diff --git a/.gitignore b/.gitignore
index 272afd3..10301ed 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,6 +52,5 @@ profile.out
 *.tar
 rootfs
 config.json
-bin
-rootfs.go
+image/data.go
 .ip
diff --git a/Makefile b/Makefile
index 58ea0d3..f170280 100644
--- a/Makefile
+++ b/Makefile
@@ -1,17 +1,18 @@
 # Set an output prefix, which is the local directory if not specified
 PREFIX?=$(shell pwd)
-BUILDTAGS=seccomp apparmor
 
 # Setup name variables for the package/tool
 NAME := binctr
 PKG := github.com/genuinetools/$(NAME)
 
 # Set any default go build tags
-BUILDTAGS :=
+BUILDTAGS := seccomp apparmor
 
 # Set the build dir, where built cross-compiled binaries will be output
 BUILDDIR := ${PREFIX}/cross
 
+IMAGE := alpine
+
 # Populate version variables
 # Add to compile time flags
 VERSION := $(shell cat VERSION.txt)
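Review bot: `IMAGE := alpine` is a bare, untagged reference, so the `docker pull $(IMAGE)` that the new `image.tar` target runs resolves the mutable `latest` tag and two builds of the same commit can embed different root filesystems. Since this value is also what the binary reports as its image name, a comment next to the assignment should say that it is expected to be pinned: `# Image to embed; pin a tag (or digest) so rebuilds of the same commit embed the same rootfs`. Note that `$(notdir $(IMAGE))` keeps any `:tag` suffix, so pinning also changes the name of the built artifact under `$(BUILDDIR)`.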
@@ -20,28 +21,26 @@ GITUNTRACKEDCHANGES := $(shell git status --porcelain --untracked-files=no)
 ifneq ($(GITUNTRACKEDCHANGES),)
 	GITCOMMIT := $(GITCOMMIT)-dirty
 endif
-CTIMEVAR=-X $(PKG)/version.GITCOMMIT=$(GITCOMMIT) -X $(PKG)/version.VERSION=$(VERSION)
+CTIMEVAR=-X $(PKG)/version.GITCOMMIT=$(GITCOMMIT) -X $(PKG)/version.VERSION=$(VERSION) \
+	-X main.IMAGE=$(notdir $(IMAGE)) \
+	-X main.IMAGESHA=$(shell docker inspect --format "{{.Id}}" $(IMAGE))
 GO_LDFLAGS=-ldflags "-w $(CTIMEVAR)"
 GO_LDFLAGS_STATIC=-ldflags "-w $(CTIMEVAR) -extldflags -static"
 
-# List the GOOS and GOARCH to build
-GOOSARCHES = darwin/amd64 darwin/386 freebsd/amd64 freebsd/386 linux/arm linux/arm64 linux/amd64 linux/386 solaris/amd64 windows/amd64 windows/386
-
-all: clean build fmt lint test staticcheck vet install ## Runs a clean, build, fmt, lint, test, staticcheck, vet and install
+all: clean build fmt lint test staticcheck vet ## Runs a clean, build, fmt, lint, test, staticcheck, and vet
 
 .PHONY: build
-build: $(NAME) ## Builds a dynamic executable or package
+build: $(BUILDDIR)/$(notdir $(IMAGE)) ## Builds a static executable or package
 
-$(NAME): *.go VERSION.txt
-	@echo "+ $@"
-	go build -tags "$(BUILDTAGS)" ${GO_LDFLAGS} -o $(NAME) .
+$(BUILDDIR):
+	@mkdir -p $@
 
-.PHONY: static
-static: ## Builds a static executable
+$(BUILDDIR)/$(notdir $(IMAGE)): $(BUILDDIR) image/data.go *.go VERSION.txt
 	@echo "+ $@"
-	CGO_ENABLED=0 go build \
+	CGO_ENABLED=1 go build \
 		-tags "$(BUILDTAGS) static_build" \
-		${GO_LDFLAGS_STATIC} -o $(NAME) .
+		${GO_LDFLAGS_STATIC} -o $@ .
+	@echo "Static container for $(IMAGE) created at: $@"
 
 .PHONY: fmt
 fmt: ## Verifies all files have men `gofmt`ed
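Review bot: The new `-X main.IMAGE=…` and `-X main.IMAGESHA=…` continuation lines of `CTIMEVAR` name symbols that this same commit removes from main.go; the values now live in `image.NAME` and `image.SHA` (image/image.go), and the Go linker ignores `-X` for a symbol that does not exist, so both stay empty and the banner, the `-version` output and the `-id` default all lose the image identity. Change the two lines to `-X $(PKG)/image.NAME=$(notdir $(IMAGE)) \` and `-X $(PKG)/image.SHA=$(shell docker inspect --format "{{.Id}}" $(IMAGE))`. Separately, `CTIMEVAR` is recursively assigned, so the `docker inspect` runs at parse time on every expansion and on every make invocation (including `clean`), and it runs before the `image.tar` target has pulled the image; on a fresh host the digest is empty, and after a pull that moves the tag it can describe a different image than the one exported. Deriving the digest inside the `image.tar` recipe (for example writing it next to the tarball and reading it in the build rule) would keep the embedded digest consistent with the embedded rootfs.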
@@ -79,40 +78,6 @@ cover: ## Runs go test with coverage
 	fi; \
 	done;
 
-.PHONY: install
-install: ## Installs the executable or package
-	@echo "+ $@"
-	go install -a -tags "$(BUILDTAGS)" ${GO_LDFLAGS} .
-
-define buildpretty
-mkdir -p $(BUILDDIR)/$(1)/$(2);
-GOOS=$(1) GOARCH=$(2) CGO_ENABLED=0 go build \
-	 -o $(BUILDDIR)/$(1)/$(2)/$(NAME) \
-	 -a -tags "$(BUILDTAGS) static_build netgo" \
-	 -installsuffix netgo ${GO_LDFLAGS_STATIC} .;
-md5sum $(BUILDDIR)/$(1)/$(2)/$(NAME) > $(BUILDDIR)/$(1)/$(2)/$(NAME).md5;
-sha256sum $(BUILDDIR)/$(1)/$(2)/$(NAME) > $(BUILDDIR)/$(1)/$(2)/$(NAME).sha256;
-endef
-
-.PHONY: cross
-cross: *.go VERSION.txt ## Builds the cross-compiled binaries, creating a clean directory structure (eg. GOOS/GOARCH/binary)
-	@echo "+ $@"
-	$(foreach GOOSARCH,$(GOOSARCHES), $(call buildpretty,$(subst /,,$(dir $(GOOSARCH))),$(notdir $(GOOSARCH))))
-
-define buildrelease
-GOOS=$(1) GOARCH=$(2) CGO_ENABLED=0 go build \
-	 -o $(BUILDDIR)/$(NAME)-$(1)-$(2) \
-	 -a -tags "$(BUILDTAGS) static_build netgo" \
-	 -installsuffix netgo ${GO_LDFLAGS_STATIC} .;
-md5sum $(BUILDDIR)/$(NAME)-$(1)-$(2) > $(BUILDDIR)/$(NAME)-$(1)-$(2).md5;
-sha256sum $(BUILDDIR)/$(NAME)-$(1)-$(2) > $(BUILDDIR)/$(NAME)-$(1)-$(2).sha256;
-endef
-
-.PHONY: release
-release: *.go VERSION.txt ## Builds the cross-compiled binaries, naming them in such a way for release (eg. binary-GOOS-GOARCH)
-	@echo "+ $@"
-	$(foreach GOOSARCH,$(GOOSARCHES), $(call buildrelease,$(subst /,,$(dir $(GOOSARCH))),$(notdir $(GOOSARCH))))
-
 .PHONY: bump-version
 BUMP := patch
 bump-version: ## Bump the version in the version file. Set BUMP to [ patch | major | minor ]
@@ -131,11 +96,24 @@ tag: ## Create a new git tag to prepare to build a release git tag -sa $(VERSION) -m "$(VERSION)" @echo "Run git push origin $(VERSION) to push your new tag to GitHub and trigger a travis build." +.PHONY: image.tar +image.tar: + docker pull --disable-content-trust=false $(IMAGE) + docker export $(shell docker create $(IMAGE) sh) > $@ + +.PHONY: image/data.go +image/data.go: image.tar + GOMAXPROCS=1 go generate + .PHONY: clean clean: ## Cleanup any build binaries or packages @echo "+ $@" $(RM) $(NAME) $(RM) -r $(BUILDDIR) + @sudo $(RM) -r rootfs + $(RM) *.tar + $(RM) image/data.go + -@docker rm $(shell docker ps -aq) /dev/null 2>&1 .PHONY: help help: diff --git a/generate.go b/generate.go index acbb8f4..7f58da5 100644 --- a/generate.go +++ b/generate.go @@ -9,19 +9,23 @@ import ( "path/filepath" ) -// Reads static/index.html and saves as a constant in static.go +// Reads image.tar and saves as a constant in rootfs.go func main() { wd, err := os.Getwd() if err != nil { panic(err) } - out, err := os.Create(filepath.Join(wd, "rootfs.go")) + out, err := os.Create(filepath.Join(wd, "image", "data.go")) if err != nil { panic(err) } tarPath := filepath.Join(wd, "image.tar") - out.Write([]byte("// This file is autogenerated; DO NOT EDIT DIRECTLY\n// See generate.go for more info\npackage main\n\nconst (\n")) + out.Write([]byte("// Package image is autogenerated; DO NOT EDIT DIRECTLY\n")) + out.Write([]byte("// See generate.go for more info\n")) + out.Write([]byte("package image\n\n")) + out.Write([]byte("const (\n")) + out.Write([]byte("\t// DATA is the image data that is embessed at compile time.\n")) out.Write([]byte("\tDATA = `")) f, err := ioutil.ReadFile(tarPath) if err != nil { diff --git a/image/image.go b/image/image.go new file mode 100644 index 0000000..3361d57 --- /dev/null +++ b/image/image.go 
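Review bot: In the `image.tar` recipe, `$(shell docker create $(IMAGE) sh)` is expanded by make when the recipe is read, i.e. before the `docker pull` on the previous line has run, so the container is created from whatever copy of `$(IMAGE)` is already cached (or the create fails on a fresh host) and the exported rootfs can lag the pull. The created container is never removed by the recipe; `clean` compensates with `docker rm $(shell docker ps -aq)`, which removes every container on the host rather than only the one this build created, and the `/dev/null 2>&1` argument is missing its `>`, so `/dev/null` is passed to `docker rm` as a container name. Marking the real files `image.tar` and `image/data.go` as `.PHONY` forces a re-pull, re-export and regeneration (and therefore a relink of the binary) on every `make build`; dropping those two `.PHONY` lines restores incremental builds. `@sudo $(RM) -r rootfs` silently escalates privileges from inside `clean`; at minimum drop the `@` so the command is echoed before it asks for a password. Running create, export and remove in one shell line and writing the tarball atomically keeps the container lifecycle inside the recipe:
```make
image.tar:
	docker pull --disable-content-trust=false $(IMAGE)
	cid=$$(docker create $(IMAGE) sh) && \
		docker export "$$cid" > $@.tmp && \
		docker rm "$$cid" >/dev/null && \
		mv -f $@.tmp $@
```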
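Review bot: The comment above `main` still says the constant is saved in `rootfs.go`, while the `os.Create` call a few lines below now writes `image/data.go`; update it to `// Reads image.tar and writes it as a base64 constant into image/data.go (package image).` The generated doc line misspells the word: `embessed` should be `embedded` in `"\t// DATA is the image data that is embedded at compile time.\n"`. The return values of the `out.Write` calls are discarded, so a short write would silently produce a truncated data.go; `main` continues past the end of the hunk.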
@@ -0,0 +1,7 @@ +package image + +// NAME is the name of the image that is embedded at compile time. +var NAME string + +// SHA is the sha digest of the image that is embedded at compile time. +var SHA string diff --git a/main.go b/main.go index be15590..9542da5 100644 --- a/main.go +++ b/main.go @@ -10,6 +10,7 @@ import ( "strings" aaprofile "github.com/docker/docker/profiles/apparmor" + "github.com/genuinetools/binctr/image" "github.com/genuinetools/binctr/version" "github.com/opencontainers/runc/libcontainer" "github.com/opencontainers/runc/libcontainer/apparmor" @@ -56,11 +57,6 @@ var ( debug bool vrsn bool - - // IMAGE is the name of the image that is embedded at compile time. - IMAGE = "alpine" - // IMAGESHA is the sha digest of the image that is embedded at compile time. - IMAGESHA = "sha256:70c557e50ed630deed07cbb0dc4d28aa0f2a485cf7af124cc48f06bce83f784b" ) // stringSlice is a slice of strings @@ -107,7 +103,7 @@ func (s stringSlice) ParseHooks() (hooks specs.Hooks, err error) { func init() { // Parse flags - flag.StringVar(&containerID, "id", IMAGE, "container ID") + flag.StringVar(&containerID, "id", image.NAME, "container ID") flag.StringVar(&pidFile, "pid-file", "", "specify the file to write the process id to") flag.StringVar(&root, "root", defaultRoot, "root directory of container state, should be tmpfs") @@ -123,14 +119,14 @@ func init() { flag.BoolVar(&debug, "D", false, "run in debug mode") flag.Usage = func() { - fmt.Fprint(os.Stderr, fmt.Sprintf(BANNER, IMAGE, IMAGESHA, version.VERSION, version.GITCOMMIT)) + fmt.Fprint(os.Stderr, fmt.Sprintf(BANNER, image.NAME, image.SHA, version.VERSION, version.GITCOMMIT)) flag.PrintDefaults() } flag.Parse() if vrsn { - fmt.Printf("%s, commit: %s, image: %s, image digest: %s", version.VERSION, version.GITCOMMIT, IMAGE, IMAGESHA) + fmt.Printf("%s, commit: %s, image: %s, image digest: %s", version.VERSION, version.GITCOMMIT, image.NAME, image.SHA) os.Exit(0) } 
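Review bot: `NAME` and `SHA` are exported package-level vars with no default, so they hold "" unless the build passes matching `-ldflags "-X …/image.NAME=…"` flags, and nothing in this file says so. The doc comments should state the contract, e.g. `// NAME is the image reference baked in at link time via -ldflags "-X .../image.NAME=…"; it is empty when the build omitted the flag.` and the same for `SHA`, whose value is expected in the `sha256:…` form the removed main.go default used.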
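Review bot: `image.NAME` is now the default for `-id` in `init`, and it is populated only by the linker flag, so a build that omits or mistargets the `-X` flag (as the Makefile in this commit does with `main.IMAGE`) starts with an empty container ID default. Guard it before the flag definitions, e.g. `if image.NAME == "" { fmt.Fprintln(os.Stderr, "image name was not embedded at build time"); os.Exit(1) }`, so the problem surfaces at startup instead of as an odd container name. `init` continues outside this hunk.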
diff --git a/notify_socket.go b/notify_socket.go index 98bb14d..5d4068f 100644 --- a/notify_socket.go +++ b/notify_socket.go @@ -63,16 +63,16 @@ func (s *notifySocket) setupSocket() error { // pid1 must be set only with -d, as it is used to set the new process as the main process // for the service in butts -func (notifySocket *notifySocket) run(pid1 int) { +func (s *notifySocket) run(pid1 int) { buf := make([]byte, 512) - notifySocketHostAddr := net.UnixAddr{Name: notifySocket.host, Net: "unixgram"} + notifySocketHostAddr := net.UnixAddr{Name: s.host, Net: "unixgram"} client, err := net.DialUnix("unixgram", nil, ¬ifySocketHostAddr) if err != nil { logrus.Error(err) return } for { - r, err := notifySocket.socket.Read(buf) + r, err := s.socket.Read(buf) if err != nil { break } diff --git a/rlimit_linux.go b/rlimit_linux.go index c97a0fb..b8abbfb 100644 --- a/rlimit_linux.go +++ b/rlimit_linux.go 
@@ -3,41 +3,41 @@ package main
 import "fmt"
 
 const (
-	RLIMIT_CPU = iota // CPU time in sec
-	RLIMIT_FSIZE // Maximum filesize
-	RLIMIT_DATA // max data size
-	RLIMIT_STACK // max stack size
-	RLIMIT_CORE // max core file size
-	RLIMIT_RSS // max resident set size
-	RLIMIT_NPROC // max number of processes
-	RLIMIT_NOFILE // max number of open files
-	RLIMIT_MEMLOCK // max locked-in-memory address space
-	RLIMIT_AS // address space limit
-	RLIMIT_LOCKS // maximum file locks held
-	RLIMIT_SIGPENDING // max number of pending signals
-	RLIMIT_MSGQUEUE // maximum bytes in POSIX mqueues
-	RLIMIT_NICE // max nice prio allowed to raise to
-	RLIMIT_RTPRIO // maximum realtime priority
-	RLIMIT_RTTIME // timeout for RT tasks in us
+	rLimitCPU = iota // CPU time in sec
+	rLimitFsize // Maximum filesize
+	rLimitData // max data size
+	rLimitStack // max stack size
+	rLimitCore // max core file size
+	rLimitRss // max resident set size
+	rLimitNproc // max number of processes
+	rLimitNofile // max number of open files
+	rLimitMemlock // max locked-in-memory address space
+	rLimitAs // address space limit
+	rLimitLocks // maximum file locks held
+	rLimitSigpending // max number of pending signals
+	rLimitMsgqueue // maximum bytes in POSIX mqueues
+	rLimitNice // max nice prio allowed to raise to
+	rLimitRtprio // maximum realtime priority
+	rLimitRttime // timeout for RT tasks in us
 )
 
 var rlimitMap = map[string]int{
-	"RLIMIT_CPU": RLIMIT_CPU,
-	"RLIMIT_FSIZE": RLIMIT_FSIZE,
-	"RLIMIT_DATA": RLIMIT_DATA,
-	"RLIMIT_STACK": RLIMIT_STACK,
-	"RLIMIT_CORE": RLIMIT_CORE,
-	"RLIMIT_RSS": RLIMIT_RSS,
-	"RLIMIT_NPROC": RLIMIT_NPROC,
-	"RLIMIT_NOFILE": RLIMIT_NOFILE,
-	"RLIMIT_MEMLOCK": RLIMIT_MEMLOCK,
-	"RLIMIT_AS": RLIMIT_AS,
-	"RLIMIT_LOCKS": RLIMIT_LOCKS,
-	"RLIMIT_SIGPENDING": RLIMIT_SIGPENDING,
-	"RLIMIT_MSGQUEUE": RLIMIT_MSGQUEUE,
-	"RLIMIT_NICE": RLIMIT_NICE,
-	"RLIMIT_RTPRIO": RLIMIT_RTPRIO,
-	"RLIMIT_RTTIME": RLIMIT_RTTIME,
+	"RLIMIT_CPU": rLimitCPU,
+	"RLIMIT_FSIZE": rLimitFsize,
+	"RLIMIT_DATA": rLimitData,
+	"RLIMIT_STACK": rLimitStack,
+	"RLIMIT_CORE": rLimitCore,
+	"RLIMIT_RSS": rLimitRss,
+	"RLIMIT_NPROC": rLimitNproc,
+	"RLIMIT_NOFILE": rLimitNofile,
+	"RLIMIT_MEMLOCK": rLimitMemlock,
+	"RLIMIT_AS": rLimitAs,
+	"RLIMIT_LOCKS": rLimitLocks,
+	"RLIMIT_SIGPENDING": rLimitSigpending,
+	"RLIMIT_MSGQUEUE": rLimitMsgqueue,
+	"RLIMIT_NICE": rLimitNice,
+	"RLIMIT_RTPRIO": rLimitRtprio,
+	"RLIMIT_RTTIME": rLimitRttime,
 }
 
 func strToRlimit(key string) (int, error) {
diff --git a/rootfs_ops.go b/rootfs.go
similarity index 87%
rename from rootfs_ops.go
rename to rootfs.go
index 0aeafe4..9761ab7 100644
--- a/rootfs_ops.go
+++ b/rootfs.go
@@ -8,13 +8,12 @@ import (
 	"path/filepath"
 
 	"github.com/docker/docker/pkg/archive"
+	"github.com/genuinetools/binctr/image"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )
 
-const DATA = ""
-
 func unpackRootfs(spec *specs.Spec) error {
-	data, err := base64.StdEncoding.DecodeString(DATA)
+	data, err := base64.StdEncoding.DecodeString(image.DATA)
 	if err != nil {
 		return err
 	}
diff --git a/seccomp.json b/seccomp.json
deleted file mode 100755
index c298009..0000000
--- a/seccomp.json
+++ /dev/null
@@ -1,1623 +0,0 @@ -G{ - "defaultAction": "SCMP_ACT_ERRNO", - "architectures": [ - "SCMP_ARCH_X86_64", - "SCMP_ARCH_X86", - "SCMP_ARCH_X32" - ], - "syscalls": [ - { - "name": "accept", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "accept4", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "access", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "alarm", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "arch_prctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "bind", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "brk", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "capget", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "capset", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chdir", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chmod", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chown", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chown32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "chroot", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clock_getres", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clock_gettime", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clock_nanosleep", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "clone", - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 2080505856, - "valueTwo": 0, - "op": "SCMP_CMP_MASKED_EQ" - } - ] - }, - { - "name": "close", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "connect", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "copy_file_range", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "creat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "dup", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "dup2", - "action": "SCMP_ACT_ALLOW", - "args": [] 
- }, - { - "name": "dup3", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_create", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_create1", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_ctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_ctl_old", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_pwait", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_wait", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "epoll_wait_old", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "eventfd", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "eventfd2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "execve", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "execveat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "exit", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "exit_group", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "faccessat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fadvise64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fadvise64_64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fallocate", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fanotify_init", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fanotify_mark", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchdir", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchmod", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchmodat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchown", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchown32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fchownat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fcntl", - "action": 
"SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fcntl64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fdatasync", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fgetxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "flistxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "flock", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fork", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fremovexattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fsetxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstat64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstatat64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstatfs", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fstatfs64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "fsync", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ftruncate", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ftruncate64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "futex", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "futimesat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getcpu", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getcwd", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getdents", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getdents64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getegid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getegid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "geteuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "geteuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgid", - "action": 
"SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgroups", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getgroups32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getitimer", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpeername", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpgrp", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getppid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getpriority", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getrandom", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresgid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getresuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getrlimit", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "get_robust_list", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getrusage", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getsid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getsockname", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getsockopt", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "get_thread_area", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "gettid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "gettimeofday", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "getuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - 
"name": "getxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "inotify_add_watch", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "inotify_init", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "inotify_init1", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "inotify_rm_watch", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "io_cancel", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ioctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "io_destroy", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "io_getevents", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ioprio_get", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ioprio_set", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "io_setup", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "io_submit", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ipc", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "kill", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lchown", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lchown32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lgetxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "link", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "linkat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "listen", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "listxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "llistxattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "_llseek", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lremovexattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lseek", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lsetxattr", - "action": "SCMP_ACT_ALLOW", - 
"args": [] - }, - { - "name": "lstat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "lstat64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "madvise", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "memfd_create", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mincore", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mkdir", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mkdirat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mknod", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mknodat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mlock", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mlock2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mlockall", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mmap", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mmap2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mprotect", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_getsetattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_notify", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_open", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_timedreceive", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_timedsend", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mq_unlink", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "mremap", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "msgctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "msgget", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "msgrcv", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "msgsnd", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "msync", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { 
- "name": "munlock", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "munlockall", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "munmap", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "nanosleep", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "newfstatat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "_newselect", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "open", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "openat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pause", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "personality", - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 0, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ] - }, - { - "name": "personality", - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 8, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ] - }, - { - "name": "personality", - "action": "SCMP_ACT_ALLOW", - "args": [ - { - "index": 0, - "value": 4294967295, - "valueTwo": 0, - "op": "SCMP_CMP_EQ" - } - ] - }, - { - "name": "pipe", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pipe2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "poll", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "ppoll", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "prctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pread64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "preadv", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "prlimit64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pselect6", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pwrite64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "pwritev", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "read", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { 
- "name": "readahead", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "readlink", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "readlinkat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "readv", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "recv", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "recvfrom", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "recvmmsg", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "recvmsg", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "remap_file_pages", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "removexattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rename", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "renameat", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "renameat2", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "restart_syscall", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rmdir", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigaction", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigpending", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigprocmask", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigqueueinfo", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigreturn", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigsuspend", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_sigtimedwait", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "rt_tgsigqueueinfo", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_getaffinity", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_getattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_getparam", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { 
- "name": "sched_get_priority_max", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_get_priority_min", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_getscheduler", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_rr_get_interval", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_setaffinity", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_setattr", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_setparam", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_setscheduler", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sched_yield", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "seccomp", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "select", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "semctl", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "semget", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "semop", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "semtimedop", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "send", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendfile", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendfile64", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendmmsg", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendmsg", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "sendto", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setdomainname", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setfsgid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setfsgid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setfsuid", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, - { - "name": "setfsuid32", - "action": "SCMP_ACT_ALLOW", - "args": [] - }, 
- {
- "name": "setgid",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setgid32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setgroups",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setgroups32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "sethostname",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setitimer",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setpgid",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setpriority",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setregid",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setregid32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setresgid",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setresgid32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setresuid",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setresuid32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setreuid",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setreuid32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setrlimit",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "set_robust_list",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setsid",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setsockopt",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "set_thread_area",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "set_tid_address",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setuid",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setuid32",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "setxattr",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "shmat",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "shmctl",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "shmdt",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "shmget",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "shutdown",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "sigaltstack",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "signalfd",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "signalfd4",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "sigreturn",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "socket",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "socketpair",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "splice",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "stat",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "stat64",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "statfs",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "statfs64",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "symlink",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "symlinkat",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "sync",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "sync_file_range",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "syncfs",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "sysinfo",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "syslog",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "tee",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "tgkill",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "time",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "timer_create",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "timer_delete",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "timerfd_create",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "timerfd_gettime",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "timerfd_settime",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "timer_getoverrun",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "timer_gettime",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "timer_settime",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "times",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "tkill",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "truncate",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "truncate64",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "ugetrlimit",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "umask",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "uname",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "unlink",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "unlinkat",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "utime",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "utimensat",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "utimes",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "vfork",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "vhangup",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "vmsplice",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "wait4",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "waitid",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "waitpid",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "write",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "writev",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "modify_ldt",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "breakpoint",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "cacheflush",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- },
- {
- "name": "set_tls",
- "action": "SCMP_ACT_ALLOW",
- "args": []
- }
- ]
-}
diff --git a/signals.go b/signals.go
index 0dde1c6..b3fd8cd 100644
--- a/signals.go
+++ b/signals.go
@@ -67,9 +67,9 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
 if detach {
 h.notifySocket.run(pid1)
 return 0, nil
- } else {
- go h.notifySocket.run(0)
 }
+
+ go h.notifySocket.run(0)
 }
 // Perform the initial tty resize. Always ignore errors resizing because
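Review bot: Hoisting `go h.notifySocket.run(0)` out of the else branch makes its safety depend on the scope that encloses the hunk: the closing brace right after the new line presumably belongs to a nil check on h.notifySocket opened on the line before the hunk, which is outside this view, and if no such guard exists the non-detached path now calls run on a possibly nil socket. The goroutine is also started with no handle on its lifetime and, if run reports an error, that result is dropped on both the detached and non-detached paths. A short comment would record the intent of the asymmetry, e.g. `// Not detaching: service the notify socket in the background while signals are forwarded below.` The enclosing forward function starts and ends outside the hunk.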
