lxc: add time namespace support

src/lxc/conf.c

@@ -2599,6 +2599,7 @@ struct lxc_conf *lxc_conf_init(void)
 	new->init_gid = 0;
 	memset(&new->cgroup_meta, 0, sizeof(struct lxc_cgroup));
 	memset(&new->ns_share, 0, sizeof(char *) * LXC_NS_MAX);
+	memset(&new->timens, 0, sizeof(struct timens_offsets));
 	seccomp_conf_init(new);
 
 	return new;

src/lxc/conf.h

@@ -233,6 +233,16 @@ struct device_item {
 	int global_rule;
 };
 
+struct timens_offsets {
+	/* Currently, either s_boot or ns_boot is set, but not both. */
+	int64_t s_boot;
+	int64_t ns_boot;
+
+	/* Currently, either s_monotonic or ns_monotonic is set, but not both. */
+	int64_t s_monotonic;
+	int64_t ns_monotonic;
+};
+
 struct lxc_conf {
 	/* Pointer to the name of the container. Do not free! */
 	const char *name;
@@ -401,6 +411,8 @@ struct lxc_conf {
 		/* Absolute path (in the container) to the shared mount point */
 		char *path_cont;
 	} shmount;
+
+	struct timens_offsets timens;
 };
 
 extern int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf,

src/lxc/file_utils.c

@@ -512,3 +512,30 @@ FILE *fdopen_cached(int fd, const char *mode, void **caller_freed_buffer)
 #endif
 	return f;
 }
+
+int timens_offset_write(clockid_t clk_id, int64_t s_offset, int64_t ns_offset)
+{
+	__do_close int fd = -EBADF;
+	int ret;
+	ssize_t len;
+	char buf[INTTYPE_TO_STRLEN(int) +
+		 STRLITERALLEN(" ") + INTTYPE_TO_STRLEN(int64_t) +
+		 STRLITERALLEN(" ") + INTTYPE_TO_STRLEN(int64_t) + 1];
+
+	if (clk_id == CLOCK_MONOTONIC_COARSE || clk_id == CLOCK_MONOTONIC_RAW)
+		clk_id = CLOCK_MONOTONIC;
+
+	fd = open("/proc/self/timens_offsets", O_WRONLY | O_CLOEXEC);
+	if (fd < 0)
+		return -errno;
+
+	len = snprintf(buf, sizeof(buf), "%d %" PRId64 " %" PRId64, clk_id, s_offset, ns_offset);
+	if (len < 0 || len >= sizeof(buf))
+		return ret_errno(EFBIG);
+
+	ret = lxc_write_nointr(fd, buf, len);
+	if (ret < 0 || (size_t)ret != len)
+		return -EIO;
+
+	return 0;
+}

src/lxc/file_utils.h

@@ -82,5 +82,6 @@ extern int lxc_open_dirfd(const char *dir);
 extern FILE *fdopen_cached(int fd, const char *mode, void **caller_freed_buffer);
 extern FILE *fopen_cached(const char *path, const char *mode,
 			  void **caller_freed_buffer);
+extern int timens_offset_write(clockid_t clk_id, int64_t s_offset, int64_t ns_offset);
 
 #endif /* __LXC_FILE_UTILS_H */

src/lxc/namespace.c

@@ -44,7 +44,8 @@ const struct ns_info ns_info[LXC_NS_MAX] = {
 	[LXC_NS_UTS]    =  { "uts",    CLONE_NEWUTS,    "CLONE_NEWUTS",    "LXC_UTS_NS"     },
 	[LXC_NS_IPC]    =  { "ipc",    CLONE_NEWIPC,    "CLONE_NEWIPC",    "LXC_IPC_NS"     },
 	[LXC_NS_NET]    =  { "net",    CLONE_NEWNET,    "CLONE_NEWNET",    "LXC_NET_NS"     },
-	[LXC_NS_CGROUP] =  { "cgroup", CLONE_NEWCGROUP, "CLONE_NEWCGROUP", "LXC_CGROUP_NS"  }
+	[LXC_NS_CGROUP] =  { "cgroup", CLONE_NEWCGROUP, "CLONE_NEWCGROUP", "LXC_CGROUP_NS"  },
+	[LXC_NS_TIME]	=  { "time",   CLONE_NEWTIME,   "CLONE_NEWTIME",   "LXC_TIME_NS"    },
 };
 
 int lxc_namespace_2_cloneflag(const char *namespace)

src/lxc/namespace.h

@@ -15,6 +15,7 @@ enum {
 	LXC_NS_IPC,
 	LXC_NS_NET,
 	LXC_NS_CGROUP,
+	LXC_NS_TIME,
 	LXC_NS_MAX
 };
 

src/lxc/start.c

@@ -1205,6 +1205,55 @@ static int do_start(void *data)
 		}
 	}
 
+	if (handler->ns_clone_flags & CLONE_NEWTIME) {
+		ret = unshare(CLONE_NEWTIME);
+		if (ret < 0) {
+			if (errno != EINVAL) {
+				SYSERROR("Failed to unshare CLONE_NEWTIME");
+				goto out_warn_father;
+			}
+
+			handler->ns_clone_flags &= ~CLONE_NEWTIME;
+			SYSINFO("Kernel does not support CLONE_NEWTIME");
+		} else {
+			__do_close int timens_fd = -EBADF;
+
+			INFO("Unshared CLONE_NEWTIME");
+
+			if (handler->conf->timens.s_boot)
+				ret = timens_offset_write(CLOCK_BOOTTIME, handler->conf->timens.s_boot, 0);
+			else if (handler->conf->timens.ns_boot)
+				ret = timens_offset_write(CLOCK_BOOTTIME, 0, handler->conf->timens.ns_boot);
+			if (ret) {
+				SYSERROR("Failed to write CLONE_BOOTTIME offset");
+				goto out_warn_father;
+			}
+			TRACE("Wrote CLOCK_BOOTTIME offset");
+
+			if (handler->conf->timens.s_monotonic)
+				ret = timens_offset_write(CLOCK_MONOTONIC, handler->conf->timens.s_monotonic, 0);
+			else if (handler->conf->timens.ns_monotonic)
+				ret = timens_offset_write(CLOCK_MONOTONIC, 0, handler->conf->timens.ns_monotonic);
+			if (ret) {
+				SYSERROR("Failed to write CLONE_MONOTONIC offset");
+				goto out_warn_father;
+			}
+			TRACE("Wrote CLOCK_MONOTONIC offset");
+
+			timens_fd = open("/proc/self/ns/time_for_children", O_RDONLY | O_CLOEXEC);
+			if (timens_fd < 0) {
+				SYSERROR("Failed to open \"/proc/self/ns/time_for_children\"");
+				goto out_warn_father;
+			}
+
+			ret = setns(timens_fd, CLONE_NEWTIME);
+ 			if (ret) {
+				SYSERROR("Failed to setns(%d(\"/proc/self/ns/time_for_children\"))", timens_fd);
+				goto out_warn_father;
+			}
+		}
+	}
+
 	/* Add the requested environment variables to the current environment to
 	 * allow them to be used by the various hooks, such as the start hook
 	 * below.
@@ -1452,6 +1501,8 @@ int resolve_clone_flags(struct lxc_handler *handler)
 {
 	int i;
 	struct lxc_conf *conf = handler->conf;
+	bool wants_timens = conf->timens.s_boot || conf->timens.ns_boot ||
+			    conf->timens.s_monotonic || conf->timens.ns_monotonic;
 
 	for (i = 0; i < LXC_NS_MAX; i++) {
 		if (conf->ns_keep) {
@@ -1470,6 +1521,9 @@ int resolve_clone_flags(struct lxc_handler *handler)
 			if (i == LXC_NS_CGROUP && !cgns_supported())
 				continue;
 
+			if (i == LXC_NS_TIME && !wants_timens)
+				continue;
+
 			handler->ns_clone_flags |= ns_info[i].clone_flag;
 		}
 
@@ -1480,6 +1534,9 @@ int resolve_clone_flags(struct lxc_handler *handler)
 		TRACE("Sharing %s namespace", ns_info[i].proc_name);
 	}
 
+	if (wants_timens && (conf->ns_keep & ns_info[LXC_NS_TIME].clone_flag))
+		return log_trace_errno(-1, EINVAL, "Requested to keep time namespace while also specifying offsets");
+
 	return 0;
 }
 
@@ -1614,6 +1671,9 @@ static int lxc_spawn(struct lxc_handler *handler)
 	/* The cgroup namespace gets unshare()ed not clone()ed. */
 	handler->ns_on_clone_flags &= ~CLONE_NEWCGROUP;
 
+	/* The time namespace (currently) gets unshare()ed not clone()ed. */
+	handler->ns_on_clone_flags &= ~CLONE_NEWTIME;
+
 	if (share_ns) {
 		pid_t attacher_pid;
 

src/lxc/string_utils.c

@@ -667,6 +667,51 @@ int lxc_safe_uint64(const char *numstr, uint64_t *converted, int base)
 	return 0;
 }
 
+int lxc_safe_int64_residual(const char *numstr, int64_t *converted, int base, char *residual,
+			    size_t residual_len)
+{
+	char *remaining = NULL;
+	int64_t u;
+
+	if (residual && residual_len == 0)
+		return ret_errno(EINVAL);
+
+	if (!residual && residual_len != 0)
+		return ret_errno(EINVAL);
+
+	while (isspace(*numstr))
+		numstr++;
+
+	errno = 0;
+	u = strtoll(numstr, &remaining, base);
+	if (errno == ERANGE && u == INT64_MAX)
+		return -ERANGE;
+
+	if (remaining == numstr)
+		return -EINVAL;
+
+	if (residual) {
+		size_t len = 0;
+
+		if (*remaining == '\0') {
+			memset(residual, 0, residual_len);
+			goto out;
+		}
+
+		len = strlen(remaining);
+		if (len >= residual_len)
+			return -EINVAL;
+
+		memcpy(residual, remaining, len);
+	} else if (*remaining != '\0') {
+		return -EINVAL;
+	}
+
+out:
+	*converted = u;
+	return 0;
+}
+
 int lxc_safe_int(const char *numstr, int *converted)
 {
 	char *err = NULL;

src/lxc/string_utils.h

@@ -76,6 +76,8 @@ extern int lxc_safe_long(const char *numstr, long int *converted);
 extern int lxc_safe_long_long(const char *numstr, long long int *converted);
 extern int lxc_safe_ulong(const char *numstr, unsigned long *converted);
 extern int lxc_safe_uint64(const char *numstr, uint64_t *converted, int base);
+extern int lxc_safe_int64_residual(const char *numstr, int64_t *converted, int base, char *residual,
+				   size_t residual_len);
 /* Handles B, kb, MB, GB. Detects overflows and reports -ERANGE. */
 extern int parse_byte_size_string(const char *s, int64_t *converted);