summaryrefslogtreecommitdiffhomepage
path: root/runsc/fsgofer
diff options
context:
space:
mode:
Diffstat (limited to 'runsc/fsgofer')
-rw-r--r--runsc/fsgofer/filter/config.go23
-rw-r--r--runsc/fsgofer/filter/filter.go12
-rw-r--r--runsc/fsgofer/fsgofer.go18
3 files changed, 39 insertions, 14 deletions
diff --git a/runsc/fsgofer/filter/config.go b/runsc/fsgofer/filter/config.go
index 73407383d..8989cdb2f 100644
--- a/runsc/fsgofer/filter/config.go
+++ b/runsc/fsgofer/filter/config.go
@@ -26,16 +26,6 @@ import (
// allowedSyscalls is the set of syscalls executed by the gofer.
var allowedSyscalls = seccomp.SyscallRules{
syscall.SYS_ACCEPT: {},
- syscall.SYS_SOCKET: []seccomp.Rule{
- {
- seccomp.AllowValue(syscall.AF_UNIX),
- },
- },
- syscall.SYS_CONNECT: []seccomp.Rule{
- {
- seccomp.AllowAny{},
- },
- },
syscall.SYS_ARCH_PRCTL: []seccomp.Rule{
{seccomp.AllowValue(linux.ARCH_GET_FS)},
{seccomp.AllowValue(linux.ARCH_SET_FS)},
@@ -194,3 +184,16 @@ var allowedSyscalls = seccomp.SyscallRules{
syscall.SYS_UTIMENSAT: {},
syscall.SYS_WRITE: {},
}
+
+var udsSyscalls = seccomp.SyscallRules{
+ syscall.SYS_SOCKET: []seccomp.Rule{
+ {
+ seccomp.AllowValue(syscall.AF_UNIX),
+ },
+ },
+ syscall.SYS_CONNECT: []seccomp.Rule{
+ {
+ seccomp.AllowAny{},
+ },
+ },
+}
diff --git a/runsc/fsgofer/filter/filter.go b/runsc/fsgofer/filter/filter.go
index 65053415f..12ef19d18 100644
--- a/runsc/fsgofer/filter/filter.go
+++ b/runsc/fsgofer/filter/filter.go
@@ -31,3 +31,15 @@ func Install() error {
return seccomp.Install(s)
}
+
+// InstallUDS installs the standard Gofer seccomp filters along with filters
+// allowing the gofer to connect to a host UDS.
+func InstallUDS() error {
+ // Use the base syscall
+ s := allowedSyscalls
+
+ // Add additional filters required for connecting to the host's sockets.
+ s.Merge(udsSyscalls)
+
+ return seccomp.Install(s)
+}
diff --git a/runsc/fsgofer/fsgofer.go b/runsc/fsgofer/fsgofer.go
index 89171c811..d9f3ba8d6 100644
--- a/runsc/fsgofer/fsgofer.go
+++ b/runsc/fsgofer/fsgofer.go
@@ -85,6 +85,9 @@ type Config struct {
// PanicOnWrite panics on attempts to write to RO mounts.
PanicOnWrite bool
+
+ // HostUDS prevents
+ HostUDSAllowed bool
}
type attachPoint struct {
@@ -128,12 +131,21 @@ func (a *attachPoint) Attach() (p9.File, error) {
return nil, fmt.Errorf("stat file %q, err: %v", a.prefix, err)
}
+ // Acquire the attach point lock
+ a.attachedMu.Lock()
+ defer a.attachedMu.Unlock()
+
// Hold the file descriptor we are converting into a p9.File
var f *fd.FD
// Apply the S_IFMT bitmask so we can detect file type appropriately
switch fmtStat := stat.Mode & syscall.S_IFMT; {
case fmtStat == syscall.S_IFSOCK:
+ // Check to see if the CLI option has been set to allow the UDS mount
+ if !a.conf.HostUDSAllowed {
+ return nil, fmt.Errorf("host UDS support is disabled")
+ }
+
// Attempt to open a connection. Bubble up the failures.
f, err = fd.OpenUnix(a.prefix)
if err != nil {
@@ -144,7 +156,7 @@ func (a *attachPoint) Attach() (p9.File, error) {
// Default to Read/Write permissions.
mode := syscall.O_RDWR
- // If the configuration is Read Only & the mount point is a directory,
+ // If the configuration is Read Only or the mount point is a directory,
// set the mode to Read Only.
if a.conf.ROMount || fmtStat == syscall.S_IFDIR {
mode = syscall.O_RDONLY
@@ -157,9 +169,7 @@ func (a *attachPoint) Attach() (p9.File, error) {
}
}
- // Close the connection if the UDS is already attached.
- a.attachedMu.Lock()
- defer a.attachedMu.Unlock()
+ // Close the connection if already attached.
if a.attached {
f.Close()
return nil, fmt.Errorf("attach point already attached, prefix: %s", a.prefix)