Merge #52

52: Update shared items config r=MikailBag a=MikailBag

- Make naming more consistent
- Add a name parameter (it can be later used in a
backend-specific configuration)

Co-authored-by: Mikail Bagishov <bagishov.mikail@yandex.ru>

Author: bors[bot]

minion-cli/src/main.rs

@@ -16,7 +16,7 @@ fn parse_env_item(src: &str) -> Result<EnvItem, &'static str> {
     })
 }
 
-fn parse_path_exposition_item(src: &str) -> Result<minion::SharedDir, String> {
+fn parse_path_exposition_item(src: &str) -> Result<minion::SharedItem, String> {
     let parts = src.splitn(3, ':').collect::<Vec<_>>();
     if parts.len() != 3 {
         return Err(format!(
@@ -32,16 +32,17 @@ fn parse_path_exposition_item(src: &str) -> Result<minion::SharedDir, String> {
         ));
     }
     let kind = match amask {
-        "rwx" => minion::SharedDirKind::Full,
-        "r-x" => minion::SharedDirKind::Readonly,
+        "rwx" => minion::SharedItemKind::Full,
+        "r-x" => minion::SharedItemKind::Readonly,
         _ => {
             return Err(format!(
                 "unknown access mask {}. rwx or r-x expected",
                 amask
             ));
         }
     };
-    Ok(minion::SharedDir {
+    Ok(minion::SharedItem {
+        id: None,
         src: parts[0].to_string().into(),
         dest: parts[2].to_string().into(),
         kind,
@@ -96,7 +97,7 @@ struct ExecOpt {
         long = "expose",
         parse(try_from_str = parse_path_exposition_item)
     )]
-    exposed_paths: Vec<minion::SharedDir>,
+    exposed_paths: Vec<minion::SharedItem>,
 
     /// Process working dir, relative to `isolation_root`
     #[structopt(short = "p", long = "pwd", default_value = "/")]
@@ -133,7 +134,7 @@ async fn main() {
             max_alive_process_count: options.num_processes.min(u32::max_value() as usize) as u32,
             memory_limit: options.memory_limit as u64,
             isolation_root: options.isolation_root.into(),
-            exposed_paths: options.exposed_paths,
+            shared_items: options.exposed_paths,
             cpu_time_limit: Duration::from_millis(u64::from(options.time_limit)),
             real_time_limit: Duration::from_millis(u64::from(options.time_limit * 3)),
         })

minion-ffi/src/lib.rs

@@ -102,7 +102,7 @@ pub struct SandboxOptions {
     pub process_limit: u32,
     pub memory_limit: u32,
     pub isolation_root: *const c_char,
-    pub shared_directories: *const SharedDirectoryAccess,
+    pub shared_items: *const SharedItem,
 }
 
 #[derive(Clone)]
@@ -161,19 +161,20 @@ pub unsafe extern "C" fn minion_sandbox_create(
     options: SandboxOptions,
     out: &mut *mut Sandbox,
 ) -> ErrorCode {
-    let mut exposed_paths = Vec::new();
+    let mut shared_items = Vec::new();
     unsafe {
-        let mut p = options.shared_directories;
+        let mut p = options.shared_items;
         while !(*p).host_path.is_null() {
-            let opt = minion::SharedDir {
+            let opt = minion::SharedItem {
+                id: None,
                 src: get_string((*p).host_path).into(),
                 dest: get_string((*p).sandbox_path).into(),
                 kind: match (*p).kind {
-                    SharedDirectoryAccessKind::Full => minion::SharedDirKind::Full,
-                    SharedDirectoryAccessKind::Readonly => minion::SharedDirKind::Readonly,
+                    SharedItemAccessKind::Full => minion::SharedItemKind::Full,
+                    SharedItemAccessKind::Readonly => minion::SharedItemKind::Readonly,
                 },
             };
-            exposed_paths.push(opt);
+            shared_items.push(opt);
             p = p.offset(1);
         }
     }
@@ -190,7 +191,7 @@ pub unsafe extern "C" fn minion_sandbox_create(
             options.real_time_limit.nanoseconds,
         ),
         isolation_root,
-        exposed_paths,
+        shared_items,
     };
     let d = backend.0.new_sandbox(opts);
     let d = d.unwrap();
@@ -250,24 +251,24 @@ pub struct ChildProcessOptions {
 }
 
 #[repr(C)]
-pub enum SharedDirectoryAccessKind {
+pub enum SharedItemAccessKind {
     Full,
     Readonly,
 }
 
 #[repr(C)]
-pub struct SharedDirectoryAccess {
-    pub kind: SharedDirectoryAccessKind,
+pub struct SharedItem {
+    pub kind: SharedItemAccessKind,
     pub host_path: *const c_char,
     pub sandbox_path: *const c_char,
 }
 
 // minion-ffi will never modify host_path or sandbox_path, so no races can occur
-unsafe impl Sync for SharedDirectoryAccess {}
+unsafe impl Sync for SharedItem {}
 
 #[no_mangle]
-pub static SHARED_DIRECTORY_ACCESS_FIN: SharedDirectoryAccess = SharedDirectoryAccess {
-    kind: SharedDirectoryAccessKind::Full, //doesn't matter
+pub static SHARED_DIRECTORY_ACCESS_FIN: SharedItem = SharedItem {
+    kind: SharedItemAccessKind::Full, //doesn't matter
     host_path: std::ptr::null(),
     sandbox_path: std::ptr::null(),
 };

minion-tests/src/worker.rs

@@ -21,10 +21,11 @@ async fn inner_main(test_cases: &[&'static dyn TestCase]) {
         max_alive_process_count: test_case.process_count_limit(),
         memory_limit: MEMORY_LIMIT_IN_BYTES,
         isolation_root: tempdir.path().to_path_buf(),
-        exposed_paths: vec![minion::SharedDir {
+        shared_items: vec![minion::SharedItem {
+            id: None,
             src: std::env::current_exe().unwrap(),
             dest: "/me".into(),
-            kind: minion::SharedDirKind::Readonly,
+            kind: minion::SharedItemKind::Readonly,
         }],
     };
     let sandbox = backend.new_sandbox(opts).expect("can not create sandbox");

src/lib.rs

@@ -51,18 +51,21 @@ pub use command::Command;
 ///
 /// Warning: this type is __unstable__ (i.e. not covered by SemVer) and __non-portable__
 #[derive(Serialize, Deserialize, Debug, Clone)]
-pub enum SharedDirKind {
+pub enum SharedItemKind {
     Readonly,
     Full,
 }
 
 #[derive(Serialize, Deserialize, Debug, Clone)]
-pub struct SharedDir {
+pub struct SharedItem {
+    /// Optional identifier.
+    /// It can be used to provide additional backend-specific settings.
+    pub id: Option<String>,
     /// Path on system
     pub src: PathBuf,
     /// Path for child
     pub dest: PathBuf,
-    pub kind: SharedDirKind,
+    pub kind: SharedItemKind,
 }
 
 /// This struct is returned by `Sandbox::resource_usage`
@@ -86,7 +89,7 @@ pub struct SandboxOptions {
     /// Specifies total wall-clock timer limit for whole sandbox
     pub real_time_limit: Duration,
     pub isolation_root: PathBuf,
-    pub exposed_paths: Vec<SharedDir>,
+    pub shared_items: Vec<SharedItem>,
 }
 
 impl SandboxOptions {
@@ -99,11 +102,11 @@ impl SandboxOptions {
     }
 
     fn postprocess(&mut self) {
-        let mut paths = std::mem::replace(&mut self.exposed_paths, Vec::new());
+        let mut paths = std::mem::replace(&mut self.shared_items, Vec::new());
         for x in &mut paths {
             x.dest = self.make_relative(&x.dest).to_path_buf();
         }
-        std::mem::swap(&mut paths, &mut self.exposed_paths);
+        std::mem::swap(&mut paths, &mut self.shared_items);
     }
 }
 

src/linux/jail_common.rs

@@ -1,4 +1,4 @@
-use crate::{linux::util::Pid, SharedDir};
+use crate::{linux::util::Pid, SharedItem};
 use rand::seq::SliceRandom;
 use serde::{Deserialize, Serialize};
 use std::{ffi::OsString, os::unix::io::RawFd, path::PathBuf, time::Duration};
@@ -14,7 +14,7 @@ pub(crate) struct JailOptions {
     /// Possible value: time_limit * 3.
     pub(crate) real_time_limit: Duration,
     pub(crate) isolation_root: PathBuf,
-    pub(crate) exposed_paths: Vec<SharedDir>,
+    pub(crate) shared_items: Vec<SharedItem>,
     pub(crate) jail_id: String,
     pub(crate) watchdog_chan: RawFd,
     pub(crate) allow_mount_ns_failure: bool,

src/linux/sandbox.rs

@@ -171,7 +171,7 @@ impl LinuxSandbox {
             cpu_time_limit: options.cpu_time_limit,
             real_time_limit: options.real_time_limit,
             isolation_root: options.isolation_root.clone(),
-            exposed_paths: options.exposed_paths.clone(),
+            shared_items: options.shared_items.clone(),
             jail_id: jail_id.clone(),
             watchdog_chan: write_end,
             allow_mount_ns_failure: settings.allow_unsupported_mount_namespace,

src/linux/zygote/setup.rs

@@ -8,7 +8,7 @@ use crate::{
         },
         Error,
     },
-    SharedDir, SharedDirKind,
+    SharedItem, SharedItemKind,
 };
 use nix::sys::signal;
 use std::{
@@ -49,7 +49,7 @@ fn configure_dir(dir_path: &Path) -> Result<(), Error> {
     Ok(())
 }
 
-fn expose_dir(jail_root: &Path, system_path: &Path, alias_path: &Path, kind: SharedDirKind) {
+fn expose_item(jail_root: &Path, system_path: &Path, alias_path: &Path, kind: SharedItemKind) {
     let bind_target = jail_root.join(alias_path);
     fs::create_dir_all(&bind_target).unwrap();
     let stat = fs::metadata(&system_path)
@@ -72,7 +72,7 @@ fn expose_dir(jail_root: &Path, system_path: &Path, alias_path: &Path, kind: Sha
             err_exit("mount");
         }
 
-        if let SharedDirKind::Readonly = kind {
+        if let SharedItemKind::Readonly = kind {
             let rem_ret = libc::mount(
                 ptr::null(),
                 bind_target.as_ptr(),
@@ -87,10 +87,10 @@ fn expose_dir(jail_root: &Path, system_path: &Path, alias_path: &Path, kind: Sha
     }
 }
 
-pub(crate) fn expose_dirs(expose: &[SharedDir], jail_root: &Path) {
+pub(crate) fn expose_items(expose: &[SharedItem], jail_root: &Path) {
     // mount --bind
     for x in expose {
-        expose_dir(jail_root, &x.src, &x.dest, x.kind.clone())
+        expose_item(jail_root, &x.src, &x.dest, x.kind.clone())
     }
 }
 
@@ -183,7 +183,7 @@ fn setup_time_watch(
 }
 
 fn setup_expositions(options: &JailOptions) {
-    expose_dirs(&options.exposed_paths, &options.isolation_root);
+    expose_items(&options.shared_items, &options.isolation_root);
 }
 
 fn setup_panic_hook() {