package main import ( "bufio" "bytes" "fmt" "os" "runtime" "strconv" "strings" "unicode" "unicode/utf8" rspec "github.com/opencontainers/runtime-spec/specs-go" "github.com/opencontainers/runtime-tools/generate" "github.com/opencontainers/runtime-tools/generate/seccomp" "github.com/urfave/cli" ) var generateFlags = []cli.Flag{ cli.StringFlag{Name: "apparmor", Usage: "specifies the the apparmor profile for the container"}, cli.StringFlag{Name: "arch", Value: runtime.GOARCH, Usage: "architecture the container is created for"}, cli.StringSliceFlag{Name: "args", Usage: "command to run in the container"}, cli.StringSliceFlag{Name: "bind", Usage: "bind mount directories src:dest[:options...]"}, cli.StringSliceFlag{Name: "cap-add", Usage: "add Linux capabilities"}, cli.StringSliceFlag{Name: "cap-drop", Usage: "drop Linux capabilities"}, cli.BoolFlag{Name: "cap-drop-all", Usage: "drop all Linux capabilities"}, cli.StringFlag{Name: "cgroups-path", Usage: "specify the path to the cgroups"}, cli.StringFlag{Name: "cwd", Value: "/", Usage: "current working directory for the process"}, cli.StringSliceFlag{Name: "device-add", Usage: "add a device which must be made available in the container"}, cli.StringSliceFlag{Name: "device-remove", Usage: "remove a device which must be made available in the container"}, cli.BoolFlag{Name: "device-remove-all", Usage: "remove all devices which must be made available in the container"}, cli.BoolFlag{Name: "disable-oom-kill", Usage: "disable OOM Killer"}, cli.StringSliceFlag{Name: "env", Usage: "add environment variable e.g. key=value"}, cli.StringSliceFlag{Name: "env-file", Usage: "read in a file of environment variables"}, cli.IntFlag{Name: "gid", Usage: "gid for the process"}, cli.StringSliceFlag{Name: "gidmappings", Usage: "add GIDMappings e.g HostID:ContainerID:Size"}, cli.StringSliceFlag{Name: "groups", Usage: "supplementary groups for the process"}, cli.StringFlag{Name: "hostname", Usage: "hostname value for the container"}, cli.StringSliceFlag{Name: "label", Usage: "add annotations to the configuration e.g. key=value"}, cli.Uint64Flag{Name: "linux-cpu-shares", Usage: "the relative share of CPU time available to the tasks in a cgroup"}, cli.Uint64Flag{Name: "linux-cpu-period", Usage: "the CPU period to be used for hardcapping (in usecs)"}, cli.Uint64Flag{Name: "linux-cpu-quota", Usage: "the allowed CPU time in a given period (in usecs)"}, cli.StringFlag{Name: "linux-cpus", Usage: "CPUs to use within the cpuset (default is to use any CPU available)"}, cli.Uint64Flag{Name: "linux-mem-kernel-limit", Usage: "kernel memory limit (in bytes)"}, cli.Uint64Flag{Name: "linux-mem-kernel-tcp", Usage: "kernel memory limit for tcp (in bytes)"}, cli.Uint64Flag{Name: "linux-mem-limit", Usage: "memory limit (in bytes)"}, cli.Uint64Flag{Name: "linux-mem-reservation", Usage: "memory reservation or soft limit (in bytes)"}, cli.Uint64Flag{Name: "linux-mem-swap", Usage: "total memory limit (memory + swap) (in bytes)"}, cli.Uint64Flag{Name: "linux-mem-swappiness", Usage: "how aggressive the kernel will swap memory pages (Range from 0 to 100)"}, cli.StringFlag{Name: "linux-mems", Usage: "list of memory nodes in the cpuset (default is to use any available memory node)"}, cli.StringSliceFlag{Name: "linux-namespace-add", Usage: "adds a namespace to the set of namespaces to create or join of the form 'ns[:path]'"}, cli.StringSliceFlag{Name: "linux-namespace-remove", Usage: "removes a namespace from the set of namespaces to create or join of the form 'ns'"}, cli.BoolFlag{Name: "linux-namespace-remove-all", Usage: "removes all namespaces from the set of namespaces created or joined"}, cli.IntFlag{Name: "linux-network-classid", Usage: "specifies class identifier tagged by container's network packets"}, cli.StringSliceFlag{Name: "linux-network-priorities", Usage: "specifies priorities of network traffic"}, cli.Int64Flag{Name: "linux-pids-limit", Usage: "maximum number of PIDs"}, cli.Int64Flag{Name: "linux-realtime-period", Usage: "CPU period to be used for realtime scheduling (in usecs)"}, cli.Int64Flag{Name: "linux-realtime-runtime", Usage: "the time realtime scheduling may use (in usecs)"}, cli.StringSliceFlag{Name: "masked-paths", Usage: "specifies paths can not be read inside container"}, cli.StringFlag{Name: "mount-cgroups", Value: "no", Usage: "mount cgroups (rw,ro,no)"}, cli.StringFlag{Name: "mount-label", Usage: "selinux mount context label"}, cli.BoolFlag{Name: "no-new-privileges", Usage: "set no new privileges bit for the container process"}, cli.IntFlag{Name: "oom-score-adj", Usage: "oom_score_adj for the container"}, cli.StringFlag{Name: "os", Value: runtime.GOOS, Usage: "operating system the container is created for"}, cli.StringFlag{Name: "output", Usage: "output file (defaults to stdout)"}, cli.StringSliceFlag{Name: "poststart", Usage: "set command to run in poststart hooks"}, cli.StringSliceFlag{Name: "poststop", Usage: "set command to run in poststop hooks"}, cli.StringSliceFlag{Name: "prestart", Usage: "set command to run in prestart hooks"}, cli.BoolFlag{Name: "privileged", Usage: "enable privileged container settings"}, cli.StringSliceFlag{Name: "readonly-paths", Usage: "specifies paths readonly inside container"}, cli.StringFlag{Name: "rootfs-path", Value: "rootfs", Usage: "path to the root filesystem"}, cli.StringFlag{Name: "rootfs-propagation", Usage: "mount propagation for rootfs"}, cli.BoolFlag{Name: "rootfs-readonly", Usage: "make the container's rootfs readonly"}, cli.StringSliceFlag{Name: "rlimits-add", Usage: "specifies resource limits for processes inside the container. "}, cli.StringSliceFlag{Name: "rlimits-remove", Usage: "remove specified resource limits for processes inside the container. "}, cli.BoolFlag{Name: "rlimits-remove-all", Usage: "remove all resource limits for processes inside the container. "}, cli.StringFlag{Name: "seccomp-allow", Usage: "specifies syscalls to respond with allow"}, cli.StringFlag{Name: "seccomp-arch", Usage: "specifies additional architectures permitted to be used for system calls"}, cli.StringFlag{Name: "seccomp-default", Usage: "specifies default action to be used for system calls and removes existing rules with specified action"}, cli.StringFlag{Name: "seccomp-default-force", Usage: "same as seccomp-default but does not remove existing rules with specified action"}, cli.StringFlag{Name: "seccomp-errno", Usage: "specifies syscalls to respond with errno"}, cli.StringFlag{Name: "seccomp-kill", Usage: "specifies syscalls to respond with kill"}, cli.BoolFlag{Name: "seccomp-only", Usage: "specifies to export just a seccomp configuration file"}, cli.StringFlag{Name: "seccomp-remove", Usage: "specifies syscalls to remove seccomp rules for"}, cli.BoolFlag{Name: "seccomp-remove-all", Usage: "removes all syscall rules from seccomp configuration"}, cli.StringFlag{Name: "seccomp-trace", Usage: "specifies syscalls to respond with trace"}, cli.StringFlag{Name: "seccomp-trap", Usage: "specifies syscalls to respond with trap"}, cli.StringFlag{Name: "selinux-label", Usage: "process selinux label"}, cli.StringSliceFlag{Name: "sysctl", Usage: "add sysctl settings e.g net.ipv4.forward=1"}, cli.StringFlag{Name: "template", Usage: "base template to use for creating the configuration"}, cli.StringSliceFlag{Name: "tmpfs", Usage: "mount tmpfs e.g. ContainerDIR[:OPTIONS...]"}, cli.BoolFlag{Name: "tty", Usage: "allocate a new tty for the container process"}, cli.IntFlag{Name: "uid", Usage: "uid for the process"}, cli.StringSliceFlag{Name: "uidmappings", Usage: "add UIDMappings e.g HostID:ContainerID:Size"}, } var generateCommand = cli.Command{ Name: "generate", Usage: "generate an OCI spec file", Flags: generateFlags, Before: before, Action: func(context *cli.Context) error { // Start from the default template. specgen := generate.New() var template string if context.IsSet("template") { template = context.String("template") } if template != "" { var err error specgen, err = generate.NewFromFile(template) if err != nil { return err } } err := setupSpec(&specgen, context) if err != nil { return err } var exportOpts generate.ExportOptions exportOpts.Seccomp = context.Bool("seccomp-only") if context.IsSet("output") { err = specgen.SaveToFile(context.String("output"), exportOpts) } else { err = specgen.Save(os.Stdout, exportOpts) } if err != nil { return err } return nil }, } func setupSpec(g *generate.Generator, context *cli.Context) error { if context.GlobalBool("host-specific") { g.HostSpecific = true } spec := g.Spec() if len(spec.Version) == 0 { g.SetVersion(rspec.Version) } if context.IsSet("hostname") { g.SetHostname(context.String("hostname")) } g.SetPlatformOS(context.String("os")) g.SetPlatformArch(context.String("arch")) if context.IsSet("label") { annotations := context.StringSlice("label") for _, s := range annotations { pair := strings.SplitN(s, "=", 2) if len(pair) != 2 || pair[0] == "" { return fmt.Errorf("incorrectly specified annotation: %s", s) } g.AddAnnotation(pair[0], pair[1]) } } g.SetRootPath(context.String("rootfs-path")) if context.IsSet("rootfs-readonly") { g.SetRootReadonly(context.Bool("rootfs-readonly")) } if context.IsSet("uid") { g.SetProcessUID(uint32(context.Int("uid"))) } if context.IsSet("gid") { g.SetProcessGID(uint32(context.Int("gid"))) } if context.IsSet("selinux-label") { g.SetProcessSelinuxLabel(context.String("selinux-label")) } g.SetProcessCwd(context.String("cwd")) if context.IsSet("apparmor") { g.SetProcessApparmorProfile(context.String("apparmor")) } if context.IsSet("no-new-privileges") { g.SetProcessNoNewPrivileges(context.Bool("no-new-privileges")) } if context.IsSet("tty") { g.SetProcessTerminal(context.Bool("tty")) } if context.IsSet("args") { g.SetProcessArgs(context.StringSlice("args")) } { envs, err := readKVStrings(context.StringSlice("env-file"), context.StringSlice("env")) if err != nil { return err } for _, env := range envs { name, value, err := parseEnv(env) if err != nil { return err } g.AddProcessEnv(name, value) } } if context.IsSet("groups") { groups := context.StringSlice("groups") for _, group := range groups { groupID, err := strconv.Atoi(group) if err != nil { return err } g.AddProcessAdditionalGid(uint32(groupID)) } } if context.IsSet("cgroups-path") { g.SetLinuxCgroupsPath(context.String("cgroups-path")) } if context.IsSet("masked-paths") { paths := context.StringSlice("masked-paths") for _, path := range paths { g.AddLinuxMaskedPaths(path) } } if context.IsSet("readonly-paths") { paths := context.StringSlice("readonly-paths") for _, path := range paths { g.AddLinuxReadonlyPaths(path) } } if context.IsSet("mount-label") { g.SetLinuxMountLabel(context.String("mount-label")) } if context.IsSet("sysctl") { sysctls := context.StringSlice("sysctl") for _, s := range sysctls { pair := strings.Split(s, "=") if len(pair) != 2 { return fmt.Errorf("incorrectly specified sysctl: %s", s) } g.AddLinuxSysctl(pair[0], pair[1]) } } g.SetupPrivileged(context.Bool("privileged")) if context.IsSet("cap-add") { addCaps := context.StringSlice("cap-add") for _, cap := range addCaps { if err := g.AddProcessCapability(cap); err != nil { return err } } } if context.IsSet("cap-drop") { dropCaps := context.StringSlice("cap-drop") for _, cap := range dropCaps { if err := g.DropProcessCapability(cap); err != nil { return err } } } if context.Bool("cap-drop-all") { g.ClearProcessCapabilities() } var uidMaps, gidMaps []string if context.IsSet("uidmappings") { uidMaps = context.StringSlice("uidmappings") } if context.IsSet("gidmappings") { gidMaps = context.StringSlice("gidmappings") } // Add default user namespace. if len(uidMaps) > 0 || len(gidMaps) > 0 { g.AddOrReplaceLinuxNamespace("user", "") } if context.IsSet("tmpfs") { tmpfsSlice := context.StringSlice("tmpfs") for _, s := range tmpfsSlice { dest, options, err := parseTmpfsMount(s) if err != nil { return err } g.AddTmpfsMount(dest, options) } } mountCgroupOption := context.String("mount-cgroups") if err := g.AddCgroupsMount(mountCgroupOption); err != nil { return err } if context.IsSet("bind") { binds := context.StringSlice("bind") for _, bind := range binds { source, dest, options, err := parseBindMount(bind) if err != nil { return err } g.AddBindMount(source, dest, options) } } if context.IsSet("prestart") { preStartHooks := context.StringSlice("prestart") for _, hook := range preStartHooks { path, args := parseHook(hook) g.AddPreStartHook(path, args) } } if context.IsSet("poststop") { postStopHooks := context.StringSlice("poststop") for _, hook := range postStopHooks { path, args := parseHook(hook) g.AddPostStopHook(path, args) } } if context.IsSet("poststart") { postStartHooks := context.StringSlice("poststart") for _, hook := range postStartHooks { path, args := parseHook(hook) g.AddPostStartHook(path, args) } } if context.IsSet("rootfs-propagation") { rp := context.String("rootfs-propagation") if err := g.SetLinuxRootPropagation(rp); err != nil { return err } } for _, uidMap := range uidMaps { hid, cid, size, err := parseIDMapping(uidMap) if err != nil { return err } g.AddLinuxUIDMapping(hid, cid, size) } for _, gidMap := range gidMaps { hid, cid, size, err := parseIDMapping(gidMap) if err != nil { return err } g.AddLinuxGIDMapping(hid, cid, size) } if context.IsSet("disable-oom-kill") { g.SetLinuxResourcesDisableOOMKiller(context.Bool("disable-oom-kill")) } if context.IsSet("oom-score-adj") { g.SetLinuxResourcesOOMScoreAdj(context.Int("oom-score-adj")) } if context.IsSet("linux-cpu-shares") { g.SetLinuxResourcesCPUShares(context.Uint64("linux-cpu-shares")) } if context.IsSet("linux-cpu-period") { g.SetLinuxResourcesCPUPeriod(context.Uint64("linux-cpu-period")) } if context.IsSet("linux-cpu-quota") { g.SetLinuxResourcesCPUQuota(context.Int64("linux-cpu-quota")) } if context.IsSet("linux-realtime-runtime") { g.SetLinuxResourcesCPURealtimeRuntime(context.Int64("linux-realtime-runtime")) } if context.IsSet("linux-pids-limit") { g.SetLinuxResourcesPidsLimit(context.Int64("linux-pids-limit")) } if context.IsSet("linux-realtime-period") { g.SetLinuxResourcesCPURealtimePeriod(context.Uint64("linux-realtime-period")) } if context.IsSet("linux-cpus") { g.SetLinuxResourcesCPUCpus(context.String("linux-cpus")) } if context.IsSet("linux-mems") { g.SetLinuxResourcesCPUMems(context.String("linux-mems")) } if context.IsSet("linux-mem-limit") { g.SetLinuxResourcesMemoryLimit(context.Uint64("linux-mem-limit")) } if context.IsSet("linux-mem-reservation") { g.SetLinuxResourcesMemoryReservation(context.Uint64("linux-mem-reservation")) } if context.IsSet("linux-mem-swap") { g.SetLinuxResourcesMemorySwap(context.Uint64("linux-mem-swap")) } if context.IsSet("linux-mem-kernel-limit") { g.SetLinuxResourcesMemoryKernel(context.Uint64("linux-mem-kernel-limit")) } if context.IsSet("linux-mem-kernel-tcp") { g.SetLinuxResourcesMemoryKernelTCP(context.Uint64("linux-mem-kernel-tcp")) } if context.IsSet("linux-mem-swappiness") { g.SetLinuxResourcesMemorySwappiness(context.Uint64("linux-mem-swappiness")) } if context.IsSet("linux-network-classid") { g.SetLinuxResourcesNetworkClassID(uint32(context.Int("linux-network-classid"))) } if context.IsSet("linux-network-priorities") { priorities := context.StringSlice("linux-network-priorities") for _, p := range priorities { name, priority, err := parseNetworkPriority(p) if err != nil { return err } if priority == -1 { g.DropLinuxResourcesNetworkPriorities(name) } else { g.AddLinuxResourcesNetworkPriorities(name, uint32(priority)) } } } if context.IsSet("linux-namespace-add") { namespaces := context.StringSlice("linux-namespace-add") for _, ns := range namespaces { name, path, err := parseNamespace(ns) if err != nil { return err } if err := g.AddOrReplaceLinuxNamespace(name, path); err != nil { return err } } } if context.IsSet("linux-namespace-remove") { namespaces := context.StringSlice("linux-namespace-remove") for _, name := range namespaces { if err := g.RemoveLinuxNamespace(name); err != nil { return err } } } if context.Bool("linux-namespace-remove-all") { g.ClearLinuxNamespaces() } if context.IsSet("rlimits-add") { rlimits := context.StringSlice("rlimits-add") for _, rlimit := range rlimits { rType, rHard, rSoft, err := parseRlimit(rlimit) if err != nil { return err } g.AddProcessRlimits(rType, rHard, rSoft) } } if context.IsSet("rlimits-remove") { rlimits := context.StringSlice("rlimits-remove") for _, rlimit := range rlimits { err := g.RemoveProcessRlimits(rlimit) if err != nil { return err } } } if context.Bool("rlimits-remove-all") { g.ClearProcessRlimits() } if context.IsSet("device-add") { devices := context.StringSlice("device-add") for _, deviceArg := range devices { dev, err := parseDevice(deviceArg, g) if err != nil { return err } g.AddDevice(dev) } } if context.IsSet("device-remove") { devices := context.StringSlice("device-remove") for _, device := range devices { err := g.RemoveDevice(device) if err != nil { return err } } } if context.Bool("device-remove-all") { g.ClearLinuxDevices() } err := addSeccomp(context, g) return err } func parseIDMapping(idms string) (uint32, uint32, uint32, error) { idm := strings.Split(idms, ":") if len(idm) != 3 { return 0, 0, 0, fmt.Errorf("idmappings error: %s", idms) } hid, err := strconv.Atoi(idm[0]) if err != nil { return 0, 0, 0, err } cid, err := strconv.Atoi(idm[1]) if err != nil { return 0, 0, 0, err } size, err := strconv.Atoi(idm[2]) if err != nil { return 0, 0, 0, err } return uint32(hid), uint32(cid), uint32(size), nil } func parseHook(s string) (string, []string) { parts := strings.Split(s, ":") args := []string{} path := parts[0] if len(parts) > 1 { args = parts[1:] } return path, args } func parseNetworkPriority(np string) (string, int32, error) { var err error parts := strings.Split(np, ":") if len(parts) != 2 { return "", 0, fmt.Errorf("invalid value %v for --linux-network-priorities", np) } priority, err := strconv.Atoi(parts[1]) if err != nil { return "", 0, err } return parts[0], int32(priority), nil } func parseTmpfsMount(s string) (string, []string, error) { var dest string var options []string var err error parts := strings.Split(s, ":") if len(parts) == 2 { dest = parts[0] options = strings.Split(parts[1], ",") } else if len(parts) == 1 { dest = parts[0] options = []string{"rw", "noexec", "nosuid", "nodev", "size=65536k"} } else { err = fmt.Errorf("invalid value for --tmpfs") } return dest, options, err } func parseBindMount(s string) (string, string, []string, error) { var source, dest string options := []string{} bparts := strings.SplitN(s, ":", 3) switch len(bparts) { case 2: source, dest = bparts[0], bparts[1] case 3: source, dest, options = bparts[0], bparts[1], strings.Split(bparts[2], ":") default: return source, dest, options, fmt.Errorf("--bind should have format src:dest[:options...]") } return source, dest, options, nil } func parseRlimit(rlimit string) (string, uint64, uint64, error) { parts := strings.Split(rlimit, ":") if len(parts) != 3 { return "", 0, 0, fmt.Errorf("invalid rlimits value: %s", rlimit) } hard, err := strconv.Atoi(parts[1]) if err != nil { return "", 0, 0, err } soft, err := strconv.Atoi(parts[2]) if err != nil { return "", 0, 0, err } return parts[0], uint64(hard), uint64(soft), nil } func parseNamespace(ns string) (string, string, error) { parts := strings.SplitN(ns, ":", 2) if len(parts) == 0 || parts[0] == "" { return "", "", fmt.Errorf("invalid namespace value: %s", ns) } nsType := parts[0] nsPath := "" if len(parts) == 2 { nsPath = parts[1] } return nsType, nsPath, nil } var deviceType = map[string]bool{ "b": true, // a block (buffered) special file "c": true, // a character special file "u": true, // a character (unbuffered) special file "p": true, // a FIFO } // parseDevice takes the raw string passed with the --device-add flag func parseDevice(device string, g *generate.Generator) (rspec.LinuxDevice, error) { dev := rspec.LinuxDevice{} // The required part and optional part are separated by ":" argsParts := strings.Split(device, ":") if len(argsParts) < 4 { return dev, fmt.Errorf("Incomplete device arguments: %s", device) } requiredPart := argsParts[0:4] optionalPart := argsParts[4:] // The required part must contain type, major, minor, and path dev.Type = requiredPart[0] if !deviceType[dev.Type] { return dev, fmt.Errorf("Invalid device type: %s", dev.Type) } i, err := strconv.ParseInt(requiredPart[1], 10, 64) if err != nil { return dev, err } dev.Major = i i, err = strconv.ParseInt(requiredPart[2], 10, 64) if err != nil { return dev, err } dev.Minor = i dev.Path = requiredPart[3] // The optional part include all optional property for _, s := range optionalPart { parts := strings.SplitN(s, "=", 2) if len(parts) != 2 { return dev, fmt.Errorf("Incomplete device arguments: %s", s) } name, value := parts[0], parts[1] switch name { case "fileMode": i, err := strconv.ParseInt(value, 10, 32) if err != nil { return dev, err } mode := os.FileMode(i) dev.FileMode = &mode case "uid": i, err := strconv.ParseInt(value, 10, 32) if err != nil { return dev, err } uid := uint32(i) dev.UID = &uid case "gid": i, err := strconv.ParseInt(value, 10, 32) if err != nil { return dev, err } gid := uint32(i) dev.GID = &gid default: return dev, fmt.Errorf("'%s' is not supported by device section", name) } } return dev, nil } func addSeccomp(context *cli.Context, g *generate.Generator) error { // Set the DefaultAction of seccomp if context.IsSet("seccomp-default") { seccompDefault := context.String("seccomp-default") err := g.SetDefaultSeccompAction(seccompDefault) if err != nil { return err } } else if context.IsSet("seccomp-default-force") { seccompDefaultForced := context.String("seccomp-default-force") err := g.SetDefaultSeccompActionForce(seccompDefaultForced) if err != nil { return err } } // Add the additional architectures permitted to be used for system calls if context.IsSet("seccomp-arch") { seccompArch := context.String("seccomp-arch") architectureArgs := strings.Split(seccompArch, ",") for _, arg := range architectureArgs { err := g.SetSeccompArchitecture(arg) if err != nil { return err } } } if context.IsSet("seccomp-errno") { err := seccompSet(context, "errno", g) if err != nil { return err } } if context.IsSet("seccomp-kill") { err := seccompSet(context, "kill", g) if err != nil { return err } } if context.IsSet("seccomp-trace") { err := seccompSet(context, "trace", g) if err != nil { return err } } if context.IsSet("seccomp-trap") { err := seccompSet(context, "trap", g) if err != nil { return err } } if context.IsSet("seccomp-allow") { err := seccompSet(context, "allow", g) if err != nil { return err } } if context.IsSet("seccomp-remove") { seccompRemove := context.String("seccomp-remove") err := g.RemoveSeccompRule(seccompRemove) if err != nil { return err } } if context.Bool("seccomp-remove-all") { err := g.RemoveAllSeccompRules() if err != nil { return err } } return nil } func seccompSet(context *cli.Context, seccompFlag string, g *generate.Generator) error { flagInput := context.String("seccomp-" + seccompFlag) flagArgs := strings.Split(flagInput, ",") setSyscallArgsSlice := []seccomp.SyscallOpts{} for _, flagArg := range flagArgs { comparisonArgs := strings.Split(flagArg, ":") if len(comparisonArgs) == 5 { setSyscallArgs := seccomp.SyscallOpts{ Action: seccompFlag, Syscall: comparisonArgs[0], Index: comparisonArgs[1], Value: comparisonArgs[2], ValueTwo: comparisonArgs[3], Operator: comparisonArgs[4], } setSyscallArgsSlice = append(setSyscallArgsSlice, setSyscallArgs) } else if len(comparisonArgs) == 1 { setSyscallArgs := seccomp.SyscallOpts{ Action: seccompFlag, Syscall: comparisonArgs[0], } setSyscallArgsSlice = append(setSyscallArgsSlice, setSyscallArgs) } else { return fmt.Errorf("invalid syscall argument formatting %v", comparisonArgs) } for _, r := range setSyscallArgsSlice { err := g.SetSyscallAction(r) if err != nil { return err } } } return nil } // readKVStrings reads a file of line terminated key=value pairs, and overrides any keys // present in the file with additional pairs specified in the override parameter // // This function is copied from github.com/docker/docker/runconfig/opts/parse.go func readKVStrings(files []string, override []string) ([]string, error) { envVariables := []string{} for _, ef := range files { parsedVars, err := parseEnvFile(ef) if err != nil { return nil, err } envVariables = append(envVariables, parsedVars...) } // parse the '-e' and '--env' after, to allow override envVariables = append(envVariables, override...) return envVariables, nil } // parseEnv splits a given environment variable (of the form name=value) into // (name, value). An error is returned if there is no "=" in the line or if the // name is empty. func parseEnv(env string) (string, string, error) { parts := strings.SplitN(env, "=", 2) if len(parts) != 2 { return "", "", fmt.Errorf("environment variable must contain '=': %s", env) } name, value := parts[0], parts[1] if name == "" { return "", "", fmt.Errorf("environment variable must have non-empty name: %s", env) } return name, value, nil } // parseEnvFile reads a file with environment variables enumerated by lines // // ``Environment variable names used by the utilities in the Shell and // Utilities volume of IEEE Std 1003.1-2001 consist solely of uppercase // letters, digits, and the '_' (underscore) from the characters defined in // Portable Character Set and do not begin with a digit. *But*, other // characters may be permitted by an implementation; applications shall // tolerate the presence of such names.'' // -- http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap08.html // // As of #16585, it's up to application inside docker to validate or not // environment variables, that's why we just strip leading whitespace and // nothing more. // // This function is copied from github.com/docker/docker/runconfig/opts/envfile.go func parseEnvFile(filename string) ([]string, error) { fh, err := os.Open(filename) if err != nil { return []string{}, err } defer fh.Close() lines := []string{} scanner := bufio.NewScanner(fh) currentLine := 0 utf8bom := []byte{0xEF, 0xBB, 0xBF} for scanner.Scan() { scannedBytes := scanner.Bytes() if !utf8.Valid(scannedBytes) { return []string{}, fmt.Errorf("env file %s contains invalid utf8 bytes at line %d: %v", filename, currentLine+1, scannedBytes) } // We trim UTF8 BOM if currentLine == 0 { scannedBytes = bytes.TrimPrefix(scannedBytes, utf8bom) } // trim the line from all leading whitespace first line := strings.TrimLeftFunc(string(scannedBytes), unicode.IsSpace) currentLine++ // line is not empty, and not starting with '#' if len(line) > 0 && !strings.HasPrefix(line, "#") { data := strings.SplitN(line, "=", 2) // trim the front of a variable, but nothing else variable := strings.TrimLeft(data[0], whiteSpaces) if strings.ContainsAny(variable, whiteSpaces) { return []string{}, ErrBadEnvVariable{fmt.Sprintf("variable '%s' has white spaces", variable)} } if len(data) > 1 { // pass the value through, no trimming lines = append(lines, fmt.Sprintf("%s=%s", variable, data[1])) } else { // if only a pass-through variable is given, clean it up. lines = append(lines, fmt.Sprintf("%s=%s", strings.TrimSpace(line), os.Getenv(line))) } } } return lines, scanner.Err() } var whiteSpaces = " \t" // ErrBadEnvVariable typed error for bad environment variable type ErrBadEnvVariable struct { msg string } func (e ErrBadEnvVariable) Error() string { return fmt.Sprintf("poorly formatted environment: %s", e.msg) }