diff --git a/cgroup-tproxy.sh b/cgroup-tproxy.sh
index 657b648..d9e117d 100644
--- a/cgroup-tproxy.sh
+++ b/cgroup-tproxy.sh
@@ -77,10 +77,11 @@ get_available_route_table(){
 # echo "table: $table fwmark: $fwmark, mark_newin: $mark_newin"
 
 ## cgroup things
-cgroup_mount_point=$(findmnt -t cgroup2 -n -o TARGET)
-cgroup_type="cgroup2"
-cgroup_procs_file="cgroup.procs"
-
+[ -z ${cgroup_mount_point+x} ] && cgroup_mount_point=$(findmnt -t cgroup2 -n -o TARGET | head -n 1)
+[ -z $cgroup_mount_point ] && { >&2 echo "iptables: no cgroup2 mount point available"; exit -1; }
+[ ! -d $cgroup_mount_point ] && mkdir -p $cgroup_mount_point
+[ "$(findmnt -M $cgroup_mount_point -n -o FSTYPE)" != "cgroup2" ] && mount -t cgroup2 none $cgroup_mount_point
+[ "$(findmnt -M $cgroup_mount_point -n -o FSTYPE)" != "cgroup2" ] && { >&2 echo "iptables: mount $cgroup_mount_point failed"; exit -1; }
 
 stop(){
   iptables -t mangle -L TPROXY_PRE &> /dev/null || return
@@ -108,6 +109,8 @@ stop(){
   ## may not exist, just ignore, and tracking their existence is not reliable
   iptables -t nat -D POSTROUTING -m owner ! --socket-exists -j MASQUERADE &> /dev/null
   ip6tables -t nat -D POSTROUTING -m owner ! --socket-exists -s fc00::/7 -j MASQUERADE &> /dev/null
+  ## unmount cgroup2
+  [ "$(findmnt -M $cgroup_mount_point -n -o FSTYPE)" = "cgroup2" ] && umount $cgroup_mount_point
 }
 
 ## parse parameter
diff --git a/src/cgroup_attach.cpp b/src/cgroup_attach.cpp
index 0ce0cf2..13c49ca 100644
--- a/src/cgroup_attach.cpp
+++ b/src/cgroup_attach.cpp
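Review bot: Every `$cgroup_mount_point` expansion in the five added lines is unquoted (`[ -z $cgroup_mount_point ]`, `mkdir -p $cgroup_mount_point`, `mount -t cgroup2 none $cgroup_mount_point`), and since the value is now taken from the caller's environment when `cgroup_mount_point` is set rather than only from `findmnt`, a path containing whitespace or glob characters is word-split before it reaches `test`, `mkdir` and `mount`, which need root privileges here. `exit -1` is also not a valid exit status (bash reports 255); `exit 1` is what the error messages imply. The block sits at top level above `stop(){`, so it appears to run on every invocation including `stop` — if that is unintended, the mount setup belongs on the start path only. Quoting each expansion and using a positive status keeps the logic otherwise unchanged:
```shell
[ -z "${cgroup_mount_point+x}" ] && cgroup_mount_point=$(findmnt -t cgroup2 -n -o TARGET | head -n 1)
[ -z "$cgroup_mount_point" ] && { >&2 echo "iptables: no cgroup2 mount point available"; exit 1; }
[ ! -d "$cgroup_mount_point" ] && mkdir -p "$cgroup_mount_point"
[ "$(findmnt -M "$cgroup_mount_point" -n -o FSTYPE)" != "cgroup2" ] && mount -t cgroup2 none "$cgroup_mount_point"
[ "$(findmnt -M "$cgroup_mount_point" -n -o FSTYPE)" != "cgroup2" ] && { >&2 echo "iptables: mount $cgroup_mount_point failed"; exit 1; }
```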
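Review bot: The added `umount $cgroup_mount_point` in `stop()` unmounts whatever path the top-level code settled on, and when `cgroup_mount_point` is absent from the environment that path is the first mount `findmnt -t cgroup2` reports — most likely the host's own unified hierarchy, which this script never mounted; on a busy system the call probably just fails, but where it succeeds it takes down a mount other software depends on. The unmount should be limited to a mount this script is responsible for, and because the top-level block runs before `stop()` in the same process it can record whether the fallback was taken: `[ -z ${cgroup_mount_point+x} ] && { cgroup_mount_point=$(findmnt -t cgroup2 -n -o TARGET | head -n 1); cgroup_mount_point_discovered=1; }` at the top, and here `[ -z "$cgroup_mount_point_discovered" ] && [ "$(findmnt -M "$cgroup_mount_point" -n -o FSTYPE)" = "cgroup2" ] && umount "$cgroup_mount_point"`. The expansion should be quoted for the same reason as the top-level lines. `stop()` begins outside this hunk.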
@@ -14,19 +14,8 @@ namespace CGPROXY::CGROUP {
-string cgroup2_mount_point = get_cgroup2_mount_point();
+string cgroup2_mount_point = CGROUP2_MOUNT_POINT;
-string get_cgroup2_mount_point() {
-  stringstream buffer;
-  unique_ptr fp(popen("findmnt -t cgroup2 -n -o TARGET", "r"), &pclose);
-  if (!fp) return "";
-  char buf[READ_SIZE_MAX];
-  while (fgets(buf, READ_SIZE_MAX, fp.get()) != NULL) { buffer << buf; }
-  string s = buffer.str();
-  if (!s.empty()) s.pop_back(); // remove newline character
-  return s;
-}
 bool validate(string pid, string cgroup) {
   bool pid_v = validPid(pid);
diff --git a/src/cgroup_attach.h b/src/cgroup_attach.h
index 896edd0..d992557 100644
--- a/src/cgroup_attach.h
+++ b/src/cgroup_attach.h
@@ -8,7 +8,6 @@ using namespace std;
 namespace CGPROXY::CGROUP {
 extern string cgroup2_mount_point;
 bool validate(string pid, string cgroup);
-string get_cgroup2_mount_point();
 int attach(const string pid, const string cgroup_target);
 int attach(const int pid, const string cgroup_target);
 int write2procs(string pid, string procspath);
diff --git a/src/common.h b/src/common.h
index f2ddab9..16aa9e5 100644
--- a/src/common.h
+++ b/src/common.h
@@ -11,6 +11,7 @@ using namespace std;
 #define TPROXY_IPTABLS_CLEAN "/usr/share/cgproxy/scripts/cgroup-tproxy.sh stop"
 #define LIBEXECSNOOP_SO "/usr/lib/cgproxy/libexecsnoop.so"
+#define CGROUP2_MOUNT_POINT "/var/run/cgproxy/cgroup2"
 #define PID_LOCK_FILE "/var/run/cgproxyd.pid"
 #define SOCKET_PATH "/tmp/cgproxy_unix_socket"
 #define LISTEN_BACKLOG 64
diff --git a/src/config.cpp b/src/config.cpp
index 2de0050..770d900 100644
--- a/src/config.cpp
+++ b/src/config.cpp
@@ -21,6 +21,7 @@ using json = nlohmann::json;
 namespace CGPROXY::CONFIG {
 void Config::toEnv() {
+  setenv("cgroup_mount_point", CGROUP2_MOUNT_POINT, 1);
   setenv("program_proxy", join2str(program_proxy, ':').c_str(), 1);
   setenv("program_noproxy", join2str(program_noproxy, ':').c_str(), 1);
   setenv("cgroup_proxy", join2str(cgroup_proxy, ':').c_str(), 1);
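Review bot: `cgroup2_mount_point` is now initialized from the `CGROUP2_MOUNT_POINT` literal, but nothing in the hunk verifies that a cgroup2 filesystem is actually mounted there — the directory is created and mounted by `cgroup-tproxy.sh` at runtime, so code that writes `cgroup.procs` below this path (`attach`/`write2procs`, outside the hunk) may be operating on a plain directory if the script has not run yet or has already unmounted it on `stop`. A check before use, e.g. `statfs()` on the path and comparing `f_type` against `CGROUP2_SUPER_MAGIC`, would turn that into an explicit error instead of a confusing write failure. Dropping the `popen("findmnt ...")` path is a welcome simplification, and since the value is no longer computed at startup the global can be `const`-qualified (with the matching `extern` in cgroup_attach.h); a comment such as `// cgroup2 mount created by cgroup-tproxy.sh; must match the path exported to it as $cgroup_mount_point` would document the coupling. The script falls back to `findmnt` when that variable is absent, so a standalone run of the script and the daemon may disagree on the path.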
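Review bot: `CGROUP2_MOUNT_POINT` is a path whose meaning depends on another component — the cgroup2 mount is created by `cgroup-tproxy.sh` and the same value is handed to it through the `cgroup_mount_point` environment variable in `Config::toEnv()` — but the new `#define` carries no comment saying so. Add e.g. `// private cgroup2 mount created by cgroup-tproxy.sh; exported to the script as $cgroup_mount_point` above it. Like the neighbouring `PID_LOCK_FILE`, it lives under `/var/run`, which on current distributions is usually a symlink to `/run` and not preserved across boots, so the directory has to be recreated each time (the script's `mkdir -p` appears to do that) — worth stating in the same comment.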