Thanks Stephane. Yes, I understand your point and completely agree. However, can you please let me know why I am not able to add /sys/power/state to the FUSE filesystem?

Thanks and Regards,
Souvik

On 6/6/20, Stéphane Graber <stgra...@stgraber.org> wrote:
> LXCFS' goal is to show accurate resource information in containers.
>
> It's not meant as a security mechanism nor can it be used as one.
> If all you're trying to do is prevent access to /sys/power/state,
> you'll want to use an LSM for this or just use an unprivileged
> container which won't be able to interfere with this in the first
> place.
>
> LXCFS's files can be trivially unmounted from the container revealing
> the file they're hiding. That's perfectly fine as LXCFS is meant to
> provide better data to containers and isn't a security mechanism.
>
> On Fri, Jun 5, 2020 at 3:51 AM Souvik Datta <sd.souvikda...@gmail.com>
> wrote:
>>
>> Thanks Christian.
>> I am using VirtualBox, inside which I am running lxcfs:
>> Distributor ID: Ubuntu
>> Description:    Ubuntu 18.04.4 LTS
>> Release:        18.04
>> Codename:       bionic
>>
>> The source code version of lxcfs that I am using is 4.0.0.
>>
>> My objective is to prevent the OS, running inside LXC (as a privileged
>> system container), from changing the power state of the system and in
>> that respect, I am trying to virtualize the file /sys/power/state.
>>
>> Can you kindly explain the significance of the following:
>> - What is the significance of "api_extensions"? It seems it is not used
>>   anywhere except in console logs as part of the liblxcfs.so init function.
>> - Can you please explain what is happening in the "constructor" of the
>>   liblxcfs.so library [src/bindings.c] before fuse_main(nargs, newargv,
>>   &lxcfs_ops, opts) [in src/lxcfs.c] is called?
>> I am using Ubuntu.
>>
>> - I have made the following additions in src/bindings.h and
>>   src/sysfs_fuse.c to show /sys/power/state in the FUSE FS.
>>
>> In src/bindings.h:
>> ------------------
>> Added the following:
>>
>>     LXC_TYPE_SYS_POWER,
>>     LXC_TYPE_SYS_POWER_STATE,
>>     #define LXC_TYPE_SYS_POWER_STATE_PATH "/sys/power/state"
>>
>> In src/sysfs_fuse.c:
>> --------------------
>> Added the following:
>>
>> In function:
>>
>> [1] __lxcfs_fuse_ops int sys_getattr(const char *path, struct stat *sb)
>>
>>     #if 1
>>     if (strcmp(path, "/sys/power") == 0) {
>>         sb->st_mode = S_IFDIR | 00555;
>>         sb->st_nlink = 2;
>>         return 0;
>>     }
>>
>>     if (strcmp(path, "/sys/power/state") == 0) {
>>         sb->st_size = 0;
>>         sb->st_mode = S_IFREG | 00444;
>>         sb->st_nlink = 1;
>>         return 0;
>>     }
>>     #endif
>>
>> [2] __lxcfs_fuse_ops int sys_readdir(const char *path, void *buf,
>>     fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi)
>>
>>     #if 1
>>     if (strcmp(path, "/sys/power") == 0) {
>>         if (filler(buf, ".", NULL, 0) != 0 ||
>>             filler(buf, "..", NULL, 0) != 0 ||
>>             filler(buf, "state", NULL, 0) != 0)
>>             return -ENOENT;
>>
>>         return 0;
>>     }
>>     #endif
>>
>> [3] __lxcfs_fuse_ops int sys_open(const char *path, struct fuse_file_info *fi)
>>
>>     #if 1
>>     if (strcmp(path, "/sys/power") == 0)
>>         type = LXC_TYPE_SYS_POWER;
>>     if (strcmp(path, "/sys/power/state") == 0)
>>         type = LXC_TYPE_SYS_POWER_STATE;
>>     #endif
>>
>> [4] __lxcfs_fuse_ops int sys_access(const char *path, int mask)
>>
>>     #if 1
>>     if (strcmp(path, "/sys/power") == 0 &&
>>         access(path, R_OK) == 0)
>>         return 0;
>>     #endif
>>
>> [5] __lxcfs_fuse_ops int sys_releasedir(const char *path, struct fuse_file_info *fi)
>>
>>     #if 1
>>     case LXC_TYPE_SYS_POWER:
>>         lxcfs_info("LXC_TYPE_SYS_POWER -----%s", __func__);
>>         break;
>>     case LXC_TYPE_SYS_POWER_STATE:
>>         // Need to take action here
>>         lxcfs_info("LXC_TYPE_SYS_POWER_STATE -----%s", __func__);
>>         break;
>>     #endif
>>
>> To run my modified liblxcfs.so, I followed these steps:
>> -------------------------------------------------------
>> 1. I stopped the systemd lxcfs.service.
>> 2. From the command line, I ran the lxcfs binary:
>>    $ sudo /usr/bin/lxcfs -f /var/lib/lxcfs
>>
>> I verified that the FUSE file system got mounted at "/var/lib/lxcfs" by
>> running the "mount" command. Here is the output of the "mount" command:
>>     lxcfs on /var/lib/lxcfs type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
>>
>> After this, when I ran the "tree" command on "/var/lib/lxcfs", I was not
>> able to see /sys/power/state in the FUSE file system although I could
>> see /sys/devices/system/cpu/online.
>>
>> Is there any other file/s that I would need to modify to bring
>> /sys/power/state into the FUSE FS?
>>
>> Thanks and Regards,
>> Souvik
>>
>> On 6/4/20, Christian Brauner <christian.brau...@ubuntu.com> wrote:
>> > On Wed, Jun 03, 2020 at 11:06:23PM +0530, Souvik Datta wrote:
>> >> Hello,
>> >> I am trying to understand the source code of LXCFS. My final objective
>> >> is to add the /sys/power/state file as an entry. I understand the changes
>> >> that need to be done in sysfs_fuse.c/h to support this.
>> >>
>> >> To do this, I am first trying to understand how the sys entry
>> >> "/sys/devices/system/cpu/online" has been added in the target
>> >> directory /var/lib/lxcfs, but I am not able to figure that out.
>> >>
>> >> Can you please give me some pointers so that I can understand how this
>> >> is achieved?
>> >
>> > Please take a look at:
>> > src/sysfs_fuse.c:sys_read()
>> > The enum and path used to add a file type are defined in
>> > src/bindings.h: enum lxcfs_virt_t
>> >
>> > and then you need to implement the actual virtualization in
>> > sysfs_fuse.{c,h}.
>> >
>> > Christian
>> > _______________________________________________
>> > lxc-devel mailing list
>> > lxc-devel@lists.linuxcontainers.org
>> > http://lists.linuxcontainers.org/listinfo/lxc-devel
>
> --
> Stéphane
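The thread's security point is Stéphane's: an LXCFS file only masks the real sysfs entry, so it is not a boundary in a privileged container; the boundary has to come from an unprivileged container (user namespace) or an LSM. The script below, added here as an illustration and not code from LXCFS or from any of the posters, turns that into a check an operator can run from inside a container. It decides whether container root maps to host root from /proc/self/uid_map, and whether /sys/power/state is served by an lxcfs FUSE mount from the output of mount(8). Both inputs are passed as text so the functions run offline against the constructed samples at the bottom; the sample uid_map and mount lines are made up for the example, and the AppArmor/LSM policy the reply recommends is not inspected.

```shell
#!/bin/sh
# Added example for this thread; not code from LXCFS or from any of the
# posters. Classifies a container by its uid_map and by what backs
# /sys/power/state in its mount table. Inputs are plain text so the check
# runs offline; on a live container feed it "$(cat /proc/self/uid_map)"
# and "$(mount)".
set -eu

# $1: contents of /proc/self/uid_map ("inside outside count" per line).
# Prints "privileged" when container uid 0 maps to host uid 0, otherwise
# "unprivileged" (root mapped to another host uid, or not mapped at all).
uidmap_class() {
    printf '%s\n' "$1" | awk '
        $1 == 0 && $3 > 0 {
            if ($2 == 0) print "privileged"; else print "unprivileged"
            found = 1; exit
        }
        END { if (!found) print "unprivileged" }'
}

# $1: output of mount(8) ("src on /path type fstype (opts)"); $2: absolute path.
# Prints "lxcfs" when an lxcfs FUSE mount sits exactly on the path, "other"
# for any other filesystem mounted there, "none" when nothing is mounted there.
mount_backing() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == "on" && $3 == p && $4 == "type" {
            if ($5 == "fuse.lxcfs") print "lxcfs"; else print "other"
            found = 1; exit
        }
        END { if (!found) print "none" }'
}

# Combine both answers for /sys/power/state. Only the unprivileged case is a
# real boundary: an lxcfs overlay in a privileged container can be unmounted
# from inside, and a bare sysfs entry is reachable by container root unless
# an LSM profile denies it (that policy is not inspected here).
power_state_boundary() {
    cls=$(uidmap_class "$1")
    backing=$(mount_backing "$2" /sys/power/state)
    if [ "$cls" = unprivileged ]; then
        echo "ok: unprivileged container"
    elif [ "$backing" = lxcfs ]; then
        echo "weak: privileged container, lxcfs mask only"
    else
        echo "exposed: privileged container, host sysfs"
    fi
}

# Constructed samples (not captured from a real host).
PRIV_MAP='         0          0 4294967295'
UNPRIV_MAP='         0     100000      65536'
MOUNTS_LXCFS='sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
lxcfs on /proc/cpuinfo type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /sys/power/state type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)'
MOUNTS_PLAIN='sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)'

# Stand-alone run: one verdict per scenario.
printf 'privileged + lxcfs   : %s\n' "$(power_state_boundary "$PRIV_MAP" "$MOUNTS_LXCFS")"
printf 'privileged + sysfs   : %s\n' "$(power_state_boundary "$PRIV_MAP" "$MOUNTS_PLAIN")"
printf 'unprivileged + sysfs : %s\n' "$(power_state_boundary "$UNPRIV_MAP" "$MOUNTS_PLAIN")"
```

The "weak" verdict is exactly the configuration the original poster was building: a privileged system container where the only thing between the guest and the host's /sys/power/state is an lxcfs overlay. Moving to an unprivileged container flips the verdict to "ok" regardless of what lxcfs exposes; the LSM route (an AppArmor profile denying the path) is the other option from the reply and has to be checked against the host's loaded policy rather than the mount table.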