From 3d05266caeb6157926c12b4890be9f96f86a39e5 Mon Sep 17 00:00:00 2001
From: Shengjing Zhu
Date: Fri, 13 Jul 2018 13:23:14 +0800
Subject: [PATCH] lxc: encode device permission into configuration
Closes: #804
Signed-off-by: Shengjing Zhu
---
 src/anbox/cmds/session_manager.cpp | 6 +++---
 src/anbox/container/configuration.h | 6 ++++--
 src/anbox/container/lxc_container.cpp | 20 +++++++++----------
 src/anbox/container/lxc_container.h | 2 +-
 .../container/management_api_skeleton.cpp | 2 +-
 src/anbox/container/management_api_stub.cpp | 11 +++++-----
 src/anbox/protobuf/anbox_container.proto | 6 +++++-
 7 files changed, 30 insertions(+), 23 deletions(-)
diff --git a/src/anbox/cmds/session_manager.cpp b/src/anbox/cmds/session_manager.cpp
index 5ea1cc0..65ee603 100644
--- a/src/anbox/cmds/session_manager.cpp
+++ b/src/anbox/cmds/session_manager.cpp
@@ -249,9 +249,9 @@ anbox::cmds::SessionManager::SessionManager()
 };
 container_configuration.devices = {
- {"/dev/binder"},
- {"/dev/ashmem"},
- {"/dev/fuse"},
+ {"/dev/binder", {0666}},
+ {"/dev/ashmem", {0666}},
+ {"/dev/fuse", {0666}},
 };
 dispatcher->dispatch([&]() {
diff --git a/src/anbox/container/configuration.h b/src/anbox/container/configuration.h
index 99757cf..d380eea 100644
--- a/src/anbox/container/configuration.h
+++ b/src/anbox/container/configuration.h
@@ -20,13 +20,15 @@
 #include
 #include
-#include
 namespace anbox {
 namespace container {
+struct DeviceSpecification {
+ uint32_t permission;
+};
 struct Configuration {
 std::unordered_map bind_mounts;
- std::vector devices;
+ std::unordered_map devices;
 };
 } // namespace container
 } // namespace anbox
diff --git a/src/anbox/container/lxc_container.cpp b/src/anbox/container/lxc_container.cpp
index 8b8e785..c257582 100644
--- a/src/anbox/container/lxc_container.cpp
+++ b/src/anbox/container/lxc_container.cpp 
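Review bot: `DeviceSpecification::permission` in the configuration.h hunk is undocumented, and because it is an octal mode (`{0666}` in the session_manager.cpp hunk, where a decimal `666` would compile and mean something quite different) it deserves a comment such as `// access bits (octal, e.g. 0666) for the device node created in the container; file-type bits come from the host node`. The member is declared as `uint32_t` while the hunk only removes an `#include` (its name was lost in rendering); make sure `<cstdint>` is among the remaining includes or add it. A default initializer (`uint32_t permission{0};`) would avoid an indeterminate value in a default-constructed spec, at the cost of aggregate-ness on pre-C++14 toolchains.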
@@ -166,7 +166,7 @@ void LxcContainer::setup_network() {
 }
 }
-void LxcContainer::add_device(const std::string& device) {
+void LxcContainer::add_device(const std::string& device, const DeviceSpecification& spec) {
 struct stat st;
 int r = stat(device.c_str(), &st);
 if (r < 0) {
@@ -176,7 +176,7 @@ void LxcContainer::add_device(const std::string& device) {
 const auto major = device_major(st.st_rdev);
 const auto minor = device_minor(st.st_rdev);
- const auto mode = st.st_mode;
+ const auto mode = ((st.st_mode >> 9) << 9) | (spec.permission & ~(1 << 9));
 const auto new_device_name = fs::basename(device);
 const auto devices_path = fs::path(SystemConfiguration::instance().container_devices_dir());
 const auto new_device_path = (devices_path / new_device_name).string();
@@ -318,13 +318,13 @@ void LxcContainer::start(const Configuration &configuration) {
 auto devices = configuration.devices;
 // Additional devices we need in our container
- devices.push_back("/dev/console");
- devices.push_back("/dev/full");
- devices.push_back("/dev/null");
- devices.push_back("/dev/random");
- devices.push_back("/dev/tty");
- devices.push_back("/dev/urandom");
- devices.push_back("/dev/zero");
+ devices.insert({"/dev/console", {0600}});
+ devices.insert({"/dev/full", {0666}});
+ devices.insert({"/dev/null", {0666}});
+ devices.insert({"/dev/random", {0666}});
+ devices.insert({"/dev/tty", {0666}});
+ devices.insert({"/dev/urandom", {0666}});
+ devices.insert({"/dev/zero", {0666}});
 // Remove all left over devices from last time first before
 // creating any new ones
@@ -333,7 +333,7 @@ void LxcContainer::start(const Configuration &configuration) {
 fs::create_directories(devices_dir);
 for (const auto& device : devices)
- add_device(device);
+ add_device(device.first, device.second);
 if (!container_->save_config(container_, nullptr))
 throw std::runtime_error("Failed to save container configuration"); 
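Review bot: The new `mode` expression in the second hunk (`add_device`, around line 179) does not do what the surrounding code suggests: `(st.st_mode >> 9) << 9` keeps not only the file-type bits of the host node but also its setuid/setgid/sticky bits (04000/02000/01000), and `spec.permission & ~(1 << 9)` strips only the sticky bit from the requested permission, so a `permission` of, say, 04666 (constructed example) would yield a setuid device node inside the container. Since `permission` arrives over the management API without a range check (see the management_api_skeleton.cpp hunk), this is the place to mask it: `const auto mode = (st.st_mode & S_IFMT) | (spec.permission & 0777);`. A comment above it, `// keep the host node's type bits; take only the rwx bits from the configuration`, would make the intent checkable. The rest of add_device, where `mode` is consumed, lies outside the hunk.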
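Review bot: In the third hunk (`start`, the block of `devices.insert(...)` calls) `unordered_map::insert` leaves an existing key untouched, so a configuration that already lists `/dev/console` or any other default silently overrides the hard-coded entry, whereas the old `push_back` simply listed the device twice. If these defaults are meant to be authoritative, assign them instead, e.g. `devices["/dev/console"] = {0600};` for each entry (or `insert_or_assign` where C++17 is available); if callers are meant to be able to override them, say so in the `// Additional devices we need in our container` comment. Note also that iterating an `unordered_map` now creates the nodes in an unspecified order, which is fine as long as nothing in `add_device` depends on it.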
diff --git a/src/anbox/container/lxc_container.h b/src/anbox/container/lxc_container.h
index 4048e3c..4871014 100644
--- a/src/anbox/container/lxc_container.h
+++ b/src/anbox/container/lxc_container.h
@@ -40,7 +40,7 @@ class LxcContainer : public Container {
 void set_config_item(const std::string &key, const std::string &value);
 void setup_id_map();
 void setup_network();
- void add_device(const std::string& device);
+ void add_device(const std::string& device, const DeviceSpecification& spec);
 State state_;
 lxc_container *container_;
diff --git a/src/anbox/container/management_api_skeleton.cpp b/src/anbox/container/management_api_skeleton.cpp
index eed820c..565f7eb 100644
--- a/src/anbox/container/management_api_skeleton.cpp
+++ b/src/anbox/container/management_api_skeleton.cpp
@@ -55,7 +55,7 @@ void ManagementApiSkeleton::start_container(
 for (int n = 0; n < configuration.devices_size(); n++) {
 const auto device = configuration.devices(n);
- container_configuration.devices.push_back(device);
+ container_configuration.devices.insert({device.path(), {device.permission()}});
 }
 try {
diff --git a/src/anbox/container/management_api_stub.cpp b/src/anbox/container/management_api_stub.cpp
index 6c8bb99..6f900a2 100644
--- a/src/anbox/container/management_api_stub.cpp
+++ b/src/anbox/container/management_api_stub.cpp
@@ -45,13 +45,14 @@ void ManagementApiStub::start_container(const Configuration &configuration) {
 bind_mount_message->set_target(item.second);
 }
- message.set_allocated_configuration(message_configuration);
-
- for (const auto &device : configuration.devices) {
- auto d = message_configuration->add_devices();
- *d = device;
+ for (const auto &item: configuration.devices) {
+ auto device_message = message_configuration->add_devices();
+ device_message->set_path(item.first);
+ device_message->set_permission(item.second.permission);
 }
+
+ message.set_allocated_configuration(message_configuration);
+
 {
 std::lock_guard lock(mutex_);
 c->wh.expect_result(); 
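Review bot: In the management_api_skeleton.cpp hunk `const auto device = configuration.devices(n);` copies each protobuf message just to read two fields; `const auto& device = configuration.devices(n);` binds to the element instead. The new `insert` also drops a second entry with the same `path()` silently, while the old `push_back` kept both — if duplicate paths from the peer should be an error rather than first-wins, check the `bool` returned by `insert`. `device.permission()` is forwarded unchanged; whatever range restriction applies to it belongs where the node is created (`add_device` in lxc_container.cpp), and a one-line comment here saying that the value is validated there would spare the next reader the search.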
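Review bot: Moving `message.set_allocated_configuration(message_configuration);` below the loop in the management_api_stub.cpp hunk delays the ownership transfer: if `message_configuration` is a plain `new`-allocated message (its allocation is above the hunk, so this is inferred), an exception thrown while filling the devices — `set_path` can throw on allocation failure — now leaks it, whereas before the loop `message` already owned it and `add_devices()` through the raw pointer works the same either way. Keeping the `set_allocated_configuration` call where it was, before the loop, avoids the new leak path. Minor: `for (const auto &item: configuration.devices)` lacks the space before the colon that the removed line had; `for (const auto &item : configuration.devices)`.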
diff --git a/src/anbox/protobuf/anbox_container.proto b/src/anbox/protobuf/anbox_container.proto
index 7cc1542..c424c6a 100644
--- a/src/anbox/protobuf/anbox_container.proto
+++ b/src/anbox/protobuf/anbox_container.proto
@@ -7,8 +7,12 @@ message Configuration {
 required string source = 1;
 required string target = 2;
 }
+ message Devices {
+ required string path = 1;
+ required uint32 permission = 2;
+ }
 repeated BindMount bind_mounts = 1;
- repeated string devices = 2;
+ repeated Devices devices = 2;
 }
 message StartContainer {
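Review bot: The new message in the anbox_container.proto hunk is named `Devices` although each instance describes a single device; `Device` would match the singular `BindMount` beside it (`repeated Device devices = 2;`). The `permission` field should also say what it carries, since a bare `uint32` gives no hint that the value is a POSIX mode: `// POSIX access bits (octal, e.g. 0666) for the device node created in the container`. Renaming is cheap now and harder once the wire format is in use.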