[lxc-devel] Understanding - LXCFS source code to add /sys/power/state as an entry in LXCFS
Stéphane Graber
stgraber at stgraber.org
Sat Jun 6 02:44:50 UTC 2020
LXCFS' goal is to show accurate resource information in containers.
It's not meant as a security mechanism nor can it be used as one.
If all you're trying to do is prevent access to /sys/power/state,
you'll want to use an LSM for this or just use an unprivileged
container which won't be able to interfere with this in the first
place.
LXCFS's files can be trivially unmounted from the container revealing
the file they're hiding. That's perfectly fine as LXCFS is meant to
provide better data to container and isn't a security mechanism.
On Fri, Jun 5, 2020 at 3:51 AM Souvik Datta <sd.souvikdatta at gmail.com> wrote:
>
> Thanks Christian.
> I am using in a VirtualBox inside which I am running lxcfs
> Distributor ID: Ubuntu
> Description: Ubuntu 18.04.4 LTS
> Release: 18.04
> Codename: bionic
>
> the source code version of lxcfs that I am using is:- 4.0.0
>
> My objective is to prevent the OS, running inside LXC (as privileged
> system container), from changing the power state of the system and in
> that respect, I am trying to virtualize the file /sys/power/state
>
> Can you kindly provide the siginificance of the following:
> - What is the significance of "api_extensions"? It seems it not used
> any where except as console logs as part of liblxcfs.so init function.
> - Can you please explain, before calling - fuse_main(nargs, newargv,
> &lxcfs_ops, opts() [in src/lxcfs.c], what is happening in the
> "constructor" of liblxcfs.so [src/bindings.c] library?
> I am using Ubuntu
>
>
> - I have made following additions in src/bindings.h and
> src/sysfs_fuse.c to show /sys/power/state in the fuse FS.
>
> In src/bindings.h:-
> -------------------
> Added following:-
>
> LXC_TYPE_SYS_POWER,
> LXC_TYPE_SYS_POWER_STATE,
> #define LXC_TYPE_SYS_POWER_STATE_PATH "/sys/power/state"
>
> In src/sysfs_fuse.c:-
> ---------------------
> Added following:-
>
> In function:
>
> [1] __lxcfs_fuse_ops int sys_getattr(const char *path, struct stat *sb)
>
> #if 1
> if (strcmp(path, "/sys/power") == 0) {
> sb->st_mode = S_IFDIR | 00555;
> sb->st_nlink = 2;
> return 0;
> }
>
>
> if (strcmp(path, "/sys/power/state") == 0) {
> sb->st_size = 0;
> sb->st_mode = S_IFREG | 00444;
> sb->st_nlink = 1;
> return 0;
> }
>
> #endif
>
> [2] __lxcfs_fuse_ops int sys_readdir(const char *path, void *buf,
> fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi)
> #if 1
> if (strcmp(path, "/sys/power") == 0) {
> if (filler(buf, ".", NULL, 0) != 0 ||
> filler(buf, "..", NULL, 0) != 0 ||
> filler(buf, "state", NULL, 0) != 0)
> return -ENOENT;
>
> return 0;
> }
>
> #endif
>
> [3] __lxcfs_fuse_ops int sys_open(const char *path, struct fuse_file_info *fi)
>
> #if 1
> if (strcmp(path, "/sys/power") == 0)
> type = LXC_TYPE_SYS_POWER;
> if (strcmp(path, "/sys/power/state") == 0)
> type = LXC_TYPE_SYS_POWER_STATE;
> #endif
>
> [4] __lxcfs_fuse_ops int sys_access(const char *path, int mask)
> #if 1
>
> if (strcmp(path, "/sys/power") == 0 &&
> access(path, R_OK) == 0)
> return 0;
> #endif
>
> [5] __lxcfs_fuse_ops int sys_releasedir(const char *path, struct
> fuse_file_info *fi)
> #if 1
> case LXC_TYPE_SYS_POWER:
> lxcfs_info("LXC_TYPE_SYS_POWER -----%s", __func__);
> break;
> case LXC_TYPE_SYS_POWER_STATE:
> //Need to take action here
> lxcfs_info("LXC_TYPE_SYS_POWER_STATE -----%s", __func__);
> break;
>
> #endif
>
> To run my modified liblxcfs.so, I followed these steps:-
> -------------------------------------------------------
> 1. I stopped systemd - lxcfs.service
> 2. From command line, I ran lxcfs binary -
> $sudo /usr/bin/lxcfs -f /var/lib/lxcfs
>
> I verified that fuse file system got mounted at "/var/lib/lxcfs" by
> running "mount" command. Here is the output of "mount" command:-
> lxcfs on /var/lib/lxcfs type fuse.lxcfs
> (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
>
> After this when I ran "tree" command on "/var/lib/lxcfs" -I am not
> able to see /sys/power/state in the fuse file system although I could
> see
> /sys/devices/system/cpu/online
>
> Is there any other file/s that I would need to modify to bring in
> /sys/power/state in the FUSE FS?
>
> Thanks and Regards,
> Souvik
>
> On 6/4/20, Christian Brauner <christian.brauner at ubuntu.com> wrote:
> > On Wed, Jun 03, 2020 at 11:06:23PM +0530, Souvik Datta wrote:
> >> Hello,
> >> I am trying to understand the source code of LXCFS. My final objective
> >> is to add /sys/power/state file as an entry. I understand the changes
> >> that need to be done in sysfs_fuse.c/h to support this.
> >>
> >> To do this, first I am first trying to understand, how the sys entry -
> >> "/sys/devices/system/cpu/online" has been added in the "target
> >> directory - /var/lib/lxcfs" but I am not able to figure that out.
> >>
> >> Can you please give me some pointers so that I can understand how this
> >> is achieved?
> >
> > Please take a look at:
> > src/sysfs_fuse.c:sys_read()
> > The enum and path used to add a file type is defined in
> > src/bindings.h: enum lxcfs_virt_t
> >
> > and then you need to implement the actual virtualization in
> > sysfs_fuse.{c,h}.
> >
> > Christian
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
> >
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Stéphane
More information about the lxc-devel
mailing list