Unit compartment refactoring, start tpm2d in unit #558
The compartment module needs a u_* module with name "c_service" to handle state COMPARTMENT_STATE_BOOTING, otherwise the compartment module would directly switch to state RUNNING after state STARTING. We now also use the state BOOTING for initial startup of the unit until we can connect to the socket inside the unit. The state handler using inotify to check if the unit created the socket is now located in the new u_service module and the u_service module does the state transition from BOOTING to RUNNING there. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
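The commit message above describes waiting, via inotify, for the unit to create its socket before moving from BOOTING to RUNNING. The following is an added example written for this page, not the u_service module's code: it arms the inotify watch on the socket directory before checking whether the socket already exists, so a socket created between the check and the watch setup cannot be missed, and it only accepts an entry that really is a unix socket. The names wait_for_unit_socket and create_unit_socket, the timeout handling and the sample paths are assumptions for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <time.h>
#include <unistd.h>

/* Stands in for the unit side: bind a listening unix socket at path.
 * Hypothetical helper for this example; returns the socket fd or -1. */
int create_unit_socket(const char *path)
{
	struct sockaddr_un sa;
	if (strlen(path) >= sizeof sa.sun_path)
		return -1;
	int fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
	if (fd < 0)
		return -1;
	memset(&sa, 0, sizeof sa);
	sa.sun_family = AF_UNIX;
	strcpy(sa.sun_path, path);
	if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0) {
		close(fd);
		return -1;
	}
	return fd;
}

/* True if dir/name exists and is a unix socket, not just any file. */
static int socket_present(const char *dir, const char *name)
{
	char path[PATH_MAX];
	struct stat st;
	if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
		return 0;
	return stat(path, &st) == 0 && S_ISSOCK(st.st_mode);
}

static long now_ms(void)
{
	struct timespec ts;
	clock_gettime(CLOCK_MONOTONIC, &ts);
	return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Wait until the unix socket dir/name appears.
 * Returns 0 once the socket exists, -1 on error or after timeout_ms. */
int wait_for_unit_socket(const char *dir, const char *name, int timeout_ms)
{
	int rc = -1;
	int ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
	if (ifd < 0)
		return -1;
	if (inotify_add_watch(ifd, dir, IN_CREATE | IN_MOVED_TO) < 0)
		goto out;
	/* Check only after the watch is armed: a socket created between an
	 * earlier check and the watch setup would otherwise never be reported. */
	if (socket_present(dir, name)) {
		rc = 0;
		goto out;
	}
	long deadline = now_ms() + timeout_ms;
	char buf[4096] __attribute__((aligned(8)));
	for (;;) {
		long left = deadline - now_ms();
		if (left <= 0)
			break;
		struct pollfd pfd = { .fd = ifd, .events = POLLIN };
		int pr = poll(&pfd, 1, (int)left);
		if (pr < 0) {
			if (errno == EINTR)
				continue;
			break;
		}
		if (pr == 0)
			break; /* timeout */
		ssize_t n = read(ifd, buf, sizeof buf);
		if (n < 0) {
			if (errno == EAGAIN || errno == EINTR)
				continue;
			break;
		}
		for (ssize_t off = 0; off < n;) {
			struct inotify_event *ev = (struct inotify_event *)(buf + off);
			/* Only the matching name, and only once it is really a socket. */
			if (ev->len > 0 && strcmp(ev->name, name) == 0 && socket_present(dir, name)) {
				rc = 0;
				goto out;
			}
			off += sizeof(*ev) + ev->len;
		}
	}
out:
	close(ifd);
	return rc;
}
```

The order of operations is the point: inotify_add_watch first, existence check second. Reversing them leaves a window in which the unit's bind() happens after the check and before the watch, and the waiter then sits until its timeout although the socket is there.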
Since we now have unit state transition, we could properly track units in the cmld module during cmld init stages. Thus, we can switch into container stage after all units are RUNNING. Currently, only the scd is running inside a unit. However, when we also start other CML services in units we have to wait for those units, too. The corresponding modules could notify the cmld module about state changes in their on_connect() callbacks. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Use cmld_init_stage_unit_notify() in on_connect callback to notify cmld module about state change in the scd_unit instead of directly triggering the cmld init container stage. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Since external users should use the notify mechanism now, we do not expose cmld_init_stage_containers() through the header anymore. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Provide implementation for creation time and uptime by u_time submodule. This could be used later in control module to show unit states as protobuf ContainerState. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
LIST_CONTAINERS which assembles a list of UUIDs as response now uses the optional protobuf field system_services. If set also the cmld's internal list of units is taken into account. CONTAINER_STATE also provides unit information if system_services is set or if a single UUID of a unit is set. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Allow to set -s for control list (GET_CONTAINER_STATUS) to include system services (units) in response. Set msg.system_services for GET_CONTAINER_STATUS accordingly. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Output of print_usage() was not aligned in help text for the retrieve_logs command. This is fixed now. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
To improve TPM communications stability especially in hosted mode, we use the in-kernel resource manager through /dev/tpmrm0 if it is available. Otherwise the previous default /dev/tpm0 is used directly. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Use new unit module to run tpm2d inside of an unprivileged compartment. We set restart parameter of the unit to true. Thus, the tpm2d unit is restarted in case of disconnection of the tpm2d socket and termination of the tpm2d. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Refactored idmapped mount generic syscall compat stuff in mount module. Provide a new mount_idmapped header which includes most of the compat code. Use this for a generic mount_idmapped() implementation. This could later be used in units as well as for a major refactoring in the c_idmapped module. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Introduce a new unit submodule u_idmapped. The u_idmapped module uses the lately introduced mount_idmapped() implementation to mount data dir as well as log dir with uid mapping in units. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Since the lately introduced u_idmapped submodule, logdir and datadir are mounted with idmapping. In this case it is not necessary to set logdir, datadir and sockdir world read- and writeable or change uids. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Added missing header guards to avoid errors on multiple includes. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Added missing header guards to avoid errors on multiple includes. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Remove unused container.proto from c_service.proto. This fixes following compiler warning: protoc --c_out=. c_service.proto c_service.proto:28:1: warning: Import container.proto is unused. Fixes: c1cb8de ("daemon/c_service: Reduced Container Service Interface") Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Provide skeleton for scd connection handling. We will use this in a followup commit to implement reconnection handling in the c_smartcard module. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Provide c_smartcard_scd_connect() and register this as the recently introduced container_scd_connect handler. We refactored connection to the smartcard->sock from c_smartcard_new to the new handler. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
In case of connection error due to unit restart the scd_on_connect_cb() is triggered if the scd is available again. Thus notify all container instances by calling the new container_scd_connect handler. This reconnects the socket and establishes a new session to the scd for the corresponding container instance. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Since Kernel 6.3 we use the mainline idmapped implementation. shiftfs was only used as part of 5.4 GyroidOS kernel. This was removed in the meta-gyroidos repository some months ago. Thus, remove the corresponding c_shiftid submodule now, too. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
In u_net_start_child() sysfs is remounted to reflect netns change in /sys/class/net. However "sys" was used in mount syscall instead of the correct fstype "sysfs". This is fixed now. Fixes: fb6de43 ("daemon/unit: Introduce new unit module for minimal compartments") Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
The dir_chown_folder() helper can be used to recursively chown all contents of a directory to a uid and gid provided as parameters. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Do a recursive chown of cmld's data_path to root:root. This would avoid errors on using uid mappings for several sub directories, e.g., unit data directories later on. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Instead of using internal static implementation for recursively chowning unit's data dir, make use of the common helper function dir_chown_folder(). Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
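The three commit messages above introduce and use a recursive chown helper. The block below is an added example for this page, not the project's dir_chown_folder() and not code from this PR; the name dir_chown_recursive and its return convention (number of entries chowned, -1 if any entry failed) are assumptions chosen for the illustration. It resolves every entry relative to an open directory fd and uses fchownat() with AT_SYMLINK_NOFOLLOW plus O_NOFOLLOW on directory opens, so the recursion changes ownership of the link itself rather than following a symlink out of the tree, which matters when the tree is writable by a less privileged component.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Chown dirfd/name and, if it is a directory, everything below it.
 * Returns the number of entries chowned, or -1 if any entry failed.
 * Symlinks are never followed (fstatat/fchownat with AT_SYMLINK_NOFOLLOW,
 * openat with O_NOFOLLOW), so the walk cannot leave the tree. */
static int chown_tree_at(int dirfd, const char *name, uid_t uid, gid_t gid)
{
	struct stat st;
	int count = 0;

	if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) < 0)
		return -1;

	if (S_ISDIR(st.st_mode)) {
		int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
		if (fd < 0)
			return -1;
		DIR *d = fdopendir(fd);
		if (!d) {
			close(fd);
			return -1;
		}
		int failed = 0;
		struct dirent *e;
		while ((e = readdir(d)) != NULL) {
			if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
				continue;
			/* keep walking after a failure so one bad entry is logged, not the first only */
			int n = chown_tree_at(fd, e->d_name, uid, gid);
			if (n < 0) {
				fprintf(stderr, "could not chown '%s' to (%d:%d): %s\n",
					e->d_name, (int)uid, (int)gid, strerror(errno));
				failed = 1;
			} else {
				count += n;
			}
		}
		closedir(d); /* also closes fd */
		if (failed)
			return -1;
	}

	/* the entry itself is chowned last, after its contents were handled */
	if (fchownat(dirfd, name, uid, gid, AT_SYMLINK_NOFOLLOW) < 0)
		return -1;
	return count + 1;
}

/* Public entry point: recursive chown of path (hypothetical name). */
int dir_chown_recursive(const char *path, uid_t uid, gid_t gid)
{
	return chown_tree_at(AT_FDCWD, path, uid, gid);
}
```

Counting successes and collapsing every failure to a single -1 keeps the return value consistent with a documented "count or -1" contract; a helper that decrements a counter per failure instead returns -2, -3 and so on, which callers comparing against -1 do not expect.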
Initialize the internal compartment struct late in unit_new(). Thus, all other relevant unit attributes are already initialized when the compartment_new hooks of the u_* submodules are called. Thus, e.g., we are able to access the unit's data_path in u_idmapped_new(), otherwise it would still be null. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Do a recursive chown of the unit's data_path to root:root. This would avoid errors on using uid mappings in this unit. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
In unit_new() socket_name and data_path were implicitly assumed to be set. Hence, they were just mem_strdup'ed to the unit internal struct. Provide a proper check if this is NULL and only set the internal attributes to the pointer provided by mem_strdup. Especially, do not pass the socket_name and data_path unchecked to mem_strdup() anymore. This would trigger an ASSERT otherwise. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Avoid race where container is already started and the corresponding fifo dir in c0 is not ready yet. We use a syncfs call on the directory path for this. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Free the corresponding response messages after input was handled
during control run. This fixes following ASAN error when leaving
an exemplary debian container:
root@debian0:/# exit
2026-01-13T15:20:39.385211+0000 [864972] <DEBUG> c_run.c+398: \
Check matched: expression `proc_fork_and_execvp((const char *const *)session->argv) < 0' is true
2026-01-13T15:20:39.385358+0000 [864972] <ERROR> c_run.c+402: \
An error occured while trying to execute command. Giving up... (17: File exists)
=================================================================
==864970==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 48896 byte(s) in 191 object(s) allocated from:
#0 0x7f956bcf4c57 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f956c30140d in protobuf_c_message_unpack (/lib/x86_64-linux-gnu/libprotobuf-c.so.1+0x540d) \
(BuildId: f881d14a984989aa3aa5f88d4006fd841b22a8e8)
Indirect leak of 7598 byte(s) in 190 object(s) allocated from:
#0 0x7f956bcf4c57 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f956c302aaf (/lib/x86_64-linux-gnu/libprotobuf-c.so.1+0x6aaf) \
(BuildId: f881d14a984989aa3aa5f88d4006fd841b22a8e8)
SUMMARY: AddressSanitizer: 56494 byte(s) leaked in 381 allocation(s).
Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
Use crypto_hash_buf() instead of crypto_hash_file() to hash the audit record without the need for file system access. This will allow the scd to hash records even if it has no access to the AUDIT_LOGDIR. This is the case since scd is running inside a unit. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
| ret--; | ||
| } | ||
|
|
||
| return ret; |
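Review bot: with `ret--;` executed once per failed entry and `return ret;` at the end of the hunk, the function returns -2, -3 and so on after several failures, so neither a caller checking for a single -1 error value nor one expecting a count of chowned entries gets what it tests for; either clamp before returning (`return ret < 0 ? -1 : ret;`) or count successful entries in `ret` and return -1 as soon as one entry fails.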
According to function doc string the number of successfully chowned entries or -1 is returned. This implementation always returns either 0 or -1.
| if (file_is_dir(file_to_chown)) { | ||
| TRACE("Path %s is dir", file_to_chown); | ||
| if (dir_foreach(file_to_chown, &dir_chown_contents_cb, cb_data) < 0) { | ||
| ERROR_ERRNO("Could not chown all dir contents in '%s'", file_to_chown); |
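Review bot: the `ERROR_ERRNO` after `dir_foreach()` prints whatever errno the last call inside the iteration left behind, which is not necessarily the chown that failed in `dir_chown_contents_cb`; log the errno (and the target uid:gid) in the callback at the point of failure and keep this outer message as a plain summary without relying on errno.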
Also add "to (%d:%d)" to error string.
| ERROR_ERRNO("Could not chown all dir contents in '%s'", file_to_chown); | ||
| ret--; | ||
| } | ||
| if (chown(file_to_chown, uid, gid) < 0) { |
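Review bot: `chown(file_to_chown, uid, gid)` follows symlinks; in a recursive chown over a tree that a less privileged component may write to, a symlink inside the tree would make this call change the ownership of the link target outside the tree. Use `lchown()` or `fchownat(..., AT_SYMLINK_NOFOLLOW)` for every entry and open directories with `O_NOFOLLOW` so the walk never leaves the data dir.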
Not necessary. The previous call in #L330 already chowned the directory (s. #L348)
| int fd = -1; | ||
|
|
||
| if (!file_is_dir(AUDIT_LOGDIR) && dir_mkdir_p(AUDIT_LOGDIR, 0600)) { | ||
| if (!file_is_dir(AUDIT_LOGDIR) && dir_mkdir_p(AUDIT_LOGDIR, 0700)) { |
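Review bot: 0700 is the correct mode for AUDIT_LOGDIR as a directory: the execute bit on a directory is the search permission, and with 0600 not even the owner could open, create or stat files inside it, so the earlier 0600 would have made the directory unusable for the audit logs it is meant to hold.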
Is there a special reason this needs execute permissions?
| /** | ||
| * Handles scd connect/reconnect. | ||
| * | ||
| * @return 0 if the connection to scd was esstblishes, -1 otherwise |
Typo: established
This PR generalizes the unit code, thus it is possible to start other daemons in units.
Further idmapped mounts are used for data directory and log dir.
The corresponding commits are also preparing some refactoring of c_idmapped and c_vol to simplify
the code there.
Finally tpm2d startup in tss module is migrated to a unit.
recently added to this PR: some preparing work to also start the lxcfs daemon inside a unit.
See commit messages for details.