Merge commit from fork

* apparmor: use safe procfs API for labels

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

* remove ensure_procfs

Signed-off-by: Yusuke <yusuke.sakurai@3-shake.com>

* sysctl: use safe procfs API from libpathrs

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

* convert Process::myself to ProcfsHandle

Signed-off-by: Yusuke <yusuke.sakurai@3-shake.com>

* use ProcfsHandle for /proc/self/setgroups

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

* use libpathrs for mount_into_container

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

* rootfs: switch fd-based handling of mountpoint targets

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

* update libpathrs version

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

* adjust test for fd-base mount

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

* Harden masked paths

Signed-off-by: utam0k <k0ma@utam0k.jp>

* fixup! Harden masked paths

Signed-off-by: utam0k <k0ma@utam0k.jp>

* mount_setattr: fd base

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

* rootfs: switch fd-based handling of mountpoint targets to using move_mount

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

* fd-based handling for src and dest

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

* use BorrowedFd and as_fd

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

* the mount flags are set via mount_setattr (not fsmount)

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

* use resolve replace subpath

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>

---------

Signed-off-by: Yusuke Sakurai <yusuke.sakurai@3-shake.com>
Signed-off-by: Yusuke <yusuke.sakurai@3-shake.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: utam0k <k0ma@utam0k.jp>
Co-authored-by: Aleksa Sarai <cyphar@cyphar.com>
Co-authored-by: utam0k <k0ma@utam0k.jp>

Author: 3 people

Cargo.lock

@@ -22,6 +22,7 @@ cgroupsv2_devices = ["rbpf", "libbpf-sys", "errno", "libc", "nix/dir"]
 [dependencies]
 nix = { version = "0.29.0", features = ["signal", "user", "fs"] }
 procfs = "0.17.0"
+pathrs = "0.2.1"
 oci-spec = { version = "~0.8.3", features = ["runtime"] }
 fixedbitset = "0.5.7"
 serde = { version = "1.0", features = ["derive"] }

crates/libcgroups/Cargo.toml

@@ -4,8 +4,9 @@ use std::path::{Path, PathBuf};
 use std::time::Duration;
 
 use nix::unistd::Pid;
-use procfs::ProcError;
-use procfs::process::Process;
+use pathrs::flags::OpenFlags;
+use pathrs::procfs::{ProcfsBase, ProcfsHandle};
+use procfs::{FromRead, ProcError, ProcessCGroups};
 
 use super::blkio::{Blkio, V1BlkioStatsError};
 use super::controller::Controller;
@@ -47,6 +48,8 @@ pub enum V1ManagerError {
     CGroupRequired(CtrlType),
     #[error("subsystem does not exist")]
     SubsystemDoesNotExist,
+    #[error(transparent)]
+    Pathrs(#[from] pathrs::error::Error),
 
     #[error(transparent)]
     BlkioController(WrappedIoError),
@@ -101,11 +104,14 @@ impl Manager {
         tracing::debug!("Get path for subsystem: {}", subsystem);
         let mount_point = util::get_subsystem_mount_point(subsystem)?;
 
-        let cgroup = Process::myself()?
-            .cgroups()?
-            .into_iter()
-            .find(|c| c.controllers.contains(&subsystem.to_string()))
-            .ok_or(V1ManagerError::SubsystemDoesNotExist)?;
+        let cgroup = ProcessCGroups::from_read(ProcfsHandle::new()?.open(
+            ProcfsBase::ProcSelf,
+            "cgroup",
+            OpenFlags::O_RDONLY | OpenFlags::O_CLOEXEC,
+        )?)?
+        .into_iter()
+        .find(|c| c.controllers.contains(&subsystem.to_string()))
+        .ok_or(V1ManagerError::SubsystemDoesNotExist)?;
 
         let p = if cgroup_path.as_os_str().is_empty() {
             mount_point.join_safely(Path::new(&cgroup.pathname))?

crates/libcgroups/src/v1/manager.rs

@@ -1,33 +1,50 @@
 use std::collections::HashMap;
+use std::io::{BufRead, BufReader};
 use std::path::PathBuf;
 
+use pathrs::flags::OpenFlags;
+use pathrs::procfs::{ProcfsBase, ProcfsHandle};
 use procfs::ProcError;
-use procfs::process::Process;
+use procfs::process::MountInfo;
 
 use super::ControllerType;
 use super::controller_type::CONTROLLERS;
 
 #[derive(thiserror::Error, Debug)]
 pub enum V1MountPointError {
-    #[error("failed to read process info from /proc/self: {0}")]
-    ReadSelf(ProcError),
+    #[error("io error: {0}")]
+    Io(#[from] std::io::Error),
     #[error("failed to get mountinfo: {0}")]
     MountInfo(ProcError),
     #[error("could not find mountpoint for {subsystem}")]
     NotFound { subsystem: ControllerType },
+    #[error(transparent)]
+    Pathrs(#[from] pathrs::error::Error),
 }
 
 /// List all cgroup v1 subsystem mount points on the system. This can include unsupported
 /// subsystems, comounted controllers and named hierarchies.
 pub fn list_subsystem_mount_points() -> Result<Vec<PathBuf>, V1MountPointError> {
-    Ok(Process::myself()
-        .map_err(V1MountPointError::ReadSelf)?
-        .mountinfo()
-        .map_err(V1MountPointError::MountInfo)?
-        .into_iter()
-        .filter(|m| m.fs_type == "cgroup")
-        .map(|m| m.mount_point)
-        .collect())
+    let reader = BufReader::new(ProcfsHandle::new()?.open(
+        ProcfsBase::ProcSelf,
+        "mountinfo",
+        OpenFlags::O_RDONLY | OpenFlags::O_CLOEXEC,
+    )?);
+
+    reader
+        .lines()
+        .map(|lr| {
+            lr.map_err(V1MountPointError::Io)
+                .and_then(|line| MountInfo::from_line(&line).map_err(V1MountPointError::MountInfo))
+        })
+        .try_fold(Vec::new(), |mut mount_points, r| {
+            r.map(|m| {
+                if m.fs_type == "cgroup" {
+                    mount_points.push(m.mount_point);
+                }
+                mount_points
+            })
+        })
 }
 
 /// List the mount points of all currently supported cgroup subsystems.
@@ -46,38 +63,44 @@ pub fn list_supported_mount_points() -> Result<HashMap<ControllerType, PathBuf>,
 
 pub fn get_subsystem_mount_point(subsystem: &ControllerType) -> Result<PathBuf, V1MountPointError> {
     let subsystem_name = subsystem.to_string();
-    Process::myself()
-        .map_err(V1MountPointError::ReadSelf)?
-        .mountinfo()
-        .map_err(V1MountPointError::MountInfo)?
-        .into_iter()
-        .find(|m| {
-            if m.fs_type == "cgroup" {
+    let reader = BufReader::new(ProcfsHandle::new()?.open(
+        ProcfsBase::ProcSelf,
+        "mountinfo",
+        OpenFlags::O_RDONLY | OpenFlags::O_CLOEXEC,
+    )?);
+
+    reader
+        .lines()
+        .map(|lr| {
+            lr.map_err(V1MountPointError::Io)
+                .and_then(|line| MountInfo::from_line(&line).map_err(V1MountPointError::MountInfo))
+        })
+        .find_map(|r| match r {
+            Err(e) => Some(Err(e)),
+            Ok(m) if m.fs_type == "cgroup" => {
                 // Some systems mount net_prio and net_cls in the same directory
                 // other systems mount them in their own directories. This
                 // should handle both cases.
-                if subsystem_name == "net_cls" {
-                    return m.mount_point.ends_with("net_cls,net_prio")
-                        || m.mount_point.ends_with("net_prio,net_cls")
-                        || m.mount_point.ends_with("net_cls");
-                } else if subsystem_name == "net_prio" {
-                    return m.mount_point.ends_with("net_cls,net_prio")
-                        || m.mount_point.ends_with("net_prio,net_cls")
-                        || m.mount_point.ends_with("net_prio");
-                }
-
-                if subsystem_name == "cpu" {
-                    return m.mount_point.ends_with("cpu,cpuacct")
-                        || m.mount_point.ends_with("cpu");
-                }
-                if subsystem_name == "cpuacct" {
-                    return m.mount_point.ends_with("cpu,cpuacct")
-                        || m.mount_point.ends_with("cpuacct");
-                }
+                let ok = match subsystem_name.as_str() {
+                    "net_cls" => ["net_cls,net_prio", "net_prio,net_cls", "net_cls"]
+                        .iter()
+                        .any(|s| m.mount_point.ends_with(s)),
+                    "net_prio" => ["net_cls,net_prio", "net_prio,net_cls", "net_prio"]
+                        .iter()
+                        .any(|s| m.mount_point.ends_with(s)),
+                    "cpu" => ["cpu,cpuacct", "cpu"]
+                        .iter()
+                        .any(|s| m.mount_point.ends_with(s)),
+                    "cpuacct" => ["cpu,cpuacct", "cpuacct"]
+                        .iter()
+                        .any(|s| m.mount_point.ends_with(s)),
+                    _ => m.mount_point.ends_with(&subsystem_name),
+                };
+                if ok { Some(Ok(m.mount_point)) } else { None }
             }
-            m.mount_point.ends_with(&subsystem_name)
+            Ok(_) => None,
         })
-        .map(|m| m.mount_point)
+        .transpose()?
         .ok_or(V1MountPointError::NotFound {
             subsystem: *subsystem,
         })

crates/libcgroups/src/v1/util.rs

@@ -1,7 +1,10 @@
+use std::io::{BufRead, BufReader};
 use std::path::{Path, PathBuf};
 
+use pathrs::flags::OpenFlags;
+use pathrs::procfs::{ProcfsBase, ProcfsHandle};
 use procfs::ProcError;
-use procfs::process::Process;
+use procfs::process::MountInfo;
 
 use super::controller_type::ControllerType;
 use crate::common::{self, WrappedIoError};
@@ -11,6 +14,8 @@ pub const CGROUP_SUBTREE_CONTROL: &str = "cgroup.subtree_control";
 
 #[derive(thiserror::Error, Debug)]
 pub enum V2UtilError {
+    #[error("io error: {0}")]
+    Io(#[from] std::io::Error),
     #[error("io error: {0}")]
     WrappedIo(#[from] WrappedIoError),
     #[error("proc error: {0}")]
@@ -19,15 +24,30 @@ pub enum V2UtilError {
     CouldNotFind,
     #[error("cannot get available controllers. {0} does not exist")]
     DoesNotExist(PathBuf),
+    #[error(transparent)]
+    Pathrs(#[from] pathrs::error::Error),
 }
 
 // Reads the `/proc/self/mountinfo` to get the mount point of this cgroup
 pub fn get_unified_mount_point() -> Result<PathBuf, V2UtilError> {
-    Process::myself()?
-        .mountinfo()?
-        .into_iter()
-        .find(|m| m.fs_type == "cgroup2")
-        .map(|m| m.mount_point)
+    let reader = BufReader::new(ProcfsHandle::new()?.open(
+        ProcfsBase::ProcSelf,
+        "mountinfo",
+        OpenFlags::O_RDONLY | OpenFlags::O_CLOEXEC,
+    )?);
+
+    reader
+        .lines()
+        .map(|lr| {
+            lr.map_err(V2UtilError::Io)
+                .and_then(|s| MountInfo::from_line(&s).map_err(V2UtilError::from))
+        })
+        .find_map(|r| match r {
+            Ok(mi) if mi.fs_type == "cgroup2" => Some(Ok(mi.mount_point)),
+            Ok(_) => None,
+            Err(e) => Some(Err(e)),
+        })
+        .transpose()?
         .ok_or(V2UtilError::CouldNotFind)
 }
 

crates/libcgroups/src/v2/util.rs

@@ -53,6 +53,7 @@ thiserror = "2.0.17"
 tracing = { version = "0.1.41", features = ["attributes"] }
 safe-path = "0.1.0"
 nc = "0.9.6"
+pathrs = "0.2.1"
 
 [dev-dependencies]
 oci-spec = { version = "~0.8.3", features = ["proptests", "runtime"] }