Ophestra
fd515badff
All checks were successful
Test / Create distribution (push) Successful in 1m1s
Test / Sandbox (push) Successful in 2m40s
Test / Hakurei (push) Successful in 3m41s
Test / ShareFS (push) Successful in 3m39s
Test / Sandbox (race detector) (push) Successful in 5m0s
Test / Hakurei (race detector) (push) Successful in 6m57s
Test / Flake checks (push) Successful in 2m9s
This avoids depending on cgo. Signed-off-by: Ophestra <cat@gensokyo.uk>
92 lines
2.6 KiB
Go
92 lines
2.6 KiB
Go
package container
|
|
|
|
import (
|
|
. "syscall"
|
|
"unsafe"
|
|
|
|
"hakurei.app/container/std"
|
|
)
|
|
|
|
// Prctl manipulates various aspects of the behavior of the calling thread or process.
|
|
func Prctl(op, arg2, arg3 uintptr) error {
|
|
r, _, errno := Syscall(SYS_PRCTL, op, arg2, arg3)
|
|
if r < 0 {
|
|
return errno
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// SetPtracer allows processes to ptrace(2) the calling process.
|
|
func SetPtracer(pid uintptr) error { return Prctl(PR_SET_PTRACER, pid, 0) }
|
|
|
|
// linux/sched/coredump.h
|
|
const (
|
|
SUID_DUMP_DISABLE = iota
|
|
SUID_DUMP_USER
|
|
)
|
|
|
|
// SetDumpable sets the "dumpable" attribute of the calling process.
|
|
func SetDumpable(dumpable uintptr) error { return Prctl(PR_SET_DUMPABLE, dumpable, 0) }
|
|
|
|
// SetNoNewPrivs sets the calling thread's no_new_privs attribute.
|
|
func SetNoNewPrivs() error { return Prctl(PR_SET_NO_NEW_PRIVS, 1, 0) }
|
|
|
|
// Isatty tests whether a file descriptor refers to a terminal.
|
|
func Isatty(fd int) bool {
|
|
var buf [8]byte
|
|
r, _, _ := Syscall(
|
|
SYS_IOCTL,
|
|
uintptr(fd),
|
|
TIOCGWINSZ,
|
|
uintptr(unsafe.Pointer(&buf[0])),
|
|
)
|
|
return r == 0
|
|
}
|
|
|
|
// schedParam is equivalent to struct sched_param from include/linux/sched.h.
|
|
type schedParam struct {
|
|
// sched_priority
|
|
priority std.Int
|
|
}
|
|
|
|
// schedSetscheduler sets both the scheduling policy and parameters for the
|
|
// thread whose ID is specified in tid. If tid equals zero, the scheduling
|
|
// policy and parameters of the calling thread will be set.
|
|
//
|
|
// This function is unexported because it is [very subtle to use correctly]. The
|
|
// function signature in libc is misleading: pid actually refers to a thread ID.
|
|
// The glibc wrapper for this system call ignores this semantic and exposes
|
|
// this counterintuitive behaviour.
|
|
//
|
|
// This function is only called from the container setup thread. Do not reuse
|
|
// this if you do not have something similar in place!
|
|
//
|
|
// [very subtle to use correctly]: https://www.openwall.com/lists/musl/2016/03/01/4
|
|
func schedSetscheduler(tid int, policy std.SchedPolicy, param *schedParam) error {
|
|
if r, _, errno := Syscall(
|
|
SYS_SCHED_SETSCHEDULER,
|
|
uintptr(tid),
|
|
uintptr(policy),
|
|
uintptr(unsafe.Pointer(param)),
|
|
); r < 0 {
|
|
return errno
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// IgnoringEINTR makes a function call and repeats it if it returns an
|
|
// EINTR error. This appears to be required even though we install all
|
|
// signal handlers with SA_RESTART: see #22838, #38033, #38836, #40846.
|
|
// Also #20400 and #36644 are issues in which a signal handler is
|
|
// installed without setting SA_RESTART. None of these are the common case,
|
|
// but there are enough of them that it seems that we can't avoid
|
|
// an EINTR loop.
|
|
func IgnoringEINTR(fn func() error) error {
|
|
for {
|
|
err := fn()
|
|
if err != EINTR {
|
|
return err
|
|
}
|
|
}
|
|
}
|