+struct rlimit_name {
+ const char *name;
+ int resource;
+};
+
+static const struct rlimit_name rlimit_names[] = {
+ { "as", RLIMIT_AS },
+ { "core", RLIMIT_CORE },
+ { "cpu", RLIMIT_CPU },
+ { "data", RLIMIT_DATA },
+ { "fsize", RLIMIT_FSIZE },
+ { "memlock", RLIMIT_MEMLOCK },
+ { "nofile", RLIMIT_NOFILE },
+ { "nproc", RLIMIT_NPROC },
+ { "rss", RLIMIT_RSS },
+ { "stack", RLIMIT_STACK },
+#ifdef linux
+ { "nice", RLIMIT_NICE },
+ { "rtprio", RLIMIT_RTPRIO },
+ { "msgqueue", RLIMIT_MSGQUEUE },
+ { "sigpending", RLIMIT_SIGPENDING },
+#endif
+ { NULL, 0 }
+};
+
+static char trace[] = "/sbin/utrace";
+
+static void closefd(int fd)
+{
+ if (fd > STDERR_FILENO)
+ close(fd);
+}
+
+static void
+instance_limits(const char *limit, const char *value)
+{
+ int i;
+ struct rlimit rlim;
+ unsigned long cur, max;
+
+ for (i = 0; rlimit_names[i].name != NULL; i++) {
+ if (strcmp(rlimit_names[i].name, limit))
+ continue;
+ if (!strcmp(value, "unlimited")) {
+ rlim.rlim_cur = RLIM_INFINITY;
+ rlim.rlim_max = RLIM_INFINITY;
+ } else {
+ if (getrlimit(rlimit_names[i].resource, &rlim))
+ return;
+
+ cur = rlim.rlim_cur;
+ max = rlim.rlim_max;
+
+ if (sscanf(value, "%lu %lu", &cur, &max) < 1)
+ return;
+
+ rlim.rlim_cur = cur;
+ rlim.rlim_max = max;
+ }
+
+ setrlimit(rlimit_names[i].resource, &rlim);
+ return;
+ }
+}
+
+static inline int
+jail_run(struct service_instance *in, char **argv)
+{
+ struct blobmsg_list_node *var;
+ struct jail *jail = &in->jail;
+ int argc = 0;
+
+ argv[argc++] = "/sbin/ujail";
+
+ if (jail->name) {
+ argv[argc++] = "-n";
+ argv[argc++] = jail->name;
+ }
+
+ if (jail->hostname) {
+ argv[argc++] = "-h";
+ argv[argc++] = jail->hostname;
+ }
+
+ if (in->seccomp) {
+ argv[argc++] = "-S";
+ argv[argc++] = in->seccomp;
+ }
+
+ if (in->no_new_privs)
+ argv[argc++] = "-c";
+
+ if (jail->procfs)
+ argv[argc++] = "-p";
+
+ if (jail->sysfs)
+ argv[argc++] = "-s";
+
+ if (jail->ubus)
+ argv[argc++] = "-u";
+
+ if (jail->log)
+ argv[argc++] = "-l";
+
+ if (jail->ronly)
+ argv[argc++] = "-o";
+
+ blobmsg_list_for_each(&jail->mount, var) {
+ const char *type = blobmsg_data(var->data);
+
+ if (*type == '1')
+ argv[argc++] = "-w";
+ else
+ argv[argc++] = "-r";
+ argv[argc++] = (char *) blobmsg_name(var->data);
+ }
+
+ argv[argc++] = "--";
+
+ return argc;
+}
+
+static int
+instance_removepid(struct service_instance *in) {
+ if (!in->pidfile)
+ return 0;
+ if (unlink(in->pidfile)) {
+ ERROR("Failed to removed pidfile: %s: %d - %s\n",
+ in->pidfile, errno, strerror(errno));
+ return 1;
+ }
+ return 0;
+}
+
+static int
+instance_writepid(struct service_instance *in)
+{
+ FILE *_pidfile;
+
+ if (!in->pidfile) {
+ return 0;
+ }
+ _pidfile = fopen(in->pidfile, "w");
+ if (_pidfile == NULL) {
+ ERROR("failed to open pidfile for writing: %s: %d (%s)",
+ in->pidfile, errno, strerror(errno));
+ return 1;
+ }
+ if (fprintf(_pidfile, "%d\n", in->proc.pid) < 0) {
+ ERROR("failed to write pidfile: %s: %d (%s)",
+ in->pidfile, errno, strerror(errno));
+ fclose(_pidfile);
+ return 2;
+ }
+ if (fclose(_pidfile)) {
+ ERROR("failed to close pidfile: %s: %d (%s)",
+ in->pidfile, errno, strerror(errno));
+ return 3;
+ }
+
+ return 0;
+}
+