github.com/schwarzm/garden-linux@v0.0.0-20150507151835-33bca2147c47/old/linux_backend/skeleton/lib/hook-parent-after-clone.sh

github.com/schwarzm/garden-linux@v0.0.0-20150507151835-33bca2147c47/old/linux_backend/skeleton/lib/hook-parent-after-clone.sh (about)

     1  #!/bin/bash
     2  
     3  [ -n "$DEBUG" ] && set -o xtrace
     4  set -o nounset
     5  set -o errexit
     6  shopt -s nullglob
     7  
     8  cd $(dirname $0)/../
     9  
    10  source etc/config
    11  
    12  # write uid map if user namespacing is enabled
    13  if [ "$root_uid" -ne 0 ]
    14  then
    15  cat > /proc/$PID/uid_map <<EOF
    16  0 $root_uid 65534
    17  EOF
    18  
    19  cat > /proc/$PID/gid_map <<EOF
    20  0 $root_uid 65534
    21  EOF
    22  fi
    23  
    24  # Add new group for every subsystem
    25  
    26  # cpuset must be set up first, so that cpuset.cpus and cpuset.mems is assigned
    27  # otherwise adding the process to the subsystem's tasks will fail with ENOSPC
    28  for system_path in ${GARDEN_CGROUP_PATH}/{cpuset,cpu,cpuacct,devices,memory}
    29  do
    30    instance_path=$system_path/instance-$id
    31  
    32    mkdir -p $instance_path
    33  
    34    if [ $(basename $system_path) == "cpuset" ]
    35    then
    36      cat $system_path/cpuset.cpus > $instance_path/cpuset.cpus
    37      cat $system_path/cpuset.mems > $instance_path/cpuset.mems
    38    fi
    39  
    40    if [ $(basename $system_path) == "devices" ]
    41    then
    42      # Deny everything, allow explicitly
    43      echo a > $instance_path/devices.deny
    44  
    45      # Allow mknod for everything.
    46      echo "c *:* m" > $instance_path/devices.allow
    47      echo "b *:* m" > $instance_path/devices.allow
    48  
    49      # /dev/null
    50      echo "c 1:3 rwm" > $instance_path/devices.allow
    51      # /dev/zero
    52      echo "c 1:5 rwm" > $instance_path/devices.allow
    53      # /dev/full
    54      echo "c 1:7 rwm" > $instance_path/devices.allow
    55      # /dev/random
    56      echo "c 1:8 rwm" > $instance_path/devices.allow
    57      # /dev/urandom
    58      echo "c 1:9 rwm" > $instance_path/devices.allow
    59      # /dev/tty0
    60      echo "c 4:0 rwm" > $instance_path/devices.allow
    61      # /dev/tty1
    62      echo "c 4:1 rwm" > $instance_path/devices.allow
    63      # /dev/tty
    64      echo "c 5:0 rwm" > $instance_path/devices.allow
    65      # /dev/console
    66      echo "c 5:1 rwm" > $instance_path/devices.allow
    67      # /dev/ptmx
    68      echo "c 5:2 rwm" > $instance_path/devices.allow
    69      # /dev/pts/*
    70      echo "c 136:* rwm" > $instance_path/devices.allow
    71      # tuntap (?)
    72      echo "c 10:200 rwm" > $instance_path/devices.allow
    73      # /dev/fuse
    74      echo "c 10:229 rwm" > $instance_path/devices.allow
    75    fi
    76  
    77    echo $PID > $instance_path/tasks
    78  done
    79  
    80  echo $PID > ./run/wshd.pid
    81  
    82  exit 0