1 /*
2 * Copyright (C) 2019 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 //#define LOG_NDEBUG 0
18 #define LOG_TAG "libprocessgroup"
19
20 #include <errno.h>
21 #include <fcntl.h>
22 #include <grp.h>
23 #include <pwd.h>
24 #include <sys/mman.h>
25 #include <sys/mount.h>
26 #include <sys/stat.h>
27 #include <sys/types.h>
28 #include <time.h>
29 #include <unistd.h>
30
31 #include <regex>
32
33 #include <android-base/file.h>
34 #include <android-base/logging.h>
35 #include <android-base/properties.h>
36 #include <android-base/stringprintf.h>
37 #include <android-base/unique_fd.h>
38 #include <android/cgrouprc.h>
39 #include <json/reader.h>
40 #include <json/value.h>
41 #include <processgroup/format/cgroup_file.h>
42 #include <processgroup/processgroup.h>
43 #include <processgroup/setup.h>
44
45 #include "cgroup_descriptor.h"
46
47 using android::base::GetBoolProperty;
48 using android::base::StringPrintf;
49 using android::base::unique_fd;
50
51 namespace android {
52 namespace cgrouprc {
53
54 static constexpr const char* CGROUPS_DESC_FILE = "/etc/cgroups.json";
55 static constexpr const char* CGROUPS_DESC_VENDOR_FILE = "/vendor/etc/cgroups.json";
56
Mkdir(const std::string & path,mode_t mode,const std::string & uid,const std::string & gid)57 static bool Mkdir(const std::string& path, mode_t mode, const std::string& uid,
58 const std::string& gid) {
59 if (mode == 0) {
60 mode = 0755;
61 }
62
63 if (mkdir(path.c_str(), mode) != 0) {
64 /* chmod in case the directory already exists */
65 if (errno == EEXIST) {
66 if (fchmodat(AT_FDCWD, path.c_str(), mode, AT_SYMLINK_NOFOLLOW) != 0) {
67 // /acct is a special case when the directory already exists
68 // TODO: check if file mode is already what we want instead of using EROFS
69 if (errno != EROFS) {
70 PLOG(ERROR) << "fchmodat() failed for " << path;
71 return false;
72 }
73 }
74 } else {
75 PLOG(ERROR) << "mkdir() failed for " << path;
76 return false;
77 }
78 }
79
80 if (uid.empty()) {
81 return true;
82 }
83
84 passwd* uid_pwd = getpwnam(uid.c_str());
85 if (!uid_pwd) {
86 PLOG(ERROR) << "Unable to decode UID for '" << uid << "'";
87 return false;
88 }
89
90 uid_t pw_uid = uid_pwd->pw_uid;
91 gid_t gr_gid = -1;
92 if (!gid.empty()) {
93 group* gid_pwd = getgrnam(gid.c_str());
94 if (!gid_pwd) {
95 PLOG(ERROR) << "Unable to decode GID for '" << gid << "'";
96 return false;
97 }
98 gr_gid = gid_pwd->gr_gid;
99 }
100
101 if (lchown(path.c_str(), pw_uid, gr_gid) < 0) {
102 PLOG(ERROR) << "lchown() failed for " << path;
103 return false;
104 }
105
106 /* chown may have cleared S_ISUID and S_ISGID, chmod again */
107 if (mode & (S_ISUID | S_ISGID)) {
108 if (fchmodat(AT_FDCWD, path.c_str(), mode, AT_SYMLINK_NOFOLLOW) != 0) {
109 PLOG(ERROR) << "fchmodat() failed for " << path;
110 return false;
111 }
112 }
113
114 return true;
115 }
116
ReadDescriptorsFromFile(const std::string & file_name,std::map<std::string,CgroupDescriptor> * descriptors)117 static bool ReadDescriptorsFromFile(const std::string& file_name,
118 std::map<std::string, CgroupDescriptor>* descriptors) {
119 std::vector<CgroupDescriptor> result;
120 std::string json_doc;
121
122 if (!android::base::ReadFileToString(file_name, &json_doc)) {
123 PLOG(ERROR) << "Failed to read task profiles from " << file_name;
124 return false;
125 }
126
127 Json::Reader reader;
128 Json::Value root;
129 if (!reader.parse(json_doc, root)) {
130 LOG(ERROR) << "Failed to parse cgroups description: " << reader.getFormattedErrorMessages();
131 return false;
132 }
133
134 if (root.isMember("Cgroups")) {
135 const Json::Value& cgroups = root["Cgroups"];
136 for (Json::Value::ArrayIndex i = 0; i < cgroups.size(); ++i) {
137 std::string name = cgroups[i]["Controller"].asString();
138 auto iter = descriptors->find(name);
139 if (iter == descriptors->end()) {
140 descriptors->emplace(
141 name, CgroupDescriptor(
142 1, name, cgroups[i]["Path"].asString(),
143 std::strtoul(cgroups[i]["Mode"].asString().c_str(), 0, 8),
144 cgroups[i]["UID"].asString(), cgroups[i]["GID"].asString()));
145 } else {
146 iter->second = CgroupDescriptor(
147 1, name, cgroups[i]["Path"].asString(),
148 std::strtoul(cgroups[i]["Mode"].asString().c_str(), 0, 8),
149 cgroups[i]["UID"].asString(), cgroups[i]["GID"].asString());
150 }
151 }
152 }
153
154 if (root.isMember("Cgroups2")) {
155 const Json::Value& cgroups2 = root["Cgroups2"];
156 auto iter = descriptors->find(CGROUPV2_CONTROLLER_NAME);
157 if (iter == descriptors->end()) {
158 descriptors->emplace(
159 CGROUPV2_CONTROLLER_NAME,
160 CgroupDescriptor(2, CGROUPV2_CONTROLLER_NAME, cgroups2["Path"].asString(),
161 std::strtoul(cgroups2["Mode"].asString().c_str(), 0, 8),
162 cgroups2["UID"].asString(), cgroups2["GID"].asString()));
163 } else {
164 iter->second =
165 CgroupDescriptor(2, CGROUPV2_CONTROLLER_NAME, cgroups2["Path"].asString(),
166 std::strtoul(cgroups2["Mode"].asString().c_str(), 0, 8),
167 cgroups2["UID"].asString(), cgroups2["GID"].asString());
168 }
169 }
170
171 return true;
172 }
173
ReadDescriptors(std::map<std::string,CgroupDescriptor> * descriptors)174 static bool ReadDescriptors(std::map<std::string, CgroupDescriptor>* descriptors) {
175 // load system cgroup descriptors
176 if (!ReadDescriptorsFromFile(CGROUPS_DESC_FILE, descriptors)) {
177 return false;
178 }
179
180 // load vendor cgroup descriptors if the file exists
181 if (!access(CGROUPS_DESC_VENDOR_FILE, F_OK) &&
182 !ReadDescriptorsFromFile(CGROUPS_DESC_VENDOR_FILE, descriptors)) {
183 return false;
184 }
185
186 return true;
187 }
188
189 // To avoid issues in sdk_mac build
190 #if defined(__ANDROID__)
191
SetupCgroup(const CgroupDescriptor & descriptor)192 static bool SetupCgroup(const CgroupDescriptor& descriptor) {
193 const format::CgroupController* controller = descriptor.controller();
194
195 // mkdir <path> [mode] [owner] [group]
196 if (!Mkdir(controller->path(), descriptor.mode(), descriptor.uid(), descriptor.gid())) {
197 LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
198 return false;
199 }
200
201 int result;
202 if (controller->version() == 2) {
203 result = mount("none", controller->path(), "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID,
204 nullptr);
205 } else {
206 // Unfortunately historically cpuset controller was mounted using a mount command
207 // different from all other controllers. This results in controller attributes not
208 // to be prepended with controller name. For example this way instead of
209 // /dev/cpuset/cpuset.cpus the attribute becomes /dev/cpuset/cpus which is what
210 // the system currently expects.
211 if (!strcmp(controller->name(), "cpuset")) {
212 // mount cpuset none /dev/cpuset nodev noexec nosuid
213 result = mount("none", controller->path(), controller->name(),
214 MS_NODEV | MS_NOEXEC | MS_NOSUID, nullptr);
215 } else {
216 // mount cgroup none <path> nodev noexec nosuid <controller>
217 result = mount("none", controller->path(), "cgroup", MS_NODEV | MS_NOEXEC | MS_NOSUID,
218 controller->name());
219 }
220 }
221
222 if (result < 0) {
223 PLOG(ERROR) << "Failed to mount " << controller->name() << " cgroup";
224 return false;
225 }
226
227 return true;
228 }
229
230 #else
231
232 // Stubs for non-Android targets.
SetupCgroup(const CgroupDescriptor &)233 static bool SetupCgroup(const CgroupDescriptor&) {
234 return false;
235 }
236
237 #endif
238
WriteRcFile(const std::map<std::string,CgroupDescriptor> & descriptors)239 static bool WriteRcFile(const std::map<std::string, CgroupDescriptor>& descriptors) {
240 unique_fd fd(TEMP_FAILURE_RETRY(open(CGROUPS_RC_PATH, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC,
241 S_IRUSR | S_IRGRP | S_IROTH)));
242 if (fd < 0) {
243 PLOG(ERROR) << "open() failed for " << CGROUPS_RC_PATH;
244 return false;
245 }
246
247 format::CgroupFile fl;
248 fl.version_ = format::CgroupFile::FILE_CURR_VERSION;
249 fl.controller_count_ = descriptors.size();
250 int ret = TEMP_FAILURE_RETRY(write(fd, &fl, sizeof(fl)));
251 if (ret < 0) {
252 PLOG(ERROR) << "write() failed for " << CGROUPS_RC_PATH;
253 return false;
254 }
255
256 for (const auto& [name, descriptor] : descriptors) {
257 ret = TEMP_FAILURE_RETRY(
258 write(fd, descriptor.controller(), sizeof(format::CgroupController)));
259 if (ret < 0) {
260 PLOG(ERROR) << "write() failed for " << CGROUPS_RC_PATH;
261 return false;
262 }
263 }
264
265 return true;
266 }
267
CgroupDescriptor(uint32_t version,const std::string & name,const std::string & path,mode_t mode,const std::string & uid,const std::string & gid)268 CgroupDescriptor::CgroupDescriptor(uint32_t version, const std::string& name,
269 const std::string& path, mode_t mode, const std::string& uid,
270 const std::string& gid)
271 : controller_(version, 0, name, path), mode_(mode), uid_(uid), gid_(gid) {}
272
set_mounted(bool mounted)273 void CgroupDescriptor::set_mounted(bool mounted) {
274 uint32_t flags = controller_.flags();
275 if (mounted) {
276 flags |= CGROUPRC_CONTROLLER_FLAG_MOUNTED;
277 } else {
278 flags &= ~CGROUPRC_CONTROLLER_FLAG_MOUNTED;
279 }
280 controller_.set_flags(flags);
281 }
282
283 } // namespace cgrouprc
284 } // namespace android
285
CgroupSetup()286 bool CgroupSetup() {
287 using namespace android::cgrouprc;
288
289 std::map<std::string, CgroupDescriptor> descriptors;
290
291 if (getpid() != 1) {
292 LOG(ERROR) << "Cgroup setup can be done only by init process";
293 return false;
294 }
295
296 // Make sure we do this only one time. No need for std::call_once because
297 // init is a single-threaded process
298 if (access(CGROUPS_RC_PATH, F_OK) == 0) {
299 LOG(WARNING) << "Attempt to call SetupCgroups more than once";
300 return true;
301 }
302
303 // load cgroups.json file
304 if (!ReadDescriptors(&descriptors)) {
305 LOG(ERROR) << "Failed to load cgroup description file";
306 return false;
307 }
308
309 // setup cgroups
310 for (auto& [name, descriptor] : descriptors) {
311 if (SetupCgroup(descriptor)) {
312 descriptor.set_mounted(true);
313 } else {
314 // issue a warning and proceed with the next cgroup
315 LOG(WARNING) << "Failed to setup " << name << " cgroup";
316 }
317 }
318
319 // mkdir <CGROUPS_RC_DIR> 0711 system system
320 if (!Mkdir(android::base::Dirname(CGROUPS_RC_PATH), 0711, "system", "system")) {
321 LOG(ERROR) << "Failed to create directory for " << CGROUPS_RC_PATH << " file";
322 return false;
323 }
324
325 // Generate <CGROUPS_RC_FILE> file which can be directly mmapped into
326 // process memory. This optimizes performance, memory usage
327 // and limits infrormation shared with unprivileged processes
328 // to the minimum subset of information from cgroups.json
329 if (!WriteRcFile(descriptors)) {
330 LOG(ERROR) << "Failed to write " << CGROUPS_RC_PATH << " file";
331 return false;
332 }
333
334 // chmod 0644 <CGROUPS_RC_PATH>
335 if (fchmodat(AT_FDCWD, CGROUPS_RC_PATH, 0644, AT_SYMLINK_NOFOLLOW) < 0) {
336 PLOG(ERROR) << "fchmodat() failed";
337 return false;
338 }
339
340 return true;
341 }
342