
  1. diff --git a/configure.ac b/configure.ac
  2. index 2c8154c..c0afee9 100644
  3. --- a/configure.ac
  4. +++ b/configure.ac
  5. @@ -1243,6 +1243,19 @@ case "$BLCR" in
  6. *) AC_MSG_ERROR([--enable-blcr should be yes or no]) ;;
  7. esac
  8. +dnl
  9. +dnl enable IPC isolation
  10. +dnl
  11. +AC_MSG_CHECKING([whether to build ipc isolation support])
  12. +AC_ARG_ENABLE(ipc-isolation,
  13. + [ --enable-ipc-isolation enable ipc isolation support],
  14. + IPC=$enableval,IPC=no)
  15. +AC_MSG_RESULT($IPC)
  16. +case "$IPC" in
  17. + yes) AC_DEFINE([IPC_ISOLATION], 1, [Define to enable ipc isolation support]) ;;
  18. + no) : ;;
  19. + *) AC_MSG_ERROR([--enable-ipc-isolation should be yes or no]) ;;
  20. +esac
  21. dnl
  22. dnl enable Nvidia gpu support
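Review bot: The new --enable-ipc-isolation switch defines IPC_ISOLATION in the `yes)` branch without checking that the platform provides unshare() and CLONE_NEWIPC, which are Linux-specific, so a build enabled elsewhere only fails later when the guarded sources are compiled. Pairing the branch with a feature test, e.g. `AC_CHECK_FUNCS([unshare], [], [AC_MSG_ERROR([--enable-ipc-isolation requires unshare(2)])])`, reports the problem at configure time instead. The help text could also be wrapped as `AS_HELP_STRING([--enable-ipc-isolation], [enable ipc isolation support])` so it aligns with the rest of the generated --help output.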
  23. diff --git a/src/include/pbs_error_db.h b/src/include/pbs_error_db.h
  24. index 8c7aac9..6a4e11c 100644
  25. --- a/src/include/pbs_error_db.h
  26. +++ b/src/include/pbs_error_db.h
  27. @@ -266,6 +266,7 @@ PbsErrClient(PBSE_JOB_NOT_IN_QUEUE, (char *)"Job not found in queue.")
  28. PbsErrClient(PBSE_LOGIN_BUSY, (char *)"Login node is currently too busy to run a job")
  29. /* pbs client errors ceiling (max_client_err + 1) */
  30. +PbsErrClient(PBSE_BADIPC, "Failure of IPC namespace unsharing")
  31. PbsErrClient(PBSE_CEILING, (char*)0)
  32. #endif
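Review bot: The new PBSE_BADIPC entry is inserted between the `/* pbs client errors ceiling (max_client_err + 1) */` comment and `PbsErrClient(PBSE_CEILING, (char*)0)`, so the comment no longer sits directly above the sentinel it describes; placing the line above the comment keeps the ceiling and its comment together. The string literal also omits the `(char *)` cast that every neighbouring entry carries, i.e. `PbsErrClient(PBSE_BADIPC, (char *)"Failure of IPC namespace unsharing")`, which matters if the macro expands into a non-const `char *` field in some translation units.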
  33. diff --git a/src/lib/Libutils/u_users.c b/src/lib/Libutils/u_users.c
  34. index 5a0548a..50594ad 100644
  35. --- a/src/lib/Libutils/u_users.c
  36. +++ b/src/lib/Libutils/u_users.c
  37. @@ -9,6 +9,10 @@
  38. #include "log.h"
  39. #include "../Liblog/pbs_log.h"
  40. +#ifdef IPC_ISOLATION
  41. +#include <sched.h>
  42. +#endif
  43. +
  44. #define LDAP_RETRIES 5
  45. struct passwd *getpwnam_wrapper(const char *user_name);
  46. @@ -111,6 +115,12 @@ int setuid_ext(
  47. errno = 0;
  48. +#ifdef IPC_ISOLATION
  49. + rc = unshare(CLONE_NEWIPC)
  50. +
  51. + if (rc == 0)
  52. + {
  53. +#endif
  54. while (count < LDAP_RETRIES)
  55. {
  56. if (set_euid == TRUE)
  57. @@ -142,6 +152,9 @@ int setuid_ext(
  58. }
  59. }
  60. } /* end retry loop */
  61. +#ifdef IPC_ISOLATION
  62. + }
  63. +#endif
  64. return(rc);
  65. } /* END setuid_ext() */
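Review bot: The added `rc = unshare(CLONE_NEWIPC)` in the second hunk is missing its terminating semicolon, so any build configured with --enable-ipc-isolation fails to compile; it should read `rc = unshare(CLONE_NEWIPC);`. When unshare() fails the function skips the retry loop and reaches `return(rc)` with -1, which callers cannot tell apart from a setuid failure, and the `errno = 0` just above is then the only context left; logging the failure or returning a distinct value would make it diagnosable. CLONE_NEWIPC is only exposed by <sched.h> when _GNU_SOURCE is defined, and the first hunk adds the include without it — confirm the file defines _GNU_SOURCE before its includes. fork_to_user() in the requests.c section below already calls unshare(CLONE_NEWIPC) immediately before calling setuid_ext(), so with this change the child unshares twice and ends up in two nested IPC namespaces; one of the calls looks redundant. setuid_ext()'s body starts before this hunk.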
  66. diff --git a/src/resmom/requests.c b/src/resmom/requests.c
  67. index f7cddb5..06cfd62 100644
  68. --- a/src/resmom/requests.c
  69. +++ b/src/resmom/requests.c
  70. @@ -121,6 +121,10 @@
  71. #include <sys/category.h>
  72. #endif
  73. +#ifdef IPC_ISOLATION
  74. +#include <sched.h>
  75. +#endif
  76. +
  77. #ifdef HAVE_WORDEXP
  78. #include <wordexp.h>
  79. @@ -482,6 +486,15 @@ static pid_t fork_to_user(
  80. return(-PBSE_BADGRP);
  81. }
  82. +#ifdef IPC_ISOLATION
  83. + if (unshare(CLONE_NEWIPC) != 0)
  84. + {
  85. + /* cannot isolate IPC namespace */
  86. +
  87. + return(-PBSE_BADIPC);
  88. + }
  89. +#endif
  90. +
  91. if (setuid_ext(useruid, FALSE) == -1)
  92. {
  93. /* cannot run as the user */