redox/programs/contain/src/main.rs

extern crate syscall;

use std::{env, thread};
use std::os::unix::process::CommandExt;
use std::process::Command;

pub fn main() {
    let mut args = env::args().skip(1);

    let root_opt = args.next();

    let cmd = args.next().unwrap_or("sh".to_string());

    let mut names = vec![
        "rand",
        "tcp",
        "udp"
    ];

    if root_opt.is_none() {
        names.push("file");
    }

    let mut name_ptrs = Vec::new();
    for name in names.iter() {
        name_ptrs.push([name.as_ptr() as usize, name.len()]);
    }

    let new_ns = syscall::mkns(&name_ptrs).unwrap();

    let root_thread = if let Some(root) = root_opt {
        Some(thread::spawn(move || {
            syscall::setrens(-1isize as usize, new_ns).unwrap();
            let scheme_fd = syscall::open(":file", syscall::O_CREAT | syscall::O_RDWR | syscall::O_CLOEXEC).unwrap();
            syscall::setrens(-1isize as usize, syscall::getns().unwrap()).unwrap();

            loop {
                let mut packet = syscall::Packet::default();
                if syscall::read(scheme_fd, &mut packet).unwrap() == 0 {
                    break;
                }
                println!("{:?}", packet);
            }

            let _ = syscall::close(scheme_fd);
        }))
    } else {
        None
    };

    let pid = unsafe { syscall::clone(0).unwrap() };
    if pid == 0 {
        syscall::setrens(new_ns, new_ns).unwrap();

        println!("Container {}: enter: {}", new_ns, cmd);

        let mut command = Command::new(&cmd);
        for arg in args {
            command.arg(&arg);
        }

        let err = command.exec();

        panic!("contain: failed to launch {}: {}", cmd, err);
    } else {
        let mut status = 0;
        syscall::waitpid(pid, &mut status, 0).unwrap();

        loop {
            let mut c_status = 0;
            let c_pid = syscall::waitpid(0, &mut c_status, syscall::WNOHANG).unwrap();
            if c_pid == 0 {
                break;
            } else {
                println!("Container zombie {}: {:X}", c_pid, c_status);
            }
        }

        println!("Container {}: exit: {:X}", new_ns, status);
    }
}
Add ability to contain a process in a scheme sandbox 2016-11-17 04:54:38 +01:00			`extern crate syscall;`

Implement O_DIRECTORY, switch to open for mkdir 2016-11-26 02:24:38 +01:00			`use std::{env, thread};`
Add signal support - exit on signal 2016-11-17 20:12:02 +01:00			`use std::os::unix::process::CommandExt;`
			`use std::process::Command;`
Add ability to contain a process in a scheme sandbox 2016-11-17 04:54:38 +01:00
			`pub fn main() {`
WIP: Chroot 2016-11-25 23:42:26 +01:00			`let mut args = env::args().skip(1);`

Implement O_DIRECTORY, switch to open for mkdir 2016-11-26 02:24:38 +01:00			`let root_opt = args.next();`
WIP: Chroot 2016-11-25 23:42:26 +01:00
			`let cmd = args.next().unwrap_or("sh".to_string());`

			`let mut names = vec![`
Add signal support - exit on signal 2016-11-17 20:12:02 +01:00			`"rand",`
			`"tcp",`
			`"udp"`
			`];`
Implement O_DIRECTORY, switch to open for mkdir 2016-11-26 02:24:38 +01:00
			`if root_opt.is_none() {`
WIP: Chroot 2016-11-25 23:42:26 +01:00			`names.push("file");`
			`}`
Add signal support - exit on signal 2016-11-17 20:12:02 +01:00
Implement rfc 4 2016-11-25 20:09:54 +01:00			`let mut name_ptrs = Vec::new();`
			`for name in names.iter() {`
			`name_ptrs.push([name.as_ptr() as usize, name.len()]);`
			`}`

			`let new_ns = syscall::mkns(&name_ptrs).unwrap();`

Implement O_DIRECTORY, switch to open for mkdir 2016-11-26 02:24:38 +01:00			`let root_thread = if let Some(root) = root_opt {`
			`Some(thread::spawn(move \|\| {`
			`syscall::setrens(-1isize as usize, new_ns).unwrap();`
			`let scheme_fd = syscall::open(":file", syscall::O_CREAT \| syscall::O_RDWR \| syscall::O_CLOEXEC).unwrap();`
			`syscall::setrens(-1isize as usize, syscall::getns().unwrap()).unwrap();`

			`loop {`
			`let mut packet = syscall::Packet::default();`
			`if syscall::read(scheme_fd, &mut packet).unwrap() == 0 {`
			`break;`
			`}`
			`println!("{:?}", packet);`
			`}`

			`let _ = syscall::close(scheme_fd);`
			`}))`
			`} else {`
			`None`
			`};`

More advanced setns syscall 2016-11-17 06:14:02 +01:00			`let pid = unsafe { syscall::clone(0).unwrap() };`
Add ability to contain a process in a scheme sandbox 2016-11-17 04:54:38 +01:00			`if pid == 0 {`
Implement rfc 4 2016-11-25 20:09:54 +01:00			`syscall::setrens(new_ns, new_ns).unwrap();`
More advanced setns syscall 2016-11-17 06:14:02 +01:00
WIP: Chroot 2016-11-25 23:42:26 +01:00			`println!("Container {}: enter: {}", new_ns, cmd);`

			`let mut command = Command::new(&cmd);`
			`for arg in args {`
			`command.arg(&arg);`
			`}`
More advanced setns syscall 2016-11-17 06:14:02 +01:00
WIP: Chroot 2016-11-25 23:42:26 +01:00			`let err = command.exec();`
Add signal support - exit on signal 2016-11-17 20:12:02 +01:00
WIP: Chroot 2016-11-25 23:42:26 +01:00			`panic!("contain: failed to launch {}: {}", cmd, err);`
Add ability to contain a process in a scheme sandbox 2016-11-17 04:54:38 +01:00			`} else {`
			`let mut status = 0;`
			`syscall::waitpid(pid, &mut status, 0).unwrap();`

Cleanup zombies in container - show scheme namespace in context list 2016-11-17 20:24:46 +01:00			`loop {`
			`let mut c_status = 0;`
			`let c_pid = syscall::waitpid(0, &mut c_status, syscall::WNOHANG).unwrap();`
			`if c_pid == 0 {`
			`break;`
			`} else {`
			`println!("Container zombie {}: {:X}", c_pid, c_status);`
			`}`
			`}`

Implement rfc 4 2016-11-25 20:09:54 +01:00			`println!("Container {}: exit: {:X}", new_ns, status);`
Add ability to contain a process in a scheme sandbox 2016-11-17 04:54:38 +01:00			`}`
			`}`