Golang syscall.Chroot函數代碼示例

func init() {
	reexec.Register("chrootwrite", func() {
		var rootfs, path string
		var uid, gid int
		flag.StringVar(&rootfs, "rootfs", "", "rootfs")
		flag.StringVar(&path, "path", "", "path")
		flag.IntVar(&uid, "uid", 0, "uid")
		flag.IntVar(&gid, "gid", 0, "gid")
		flag.Parse()

		if err := syscall.Chroot(rootfs); err != nil {
			panic(err)
		}

		if err := os.Chdir("/"); err != nil {
			panic(err)
		}

		var contents bytes.Buffer
		if _, err := io.Copy(&contents, os.Stdin); err != nil {
			panic(err)
		}

		w := RootfsWriter{}
		if err := w.writeFile(lager.NewLogger("chroot-write"), path, contents.Bytes(), rootfs, uid, gid); err != nil {
			panic(err)
		}
	})
}

func main() {
	flag.Parse()

	log.SetDebug(debug)
	diag.SetDebug(debug)

	if !debug {
		diag.SetOutput(ioutil.Discard)
	}

	root, err := getRootDir(podPid)
	if err != nil {
		log.FatalE("Failed to get pod root", err)
	}

	if err := os.Chdir(root); err != nil {
		log.FatalE("Failed to change to new root", err)
	}

	if err := syscall.Chroot(root); err != nil {
		log.FatalE("Failed to chroot", err)
	}

	diag.Println("PID:", podPid)
	diag.Println("APP:", appName)
	diag.Println("ARGS:", flag.Args())

	if err := execArgs(); err != nil {
		log.PrintE("exec failed", err)
	}

	os.Exit(254)
}

func prepare() {
	var rootfsPath = flag.String("rootfsPath", "", "rootfs path to chroot into")
	var uid = flag.Int("uid", 0, "uid to create directories as")
	var gid = flag.Int("gid", 0, "gid to create directories as")
	var perm = flag.Int("perm", 0755, "Mode to create the directory with")
	var recreate = flag.Bool("recreate", false, "whether to delete the directory before (re-)creating it")

	flag.Parse()

	runtime.LockOSThread()
	if err := syscall.Chroot(*rootfsPath); err != nil {
		panic(err)
	}

	if err := os.Chdir("/"); err != nil {
		panic(err)
	}

	for _, path := range flag.Args() {
		path, err := filepath.Abs(path)
		if err != nil {
			panic(err)
		}

		if *recreate {
			rmdir(path)
		}

		mkdir(path, *uid, *gid, os.FileMode(*perm))
	}
}

// EnterChroot changes the current directory to the path specified,
// and then calls chroot(2) with the same path.  This must be called
// while the process has CAP_SYS_CHROOT.
func EnterChroot(path string) (err error) {
	if err = syscall.Chdir(path); err != nil {
		return
	}
	if err = syscall.Chroot(path); err != nil {
		return
	}
	if err = syscall.Chdir("/"); err != nil {
		return
	}
	return
}

func main() {
	var root, cmd string
	var opts []string

	if len(os.Args) < 3 {
		panic("not enough arguments\n")
	}

	root = os.Args[1]
	cmd = os.Args[2]
	if len(os.Args) > 3 {
		opts = os.Args[3:len(os.Args)]
	}

	rs, err := os.Stat(root)
	if err != nil {
		if os.IsNotExist(err) {
			panic(fmt.Sprintf("'%s' does not exist, cannot chroot there!", root))
		} else {
			panic(fmt.Sprintf("Could not stat '%s': %s", root, err))
		}
	} else {
		if !rs.Mode().IsDir() {
			panic(fmt.Sprintf("'%s' is not a directory, cannot chroot there!", root))
		}
	}

	fmt.Printf("root: %s, cmd: %s, opts: %s\n", root, cmd, opts)

	err = os.Chdir(root)
	if err != nil {
		panic(fmt.Sprintf("chdir failed: %s", err))
	}

	err = syscall.Chroot(root)
	if err != nil {
		panic(fmt.Sprintf("chroot failed: %s", err))
	}

	// we're going to exec right away in the child, CLONE_VFORK will block the
	// parent from being scheduled until the child starts up, see clone(2)
	pid, err := lnxns.NsFork(lnxns.CLONE_VFORK)

	if err == syscall.EINVAL {
		panic("OS returned EINVAL. Make sure your kernel configuration includes all CONFIG_*_NS options.")
	} else if err != nil {
		panic(fmt.Sprintf("lnxns.NsFork() failed: %s", err))
	}

	if pid != 0 {
		proc, _ := os.FindProcess(pid)
		proc.Wait()
	} else {
		err = syscall.Exec(cmd, opts, os.Environ())
		if err != nil {
			panic(fmt.Sprintf("exec failed: %s", err))
		}
		panic("impossible")
	}
}

func switchRoot(rootfs, subdir string, rmUsr bool) error {
	if err := syscall.Unmount(config.OEM, 0); err != nil {
		log.Debugf("Not umounting OEM: %v", err)
	}

	if subdir != "" {
		fullRootfs := path.Join(rootfs, subdir)
		if _, err := os.Stat(fullRootfs); os.IsNotExist(err) {
			if err := os.MkdirAll(fullRootfs, 0755); err != nil {
				log.Errorf("Failed to create directory %s: %v", fullRootfs, err)
				return err
			}
		}

		log.Debugf("Bind mounting mount %s to %s", fullRootfs, rootfs)
		if err := syscall.Mount(fullRootfs, rootfs, "", syscall.MS_BIND, ""); err != nil {
			log.Errorf("Failed to bind mount subdir for %s: %v", fullRootfs, err)
			return err
		}
	}

	for _, i := range []string{"/dev", "/sys", "/proc", "/run"} {
		log.Debugf("Moving mount %s to %s", i, path.Join(rootfs, i))
		if err := os.MkdirAll(path.Join(rootfs, i), 0755); err != nil {
			return err
		}
		if err := syscall.Mount(i, path.Join(rootfs, i), "", syscall.MS_MOVE, ""); err != nil {
			return err
		}
	}

	if err := copyMoveRoot(rootfs, rmUsr); err != nil {
		return err
	}

	log.Debugf("chdir %s", rootfs)
	if err := syscall.Chdir(rootfs); err != nil {
		return err
	}

	log.Debugf("mount MS_MOVE %s", rootfs)
	if err := syscall.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {
		return err
	}

	log.Debug("chroot .")
	if err := syscall.Chroot("."); err != nil {
		return err
	}

	log.Debug("chdir /")
	if err := syscall.Chdir("/"); err != nil {
		return err
	}

	log.Debugf("Successfully moved to new root at %s", path.Join(rootfs, subdir))
	os.Unsetenv("DOCKER_RAMDISK")

	return nil
}

func (d *Context) child() (err error) {
	if initialized {
		return os.ErrInvalid
	}
	initialized = true

	decoder := json.NewDecoder(os.Stdin)
	if err = decoder.Decode(d); err != nil {
		return
	}

	if err = syscall.Close(0); err != nil {
		return
	}
	if err = syscall.Dup2(3, 0); err != nil {
		return
	}

	if len(d.PidFileName) > 0 {
		d.pidFile = NewLockFile(os.NewFile(4, d.PidFileName))
		if err = d.pidFile.WritePid(); err != nil {
			return
		}
	}

	if d.Umask != 0 {
		syscall.Umask(int(d.Umask))
	}
	if len(d.Chroot) > 0 {
		err = syscall.Chroot(d.Chroot)
	}

	return
}

func main() {
	documentRoot := flag.String("d", "", "Document Root (default: none)")
	portNumber := flag.String("p", "80", "Port number used by AMS for listening connections")
	flag.Parse()

	if *documentRoot == "" {
		fmt.Printf("Please specify the document root for the web server with -d <document root>")
		return
	}

	mp4.Debug(false)

	err := syscall.Chroot(*documentRoot)
	if err != nil {
		fmt.Printf("Please run Afrostream Media Server as root, cannot chroot the document root directory for security: %v", err)
		return
	}

	listenPort := ":" + *portNumber
	log.Printf(" [*] Running Afrostream Media Server on %s, To exit press CTRL+C", listenPort)
	http.HandleFunc("/", httpRootServer)
	http.ListenAndServe(listenPort, nil)

	return
}

func runChroot(cmd *cobra.Command, args []string) {
	runtime.LockOSThread()
	err := syscall.Chroot(flagChroot)
	if err != nil {
		errAndExit("couldn't chroot: %v", err)
	}
	err = os.Chdir("/")
	if err != nil {
		errAndExit("couldn't cd: %v", err)
	}

	if flagWorkingDir != "" {
		err = os.Chdir(flagWorkingDir)
		if err != nil {
			errAndExit("couldn't cd: %v", err)
		}
	}

	execCmd := exec.Command(flagCmd, flagArgs...)
	execCmd.Env = flagEnv
	execCmd.Stdin = os.Stdin
	execCmd.Stdout = os.Stdout
	execCmd.Stderr = os.Stderr
	err = execCmd.Run()
	if err != nil {
		if exitErr, ok := err.(*exec.ExitError); ok {
			code := exitErr.Sys().(syscall.WaitStatus).ExitStatus()
			os.Exit(code)
		}
		errAndExit("%v", err)
	}
}

func main() {
	flag.Usage = usage
	flag.Parse()
	if flag.NArg() < 1 {
		usage()
	}
	args := flag.Args()

	ck(syscall.Chroot(args[0]))
	ck(syscall.Chdir("/"))

	var cmd *exec.Cmd
	if len(args) == 1 {
		shell := os.Getenv("SHELL")
		if shell == "" {
			shell = "/bin/sh"
		}
		cmd = exec.Command(shell, "-i")
	} else {
		cmd = exec.Command(args[1], args[2:]...)
	}
	cmd.Stdin = os.Stdin
	cmd.Stderr = os.Stderr
	cmd.Stdout = os.Stdout
	ck(cmd.Run())
}

func realChroot(path string) error {
	if err := syscall.Chroot(path); err != nil {
		return fmt.Errorf("Error after fallback to chroot: %v", err)
	}
	if err := syscall.Chdir("/"); err != nil {
		return fmt.Errorf("Error changing to new root after chroot: %v", err)
	}
	return nil
}

func msMoveRoot(rootfs string) error {
	if err := syscall.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {
		return err
	}
	if err := syscall.Chroot("."); err != nil {
		return err
	}
	return syscall.Chdir("/")
}

// Chroot runs a command with a changed root.
func Chroot(wd string, cmd *exec.Cmd) error {
	err := syscall.Chroot(wd)
	if err != nil {
		return fmt.Errorf("couldn't chroot to directory %s: %+v", wd, err)
	}
	if err := cmd.Run(); err != nil {
		return fmt.Errorf("error while running command %+v: %+v", cmd, err)
	}
	return nil
}

func containerChroot(fsPath string) error {
	err := syscall.Mount(fsPath, "/", "", syscall.MS_MOVE, "")
	if err != nil {
		return err
	}
	err = syscall.Chroot(".")
	if err != nil {
		return err
	}
	return syscall.Chdir("/")
}

func MsMoveRoot(rootfs string) error {
	if err := syscall.Mount(rootfs, "/", "", syscall.MS_MOVE, ""); err != nil {
		return fmt.Errorf("mount move %s into / %s", rootfs, err)
	}

	if err := syscall.Chroot("."); err != nil {
		return fmt.Errorf("chroot . %s", err)
	}

	return syscall.Chdir("/")
}