1 /*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 //#define LOG_NDEBUG 0
18 #define LOG_TAG "libprocessgroup"
19
20 #include <dirent.h>
21 #include <errno.h>
22 #include <fcntl.h>
23 #include <grp.h>
24 #include <pwd.h>
25 #include <sys/mount.h>
26 #include <sys/stat.h>
27 #include <sys/types.h>
28 #include <unistd.h>
29
30 #include <android-base/logging.h>
31 #include <processgroup/cgroup_descriptor.h>
32 #include <processgroup/processgroup.h>
33 #include <processgroup/setup.h>
34 #include <processgroup/util.h>
35
36 #include "../build_flags.h"
37 #include "../internal.h"
38
39 static constexpr const char* CGROUPS_DESC_FILE = "/etc/cgroups.json";
40 static constexpr const char* CGROUPS_DESC_VENDOR_FILE = "/vendor/etc/cgroups.json";
41
42 static constexpr const char* TEMPLATE_CGROUPS_DESC_API_FILE = "/etc/task_profiles/cgroups_%u.json";
43
ChangeDirModeAndOwner(const std::string & path,mode_t mode,const std::string & uid,const std::string & gid,bool permissive_mode=false)44 static bool ChangeDirModeAndOwner(const std::string& path, mode_t mode, const std::string& uid,
45 const std::string& gid, bool permissive_mode = false) {
46 uid_t pw_uid = -1;
47 gid_t gr_gid = -1;
48
49 if (!uid.empty()) {
50 passwd* uid_pwd = getpwnam(uid.c_str());
51 if (!uid_pwd) {
52 PLOG(ERROR) << "Unable to decode UID for '" << uid << "'";
53 return false;
54 }
55
56 pw_uid = uid_pwd->pw_uid;
57 gr_gid = -1;
58
59 if (!gid.empty()) {
60 group* gid_pwd = getgrnam(gid.c_str());
61 if (!gid_pwd) {
62 PLOG(ERROR) << "Unable to decode GID for '" << gid << "'";
63 return false;
64 }
65 gr_gid = gid_pwd->gr_gid;
66 }
67 }
68
69 auto dir = std::unique_ptr<DIR, decltype(&closedir)>(opendir(path.c_str()), closedir);
70
71 if (dir == NULL) {
72 PLOG(ERROR) << "opendir failed for " << path;
73 return false;
74 }
75
76 struct dirent* dir_entry;
77 while ((dir_entry = readdir(dir.get()))) {
78 if (!strcmp("..", dir_entry->d_name)) {
79 continue;
80 }
81
82 std::string file_path = path + "/" + dir_entry->d_name;
83
84 if (pw_uid != -1 && lchown(file_path.c_str(), pw_uid, gr_gid) < 0) {
85 PLOG(ERROR) << "lchown() failed for " << file_path;
86 return false;
87 }
88
89 if (fchmodat(AT_FDCWD, file_path.c_str(), mode, AT_SYMLINK_NOFOLLOW) != 0 &&
90 (errno != EROFS || !permissive_mode)) {
91 PLOG(ERROR) << "fchmodat() failed for " << path;
92 return false;
93 }
94 }
95
96 return true;
97 }
98
Mkdir(const std::string & path,mode_t mode,const std::string & uid,const std::string & gid)99 static bool Mkdir(const std::string& path, mode_t mode, const std::string& uid,
100 const std::string& gid) {
101 bool permissive_mode = false;
102
103 if (mode == 0) {
104 /* Allow chmod to fail */
105 permissive_mode = true;
106 mode = 0755;
107 }
108
109 if (mkdir(path.c_str(), mode) != 0) {
110 // /acct is a special case when the directory already exists
111 if (errno != EEXIST) {
112 PLOG(ERROR) << "mkdir() failed for " << path;
113 return false;
114 } else {
115 permissive_mode = true;
116 }
117 }
118
119 if (uid.empty() && permissive_mode) {
120 return true;
121 }
122
123 if (!ChangeDirModeAndOwner(path, mode, uid, gid, permissive_mode)) {
124 PLOG(ERROR) << "change of ownership or mode failed for " << path;
125 return false;
126 }
127
128 return true;
129 }
130
131 // To avoid issues in sdk_mac build
132 #if defined(__ANDROID__)
133
IsOptionalController(const CgroupController * controller)134 static bool IsOptionalController(const CgroupController* controller) {
135 return controller->flags() & CGROUPRC_CONTROLLER_FLAG_OPTIONAL;
136 }
137
MountV2CgroupController(const CgroupDescriptor & descriptor)138 static bool MountV2CgroupController(const CgroupDescriptor& descriptor) {
139 const CgroupController* controller = descriptor.controller();
140
141 // /sys/fs/cgroup is created by cgroup2 with specific selinux permissions,
142 // try to create again in case the mount point is changed
143 if (!Mkdir(controller->path(), 0, "", "")) {
144 LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
145 return false;
146 }
147
148 // The memory_recursiveprot mount option has been introduced by kernel commit
149 // 8a931f801340 ("mm: memcontrol: recursive memory.low protection"; v5.7). Try first to
150 // mount with that option enabled. If mounting fails because the kernel is too old,
151 // retry without that mount option.
152 if (mount("none", controller->path(), "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID,
153 "memory_recursiveprot") < 0) {
154 LOG(INFO) << "Mounting memcg with memory_recursiveprot failed. Retrying without.";
155 if (mount("none", controller->path(), "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID,
156 nullptr) < 0) {
157 PLOG(ERROR) << "Failed to mount cgroup v2";
158 return IsOptionalController(controller);
159 }
160 }
161
162 // selinux permissions change after mounting, so it's ok to change mode and owner now
163 if (!ChangeDirModeAndOwner(controller->path(), descriptor.mode(), descriptor.uid(),
164 descriptor.gid())) {
165 PLOG(ERROR) << "Change of ownership or mode failed for controller " << controller->name();
166 return IsOptionalController(controller);
167 }
168
169 return true;
170 }
171
ActivateV2CgroupController(const CgroupDescriptor & descriptor)172 static bool ActivateV2CgroupController(const CgroupDescriptor& descriptor) {
173 const CgroupController* controller = descriptor.controller();
174
175 if (!Mkdir(controller->path(), descriptor.mode(), descriptor.uid(), descriptor.gid())) {
176 LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
177 return false;
178 }
179
180 return ::ActivateControllers(controller->path(), {{controller->name(), descriptor}});
181 }
182
MountV1CgroupController(const CgroupDescriptor & descriptor)183 static bool MountV1CgroupController(const CgroupDescriptor& descriptor) {
184 const CgroupController* controller = descriptor.controller();
185
186 // mkdir <path> [mode] [owner] [group]
187 if (!Mkdir(controller->path(), descriptor.mode(), descriptor.uid(), descriptor.gid())) {
188 LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
189 return false;
190 }
191
192 // Unfortunately historically cpuset controller was mounted using a mount command
193 // different from all other controllers. This results in controller attributes not
194 // to be prepended with controller name. For example this way instead of
195 // /dev/cpuset/cpuset.cpus the attribute becomes /dev/cpuset/cpus which is what
196 // the system currently expects.
197 int res;
198 if (!strcmp(controller->name(), "cpuset")) {
199 // mount cpuset none /dev/cpuset nodev noexec nosuid
200 res = mount("none", controller->path(), controller->name(),
201 MS_NODEV | MS_NOEXEC | MS_NOSUID, nullptr);
202 } else {
203 // mount cgroup none <path> nodev noexec nosuid <controller>
204 res = mount("none", controller->path(), "cgroup", MS_NODEV | MS_NOEXEC | MS_NOSUID,
205 controller->name());
206 }
207 if (res != 0) {
208 if (IsOptionalController(controller)) {
209 PLOG(INFO) << "Failed to mount optional controller " << controller->name();
210 return true;
211 }
212 PLOG(ERROR) << "Failed to mount controller " << controller->name();
213 return false;
214 }
215 return true;
216 }
217
SetupCgroup(const CgroupDescriptor & descriptor)218 static bool SetupCgroup(const CgroupDescriptor& descriptor) {
219 const CgroupController* controller = descriptor.controller();
220
221 if (controller->version() == 2) {
222 if (controller->name() == CGROUPV2_HIERARCHY_NAME) {
223 return MountV2CgroupController(descriptor);
224 } else {
225 return ActivateV2CgroupController(descriptor);
226 }
227 } else {
228 return MountV1CgroupController(descriptor);
229 }
230 }
231
232 #else
233
234 // Stubs for non-Android targets.
SetupCgroup(const CgroupDescriptor &)235 static bool SetupCgroup(const CgroupDescriptor&) {
236 return false;
237 }
238
239 #endif
240
CgroupDescriptor(uint32_t version,const std::string & name,const std::string & path,mode_t mode,const std::string & uid,const std::string & gid,uint32_t flags,uint32_t max_activation_depth)241 CgroupDescriptor::CgroupDescriptor(uint32_t version, const std::string& name,
242 const std::string& path, mode_t mode, const std::string& uid,
243 const std::string& gid, uint32_t flags,
244 uint32_t max_activation_depth)
245 : controller_(version, flags, name, path, max_activation_depth),
246 mode_(mode),
247 uid_(uid),
248 gid_(gid) {}
249
set_mounted(bool mounted)250 void CgroupDescriptor::set_mounted(bool mounted) {
251 uint32_t flags = controller_.flags();
252 if (mounted) {
253 flags |= CGROUPRC_CONTROLLER_FLAG_MOUNTED;
254 } else {
255 flags &= ~CGROUPRC_CONTROLLER_FLAG_MOUNTED;
256 }
257 controller_.set_flags(flags);
258 }
259
CreateV2SubHierarchy(const std::string & path,const CgroupDescriptorMap & descriptors)260 static bool CreateV2SubHierarchy(const std::string& path, const CgroupDescriptorMap& descriptors) {
261 const auto cgv2_iter = descriptors.find(CGROUPV2_HIERARCHY_NAME);
262 if (cgv2_iter == descriptors.end()) return false;
263 const CgroupDescriptor cgv2_descriptor = cgv2_iter->second;
264
265 if (!Mkdir(path, cgv2_descriptor.mode(), cgv2_descriptor.uid(), cgv2_descriptor.gid())) {
266 PLOG(ERROR) << "Failed to create directory for " << path;
267 return false;
268 }
269
270 // Activate all v2 controllers in path so they can be activated in
271 // children as they are created.
272 return ::ActivateControllers(path, descriptors);
273 }
274
CgroupSetup()275 bool CgroupSetup() {
276 CgroupDescriptorMap descriptors;
277
278 if (getpid() != 1) {
279 LOG(ERROR) << "Cgroup setup can be done only by init process";
280 return false;
281 }
282
283 // load cgroups.json file
284 if (!ReadDescriptors(&descriptors)) {
285 LOG(ERROR) << "Failed to load cgroup description file";
286 return false;
287 }
288
289 // setup cgroups
290 for (auto& [name, descriptor] : descriptors) {
291 if (descriptor.controller()->flags() & CGROUPRC_CONTROLLER_FLAG_MOUNTED) {
292 LOG(WARNING) << "Attempt to call CgroupSetup() more than once";
293 return true;
294 }
295
296 if (!SetupCgroup(descriptor)) {
297 // issue a warning and proceed with the next cgroup
298 LOG(WARNING) << "Failed to setup " << name << " cgroup";
299 }
300 }
301
302 // System / app isolation.
303 // This really belongs in early-init in init.rc, but we cannot use the flag there.
304 if (android::libprocessgroup_flags::cgroup_v2_sys_app_isolation()) {
305 const auto it = descriptors.find(CGROUPV2_HIERARCHY_NAME);
306 const std::string cgroup_v2_root = (it == descriptors.end())
307 ? CGROUP_V2_ROOT_DEFAULT
308 : it->second.controller()->path();
309
310 LOG(INFO) << "Using system/app isolation under: " << cgroup_v2_root;
311 if (!CreateV2SubHierarchy(cgroup_v2_root + "/apps", descriptors) ||
312 !CreateV2SubHierarchy(cgroup_v2_root + "/system", descriptors)) {
313 return false;
314 }
315 }
316
317 return true;
318 }
319