/*
clsync - file tree sync utility based on inotify/kqueue/bsm
Copyright (C) 2014 Dmitry Yu Okunev <dyokunev@ut.mephi.ru> 0x8E30679C
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "common.h"
#include "error.h"
#include <libcgroup.h>
static struct cgroup *cgroup = NULL;
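/*
 * Initialise libcgroup and allocate the (not yet kernel-created) cgroup
 * handle named ctx_p->cg_groupname into the file-scope `cgroup`.
 *
 * Returns 0 on success, -1 on failure; the failing call is logged by SAFE().
 *
 * The group name is validated up front: libcgroup copies it without a NULL
 * check, and an empty name would address the hierarchy root rather than a
 * private group, so both are rejected instead of being passed through.
 * A stale handle from an earlier call is released first so repeated
 * initialisation does not leak it.
 */
int clsync_cgroup_init ( ctx_t *ctx_p )
{
	if ( ctx_p->cg_groupname == NULL || ctx_p->cg_groupname[0] == '\0' ) {
		error ( "clsync_cgroup_init(): cgroup name is not set" );
		return -1;
	}

	debug ( 2, "cgroup_name == \"%s\"", ctx_p->cg_groupname );

	if ( cgroup != NULL ) {
		/* Re-initialisation: drop the previous handle rather than leak it. */
		debug ( 2, "cgroup handle already allocated; releasing it before re-init" );
		cgroup_free ( &cgroup );
		cgroup = NULL;
	}

	SAFE ( cgroup_init(), return -1; );
	SAFE ( ( cgroup = cgroup_new_cgroup ( ctx_p->cg_groupname ) ) == NULL, return -1; );
	return 0;
}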
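/*
 * Confine the cgroup to an explicit device allow-list: write
 * "devices.deny a" (deny everything), then one "devices.allow" entry per
 * element of CG_ALLOWED_DEVICES, and finally create the cgroup in the kernel.
 *
 * Returns 0 on success, -1 on any libcgroup failure (logged by SAFE()/error()).
 * Requires clsync_cgroup_init() to have produced the file-scope `cgroup`.
 *
 * NOTE(review): this uses the cgroup-v1 "devices" controller.  On a host that
 * only mounts the unified (v2) hierarchy there is no such controller, so
 * cgroup_add_controller() fails and -1 is returned; callers must treat that
 * as "not confined", not as a soft error.  The deny must be added before the
 * allows because libcgroup appears to write values in insertion order and the
 * kernel applies each write immediately.
 */
__extension__ int clsync_cgroup_forbid_extra_devices ( void )
{
	int rc;
	char *allowed_devices[] = CG_ALLOWED_DEVICES, **allowed_device_i;
	/*
	 * libcgroup keeps a single value per key name, while devices.allow accepts
	 * only one device per write.  The allow-list is therefore smuggled in as
	 * distinct keys: "devices.allow", "/devices.allow", "//devices.allow", ...
	 * All of them resolve to the same control file because the kernel path
	 * ".../devices/<group>//devices.allow" collapses repeated slashes.
	 *
	 * control_name_buf holds BUFSIZ slashes immediately followed by the
	 * literal "devices.allow"; the name for entry k starts k characters
	 * before the literal.  (libcgroup also caps the number of values per
	 * controller; if the allow-list ever exceeds that cap the add fails and
	 * SAFE() reports it.)
	 */
	char control_name_buf[BUFSIZ + BUFSIZ] = {[0 ... BUFSIZ - 1] = '/', 'd', 'e', 'v', 'i', 'c', 'e', 's', '.', 'a', 'l', 'l', 'o', 'w'};
	size_t n_slashes = 0;
	struct cgroup_controller *cgc;

	debug ( 2, "" );

	if ( cgroup == NULL ) {
		error ( "clsync_cgroup_forbid_extra_devices(): cgroup is not initialized" );
		return -1;
	}

	SAFE ( ( cgc = cgroup_add_controller ( cgroup, "devices" ) ) == NULL, return -1; );

	/* Deny-all first; the allow entries below punch holes in it. */
	debug ( 8, "Deny device: \"a\"" );
	SAFE ( cgroup_add_value_string ( cgc, "devices.deny", "a" ), return -1; );

	for ( allowed_device_i = allowed_devices; *allowed_device_i != NULL; allowed_device_i++, n_slashes++ ) {
		/*
		 * Bound the prefix by index rather than by comparing a pointer that
		 * has already walked before the array (which is undefined behaviour).
		 */
		critical_on ( n_slashes > BUFSIZ );
		const char *control_name = &control_name_buf[BUFSIZ - n_slashes];

		debug ( 8, "Allow device: \"%s\" (\"%s\" = \"%s\")", *allowed_device_i, control_name, *allowed_device_i );
		SAFE ( cgroup_add_value_string ( cgc, control_name, *allowed_device_i ), return -1; );
	}

	/* Materialise the group in the kernel; 1 = ignore ownership settings. */
	if ( ( rc = cgroup_create_cgroup ( cgroup, 1 ) ) ) {
		error ( "Got error while cgroup_create_cgroup(): %s", cgroup_strerror ( rc ) );
		return -1;
	}

	return 0;
}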
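/*
 * Move the process ctx_p->pid into the prepared cgroup.
 *
 * Returns 0 on success, -1 on failure (logged with the libcgroup error string).
 *
 * Fails closed: if no cgroup handle exists (init not run or failed) we refuse
 * instead of calling libcgroup with a NULL destination.  libcgroup's API
 * documentation describes a NULL cgroup as "move the task to the root
 * cgroup", which would lift every restriction while still reporting success.
 *
 * NOTE(review): the devices rules gate new open() calls; descriptors the
 * target already holds are presumably unaffected, so attach before the child
 * does any real work — confirm against the caller's ordering.
 */
int clsync_cgroup_attach ( ctx_t *ctx_p )
{
	int rc;
	debug ( 2, "" );

	if ( cgroup == NULL ) {
		error ( "clsync_cgroup_attach(): cgroup is not initialized; refusing to move pid %ld to the root cgroup", ( long ) ctx_p->pid );
		return -1;
	}

	if ( ( rc = cgroup_attach_task_pid ( cgroup, ctx_p->pid ) ) ) {
		error ( "Got error while cgroup_attach_task_pid(): %s", cgroup_strerror ( rc ) );
		return -1;
	}

	return 0;
}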
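/*
 * Tear down the cgroup and release the libcgroup handle.
 *
 * ctx_p is unused; it is kept for symmetry with the other entry points.
 * Deletion is best-effort: a failure (for example tasks still inside the
 * group, which CGFLAG_DELETE_IGNORE_MIGRATION does not move out) is logged
 * with the libcgroup error string, but 0 is still returned so shutdown
 * proceeds.  The file-scope handle is NULL afterwards, so calling this twice
 * is a harmless no-op.
 */
int clsync_cgroup_deinit ( ctx_t *ctx_p )
{
	int rc;
	( void ) ctx_p;
	debug ( 2, "" );

	if ( cgroup != NULL ) {
		rc = cgroup_delete_cgroup_ext ( cgroup, CGFLAG_DELETE_IGNORE_MIGRATION | CGFLAG_DELETE_RECURSIVE );
		if ( rc )
			error ( "Got error while cgroup_delete_cgroup_ext(): %s", cgroup_strerror ( rc ) );

		cgroup_free ( &cgroup );
		cgroup = NULL; /* be explicit even if cgroup_free() resets it: keeps deinit idempotent */
	}

	debug ( 15, "end" );
	return 0;
}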