Пример #1
        /// <summary>
        /// Builds a brand-new container: a fresh handle, a container user requested with
        /// <c>shouldCreate: true</c>, a container directory requested with its create flag set,
        /// and a process manager bound to that user. The container starts in
        /// <see cref="ContainerState.Born"/>.
        /// </summary>
        public Container()
        {
            // Each object below is built from the one before it, so the order matters:
            // handle -> user -> directory / process manager.
            handle = new ContainerHandle();
            user = new ContainerUser(handle, shouldCreate: true);
            directory = new ContainerDirectory(handle, user, true);
            processManager = new ProcessManager(user);

            state = ContainerState.Born;
        }
Пример #2
        /// <summary>
        /// Creates a process manager scoped to one container user and prepares the predicate
        /// used to decide whether a process belongs to that user.
        /// </summary>
        /// <param name="containerUser">The user whose processes this manager looks after.</param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="containerUser"/> is null.
        /// </exception>
        public ProcessManager(ContainerUser containerUser)
        {
            if (containerUser == null)
            {
                throw new ArgumentNullException("containerUser");
            }

            this.containerUser = containerUser;

            // A process matches when its reported user name equals the container user and it
            // is still running.
            // NOTE(review): ownership is decided by this equality alone. How a ContainerUser
            // compares with a string (case, domain prefix) is not visible here - confirm it
            // agrees with what GetUserName() returns, otherwise processes owned by the
            // container user could go unmatched.
            this.processMatchesUser = candidate =>
                candidate.GetUserName() == containerUser && !candidate.HasExited;
        }
Пример #3
        /// <summary>
        /// Creates the directory for a container and grants the container user full control
        /// over it, inherited by the sub-directories and files below it.
        /// </summary>
        /// <remarks>
        /// The new directory does not start from an empty ACL: its security descriptor is the
        /// one read from the first directory returned by GetContainerDirectoryInfo (apparently
        /// the container base directory) with one extra allow rule for the user. Any broad
        /// grant present on that directory is therefore carried over to every container
        /// directory created here, so the base directory's ACL should be kept restrictive.
        /// </remarks>
        /// <param name="handle">Handle used to look up the base directory and the target path.</param>
        /// <param name="user">Container user named as the trustee of the added rule.</param>
        /// <returns>The <see cref="DirectoryInfo"/> returned by the directory creation call.</returns>
        private static DirectoryInfo CreateContainerDirectory(ContainerHandle handle, ContainerUser user)
        {
            var baseAndTarget = GetContainerDirectoryInfo(handle);

            var fullControlForUser = new FileSystemAccessRule(
                user,
                FileSystemRights.FullControl,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None,
                AccessControlType.Allow);

            // Start from the ACL of the first tuple item and append the user's rule to it.
            DirectorySecurity directorySecurity = baseAndTarget.Item1.GetAccessControl();
            directorySecurity.AddAccessRule(fullControlForUser);

            // The second tuple item is the path of the directory to create.
            return Directory.CreateDirectory(baseAndTarget.Item2, directorySecurity);
        }
Пример #4
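        /// <summary>
        /// Resolves the directory that belongs to a container, creating it when asked to.
        /// </summary>
        /// <param name="handle">Handle identifying the container; must not be null.</param>
        /// <param name="user">
        /// Container user passed to CreateContainerDirectory when a directory is created.
        /// Only used when <paramref name="shouldCreate"/> is true, in which case it must not be null.
        /// </param>
        /// <param name="shouldCreate">
        /// True to create the directory; false (the default) to look up an existing one.
        /// </param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="handle"/> is null, or <paramref name="user"/> is null while
        /// <paramref name="shouldCreate"/> is true.
        /// </exception>
        public ContainerDirectory(ContainerHandle handle, ContainerUser user, bool shouldCreate = false)
        {
            if (handle == null)
            {
                throw new ArgumentNullException("handle");
            }

            if (shouldCreate)
            {
                // The user becomes the trustee of the access rule placed on the new directory.
                // Reject null here so the failure names the argument, instead of surfacing
                // later while the access rule is being built.
                if (user == null)
                {
                    throw new ArgumentNullException("user");
                }

                this.containerDirectory = CreateContainerDirectory(handle, user);
            }
            else
            {
                // Lookup needs only the handle; the user is not consulted on this path.
                this.containerDirectory = FindContainerDirectory(handle);
            }
        }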
Пример #5
        /// <summary>
        /// Used for restore: rebuilds a container object from a previously issued handle string
        /// and a known state, without asking for the user or the directory to be created.
        /// </summary>
        /// <param name="handle">Handle string of the container being restored; must not be null or whitespace.</param>
        /// <param name="containerState">State to restore the container into; must not be null.</param>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="handle"/> is null or whitespace, or <paramref name="containerState"/> is null.
        /// </exception>
        private Container(string handle, ContainerState containerState)
        {
            // NOTE(review): the handle string is only checked for null/whitespace here. It is
            // then used to build the handle, the user and (through the handle) the directory
            // lookup; whether ContainerHandle validates its format is not visible - confirm,
            // especially if the string comes from persisted state.
            if (handle.IsNullOrWhiteSpace())
            {
                throw new ArgumentNullException("handle");
            }
            this.handle = new ContainerHandle(handle);

            if (containerState == null)
            {
                throw new ArgumentNullException("containerState");
            }
            this.state = containerState;

            // No create flag is passed to either constructor: for ContainerDirectory that is
            // the shouldCreate = false default, i.e. the existing directory is looked up.
            this.user = new ContainerUser(handle);
            this.directory = new ContainerDirectory(this.handle, this.user);

            this.processManager = new ProcessManager(this.user);

            // Only a container restored in the Active state restores its processes.
            if (this.state == ContainerState.Active)
            {
                this.RestoreProcesses();
            }
        }
        /// <summary>
        /// Adds an allow rule for the container user to the source and destination path of
        /// every bind mount.
        /// TODO: move to centralized permission manager.
        /// </summary>
        /// <remarks>
        /// Security note: both the RO and the RW mode currently grant
        /// <see cref="FileSystemRights.FullControl"/>, so a mount requested as read-only is
        /// still writable by the container user. Only a mode that is neither RO nor RW keeps
        /// <see cref="FileSystemRights.Read"/>. The rule is created with
        /// <see cref="PropagationFlags.InheritOnly"/>, which targets the children of each path
        /// rather than the path itself.
        /// </remarks>
        /// <param name="bindMounts">Bind mounts to process; null or empty means nothing is done.</param>
        /// <param name="containerUser">Container user named as the trustee of each rule.</param>
        private void ProcessBindMounds(IEnumerable<CreateRequest.BindMount> bindMounts, ContainerUser containerUser)
        {
            if (bindMounts.IsNullOrEmpty())
            {
                return;
            }

            var inheritToChildren = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

            foreach (var mount in bindMounts)
            {
                FileSystemRights grantedRights;
                switch (mount.BindMountMode)
                {
                    // TODO: the narrower rights aren't quite enough yet -
                    //   RO should be FileSystemRights.Read
                    //   RW should be FileSystemRights.Read | FileSystemRights.Write
                    // Until that is resolved both modes fall back to FullControl.
                    case CreateRequest.BindMount.Mode.RO:
                    case CreateRequest.BindMount.Mode.RW:
                        grantedRights = FileSystemRights.FullControl;
                        break;
                    default:
                        grantedRights = FileSystemRights.Read;
                        break;
                }

                var mountRule = new FileSystemAccessRule(
                    containerUser,
                    grantedRights,
                    inheritToChildren,
                    PropagationFlags.InheritOnly,
                    AccessControlType.Allow);

                log.Trace("Adding access rule to SrcPath '{0}', DstPath '{1}'", mount.SrcPath, mount.DstPath);

                // The same rule goes on both ends of the mount.
                AddAccessRuleTo(mountRule, mount.SrcPath);
                AddAccessRuleTo(mountRule, mount.DstPath);
            }
        }