未验证 提交 5115df07 编写于 作者: jia zhang's avatar jia zhang 提交者: GitHub

rune/libenclave: Fix processing LD_LIBRARY_PATH #2

Instead of inheriting LD_LIBRARY_PATH by bootstrap, make it available
only for boostrap's child process.
Signed-off-by: jia zhang's avatarJia Zhang <zhang.jia@linux.alibaba.com>
上级 ad721161
...@@ -531,16 +531,12 @@ func (c *linuxContainer) commandTemplate(p *Process, childInitPipe *os.File, chi ...@@ -531,16 +531,12 @@ func (c *linuxContainer) commandTemplate(p *Process, childInitPipe *os.File, chi
fmt.Sprintf("_LIBCONTAINER_AGENTPIPE=%d", stdioFdCount+len(cmd.ExtraFiles)-1)) fmt.Sprintf("_LIBCONTAINER_AGENTPIPE=%d", stdioFdCount+len(cmd.ExtraFiles)-1))
} }
if c.config.Enclave.Path != "" {
cmd.Env = append(cmd.Env, "_LIBCONTAINER_PAL_PATH="+string(c.config.Enclave.Path))
}
if c.config.Enclave.Signer != "server" { if c.config.Enclave.Signer != "server" {
rootfs := c.config.Rootfs cmd.Env = append(cmd.Env, "_LIBCONTAINER_PAL_ROOTFS="+string(c.config.Rootfs))
// LD_LIBRARY_PATH must be set before the process starts to be valid
cmd.Env = append(cmd.Env,
fmt.Sprintf("LD_LIBRARY_PATH=%s/usr/lib:%s/usr/lib64:%s/lib:%s/lib64",
rootfs, rootfs, rootfs, rootfs));
cmd.Env = append(cmd.Env,
fmt.Sprintf("_LIBCONTAINER_PAL_PATH=%s/%s", rootfs, c.config.Enclave.Path))
} else if c.config.Enclave.Path != "" {
cmd.Env = append(cmd.Env, "_LIBCONTAINER_PAL_PATH=" + c.config.Enclave.Path)
} }
if detached { if detached {
......
...@@ -4,6 +4,7 @@ ...@@ -4,6 +4,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <dlfcn.h> #include <dlfcn.h>
#include <linux/limits.h>
/* Defined in nsexec.c. */ /* Defined in nsexec.c. */
...@@ -37,18 +38,28 @@ int is_enclave(void) ...@@ -37,18 +38,28 @@ int is_enclave(void)
int load_enclave_runtime(void) int load_enclave_runtime(void)
{ {
const char *file; char pal_full_path[PATH_MAX+1];
char *pal_path;
const char *rootfs;
void *dl; void *dl;
file = getenv("_LIBCONTAINER_PAL_PATH"); pal_path = getenv("_LIBCONTAINER_PAL_PATH");
if (file == NULL || *file == '\0') { if (pal_path == NULL || *pal_path == '\0') {
write_log(DEBUG, "invalid environment _LIBCONTAINER_PAL_PATH"); write_log(DEBUG, "invalid environment _LIBCONTAINER_PAL_PATH");
return 0; return 0;
} }
write_log(DEBUG, "_LIBCONTAINER_PAL_PATH = %s", file);
write_log(DEBUG, "_LIBCONTAINER_PAL_PATH = %s", pal_path);
write_log(DEBUG, "LD_LIBRARY_PATH = %s", getenv("LD_LIBRARY_PATH")); write_log(DEBUG, "LD_LIBRARY_PATH = %s", getenv("LD_LIBRARY_PATH"));
dl = dlopen(file, RTLD_NOW); rootfs = getenv("_LIBCONTAINER_PAL_ROOTFS");
if (rootfs && *rootfs != '\0') {
snprintf(pal_full_path, sizeof(pal_full_path) - 1, "%s/%s", rootfs, pal_path);
pal_path = pal_full_path;
}
dl = dlopen(pal_path, RTLD_NOW);
unsetenv("LD_LIBRARY_PATH");
if (dl == NULL) { if (dl == NULL) {
write_log(DEBUG, "dlopen(): %s", dlerror()); write_log(DEBUG, "dlopen(): %s", dlerror());
/* set errno correctly, make bail() work better */ /* set errno correctly, make bail() work better */
......
...@@ -579,6 +579,7 @@ void nsexec(void) ...@@ -579,6 +579,7 @@ void nsexec(void)
jmp_buf env; jmp_buf env;
int sync_child_pipe[2], sync_grandchild_pipe[2]; int sync_child_pipe[2], sync_grandchild_pipe[2];
struct nlconfig_t config = { 0 }; struct nlconfig_t config = { 0 };
char *rootfs;
/* /*
* Setup a pipe to send logs to the parent. This should happen * Setup a pipe to send logs to the parent. This should happen
...@@ -643,6 +644,16 @@ void nsexec(void) ...@@ -643,6 +644,16 @@ void nsexec(void)
/* TODO: Currently we aren't dealing with child deaths properly. */ /* TODO: Currently we aren't dealing with child deaths properly. */
rootfs = getenv("_LIBCONTAINER_PAL_ROOTFS");
if (rootfs && *rootfs != '\0') {
char ld_path[PATH_MAX+1];
snprintf(ld_path, sizeof(ld_path) - 1,
"%s/usr/lib/x86_64-linux-gnu:%s/usr/lib:%s/usr/lib64:%s/lib:%s/lib64",
rootfs, rootfs, rootfs, rootfs, rootfs);
setenv("LD_LIBRARY_PATH", ld_path, 1);
}
/* /*
* Okay, so this is quite annoying. * Okay, so this is quite annoying.
* *
...@@ -702,15 +713,10 @@ void nsexec(void) ...@@ -702,15 +713,10 @@ void nsexec(void)
int len; int len;
pid_t child, first_child = -1; pid_t child, first_child = -1;
bool ready = false; bool ready = false;
int ret;
/* For debugging. */ /* For debugging. */
prctl(PR_SET_NAME, (unsigned long)"runc:[0:PARENT]", 0, 0, 0); prctl(PR_SET_NAME, (unsigned long)"runc:[0:PARENT]", 0, 0, 0);
ret = load_enclave_runtime();
if (ret < 0)
bail("load_enclave_runtime() failed, ret = %d", ret);
/* Start the process of getting a container. */ /* Start the process of getting a container. */
child = clone_parent(&env, JUMP_CHILD); child = clone_parent(&env, JUMP_CHILD);
if (child < 0) if (child < 0)
...@@ -837,6 +843,11 @@ void nsexec(void) ...@@ -837,6 +843,11 @@ void nsexec(void)
case JUMP_CHILD:{ case JUMP_CHILD:{
pid_t child; pid_t child;
enum sync_t s; enum sync_t s;
int ret;
ret = load_enclave_runtime();
if (ret < 0)
bail("load_enclave_runtime() failed, ret = %d", ret);
/* We're in a child and thus need to tell the parent if we die. */ /* We're in a child and thus need to tell the parent if we die. */
syncfd = sync_child_pipe[0]; syncfd = sync_child_pipe[0];
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册