vmm: notify virtio-console of pty resizes
When a pty is resized (using the TIOCSWINSZ ioctl -- see ioctl_tty(2)),
the kernel will send a SIGWINCH signal to the pty's foreground process
group to notify it of the resize. This is the only way to be notified
by the kernel of a pty resize.
We can't just make the cloud-hypervisor process's process group the
foreground process group though, because a process can only set the
foreground process group of its controlling terminal, and
cloud-hypervisor's controlling terminal will often be the terminal the
user is running it in. To work around this, we fork a subprocess in a
new process group, and set its process group to be the foreground
process group of the pty. The subprocess additionally must be running
in a new session so that it can have a different controlling
terminal. This subprocess writes a byte to a pipe every time the pty
is resized, and the virtio-console device can listen for this in its
epoll loop.
Alternatives I considered were to have the subprocess just send
SIGWINCH to its parent, and to use an eventfd instead of a pipe.
I decided against the signal approach because re-purposing a signal
that has a very specific meaning (even if this use was only slightly
different to its normal meaning) felt unclean, and because it would
have required using pidfds to avoid race conditions if
cloud-hypervisor had terminated, which added complexity. I decided
against using an eventfd because using a pipe instead allows the child
to be notified (via poll(2)) when nothing is reading from the pipe any
more, meaning it can be reliably notified of parent death and
terminate itself immediately.
I used clone3(2) instead of fork(2) because without
CLONE_CLEAR_SIGHAND the subprocess would inherit signal-hook's signal
handlers, and there's no other straightforward way to restore all signal
handlers to their defaults in the child process. The only way to do
it would be to iterate through all possible signals, or maintain a
global list of monitored signals ourselves (vmm:vm::HANDLED_SIGNALS is
insufficient because it doesn't take into account e.g. the SIGSYS
signal handler that catches seccomp violations).
Signed-off-by: Alyssa Ross <hi@alyssa.is>
2021-09-10 11:12:17 +00:00
|
|
|
// Copyright 2021 Alyssa Ross <hi@alyssa.is>
|
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
|
|
use crate::clone3::{clone3, clone_args, CLONE_CLEAR_SIGHAND};
|
|
|
|
|
use libc::{
|
|
|
|
|
c_int, c_void, close, getpgrp, ioctl, pipe2, poll, pollfd, setsid, sigemptyset, siginfo_t,
|
|
|
|
|
sigprocmask, tcsetpgrp, O_CLOEXEC, POLLERR, SIGWINCH, SIG_SETMASK, STDIN_FILENO, STDOUT_FILENO,
|
|
|
|
|
TIOCSCTTY,
|
|
|
|
|
};
|
|
|
|
|
use seccompiler::{apply_filter, BpfProgram};
|
|
|
|
|
use std::cell::RefCell;
|
|
|
|
|
use std::fs::File;
|
|
|
|
|
use std::io::{self, ErrorKind, Read, Write};
|
|
|
|
|
use std::mem::size_of;
|
|
|
|
|
use std::mem::MaybeUninit;
|
|
|
|
|
use std::os::unix::prelude::*;
|
|
|
|
|
use std::process::exit;
|
|
|
|
|
use std::ptr::null_mut;
|
|
|
|
|
use vmm_sys_util::signal::register_signal_handler;
|
|
|
|
|
|
|
|
|
|
thread_local! {
|
|
|
|
|
// The tty file descriptor is stored in a global variable so it
|
|
|
|
|
// can be accessed by a signal handler.
|
|
|
|
|
static TX: RefCell<Option<File>> = RefCell::new(None);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn with_tx<R, F: FnOnce(&File) -> R>(f: F) -> R {
|
|
|
|
|
TX.with(|tx| f(tx.borrow().as_ref().unwrap()))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// This function has to be safe to call from a signal handler, and
|
|
|
|
|
// therefore must not panic.
|
|
|
|
|
fn notify() {
|
|
|
|
|
if let Err(e) = with_tx(|mut tx| tx.write_all(b"\n")) {
|
|
|
|
|
if e.kind() == ErrorKind::BrokenPipe {
|
|
|
|
|
exit(0);
|
|
|
|
|
}
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
extern "C" fn sigwinch_handler(_signo: c_int, _info: *mut siginfo_t, _unused: *mut c_void) {
|
|
|
|
|
notify();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn unblock_all_signals() -> io::Result<()> {
|
|
|
|
|
let mut set = MaybeUninit::uninit();
|
|
|
|
|
if unsafe { sigemptyset(set.as_mut_ptr()) } == -1 {
|
|
|
|
|
return Err(io::Error::last_os_error());
|
|
|
|
|
}
|
|
|
|
|
let set = unsafe { set.assume_init() };
|
|
|
|
|
|
|
|
|
|
if unsafe { sigprocmask(SIG_SETMASK, &set, null_mut()) } == -1 {
|
|
|
|
|
return Err(io::Error::last_os_error());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn sigwinch_listener_main(seccomp_filter: BpfProgram, tx: File, tty: &File) -> ! {
|
|
|
|
|
TX.with(|opt| opt.replace(Some(tx)));
|
|
|
|
|
|
|
|
|
|
unsafe {
|
|
|
|
|
close(STDIN_FILENO);
|
|
|
|
|
close(STDOUT_FILENO);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
unblock_all_signals().unwrap();
|
|
|
|
|
|
2021-11-16 13:56:45 +00:00
|
|
|
if !seccomp_filter.is_empty() {
|
|
|
|
|
apply_filter(&seccomp_filter).unwrap();
|
|
|
|
|
}
|
vmm: notify virtio-console of pty resizes
When a pty is resized (using the TIOCSWINSZ ioctl -- see ioctl_tty(2)),
the kernel will send a SIGWINCH signal to the pty's foreground process
group to notify it of the resize. This is the only way to be notified
by the kernel of a pty resize.
We can't just make the cloud-hypervisor process's process group the
foreground process group though, because a process can only set the
foreground process group of its controlling terminal, and
cloud-hypervisor's controlling terminal will often be the terminal the
user is running it in. To work around this, we fork a subprocess in a
new process group, and set its process group to be the foreground
process group of the pty. The subprocess additionally must be running
in a new session so that it can have a different controlling
terminal. This subprocess writes a byte to a pipe every time the pty
is resized, and the virtio-console device can listen for this in its
epoll loop.
Alternatives I considered were to have the subprocess just send
SIGWINCH to its parent, and to use an eventfd instead of a pipe.
I decided against the signal approach because re-purposing a signal
that has a very specific meaning (even if this use was only slightly
different to its normal meaning) felt unclean, and because it would
have required using pidfds to avoid race conditions if
cloud-hypervisor had terminated, which added complexity. I decided
against using an eventfd because using a pipe instead allows the child
to be notified (via poll(2)) when nothing is reading from the pipe any
more, meaning it can be reliably notified of parent death and
terminate itself immediately.
I used clone3(2) instead of fork(2) because without
CLONE_CLEAR_SIGHAND the subprocess would inherit signal-hook's signal
handlers, and there's no other straightforward way to restore all signal
handlers to their defaults in the child process. The only way to do
it would be to iterate through all possible signals, or maintain a
global list of monitored signals ourselves (vmm:vm::HANDLED_SIGNALS is
insufficient because it doesn't take into account e.g. the SIGSYS
signal handler that catches seccomp violations).
Signed-off-by: Alyssa Ross <hi@alyssa.is>
2021-09-10 11:12:17 +00:00
|
|
|
|
|
|
|
|
register_signal_handler(SIGWINCH, sigwinch_handler).unwrap();
|
|
|
|
|
|
|
|
|
|
unsafe {
|
|
|
|
|
// Create a new session (and therefore a new process group).
|
|
|
|
|
assert_ne!(setsid(), -1);
|
|
|
|
|
|
|
|
|
|
// Set the tty to be this process's controlling terminal.
|
|
|
|
|
assert_ne!(ioctl(tty.as_raw_fd(), TIOCSCTTY, 0), -1);
|
|
|
|
|
|
|
|
|
|
// Become the foreground process group of the tty.
|
|
|
|
|
assert_ne!(tcsetpgrp(tty.as_raw_fd(), getpgrp()), -1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
notify();
|
|
|
|
|
|
|
|
|
|
// Wait for the pipe to close, indicating the parent has exited.
|
|
|
|
|
with_tx(|tx| {
|
|
|
|
|
let mut pollfd = pollfd {
|
|
|
|
|
fd: tx.as_raw_fd(),
|
|
|
|
|
events: 0,
|
|
|
|
|
revents: 0,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
while unsafe { poll(&mut pollfd, 1, -1) } == -1 {
|
|
|
|
|
let e = io::Error::last_os_error();
|
2021-10-19 14:01:42 +00:00
|
|
|
assert!(
|
|
|
|
|
matches!(e.kind(), ErrorKind::Interrupted | ErrorKind::WouldBlock),
|
|
|
|
|
"poll: {}",
|
|
|
|
|
e
|
|
|
|
|
);
|
vmm: notify virtio-console of pty resizes
When a pty is resized (using the TIOCSWINSZ ioctl -- see ioctl_tty(2)),
the kernel will send a SIGWINCH signal to the pty's foreground process
group to notify it of the resize. This is the only way to be notified
by the kernel of a pty resize.
We can't just make the cloud-hypervisor process's process group the
foreground process group though, because a process can only set the
foreground process group of its controlling terminal, and
cloud-hypervisor's controlling terminal will often be the terminal the
user is running it in. To work around this, we fork a subprocess in a
new process group, and set its process group to be the foreground
process group of the pty. The subprocess additionally must be running
in a new session so that it can have a different controlling
terminal. This subprocess writes a byte to a pipe every time the pty
is resized, and the virtio-console device can listen for this in its
epoll loop.
Alternatives I considered were to have the subprocess just send
SIGWINCH to its parent, and to use an eventfd instead of a pipe.
I decided against the signal approach because re-purposing a signal
that has a very specific meaning (even if this use was only slightly
different to its normal meaning) felt unclean, and because it would
have required using pidfds to avoid race conditions if
cloud-hypervisor had terminated, which added complexity. I decided
against using an eventfd because using a pipe instead allows the child
to be notified (via poll(2)) when nothing is reading from the pipe any
more, meaning it can be reliably notified of parent death and
terminate itself immediately.
I used clone3(2) instead of fork(2) because without
CLONE_CLEAR_SIGHAND the subprocess would inherit signal-hook's signal
handlers, and there's no other straightforward way to restore all signal
handlers to their defaults in the child process. The only way to do
it would be to iterate through all possible signals, or maintain a
global list of monitored signals ourselves (vmm:vm::HANDLED_SIGNALS is
insufficient because it doesn't take into account e.g. the SIGSYS
signal handler that catches seccomp violations).
Signed-off-by: Alyssa Ross <hi@alyssa.is>
2021-09-10 11:12:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
assert_eq!(pollfd.revents, POLLERR);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
exit(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pub fn start_sigwinch_listener(seccomp_filter: BpfProgram, pty: &File) -> io::Result<File> {
|
|
|
|
|
let mut pipe = [-1; 2];
|
|
|
|
|
if unsafe { pipe2(pipe.as_mut_ptr(), O_CLOEXEC) } == -1 {
|
|
|
|
|
return Err(io::Error::last_os_error());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let mut rx = unsafe { File::from_raw_fd(pipe[0]) };
|
|
|
|
|
let tx = unsafe { File::from_raw_fd(pipe[1]) };
|
|
|
|
|
|
|
|
|
|
let mut args = clone_args::default();
|
|
|
|
|
args.flags |= CLONE_CLEAR_SIGHAND;
|
|
|
|
|
|
|
|
|
|
match unsafe { clone3(&mut args, size_of::<clone_args>()) } {
|
|
|
|
|
-1 => return Err(io::Error::last_os_error()),
|
|
|
|
|
0 => {
|
|
|
|
|
drop(rx);
|
|
|
|
|
sigwinch_listener_main(seccomp_filter, tx, pty);
|
|
|
|
|
}
|
|
|
|
|
_ => (),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
drop(tx);
|
|
|
|
|
|
|
|
|
|
// Wait for a notification indicating readiness.
|
|
|
|
|
rx.read_exact(&mut [0])?;
|
|
|
|
|
|
|
|
|
|
Ok(rx)
|
|
|
|
|
}
|
