Commit Graph

95 Commits

Author SHA1 Message Date
liujianqiang 19830d2eaa feat: bump version to 1.2.6-1
1. adjust wait pid strategy.
2. print pidns in log.
3. configure uid/gid mapping after clone.
4. remove CLONE_FS flag when cloning NonePrivilegeProc.
5. wrong /dev/ptmx link.

Log:
Change-Id: Ic73eee817eb856baaa1d9ab9e4796ca6127b67ec
2022-03-22 13:43:48 +08:00
black-desk 12a6002703 fix: wrong /dev/ptmx link
* Swap from and to when making symlink
* Add path to the rootfs of container as prefix

Change-Id: I9dcbd3952148a5b5994828b4da32853f6cb5b812
2022-03-22 09:43:26 +08:00
black-desk 22f6e94676 fix: remove CLONE_FS flag when cloning NonePrivilegeProc
* CLONE_FS cannot be used with CLONE_NEWUSER, which causes an EINVAL

  refer: man 2 clone
  > For security reasons, CLONE_NEWUSER cannot be specified in
  > conjunction with CLONE_FS.

Change-Id: I4b2463ad799d7c3c37d346824edca37918056cfb
2022-03-17 20:21:44 +08:00
black-desk f343b5159d refactor: configure uid/gid mapping after clone
* Move the uid(gid) mapping configure logic into cloned process
* Avoid using semaphore
* Improve log of wait helper functions.

Change-Id: Ifb0ca77df62c07dc7513698be8895dfa52e1a443
2022-03-17 09:43:57 +08:00
black-desk b8822dc890 feat: print pidns in log
As we may create doubly nested pid namespaces, there might be two ll-boxes
  that both think their pid=1. So when printing logs, we have to print the pid
  namespace they are in as well as their pids.

Change-Id: Ie5716bd902f16c82fe315ed7faaabc50d0f48c7e
2022-03-17 09:43:57 +08:00
black-desk bf8c9ded08 fix: adjust wait pid strategy
- ll-box 1
    - ll-box 2
      - ll-box 3
        - app

  If the app daemonizes itself, it will be adopted by the init process of
  its pid namespace. For now, this init process may be ll-box 2 or ll-box
  3, so we have to wait -1 in ll-box 2 in case we do not create a new pid
  namespace when creating ll-box 3 by clone.

Change-Id: I32548d5427a7598a806187259323653055e0603f
2022-03-15 16:35:18 +08:00
liujianqiang 63d1b59ed1 feat: bump version to 1.2.5-1
1. rename json fields.
2. close leaked fds.
3. remove forced CLONE_NEWPID flag for second clone.
4. add waitpid helper.
5. add support for dbus proxy.
6. remove unused code.

Log:
Change-Id: Ie23cb1f7d2db3355752bb6b7a5f3bb570531a1cf
2022-03-15 10:08:31 +08:00
black-desk d9ec9bbe91 fix: remove unused code
* Partly revert 4d40bce034

  Note: not sure why this unused code makes the third-level ll-box
        terminate, but the second-level ll-box does not exit.

Change-Id: I9ca5b72f1c8ed7ec0f25214a7972ca6f375806f7
2022-03-14 16:52:40 +08:00
black-desk 4d40bce034 feat: add support for dbus proxy
* Add support for dbus proxy

Change-Id: I1a20a042109394f549d9cb1e0b46b672009b335c
2022-03-14 13:09:05 +08:00
black-desk 54ca53e17c feat: add waitpid helper
* Add Wait helper function to wait for child to exit and print its
    exit status

Change-Id: I742c7ee29b9bdb48e404755e14a893f5bf48794c
2022-03-14 13:09:05 +08:00
black-desk 68c0aa9c9f fix: remove forced CLONE_NEWPID flag for second clone
this flag leads to a mismatched /proc mount between pidns

Change-Id: I4fa0ebd0c5e7ccfa28de265be226065c072e95d7
2022-03-11 16:05:46 +08:00
black-desk f9568f2aa0 fix: close leaked fds
* Close fds which are used to do mount

Change-Id: I4c2088a0eb136c10f575fde04ac61357fa3f3317
2022-03-10 11:17:57 +08:00
black-desk 3ec092e869 style: rename json fields
* add new macros to handle json convert
* container_root_path -> containerRootPath
* lower_parent -> lowerParent

Change-Id: I18ea8ab7a6a84d374e3479096520f4774e391076
2022-03-09 16:09:16 +08:00
black-desk 5ba8cff2f6 feat: bump version to 1.2.4-1
1. avoid c_str() of destroyed string.

Log:
Change-Id: I8ab3b7818d910d41c1c51ab41a0ba04fb0242e7e
2022-03-08 17:23:53 +08:00
black-desk b8fcef5bc7 fix: avoid c_str() of destroyed string
* Add a debug message for container root
* Avoid using c_str() of destroyed string rvalue

Change-Id: I9df1c7b13cc0a5b9b105b849227817367d822b9f
2022-03-08 17:11:48 +08:00
liujianqiang ead0494155 feat: bump version to 1.2.3-1
1. make fuse-overlayfs default.
2. fix update error info.
3. fix do mount by proc fd.

Log:
Change-Id: I6214741f0ef85ec9ad7fa600e764e582902a3af0
2022-03-08 13:30:01 +08:00
black-desk 6235157007 fix: do mount by proc fd
Fix: CVE-2021-30465

https://github.com/advisories/GHSA-c3xm-pvg7-gh7r

Change-Id: I147f190997d9736c6786e3163e71926f4c152de3
2022-03-08 11:22:32 +08:00
black-desk 0fe3062018 fix: update error info
Update an error info, make it more readable.

Change-Id: I441a97d24aaf996571992a2beace23da96607408
2022-03-03 09:51:16 +08:00
black-desk a80ee2b593 fix: make fuse-overlayfs default
This partly reverts commit 6f3a445a1f.
Make fuse-overlayfs default again.

Change-Id: I409d38b86be820df284858aefb9f1fbc6ee9a53d
2022-02-28 13:55:49 +08:00
liujianqiang 9910a0d7fc feat: bump version to 1.2.2-1
1. fix read/write /dev/null failed.
2. add log filter.
3. fix mount mqueue and cgroup in rootless mode.
4. fix make mountnode const again.
5. fix make ro bind work.

Log:
Change-Id: I6633a5d5c3a6aeb123dcba19db95a8687f80f3f6
2022-02-17 14:21:29 +08:00
black-desk c52f736cf9 fix: make ro bind work
* Do remount when `data` not empty or unique mount options are set
* Clean up some arguments ignored by kernel
* Merge `praseMountOptions` to `from_json` of `Mount`
* Rename field `options` of `Mount` to `data`
* Add some comments

Change-Id: Ie6575b6df6f259b2ee1a3c40cd68383dea00fe60
2022-02-16 18:05:59 +08:00
black-desk c1ccf74650 fix: make MountNode const again
* Add mutable to sys_is_binded
* Make MountNode const again

Change-Id: Ib0c828169ad50945517f14d031305abe37f3f128
2022-02-16 17:26:26 +08:00
black-desk 8836b6a14d fix: proper way to mount mqueue and cgroup in rootless mode
* Bind mount /dev/mqueue when failing to mount a new one.
* Do not report cgroup mount fail if sysfs is bind-mounted.
* Remove ignored arguments when doing a bind mount of sysfs.

refers:
  * 466b8991c4/pkg/specgen/generate/oci.go (L206-L223)
  * https://github.com/containers/crun/pull/870

Change-Id: I309fe32a835c086d7b469e90e19017023e4e9625
2022-02-15 16:05:35 +08:00
black-desk 8891c71835 feat: log filter
* filter log message according to environment "LINGLONG_LOG_LEVEL"
* move some inline methods in header to .cpp
* make fatal level crash

Change-Id: Icf1d5bd213888d9a4a3f26a1b92fda510e266853
2022-02-11 14:01:00 +08:00
Iceyer 4e82558487 fix: read/write /dev/null failed
mount device failed with options, split flag and data from options as
parseMountOptions in libcontainer.

ref to c83abc503d/libcontainer/specconv/spec_linux.go (L956-L1006)

Change-Id: Ie2cd8ca8b7df144a2bea8b6fb80167a223297672
2022-01-26 18:03:02 +08:00
liujianqiang a5359e707e feat: bump version to 1.2.1-1
1. fuse proxy support
2. fix construct string with nullptr cause crash
3. fallback to bind when sysfs mount failed
4. root mount for ll-fuse-proxy

Log:
Change-Id: Id0b97028ae5192eab57a286fb6b1a3ed0b541485
2022-01-24 09:30:43 +08:00
black-desk 6f3a445a1f fix: add root mount for ll-fuse-proxy
add a mount for root directory

Log:
Change-Id: I80f1614a57a3b4e5b46e05bd197f330f1d0d2ad0
2022-01-21 17:17:01 +08:00
black-desk dcb8ec1c49 fix: fallback to bind when sysfs mount failed
fallback to bind when sysfs mount failed as crun

Log:
Change-Id: Ibaab4def2c6345765a715d7aff848c9be2cee8d0
2022-01-21 17:15:59 +08:00
black-desk d5b8fae1e5 fix: construct string with nullptr cause crash
std::string(nullptr) would call the std::string(const char *s) constructor, which causes a crash.

Log:
Change-Id: I0a461fc983c0ce538c7413ce078eb7c5fc29226a
2022-01-20 09:50:20 +08:00
Iceyer b6e25bf7c5 feat: add fuse proxy support
default is fuse proxy backend, use LL_BOX_FS_BACKEND=overlayfs to use
fuse-overlayfs.

Log:
Change-Id: I8fbbfc70a0ce1f8443e9ab40b6d4d22eabd4c908
2022-01-20 09:50:20 +08:00
liujianqiang 2d8663e8f4 feat: bump version to 1.2.0-1
mount add a MS_REC flag

Log:
Change-Id: I990d32e64333e22a0249a0c6988d47fd3fc86fab
2022-01-14 10:54:03 +08:00
black-desk 324715affd fix: Temporary fix for recursively mounting issue
Add a MS_REC flag

Log:
Change-Id: Ib01e2f51ba8fc45f3eea8179b18c9181b6c3faa2
2022-01-12 14:38:45 +08:00
Iceyer 0f42a2a85b
feat: bump version to 1.0.1
Release 1.0.1

Log: support rootless sandbox and fuse filesystem
Change-Id: I2c56a61073c4fabe1076c32074e2823c698e35f3
2021-12-29 17:57:56 +08:00
liujianqiang a4fba04834 fix: remove suid permission from ll-box
Remove the suid permission from ll-box to avoid causing a system crash

Log:
Change-Id: I674a407c1f6c15a4240eefea26e6e2a9652a841b
2021-12-24 08:30:18 +08:00
Iceyer 5fb76fb206 fix: search caller path when exec real elf
Set PATH to caller and use execvpe to load elf

Log:
Change-Id: Ib4024907e937f72915112b9436b464f632a20e4e
2021-12-22 17:32:43 +08:00
Iceyer 487b9f2199
feat: support rootless mode and rootfs
Support rootfs with overlayfs/native mode. Using annotations to store
rootfs information.

Support rootless mode, remove setuid by default.

Log: support rootless mode.

Change-Id: Idd7ef1cb57a8495ab691d540df03ccdfd86b279f
2021-12-22 11:40:08 +08:00
Iceyer 6a09f9cd7d fix: remove build warning
remove format-security warning and remove unused exception

Log:
Change-Id: If743b66f3fbb9fb50afad96f56b5deb7a6df8399
2021-11-18 14:32:19 +08:00
Iceyer 3ac63255b8
fix: temp mount i386 lib to /usr/lib
the mesa dri will search /usr/lib/i386-linux-gnu for driver

Log:
Change-Id: Ie103f60ef81b788ab4763d99fcf3e98af4baff9d
2021-11-18 14:23:08 +08:00
Iceyer fb48e6ba18
fix: mount bundle files failed
missing / when bind bundle files

Log:
Change-Id: I97ba8bb445718391371b469dc03fe5bda433e5a6
2021-11-16 16:46:28 +08:00
chenhuixing 8d3ee83d5c fix: Add compilation dependencies
Add dependencies to debian control.

Log:
Change-Id: Ib6c2faf31cc4d4c1e58a94a398d1bc12cc6ace37
2021-11-15 21:52:52 +08:00
Iceyer 548d436bd8
feat: support workaround load rootless bundle
usage:

ll-box appid temp_app_root_path exec_path_in_container

for example:

ll-box cn.wps.wps-office \
  /tmp/uap-iYqDHF/ \
  /opt/apps/cn.wps.wps-office/files/bin/wps

Log:
Change-Id: I06a0fb485fb09b9e2267611b2f66feaa2f8787a9
2021-11-15 21:48:42 +08:00
Iceyer fdf6637d1b fix: build failed with format checking
it seems a mistaken check of froware sprintf args check, disable now.

Log:
Change-Id: I0a18c6bdd62b6fb0637793d1d46df655c7bfa2b2
2021-11-15 21:47:40 +08:00
chenhuixing f514ff2611 feat: Add debian directory
Add debian directory and rules for packaging.

Log:
Change-Id: I33b0dfb81ea101489fdbe8681ff25508cd3dc635
2021-11-15 20:22:16 +08:00
Iceyer 93bcf23e6c
feat: add support for rootless mode and setuid mode
Change-Id: I8d7f78063c2b674dcdd3a33706072c992f4a28f4
2021-11-15 16:17:52 +08:00
gerritadmin eabf51bcd5 'Init commit' 2021-11-01 09:47:44 +08:00