From 32431d701c2ee4db77ff8f5f53e18d2a508d3090 Mon Sep 17 00:00:00 2001
From: "fupan.lfp" <fupan.lfp@antfin.com>
Date: Thu, 2 Apr 2020 15:42:53 +0800
Subject: [PATCH 1/2] rpc: fix the issue of kill container process

When kill a process, if the exec id is empty, then
it means to kill all processes in the container, if
the exec id isn't empty, then it will only kill the
specific exec process.

Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
---
 src/agent/src/grpc.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/agent/src/grpc.rs b/src/agent/src/grpc.rs
index 9b724a1d25..854a3cbef8 100644
--- a/src/agent/src/grpc.rs
+++ b/src/agent/src/grpc.rs
@@ -305,6 +305,7 @@ impl agentService {
         let eid = req.exec_id.clone();
         let s = Arc::clone(&self.sandbox);
         let mut sandbox = s.lock().unwrap();
+        let mut init = false;
 
         info!(
             sl!(),
@@ -312,7 +313,12 @@ impl agentService {
             "container-id" => cid.clone(),
             "exec-id" => eid.clone()
         );
-        let p = find_process(&mut sandbox, cid.as_str(), eid.as_str(), true)?;
+
+        if eid == "" {
+            init = true;
+        }
+
+        let p = find_process(&mut sandbox, cid.as_str(), eid.as_str(), init)?;
 
         let mut signal = Signal::try_from(req.signal as i32).unwrap();
 

From ba3c732f8680e1032c9d2a3d76f2b26eb37fa74a Mon Sep 17 00:00:00 2001
From: "fupan.lfp" <fupan.lfp@antfin.com>
Date: Thu, 2 Apr 2020 18:56:13 +0800
Subject: [PATCH 2/2] grpc: fix the issue of potential crashes

It's better to check whether the sandbox's get_container
result instead of unwrap it directly, otherwise it would
crash the agent if the conainer id is invalid.

Fixes: #178

Signed-off-by: fupan.lfp <fupan.lfp@antfin.com>
---
 src/agent/src/grpc.rs | 65 +++++++++++++++++++++++++++++++++++++++----
 1 file changed, 59 insertions(+), 6 deletions(-)

diff --git a/src/agent/src/grpc.rs b/src/agent/src/grpc.rs
index 854a3cbef8..b83620120f 100644
--- a/src/agent/src/grpc.rs
+++ b/src/agent/src/grpc.rs
@@ -188,7 +188,12 @@ impl agentService {
         if req.timeout == 0 {
             let s = Arc::clone(&self.sandbox);
             let mut sandbox = s.lock().unwrap();
-            let ctr = sandbox.get_container(cid.as_str()).unwrap();
+            let ctr: &mut LinuxContainer = match sandbox.get_container(cid.as_str()) {
+                Some(cr) => cr,
+                None => {
+                    return Err(ErrorKind::Nix(nix::Error::from_errno(Errno::EINVAL)).into());
+                }
+            };
 
             ctr.destroy()?;
 
@@ -223,7 +228,12 @@ impl agentService {
 
         let handle = thread::spawn(move || {
             let mut sandbox = s.lock().unwrap();
-            let ctr = sandbox.get_container(cid2.as_str()).unwrap();
+            let ctr: &mut LinuxContainer = match sandbox.get_container(cid2.as_str()) {
+                Some(cr) => cr,
+                None => {
+                    return;
+                }
+            };
 
             ctr.destroy().unwrap();
             tx.send(1).unwrap();
@@ -371,7 +381,13 @@ impl agentService {
         }
 
         let mut sandbox = s.lock().unwrap();
-        let ctr = sandbox.get_container(cid.as_str()).unwrap();
+        let ctr: &mut LinuxContainer = match sandbox.get_container(cid.as_str()) {
+            Some(cr) => cr,
+            None => {
+                return Err(ErrorKind::Nix(nix::Error::from_errno(Errno::EINVAL)).into());
+            }
+        };
+
         // need to close all fds
         let mut p = ctr.processes.get_mut(&pid).unwrap();
 
@@ -657,7 +673,20 @@ impl protocols::agent_grpc::AgentService for agentService {
         let s = Arc::clone(&self.sandbox);
         let mut sandbox = s.lock().unwrap();
 
-        let ctr = sandbox.get_container(cid.as_str()).unwrap();
+        let ctr: &mut LinuxContainer = match sandbox.get_container(cid.as_str()) {
+            Some(cr) => cr,
+            None => {
+                let f = sink
+                    .fail(RpcStatus::new(
+                        RpcStatusCode::InvalidArgument,
+                        Some(String::from("invalid container id")),
+                    ))
+                    .map_err(|_e| error!(sl!(), "invalid container id!"));
+                ctx.spawn(f);
+                return;
+            }
+        };
+
         let pids = ctr.processes().unwrap();
 
         match format.as_str() {
@@ -750,7 +779,19 @@ impl protocols::agent_grpc::AgentService for agentService {
         let s = Arc::clone(&self.sandbox);
         let mut sandbox = s.lock().unwrap();
 
-        let ctr = sandbox.get_container(cid.as_str()).unwrap();
+        let ctr: &mut LinuxContainer = match sandbox.get_container(cid.as_str()) {
+            Some(cr) => cr,
+            None => {
+                let f = sink
+                    .fail(RpcStatus::new(
+                        RpcStatusCode::Internal,
+                        Some("invalid container id".to_string()),
+                    ))
+                    .map_err(|_e| error!(sl!(), "invalid container id!"));
+                ctx.spawn(f);
+                return;
+            }
+        };
 
         let resp = Empty::new();
 
@@ -788,7 +829,19 @@ impl protocols::agent_grpc::AgentService for agentService {
         let s = Arc::clone(&self.sandbox);
         let mut sandbox = s.lock().unwrap();
 
-        let ctr = sandbox.get_container(cid.as_str()).unwrap();
+        let ctr: &mut LinuxContainer = match sandbox.get_container(cid.as_str()) {
+            Some(cr) => cr,
+            None => {
+                let f = sink
+                    .fail(RpcStatus::new(
+                        RpcStatusCode::Internal,
+                        Some("invalid container id!".to_string()),
+                    ))
+                    .map_err(|_e| error!(sl!(), "invalid container id!"));
+                ctx.spawn(f);
+                return;
+            }
+        };
 
         let resp = match ctr.stats() {
             Err(_e) => {