[9front] Pitch for devskel

[9front] Pitch for devskel

[Jacob Moody]

I have been trying to find ergonomic ways of building
restricted namespaces. One issue that I keep running
in to, and that I've discussed before, is the need
for skeleton directories. Devskel is an iteration
on making these skeleton directories easier to create.

This adds a new device, '#z', that can be walked to
produce a single skeleton file or directory. For example walking

#z/ls

gives you a directory with a single empty 'ls' file within it.
A 'd' attach argument can be given to have this 'ls' file become
a empty directory instead:

#zd/ls

Each attach of '#z' can at most 'make up' one skeleton;
after the first walk from the root the hierarchy becomes stable.
The 'e' attach option instead makes the root directory always
empty.

An example of using this to build a /bin with only bind and ls.

term% bind -b '#zd/bin.new' /bin
term% bind '#z/ls' /bin/bin.new
term% bind -a '#z/bind' /bin/bin.new
term% ls /bin/bin.new
/bin/bin.new/bind
/bin/bin.new/ls
term% bind /bin/bind /bin/bin.new/bind
term% bind /bin/ls /bin/bin.new/ls
term% bind /bin/bin.new /bin
term% ls /bin/
/bin/bind
/bin/ls
term%

Why devskel instead of mntgen?

1. mntgen only exposes directories
2. mntgen permits more then a single directory to be made up
3. mntgen shows folders that other clients have walked to.

3 could just be labeled as a bug. 1 and 2 could be specified
in attach options but I am not sure what the semantics should be
for specifying both. Using mntgen would also require the use
of /srv, and I do prefer having this separated from /srv.


thanks,
moody

diff 926be5e34eb633bc3e22b013705f5474d21aa735 uncommitted
--- /dev/null
+++ b//sys/src/9/port/devskel.c
@@ -1,0 +1,237 @@
+#include	"u.h"
+#include	"../port/lib.h"
+#include	"mem.h"
+#include	"dat.h"
+#include	"fns.h"
+#include	"../port/error.h"
+
+#include	"netif.h"
+
+typedef struct Skel Skel;
+struct Skel {
+	int ref;
+	QLock lk;
+	char name[KNAMELEN];
+	char mode;
+};
+
+struct
+{
+	QLock lk;
+	ulong path;
+} skelalloc;
+
+enum{
+	Qroot,
+	Qdir,
+	Qskel,
+};
+
+static Chan*
+skelattach(char *spec)
+{
+	Chan *c;
+	Skel *f;
+	uvlong path;
+
+	c = devattach('z', spec);
+
+	f = smalloc(sizeof *f);
+	if(spec != nil && spec[0] != '\0' && strchr("de", spec[0]) != nil)
+		f->mode = spec[0];
+	else
+		f->mode = 'f';
+
+	f->ref = 1;
+
+	qlock(&skelalloc.lk);
+	path = skelalloc.path++;
+	qunlock(&skelalloc.lk);
+
+	mkqid(&c->qid, NETQID(path, Qroot), 0, QTDIR);
+	c->aux = f;
+	return c;
+}
+
+static int
+step(Chan *c, Dir *dp, int direction)
+{
+	Skel *f;
+	Qid qid;
+	ulong perm;
+	uvlong path;
+	char *name;
+
+	perm = 0555|DMDIR;
+	path = NETTYPE(c->qid.path);
+	f = c->aux;
+	name = f->name;
+
+	path += direction;
+	if(!f->name[0] && path != Qroot)
+		return -1;
+
+	switch(path){
+	case Qroot:
+		mkqid(&qid, Qroot, 0, QTDIR);
+		name = "#z";
+		break;
+	case Qdir:
+		mkqid(&qid, Qdir, 0, QTDIR);
+		break;
+	case Qskel:
+		switch(f->mode){
+		case 'd':
+			mkqid(&qid, Qskel, 0, QTDIR);
+			break;
+		case 'f':
+		default:
+			mkqid(&qid, Qskel, 0, QTFILE);
+			perm = 0666;
+			break;
+		}
+		break;
+	default:
+		return -1;
+	}
+
+	qid.path = NETQID(NETID(c->qid.path), qid.path);
+	devdir(c, qid, name, 0, eve, perm, dp);
+	return 1;
+}
+
+
+static int
+skelgen(Chan *c, char *name, Dirtab *, int, int s, Dir *dp)
+{
+	Skel *f;
+
+	f = c->aux;
+	//First walk away from root
+	if(name && !f->name[0] && f->mode != 'e' && NETTYPE(c->qid.path) == Qroot)
+		utfecpy(f->name, f->name + sizeof f->name, name);
+
+	if(s != DEVDOTDOT)
+		s++;
+
+	return step(c, dp, s);
+}
+
+static Walkqid*
+skelwalk(Chan *c, Chan *nc, char **name, int nname)
+{
+	Walkqid *wq;
+	Skel *f;
+
+	f = c->aux;
+	qlock(&f->lk);
+	if(waserror()){
+		qunlock(&f->lk);
+		nexterror();
+	}
+
+	wq = devwalk(c, nc, name, nname, nil, 0, skelgen);
+	if(wq != nil && wq->clone != nil && wq->clone != c){
+		if(f->ref <= 0)
+			panic("devskel ref");
+		f->ref++;
+	}
+	qunlock(&f->lk);
+	poperror();
+	return wq;
+}
+
+static Chan*
+skelopen(Chan *c, int omode)
+{
+	if(!(c->qid.type & QTDIR))
+		error(Eperm);
+	if(omode != OREAD)
+		error(Ebadarg);
+
+	c->mode = omode;
+	c->flag |= COPEN;
+	c->offset = 0;
+	return c;
+}
+
+static void
+skelclose(Chan *c)
+{
+	Skel *f;
+
+	f = c->aux;
+	qlock(&f->lk);
+	f->ref--;
+	if(f->ref == 0){
+		qunlock(&f->lk);
+		free(f);
+	} else
+		qunlock(&f->lk);
+}
+
+static long
+skelread(Chan *c, void *va, long n, vlong)
+{
+	Skel *f;
+	long nout;
+
+	if(!(c->qid.type & QTDIR))
+		error(Eperm);
+
+	f = c->aux;
+	qlock(&f->lk);
+	if(waserror()){
+		qunlock(&f->lk);
+		nexterror();
+	}
+	nout = devdirread(c, va, n, nil, 0, skelgen);
+	qunlock(&f->lk);
+	poperror();
+	return nout;
+}
+
+static long
+skelwrite(Chan *, void *, long, vlong)
+{
+	error(Eperm);
+	return 0;
+}
+
+static int
+skelstat(Chan *c, uchar *db, int n)
+{
+	Skel *f;
+	Dir dir;
+
+	f = c->aux;
+	qlock(&f->lk);
+	step(c, &dir, 0);
+	qunlock(&f->lk);
+
+	n = convD2M(&dir, db, n);
+	if(n < BIT16SZ)
+		error(Eshortstat);
+	return n;
+}
+
+Dev skeldevtab = {
+	'z',
+	"skel",
+
+	devreset,
+	devinit,
+	devshutdown,
+	skelattach,
+	skelwalk,
+	skelstat,
+	skelopen,
+	devcreate,
+	skelclose,
+	skelread,
+	devbread,
+	skelwrite,
+	devbwrite,
+	devremove,
+	devwstat,
+};

Re: [9front] Pitch for devskel

[Jacob Moody]

To further the case for this, I've worked on a userspace
application of the device in the form of auth/box.

The premise of auth/box is to setup a slim namespace
and execute a program as none.

-f and -d specify the files and directories to be included
in the new namespace. The absolute path is replicated
to the new namespace and the specified file/dir is bound
over the empty skeleton.

The specified files/dirs are stat'd to reveal their
device. Box then restricts devices to only those
found this way, the -e option specifies additional
devices.

An example of creating a box with /env, /bin/walk and /sys/log:

; auth/box -f /bin/walk -d /env -d /sys/log walk /
/sys/log/auth
/sys/log/boot
...
/sys/log
/sys
/env/terminal
/env/cputype
...
/env
/bin/walk
/bin
/


thanks,
moody

---
diff df92301d8fc8310fbfdf3de91b97a156ca0504d4 uncommitted
--- /dev/null
+++ b//sys/src/cmd/auth/box.c
@@ -1,0 +1,210 @@
+#include <u.h>
+#include <libc.h>
+#include <auth.h>
+
+static int debug;
+static int mountok;
+
+#define DEBUG if(debug)
+
+typedef struct List List;
+struct List {
+	char *s;
+	Rune dev;
+	List *next;
+};
+
+void
+addto(List *l, char *s)
+{
+	List *p;
+
+	for(p = l; p->s != nil && p->next != nil; p = p->next)
+		if(strcmp(p->s, s) == 0)
+			return;
+
+	if(p->s != nil){
+		p->next = mallocz(sizeof *p, 1);
+		p = p->next;
+
+	}
+	p->s = s;
+}
+
+void
+resolve(List *l)
+{
+	List *p;
+	char buf[8192];
+	int fd;
+	Dir *d;
+
+	fd = open(".", OREAD);
+	if(fd < 0)
+		sysfatal("could not open .: %r");
+	fd2path(fd, buf, sizeof buf);
+	for(p = l; p != nil; p = p->next){
+		if(p->s == nil)
+			continue;
+		cleanname(p->s);
+		switch(p->s[0]){
+		case '#':
+		case '/':
+			break;
+		case '.':
+			if(p->s[1] == '/')
+				break;
+		default:
+			p->s = cleanname(smprint("%s/%s", buf, p->s));
+		}
+		d = dirstat(p->s);
+		if(d == nil){
+			p->s = nil;
+			continue;
+		}
+		p->dev = d->type;
+		free(d);
+	}
+
+	close(fd);
+}
+
+void
+mimic(char *newroot, List *l, int type)
+{
+	char *parts[32];
+	char src[8192], targ[8192], dir[8192], skel[8192];
+	char mode;
+	List *p;
+	int n, i;
+
+	for(p = l; p != nil; p = p ->next){
+		if(p->s == nil)
+			continue;
+		snprint(src, sizeof src, "%s", p->s);
+		n = gettokens(src, parts, nelem(parts), "/");
+		snprint(targ, sizeof targ, "%s", newroot);
+		for(i = 0; i < n; i++){
+			snprint(dir, sizeof dir, "%s", targ);
+			snprint(targ, sizeof targ, "%s/%s", targ, parts[i]);
+			if(close(open(targ, OREAD)) >= 0)
+				continue;
+			if(i == n-1 && type == QTFILE)
+				mode = 'f';
+			else
+				mode = 'd';
+			snprint(skel, sizeof skel, "#z%c/%s", mode, parts[i]);
+			DEBUG print("bind -b %s %s\n", skel, dir);
+			bind(skel, dir, MBEFORE);
+		}
+		if(i > 0){
+			DEBUG print("bind %s %s\n", p->s, targ);
+			bind(p->s, targ, MREPL);
+		}
+	}
+	
+}
+
+void
+collectdevs(List *l, char *buf, int n)
+{
+	List *p;
+	for(p = l; p != nil; p = p->next){
+		if(!mountok && p->dev == 'M')
+			continue;
+		if(utfrune(buf, p->dev) == nil)
+			snprint(buf, n, "%s%C", buf, p->dev);
+	}
+}
+
+void
+run(char **a)
+{
+	exec(a[0], a);
+
+	if(a[0][0] != '/' && a[0][0] != '#' &&
+	  (a[0][0] != '.' || (a[0][1] != '/' &&
+		             (a[0][1] != '.' ||  a[0][2] != '/'))))
+		exec(smprint("/bin/%s", a[0]), a);
+
+	sysfatal("exec: %s: %r", a[0]);
+}
+
+void
+usage(void)
+{
+	fprint(2, "usage %s: [ -f file ] [ -d dir ] cmd args...\n", argv0);
+	exits("usage");
+}
+
+void
+main(int argc, char **argv)
+{
+	char newroot[8192];
+	char devs[1024];
+	int dfd;
+	char *p;
+	List files, dirs;
+	char *defargv[] = { "/bin/rc", "-i", nil };
+
+	dfd = -1;
+	mountok = 0;
+	memset(devs, 0, sizeof devs);
+	ARGBEGIN{
+	case 'M':
+		mountok = 1;
+		snprint(devs, sizeof devs, "%s%c", devs, 'M');
+		break;
+	case 'D':
+		debug = 1;
+		break;
+	case 'f':
+		addto(&files, EARGF(usage()));
+		break;
+	case 'd':
+		addto(&dirs, EARGF(usage()));
+		break;
+	case 'e':
+		p = EARGF(usage());
+		snprint(devs, sizeof devs, "%s%s", devs, p);
+		break;
+	default:
+		usage();
+		break;
+	}ARGEND
+
+	rfork(RFNAMEG|RFENVG);
+	snprint(newroot, sizeof newroot, "#zd/newroot.%d", getpid());
+
+	resolve(&files);
+	resolve(&dirs);
+	if(procsetuser("none") < 0)
+		sysfatal("cant become none: %r");
+	putenv("user", "none");
+	collectdevs(&files, devs, sizeof devs);
+	collectdevs(&dirs, devs, sizeof devs);
+	if(devs[0] != '\0'){
+		dfd = open("/dev/drivers", OWRITE);
+		if(dfd < 0)
+			sysfatal("cant open drivers: %r");
+	}
+
+	if(bind(newroot, "/", MBEFORE) < 0)
+		sysfatal("failed to bind: %r");
+
+	p = newroot + strlen("#zd");
+	mimic(p, &files, QTFILE);
+	mimic(p, &dirs, QTDIR);
+	if(bind(p, "/", MREPL) < 0)
+		sysfatal("failed to bind: %r");
+
+	if(devs[0] != '\0'){
+		DEBUG print("chdev %s\n", devs);
+		fprint(dfd, "chdev & %s", devs);
+		close(dfd);
+	}
+
+	if(argc == 0)
+		argv = defargv;
+	run(argv);
+}
--- a//sys/src/cmd/auth/mkfile
+++ b//sys/src/cmd/auth/mkfile
@@ -9,6 +9,7 @@
 	asn1dump\
 	asn12rsa\
 	authsrv\
+	box\
 	changeuser\
 	convkeys\
 	cron\

Re: [9front] Pitch for devskel

[Jacob Moody]

nicer version of auth/box

---
diff df92301d8fc8310fbfdf3de91b97a156ca0504d4 uncommitted
--- /dev/null
+++ b//sys/src/cmd/auth/box.c
@@ -1,0 +1,197 @@
+#include <u.h>
+#include <libc.h>
+#include <auth.h>
+
+static int debug;
+static int mountok;
+
+void
+binderr(char *new, char *old, int flag)
+{
+	char dash[4] = { '-' };
+
+	if(debug){
+		if(flag & MCREATE){
+			dash[2] = 'c';
+			flag &= ~MCREATE;
+		}
+		switch(flag){
+		case MREPL:
+			dash[0] = ' ';
+			if(dash[2] == 'c')
+				dash[1] = '-';
+			else
+				dash[1] = ' ';
+			break;
+		case MBEFORE:
+			dash[1] = 'b';
+			break;
+		case MAFTER:
+			dash[1] = 'a';
+			break;
+		}
+		print("bind %s %s %s\n", dash, new, old);
+	}
+	if(bind(new, old, flag) < 0)
+		sysfatal("bind: %r");
+}
+
+void
+resolve(char **names, int nname)
+{
+	int i;
+	char buf[8192];
+	int fd;
+
+	fd = open(".", OREAD|OCEXEC);
+	if(fd < 0)
+		sysfatal("could not open .: %r");
+	fd2path(fd, buf, sizeof buf);
+	for(i = 0; i < nname; i++){
+		if(names[i] == nil)
+			continue;
+		cleanname(names[i]);
+		switch(names[i][0]){
+		case '#':
+		case '/':
+			break;
+		case '.':
+			if(names[i][1] == '/')
+				break;
+		default:
+			names[i] = cleanname(smprint("%s/%s", buf, names[i]));
+		}	
+	}
+	close(fd);
+}
+
+char*
+mimic(char **names, int *flags, int nname)
+{
+	char *parts[32];
+	char devs[128];
+	char rootskel[128];
+	char src[8192], targ[8192], dir[8192], skel[8192];
+	char mode;
+	char *newroot;
+	Dir *d;
+	int i, j, n;
+
+	snprint(rootskel, sizeof rootskel, "#zd/newroot.%d", getpid());
+	binderr(rootskel, "/", MBEFORE);
+
+	memset(devs, 0, sizeof devs);
+	newroot = rootskel + strlen("#zd");
+
+	for(j = 0; j < nname; j++){
+		if(names[j] == nil)
+			continue;
+		n = gettokens(strdup(names[j]), parts, nelem(parts), "/");
+		snprint(targ, sizeof targ, "%s", newroot);
+		memset(src, 0, sizeof src);
+		for(i = 0; i < n; i++){
+			snprint(dir, sizeof dir, "%s", targ);
+			snprint(targ, sizeof targ, "%s/%s", targ, parts[i]);
+			snprint(src, sizeof src, "%s/%s", src, parts[i]);
+			d = dirstat(src);
+			if(d == nil)
+				continue;
+			if(d->mode & DMDIR)
+				mode = 'd';
+			else
+				mode = 'f';
+			if(mountok || d->type != L'M')
+				if(utfrune(devs, d->type) == nil)
+					snprint(devs, sizeof devs, "%s%C", devs, d->type);
+			free(d);
+			snprint(skel, sizeof skel, "#z%c/%s", mode, parts[i]);
+			binderr(skel, dir, MBEFORE);
+		}
+		binderr(names[j], targ, flags[j]);
+	}
+	binderr(newroot, "/", MREPL);
+	return strdup(devs);
+}
+
+void
+run(char **a)
+{
+	exec(a[0], a);
+
+	if(a[0][0] != '/' && a[0][0] != '#' &&
+	  (a[0][0] != '.' || (a[0][1] != '/' &&
+		             (a[0][1] != '.' ||  a[0][2] != '/'))))
+		exec(smprint("/bin/%s", a[0]), a);
+
+	sysfatal("exec: %s: %r", a[0]);
+}
+
+void
+usage(void)
+{
+	fprint(2, "usage %s: [ -DM ] [ -r file ] [ -c dir ] [ -e devs ] cmd args...\n", argv0);
+	exits("usage");
+}
+
+void
+main(int argc, char **argv)
+{
+	char devs[1024];
+	char *reqdevs;
+	int dfd;
+	char *parts[256];
+	int mflags[256];
+	int nparts;
+	char *defargv[] = { "/bin/rc", "-i", nil };
+
+	mountok = 0;
+	nparts = 0;
+	memset(devs, 0, sizeof devs);
+	ARGBEGIN{
+	case 'M':
+		mountok = 1;
+		snprint(devs, sizeof devs, "%s%c", devs, 'M');
+		break;
+	case 'D':
+		debug = 1;
+		break;
+	case 'r':
+		parts[nparts] = EARGF(usage());
+		mflags[nparts++] = MREPL;
+		break;
+	case 'c':
+		parts[nparts] = EARGF(usage());
+		mflags[nparts++] = MCREATE|MREPL;
+		break;
+	case 'e':
+		snprint(devs, sizeof devs, "%s%s", devs, EARGF(usage()));
+		break;
+	default:
+		usage();
+		break;
+	}ARGEND
+
+	rfork(RFNAMEG|RFENVG);
+	dfd = open("/dev/drivers", OWRITE|OCEXEC);
+	resolve(parts, nparts);
+
+	if(procsetuser("none") < 0)
+		sysfatal("cant become none: %r");
+	putenv("user", "none");
+
+	reqdevs = mimic(parts, mflags, nparts);
+	snprint(devs, sizeof devs, "%s%s", devs, reqdevs);
+
+	if(devs[0] != '\0'){
+		if(debug)
+			print("chdev %s\n", devs);
+		if(dfd < 0)
+			sysfatal("could not open /dev/drivers: %r");
+		if(fprint(dfd, "chdev & %s", devs) <= 0)
+			sysfatal("could not write chdev: %r");
+	}
+
+	if(argc == 0)
+		argv = defargv;
+	run(argv);
+}
--- a//sys/src/cmd/auth/mkfile
+++ b//sys/src/cmd/auth/mkfile
@@ -9,6 +9,7 @@
 	asn1dump\
 	asn12rsa\
 	authsrv\
+	box\
 	changeuser\
 	convkeys\
 	cron\

Re: [9front] Pitch for devskel

[ori]

Quoth Jacob Moody <moody@mail.posixcafe.org>:
> +	case 'M':
> +		mountok = 1;
> +		snprint(devs, sizeof devs, "%s%c", devs, 'M');
> +		break;

I think this should be allowed by default -- I we can
already allow programs to mess with their namespace
as they see fit using bind and unmount, and I don't
think mount should be any more privileged.

Actually, thinking about this more, I think that all
devices should be dropped by default (bind them in
if you care), and mounts should be allowed.

mimic seems like it'd be largely unneeded, since
you can already bind things into your ns before
boxing.

Re: [9front] Pitch for devskel

[Jacob Moody]

On 6/6/22 08:40, ori@eigenstate.org wrote:
> Quoth Jacob Moody <moody@mail.posixcafe.org>:
>> +	case 'M':
>> +		mountok = 1;
>> +		snprint(devs, sizeof devs, "%s%c", devs, 'M');
>> +		break;
> 
> I think this should be allowed by default -- I we can
> already allow programs to mess with their namespace
> as they see fit using bind and unmount, and I don't
> think mount should be any more privileged.

Sure. The only difference between mount
and bind is that mount does a new devmnt attach, potentially
doing authentication as part of that. Without the ability to
mount, a program can never reauthenticate to a fs.

> 
> Actually, thinking about this more, I think that all
> devices should be dropped by default (bind them in
> if you care), and mounts should be allowed.

Sure I am OK with that. Although binding them
in does not work for things like '#|', so a
devmask will likely still need to be supplied with -e
for such cases.

> mimic seems like it'd be largely unneeded, since
> you can already bind things into your ns before
> boxing.
> 

You _can_ just bind things in to your namespace,
and if you did you just wouldn't need auth/box.
The point of auth/box is take potentially deeply
nested/relative paths and to mimic that hierarchy
the the new root. Due to the restriction of devskel
to only permit one skeleton per attach. Mimicking some
hierarchies can be tedious. This removes that tedium.

For example to mimic /sys/log/www to newroot.
You need to do:

bind -b '#zd/sys' /newroot
bind '#zd/log' /newroot/sys
bind '#zf/www' /newroot/sys/log/
bind /sys/log/www /newroot/sys/log/www

The point of auth/* tools has always been to
assist in doing namespace operations for what
you could otherwise do yourself, just in a way
that is a bit more ergonomic.I also think the
auth/* also live as C examples for doing some of these
operations in other code.


Thanks,
Moody

Re: [9front] Pitch for devskel

[ori]

Quoth Jacob Moody <moody@mail.posixcafe.org>:
> 
> You _can_ just bind things in to your namespace,
> and if you did you just wouldn't need auth/box.
> The point of auth/box is take potentially deeply
> nested/relative paths and to mimic that hierarchy
> the the new root. Due to the restriction of devskel
> to only permit one skeleton per attach. Mimicking some
> hierarchies can be tedious. This removes that tedium.

I'm not disagreeing with that; I'm wondering if we can
drop the device munging part of it, and instead fix
references to '#'-devs throughout the tree.

Re: [9front] Pitch for devskel

[Jacob Moody]

On 6/6/22 09:24, ori@eigenstate.org wrote:
> Quoth Jacob Moody <moody@mail.posixcafe.org>:
>>
>> You _can_ just bind things in to your namespace,
>> and if you did you just wouldn't need auth/box.
>> The point of auth/box is take potentially deeply
>> nested/relative paths and to mimic that hierarchy
>> the the new root. Due to the restriction of devskel
>> to only permit one skeleton per attach. Mimicking some
>> hierarchies can be tedious. This removes that tedium.
> 
> I'm not disagreeing with that; I'm wondering if we can
> drop the device munging part of it, and instead fix
> references to '#'-devs throughout the tree.
> 
Yeah I perfectly content just blocking all devices
unless explicitly stated otherwise(through -e flag).
And yeah, there likely will need to be some code
that directly references devices through '#' in the
tree that we need to clean up.

I will clean up the device inference parts of this
code and rework how mount permissions are specified.


Thanks,
Moody