From 4191ef4ce4da9d458950a59542b973b700d57d81 Mon Sep 17 00:00:00 2001
From: lhchavez
Date: Mon, 13 Feb 2023 02:57:29 +0100
Subject: [PATCH] Avoid `pidfd_open` altogether without sandboxing (#43)

This is causing problems for M1 chips, so let's skip it.
---
 src/jail/child_init.rs | 12 ++++++-----
 src/jail/parent.rs | 48 +++++++++++++++++++++++-------------------
 2 files changed, 33 insertions(+), 27 deletions(-)

diff --git a/src/jail/child_init.rs b/src/jail/child_init.rs
index 77d9a6a..bc3b325 100644
--- a/src/jail/child_init.rs
+++ b/src/jail/child_init.rs
@@ -91,11 +91,13 @@ pub(crate) fn run(mut parent_jail_sock: UnixStream, opts: JailOptions) -> Result
 {
 write_message(&mut parent_jail_sock, SetupCgroupRequest {})
 .context("write setup cgroup request")?;
- let child_pidfd =
- pidfd_open(child, 0).with_context(|| anyhow!("pidfd_open({})", child))?;
- parent_jail_sock
- .send_file(child_pidfd)
- .context("send child pidfd")?;
+ if !opts.disable_sandboxing {
+ let child_pidfd =
+ pidfd_open(child, 0).with_context(|| anyhow!("pidfd_open({})", child))?;
+ parent_jail_sock
+ .send_file(child_pidfd)
+ .context("send child pidfd")?;
+ }
 read_message::(&mut parent_jail_sock)
 .context("read setup cgroup response")?;
 }
diff --git a/src/jail/parent.rs b/src/jail/parent.rs
index 7e2092c..c6b1b0c 100644
--- a/src/jail/parent.rs
+++ b/src/jail/parent.rs
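Review bot: The new `if !opts.disable_sandboxing` guard around `send_file(child_pidfd)` is only correct while the parent skips its matching `recv_file()` under exactly the same flag, and nothing on the wire carries that decision — `SetupCgroupRequest {}` is still sent empty, so each side trusts its own copy of the option. If the child's `opts` and the parent's `jail_options` ever disagree, the parent either blocks indefinitely waiting for a descriptor that never comes, or the pidfd presumably arrives as an unread SCM_RIGHTS attachment on a later `read_message` and a handle to the jailed process is left dangling in the parent. Consider making the optional fd explicit in the request, `write_message(&mut parent_jail_sock, SetupCgroupRequest { has_pidfd: !opts.disable_sandboxing })`, and have the parent branch on that field rather than on its own flag; at minimum add `// Must stay in lockstep with the recv_file() guard in parent::setup_child.` above the `if`. The enclosing function `run` starts before this hunk.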
@@ -25,31 +25,35 @@ pub(crate) fn setup_child(
 write_message(parent_sock, ParentSetupDoneEvent {}).context("write parent setup done event")?;
 read_message::(parent_sock).context("wait for setup cgroup request")?;
- let pidfd = parent_sock.recv_file().context("receive seccomp pidfd")?;
- let cgroups = match (&jail_options.cgroup_path, jail_options.disable_sandboxing) {
- (Some(cgroup_path_root), false) => {
- let pid = get_pid_from_pidfd(&pidfd).context("get jailed pid")?;
- let cgroup_path = cgroup_path_root.join(&jail_options.seccomp_profile_name);
- let cgroup = CGroup::new(
- if CGroup::is_cgroup_v2() { "" } else { "memory" },
- &cgroup_path,
- )
- .with_context(|| anyhow!("create cgroup {:?}", &cgroup_path))?;
- cgroup
- .add_pid(pid)
- .with_context(|| anyhow!("add {} to cgroup", pid))?;
- if jail_options.use_cgroups_for_memory_limit {
- if let Some(memory_limit) = jail_options.memory_limit {
- cgroup.set_memory_limit(memory_limit).with_context(|| {
- anyhow!("set pid {}'s memory limit to {}", pid, memory_limit)
- })?;
+ let cgroups = if !jail_options.disable_sandboxing {
+ let pidfd = parent_sock.recv_file().context("receive seccomp pidfd")?;
+ match &jail_options.cgroup_path {
+ Some(cgroup_path_root) => {
+ let pid = get_pid_from_pidfd(&pidfd).context("get jailed pid")?;
+ let cgroup_path = cgroup_path_root.join(&jail_options.seccomp_profile_name);
+ let cgroup = CGroup::new(
+ if CGroup::is_cgroup_v2() { "" } else { "memory" },
+ &cgroup_path,
+ )
+ .with_context(|| anyhow!("create cgroup {:?}", &cgroup_path))?;
+ cgroup
+ .add_pid(pid)
+ .with_context(|| anyhow!("add {} to cgroup", pid))?;
+ if jail_options.use_cgroups_for_memory_limit {
+ if let Some(memory_limit) = jail_options.memory_limit {
+ cgroup.set_memory_limit(memory_limit).with_context(|| {
+ anyhow!("set pid {}'s memory limit to {}", pid, memory_limit)
+ })?;
+ }
 }
+ vec![cgroup]
+ }
+ None => {
+ vec![]
 }
- vec![cgroup]
- }
- (None, _) | (_, true) => {
- vec![]
 }
+ } else {
+ vec![]
 };
write_message(parent_sock, SetupCgroupResponse {}).context("write setup cgroup response")?;