvmfs_cache_null.cc)
target_link_libraries (cvmfs_cache_null
cvmfs_cache
${CAP_LIBRARIES}
${RT_LIBRARY}
pthread
)
Expand Down Expand Up @@ -573,6 +578,7 @@ if (BUILD_SERVER)
#
set (CVMFS_SWISSKNIFE_SOURCES
backoff.cc
capabilities.cc
catalog.cc
catalog_counters.cc
catalog_mgr_ro.cc
Expand Down Expand Up @@ -640,7 +646,6 @@ if (BUILD_SERVER)
supervisor.cc
swissknife.cc
swissknife_assistant.cc
swissknife_capabilities.cc
swissknife_check.cc
swissknife_gc.cc
swissknife_graft.cc
Expand Down Expand Up @@ -1013,6 +1018,7 @@ if(BUILD_RECEIVER)
receiver/receiver.cc
receiver/session_token.cc
backoff.cc
capabilities.cc
catalog.cc
catalog_rw.cc
catalog_counters.cc
Expand Down Expand Up @@ -1085,6 +1091,7 @@ if(BUILD_RECEIVER)
${OPENSSL_LIBRARIES}
${ZLIB_LIBRARIES}
${RT_LIBRARY}
${CAP_LIBRARIES}
${LibArchive_LIBRARY}
pthread
dl
Expand Down Expand Up @@ -1136,7 +1143,6 @@ if (BUILD_SHRINKWRAP)
endif ()

add_executable (cvmfs_shrinkwrap
monitor.cc
shrinkwrap/fs_traversal.cc
shrinkwrap/fs_traversal_libcvmfs.cc
shrinkwrap/posix/data_dir_mgmt.cc
Expand All @@ -1156,6 +1162,7 @@ if (BUILD_SHRINKWRAP)
cvmfs_client
cvmfs_crypto
cvmfs_util
${CAP_LIBRARIES}
pthread
dl
)
Expand Down
68 changes: 43 additions & 25 deletions cvmfs/auto_umount.cc
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
#include <string>
#include <vector>

#include "capabilities.h"
#include "util/logging.h"
#include "util/platform.h"
#include "util/posix.h"
Expand All @@ -35,21 +36,28 @@ void SetMountpoint(const string &mountpoint) {
}


void UmountOnCrash() {
void UmountOnExit(const bool crashed) {
const char *cleanuptype = "exit";
if (crashed)
cleanuptype = "crash";

if (!mountpoint_) {
LogCvmfs(kLogCvmfs, kLogSyslogErr, "crash cleanup handler: no mountpoint");
LogCvmfs(kLogCvmfs, kLogSyslogErr,
"%s cleanup handler: no mountpoint", cleanuptype);
return;
}

std::vector<std::string> all_mountpoints = platform_mountlist();
if (all_mountpoints.empty()) {
LogCvmfs(kLogCvmfs, kLogSyslogErr, "crash cleanup handler: "
"failed to read mount point list");
LogCvmfs(kLogCvmfs, kLogSyslogErr, "%s cleanup handler: "
"failed to read mount point list", cleanuptype);
return;
}

// Mitigate auto-mount - crash - umount - auto-mount loops
SafeSleepMs(2000);
if (crashed) {
// Mitigate auto-mount - crash - umount - auto-mount loops
SafeSleepMs(2000);
}

// Check if *mountpoint_ is still mounted
// (we don't want to trigger a mount by immediately doing stat *mountpoint_)
Expand All @@ -61,42 +69,52 @@ void UmountOnCrash() {
}
}
if (!still_mounted) {
LogCvmfs(kLogCvmfs, kLogSyslog, "crash cleanup handler: %s not mounted",
mountpoint_->c_str());
int logtype = kLogDebug;
if (crashed)
logtype = kLogSyslog;
LogCvmfs(kLogCvmfs, logtype, "%s cleanup handler: %s not mounted",
cleanuptype, mountpoint_->c_str());
return;
}

// stat() might be served from caches. Opendir ensures fuse module is called.
int expected_error;
if (crashed) {
// stat() might be served from caches. Opendir ensures fuse module is called.
int expected_error;
#ifdef __APPLE__
expected_error = ENXIO;
expected_error = ENXIO;
#else
expected_error = ENOTCONN;
expected_error = ENOTCONN;
#endif
DIR *dirp = opendir(mountpoint_->c_str());
if (dirp || (errno != expected_error)) {
if (dirp) closedir(dirp);
LogCvmfs(kLogCvmfs, kLogSyslog, "crash cleanup handler: "
"%s seems not to be stalled (%d)", mountpoint_->c_str(), errno);
return;
DIR *dirp = opendir(mountpoint_->c_str());
if (dirp || (errno != expected_error)) {
if (dirp) closedir(dirp);
LogCvmfs(kLogCvmfs, kLogSyslog, "crash cleanup handler: "
"%s seems not to be stalled (%d)", mountpoint_->c_str(), errno);
return;
}
}

// sudo umount -l *mountpoint_
if (!SwitchCredentials(0, getegid(), true)) {
LogCvmfs(kLogCvmfs, kLogSyslogErr, "crash cleanup handler: "
"failed to re-gain root privileges");
if (!ObtainSysAdminCapability()) {
LogCvmfs(kLogCvmfs, kLogSyslogErr, "%s cleanup handler: "
"failed to re-gain sys_admin capability", cleanuptype);
return;
}
const bool lazy = true;
bool retval = platform_umount(mountpoint_->c_str(), lazy);
if (!retval) {
LogCvmfs(kLogCvmfs, kLogSyslogErr, "crash cleanup handler: "
"failed to unmount %s", mountpoint_->c_str());
LogCvmfs(kLogCvmfs, kLogSyslogErr, "%s cleanup handler: "
"failed to unmount %s", mountpoint_->c_str(), cleanuptype);
return;
}

LogCvmfs(kLogCvmfs, kLogSyslog, "crash cleanup handler unmounted stalled %s",
mountpoint_->c_str());
if (crashed) {
LogCvmfs(kLogCvmfs, kLogSyslog,
"crash cleanup handler unmounted stalled %s", mountpoint_->c_str());
} else {
LogCvmfs(kLogCvmfs, kLogSyslog,
"exit cleanup handler unmounted %s", mountpoint_->c_str());
}
}

} // namespace auto_umount
2 changes: 1 addition & 1 deletion cvmfs/auto_umount.h
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
namespace auto_umount {

void SetMountpoint(const std::string &mountpoint);
void UmountOnCrash();
void UmountOnExit(const bool crashed);

} // namespace auto_umount

Expand Down
Loading

0 comments on commit fc1614a

Please sign in to comment.