diff options
| author | Lennart Poettering <lennart@poettering.net> | 2010-06-21 23:27:18 +0200 | 
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2010-06-21 23:27:18 +0200 | 
| commit | 8c6db8336536916d0476ff8233e0abf40a2f6aab (patch) | |
| tree | 66ea4c87f407d9ed24eed9539cf9a5275045add2 /src | |
| parent | 96551bae6107936a4576b9b4b391abbc9963bdfe (diff) | |
pam: implement systemd PAM module and generelize cgroup API for that a bit
Diffstat (limited to 'src')
| -rw-r--r-- | src/cgroup-util.c | 694 | ||||
| -rw-r--r-- | src/cgroup-util.h | 54 | ||||
| -rw-r--r-- | src/cgroup.c | 318 | ||||
| -rw-r--r-- | src/cgroup.h | 9 | ||||
| -rw-r--r-- | src/manager.c | 4 | ||||
| -rw-r--r-- | src/pam-module.c | 466 | ||||
| -rw-r--r-- | src/test-cgroup.c | 84 | ||||
| -rw-r--r-- | src/util.c | 169 | ||||
| -rw-r--r-- | src/util.h | 8 | ||||
| -rw-r--r-- | src/utmp-wtmp.c | 6 | 
10 files changed, 1522 insertions, 290 deletions
| diff --git a/src/cgroup-util.c b/src/cgroup-util.c new file mode 100644 index 0000000000..9337817b6b --- /dev/null +++ b/src/cgroup-util.c @@ -0,0 +1,694 @@ +/*-*- Mode: C; c-basic-offset: 8 -*-*/ + +/*** +  This file is part of systemd. + +  Copyright 2010 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU General Public License as published by +  the Free Software Foundation; either version 2 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  General Public License for more details. + +  You should have received a copy of the GNU General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <errno.h> +#include <unistd.h> +#include <signal.h> +#include <string.h> +#include <stdlib.h> + +#include <libcgroup.h> + +#include "cgroup-util.h" +#include "log.h" +#include "set.h" +#include "macro.h" +#include "util.h" + +int cg_translate_error(int error, int _errno) { + +        switch (error) { + +        case ECGROUPNOTCOMPILED: +        case ECGROUPNOTMOUNTED: +        case ECGROUPNOTEXIST: +        case ECGROUPNOTCREATED: +                return -ENOENT; + +        case ECGINVAL: +                return -EINVAL; + +        case ECGROUPNOTALLOWED: +                return -EPERM; + +        case ECGOTHER: +                return -_errno; +        } + +        return -EIO; +} + +static struct cgroup* cg_new(const char *controller, const char *path) { +        struct cgroup *cgroup; + +        assert(path); +        assert(controller); + +        if (!(cgroup = cgroup_new_cgroup(path))) +                return NULL; + +        if (!cgroup_add_controller(cgroup, controller)) { +                cgroup_free(&cgroup); +                return NULL; +        } + +        return cgroup; +} + +int cg_kill(const char *controller, const char *path, int sig, bool ignore_self) { +        bool killed = false, done = false; +        Set *s; +        pid_t my_pid; +        int r, ret = 0; + +        assert(controller); +        assert(path); +        assert(sig >= 0); + +        /* This goes through the tasks list and kills them all. This +         * is repeated until no further processes are added to the +         * tasks list, to properly handle forking processes */ + +        if (!(s = set_new(trivial_hash_func, trivial_compare_func))) +                return -ENOMEM; + +        my_pid = getpid(); + +        do { +                void *iterator = NULL; +                pid_t pid = 0; + +                done = true; + +                r = cgroup_get_task_begin(path, controller, &iterator, &pid); +                while (r == 0) { + +                        if (pid == my_pid && ignore_self) +                                goto next; + +                        if (set_get(s, INT_TO_PTR(pid)) == INT_TO_PTR(pid)) +                                goto next; + +                        /* If we haven't killed this process yet, kill +                         * it */ + +                        if (kill(pid, sig) < 0 && errno != ESRCH) { +                                if (ret == 0) +                                        ret = -errno; +                        } + +                        killed = true; +                        done = false; + +                        if ((r = set_put(s, INT_TO_PTR(pid))) < 0) +                                goto loop_exit; + +                next: +                        r = cgroup_get_task_next(&iterator, &pid); +                } + +                if (r == 0 || r == ECGEOF) +                        r = 0; +                else if (r == ECGOTHER && errno == ENOENT) +                        r = -ESRCH; +                else +                        r = cg_translate_error(r, errno); + +        loop_exit: +                assert_se(cgroup_get_task_end(&iterator) == 0); + +                /* To avoid racing against processes which fork +                 * quicker than we can kill them we repeat this until +                 * no new pids need to be killed. */ + +        } while (!done && r >= 0); + +        set_free(s); + +        if (ret < 0) +                return ret; + +        if (r < 0) +                return r; + +        return !!killed; +} + +int cg_kill_recursive(const char *controller, const char *path, int sig, bool ignore_self) { +        struct cgroup_file_info info; +        int level = 0, r, ret = 0; +        void *iterator = NULL; +        bool killed = false; + +        assert(path); +        assert(controller); +        assert(sig >= 0); + +        zero(info); + +        r = cgroup_walk_tree_begin(controller, path, 0, &iterator, &info, &level); +        while (r == 0) { +                int k; +                char *p; + +                if (info.type != CGROUP_FILE_TYPE_DIR) +                        goto next; + +                if (asprintf(&p, "%s/%s", path, info.path) < 0) { +                        ret = -ENOMEM; +                        break; +                } + +                k = cg_kill(controller, p, sig, ignore_self); +                free(p); + +                if (k < 0) { +                        if (ret == 0) +                                ret = k; +                } else if (k > 0) +                        killed = true; + +        next: + +                r = cgroup_walk_tree_next(0, &iterator, &info, level); +        } + +        if (ret == 0) { +                if (r == 0 || r == ECGEOF) +                        ret = !!killed; +                else if (r == ECGOTHER && errno == ENOENT) +                        ret = -ESRCH; +                else +                        ret = cg_translate_error(r, errno); +        } + +        assert_se(cgroup_walk_tree_end(&iterator) == 0); + +        return ret; +} + +int cg_kill_recursive_and_wait(const char *controller, const char *path) { +        unsigned i; + +        assert(path); +        assert(controller); + +        /* This safely kills all processes; first it sends a SIGTERM, +         * then checks 8 times after 50ms whether the group is +         * now empty, and finally kills everything that is left with +         * SIGKILL */ + +        for (i = 0; i < 10; i++) { +int sig, r; + +                if (i <= 0) +                        sig = SIGTERM; +                else if (i >= 9) +                        sig = SIGKILL; +                else +                        sig = 0; + +                if ((r = cg_kill_recursive(controller, path, sig, true)) <= 0) +                        return r; + +                usleep(50 * USEC_PER_MSEC); +        } + +        return 0; +} + +int cg_migrate(const char *controller, const char *from, const char *to, bool ignore_self) { +        bool migrated = false, done = false; +        struct cgroup *dest; +        int r, ret = 0; +        pid_t my_pid; + +        assert(controller); +        assert(from); +        assert(to); + +        if (!(dest = cg_new(controller, to))) +                return -ENOMEM; + +        my_pid = getpid(); + +        do { +                void *iterator = NULL; +                pid_t pid = 0; + +                done = true; + +                r = cgroup_get_task_begin(from, controller, &iterator, &pid); +                while (r == 0) { + +                        if (pid == my_pid && ignore_self) +                                goto next; + +                        if ((r = cgroup_attach_task_pid(dest, pid)) != 0) { +                                if (ret == 0) +                                        r = cg_translate_error(r, errno); +                        } + +                        migrated = true; +                        done = false; + +                next: + +                        r = cgroup_get_task_next(&iterator, &pid); +                } + +                if (r == 0 || r == ECGEOF) +                        r = 0; +                else if (r == ECGOTHER && errno == ENOENT) +                        r = -ESRCH; +                else +                        r = cg_translate_error(r, errno); + +                assert_se(cgroup_get_task_end(&iterator) == 0); + +        } while (!done && r >= 0); + +        cgroup_free(&dest); + +        if (ret < 0) +                return ret; + +        if (r < 0) +                return r; + +        return !!migrated; +} + +int cg_migrate_recursive(const char *controller, const char *from, const char *to, bool ignore_self) { +        struct cgroup_file_info info; +        int level = 0, r, ret = 0; +        void *iterator = NULL; +        bool migrated = false; + +        assert(controller); +        assert(from); +        assert(to); + +        zero(info); + +        r = cgroup_walk_tree_begin(controller, from, 0, &iterator, &info, &level); +        while (r == 0) { +                int k; +                char *p; + +                if (info.type != CGROUP_FILE_TYPE_DIR) +                        goto next; + +                if (asprintf(&p, "%s/%s", from, info.path) < 0) { +                        ret = -ENOMEM; +                        break; +                } + +                k = cg_migrate(controller, p, to, ignore_self); +                free(p); + +                if (k < 0) { +                        if (ret == 0) +                                ret = k; +                } else if (k > 0) +                        migrated = true; + +        next: +                r = cgroup_walk_tree_next(0, &iterator, &info, level); +        } + +        if (ret == 0) { +                if (r == 0 || r == ECGEOF) +                        r = !!migrated; +                else if (r == ECGOTHER && errno == ENOENT) +                        r = -ESRCH; +                else +                        r = cg_translate_error(r, errno); +        } + +        assert_se(cgroup_walk_tree_end(&iterator) == 0); + +        return ret; +} + +int cg_get_path(const char *controller, const char *path, const char *suffix, char **fs) { +        char *mp; +        int r; + +        assert(controller); +        assert(path); + +        if ((r = cgroup_get_subsys_mount_point(controller, &mp)) != 0) +                return cg_translate_error(r, errno); + +        if (suffix) +                r = asprintf(fs, "%s/%s/%s", mp, path, suffix); +        else +                r = asprintf(fs, "%s/%s", mp, path); + +        free(mp); + +        return r < 0 ? -ENOMEM : 0; +} + +int cg_trim(const char *controller, const char *path, bool delete_root) { +        char *fs; +        int r; + +        assert(controller); +        assert(path); + +        if ((r = cg_get_path(controller, path, NULL, &fs)) < 0) +                return r; + +        r = rm_rf(fs, true, delete_root); +        free(fs); + +        return r; +} + +int cg_delete(const char *controller, const char *path) { +        struct cgroup *cg; +        int r; + +        assert(controller); +        assert(path); + +        if (!(cg = cg_new(controller, path))) +                return -ENOMEM; + +        if ((r = cgroup_delete_cgroup_ext(cg, CGFLAG_DELETE_RECURSIVE|CGFLAG_DELETE_IGNORE_MIGRATION)) != 0) { +                r = cg_translate_error(r, errno); +                goto finish; +        } + +        r = 0; + +finish: +        cgroup_free(&cg); + +        return r; +} + +int cg_create(const char *controller, const char *path) { +        struct cgroup *cg; +        int r; + +        assert(controller); +        assert(path); + +        if (!(cg = cg_new(controller, path))) +                return -ENOMEM; + +        if ((r = cgroup_create_cgroup(cg, 1)) != 0) { +                r = cg_translate_error(r, errno); +                goto finish; +        } + +        r = 0; + +finish: +        cgroup_free(&cg); + +        return r; +} + +int cg_attach(const char *controller, const char *path, pid_t pid) { +        struct cgroup *cg; +        int r; + +        assert(controller); +        assert(path); +        assert(pid >= 0); + +        if (!(cg = cg_new(controller, path))) +                return -ENOMEM; + +        if (pid == 0) +                pid = getpid(); + +        if ((r = cgroup_attach_task_pid(cg, pid))) { +                r = cg_translate_error(r, errno); +                goto finish; +        } + +        r = 0; + +finish: +        cgroup_free(&cg); + +        return r; +} + +int cg_create_and_attach(const char *controller, const char *path, pid_t pid) { +        struct cgroup *cg; +        int r; + +        assert(controller); +        assert(path); +        assert(pid >= 0); + +        if (!(cg = cg_new(controller, path))) +                return -ENOMEM; + +        if ((r = cgroup_create_cgroup(cg, 1)) != 0) { +                r = cg_translate_error(r, errno); +                goto finish; +        } + +        if (pid == 0) +                pid = getpid(); + +        if ((r = cgroup_attach_task_pid(cg, pid))) { +                r = cg_translate_error(r, errno); +                goto finish; +        } + +        r = 0; + +finish: +        cgroup_free(&cg); + +        return r; +} + +int cg_set_group_access(const char *controller, const char *path, mode_t mode, uid_t uid, gid_t gid) { +        char *fs; +        int r; + +        assert(controller); +        assert(path); + +        if ((r = cg_get_path(controller, path, NULL, &fs)) < 0) +                return r; + +        r = chmod_and_chown(fs, mode, uid, gid); +        free(fs); + +        return r; +} + +int cg_set_task_access(const char *controller, const char *path, mode_t mode, uid_t uid, gid_t gid) { +        char *fs; +        int r; + +        assert(controller); +        assert(path); + +        if ((r = cg_get_path(controller, path, "tasks", &fs)) < 0) +                return r; + +        r = chmod_and_chown(fs, mode, uid, gid); +        free(fs); + +        return r; +} + +int cg_get_by_pid(const char *controller, pid_t pid, char **path) { +        int r; +        char *p = NULL; + +        assert(controller); +        assert(pid > 0); +        assert(path); + +        if ((r = cgroup_get_current_controller_path(pid, controller, &p)) != 0) +                return cg_translate_error(r, errno); + +        assert(p); + +        *path = p; +        return 0; +} + +int cg_install_release_agent(const char *controller, const char *agent) { +        char *mp = NULL, *path = NULL, *contents = NULL, *line = NULL, *sc; +        int r; + +        assert(controller); +        assert(agent); + +        if ((r = cgroup_get_subsys_mount_point(controller, &mp)) != 0) +                return cg_translate_error(r, errno); + +        if (asprintf(&path, "%s/release_agent", mp) < 0) { +                r = -ENOMEM; +                goto finish; +        } + +        if ((r = read_one_line_file(path, &contents)) < 0) +                goto finish; + +        sc = strstrip(contents); + +        if (sc[0] == 0) { + +                if (asprintf(&line, "%s\n", agent) < 0) { +                        r = -ENOMEM; +                        goto finish; +                } + +                if ((r = write_one_line_file(path, line)) < 0) +                        goto finish; + +        } else if (!streq(sc, agent)) { +                r = -EEXIST; +                goto finish; +        } + +        free(path); +        path = NULL; +        if (asprintf(&path, "%s/notify_on_release", mp) < 0) { +                r = -ENOMEM; +                goto finish; +        } + +        free(contents); +        contents = NULL; +        if ((r = read_one_line_file(path, &contents)) < 0) +                goto finish; + +        sc = strstrip(contents); + +        if (streq(sc, "0")) { +                if ((r = write_one_line_file(path, "1\n")) < 0) +                        goto finish; +        } else if (!streq(sc, "1")) { +                r = -EIO; +                goto finish; +        } + +        r = 0; + +finish: +        free(mp); +        free(path); +        free(contents); +        free(line); + +        return r; +} + +int cg_is_empty(const char *controller, const char *path, bool ignore_self) { +        void *iterator = NULL; +        pid_t pid = 0; +        int r; + +        assert(controller); +        assert(path); + +        r = cgroup_get_task_begin(path, controller, &iterator, &pid); +        while (r == 0) { + +                if (ignore_self&& pid == getpid()) +                        goto next; + +                break; + +        next: +                r = cgroup_get_task_next(&iterator, &pid); +        } + + +        if (r == ECGEOF) +                r = 1; +        else if (r != 0) +                r = cg_translate_error(r, errno); +        else +                r = 0; + +        assert_se(cgroup_get_task_end(&iterator) == 0); + +        return r; +} + +int cg_is_empty_recursive(const char *controller, const char *path, bool ignore_self) { +        struct cgroup_file_info info; +        int level = 0, r, ret = 0; +        void *iterator = NULL; +        bool empty = true; + +        assert(controller); +        assert(path); + +        zero(info); + +        r = cgroup_walk_tree_begin(controller, path, 0, &iterator, &info, &level); +        while (r == 0) { +                int k; +                char *p; + +                if (info.type != CGROUP_FILE_TYPE_DIR) +                        goto next; + +                if (asprintf(&p, "%s/%s", path, info.path) < 0) { +                        ret = -ENOMEM; +                        break; +                } + +                k = cg_is_empty(controller, p, ignore_self); +                free(p); + +                if (k < 0) { +                        ret = k; +                        break; +                } else if (k == 0) { +                        empty = false; +                        break; +                } + +        next: +                r = cgroup_walk_tree_next(0, &iterator, &info, level); +        } + +        if (ret == 0) { +                if (r == 0 || r == ECGEOF) +                        ret = !!empty; +                else if (r == ECGOTHER && errno == ENOENT) +                        ret = -ESRCH; +                else +                        ret = cg_translate_error(r, errno); +        } + +        assert_se(cgroup_walk_tree_end(&iterator) == 0); + +        return ret; +} diff --git a/src/cgroup-util.h b/src/cgroup-util.h new file mode 100644 index 0000000000..4ada71bc17 --- /dev/null +++ b/src/cgroup-util.h @@ -0,0 +1,54 @@ +/*-*- Mode: C; c-basic-offset: 8 -*-*/ + +#ifndef foocgrouputilhfoo +#define foocgrouputilhfoo + +/*** +  This file is part of systemd. + +  Copyright 2010 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU General Public License as published by +  the Free Software Foundation; either version 2 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  General Public License for more details. + +  You should have received a copy of the GNU General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <sys/types.h> + +int cg_translate_error(int error, int _errno); + +int cg_kill(const char *controller, const char *path, int sig, bool ignore_self); +int cg_kill_recursive(const char *controller, const char *path, int sig, bool ignore_self); +int cg_kill_recursive_and_wait(const char *controller, const char *path); + +int cg_migrate(const char *controller, const char *from, const char *to, bool ignore_self); +int cg_migrate_recursive(const char *controller, const char *from, const char *to, bool ignore_self); + +int cg_get_path(const char *controller, const char *path, const char *suffix, char **fs); +int cg_get_by_pid(const char *controller, pid_t pid, char **path); + +int cg_trim(const char *controller, const char *path, bool delete_root); +int cg_delete(const char *controller, const char *path); + +int cg_create(const char *controller, const char *path); +int cg_attach(const char *controller, const char *path, pid_t pid); +int cg_create_and_attach(const char *controller, const char *path, pid_t pid); + +int cg_set_group_access(const char *controller, const char *path, mode_t mode, uid_t uid, gid_t gid); +int cg_set_task_access(const char *controller, const char *path, mode_t mode, uid_t uid, gid_t gid); + +int cg_install_release_agent(const char *controller, const char *agent); + +int cg_is_empty(const char *controller, const char *path, bool ignore_self); +int cg_is_empty_recursive(const char *controller, const char *path, bool ignore_self); + +#endif diff --git a/src/cgroup.c b/src/cgroup.c index 291db4e6c9..27130a9c39 100644 --- a/src/cgroup.c +++ b/src/cgroup.c @@ -26,32 +26,12 @@  #include <signal.h>  #include <sys/mount.h> +#include <libcgroup.h> +  #include "cgroup.h" +#include "cgroup-util.h"  #include "log.h" -static int translate_error(int error, int _errno) { - -        switch (error) { - -        case ECGROUPNOTCOMPILED: -        case ECGROUPNOTMOUNTED: -        case ECGROUPNOTEXIST: -        case ECGROUPNOTCREATED: -                return -ENOENT; - -        case ECGINVAL: -                return -EINVAL; - -        case ECGROUPNOTALLOWED: -                return -EPERM; - -        case ECGOTHER: -                return -_errno; -        } - -        return -EIO; -} -  int cgroup_bonding_realize(CGroupBonding *b) {          int r; @@ -59,39 +39,27 @@ int cgroup_bonding_realize(CGroupBonding *b) {          assert(b->path);          assert(b->controller); -        if (b->cgroup) +        if (b->realized)                  return 0; -        if (!(b->cgroup = cgroup_new_cgroup(b->path))) -                return -ENOMEM; +        if ((r = cg_create(b->controller, b->path)) < 0) +                return r; -        if (!cgroup_add_controller(b->cgroup, b->controller)) { -                r = -ENOMEM; -                goto fail; -        } +        b->realized = true; -        if ((r = cgroup_create_cgroup(b->cgroup, true)) != 0) { -                r = translate_error(r, errno); -                goto fail; -        } +        if (b->only_us && b->clean_up) +                cg_trim(b->controller, b->path, false);          return 0; - -fail: -        cgroup_free(&b->cgroup); -        b->cgroup = NULL; -        return r;  }  int cgroup_bonding_realize_list(CGroupBonding *first) {          CGroupBonding *b; +        int r; -        LIST_FOREACH(by_unit, b, first) { -                int r; - +        LIST_FOREACH(by_unit, b, first)                  if ((r = cgroup_bonding_realize(b)) < 0)                          return r; -        }          return 0;  } @@ -113,11 +81,12 @@ void cgroup_bonding_free(CGroupBonding *b) {                          hashmap_remove(b->unit->meta.manager->cgroup_bondings, b->path);          } -        if (b->cgroup) { -                if (b->only_us && b->clean_up && cgroup_bonding_is_empty(b) > 0) -                        cgroup_delete_cgroup_ext(b->cgroup, true); +        if (b->realized && b->only_us && b->clean_up) { -                cgroup_free(&b->cgroup); +                if (cgroup_bonding_is_empty(b) > 0) +                        cg_delete(b->controller, b->path); +                else +                        cg_trim(b->controller, b->path, false);          }          free(b->controller); @@ -138,109 +107,36 @@ int cgroup_bonding_install(CGroupBonding *b, pid_t pid) {          assert(b);          assert(pid >= 0); -        if (pid == 0) -                pid = getpid(); - -        if (!b->cgroup) -                return -ENOENT; - -        if ((r = cgroup_attach_task_pid(b->cgroup, pid))) -                return translate_error(r, errno); +        if ((r = cg_create_and_attach(b->controller, b->path, pid)) < 0) +                return r; +        b->realized = true;          return 0;  }  int cgroup_bonding_install_list(CGroupBonding *first, pid_t pid) {          CGroupBonding *b; +        int r; -        LIST_FOREACH(by_unit, b, first) { -                int r; - +        LIST_FOREACH(by_unit, b, first)                  if ((r = cgroup_bonding_install(b, pid)) < 0)                          return r; -        }          return 0;  }  int cgroup_bonding_kill(CGroupBonding *b, int sig) {          int r; -        Set *s; -        bool done; -        bool killed = false;          assert(b); -        assert(sig > 0); - -        if (!b->only_us) -                return -EAGAIN; - -        if (!(s = set_new(trivial_hash_func, trivial_compare_func))) -                return -ENOMEM; - -        do { -                void *iterator; -                pid_t pid; - -                done = true; - -                if ((r = cgroup_get_task_begin(b->path, b->controller, &iterator, &pid)) != 0) { -                        if (r == ECGEOF) { -                                r = 0; -                                goto kill_done; -                        } else { -                                if (r == ECGOTHER && errno == ENOENT) -                                        r = ESRCH; -                                else -                                        r = translate_error(r, errno); -                                break; -                        } -                } - -                for (;;) { -                        if (set_get(s, INT_TO_PTR(pid)) != INT_TO_PTR(pid)) { - -                                /* If we haven't killed this process -                                 * yet, kill it */ - -                                if (kill(pid, sig) < 0 && errno != ESRCH) { -                                        r = -errno; -                                        break; -                                } - -                                killed = true; -                                done = false; - -                                if ((r = set_put(s, INT_TO_PTR(pid))) < 0) -                                    break; -                        } - -                        if ((r = cgroup_get_task_next(&iterator, &pid)) != 0) { +        assert(sig >= 0); -                                if (r == ECGEOF) -                                        r = 0; -                                else -                                        r = translate_error(r, errno); - -                                break; -                        } -                } - -        kill_done: -                assert_se(cgroup_get_task_end(&iterator) == 0); - -                /* To avoid racing against processes which fork -                 * quicker than we can kill them we repeat this until -                 * no new pids need to be killed. */ - -        } while (!done && r >= 0); - -        set_free(s); - -        if (r < 0) +        if ((r = cgroup_bonding_realize(b)) < 0)                  return r; -        return killed ? 0 : -ESRCH; +        assert(b->realized); + +        return cg_kill_recursive(b->controller, b->path, sig, true);  }  int cgroup_bonding_kill_list(CGroupBonding *first, int sig) { @@ -249,7 +145,7 @@ int cgroup_bonding_kill_list(CGroupBonding *first, int sig) {          LIST_FOREACH(by_unit, b, first) {                  if ((r = cgroup_bonding_kill(b, sig)) < 0) { -                        if (r == -EAGAIN || -ESRCH) +                        if (r == -EAGAIN || r == -ESRCH)                                  continue;                          return r; @@ -264,33 +160,19 @@ int cgroup_bonding_kill_list(CGroupBonding *first, int sig) {  /* Returns 1 if the group is empty, 0 if it is not, -EAGAIN if we   * cannot know */  int cgroup_bonding_is_empty(CGroupBonding *b) { -        void *iterator; -        pid_t pid;          int r;          assert(b); -        r = cgroup_get_task_begin(b->path, b->controller, &iterator, &pid); - -        if (r == 0 || r == ECGEOF) -                cgroup_get_task_end(&iterator); +        if ((r = cg_is_empty_recursive(b->controller, b->path, true)) < 0) +                return r; -        /* Hmm, no PID in this group? Then it is definitely empty */ -        if (r == ECGEOF) +        /* If it is empty it is empty */ +        if (r > 0)                  return 1; -        /* Some error? Let's return it */ -        if (r != 0) -                return translate_error(r, errno); - -        /* It's not empty, and we are the only user, then it is -         * definitely not empty */ -        if (b->only_us) -                return 0; - -        /* There are PIDs in the group but we aren't the only users, -         * hence we cannot say */ -        return -EAGAIN; +        /* It's not only us using this cgroup, so we just don't know */ +        return b->only_us ? 0 : -EAGAIN;  }  int cgroup_bonding_is_empty_list(CGroupBonding *first) { @@ -313,99 +195,6 @@ int cgroup_bonding_is_empty_list(CGroupBonding *first) {          return -EAGAIN;  } -static int install_release_agent(Manager *m, const char *mount_point) { -        char *p, *c, *sc; -        int r; - -        assert(m); -        assert(mount_point); - -        if (asprintf(&p, "%s/release_agent", mount_point) < 0) -                return -ENOMEM; - -        if ((r = read_one_line_file(p, &c)) < 0) { -                free(p); -                return r; -        } - -        sc = strstrip(c); - -        if (sc[0] == 0) { -                if ((r = write_one_line_file(p, CGROUP_AGENT_PATH "\n" )) < 0) { -                        free(p); -                        free(c); -                        return r; -                } -        } else if (!streq(sc, CGROUP_AGENT_PATH)) { -                free(p); -                free(c); -                return -EEXIST; -        } - -        free(c); -        free(p); - -        if (asprintf(&p, "%s/notify_on_release", mount_point) < 0) -                return -ENOMEM; - -        if ((r = read_one_line_file(p, &c)) < 0) { -                free(p); -                return r; -        } - -        sc = strstrip(c); - -        if (streq(sc, "0")) { -                if ((r = write_one_line_file(p, "1\n")) < 0) { -                        free(p); -                        free(c); -                        return r; -                } -        } else if (!streq(sc, "1")) { -                free(p); -                free(c); -                return -EIO; -        } - -        free(p); -        free(c); - -        return 0; -} - -static int create_hierarchy_cgroup(Manager *m) { -        struct cgroup *cg; -        int r; - -        assert(m); - -        if (!(cg = cgroup_new_cgroup(m->cgroup_hierarchy))) -                return -ENOMEM; - -        if (!(cgroup_add_controller(cg, m->cgroup_controller))) { -                r = -ENOMEM; -                goto finish; -        } - -        if ((r = cgroup_create_cgroup(cg, true)) != 0) { -                log_error("Failed to create cgroup hierarchy group: %s", cgroup_strerror(r)); -                r = translate_error(r, errno); -                goto finish; -        } - -        if ((r = cgroup_attach_task(cg)) != 0) { -                log_error("Failed to add ourselves to hierarchy group: %s", cgroup_strerror(r)); -                r = translate_error(r, errno); -                goto finish; -        } - -        r = 0; - -finish: -        cgroup_free(&cg); -        return r; -} -  int manager_setup_cgroup(Manager *m) {          char *cp;          int r; @@ -416,7 +205,7 @@ int manager_setup_cgroup(Manager *m) {          if ((r = cgroup_init()) != 0) {                  log_error("Failed to initialize libcg: %s", cgroup_strerror(r)); -                return translate_error(r, errno); +                return cg_translate_error(r, errno);          }          free(m->cgroup_controller); @@ -426,12 +215,12 @@ int manager_setup_cgroup(Manager *m) {          free(m->cgroup_mount_point);          m->cgroup_mount_point = NULL;          if ((r = cgroup_get_subsys_mount_point(m->cgroup_controller, &m->cgroup_mount_point))) -                return translate_error(r, errno); +                return cg_translate_error(r, errno);          pid = getpid();          if ((r = cgroup_get_current_controller_path(pid, m->cgroup_controller, &cp))) -                return translate_error(r, errno); +                return cg_translate_error(r, errno);          snprintf(suffix, sizeof(suffix), "/systemd-%u", (unsigned) pid);          char_array_0(suffix); @@ -457,12 +246,12 @@ int manager_setup_cgroup(Manager *m) {                    m->cgroup_mount_point,                    m->cgroup_hierarchy); -        if ((r = install_release_agent(m, m->cgroup_mount_point)) < 0) +        if ((r = cg_install_release_agent(m->cgroup_controller, CGROUP_AGENT_PATH)) < 0)                  log_warning("Failed to install release agent, ignoring: %s", strerror(-r));          else                  log_debug("Installed release agent, or already installed."); -        if ((r = create_hierarchy_cgroup(m)) < 0) +        if ((r = cg_create_and_attach(m->cgroup_controller, m->cgroup_hierarchy, 0)) < 0)                  log_error("Failed to create root cgroup hierarchy: %s", strerror(-r));          else                  log_debug("Created root group."); @@ -470,33 +259,13 @@ int manager_setup_cgroup(Manager *m) {          return r;  } -int manager_shutdown_cgroup(Manager *m, bool delete) { -        struct cgroup *cg; -        int r; - +int manager_shutdown_cgroup(Manager *m) {          assert(m); -        if (!m->cgroup_hierarchy) +        if (!m->cgroup_controller || !m->cgroup_hierarchy)                  return 0; -        if (!(cg = cgroup_new_cgroup(m->cgroup_hierarchy))) -                return -ENOMEM; - -        if (!(cgroup_add_controller(cg, m->cgroup_controller))) { -                r = -ENOMEM; -                goto finish; -        } - -        /* Often enough we won't be able to delete the cgroup we -         * ourselves are in, hence ignore all errors here */ -        if (delete) -                cgroup_delete_cgroup_ext(cg, CGFLAG_DELETE_IGNORE_MIGRATION|CGFLAG_DELETE_RECURSIVE); -        r = 0; - -finish: -        cgroup_free(&cg); -        return r; - +        return cg_delete(m->cgroup_controller, m->cgroup_hierarchy);  }  int cgroup_notify_empty(Manager *m, const char *group) { @@ -541,15 +310,12 @@ Unit* cgroup_unit_by_pid(Manager *m, pid_t pid) {          if (pid <= 1)                  return NULL; -        if ((r = cgroup_get_current_controller_path(pid, m->cgroup_controller, &group))) +        if ((r = cg_get_by_pid(m->cgroup_controller, pid, &group)))                  return NULL;          l = hashmap_get(m->cgroup_bondings, group);          free(group); -        if (!l) -                return NULL; -          LIST_FOREACH(by_path, b, l) {                  if (!b->unit) diff --git a/src/cgroup.h b/src/cgroup.h index 67c7cc3501..11d2aba8cf 100644 --- a/src/cgroup.h +++ b/src/cgroup.h @@ -22,8 +22,6 @@    along with systemd; If not, see <http://www.gnu.org/licenses/>.  ***/ -#include <libcgroup.h> -  typedef struct CGroupBonding CGroupBonding;  #include "unit.h" @@ -35,8 +33,6 @@ struct CGroupBonding {          Unit *unit; -        struct cgroup *cgroup; -          /* For the Unit::cgroup_bondings list */          LIST_FIELDS(CGroupBonding, by_unit); @@ -48,6 +44,9 @@ struct CGroupBonding {          /* When our tasks are the only ones in this group */          bool only_us:1; + +        /* This cgroup is realized */ +        bool realized:1;  };  int cgroup_bonding_realize(CGroupBonding *b); @@ -72,7 +71,7 @@ char *cgroup_bonding_to_string(CGroupBonding *b);  #include "manager.h"  int manager_setup_cgroup(Manager *m); -int manager_shutdown_cgroup(Manager *m, bool delete); +int manager_shutdown_cgroup(Manager *m);  int cgroup_notify_empty(Manager *m, const char *group); diff --git a/src/manager.c b/src/manager.c index 554dd8e866..f1a79b5e89 100644 --- a/src/manager.c +++ b/src/manager.c @@ -32,7 +32,6 @@  #include <sys/reboot.h>  #include <sys/ioctl.h>  #include <linux/kd.h> -#include <libcgroup.h>  #include <termios.h>  #include <fcntl.h>  #include <sys/types.h> @@ -421,7 +420,8 @@ void manager_free(Manager *m) {          /* If we reexecute ourselves, we keep the root cgroup           * around */ -        manager_shutdown_cgroup(m, m->exit_code != MANAGER_REEXECUTE); +        if (m->exit_code != MANAGER_REEXECUTE) +                manager_shutdown_cgroup(m);          bus_done(m); diff --git a/src/pam-module.c b/src/pam-module.c new file mode 100644 index 0000000000..5157897a71 --- /dev/null +++ b/src/pam-module.c @@ -0,0 +1,466 @@ +/*-*- Mode: C; c-basic-offset: 8 -*-*/ + +/*** +  This file is part of systemd. + +  Copyright 2010 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU General Public License as published by +  the Free Software Foundation; either version 2 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  General Public License for more details. + +  You should have received a copy of the GNU General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <errno.h> +#include <fcntl.h> +#include <sys/file.h> +#include <pwd.h> + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> +#include <security/pam_misc.h> + +#include <libcgroup.h> + +#include "util.h" +#include "cgroup-util.h" +#include "macro.h" +#include "sd-daemon.h" + +static int parse_argv(pam_handle_t *handle, +                      int argc, const char **argv, +                      bool *create_session, +                      bool *kill_session, +                      bool *kill_user) { + +        unsigned i; + +        assert(argc >= 0); +        assert(argc == 0 || argv); + +        for (i = 0; i < (unsigned) argc; i++) { +                int k; + +                if (startswith(argv[i], "create-session=")) { +                        if ((k = parse_boolean(argv[i] + 15)) < 0) { +                                pam_syslog(handle, LOG_ERR, "Failed to parse create-session= argument."); +                                return k; +                        } + +                        if (create_session) +                                *create_session = k; +                } else if (startswith(argv[i], "kill-session=")) { +                        if ((k = parse_boolean(argv[i] + 13)) < 0) { +                                pam_syslog(handle, LOG_ERR, "Failed to parse kill-session= argument."); +                                return k; +                        } + +                        if (kill_session) +                                *kill_session = k; + +                } else if (startswith(argv[i], "kill-user=")) { +                        if ((k = parse_boolean(argv[i] + 10)) < 0) { +                                pam_syslog(handle, LOG_ERR, "Failed to parse kill-user= argument."); +                                return k; +                        } + +                        if (kill_user) +                                *kill_user = k; +                } else { +                        pam_syslog(handle, LOG_ERR, "Unknown parameter '%s'.", argv[i]); +                        return -EINVAL; +                } +        } + +        if (kill_session && *kill_session && kill_user) +                *kill_user = true; + +        return 0; +} + +static int open_file_and_lock(const char *fn) { +        int fd; + +        assert(fn); + +        if ((fd = open(fn, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW|O_CREAT, 0600)) < 0) +                return -errno; + +        if (flock(fd, LOCK_EX) < 0) +                return -errno; + +        return fd; +} + +static uint32_t combine32(unsigned long long u) { +        uint32_t r = 0; +        unsigned i; + +        for (i = 0; i < sizeof(u)/4; i ++) +                r ^= (uint32_t) ((u >> (i*32)) & 0xFFFFFFFFULL); + +        return r; +} + +static char *generate_session_cookie(void) { +        char *machine; +        char *cookie; +        unsigned long long r; +        usec_t u; +        int k; + +        if (getmachineid_malloc(&machine) < 0) +                if (!(machine = gethostname_malloc())) +                        return NULL; + +        r = random_ull(); +        u = now(CLOCK_REALTIME); + +        k = asprintf(&cookie, "%s-%lu-%lu", +                     machine, +                     (unsigned long) combine32(r), +                     (unsigned long) combine32((unsigned long long) u)); +        free(machine); + +        return k < 0 ? NULL : cookie; +} + +static int get_user_data( +                pam_handle_t *handle, +                const char **ret_username, +                struct passwd **ret_pw) { + +        const char *username; +        struct passwd *pw; +        int r; + +        assert(handle); +        assert(ret_username); +        assert(ret_pw); + +        if ((r = pam_get_user(handle, &username, NULL)) != PAM_SUCCESS) { +                pam_syslog(handle, LOG_ERR, "Failed to get user name."); +                return r; +        } + +        if (!username || !*username) { +                pam_syslog(handle, LOG_ERR, "User name not valid."); +                return PAM_AUTH_ERR; +        } + +        if (!(pw = pam_modutil_getpwnam(handle, username))) { +                pam_syslog(handle, LOG_ERR, "Failed to get user data."); +                return PAM_USER_UNKNOWN; +        } + +        *ret_pw = pw; +        *ret_username = username; + +        return PAM_SUCCESS; +} + +static int create_user_group(pam_handle_t *handle, const char *group, struct passwd *pw, bool attach) { +        int r; + +        assert(handle); +        assert(group); + +        if (attach) +                r = cg_create_and_attach("name=systemd", group, 0); +        else +                r = cg_create("name=systemd", group); + +        if (r < 0) { +                pam_syslog(handle, LOG_ERR, "Failed to create cgroup: %s", strerror(-r)); +                return PAM_SESSION_ERR; +        } + +        if ((r = cg_set_task_access("name=systemd", group, 0755, pw->pw_uid, pw->pw_gid)) < 0 || +            (r = cg_set_group_access("name=systemd", group, 0755, pw->pw_uid, pw->pw_gid)) < 0) { +                pam_syslog(handle, LOG_ERR, "Failed to change access modes: %s", strerror(-r)); +                return PAM_SESSION_ERR; +        } + +        return PAM_SUCCESS; +} + +_public_ PAM_EXTERN int pam_sm_open_session( +                pam_handle_t *handle, +                int flags, +                int argc, const char **argv) { + +        const char *username = NULL; +        struct passwd *pw; +        int r; +        char *buf = NULL; +        int lock_fd = -1; +        bool create_session = true; + +        assert(handle); + +        pam_syslog(handle, LOG_INFO, "pam-systemd initializing"); + +        if (parse_argv(handle, argc, argv, &create_session, NULL, NULL) < 0) +                return PAM_SESSION_ERR; + +        /* Make this a NOP on non-systemd systems */ +        if (sd_booted() <= 0) +                return PAM_SUCCESS; + +        if ((r = cgroup_init()) != 0) { +                pam_syslog(handle, LOG_ERR, "libcgroup initialization failed: %s", cgroup_strerror(r)); +                r = PAM_SESSION_ERR; +                goto finish; +        } + +        if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS) +                goto finish; + +        if (safe_mkdir(RUNTIME_DIR "/user", 0755, 0, 0) < 0) { +                pam_syslog(handle, LOG_ERR, "Failed to create runtime directory: %m"); +                r = PAM_SYSTEM_ERR; +                goto finish; +        } + +        if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) { +                pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m"); +                r = PAM_SYSTEM_ERR; +                goto finish; +        } + +        /* Create /var/run/$USER */ +        free(buf); +        if (asprintf(&buf, RUNTIME_DIR "/user/%s", username) < 0) { +                r = PAM_BUF_ERR; +                goto finish; +        } + +        if (safe_mkdir(buf, 0700, pw->pw_uid, pw->pw_gid) < 0) { +                pam_syslog(handle, LOG_WARNING, "Failed to create runtime directory: %m"); +                r = PAM_SYSTEM_ERR; +                goto finish; +        } else if ((r = pam_misc_setenv(handle, "XDG_RUNTIME_DIR", buf, 0)) != PAM_SUCCESS) { +                pam_syslog(handle, LOG_ERR, "Failed to set runtime dir."); +                goto finish; +        } + +        free(buf); +        buf = NULL; + +        if (create_session) { +                const char *cookie; + +                /* Reuse or create XDG session ID */ +                if (!(cookie = pam_getenv(handle, "XDG_SESSION_COOKIE"))) { +                        if (!(buf = generate_session_cookie())) { +                                r = PAM_BUF_ERR; +                                goto finish; +                        } + +                        if ((r = pam_misc_setenv(handle, "XDG_SESSION_COOKIE", buf, 0)) != PAM_SUCCESS) { +                                pam_syslog(handle, LOG_ERR, "Failed to set cookie."); +                                goto finish; +                        } + +                        if (!(cookie = pam_getenv(handle, "XDG_SESSION_COOKIE"))) { +                                pam_syslog(handle, LOG_ERR, "Failed to get cookie."); +                                r = PAM_SESSION_ERR; +                                goto finish; +                        } +                } + +                r = asprintf(&buf, "/user/%s/%s", username, cookie); +        } else +                r = asprintf(&buf, "/user/%s/no-session", username); + +        if (r < 0) { +                r = PAM_BUF_ERR; +                goto finish; +        } + +        if ((r = create_user_group(handle, buf, pw, true)) != PAM_SUCCESS) +                goto finish; + +        r = PAM_SUCCESS; + +finish: +        free(buf); + +        if (lock_fd >= 0) +                close_nointr_nofail(lock_fd); + +        return r; +} + +static int session_remains(pam_handle_t *handle, const char *user_path) { +        struct cgroup_file_info info; +        int level = 0, r; +        void *iterator = NULL; +        bool remains = false; + +        zero(info); + +        r = cgroup_walk_tree_begin("name=systemd", user_path, 0, &iterator, &info, &level); +        while (r == 0) { + +                if (info.type != CGROUP_FILE_TYPE_DIR) +                        goto next; + +                if (streq(info.path, "")) +                        goto next; + +                if (streq(info.path, "no-session")) +                        goto next; + +                remains = true; +                break; + +        next: + +                r = cgroup_walk_tree_next(0, &iterator, &info, level); +        } + + +        if (remains) +                r = 1; +        else if (r == 0 || r == ECGEOF) +                r = 0; +        else +                r = cg_translate_error(r, errno); + +        assert_se(cgroup_walk_tree_end(&iterator) == 0); + +        return r; +} + +_public_ PAM_EXTERN int pam_sm_close_session( +                pam_handle_t *handle, +                int flags, +                int argc, const char **argv) { + +        const char *username = NULL; +        bool kill_session = false; +        bool kill_user = false; +        int lock_fd = -1, r; +        char *session_path = NULL, *nosession_path = NULL, *user_path = NULL; +        const char *cookie; +        struct passwd *pw; + +        assert(handle); + +        if (parse_argv(handle, argc, argv, NULL, &kill_session, &kill_user) < 0) +                return PAM_SESSION_ERR; + +        /* Make this a NOP on non-systemd systems */ +        if (sd_booted() <= 0) +                return PAM_SUCCESS; + +        if ((r = get_user_data(handle, &username, &pw)) != PAM_SUCCESS) +                goto finish; + +        if ((lock_fd = open_file_and_lock(RUNTIME_DIR "/user/.pam-systemd-lock")) < 0) { +                pam_syslog(handle, LOG_ERR, "Failed to lock runtime directory: %m"); +                r = PAM_SYSTEM_ERR; +                goto finish; +        } + +        if (asprintf(&user_path, "/user/%s", username) < 0) { +                r = PAM_BUF_ERR; +                goto finish; +        } + +        if ((cookie = pam_getenv(handle, "XDG_SESSION_COOKIE"))) { + +                if (asprintf(&session_path, "/user/%s/%s", username, cookie) < 0 || +                    asprintf(&nosession_path, "/user/%s/no-session", username) < 0) { +                        r = PAM_BUF_ERR; +                        goto finish; +                } + +                if (kill_session)  { +                        pam_syslog(handle, LOG_INFO, "KILLING ENTER"); + +                        /* Kill processes in session cgroup */ +                        if ((r = cg_kill_recursive_and_wait("name=systemd", session_path)) < 0) +                                pam_syslog(handle, LOG_ERR, "Failed to kill session cgroup: %s", strerror(-r)); + +                        pam_syslog(handle, LOG_INFO, "KILLING EXIT"); + +                } else  { +                        /* Migrate processes from session to +                         * no-session cgroup. First, try to create the +                         * no-session group in case it doesn't exist +                         * yet. */ +                        create_user_group(handle, nosession_path, pw, 0); + +                        if ((r = cg_migrate_recursive("name=systemd", session_path, nosession_path, false)) < 0) +                                pam_syslog(handle, LOG_ERR, "Failed to migrate session cgroup: %s", strerror(-r)); +                } + +                /* Delete session cgroup */ +                if (r < 0) +                        pam_syslog(handle, LOG_INFO, "Couldn't empty session cgroup, not deleting."); +                else { +                        if ((r = cg_delete("name=systemd", session_path)) < 0) +                                pam_syslog(handle, LOG_ERR, "Failed to delete session cgroup: %s", strerror(-r)); +                } +        } + +        /* GC user tree */ +        cg_trim("name=systemd", user_path, false); + +        if ((r = session_remains(handle, user_path)) < 0) +                pam_syslog(handle, LOG_ERR, "Failed to determine whether a session remains: %s", strerror(-r)); + +        /* Kill user processes not attached to any session */ +        if (kill_user && r == 0) { + +                /* Kill no-session cgroup */ +                if ((r = cg_kill_recursive_and_wait("name=systemd", user_path)) < 0) +                        pam_syslog(handle, LOG_ERR, "Failed to kill user cgroup: %s", strerror(-r)); +        } else { + +                if ((r = cg_is_empty_recursive("name=systemd", user_path, true)) < 0) +                        pam_syslog(handle, LOG_ERR, "Failed to check user cgroup: %s", strerror(-r)); + +                /* If we managed to kill somebody, don't cleanup the cgroup. */ +                if (r == 0) +                        r = -EBUSY; +        } + +        if (r >= 0) { +                const char *runtime_dir; + +                /* Remove user cgroup */ +                if ((r = cg_delete("name=systemd", user_path)) < 0) +                        pam_syslog(handle, LOG_ERR, "Failed to delete user cgroup: %s", strerror(-r)); + +                /* This will migrate us to the /user cgroup. */ + +                if ((runtime_dir = pam_getenv(handle, "XDG_RUNTIME_DIR"))) +                        if ((r = rm_rf(runtime_dir, false, true)) < 0) +                                pam_syslog(handle, LOG_ERR, "Failed to remove runtime directory: %s", strerror(-r)); +        } + +        r = PAM_SUCCESS; + +finish: +        if (lock_fd >= 0) +                close_nointr_nofail(lock_fd); + +        free(session_path); +        free(nosession_path); +        free(user_path); + +        return r; +} diff --git a/src/test-cgroup.c b/src/test-cgroup.c new file mode 100644 index 0000000000..389df6d398 --- /dev/null +++ b/src/test-cgroup.c @@ -0,0 +1,84 @@ +/*-*- Mode: C; c-basic-offset: 8 -*-*/ + +/*** +  This file is part of systemd. + +  Copyright 2010 Lennart Poettering + +  systemd is free software; you can redistribute it and/or modify it +  under the terms of the GNU General Public License as published by +  the Free Software Foundation; either version 2 of the License, or +  (at your option) any later version. + +  systemd is distributed in the hope that it will be useful, but +  WITHOUT ANY WARRANTY; without even the implied warranty of +  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +  General Public License for more details. + +  You should have received a copy of the GNU General Public License +  along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <unistd.h> +#include <string.h> + +#include <libcgroup.h> + +#include "cgroup-util.h" +#include "util.h" +#include "log.h" + +int main(int argc, char*argv[]) { +        char *path; + +        assert_se(cgroup_init() == 0); + +        assert_se(cg_create("name=systemd", "/test-a") == 0); +        assert_se(cg_create("name=systemd", "/test-a") == 0); +        assert_se(cg_create("name=systemd", "/test-b") == 0); +        assert_se(cg_create("name=systemd", "/test-b/test-c") == 0); +        assert_se(cg_create_and_attach("name=systemd", "/test-b", 0) == 0); + +        assert_se(cg_get_by_pid("name=systemd", getpid(), &path) == 0); +        assert_se(streq(path, "/test-b")); +        free(path); + +        assert_se(cg_attach("name=systemd", "/test-a", 0) == 0); + +        assert_se(cg_get_by_pid("name=systemd", getpid(), &path) == 0); +        assert_se(path_equal(path, "/test-a")); +        free(path); + +        assert_se(cg_create_and_attach("name=systemd", "/test-b/test-d", 0) == 0); + +        assert_se(cg_get_by_pid("name=systemd", getpid(), &path) == 0); +        assert_se(path_equal(path, "/test-b/test-d")); +        free(path); + +        assert_se(cg_get_path("name=systemd", "/test-b/test-d", NULL, &path) == 0); +        assert_se(path_equal(path, "/cgroup/systemd/test-b/test-d")); +        free(path); + +        assert_se(cg_is_empty("name=systemd", "/test-a", false) > 0); +        assert_se(cg_is_empty("name=systemd", "/test-b", false) > 0); +        assert_se(cg_is_empty_recursive("name=systemd", "/test-a", false) > 0); +        assert_se(cg_is_empty_recursive("name=systemd", "/test-b", false) == 0); + +        assert_se(cg_kill_recursive("name=systemd", "/test-a", 0, false) == 0); +        assert_se(cg_kill_recursive("name=systemd", "/test-b", 0, false) > 0); + +        assert_se(cg_migrate_recursive("name=systemd", "/test-b", "/test-a", false) == 0); + +        assert_se(cg_is_empty_recursive("name=systemd", "/test-a", false) == 0); +        assert_se(cg_is_empty_recursive("name=systemd", "/test-b", false) > 0); + +        assert_se(cg_kill_recursive("name=systemd", "/test-a", 0, false) > 0); +        assert_se(cg_kill_recursive("name=systemd", "/test-b", 0, false) == 0); + +        cg_trim("name=systemd", "/", false); + +        assert_se(cg_delete("name=systemd", "/test-b") < 0); +        assert_se(cg_delete("name=systemd", "/test-a") == 0); + +        return 0; +} diff --git a/src/util.c b/src/util.c index 6fa9dec3a6..11ab074569 100644 --- a/src/util.c +++ b/src/util.c @@ -846,6 +846,28 @@ char *file_in_same_dir(const char *path, const char *filename) {          return r;  } +int safe_mkdir(const char *path, mode_t mode, uid_t uid, gid_t gid) { +        struct stat st; + +        if (mkdir(path, mode) >= 0) +                if (chmod_and_chown(path, mode, uid, gid) < 0) +                        return -errno; + +        if (lstat(path, &st) < 0) +                return -errno; + +        if ((st.st_mode & 0777) != mode || +            st.st_uid != uid || +            st.st_gid != gid || +            !S_ISDIR(st.st_mode)) { +                errno = EEXIST; +                return -errno; +        } + +        return 0; +} + +  int mkdir_parents(const char *path, mode_t mode) {          const char *p, *e; @@ -2325,6 +2347,18 @@ char* gethostname_malloc(void) {          return strdup(u.sysname);  } +int getmachineid_malloc(char **b) { +        int r; + +        assert(b); + +        if ((r = read_one_line_file("/var/lib/dbus/machine-id", b)) < 0) +                return r; + +        strstrip(*b); +        return 0; +} +  char* getlogname_malloc(void) {          uid_t uid;          long bufsize; @@ -2361,11 +2395,13 @@ char* getlogname_malloc(void) {          return name;  } -char *getttyname_malloc(void) { -        char path[PATH_MAX], *p; +int getttyname_malloc(char **r) { +        char path[PATH_MAX], *p, *c; + +        assert(r);          if (ttyname_r(STDIN_FILENO, path, sizeof(path)) < 0) -                return strdup("unknown"); +                return -errno;          char_array_0(path); @@ -2373,7 +2409,132 @@ char *getttyname_malloc(void) {          if (startswith(path, "/dev/"))                  p += 5; -        return strdup(p); +        if (!(c = strdup(p))) +                return -ENOMEM; + +        *r = c; +        return 0; +} + +static int rm_rf_children(int fd, bool only_dirs) { +        DIR *d; +        int ret = 0; + +        assert(fd >= 0); + +        /* This returns the first error we run into, but nevertheless +         * tries to go on */ + +        if (!(d = fdopendir(fd))) { +                close_nointr_nofail(fd); +                return -errno; +        } + +        for (;;) { +                struct dirent buf, *de; +                bool is_dir; +                int r; + +                if ((r = readdir_r(d, &buf, &de)) != 0) { +                        if (ret == 0) +                                ret = -r; +                        break; +                } + +                if (!de) +                        break; + +                if (streq(de->d_name, ".") || streq(de->d_name, "..")) +                        continue; + +                if (de->d_type == DT_UNKNOWN) { +                        struct stat st; + +                        if (fstatat(fd, de->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) { +                                if (ret == 0) +                                        ret = -errno; +                                continue; +                        } + +                        is_dir = S_ISDIR(st.st_mode); +                } else +                        is_dir = de->d_type == DT_DIR; + +                if (is_dir) { +                        int subdir_fd; + +                        if ((subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)) < 0) { +                                if (ret == 0) +                                        ret = -errno; +                                continue; +                        } + +                        if ((r = rm_rf_children(subdir_fd, only_dirs)) < 0) { +                                if (ret == 0) +                                        ret = r; +                        } + +                        if (unlinkat(fd, de->d_name, AT_REMOVEDIR) < 0) { +                                if (ret == 0) +                                        ret = -errno; +                        } +                } else  if (!only_dirs) { + +                        if (unlinkat(fd, de->d_name, 0) < 0) { +                                if (ret == 0) +                                        ret = -errno; +                        } +                } +        } + +        closedir(d); + +        return ret; +} + +int rm_rf(const char *path, bool only_dirs, bool delete_root) { +        int fd; +        int r; + +        assert(path); + +        if ((fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)) < 0) { + +                if (errno != ENOTDIR) +                        return -errno; + +                if (delete_root && !only_dirs) +                        if (unlink(path) < 0) +                                return -errno; + +                return 0; +        } + +        r = rm_rf_children(fd, only_dirs); + +        if (delete_root) +                if (rmdir(path) < 0) { +                        if (r == 0) +                                r = -errno; +                } + +        return r; +} + +int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid) { +        assert(path); + +        /* Under the assumption that we are running privileged we +         * first change the access mode and only then hand out +         * ownership to avoid a window where access is too open. */ + +        if (chmod(path, mode) < 0) +                return -errno; + +        if (chown(path, uid, gid) < 0) +                return -errno; + +        return 0;  }  static const char *const ioprio_class_table[] = { diff --git a/src/util.h b/src/util.h index 9af2ca8ae6..864d98fa63 100644 --- a/src/util.h +++ b/src/util.h @@ -160,6 +160,7 @@ char *delete_chars(char *s, const char *bad);  char *truncate_nl(char *s);  char *file_in_same_dir(const char *path, const char *filename); +int safe_mkdir(const char *path, mode_t mode, uid_t uid, gid_t gid);  int mkdir_parents(const char *path, mode_t mode);  int mkdir_p(const char *path, mode_t mode); @@ -263,7 +264,12 @@ void sigset_add_many(sigset_t *ss, ...);  char* gethostname_malloc(void);  char* getlogname_malloc(void); -char *getttyname_malloc(void); +int getttyname_malloc(char **r); +int getmachineid_malloc(char **r); + +int chmod_and_chown(const char *path, mode_t mode, uid_t uid, gid_t gid); + +int rm_rf(const char *path, bool only_dirs, bool delete_root);  const char *ioprio_class_to_string(int i);  int ioprio_class_from_string(const char *s); diff --git a/src/utmp-wtmp.c b/src/utmp-wtmp.c index d7cda82d5a..45da79c681 100644 --- a/src/utmp-wtmp.c +++ b/src/utmp-wtmp.c @@ -296,12 +296,14 @@ int utmp_wall(const char *message) {          time_t t;          if (!(hn = gethostname_malloc()) || -            !(un = getlogname_malloc()) || -            !(tty = getttyname_malloc())) { +            !(un = getlogname_malloc())) {                  r = -ENOMEM;                  goto finish;          } +        if ((r = getttyname_malloc(&tty)) < 0) +                goto finish; +          time(&t);          assert_se(ctime_r(&t, date));          delete_chars(date, "\n\r"); | 
