//===----------------------------------------------------------------------===//
// Copyright © 2025-2026 Apple Inc. and the Containerization project authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//===----------------------------------------------------------------------===//
import ArgumentParser
import ContainerizationOCI
import ContainerizationOS
import FoundationEssentials
import LCShim
import Logging
import Musl
import SystemPackage
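struct ExecCommand: ParsableCommand {
    static let configuration = CommandConfiguration(
        commandName: "exec",
        abstract: "Exec in a container"
    )

    /// Path to a JSON-encoded OCI runtime spec `process` object describing what to exec.
    @Option(name: .long, help: "path to an OCI runtime spec process configuration")
    var processPath: String

    /// Pid of the container's init process; its namespaces are the ones we join.
    @Option(name: .long, help: "pid of the init process for the container")
    var parentPid: Int

    /// Loads the process spec from `processPath` and execs it inside the
    /// namespaces of `parentPid`.
    ///
    /// Every error is reported through `App.writeError` before being rethrown,
    /// so the supervising process learns about failures in either the parent
    /// or the forked child (a throw from the child also ends up here).
    func run() throws {
        do {
            let src = URL(fileURLWithPath: processPath)
            let processBytes = try Data(contentsOf: src)
            let process = try JSONDecoder().decode(
                ContainerizationOCI.Process.self,
                from: processBytes
            )
            try execInNamespaces(process: process)
        } catch {
            App.writeError(error)
            throw error
        }
    }

    /// Joins the namespaces selected by `nsType` of the process referenced by `pidFd`.
    /// - Parameters:
    ///   - pidFd: A pidfd for the target process.
    ///   - nsType: A bitmask of `CLONE_NEW*` flags accepted by `setns(2)`.
    /// - Throws: `App.Errno` when `setns` fails.
    static func enterNS(pidFd: Int32, nsType: Int32) throws {
        guard setns(pidFd, nsType) == 0 else {
            throw App.Errno(stage: "setns(fd)")
        }
    }

    /// Reads one acknowledgement token from `pipe` and checks that it equals `expected`.
    ///
    /// The buffer is sized to the expected token, so a single read yields either the
    /// token itself or a shorter string that is rejected by the comparison.
    /// - Throws: `App.Failure` when nothing could be read or the token does not match.
    private static func awaitAck(_ expected: String, from pipe: FileDescriptor) throws {
        var buffer = [UInt8](repeating: 0, count: expected.count)
        let bytesRead = try buffer.withUnsafeMutableBytes { raw in
            try pipe.read(into: raw)
        }
        guard bytesRead > 0 else {
            throw App.Failure(message: "read ack pipe")
        }
        let received = String(decoding: buffer[..<bytesRead], as: UTF8.self)
        guard received == expected else {
            throw App.Failure(message: "received invalid acknowledgement string: \(received)")
        }
    }

    /// Enters the container's namespaces, forks, and lets the child exec `process`
    /// while the parent reports the child's pid to the supervisor.
    ///
    /// Descriptors 3 and 4 are inherited from the supervising process: 3 carries
    /// data up (child pid, then the pty master when a terminal is requested),
    /// 4 carries acknowledgement tokens back down.
    /// - Throws: `App.Errno` for failing syscalls, `App.Failure` for protocol errors.
    private func execInNamespaces(process: ContainerizationOCI.Process) throws {
        let syncPipe = FileDescriptor(rawValue: 3)
        let ackPipe = FileDescriptor(rawValue: 4)

        // Reject pids that do not fit a pid_t instead of trapping on the conversion.
        guard let targetPid = Int32(exactly: parentPid) else {
            throw App.Failure(message: "invalid parent pid: \(parentPid)")
        }
        let pidFd = CZ_pidfd_open(targetPid, 0)
        // pidfd_open reports failure as -1; 0 is an unlikely but valid descriptor.
        guard pidFd >= 0 else {
            throw App.Errno(stage: "pidfd_open(\(parentPid))")
        }
        // setns does not keep the pidfd, so release it on every exit path rather
        // than leaving it open in the parent (and in the child until close-on-exec
        // is applied below).
        defer { _ = close(pidFd) }

        try Self.enterNS(
            pidFd: pidFd,
            nsType: CLONE_NEWCGROUP | CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWNS
        )

        // Joining a pid namespace only affects children of the caller, hence the fork.
        let processID = fork()
        guard processID != -1 else {
            try? syncPipe.close()
            try? ackPipe.close()
            throw App.Errno(stage: "fork")
        }

        if processID == 0 {
            try execChild(process: process, syncPipe: syncPipe, ackPipe: ackPipe)
        } else {
            // Parent: send the child's pid to the supervisor before we exit.
            var childPid = processID
            try withUnsafeBytes(of: &childPid) { bytes in
                _ = try syncPipe.write(bytes)
            }
        }
    }

    /// Body of the forked child: completes the pid/console handshake with the
    /// supervisor, drops privileges in the required order and replaces the
    /// process image. Returns only by throwing.
    /// - Parameters:
    ///   - process: The OCI process spec to exec.
    ///   - syncPipe: Upward channel to the supervisor (pty master is written here).
    ///   - ackPipe: Downward channel carrying the supervisor's acknowledgements.
    private func execChild(
        process: ContainerizationOCI.Process,
        syncPipe: FileDescriptor,
        ackPipe: FileDescriptor
    ) throws {
        // Wait for the grandparent to tell us that they acked our pid.
        try Self.awaitAck(App.ackPid, from: ackPipe)

        guard setsid() != -1 else {
            throw App.Errno(stage: "setsid()")
        }

        if process.terminal {
            let pty = try Console()
            try pty.configureStdIO()
            // Hand the master side up and wait for the ack before claiming the
            // slave as our controlling terminal.
            var masterFD = pty.master
            try withUnsafeBytes(of: &masterFD) { bytes in
                _ = try syncPipe.write(bytes)
            }
            // Wait for the grandparent to tell us that they acked our console.
            try Self.awaitAck(App.ackConsole, from: ackPipe)
            guard ioctl(0, UInt(TIOCSCTTY), 0) != -1 else {
                throw App.Errno(stage: "setctty(0)")
            }
            try pty.close()
        }

        // Apply O_CLOEXEC to all file descriptors except stdio, so that any fd
        // we inherited (pipes, pidfd, pty master) is closed on exec and stays
        // out of the container process.
        try App.applyCloseExecOnFDs()
        try App.setRLimits(rlimits: process.rlimits)

        // Ordering matters here: capabilities are prepared while still privileged,
        // stdio ownership and uid/gid/groups are switched, the capability set is
        // finalised for the new user, and no_new_privs goes last (after the
        // user/capability changes), immediately before exec.
        let preparedCaps = try App.prepareCapabilities(
            capabilities: process.capabilities ?? ContainerizationOCI.LinuxCapabilities()
        )
        try App.fixStdioPerms(user: process.user)
        try App.setPermissions(user: process.user)
        try App.finishCapabilities(preparedCaps)
        if process.noNewPrivileges {
            try App.setNoNewPrivs()
        }

        try App.exec(process: process, currentEnv: process.env)
    }
}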