TError TClient::IdentifyContainer(TContainerHolder &holder) {
    // Look up the container that Pid (as recorded by IdentifyClient) is a
    // task of and remember it in Container.  A failed lookup is passed
    // through unchanged and leaves Container untouched.
    //
    // NOTE(review): the lookup is keyed on a pid only; if the peer has
    // exited since its credentials were read, the pid may already belong to
    // an unrelated process in another container -- confirm callers tolerate
    // this (pid reuse) or re-validate before acting on Container.
    std::shared_ptr<TContainer> found;
    TError lookup = holder.FindTaskContainer(Pid, found);
    if (lookup)
        return lookup;
    Container = found;
    return TError::Success();
}
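TError TClient::IdentifyClient(TContainerHolder &holder, bool initial) {
    // Resolve who is talking to us on Fd and on whose behalf the request is
    // executed.  Fills Pid, TaskCred, ClientContainer, Comm, Cred and
    // ReadOnlyAccess.  Returns a non-success TError when the peer credentials
    // cannot be read, the peer's container cannot be found, or porto is
    // disabled in that container.
    //
    // SECURITY NOTE: SO_PEERCRED returns the pid/uid/gid the kernel recorded
    // for this connection (for AF_UNIX stream sockets, the connect()-time
    // values), so the "same client" shortcut below cannot observe a later
    // credential change of the peer; it merely avoids redoing the container
    // lookup while the previously found container object is still alive.
    // NOTE(review): the shortcut checks that the container still exists, not
    // that Pid still belongs to it -- confirm a client cannot be moved
    // between containers after it connected, or drop the shortcut.
    struct ucred cr;
    socklen_t len = sizeof(cr);
    TError error;

    if (getsockopt(Fd, SOL_SOCKET, SO_PEERCRED, &cr, &len))
        return TError(EError::Unknown, errno, "Cannot identify client: getsockopt() failed");

    /* check that request from the same pid and container is still here */
    if (!initial && Pid == cr.pid && TaskCred.Uid == cr.uid && TaskCred.Gid == cr.gid && !ClientContainer.expired())
        return TError::Success();

    // Raw peer identity, kept separately from the effective Cred below.
    TaskCred.Uid = cr.uid;
    TaskCred.Gid = cr.gid;
    Pid = cr.pid;

    // Map the peer pid to its container.  ENOENT is treated as the expected
    // "not found" outcome and returned without logging; any other failure
    // is logged before being returned.
    std::shared_ptr<TContainer> ct;
    error = holder.FindTaskContainer(Pid, ct);
    if (error && error.GetErrno() != ENOENT)
        L_WRN() << "Cannot identify container of pid " << Pid << " : " << error << std::endl;
    if (error)
        return error;

    if (!ct->IsPortoEnabled())
        return TError(EError::Permission, "Porto disabled in container " + ct->GetName());
    ClientContainer = ct;

    // Process name, best effort and for diagnostics only -- it is never used
    // for authorization.  The read is bounded to 64 bytes.
    error = TPath("/proc/" + std::to_string(Pid) + "/comm").ReadAll(Comm, 64);
    if (error) {
        Comm = "<unknown process>";
    } else if (!Comm.empty() && Comm.back() == '\n') {
        /* cut \n at the end; guarded so an empty read cannot underflow the
         * resize (length() - 1 on an empty string wraps around) */
        Comm.pop_back();
    }

    if (ct->IsRoot()) {
        /* host-level clients act as themselves: uid/gid from the socket peer,
         * plus their supplementary groups */
        Cred.Uid = cr.uid;
        Cred.Gid = cr.gid;
        error = LoadGroups();
        if (error && error.GetErrno() != ENOENT)
            L_WRN() << "Cannot load supplementary group list of pid " << Pid << " : " << error << std::endl;
    } else {
        /* requests from containers are executed in behalf of their owners */
        Cred = ct->OwnerCred;
    }

    // Only porto users get write access; everyone else is read-only.
    ReadOnlyAccess = !Cred.IsPortoUser();
    return TError::Success();
}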
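TError TClient::IdentifyClient(TContainerHolder &holder, bool initial) {
    // Identify the peer on Fd: fills Pid, Cred (peer uid/gid plus supplementary
    // groups), Comm, ReadOnlyAccess and ClientContainer.  Returns a non-success
    // TError when the peer credentials cannot be read, the peer's container
    // cannot be found, or porto is disabled in that container.
    //
    // SECURITY NOTE: SO_PEERCRED returns the pid/uid/gid the kernel recorded
    // for this connection (for AF_UNIX stream sockets, the connect()-time
    // values), so the "same client" shortcut below cannot observe a later
    // credential change of the peer; it merely avoids redoing the container
    // lookup while the previously found container object is still alive.
    // NOTE(review): Cred here is the peer's own uid/gid even when the peer
    // lives in a non-root container, so IsPortoUser() is evaluated on a uid
    // reported from inside that container -- confirm this is intended rather
    // than executing the request on behalf of the container owner.
    struct ucred cr;
    socklen_t len = sizeof(cr);
    TError error;

    if (getsockopt(Fd, SOL_SOCKET, SO_PEERCRED, &cr, &len))
        return TError(EError::Unknown, errno, "Cannot identify client: getsockopt() failed");

    /* same pid and credentials, and the container found last time still exists */
    if (!initial && Pid == cr.pid && Cred.Uid == cr.uid && Cred.Gid == cr.gid && !ClientContainer.expired())
        return TError::Success();

    Cred.Uid = cr.uid;
    Cred.Gid = cr.gid;
    Pid = cr.pid;

    // Process name, best effort and for diagnostics only -- it is never used
    // for authorization.  The read is bounded to 64 bytes.
    error = TPath("/proc/" + std::to_string(Pid) + "/comm").ReadAll(Comm, 64);
    if (error) {
        Comm = "<unknown process>";
    } else if (!Comm.empty() && Comm.back() == '\n') {
        /* cut \n at the end; guarded so an empty read cannot underflow the
         * resize (length() - 1 on an empty string wraps around) */
        Comm.pop_back();
    }

    // Supplementary groups; a missing list (ENOENT) is silently tolerated.
    error = LoadGroups();
    if (error && error.GetErrno() != ENOENT)
        L_WRN() << "Cannot load supplementary group list of pid " << Pid << " : " << error << std::endl;

    // Only porto users get write access; everyone else is read-only.
    ReadOnlyAccess = !Cred.IsPortoUser();

    // Map the peer pid to its container.  ENOENT is treated as the expected
    // "not found" outcome and returned without logging; any other failure is
    // logged before being returned.  Note that Pid/Cred/ReadOnlyAccess have
    // already been updated at this point even if the lookup fails.
    std::shared_ptr<TContainer> container;
    error = holder.FindTaskContainer(Pid, container);
    if (error && error.GetErrno() != ENOENT)
        L_WRN() << "Cannot identify container of pid " << Pid << " : " << error << std::endl;
    if (error)
        return error;

    if (!container->Prop->Get<bool>(P_ENABLE_PORTO))
        return TError(EError::Permission, "Porto disabled in container " + container->GetName());
    ClientContainer = container;
    return TError::Success();
}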