StarMirror/sandboxed-api
1
0
Fork 0
mirror of https://github.com/google/sandboxed-api.git synced 2024-03-22 13:11:30 +08:00
Code Issues Projects Releases Wiki Activity

EmbedFile: Reopen memfds as readonly to workaround problems with CRIU

Browse Source 
CRIU while restoring memfd sometimes reopens them, which might result in ETXTBUSY on execveat.

PiperOrigin-RevId: 553114741
Change-Id: I11ee7aabe48a2853a8921a270c6cdcc70b50a518
This commit is contained in:
Wiktor Garbacz 2023-08-02 05:27:05 -07:00 committed by Copybara-Service
parent eaa175c8d2
commit 1c960e8389
4 changed files with 15 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sandboxed_api/BUILD.bazel
View File

@ -47,7 +47,6 @@ cc_library(
"//sandboxed_api/sandbox2:util", "//sandboxed_api/sandbox2:util",
"//sandboxed_api/util:fileops", "//sandboxed_api/util:fileops",
"//sandboxed_api/util:raw_logging", "//sandboxed_api/util:raw_logging",
"//sandboxed_api/util:strerror",
"@com_google_absl//absl/container:flat_hash_map", "@com_google_absl//absl/container:flat_hash_map",
"@com_google_absl//absl/strings", "@com_google_absl//absl/strings",
"@com_google_absl//absl/synchronization", "@com_google_absl//absl/synchronization",

13
sandboxed_api/CMakeLists.txt
View File

@ -52,18 +52,13 @@ add_library(sapi_embed_file ${SAPI_LIB_TYPE}
) )
add_library(sapi::embed_file ALIAS sapi_embed_file) add_library(sapi::embed_file ALIAS sapi_embed_file)
target_link_libraries(sapi_embed_file target_link_libraries(sapi_embed_file
PRIVATE absl::flat_hash_map PRIVATE absl::strings
absl::status
absl::statusor
absl::strings
absl::synchronization
sapi::fileops
sapi::strerror
sandbox2::util sandbox2::util
sapi::base sapi::base
sapi::fileops
sapi::raw_logging sapi::raw_logging
sapi::status PUBLIC absl::flat_hash_map
PUBLIC absl::log absl::synchronization
) )
# sandboxed_api:sapi # sandboxed_api:sapi

14
sandboxed_api/embed_file.cc
View File

@ -20,11 +20,10 @@
#include <sys/types.h> #include <sys/types.h>
#include <unistd.h> #include <unistd.h>
#include "absl/strings/string_view.h" #include "absl/strings/str_cat.h"
#include "sandboxed_api/sandbox2/util.h" #include "sandboxed_api/sandbox2/util.h"
#include "sandboxed_api/util/fileops.h" #include "sandboxed_api/util/fileops.h"
#include "sandboxed_api/util/raw_logging.h" #include "sandboxed_api/util/raw_logging.h"
#include "sandboxed_api/util/strerror.h"
namespace sapi { namespace sapi {
@ -64,7 +63,16 @@ int EmbedFile::CreateFdForFileToc(const FileToc* toc) {
// mm/memfd.c). Since fsync() is a no-op on memfds, it doesn't help to // mm/memfd.c). Since fsync() is a no-op on memfds, it doesn't help to
// ameliorate the problem. // ameliorate the problem.
return embed_fd.Release(); // Instead of working around problems with CRIU we reopen the file as
// read-only.
fd = open(absl::StrCat("/proc/", getpid(), "/fd/", embed_fd.get()).c_str(),
O_RDONLY | O_CLOEXEC);
if (fd == -1) {
SAPI_RAW_PLOG(ERROR, "Couldn't reopen '%d' read-only through /proc",
embed_fd.get());
return -1;
}
return fd;
} }
int EmbedFile::GetFdForFileToc(const FileToc* toc) { int EmbedFile::GetFdForFileToc(const FileToc* toc) {

2
sandboxed_api/embed_file.h
View File

@ -15,8 +15,6 @@
#ifndef SANDBOXED_API_EMBED_FILE_H_ #ifndef SANDBOXED_API_EMBED_FILE_H_
#define SANDBOXED_API_EMBED_FILE_H_ #define SANDBOXED_API_EMBED_FILE_H_
#include <vector>
#include "sandboxed_api/file_toc.h" #include "sandboxed_api/file_toc.h"
#include "absl/container/flat_hash_map.h" #include "absl/container/flat_hash_map.h"
#include "absl/synchronization/mutex.h" #include "absl/synchronization/mutex.h"