redmine

Testing reimplementation of thread-splitting support

... ... @@ -164,6 +164,13 @@ enum threadingmode {
};
typedef enum threadingmode threadingmode_t;
enum splittingmode_enum {
SM_OFF = 0,
SM_THREAD,
SM_PROCESS,
};
typedef enum splittingmode_enum splittingmode_t;
/*
struct excludeinfo {
unsigned int seqid_min;
... ...
... ... @@ -198,4 +198,4 @@ filesz:1M\n\
// In nanoseconds
#define OUTPUT_LOCK_TIMEOUT (100*1000*1000)
#define WAITPID_TIMED_GRANULARITY (30*1000*1000)
#define WAITPID_TIMED_GRANULARITY (30*1000*1000)
... ...
... ... @@ -99,7 +99,7 @@ enum flags_enum {
CUSTOMSIGNALS = 23|OPTION_LONGOPTONLY,
CHROOT = 24|OPTION_LONGOPTONLY,
MOUNTPOINTS = 25|OPTION_LONGOPTONLY,
PROCESSSPLITTING = 26|OPTION_LONGOPTONLY,
SPLITTING = 26|OPTION_LONGOPTONLY,
SYNCHANDLERUID = 27|OPTION_LONGOPTONLY,
SYNCHANDLERGID = 28|OPTION_LONGOPTONLY,
CAPS_INHERIT = 29|OPTION_LONGOPTONLY,
... ... @@ -109,10 +109,12 @@ enum flags_enum {
DETACH_MISCELLANEA = 33|OPTION_LONGOPTONLY,
ADDPERMITTEDHOOKFILES = 34|OPTION_LONGOPTONLY,
SECCOMP_FILTER = 35|OPTION_LONGOPTONLY,
SECUREPROCESSSPLITTING = 37|OPTION_LONGOPTONLY,
FORGET_PRIVTHREAD_INFO = 36|OPTION_LONGOPTONLY,
SECURESPLITTING = 37|OPTION_LONGOPTONLY,
FTS_EXPERIMENTAL_OPTIMIZATION = 38|OPTION_LONGOPTONLY,
FORBIDDEVICES = 39|OPTION_LONGOPTONLY,
CG_GROUPNAME = 40|OPTION_LONGOPTONLY,
PERMIT_MPROTECT = 41|OPTION_LONGOPTONLY,
};
typedef enum flags_enum flags_t;
... ...
... ... @@ -89,14 +89,15 @@ static const struct option long_options[] =
#endif
#ifdef CAPABILITIES_SUPPORT
# ifdef SECCOMP_SUPPORT
{"secure-process-splitting",optional_argument, NULL, SECUREPROCESSSPLITTING},
{"secure-splitting", required_argument, NULL, SECURESPLITTING},
# endif
{"process-splitting", optional_argument, NULL, PROCESSSPLITTING},
{"splitting", required_argument, NULL, SPLITTING},
{"check-execvp-args", optional_argument, NULL, CHECK_EXECVP_ARGS},
{"add-permitted-hook-files",required_argument, NULL, ADDPERMITTEDHOOKFILES},
# ifdef SECCOMP_SUPPORT
{"seccomp-filter", optional_argument, NULL, SECCOMP_FILTER},
# endif
{"forget-privthread-info",optional_argument, NULL, FORGET_PRIVTHREAD_INFO},
#endif
#ifdef GETMNTENT_SUPPORT
{"mountpoints", required_argument, NULL, MOUNTPOINTS},
... ... @@ -228,6 +229,13 @@ static char *const threading_modes[] = {
NULL
};
static char *const splitting_modes[] = {
[SM_OFF] = "off",
[SM_THREAD] = "thread",
[SM_PROCESS] = "process",
NULL
};
static char *const notify_engines[] = {
[NE_UNDEFINED] = "",
[NE_INOTIFY] = "inotify",
... ... @@ -351,7 +359,7 @@ void *watchforparent(void *parent_pid_p) {
while (1) {
if (getppid() == 1)
child_sigchld();
sleep(1);
sleep(SLEEP_SECONDS);
}
return NULL;
... ... @@ -867,11 +875,41 @@ int parse_parameter(ctx_t *ctx_p, uint16_t param_id, char *arg, paramsource_t pa
}
#ifdef CAPABILITIES_SUPPORT
# ifdef SECCOMP_SUPPORT
case SECUREPROCESSSPLITTING: {
ctx_p->flags[PROCESSSPLITTING]++;
case SECURESPLITTING: {
ctx_p->flags[CHECK_EXECVP_ARGS]++;
ctx_p->flags[SECCOMP_FILTER]++;
ctx_p->flags[FORBIDDEVICES]++;
}
case SPLITTING: {
char *value, *arg_orig = arg;
if (!*arg) {
ctx_p->flags[param_id] = 0;
return 0;
}
splittingmode_t splittingmode = getsubopt(&arg, splitting_modes, &value);
if((int)splittingmode == -1) {
errno = EINVAL;
error("Invalid splitting mode entered: \"%s\"", arg_orig);
return EINVAL;
}
ctx_p->flags[SPLITTING] = splittingmode;
if (param_id != SECURESPLITTING)
break;
switch (splittingmode) {
case SM_THREAD:
ctx_p->flags[FORGET_PRIVTHREAD_INFO]++;
break;
case SM_PROCESS:
break;
case SM_OFF:
errno = EINVAL;
error("Cannot understand \"--secure-splitting=off\". This configuration line have no sence.");
break;
}
ctx_p->flags[PERMIT_MPROTECT] = 0;
break;
}
# endif
... ...
... ... @@ -191,6 +191,9 @@ int memory_init() {
void *shm_malloc(size_t size) {
void *ret;
#ifdef PARANOID
size++;
#endif
int privileged_shmid = shmget(0, size, IPC_PRIVATE|IPC_CREAT|0600);
struct shmid_ds shmid_ds;
critical_on (privileged_shmid == -1)
... ... @@ -211,6 +214,23 @@ void *shm_malloc(size_t size) {
return ret;
}
void *shm_calloc(size_t nmemb, size_t size) {
void *ret;
size_t total_size;
#ifdef PARANOID
nmemb++;
size++;
#endif
total_size = nmemb * size;
ret = shm_malloc(total_size);
critical_on (ret == NULL);
memset(ret, 0, total_size);
return ret;
}
void shm_free(void *ptr) {
debug(25, "(%p)", ptr);
shmdt(ptr);
... ...
... ... @@ -31,6 +31,7 @@ extern int is_protected(void *addr);
# endif
#endif
extern void *shm_malloc(size_t size);
extern void *shm_calloc(size_t nmemb, size_t size);
extern void shm_free(void *ptr);
extern int memory_init();
... ...
This diff is collapsed. Click to expand it.
... ... @@ -3709,19 +3709,6 @@ int sync_run(ctx_t *ctx_p) {
}
}
#ifdef CLUSTER_SUPPORT
// Initializing cluster subsystem
if(ctx_p->cluster_iface != NULL) {
ret = cluster_init(ctx_p, &indexes);
if(ret) {
error("Cannot initialize cluster subsystem.");
cluster_deinit();
return ret;
}
}
#endif
// Initializing rand-generator if it's required
if(ctx_p->listoutdir)
... ... @@ -3765,12 +3752,6 @@ int sync_run(ctx_t *ctx_p) {
}
}
#ifdef ENABLE_SOCKET
// Creating control socket
if (ctx_p->socketpath != NULL)
ret = control_run(ctx_p);
#endif
if (!ctx_p->flags[ONLYINITSYNC]) {
// Initializing FS monitor kernel subsystem in this userspace application
if (sync_notify_init(ctx_p))
... ... @@ -3780,6 +3761,25 @@ int sync_run(ctx_t *ctx_p) {
if ((ret=privileged_init(ctx_p)))
return ret;
#ifdef CLUSTER_SUPPORT
// Initializing cluster subsystem
if(ctx_p->cluster_iface != NULL) {
ret = cluster_init(ctx_p, &indexes);
if(ret) {
error("Cannot initialize cluster subsystem.");
cluster_deinit();
return ret;
}
}
#endif
#ifdef ENABLE_SOCKET
// Creating control socket
if (ctx_p->socketpath != NULL)
ret = control_run(ctx_p);
#endif
if (!ctx_p->flags[ONLYINITSYNC]) {
// Marking file tree for FS monitor
debug(30, "Running recursive notify marking function");
... ...