Add a routine that scans the running tasks under /proc/<pid>/ and moves
each task that matches a rule in the rules.conf file into its configured
control group. At init time we can then move running tasks into the
correct control group.

Expose this routine via libcg so other applications can use it
to classify existing applications after creating control groups.

CC: Jan Safranek <jsafr...@redhat.com>
Signed-off-by: John Fastabend <john.r.fastab...@intel.com>
---
 include/libcgroup/tasks.h |   11 +++++++++++
 src/api.c                 |   46 +++++++++++++++++++++++++++++++++++++++++++++
 src/daemon/cgrulesengd.c  |    5 +++++
 src/libcgroup.map         |    1 +
 4 files changed, 63 insertions(+)

diff --git a/include/libcgroup/tasks.h b/include/libcgroup/tasks.h
index 0f79220..aad438a 100644
--- a/include/libcgroup/tasks.h
+++ b/include/libcgroup/tasks.h
@@ -121,6 +121,17 @@ void cgroup_print_rules_config(FILE *fp);
  */
 
 /**
+ * Changes the cgroup of all running PIDs based on the rules in the config
+ * file. If a rules exists for a PID, then the PID is placed in the correct
+ * group.
+ *
+ * This function may be called after creating new control groups to move
+ * running PIDs into the newly created control groups.
+ *     @return 0 on success, < 0 on error
+ */
+int cgroup_change_all_cgroups(void);
+
+/**
  * Changes the cgroup of a program based on the rules in the config file.
  * If a rule exists for the given UID, GID or PROCESS NAME, then the given
  * PID is placed into the correct group.  By default, this function parses
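Review bot: The `@return 0 on success, < 0 on error` line promises more than the implementation in src/api.c delivers: that function returns `-ECGOTHER` only when `/proc` cannot be opened, and returns 0 even if every per-PID lookup or move failed. A caller that uses the return value to decide whether tasks are now confined to their groups will be misled, so the contract should say the scan is best effort, for example `@return 0 if /proc was scanned (PIDs that fail are skipped), < 0 if /proc could not be opened`. The first sentence also reads `If a rules exists`; `If a rule exists` matches the wording of the comment that follows it. The same comment is duplicated above the definition in src/api.c and needs the same two changes.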
diff --git a/src/api.c b/src/api.c
index 11cd1b4..2851efd 100644
--- a/src/api.c
+++ b/src/api.c
@@ -3056,6 +3056,52 @@ int cgroup_change_cgroup_path(const char *dest, pid_t pid,
 }
 
 /**
+ * Changes the cgroup of all running PIDs based on the rules in the config
+ * file. If a rules exists for a PID, then the PID is placed in the correct
+ * group.
+ *
+ * This function may be called after creating new control groups to move
+ * running PIDs into the newly created control groups.
+ *     @return 0 on success, < 0 on error
+ */
+int cgroup_change_all_cgroups(void)
+{
+       DIR *dir;
+       struct dirent *pid_dir = NULL;
+       char *path = "/proc/";
+
+       dir = opendir(path);
+       if (!dir)
+               return -ECGOTHER;
+
+       while ((pid_dir = readdir(dir)) != NULL) {
+               int err, pid;
+               uid_t euid;
+               gid_t egid;
+               char *procname = NULL;
+
+               err = sscanf(pid_dir->d_name, "%i", &pid);
+               if (err < 1)
+                       continue;
+
+               err = cgroup_get_uid_gid_from_procfs(pid, &euid, &egid);
+               if (err)
+                       continue;
+
+               err = cgroup_get_procname_from_procfs(pid, &procname);
+               if (err)
+                       continue;
+
+               err = cgroup_change_cgroup_flags(euid, egid, procname, pid, 0);
+               if (err)
+                       cgroup_dbg("cgroup change pid %i failed\n", pid);
+       }
+
+       closedir(dir);
+       return 0;
+}
+
+/**
  * Print the cached rules table.  This function should be called only after
  * first calling cgroup_parse_config(), but it will work with an empty rule
  * list.
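Review bot: `procname` is never released inside the `while` loop. `cgroup_get_procname_from_procfs()` fills a `char *` through its second argument, which suggests it allocates the string, so each scanned process would leak one buffer; if the helper does allocate, adding `free(procname);` after the `cgroup_dbg` branch fixes it. The loop also reads the uid, gid and name of a PID in separate steps before moving it, so a process that exits, execs or changes credentials in between (or whose PID is reused) can be classified on stale data; a comment saying the scan is racy and best effort would tell callers not to treat the resulting placement as an enforcement guarantee. `sscanf(pid_dir->d_name, "%i", &pid)` additionally accepts a name that merely begins with digits and has no overflow check, whereas `strtol` with an end-pointer test would accept only a plain decimal PID.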
diff --git a/src/daemon/cgrulesengd.c b/src/daemon/cgrulesengd.c
index f12db45..42feacc 100644
--- a/src/daemon/cgrulesengd.c
+++ b/src/daemon/cgrulesengd.c
@@ -1171,6 +1171,11 @@ int main(int argc, char *argv[])
        if (logfile && loglevel >= LOG_INFO)
                cgroup_print_rules_config(logfile);
 
+       /* Scan for running applications with rules */
+       ret = cgroup_change_all_cgroups();
+       if (ret)
+               flog(LOG_WARNING, "Failed to initialize running tasks.");
+
        flog(LOG_NOTICE, "Started the CGroup Rules Engine Daemon.");
 
        /* We loop endlesly in this function, unless we encounter an error. */
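Review bot: The scan added before the `Started the CGroup Rules Engine Daemon` notice is a one-shot pass, and nothing in the hunk shows whether the daemon is already receiving process events at this point (main's body starts and ends outside the hunk). If event delivery only begins in the loop below, a task that starts while `/proc` is being walked, or just after, is seen by neither path and stays outside its configured group. Either run the scan once the event source is active, or state the limitation in the comment, e.g. `/* Best-effort scan of running tasks; tasks started before event handling begins may be missed */`. The warning could also log `ret`, so the log shows why the scan failed.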
diff --git a/src/libcgroup.map b/src/libcgroup.map
index b550a58..f6adb9a 100644
--- a/src/libcgroup.map
+++ b/src/libcgroup.map
@@ -33,6 +33,7 @@ global:
        cgroup_set_value_bool;
        cgroup_change_cgroup_uid_gid_flags;
        cgroup_print_rules_config;
+       cgroup_change_all_cgroups;
        cgroup_reload_cached_rules;
        cgroup_init_rules_cache;
        cgroup_get_current_controller_path;

