lxc: enable libseccomp usage + add helper script for setting up cgroups

2019-07-13 21:11:25 +03:00 · 2019-07-13 21:11:25 +03:00 · 0e26eef818
parent 45882652f9
commit 0e26eef818
5 changed files with 157 additions and 1 deletions
--- a/root-packages/libseccomp/build.sh
+++ b/root-packages/libseccomp/build.sh
@ -0,0 +1,7 @@
+TERMUX_PKG_HOMEPAGE=https://github.com/seccomp/libseccomp
+TERMUX_PKG_DESCRIPTION="Enhanced seccomp library"
+TERMUX_PKG_LICENSE="LGPL-2.1"
+TERMUX_PKG_MAINTAINER="Leonid Plyushch <leonid.plyushch@gmail.com> @xeffyr"
+TERMUX_PKG_VERSION=2.4.1
+TERMUX_PKG_SRCURL=https://github.com/seccomp/libseccomp/releases/download/v${TERMUX_PKG_VERSION}/libseccomp-${TERMUX_PKG_VERSION}.tar.gz
+TERMUX_PKG_SHA256=1ca3735249af66a1b2f762fe6e710fcc294ad7185f1cc961e5bd83f9988006e8
--- a/root-packages/lxc/build.sh
+++ b/root-packages/lxc/build.sh
@ -3,15 +3,28 @@ TERMUX_PKG_DESCRIPTION="Linux Containers"
 TERMUX_PKG_LICENSE="LGPL-2.1"
 TERMUX_PKG_MAINTAINER="Leonid Plyushch <leonid.plyushch@gmail.com>"
 TERMUX_PKG_VERSION=3.1.0
+TERMUX_PKG_REVISION=1
 TERMUX_PKG_SRCURL=https://linuxcontainers.org/downloads/lxc-$TERMUX_PKG_VERSION.tar.gz
 TERMUX_PKG_SHA256=4d8772c25baeaea2c37a954902b88c05d1454c91c887cb6a0997258cfac3fdc5
-TERMUX_PKG_DEPENDS="dirmngr, gnupg, libcap, rsync, wget"
+TERMUX_PKG_DEPENDS="dirmngr, gnupg, libcap, libseccomp, rsync, wget"

 TERMUX_PKG_EXTRA_CONFIGURE_ARGS="
 --with-distro=termux
 --with-runtime-path=$TERMUX_PREFIX/var/run
+--disable-apparmor
+--disable-selinux
+--enable-seccomp
+--enable-capabilities
+--disable-examples
 "

 termux_step_pre_configure() {
 	export LIBS="-llog"
 }
+
+termux_step_post_make_install() {
+	# Simple helper script for mounting cgroups.
+	install -Dm755 "$TERMUX_PKG_BUILDER_DIR"/lxc-setup-cgroups.sh \
+		"$TERMUX_PREFIX"/bin/lxc-setup-cgroups
+	sed -i "s|@TERMUX_PREFIX@|$TERMUX_PREFIX|" "$TERMUX_PREFIX"/bin/lxc-setup-cgroups
+}
--- a/root-packages/lxc/lxc-setup-cgroups.sh
+++ b/root-packages/lxc/lxc-setup-cgroups.sh
@ -0,0 +1,18 @@
+#!@TERMUX_PREFIX@/bin/sh
+set -e
+
+export PATH=$PATH:/system/xbin:/system/bin
+
+if ! mountpoint -q /sys/fs/cgroup; then
+	mount -t tmpfs -o mode=755,nodev,noexec,nosuid tmpfs /sys/fs/cgroup
+fi
+
+for cg in blkio cpu cpuacct cpuset devices freezer memory; do
+	if [ ! -d "/sys/fs/cgroup/${cg}" ]; then
+		mkdir -p "/sys/fs/cgroup/${cg}"
+	fi
+
+	if ! mountpoint -q "/sys/fs/cgroup/${cg}"; then
+		mount -t cgroup -o "${cg}" cgroup "/sys/fs/cgroup/${cg}" || true
+	fi
+done
--- a/root-packages/lxc/src-lxc-cgroups-cgfsng.c.patch
+++ b/root-packages/lxc/src-lxc-cgroups-cgfsng.c.patch
@ -0,0 +1,68 @@
+diff -uNr lxc-3.1.0/src/lxc/cgroups/cgfsng.c lxc-3.1.0.mod/src/lxc/cgroups/cgfsng.c
+--- lxc-3.1.0/src/lxc/cgroups/cgfsng.c	2018-12-14 01:13:51.000000000 +0200
+++ lxc-3.1.0.mod/src/lxc/cgroups/cgfsng.c	2019-07-13 20:47:37.511164109 +0300
+@@ -395,7 +395,7 @@
+ 	}
+ 	oldv = *lastslash;
+ 	*lastslash = '\0';
+-	fpath = must_make_path(path, "cpuset.cpus", NULL);
+	fpath = must_make_path(path, "cpus", NULL);
+ 	posscpus = read_file(fpath);
+ 	if (!posscpus) {
+ 		SYSERROR("Failed to read file \"%s\"", fpath);
+@@ -412,7 +412,7 @@
+ 		DEBUG("The path \""__ISOL_CPUS"\" to read isolated cpus from does not exist");
+ 		cpulist = posscpus;
+ 		/* No isolated cpus but we weren't already initialized by
+-		 * someone. We should simply copy the parents cpuset.cpus
+		 * someone. We should simply copy the parents cpus
+ 		 * values.
+ 		 */
+ 		if (!am_initialized) {
+@@ -434,7 +434,7 @@
+ 		TRACE("No isolated cpus detected");
+ 		cpulist = posscpus;
+ 		/* No isolated cpus but we weren't already initialized by
+-		 * someone. We should simply copy the parents cpuset.cpus
+		 * someone. We should simply copy the parents cpus
+ 		 * values.
+ 		 */
+ 		if (!am_initialized) {
+@@ -491,7 +491,7 @@
+ copy_parent:
+ 	*lastslash = oldv;
+ 	free(fpath);
+-	fpath = must_make_path(path, "cpuset.cpus", NULL);
+	fpath = must_make_path(path, "cpus", NULL);
+ 	ret = lxc_write_to_file(fpath, cpulist, strlen(cpulist), false, 0666);
+ 	if (ret < 0) {
+ 		SYSERROR("Failed to write cpu list to \"%s\"", fpath);
+@@ -606,7 +606,7 @@
+ 		return false;
+ 	}
+ 
+-	/* Make sure any isolated cpus are removed from cpuset.cpus. */
+	/* Make sure any isolated cpus are removed from cpus. */
+ 	if (!cg_legacy_filter_and_set_cpus(cgpath, v == '1')) {
+ 		SYSERROR("Failed to remove isolated cpus");
+ 		free(clonechildrenpath);
+@@ -623,8 +623,8 @@
+ 	}
+ 
+ 	/* copy parent's settings */
+-	if (!copy_parent_file(cgpath, "cpuset.mems")) {
+-		SYSERROR("Failed to copy \"cpuset.mems\" settings");
+	if (!copy_parent_file(cgpath, "mems")) {
+		SYSERROR("Failed to copy \"mems\" settings");
+ 		free(cgpath);
+ 		free(clonechildrenpath);
+ 		return false;
+@@ -742,7 +742,7 @@
+ 	 * verify /sys/fs/cgroup/ in this field.
+ 	 */
+ 	if (strncmp(p, "/sys/fs/cgroup/", 15) != 0) {
+-		ERROR("Found hierarchy not under /sys/fs/cgroup: \"%s\"", p);
+		WARN("Found hierarchy not under /sys/fs/cgroup: \"%s\"", p);
+ 		return NULL;
+ 	}
+ 
--- a/root-packages/lxc/src-lxc-pam-pam_cgfs.c.patch
+++ b/root-packages/lxc/src-lxc-pam-pam_cgfs.c.patch
@ -0,0 +1,50 @@
+diff -uNr lxc-3.1.0/src/lxc/pam/pam_cgfs.c lxc-3.1.0.mod/src/lxc/pam/pam_cgfs.c
+--- lxc-3.1.0/src/lxc/pam/pam_cgfs.c	2018-12-14 01:13:51.000000000 +0200
+++ lxc-3.1.0.mod/src/lxc/pam/pam_cgfs.c	2019-07-13 20:47:50.341249255 +0300
+@@ -1749,7 +1749,7 @@
+ 	oldv = *lastslash;
+ 	*lastslash = '\0';
+ 
+-	fpath = must_make_path(path, "cpuset.cpus", NULL);
+	fpath = must_make_path(path, "cpus", NULL);
+ 	posscpus = read_file(fpath);
+ 	if (!posscpus) {
+ 		pam_cgfs_debug("Could not read file: %s\n", fpath);
+@@ -1767,7 +1767,7 @@
+ 		cpulist = posscpus;
+ 
+ 		/* No isolated cpus but we weren't already initialized by
+-		 * someone. We should simply copy the parents cpuset.cpus
+		 * someone. We should simply copy the parents cpus
+ 		 * values.
+ 		 */
+ 		if (!am_initialized) {
+@@ -1792,7 +1792,7 @@
+ 		cpulist = posscpus;
+ 
+ 		/* No isolated cpus but we weren't already initialized by
+-		 * someone. We should simply copy the parents cpuset.cpus
+		 * someone. We should simply copy the parents cpus
+ 		 * values.
+ 		 */
+ 		if (!am_initialized) {
+@@ -1851,7 +1851,7 @@
+ 
+ 	free(fpath);
+ 
+-	fpath = must_make_path(path, "cpuset.cpus", NULL);
+	fpath = must_make_path(path, "cpus", NULL);
+ 	ret = lxc_write_to_file(fpath, cpulist, strlen(cpulist), false, 0660);
+ 	if (ret < 0) {
+ 		pam_cgfs_debug("Could not write cpu list to: %s\n", fpath);
+@@ -2020,8 +2020,8 @@
+ 	}
+ 
+ 	/* copy parent's settings */
+-	if (!cg_copy_parent_file(cgpath, "cpuset.mems")) {
+-		pam_cgfs_debug("%s", "Failed to copy \"cpuset.mems\" settings\n");
+	if (!cg_copy_parent_file(cgpath, "mems")) {
+		pam_cgfs_debug("%s", "Failed to copy \"mems\" settings\n");
+ 		free(cgpath);
+ 		free(clonechildrenpath);
+ 		return false;