CA-383491: Invoke pygrub in depriv mode

.github/workflows/0.150-lcm.yml

@@ -48,6 +48,9 @@ jobs:
           # invalidate cache daily, gets built daily using a scheduled job
           key: ${{ steps.cache-key.outputs.date }}-0.150
 
+      - name: Update Ubuntu repositories
+        run: sudo apt-get update
+
       - name: Use ocaml
         uses: avsm/setup-ocaml@v1
         with:

Makefile

@@ -44,6 +44,7 @@ install:
 	install -D ./scripts/common.py $(DESTDIR)/$(LIBEXECDIR)/common.py
 	install -D ./scripts/igmp_query_injector.py $(DESTDIR)/$(LIBEXECDIR)/igmp_query_injector.py
 	install -D ./scripts/qemu-wrapper $(DESTDIR)/$(QEMU_WRAPPER_DIR)/qemu-wrapper
+	install -D ./scripts/pygrub-wrapper $(DESTDIR)/$(QEMU_WRAPPER_DIR)/pygrub-wrapper
 	DESTDIR=$(DESTDIR) SBINDIR=$(SBINDIR) QEMU_WRAPPER_DIR=$(QEMU_WRAPPER_DIR) LIBEXECDIR=$(LIBEXECDIR) ETCDIR=$(ETCDIR) ./scripts/make-custom-xenopsd.conf
 
 uninstall:
@@ -70,5 +71,6 @@ uninstall:
 	rm -f $(DESTDIR)/$(LIBEXECDIR)/common.py*
 	rm -f $(DESTDIR)/$(LIBEXECDIR)/igmp_query_injector.py*
 	rm -f $(DESTDIR)/$(QEMU_WRAPPER_DIR)/qemu-wrapper
+	rm -f $(DESTDIR)/$(QEMU_WRAPPER_DIR)/pygrub-wrapper
 
 .DEFAULT_GOAL := release

lib/bootloader.ml

@@ -59,7 +59,7 @@ exception Error_from_bootloader of string
 type t = {kernel_path: string; initrd_path: string option; kernel_args: string}
 
 (** Helper function to generate a bootloader commandline *)
-let command bootloader q pv_bootloader_args image vm_uuid =
+let command bootloader q pv_bootloader_args image vm_uuid domid =
   (* Let's not do anything fancy while parsing the pv_bootloader_args string: no
      escaping of spaces or quotes for now *)
   let pv_bootloader_args =
@@ -77,6 +77,7 @@ let command bootloader q pv_bootloader_args image vm_uuid =
         [
           ["--output-format=simple"]
         ; q
+        ; [Printf.sprintf "--domid=%d" domid]
         ; (* --vm is unnecessary for pygrub and not supported upstream *)
           pv_bootloader_args
         ; image
@@ -221,11 +222,11 @@ let sanity_check_path p =
 (** Extract the default kernel using the -q option *)
 let extract (task : Xenops_task.task_handle) ~bootloader ~disk
     ?(legacy_args = "") ?(extra_args = "") ?(pv_bootloader_args = "")
-    ~vm:vm_uuid () =
+    ~vm:vm_uuid ~domid () =
   (* Without this path, pygrub will fail: *)
   Unixext.mkdir_rec "/var/run/xend/boot" 0o0755 ;
   let bootloader_path, cmdline =
-    command bootloader true pv_bootloader_args disk vm_uuid
+    command bootloader true pv_bootloader_args disk vm_uuid domid
   in
   debug "Bootloader commandline: %s %s\n" bootloader_path
     (String.concat " " cmdline) ;

lib/bootloader.mli

@@ -38,6 +38,7 @@ val extract :
   -> ?extra_args:string
   -> ?pv_bootloader_args:string
   -> vm:string
+  -> domid:int
   -> unit
   -> t
 (** Extract the default kernel from the disk *)

lib/open_uri_https.ml

@@ -1,4 +1,3 @@
-
 (* This code is usually in xcp-idl but we introduced a local copy here
    to support https, which has a dependency on stunnel and would create
    a circular dependency. *)
@@ -21,22 +20,22 @@ let with_open_uri uri f =
           )
   )
   | Some "https" -> (
-    let process (s : Stunnel.t) =
-      finally
-        (fun () -> f Safe_resources.Unixfd.(!(s.Stunnel.fd)))
-        (fun () -> Stunnel.disconnect s)
-    in
-    match (Uri.host uri, Uri.port uri) with
-    | Some host, Some port ->
-        Stunnel.with_connect host port process
-    | Some host, None ->
-        Stunnel.with_connect host https_port process
-    | _, _ ->
-        failwith
-          (Printf.sprintf "Failed to parse host and port from URI: %s"
-             (Uri.to_string uri)
-          )
-  )
+      let process (s : Stunnel.t) =
+        finally
+          (fun () -> f Safe_resources.Unixfd.(!(s.Stunnel.fd)))
+          (fun () -> Stunnel.disconnect s)
+      in
+      match (Uri.host uri, Uri.port uri) with
+      | Some host, Some port ->
+          Stunnel.with_connect host port process
+      | Some host, None ->
+          Stunnel.with_connect host https_port process
+      | _, _ ->
+          failwith
+            (Printf.sprintf "Failed to parse host and port from URI: %s"
+               (Uri.to_string uri)
+            )
+    )
   | Some "file" ->
       let filename = Uri.path_and_query uri in
       let sockaddr = Unix.ADDR_UNIX filename in
@@ -48,5 +47,3 @@ let with_open_uri uri f =
       failwith (Printf.sprintf "Unsupported URI scheme: %s" x)
   | None ->
       failwith (Printf.sprintf "Failed to parse URI: %s" (Uri.to_string uri))
-
-

lib/resources.ml

@@ -28,7 +28,7 @@ let rmmod = ref "/usr/sbin/rmmod"
 
 let hvmloader = ref "hvmloader"
 
-let pygrub = ref "pygrub"
+let pygrub = ref "pygrub-wrapper"
 
 let eliloader = ref "eliloader"
 

lib/xcp_client_https.ml

@@ -42,7 +42,9 @@ let switch_rpc ?timeout queue_name string_of_call response_of_string =
     response_of_string
       (get_ok
          (Message_switch_unix.Protocol_unix.Client.rpc ~t ?timeout
-            ~queue:queue_name ~body:(string_of_call call) ()))
+            ~queue:queue_name ~body:(string_of_call call) ()
+         )
+      )
 
 let split_colon str =
   try
@@ -94,7 +96,8 @@ let http_rpc string_of_call response_of_string ?(srcstr = "unset")
       | `Invalid x ->
           failwith
             (Printf.sprintf "Failed to read HTTP response from: %s (got '%s')"
-               (url ()) x)
+               (url ()) x
+            )
       | `Ok response -> (
           let body = Buffer.create 16 in
           let reader = Response.make_body_reader response ic in
@@ -115,8 +118,10 @@ let http_rpc string_of_call response_of_string ?(srcstr = "unset")
           | bad ->
               failwith
                 (Printf.sprintf "Unexpected HTTP response code: %s"
-                   (Cohttp.Code.string_of_status bad))
-        ))
+                   (Cohttp.Code.string_of_status bad)
+                )
+        )
+  )
 
 let xml_http_rpc = http_rpc Xmlrpc.string_of_call Xmlrpc.response_of_string
 
@@ -129,9 +134,11 @@ let () =
     | Xmlm.Error ((line, col), error) ->
         Some
           (Printf.sprintf "Xmlm.Error(%d:%d, \"%s\")" line col
-             (Xmlm.error_message error))
+             (Xmlm.error_message error)
+          )
     | _ ->
-        None)
+        None
+    )
 
 (* Use a binary 16-byte length to frame RPC messages *)
 let binary_rpc string_of_call response_of_string ?(srcstr = "unset")
@@ -153,7 +160,8 @@ let binary_rpc string_of_call response_of_string ?(srcstr = "unset")
       let (response : Rpc.response) =
         response_of_string (Bytes.unsafe_to_string msg_buf)
       in
-      response)
+      response
+  )
 
 let json_binary_rpc =
   binary_rpc Jsonrpc.string_of_call Jsonrpc.response_of_string

scripts/make-custom-xenopsd.conf

@@ -46,6 +46,7 @@ qemu-dm-wrapper=${LIBEXECDIR}/qemu-dm-wrapper
 setup-vif-rules=${LIBEXECDIR}/setup-vif-rules
 sockets-group=$group
 qemu-wrapper=${QEMU_WRAPPER_DIR}/qemu-wrapper
+pygrub-wrapper=${QEMU_WRAPPER_DIR}/pygrub-wrapper
 
 disable-logging-for=http
 # Workaround xenopsd bug #45

scripts/pygrub-wrapper

@@ -0,0 +1,49 @@
+#! /usr/bin/python
+#
+# Copyright (C) 2023 Cloud Software Group
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation; version 2.1 only. with the special
+# exception on linking described in file LICENSE.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+
+from __future__ import print_function
+import pwd, subprocess, sys
+import grp, os, stat
+
+cmd = ["pygrub"]
+
+# Get the usage string. We can't use check_output() because the exit status isn't 0
+pygrub_usage = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()[1]
+
+with_depriv = False
+for arg in sys.argv[1:]:
+    # Catch the synthetic --domid argument and turn it into --runas
+    argname_domid = "--domid="
+    if arg.startswith(argname_domid):
+        if "[--runas=]" not in pygrub_usage:
+            # Skip depriv if pygrub doesn't support it
+            continue
+        with_depriv = True
+        domid = int(arg[len(argname_domid):])
+        uid = pwd.getpwnam('qemu_base').pw_uid + domid
+        cmd += ["--runas=" + str(uid)]
+
+        # Set group permissions on the disk so a depriv pygrub can read it
+        disk = sys.argv[-1]
+        gid = grp.getgrnam('disk').gr_gid
+        disk_stat = os.stat(disk)
+        os.chown(disk, uid, gid)
+        os.chmod(disk, disk_stat.st_mode | stat.S_IRGRP)
+    else:
+        cmd += [arg]
+
+if 'PYGRUB_FORCE_DEPRIV' in os.environ.keys() and not with_depriv:
+    raise RuntimeError("Trying to run pygrub as root: %s" % pygrub_usage)
+
+sys.exit(subprocess.call(cmd))

xapi-xenopsd.opam

@@ -24,11 +24,13 @@ depends: [
   "rpclib"
   "sexplib"
   "stdext"
+  "stunnel"
   "base-threads"
   "uri"
   "uuidm"
   "uutf"
   "xapi-idl"
+  "xapi-test-utils" {with-test}
   "xenctrl"
   "xmlm"
   "fmt" { >= "0.8.8" }

xc/xenops_server_xen.ml

@@ -2106,7 +2106,7 @@ module VM = struct
                     Bootloader.extract task ~bootloader:i.bootloader
                       ~legacy_args:i.legacy_args ~extra_args:i.extra_args
                       ~pv_bootloader_args:i.bootloader_args ~disk:dev
-                      ~vm:vm.Vm.id ()
+                      ~vm:vm.Vm.id ~domid ()
                   in
                   kernel_to_cleanup := Some b ;
                   let builder_spec_info =
@@ -2150,7 +2150,7 @@ module VM = struct
                     Bootloader.extract task ~bootloader:i.bootloader
                       ~legacy_args:i.legacy_args ~extra_args:i.extra_args
                       ~pv_bootloader_args:i.bootloader_args ~disk:dev
-                      ~vm:vm.Vm.id ()
+                      ~vm:vm.Vm.id ~domid ()
                   in
                   kernel_to_cleanup := Some b ;
                   let builder_spec_info =