vbatts/cri-o
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Merge pull request #213 from runcom/bump-runtime-tools

Browse source 
*: bump opencontainers/runtime-tools
This commit is contained in:
Mrunal Patel 2016-11-24 08:29:43 -08:00 committed by GitHub
commit b6f1b027eb
11 changed files with 2529 additions and 328 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
server/container_create.go
View file

@ -149,9 +149,9 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
return nil, fmt.Errorf("Mount.HostPath is empty") return nil, fmt.Errorf("Mount.HostPath is empty")
} }
options := "rw" options := []string{"rw"}
if mount.GetReadonly() { if mount.GetReadonly() {
options = "ro" options = []string{"ro"}
} }
if mount.GetSelinuxRelabel() { if mount.GetSelinuxRelabel() {
@ -162,7 +162,6 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
} }
specgen.AddBindMount(src, dest, options) specgen.AddBindMount(src, dest, options)
} }
labels := containerConfig.GetLabels() labels := containerConfig.GetLabels()
@ -283,7 +282,7 @@ func (s *Server) createSandboxContainer(containerID string, containerName string
} }
specgen.AddAnnotation("ocid/labels", string(labelsJSON)) specgen.AddAnnotation("ocid/labels", string(labelsJSON))
if err = specgen.SaveToFile(filepath.Join(containerDir, "config.json")); err != nil { if err = specgen.SaveToFile(filepath.Join(containerDir, "config.json"), generate.ExportOptions{}); err != nil {
return nil, err return nil, err
} }

4
server/sandbox_run.go
View file

@ -107,7 +107,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
return nil, err return nil, err
} }
g.AddBindMount(resolvPath, "/etc/resolv.conf", "ro") g.AddBindMount(resolvPath, "/etc/resolv.conf", []string{"ro"})
// add metadata // add metadata
metadata := req.GetConfig().GetMetadata() metadata := req.GetConfig().GetMetadata()
@ -228,7 +228,7 @@ func (s *Server) RunPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
} }
} }
err = g.SaveToFile(filepath.Join(podSandboxDir, "config.json")) err = g.SaveToFile(filepath.Join(podSandboxDir, "config.json"), generate.ExportOptions{})
if err != nil { if err != nil {
return nil, err return nil, err
} }

489
vendor/src/github.com/opencontainers/runtime-tools/generate/generate.go vendored
View file

@ -7,10 +7,10 @@ import (
"io" "io"
"os" "os"
"runtime" "runtime"
"strconv"
"strings" "strings"
rspec "github.com/opencontainers/runtime-spec/specs-go" rspec "github.com/opencontainers/runtime-spec/specs-go"
"github.com/opencontainers/runtime-tools/generate/seccomp"
"github.com/syndtr/gocapability/capability" "github.com/syndtr/gocapability/capability"
) )
@ -25,6 +25,11 @@ type Generator struct {
HostSpecific bool HostSpecific bool
} }
// ExportOptions have toggles for exporting only certain parts of the specification
type ExportOptions struct {
Seccomp bool // seccomp toggles if only seccomp should be exported
}
// New creates a spec Generator with the default spec. // New creates a spec Generator with the default spec.
func New() Generator { func New() Generator {
spec := rspec.Spec{ spec := rspec.Spec{
@ -140,6 +145,7 @@ func New() Generator {
Devices: []rspec.Device{}, Devices: []rspec.Device{},
}, },
} }
spec.Linux.Seccomp = seccomp.DefaultProfile(&spec)
return Generator{ return Generator{
spec: &spec, spec: &spec,
} }
@ -152,7 +158,7 @@ func NewFromSpec(spec *rspec.Spec) Generator {
} }
} }
// NewFromFile loads the template specifed in a file into a spec Generator. // NewFromFile loads the template specified in a file into a spec Generator.
func NewFromFile(path string) (Generator, error) { func NewFromFile(path string) (Generator, error) {
cf, err := os.Open(path) cf, err := os.Open(path)
if err != nil { if err != nil {
@ -187,8 +193,14 @@ func (g *Generator) Spec() *rspec.Spec {
} }
// Save writes the spec into w. // Save writes the spec into w.
func (g *Generator) Save(w io.Writer) error { func (g *Generator) Save(w io.Writer, exportOpts ExportOptions) (err error) {
data, err := json.MarshalIndent(g.spec, "", "\t") var data []byte
if exportOpts.Seccomp {
data, err = json.MarshalIndent(g.spec.Linux.Seccomp, "", "\t")
} else {
data, err = json.MarshalIndent(g.spec, "", "\t")
}
if err != nil { if err != nil {
return err return err
} }
@ -202,13 +214,13 @@ func (g *Generator) Save(w io.Writer) error {
} }
// SaveToFile writes the spec into a file. // SaveToFile writes the spec into a file.
func (g *Generator) SaveToFile(path string) error { func (g *Generator) SaveToFile(path string, exportOpts ExportOptions) error {
f, err := os.Create(path) f, err := os.Create(path)
if err != nil { if err != nil {
return err return err
} }
defer f.Close() defer f.Close()
return g.Save(f) return g.Save(f, exportOpts)
} }
// SetVersion sets g.spec.Version. // SetVersion sets g.spec.Version.
@ -325,6 +337,47 @@ func (g *Generator) AddProcessEnv(env string) {
g.spec.Process.Env = append(g.spec.Process.Env, env) g.spec.Process.Env = append(g.spec.Process.Env, env)
} }
// AddProcessRlimits adds rlimit into g.spec.Process.Rlimits.
func (g *Generator) AddProcessRlimits(rType string, rHard uint64, rSoft uint64) {
g.initSpec()
for i, rlimit := range g.spec.Process.Rlimits {
if rlimit.Type == rType {
g.spec.Process.Rlimits[i].Hard = rHard
g.spec.Process.Rlimits[i].Soft = rSoft
return
}
}
newRlimit := rspec.Rlimit{
Type: rType,
Hard: rHard,
Soft: rSoft,
}
g.spec.Process.Rlimits = append(g.spec.Process.Rlimits, newRlimit)
}
// RemoveProcessRlimits removes a rlimit from g.spec.Process.Rlimits.
func (g *Generator) RemoveProcessRlimits(rType string) error {
if g.spec == nil {
return nil
}
for i, rlimit := range g.spec.Process.Rlimits {
if rlimit.Type == rType {
g.spec.Process.Rlimits = append(g.spec.Process.Rlimits[:i], g.spec.Process.Rlimits[i+1:]...)
return nil
}
}
return nil
}
// ClearProcessRlimits clear g.spec.Process.Rlimits.
func (g *Generator) ClearProcessRlimits() {
if g.spec == nil {
return
}
g.spec.Process.Rlimits = []rspec.Rlimit{}
}
// ClearProcessAdditionalGids clear g.spec.Process.AdditionalGids. // ClearProcessAdditionalGids clear g.spec.Process.AdditionalGids.
func (g *Generator) ClearProcessAdditionalGids() { func (g *Generator) ClearProcessAdditionalGids() {
if g.spec == nil { if g.spec == nil {
@ -362,6 +415,12 @@ func (g *Generator) SetLinuxMountLabel(label string) {
g.spec.Linux.MountLabel = label g.spec.Linux.MountLabel = label
} }
// SetLinuxResourcesDisableOOMKiller sets g.spec.Linux.Resources.DisableOOMKiller.
func (g *Generator) SetLinuxResourcesDisableOOMKiller(disable bool) {
g.initSpecLinuxResources()
g.spec.Linux.Resources.DisableOOMKiller = &disable
}
// SetLinuxResourcesOOMScoreAdj sets g.spec.Linux.Resources.OOMScoreAdj. // SetLinuxResourcesOOMScoreAdj sets g.spec.Linux.Resources.OOMScoreAdj.
func (g *Generator) SetLinuxResourcesOOMScoreAdj(adj int) { func (g *Generator) SetLinuxResourcesOOMScoreAdj(adj int) {
g.initSpecLinuxResources() g.initSpecLinuxResources()
@ -446,6 +505,44 @@ func (g *Generator) SetLinuxResourcesMemorySwappiness(swappiness uint64) {
g.spec.Linux.Resources.Memory.Swappiness = &swappiness g.spec.Linux.Resources.Memory.Swappiness = &swappiness
} }
// SetLinuxResourcesNetworkClassID sets g.spec.Linux.Resources.Network.ClassID.
func (g *Generator) SetLinuxResourcesNetworkClassID(classid uint32) {
g.initSpecLinuxResourcesNetwork()
g.spec.Linux.Resources.Network.ClassID = &classid
}
// AddLinuxResourcesNetworkPriorities adds or sets g.spec.Linux.Resources.Network.Priorities.
func (g *Generator) AddLinuxResourcesNetworkPriorities(name string, prio uint32) {
g.initSpecLinuxResourcesNetwork()
for i, netPriority := range g.spec.Linux.Resources.Network.Priorities {
if netPriority.Name == name {
g.spec.Linux.Resources.Network.Priorities[i].Priority = prio
return
}
}
interfacePrio := new(rspec.InterfacePriority)
interfacePrio.Name = name
interfacePrio.Priority = prio
g.spec.Linux.Resources.Network.Priorities = append(g.spec.Linux.Resources.Network.Priorities, *interfacePrio)
}
// DropLinuxResourcesNetworkPriorities drops one item from g.spec.Linux.Resources.Network.Priorities.
func (g *Generator) DropLinuxResourcesNetworkPriorities(name string) {
g.initSpecLinuxResourcesNetwork()
for i, netPriority := range g.spec.Linux.Resources.Network.Priorities {
if netPriority.Name == name {
g.spec.Linux.Resources.Network.Priorities = append(g.spec.Linux.Resources.Network.Priorities[:i], g.spec.Linux.Resources.Network.Priorities[i+1:]...)
return
}
}
}
// SetLinuxResourcesPidsLimit sets g.spec.Linux.Resources.Pids.Limit.
func (g *Generator) SetLinuxResourcesPidsLimit(limit int64) {
g.initSpecLinuxResourcesPids()
g.spec.Linux.Resources.Pids.Limit = &limit
}
// ClearLinuxSysctl clears g.spec.Linux.Sysctl. // ClearLinuxSysctl clears g.spec.Linux.Sysctl.
func (g *Generator) ClearLinuxSysctl() { func (g *Generator) ClearLinuxSysctl() {
if g.spec == nil || g.spec.Linux == nil { if g.spec == nil || g.spec.Linux == nil {
@ -468,278 +565,6 @@ func (g *Generator) RemoveLinuxSysctl(key string) {
delete(g.spec.Linux.Sysctl, key) delete(g.spec.Linux.Sysctl, key)
} }
// SetLinuxSeccompDefault sets g.spec.Linux.Seccomp.DefaultAction.
func (g *Generator) SetLinuxSeccompDefault(sdefault string) error {
switch sdefault {
case "":
case "SCMP_ACT_KILL":
case "SCMP_ACT_TRAP":
case "SCMP_ACT_ERRNO":
case "SCMP_ACT_TRACE":
case "SCMP_ACT_ALLOW":
default:
return fmt.Errorf("seccomp-default must be empty or one of " +
"SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|SCMP_ACT_TRACE|" +
"SCMP_ACT_ALLOW")
}
g.initSpecLinuxSeccomp()
g.spec.Linux.Seccomp.DefaultAction = rspec.Action(sdefault)
return nil
}
func checkSeccompArch(arch string) error {
switch arch {
case "":
case "SCMP_ARCH_X86":
case "SCMP_ARCH_X86_64":
case "SCMP_ARCH_X32":
case "SCMP_ARCH_ARM":
case "SCMP_ARCH_AARCH64":
case "SCMP_ARCH_MIPS":
case "SCMP_ARCH_MIPS64":
case "SCMP_ARCH_MIPS64N32":
case "SCMP_ARCH_MIPSEL":
case "SCMP_ARCH_MIPSEL64":
case "SCMP_ARCH_MIPSEL64N32":
default:
return fmt.Errorf("seccomp-arch must be empty or one of " +
"SCMP_ARCH_X86|SCMP_ARCH_X86_64|SCMP_ARCH_X32|SCMP_ARCH_ARM|" +
"SCMP_ARCH_AARCH64SCMP_ARCH_MIPS|SCMP_ARCH_MIPS64|" +
"SCMP_ARCH_MIPS64N32|SCMP_ARCH_MIPSEL|SCMP_ARCH_MIPSEL64|" +
"SCMP_ARCH_MIPSEL64N32")
}
return nil
}
// ClearLinuxSeccompArch clears g.spec.Linux.Seccomp.Architectures.
func (g *Generator) ClearLinuxSeccompArch() {
if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Seccomp == nil {
return
}
g.spec.Linux.Seccomp.Architectures = []rspec.Arch{}
}
// AddLinuxSeccompArch adds sArch into g.spec.Linux.Seccomp.Architectures.
func (g *Generator) AddLinuxSeccompArch(sArch string) error {
if err := checkSeccompArch(sArch); err != nil {
return err
}
g.initSpecLinuxSeccomp()
g.spec.Linux.Seccomp.Architectures = append(g.spec.Linux.Seccomp.Architectures, rspec.Arch(sArch))
return nil
}
// RemoveSeccompArch removes sArch from g.spec.Linux.Seccomp.Architectures.
func (g *Generator) RemoveSeccompArch(sArch string) error {
if err := checkSeccompArch(sArch); err != nil {
return err
}
if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Seccomp == nil {
return nil
}
for i, arch := range g.spec.Linux.Seccomp.Architectures {
if string(arch) == sArch {
g.spec.Linux.Seccomp.Architectures = append(g.spec.Linux.Seccomp.Architectures[:i], g.spec.Linux.Seccomp.Architectures[i+1:]...)
return nil
}
}
return nil
}
func checkSeccompSyscallAction(syscall string) error {
switch syscall {
case "":
case "SCMP_ACT_KILL":
case "SCMP_ACT_TRAP":
case "SCMP_ACT_ERRNO":
case "SCMP_ACT_TRACE":
case "SCMP_ACT_ALLOW":
default:
return fmt.Errorf("seccomp-syscall action must be empty or " +
"one of SCMP_ACT_KILL|SCMP_ACT_TRAP|SCMP_ACT_ERRNO|" +
"SCMP_ACT_TRACE|SCMP_ACT_ALLOW")
}
return nil
}
func checkSeccompSyscallArg(arg string) error {
switch arg {
case "":
case "SCMP_CMP_NE":
case "SCMP_CMP_LT":
case "SCMP_CMP_LE":
case "SCMP_CMP_EQ":
case "SCMP_CMP_GE":
case "SCMP_CMP_GT":
case "SCMP_CMP_MASKED_EQ":
default:
return fmt.Errorf("seccomp-syscall args must be " +
"empty or one of SCMP_CMP_NE|SCMP_CMP_LT|" +
"SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|" +
"SCMP_CMP_GT|SCMP_CMP_MASKED_EQ")
}
return nil
}
func parseSeccompSyscall(s string) (rspec.Syscall, error) {
syscall := strings.Split(s, ":")
if len(syscall) != 3 {
return rspec.Syscall{}, fmt.Errorf("seccomp sysctl must consist of 3 parameters")
}
name := syscall[0]
if err := checkSeccompSyscallAction(syscall[1]); err != nil {
return rspec.Syscall{}, err
}
action := rspec.Action(syscall[1])
var Args []rspec.Arg
if strings.EqualFold(syscall[2], "") {
Args = nil
} else {
argsslice := strings.Split(syscall[2], ",")
for _, argsstru := range argsslice {
args := strings.Split(argsstru, "/")
if len(args) == 4 {
index, err := strconv.Atoi(args[0])
value, err := strconv.Atoi(args[1])
value2, err := strconv.Atoi(args[2])
if err != nil {
return rspec.Syscall{}, err
}
if err := checkSeccompSyscallArg(args[3]); err != nil {
return rspec.Syscall{}, err
}
op := rspec.Operator(args[3])
Arg := rspec.Arg{
Index: uint(index),
Value: uint64(value),
ValueTwo: uint64(value2),
Op: op,
}
Args = append(Args, Arg)
} else {
return rspec.Syscall{}, fmt.Errorf("seccomp-sysctl args error: %s", argsstru)
}
}
}
return rspec.Syscall{
Name: name,
Action: action,
Args: Args,
}, nil
}
// ClearLinuxSeccompSyscall clears g.spec.Linux.Seccomp.Syscalls.
func (g *Generator) ClearLinuxSeccompSyscall() {
if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Seccomp == nil {
return
}
g.spec.Linux.Seccomp.Syscalls = []rspec.Syscall{}
}
// AddLinuxSeccompSyscall adds sSyscall into g.spec.Linux.Seccomp.Syscalls.
func (g *Generator) AddLinuxSeccompSyscall(sSyscall string) error {
f, err := parseSeccompSyscall(sSyscall)
if err != nil {
return err
}
g.initSpecLinuxSeccomp()
g.spec.Linux.Seccomp.Syscalls = append(g.spec.Linux.Seccomp.Syscalls, f)
return nil
}
// AddLinuxSeccompSyscallAllow adds seccompAllow into g.spec.Linux.Seccomp.Syscalls.
func (g *Generator) AddLinuxSeccompSyscallAllow(seccompAllow string) {
syscall := rspec.Syscall{
Name: seccompAllow,
Action: "SCMP_ACT_ALLOW",
}
g.initSpecLinuxSeccomp()
g.spec.Linux.Seccomp.Syscalls = append(g.spec.Linux.Seccomp.Syscalls, syscall)
}
// AddLinuxSeccompSyscallErrno adds seccompErrno into g.spec.Linux.Seccomp.Syscalls.
func (g *Generator) AddLinuxSeccompSyscallErrno(seccompErrno string) {
syscall := rspec.Syscall{
Name: seccompErrno,
Action: "SCMP_ACT_ERRNO",
}
g.initSpecLinuxSeccomp()
g.spec.Linux.Seccomp.Syscalls = append(g.spec.Linux.Seccomp.Syscalls, syscall)
}
// RemoveSeccompSyscallByName removes all the seccomp syscalls with the given
// name from g.spec.Linux.Seccomp.Syscalls.
func (g *Generator) RemoveSeccompSyscallByName(name string) error {
if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Seccomp == nil {
return nil
}
var r []rspec.Syscall
for _, syscall := range g.spec.Linux.Seccomp.Syscalls {
if strings.Compare(name, syscall.Name) != 0 {
r = append(r, syscall)
}
}
g.spec.Linux.Seccomp.Syscalls = r
return nil
}
// RemoveSeccompSyscallByAction removes all the seccomp syscalls with the given
// action from g.spec.Linux.Seccomp.Syscalls.
func (g *Generator) RemoveSeccompSyscallByAction(action string) error {
if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Seccomp == nil {
return nil
}
if err := checkSeccompSyscallAction(action); err != nil {
return err
}
var r []rspec.Syscall
for _, syscall := range g.spec.Linux.Seccomp.Syscalls {
if strings.Compare(action, string(syscall.Action)) != 0 {
r = append(r, syscall)
}
}
g.spec.Linux.Seccomp.Syscalls = r
return nil
}
// RemoveSeccompSyscall removes all the seccomp syscalls with the given
// name and action from g.spec.Linux.Seccomp.Syscalls.
func (g *Generator) RemoveSeccompSyscall(name string, action string) error {
if g.spec == nil || g.spec.Linux == nil || g.spec.Linux.Seccomp == nil {
return nil
}
if err := checkSeccompSyscallAction(action); err != nil {
return err
}
var r []rspec.Syscall
for _, syscall := range g.spec.Linux.Seccomp.Syscalls {
if !(strings.Compare(name, syscall.Name) == 0 &&
strings.Compare(action, string(syscall.Action)) == 0) {
r = append(r, syscall)
}
}
g.spec.Linux.Seccomp.Syscalls = r
return nil
}
// ClearLinuxUIDMappings clear g.spec.Linux.UIDMappings. // ClearLinuxUIDMappings clear g.spec.Linux.UIDMappings.
func (g *Generator) ClearLinuxUIDMappings() { func (g *Generator) ClearLinuxUIDMappings() {
if g.spec == nil || g.spec.Linux == nil { if g.spec == nil || g.spec.Linux == nil {
@ -881,24 +706,35 @@ func (g *Generator) AddCgroupsMount(mountCgroupOption string) error {
} }
// AddBindMount adds a bind mount into g.spec.Mounts. // AddBindMount adds a bind mount into g.spec.Mounts.
func (g *Generator) AddBindMount(source, dest, options string) { func (g *Generator) AddBindMount(source, dest string, options []string) {
if options == "" { if len(options) == 0 {
options = "ro" options = []string{"rw"}
} }
defaultOptions := []string{"bind"} // We have to make sure that there is a bind option set, otherwise it won't
// be an actual bindmount.
foundBindOption := false
for _, opt := range options {
if opt == "bind" || opt == "rbind" {
foundBindOption = true
break
}
}
if !foundBindOption {
options = append(options, "bind")
}
mnt := rspec.Mount{ mnt := rspec.Mount{
Destination: dest, Destination: dest,
Type: "bind", Type: "bind",
Source: source, Source: source,
Options: append(defaultOptions, options), Options: options,
} }
g.initSpec() g.initSpec()
g.spec.Mounts = append(g.spec.Mounts, mnt) g.spec.Mounts = append(g.spec.Mounts, mnt)
} }
// SetupPrivileged sets up the priviledge-related fields inside g.spec. // SetupPrivileged sets up the privilege-related fields inside g.spec.
func (g *Generator) SetupPrivileged(privileged bool) { func (g *Generator) SetupPrivileged(privileged bool) {
if privileged { if privileged {
// Add all capabilities in privileged mode. // Add all capabilities in privileged mode.
@ -1063,42 +899,51 @@ func (g *Generator) RemoveLinuxNamespace(ns string) error {
// strPtr returns the pointer pointing to the string s. // strPtr returns the pointer pointing to the string s.
func strPtr(s string) *string { return &s } func strPtr(s string) *string { return &s }
// FIXME: this function is not used. // SetSyscallAction adds rules for syscalls with the specified action
func parseArgs(args2parse string) ([]*rspec.Arg, error) { func (g *Generator) SetSyscallAction(arguments seccomp.SyscallOpts) error {
var Args []*rspec.Arg g.initSpecLinuxSeccomp()
argstrslice := strings.Split(args2parse, ",") return seccomp.ParseSyscallFlag(arguments, g.spec.Linux.Seccomp)
for _, argstr := range argstrslice { }
args := strings.Split(argstr, "/")
if len(args) == 4 { // SetDefaultSeccompAction sets the default action for all syscalls not defined
index, err := strconv.Atoi(args[0]) // and then removes any syscall rules with this action already specified.
value, err := strconv.Atoi(args[1]) func (g *Generator) SetDefaultSeccompAction(action string) error {
value2, err := strconv.Atoi(args[2]) g.initSpecLinuxSeccomp()
if err != nil { return seccomp.ParseDefaultAction(action, g.spec.Linux.Seccomp)
return nil, err }
}
switch args[3] { // SetDefaultSeccompActionForce only sets the default action for all syscalls not defined
case "": func (g *Generator) SetDefaultSeccompActionForce(action string) error {
case "SCMP_CMP_NE": g.initSpecLinuxSeccomp()
case "SCMP_CMP_LT": return seccomp.ParseDefaultActionForce(action, g.spec.Linux.Seccomp)
case "SCMP_CMP_LE": }
case "SCMP_CMP_EQ":
case "SCMP_CMP_GE": // SetSeccompArchitecture sets the supported seccomp architectures
case "SCMP_CMP_GT": func (g *Generator) SetSeccompArchitecture(architecture string) error {
case "SCMP_CMP_MASKED_EQ": g.initSpecLinuxSeccomp()
default: return seccomp.ParseArchitectureFlag(architecture, g.spec.Linux.Seccomp)
return nil, fmt.Errorf("seccomp-sysctl args must be empty or one of SCMP_CMP_NE|SCMP_CMP_LT|SCMP_CMP_LE|SCMP_CMP_EQ|SCMP_CMP_GE|SCMP_CMP_GT|SCMP_CMP_MASKED_EQ") }
}
op := rspec.Operator(args[3]) // RemoveSeccompRule removes rules for any specified syscalls
Arg := rspec.Arg{ func (g *Generator) RemoveSeccompRule(arguments string) error {
Index: uint(index), g.initSpecLinuxSeccomp()
Value: uint64(value), return seccomp.RemoveAction(arguments, g.spec.Linux.Seccomp)
ValueTwo: uint64(value2), }
Op: op,
} // RemoveAllSeccompRules removes all syscall rules
Args = append(Args, &Arg) func (g *Generator) RemoveAllSeccompRules() error {
} else { g.initSpecLinuxSeccomp()
return nil, fmt.Errorf("seccomp-sysctl args error: %s", argstr) return seccomp.RemoveAllSeccompRules(g.spec.Linux.Seccomp)
} }
}
return Args, nil // AddLinuxMaskedPaths adds masked paths into g.spec.Linux.MaskedPaths.
func (g *Generator) AddLinuxMaskedPaths(path string) {
g.initSpecLinux()
g.spec.Linux.MaskedPaths = append(g.spec.Linux.MaskedPaths, path)
}
// AddLinuxReadonlyPaths adds readonly paths into g.spec.Linux.MaskedPaths.
func (g *Generator) AddLinuxReadonlyPaths(path string) {
g.initSpecLinux()
g.spec.Linux.ReadonlyPaths = append(g.spec.Linux.ReadonlyPaths, path)
} }

12
vendor/src/github.com/opencontainers/runtime-tools/generate/seccomp/consts.go vendored Normal file
View file

@ -0,0 +1,12 @@
package seccomp
const (
seccompOverwrite = "overwrite"
seccompAppend = "append"
nothing = "nothing"
kill = "kill"
trap = "trap"
trace = "trace"
allow = "allow"
errno = "errno"
)

127
vendor/src/github.com/opencontainers/runtime-tools/generate/seccomp/parse_action.go vendored Normal file
View file

@ -0,0 +1,127 @@
package seccomp
import (
"fmt"
"strconv"
"strings"
rspec "github.com/opencontainers/runtime-spec/specs-go"
)
// SyscallOpts contain options for parsing syscall rules
type SyscallOpts struct {
Action string
Syscall string
Index string
Value string
ValueTwo string
Operator string
}
// ParseSyscallFlag takes a SyscallOpts struct and the seccomp configuration
// and sets the new syscall rule accordingly
func ParseSyscallFlag(args SyscallOpts, config *rspec.Seccomp) error {
var arguments []string
if args.Index != "" && args.Value != "" && args.ValueTwo != "" && args.Operator != "" {
arguments = []string{args.Action, args.Syscall, args.Index, args.Value,
args.ValueTwo, args.Operator}
} else {
arguments = []string{args.Action, args.Syscall}
}
action, _ := parseAction(arguments[0])
if action == config.DefaultAction {
return fmt.Errorf("default action already set as %s", action)
}
var newSyscall rspec.Syscall
numOfArgs := len(arguments)
if numOfArgs == 6 || numOfArgs == 2 {
argStruct, err := parseArguments(arguments[1:])
if err != nil {
return err
}
newSyscall = newSyscallStruct(arguments[1], action, argStruct)
} else {
return fmt.Errorf("incorrect number of arguments to ParseSyscall: %d", numOfArgs)
}
descison, err := decideCourseOfAction(&newSyscall, config.Syscalls)
if err != nil {
return err
}
delimDescison := strings.Split(descison, ":")
if delimDescison[0] == seccompAppend {
config.Syscalls = append(config.Syscalls, newSyscall)
}
if delimDescison[0] == seccompOverwrite {
indexForOverwrite, err := strconv.ParseInt(delimDescison[1], 10, 32)
if err != nil {
return err
}
config.Syscalls[indexForOverwrite] = newSyscall
}
return nil
}
var actions = map[string]rspec.Action{
"allow": rspec.ActAllow,
"errno": rspec.ActErrno,
"kill": rspec.ActKill,
"trace": rspec.ActTrace,
"trap": rspec.ActTrap,
}
// Take passed action, return the SCMP_ACT_<ACTION> version of it
func parseAction(action string) (rspec.Action, error) {
a, ok := actions[action]
if !ok {
return "", fmt.Errorf("unrecognized action: %s", action)
}
return a, nil
}
// ParseDefaultAction sets the default action of the seccomp configuration
// and then removes any rules that were already specified with this action
func ParseDefaultAction(action string, config *rspec.Seccomp) error {
if action == "" {
return nil
}
defaultAction, err := parseAction(action)
if err != nil {
return err
}
config.DefaultAction = defaultAction
err = RemoveAllMatchingRules(config, action)
if err != nil {
return err
}
return nil
}
// ParseDefaultActionForce simply sets the default action of the seccomp configuration
func ParseDefaultActionForce(action string, config *rspec.Seccomp) error {
if action == "" {
return nil
}
defaultAction, err := parseAction(action)
if err != nil {
return err
}
config.DefaultAction = defaultAction
return nil
}
func newSyscallStruct(name string, action rspec.Action, args []rspec.Arg) rspec.Syscall {
syscallStruct := rspec.Syscall{
Name: name,
Action: action,
Args: args,
}
return syscallStruct
}

53
vendor/src/github.com/opencontainers/runtime-tools/generate/seccomp/parse_architecture.go vendored Normal file
View file

@ -0,0 +1,53 @@
package seccomp
import (
"fmt"
rspec "github.com/opencontainers/runtime-spec/specs-go"
)
// ParseArchitectureFlag takes the raw string passed with the --arch flag, parses it
// and updates the Seccomp config accordingly
func ParseArchitectureFlag(architectureArg string, config *rspec.Seccomp) error {
correctedArch, err := parseArch(architectureArg)
if err != nil {
return err
}
shouldAppend := true
for _, alreadySpecified := range config.Architectures {
if correctedArch == alreadySpecified {
shouldAppend = false
}
}
if shouldAppend {
config.Architectures = append(config.Architectures, correctedArch)
}
return nil
}
func parseArch(arch string) (rspec.Arch, error) {
arches := map[string]rspec.Arch{
"x86": rspec.ArchX86,
"amd64": rspec.ArchX86_64,
"x32": rspec.ArchX32,
"arm": rspec.ArchARM,
"arm64": rspec.ArchAARCH64,
"mips": rspec.ArchMIPS,
"mips64": rspec.ArchMIPS64,
"mips64n32": rspec.ArchMIPS64N32,
"mipsel": rspec.ArchMIPSEL,
"mipsel64": rspec.ArchMIPSEL64,
"mipsel64n32": rspec.ArchMIPSEL64N32,
"ppc": rspec.ArchPPC,
"ppc64": rspec.ArchPPC64,
"ppc64le": rspec.ArchPPC64LE,
"s390": rspec.ArchS390,
"s390x": rspec.ArchS390X,
}
a, ok := arches[arch]
if !ok {
return "", fmt.Errorf("unrecognized architecture: %s", arch)
}
return a, nil
}

73
vendor/src/github.com/opencontainers/runtime-tools/generate/seccomp/parse_arguments.go vendored Normal file
View file

@ -0,0 +1,73 @@
package seccomp
import (
"fmt"
"strconv"
rspec "github.com/opencontainers/runtime-spec/specs-go"
)
// parseArguments takes a list of arguments (delimArgs). It parses and fills out
// the argument information and returns a slice of arg structs
func parseArguments(delimArgs []string) ([]rspec.Arg, error) {
nilArgSlice := []rspec.Arg{}
numberOfArgs := len(delimArgs)
// No parameters passed with syscall
if numberOfArgs == 1 {
return nilArgSlice, nil
}
// Correct number of parameters passed with syscall
if numberOfArgs == 5 {
syscallIndex, err := strconv.ParseUint(delimArgs[1], 10, 0)
if err != nil {
return nilArgSlice, err
}
syscallValue, err := strconv.ParseUint(delimArgs[2], 10, 64)
if err != nil {
return nilArgSlice, err
}
syscallValueTwo, err := strconv.ParseUint(delimArgs[3], 10, 64)
if err != nil {
return nilArgSlice, err
}
syscallOp, err := parseOperator(delimArgs[4])
if err != nil {
return nilArgSlice, err
}
argStruct := rspec.Arg{
Index: uint(syscallIndex),
Value: syscallValue,
ValueTwo: syscallValueTwo,
Op: syscallOp,
}
argSlice := []rspec.Arg{}
argSlice = append(argSlice, argStruct)
return argSlice, nil
}
return nilArgSlice, fmt.Errorf("incorrect number of arguments passed with syscall: %d", numberOfArgs)
}
func parseOperator(operator string) (rspec.Operator, error) {
operators := map[string]rspec.Operator{
"NE": rspec.OpNotEqual,
"LT": rspec.OpLessThan,
"LE": rspec.OpLessEqual,
"EQ": rspec.OpEqualTo,
"GE": rspec.OpGreaterEqual,
"GT": rspec.OpGreaterThan,
"ME": rspec.OpMaskedEqual,
}
o, ok := operators[operator]
if !ok {
return "", fmt.Errorf("unrecognized operator: %s", operator)
}
return o, nil
}

68
vendor/src/github.com/opencontainers/runtime-tools/generate/seccomp/parse_remove.go vendored Normal file
View file

@ -0,0 +1,68 @@
package seccomp
import (
"fmt"
"reflect"
"strings"
rspec "github.com/opencontainers/runtime-spec/specs-go"
)
// RemoveAction takes the argument string that was passed with the --remove flag,
// parses it, and updates the Seccomp config accordingly
func RemoveAction(arguments string, config *rspec.Seccomp) error {
if config == nil {
return fmt.Errorf("Cannot remove action from nil Seccomp pointer")
}
var syscallsToRemove []string
if strings.Contains(arguments, ",") {
syscallsToRemove = strings.Split(arguments, ",")
} else {
syscallsToRemove = append(syscallsToRemove, arguments)
}
for _, syscall := range syscallsToRemove {
for counter, syscallStruct := range config.Syscalls {
if syscallStruct.Name == syscall {
config.Syscalls = append(config.Syscalls[:counter], config.Syscalls[counter+1:]...)
}
}
}
return nil
}
// RemoveAllSeccompRules removes all seccomp syscall rules
func RemoveAllSeccompRules(config *rspec.Seccomp) error {
if config == nil {
return fmt.Errorf("Cannot remove action from nil Seccomp pointer")
}
newSyscallSlice := []rspec.Syscall{}
config.Syscalls = newSyscallSlice
return nil
}
// RemoveAllMatchingRules will remove any syscall rules that match the specified action
func RemoveAllMatchingRules(config *rspec.Seccomp, action string) error {
if config == nil {
return fmt.Errorf("Cannot remove action from nil Seccomp pointer")
}
seccompAction, err := parseAction(action)
if err != nil {
return err
}
syscallsToRemove := []string{}
for _, syscall := range config.Syscalls {
if reflect.DeepEqual(syscall.Action, seccompAction) {
syscallsToRemove = append(syscallsToRemove, syscall.Name)
}
}
for i := range syscallsToRemove {
RemoveAction(syscallsToRemove[i], config)
}
return nil
}

1870
vendor/src/github.com/opencontainers/runtime-tools/generate/seccomp/seccomp_default.go vendored Normal file
View file

File diff suppressed because it is too large Load diff

140
vendor/src/github.com/opencontainers/runtime-tools/generate/seccomp/syscall_compare.go vendored Normal file
View file

@ -0,0 +1,140 @@
package seccomp
import (
"fmt"
"reflect"
"strconv"
"strings"
rspec "github.com/opencontainers/runtime-spec/specs-go"
)
// Determine if a new syscall rule should be appended, overwrite an existing rule
// or if no action should be taken at all
func decideCourseOfAction(newSyscall *rspec.Syscall, syscalls []rspec.Syscall) (string, error) {
ruleForSyscallAlreadyExists := false
var sliceOfDeterminedActions []string
for i, syscall := range syscalls {
if syscall.Name == newSyscall.Name {
ruleForSyscallAlreadyExists = true
if identical(newSyscall, &syscall) {
sliceOfDeterminedActions = append(sliceOfDeterminedActions, nothing)
}
if sameAction(newSyscall, &syscall) {
if bothHaveArgs(newSyscall, &syscall) {
sliceOfDeterminedActions = append(sliceOfDeterminedActions, seccompAppend)
}
if onlyOneHasArgs(newSyscall, &syscall) {
if firstParamOnlyHasArgs(newSyscall, &syscall) {
sliceOfDeterminedActions = append(sliceOfDeterminedActions, "overwrite:"+strconv.Itoa(i))
} else {
sliceOfDeterminedActions = append(sliceOfDeterminedActions, nothing)
}
}
}
if !sameAction(newSyscall, &syscall) {
if bothHaveArgs(newSyscall, &syscall) {
if sameArgs(newSyscall, &syscall) {
sliceOfDeterminedActions = append(sliceOfDeterminedActions, "overwrite:"+strconv.Itoa(i))
}
if !sameArgs(newSyscall, &syscall) {
sliceOfDeterminedActions = append(sliceOfDeterminedActions, seccompAppend)
}
}
if onlyOneHasArgs(newSyscall, &syscall) {
sliceOfDeterminedActions = append(sliceOfDeterminedActions, seccompAppend)
}
if neitherHasArgs(newSyscall, &syscall) {
sliceOfDeterminedActions = append(sliceOfDeterminedActions, "overwrite:"+strconv.Itoa(i))
}
}
}
}
if !ruleForSyscallAlreadyExists {
sliceOfDeterminedActions = append(sliceOfDeterminedActions, seccompAppend)
}
// Nothing has highest priority
for _, determinedAction := range sliceOfDeterminedActions {
if determinedAction == nothing {
return determinedAction, nil
}
}
// Overwrite has second highest priority
for _, determinedAction := range sliceOfDeterminedActions {
if strings.Contains(determinedAction, seccompOverwrite) {
return determinedAction, nil
}
}
// Append has the lowest priority
for _, determinedAction := range sliceOfDeterminedActions {
if determinedAction == seccompAppend {
return determinedAction, nil
}
}
return "", fmt.Errorf("Trouble determining action: %s", sliceOfDeterminedActions)
}
func hasArguments(config *rspec.Syscall) bool {
nilSyscall := new(rspec.Syscall)
return !sameArgs(nilSyscall, config)
}
func identical(config1, config2 *rspec.Syscall) bool {
return reflect.DeepEqual(config1, config2)
}
func identicalExceptAction(config1, config2 *rspec.Syscall) bool {
samename := sameName(config1, config2)
sameAction := sameAction(config1, config2)
sameArgs := sameArgs(config1, config2)
return samename && !sameAction && sameArgs
}
func identicalExceptArgs(config1, config2 *rspec.Syscall) bool {
samename := sameName(config1, config2)
sameAction := sameAction(config1, config2)
sameArgs := sameArgs(config1, config2)
return samename && sameAction && !sameArgs
}
func sameName(config1, config2 *rspec.Syscall) bool {
return config1.Name == config2.Name
}
func sameAction(config1, config2 *rspec.Syscall) bool {
return config1.Action == config2.Action
}
func sameArgs(config1, config2 *rspec.Syscall) bool {
return reflect.DeepEqual(config1.Args, config2.Args)
}
func bothHaveArgs(config1, config2 *rspec.Syscall) bool {
return hasArguments(config1) && hasArguments(config2)
}
func onlyOneHasArgs(config1, config2 *rspec.Syscall) bool {
conf1 := hasArguments(config1)
conf2 := hasArguments(config2)
return (conf1 && !conf2) || (!conf1 && conf2)
}
func neitherHasArgs(config1, config2 *rspec.Syscall) bool {
return !hasArguments(config1) && !hasArguments(config2)
}
func firstParamOnlyHasArgs(config1, config2 *rspec.Syscall) bool {
return !hasArguments(config1) && hasArguments(config2)
}

14
vendor/src/github.com/opencontainers/runtime-tools/generate/spec.go vendored
View file

@ -58,3 +58,17 @@ func (g *Generator) initSpecLinuxResourcesMemory() {
g.spec.Linux.Resources.Memory = &rspec.Memory{} g.spec.Linux.Resources.Memory = &rspec.Memory{}
} }
} }
func (g *Generator) initSpecLinuxResourcesNetwork() {
g.initSpecLinuxResources()
if g.spec.Linux.Resources.Network == nil {
g.spec.Linux.Resources.Network = &rspec.Network{}
}
}
func (g *Generator) initSpecLinuxResourcesPids() {
g.initSpecLinuxResources()
if g.spec.Linux.Resources.Pids == nil {
g.spec.Linux.Resources.Pids = &rspec.Pids{}
}
}