diff options
-rw-r--r-- | runsc/cli/main.go | 1 | ||||
-rw-r--r-- | runsc/cmd/BUILD | 2 | ||||
-rw-r--r-- | runsc/cmd/mitigate.go | 72 | ||||
-rw-r--r-- | runsc/mitigate/BUILD | 15 | ||||
-rw-r--r-- | runsc/mitigate/mitigate.go | 58 | ||||
-rw-r--r-- | runsc/mitigate/mitigate_conf.go | 37 | ||||
-rw-r--r-- | runsc/mitigate/mitigate_test.go | 15 |
7 files changed, 198 insertions, 2 deletions
diff --git a/runsc/cli/main.go b/runsc/cli/main.go index 6c3bf4d21..bf6928941 100644 --- a/runsc/cli/main.go +++ b/runsc/cli/main.go @@ -85,6 +85,7 @@ func Main(version string) { subcommands.Register(new(cmd.Start), "") subcommands.Register(new(cmd.Symbolize), "") subcommands.Register(new(cmd.Wait), "") + subcommands.Register(new(cmd.Mitigate), "") // Register internal commands with the internal group name. This causes // them to be sorted below the user-facing commands with empty group. diff --git a/runsc/cmd/BUILD b/runsc/cmd/BUILD index 19520d7ab..e3e289da3 100644 --- a/runsc/cmd/BUILD +++ b/runsc/cmd/BUILD @@ -22,6 +22,7 @@ go_library( "install.go", "kill.go", "list.go", + "mitigate.go", "path.go", "pause.go", "ps.go", @@ -59,6 +60,7 @@ go_library( "//runsc/flag", "//runsc/fsgofer", "//runsc/fsgofer/filter", + "//runsc/mitigate", "//runsc/specutils", "@com_github_google_subcommands//:go_default_library", "@com_github_opencontainers_runtime_spec//specs-go:go_default_library", diff --git a/runsc/cmd/mitigate.go b/runsc/cmd/mitigate.go new file mode 100644 index 000000000..9052f091d --- /dev/null +++ b/runsc/cmd/mitigate.go @@ -0,0 +1,72 @@ +// Copyright 2021 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cmd + +import ( + "context" + "io/ioutil" + + "github.com/google/subcommands" + "gvisor.dev/gvisor/pkg/log" + "gvisor.dev/gvisor/runsc/flag" + "gvisor.dev/gvisor/runsc/mitigate" +) + +// Mitigate implements subcommands.Command for the "mitigate" command. +type Mitigate struct { + mitigate mitigate.Mitigate +} + +// Name implements subcommands.command.name. +func (*Mitigate) Name() string { + return "mitigate" +} + +// Synopsis implements subcommands.Command.Synopsis. +func (*Mitigate) Synopsis() string { + return "mitigate mitigates the underlying system against side channel attacks" +} + +// Usage implements subcommands.Command.Usage. +func (m *Mitigate) Usage() string { + return m.mitigate.Usage() +} + +// SetFlags implements subcommands.Command.SetFlags. +func (m *Mitigate) SetFlags(f *flag.FlagSet) { + m.mitigate.SetFlags(f) +} + +// Execute implements subcommands.Command.Execute. +func (m *Mitigate) Execute(_ context.Context, f *flag.FlagSet, args ...interface{}) subcommands.ExitStatus { + if f.NArg() != 0 { + f.Usage() + return subcommands.ExitUsageError + } + + const path = "/proc/cpuinfo" + data, err := ioutil.ReadFile(path) + if err != nil { + log.Warningf("Failed to read %s: %v", path, err) + return subcommands.ExitFailure + } + + if err := m.mitigate.Execute(data); err != nil { + log.Warningf("Execute failed: %v", err) + return subcommands.ExitFailure + } + + return subcommands.ExitSuccess +} diff --git a/runsc/mitigate/BUILD b/runsc/mitigate/BUILD index 3b0342d18..561854e66 100644 --- a/runsc/mitigate/BUILD +++ b/runsc/mitigate/BUILD @@ -7,14 +7,25 @@ go_library( srcs = [ "cpu.go", "mitigate.go", + "mitigate_conf.go", + ], + visibility = [ + "//runsc:__subpackages__", + ], + deps = [ + "//pkg/log", + "//runsc/flag", + "@in_gopkg_yaml_v2//:go_default_library", ], - deps = ["@in_gopkg_yaml_v2//:go_default_library"], ) go_test( name = "mitigate_test", size = "small", - srcs = ["cpu_test.go"], + srcs = [ + "cpu_test.go", + "mitigate_test.go", + ], library = ":mitigate", deps = ["@com_github_google_go_cmp//cmp:go_default_library"], ) diff --git a/runsc/mitigate/mitigate.go b/runsc/mitigate/mitigate.go index 51d5449b6..5be66f5f3 100644 --- a/runsc/mitigate/mitigate.go +++ b/runsc/mitigate/mitigate.go @@ -18,3 +18,61 @@ // the mitigate also handles computing available CPU in kubernetes kube_config // files. package mitigate + +import ( + "fmt" + + "gvisor.dev/gvisor/pkg/log" + "gvisor.dev/gvisor/runsc/flag" +) + +// Mitigate handles high level mitigate operations provided to runsc. +type Mitigate struct { + dryRun bool // Run the command without changing the underlying system. + other mitigate // Struct holds extra mitigate logic. +} + +// Usage implments Usage for cmd.Mitigate. +func (m Mitigate) Usage() string { + usageString := `mitigate [flags] + +This command mitigates an underlying system against side channel attacks. +The command checks /proc/cpuinfo for cpus having key vulnerablilities (meltdown, +l1tf, mds, swapgs, taa). If cpus are found to have one of the vulnerabilities, +all but one cpu is shutdown on each core via +/sys/devices/system/cpu/cpu{N}/online. +` + return usageString + m.other.usage() +} + +// SetFlags sets flags for the command Mitigate. +func (m Mitigate) SetFlags(f *flag.FlagSet) { + f.BoolVar(&m.dryRun, "dryrun", false, "run the command without changing system") + m.other.setFlags(f) +} + +// Execute executes the Mitigate command. +func (m Mitigate) Execute(data []byte) error { + set, err := newCPUSet(data, m.other.vulnerable) + if err != nil { + return err + } + + log.Infof("Mitigate found the following CPUs...") + log.Infof("%s", set) + + shutdownList := set.getShutdownList() + log.Infof("Shutting down threads on thread pairs.") + for _, t := range shutdownList { + log.Infof("Shutting down thread: %s", t) + if m.dryRun { + continue + } + if err := t.shutdown(); err != nil { + return fmt.Errorf("error shutting down thread: %s err: %v", t, err) + } + } + log.Infof("Shutdown successful.") + m.other.execute(set, m.dryRun) + return nil +} diff --git a/runsc/mitigate/mitigate_conf.go b/runsc/mitigate/mitigate_conf.go new file mode 100644 index 000000000..1e74f5891 --- /dev/null +++ b/runsc/mitigate/mitigate_conf.go @@ -0,0 +1,37 @@ +// Copyright 2021 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package mitigate + +import ( + "gvisor.dev/gvisor/runsc/flag" +) + +type mitigate struct { +} + +// usage returns the usage string portion for the mitigate. +func (m mitigate) usage() string { return "" } + +// setFlags sets additional flags for the Mitigate command. +func (m mitigate) setFlags(f *flag.FlagSet) {} + +// execute performs additional parts of Execute for Mitigate. +func (m mitigate) execute(set cpuSet, dryrun bool) error { + return nil +} + +func (m mitigate) vulnerable(other *thread) bool { + return other.isVulnerable() +} diff --git a/runsc/mitigate/mitigate_test.go b/runsc/mitigate/mitigate_test.go new file mode 100644 index 000000000..c6c825b72 --- /dev/null +++ b/runsc/mitigate/mitigate_test.go @@ -0,0 +1,15 @@ +// Copyright 2021 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package mitigate |