diff --git a/varutil/src/parse.rs b/varutil/src/parse.rs index 1283f3a..5f79924 100644 --- a/varutil/src/parse.rs +++ b/varutil/src/parse.rs @@ -378,7 +378,9 @@ mod tests { var, Variable::OrElse( "PROFILE".to_string(), - Box::new(Variable::Const("profile-arm64-minimum.txt".to_string())))); + Box::new(Variable::Const("profile-arm64-minimum.txt".to_string())) + ) + ); assert_eq!(v2, None); } @@ -391,7 +393,9 @@ mod tests { var, Variable::OrElse( "PROFILE".to_string(), - Box::new(Variable::Const("profile-arm64-minimum.txt".to_string())))); + Box::new(Variable::Const("profile-arm64-minimum.txt".to_string())) + ) + ); assert_eq!(v2, None); } @@ -405,7 +409,9 @@ mod tests { var, &Variable::OrElse( "PROFILE".to_string(), - Box::new(Variable::Const("profile-arm64-minimum.txt".to_string())))); + Box::new(Variable::Const("profile-arm64-minimum.txt".to_string())) + ) + ); assert_eq!(v2, None); } #[test] diff --git a/xc-bin/src/jailfile/directives/copy.rs b/xc-bin/src/jailfile/directives/copy.rs index fb63a37..bdbd9d6 100644 --- a/xc-bin/src/jailfile/directives/copy.rs +++ b/xc-bin/src/jailfile/directives/copy.rs @@ -137,7 +137,6 @@ mod tests { fn test_parse_args() { let input = ["oo", "--from", "abcde", "--to", "fgh", ".", "."]; let parsed = CopyDirective::parse_from(input); - println!("{parsed:?}"); assert_eq!(parsed.from, Some("abcde".to_string())); assert_eq!(parsed.to, Some("fgh".to_string())); assert_eq!(parsed.source_path, ".".to_string()); diff --git a/xc-bin/src/main.rs b/xc-bin/src/main.rs index 6a1f8f4..89bdebb 100644 --- a/xc-bin/src/main.rs +++ b/xc-bin/src/main.rs 
@@ -612,77 +612,75 @@ fn main() -> Result<(), ActionError> { } let entry_point = entry_point.unwrap_or_else(|| "main".to_string()); + let envs = { + let mut map = std::collections::HashMap::new(); + for env in envs.into_iter() { + map.insert(env.key, env.value); + } + map + }; + + let dns = if empty_dns { + DnsSetting::Specified { + servers: Vec::new(), + search_domains: Vec::new(), + } + } else if dns_servers.is_empty() && dns_searchs.is_empty() { + DnsSetting::Inherit + } else { + DnsSetting::Specified { + servers: dns_servers, + search_domains: dns_searchs, + } + }; + + let hostname = hostname.or_else(|| name.clone()); + + let mount_req = mounts + .iter() + .map(|mount| { + let source = std::fs::canonicalize(mount.source.clone()) + .unwrap() + .to_string_lossy() + .to_string(); + MountReq { + source, + dest: mount.destination.clone(), + } + }) + .collect::>(); + + let copies: List = copy + .into_iter() + .map(|bind| { + let file = std::fs::OpenOptions::new() + .read(true) + .open(bind.source) + .expect("cannot open file for reading"); + let source = Fd(file.into_raw_fd()); + CopyFile { + source, + destination: bind.destination, + } + }) + .collect(); + + let mut extra_layer_files = Vec::new(); + + for layer in extra_layers.iter() { + extra_layer_files.push(std::fs::OpenOptions::new().read(true).open(layer)?); + } + + let extra_layers = + List::from_iter(extra_layer_files.iter().map(|file| Fd(file.as_raw_fd()))); let (res, notify) = { - let envs = { - let mut map = std::collections::HashMap::new(); - for env in envs.into_iter() { - map.insert(env.key, env.value); - } - map - }; - - let dns = if empty_dns { - DnsSetting::Specified { - servers: Vec::new(), - search_domains: Vec::new(), - } - } else if dns_servers.is_empty() && dns_searchs.is_empty() { - DnsSetting::Inherit - } else { - DnsSetting::Specified { - servers: dns_servers, - search_domains: dns_searchs, - } - }; - - let hostname = hostname.or_else(|| name.clone()); - - let mount_req = mounts - .iter() - 
.map(|mount| { - let source = std::fs::canonicalize(mount.source.clone()) - .unwrap() - .to_string_lossy() - .to_string(); - MountReq { - source, - dest: mount.destination.clone(), - } - }) - .collect::>(); - - let copies: List = copy - .into_iter() - .map(|bind| { - let file = std::fs::OpenOptions::new() - .read(true) - .open(bind.source) - .expect("cannot open file for reading"); - let source = Fd(file.into_raw_fd()); - CopyFile { - source, - destination: bind.destination, - } - }) - .collect(); - let main_started_notify = if detach { Maybe::None } else { let fd = unsafe { eventfd(0, nix::libc::EFD_NONBLOCK) }; Maybe::Some(Fd(fd)) }; - - let mut extra_layer_files = Vec::new(); - - for layer in extra_layers.iter() { - extra_layer_files.push(std::fs::OpenOptions::new().read(true).open(layer)?); - } - - let extra_layers = - List::from_iter(extra_layer_files.iter().map(|file| Fd(file.as_raw_fd()))); - let mut reqt = InstantiateRequest { alt_root: None, name, diff --git a/xc/src/container/runner.rs b/xc/src/container/runner.rs index 2ae5dba..52f55e4 100644 --- a/xc/src/container/runner.rs +++ b/xc/src/container/runner.rs @@ -338,6 +338,7 @@ impl ProcessRunner { exec: &Jexec, notify: Option>, ) -> Result { + debug!("spawn: {exec:#?}"); let jail = freebsd::jail::RunningJail::from_jid_unchecked(self.container.jid); let paths = exec .envs @@ -446,7 +447,9 @@ impl ProcessRunner { pub fn run_main(&mut self) { if let Some(main) = self.container.main_proto.clone() { - _ = self.spawn_process("main", &main, None); + if let Err(error) = self.spawn_process("main", &main, None) { + error!("cannot spawn main: {error:#?}"); + } self.container.main_started_notify.notify_waiters(); self.main_started = true; self.should_run_main = false; diff --git a/xcd/src/auth/mod.rs b/xcd/src/auth/mod.rs index d462c00..2fd0d3c 100644 --- a/xcd/src/auth/mod.rs +++ b/xcd/src/auth/mod.rs 
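Review bot: The mount and copy setup that now sits at function scope in main still panics on bad user input: `std::fs::canonicalize(mount.source.clone()).unwrap()` and `.expect("cannot open file for reading")` abort the process on a missing or unreadable path, while the extra-layer loop just below reports the same kind of failure with `?`. Making the mount closure fallible, with `std::fs::canonicalize(mount.source.clone())?`, the `MountReq` wrapped in `Ok(..)` and the chain collected into a `Result` followed by `?`, would give every path argument the same error reporting; the copy closure could follow if its target collection can be built from a `Result` iterator. Separately, `.to_string_lossy()` replaces non-UTF-8 bytes with U+FFFD, so the `source` string placed in the request can name a different path than the one that was canonicalized; rejecting such paths via `into_os_string().into_string()` seems safer than silently rewriting them. main starts and ends outside this hunk.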
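Review bot: The added `debug!("spawn: {exec:#?}");` at the top of spawn_process pretty-prints the whole `Jexec`, which includes `exec.envs` (read a few lines below), so every environment variable passed to a container process ends up in the daemon log whenever debug logging is on. Environment variables commonly carry tokens and passwords, and log files tend to be readable by more parties and retained longer than the process environment itself. Unless `Jexec`'s `Debug` impl already redacts values (not visible here), the message should cover only the fields needed for diagnosis, with the environment reduced to variable names or left out, and a comment such as `// do not log exec.envs values: may contain secrets` would keep it that way. The function body continues outside this hunk.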
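Review bot: In run_main the spawn failure is now logged, but the lines after the new `if let Err(error)` still run unconditionally: `self.container.main_started_notify.notify_waiters()` fires and `self.main_started = true` is set even though no main process exists. Anything waiting on that notification or reading `main_started` cannot tell a failed spawn from a running main, which likely leaves the container reported as started. Waking the waiters is probably still needed so that clients do not hang, but the failure should be recorded where they can see it, and `main_started` should be set only in the success branch, e.g. `Ok(_) => self.main_started = true,` in a `match` on the spawn result. How waiters consume this state is outside the hunk, so the exact shape of the fix needs checking against those callers.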
@@ -51,7 +51,7 @@ impl Credential { #[inline(always)] pub(crate) fn can_read(&self, metadata: &Metadata) -> bool { let mode = metadata.mode(); - self.unix_credential.uid == 0 + self.unix_credential.uid == 0 || mode & 0o004 > 0 || mode & 0o400 > 0 && self.unix_credential.uid == metadata.uid() || mode & 0o040 > 0 && self.unix_credential.gids.contains(&metadata.gid()) @@ -60,7 +60,7 @@ impl Credential { #[inline(always)] pub(crate) fn can_write(&self, metadata: &Metadata) -> bool { let mode = metadata.mode(); - self.unix_credential.uid == 0 + self.unix_credential.uid == 0 || mode & 0o002 > 0 || mode & 0o200 > 0 && self.unix_credential.uid == metadata.uid() || mode & 0o020 > 0 && self.unix_credential.gids.contains(&metadata.gid())