RUN-619: Trim IPC buffers of idle sandbox processes

dfinity · Apr 18, 2023 · c61afdc · c61afdc
1 parent 7530dd1
commit c61afdc
Show file tree

Hide file tree

Showing 7 changed files with 341 additions and 25 deletions.
diff --git a/ic-os/guestos/rootfs/prep/ic-node/ic-node.te b/ic-os/guestos/rootfs/prep/ic-node/ic-node.te
@@ -200,7 +200,8 @@ create_dirs_pattern(ic_replica_t, tmp_t, tmp_t)
 
 # Replica creates and reads/writes to/from internal unix domain socket,
 # as well as the socket connecting it to the sandbox.
-allow ic_replica_t self : unix_stream_socket { create read write };
+# It also uses setsockopt to configure socket timeouts.
+allow ic_replica_t self : unix_stream_socket { create setopt read write };
 
 # Replica uses an internal fifo file
 allow ic_replica_t ic_replica_t : fifo_file { read };
@@ -308,7 +309,7 @@ allow ic_canister_sandbox_t ic_canister_sandbox_t : process { getsched };
 # communication channel (and such that there is no "accidental" use of any
 # differently labeled channel.
 allow ic_canister_sandbox_t ic_replica_t : fd use;
-allow ic_canister_sandbox_t ic_replica_t : unix_stream_socket { read write };
+allow ic_canister_sandbox_t ic_replica_t : unix_stream_socket { setopt read write };
 
 # Allow to access the shared memory area set up by replica. NB this should be
 # labelled differently eventually because allowing tmpfs is fairly broad.
@@ -334,7 +335,7 @@ dontaudit ic_canister_sandbox_t ic_orchestrator_t : fd { use };
 # This should actually not be allowed, logs should be routed through
 # replica.
 allow ic_canister_sandbox_t init_t : fd { use };
-allow ic_canister_sandbox_t init_t : unix_stream_socket { read write };
+allow ic_canister_sandbox_t init_t : unix_stream_socket { setopt read write };
 
 # Deny access to system information as well as own proc file (would
 # also allow accessing proc files of *other* sandboxes).

diff --git a/rs/canister_sandbox/backend_lib/src/lib.rs b/rs/canister_sandbox/backend_lib/src/lib.rs
@@ -4,7 +4,8 @@ pub mod sandbox_manager;
 pub mod sandbox_server;
 
 use ic_canister_sandbox_common::{
-    child_process_initialization, controller_client_stub, protocol, rpc, transport,
+    child_process_initialization, controller_client_stub, protocol, rpc,
+    transport::{self, SocketReaderConfig},
 };
 use ic_config::embedders::Config as EmbeddersConfig;
 use ic_logger::new_replica_logger_from_config;
@@ -118,5 +119,6 @@ pub fn run_canister_sandbox(
             frame_handler.handle(message);
         },
         socket,
+        SocketReaderConfig::for_sandbox(),
     );
 }
diff --git a/rs/canister_sandbox/common/src/process.rs b/rs/canister_sandbox/common/src/process.rs
@@ -4,6 +4,7 @@ use std::os::unix::prelude::{CommandExt, RawFd};
 use std::process::{Child, Command};
 use std::sync::atomic::{AtomicBool, Ordering};
 
+use crate::transport::SocketReaderConfig;
 use crate::{
     protocol, protocol::ctlsvc, rpc, sandbox_client_stub::SandboxClientStub,
     sandbox_service::SandboxService, transport,
@@ -107,6 +108,7 @@ pub fn spawn_canister_sandbox_process_with_factory(
                 demux.handle(message);
             },
             socket,
+            SocketReaderConfig::default(),
         );
         // If we the connection drops, but it is not terminated from
         // our end, that implies that the sandbox process died. At

diff --git a/rs/canister_sandbox/common/src/test_sandbox.rs b/rs/canister_sandbox/common/src/test_sandbox.rs
@@ -1,5 +1,5 @@
-use ic_canister_sandbox_common::protocol::sbxsvc;
 use ic_canister_sandbox_common::*;
+use ic_canister_sandbox_common::{protocol::sbxsvc, transport::SocketReaderConfig};
 use ic_embedders::{
     wasm_utils::{Segments, WasmImportsDetails},
     CompilationResult, SerializedModule, SerializedModuleBytes,
@@ -127,5 +127,6 @@ fn main() {
             demux.handle(message);
         },
         socket,
+        SocketReaderConfig::for_testing(),
     );
 }