summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--runsc/cli/main.go1
-rw-r--r--runsc/cmd/BUILD2
-rw-r--r--runsc/cmd/mitigate.go72
-rw-r--r--runsc/mitigate/BUILD15
-rw-r--r--runsc/mitigate/mitigate.go58
-rw-r--r--runsc/mitigate/mitigate_conf.go37
-rw-r--r--runsc/mitigate/mitigate_test.go15
7 files changed, 198 insertions, 2 deletions
diff --git a/runsc/cli/main.go b/runsc/cli/main.go
index 6c3bf4d21..bf6928941 100644
--- a/runsc/cli/main.go
+++ b/runsc/cli/main.go
@@ -85,6 +85,7 @@ func Main(version string) {
subcommands.Register(new(cmd.Start), "")
subcommands.Register(new(cmd.Symbolize), "")
subcommands.Register(new(cmd.Wait), "")
+ subcommands.Register(new(cmd.Mitigate), "")
// Register internal commands with the internal group name. This causes
// them to be sorted below the user-facing commands with empty group.
diff --git a/runsc/cmd/BUILD b/runsc/cmd/BUILD
index 19520d7ab..e3e289da3 100644
--- a/runsc/cmd/BUILD
+++ b/runsc/cmd/BUILD
@@ -22,6 +22,7 @@ go_library(
"install.go",
"kill.go",
"list.go",
+ "mitigate.go",
"path.go",
"pause.go",
"ps.go",
@@ -59,6 +60,7 @@ go_library(
"//runsc/flag",
"//runsc/fsgofer",
"//runsc/fsgofer/filter",
+ "//runsc/mitigate",
"//runsc/specutils",
"@com_github_google_subcommands//:go_default_library",
"@com_github_opencontainers_runtime_spec//specs-go:go_default_library",
diff --git a/runsc/cmd/mitigate.go b/runsc/cmd/mitigate.go
new file mode 100644
index 000000000..9052f091d
--- /dev/null
+++ b/runsc/cmd/mitigate.go
@@ -0,0 +1,72 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+ "context"
+ "io/ioutil"
+
+ "github.com/google/subcommands"
+ "gvisor.dev/gvisor/pkg/log"
+ "gvisor.dev/gvisor/runsc/flag"
+ "gvisor.dev/gvisor/runsc/mitigate"
+)
+
+// Mitigate implements subcommands.Command for the "mitigate" command.
+type Mitigate struct {
+ mitigate mitigate.Mitigate
+}
+
+// Name implements subcommands.command.name.
+func (*Mitigate) Name() string {
+ return "mitigate"
+}
+
+// Synopsis implements subcommands.Command.Synopsis.
+func (*Mitigate) Synopsis() string {
+ return "mitigate mitigates the underlying system against side channel attacks"
+}
+
+// Usage implements subcommands.Command.Usage.
+func (m *Mitigate) Usage() string {
+ return m.mitigate.Usage()
+}
+
+// SetFlags implements subcommands.Command.SetFlags.
+func (m *Mitigate) SetFlags(f *flag.FlagSet) {
+ m.mitigate.SetFlags(f)
+}
+
+// Execute implements subcommands.Command.Execute.
+func (m *Mitigate) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) subcommands.ExitStatus {
+ if f.NArg() != 0 {
+ f.Usage()
+ return subcommands.ExitUsageError
+ }
+
+ const path = "/proc/cpuinfo"
+ data, err := ioutil.ReadFile(path)
+ if err != nil {
+ log.Warningf("Failed to read %s: %v", path, err)
+ return subcommands.ExitFailure
+ }
+
+ if err := m.mitigate.Execute(data); err != nil {
+ log.Warningf("Execute failed: %v", err)
+ return subcommands.ExitFailure
+ }
+
+ return subcommands.ExitSuccess
+}
diff --git a/runsc/mitigate/BUILD b/runsc/mitigate/BUILD
index 3b0342d18..561854e66 100644
--- a/runsc/mitigate/BUILD
+++ b/runsc/mitigate/BUILD
@@ -7,14 +7,25 @@ go_library(
srcs = [
"cpu.go",
"mitigate.go",
+ "mitigate_conf.go",
+ ],
+ visibility = [
+ "//runsc:__subpackages__",
+ ],
+ deps = [
+ "//pkg/log",
+ "//runsc/flag",
+ "@in_gopkg_yaml_v2//:go_default_library",
],
- deps = ["@in_gopkg_yaml_v2//:go_default_library"],
)
go_test(
name = "mitigate_test",
size = "small",
- srcs = ["cpu_test.go"],
+ srcs = [
+ "cpu_test.go",
+ "mitigate_test.go",
+ ],
library = ":mitigate",
deps = ["@com_github_google_go_cmp//cmp:go_default_library"],
)
diff --git a/runsc/mitigate/mitigate.go b/runsc/mitigate/mitigate.go
index 51d5449b6..5be66f5f3 100644
--- a/runsc/mitigate/mitigate.go
+++ b/runsc/mitigate/mitigate.go
@@ -18,3 +18,61 @@
// the mitigate also handles computing available CPU in kubernetes kube_config
// files.
package mitigate
+
+import (
+ "fmt"
+
+ "gvisor.dev/gvisor/pkg/log"
+ "gvisor.dev/gvisor/runsc/flag"
+)
+
+// Mitigate handles high level mitigate operations provided to runsc.
+type Mitigate struct {
+ dryRun bool // Run the command without changing the underlying system.
+ other mitigate // Struct holds extra mitigate logic.
+}
+
+// Usage implments Usage for cmd.Mitigate.
+func (m Mitigate) Usage() string {
+ usageString := `mitigate [flags]
+
+This command mitigates an underlying system against side channel attacks.
+The command checks /proc/cpuinfo for cpus having key vulnerablilities (meltdown,
+l1tf, mds, swapgs, taa). If cpus are found to have one of the vulnerabilities,
+all but one cpu is shutdown on each core via
+/sys/devices/system/cpu/cpu{N}/online.
+`
+ return usageString + m.other.usage()
+}
+
+// SetFlags sets flags for the command Mitigate.
+func (m Mitigate) SetFlags(f *flag.FlagSet) {
+ f.BoolVar(&m.dryRun, "dryrun", false, "run the command without changing system")
+ m.other.setFlags(f)
+}
+
+// Execute executes the Mitigate command.
+func (m Mitigate) Execute(data []byte) error {
+ set, err := newCPUSet(data, m.other.vulnerable)
+ if err != nil {
+ return err
+ }
+
+ log.Infof("Mitigate found the following CPUs...")
+ log.Infof("%s", set)
+
+ shutdownList := set.getShutdownList()
+ log.Infof("Shutting down threads on thread pairs.")
+ for _, t := range shutdownList {
+ log.Infof("Shutting down thread: %s", t)
+ if m.dryRun {
+ continue
+ }
+ if err := t.shutdown(); err != nil {
+ return fmt.Errorf("error shutting down thread: %s err: %v", t, err)
+ }
+ }
+ log.Infof("Shutdown successful.")
+ m.other.execute(set, m.dryRun)
+ return nil
+}
diff --git a/runsc/mitigate/mitigate_conf.go b/runsc/mitigate/mitigate_conf.go
new file mode 100644
index 000000000..1e74f5891
--- /dev/null
+++ b/runsc/mitigate/mitigate_conf.go
@@ -0,0 +1,37 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mitigate
+
+import (
+ "gvisor.dev/gvisor/runsc/flag"
+)
+
+type mitigate struct {
+}
+
+// usage returns the usage string portion for the mitigate.
+func (m mitigate) usage() string { return "" }
+
+// setFlags sets additional flags for the Mitigate command.
+func (m mitigate) setFlags(f *flag.FlagSet) {}
+
+// execute performs additional parts of Execute for Mitigate.
+func (m mitigate) execute(set cpuSet, dryrun bool) error {
+ return nil
+}
+
+func (m mitigate) vulnerable(other *thread) bool {
+ return other.isVulnerable()
+}
diff --git a/runsc/mitigate/mitigate_test.go b/runsc/mitigate/mitigate_test.go
new file mode 100644
index 000000000..c6c825b72
--- /dev/null
+++ b/runsc/mitigate/mitigate_test.go
@@ -0,0 +1,15 @@
+// Copyright 2021 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mitigate