diff options
Diffstat (limited to 'runsc/specutils')
-rw-r--r-- | runsc/specutils/fs.go | 78 | ||||
-rw-r--r-- | runsc/specutils/namespace.go | 12 | ||||
-rw-r--r-- | runsc/specutils/seccomp/BUILD | 2 | ||||
-rw-r--r-- | runsc/specutils/seccomp/seccomp.go | 6 | ||||
-rw-r--r-- | runsc/specutils/seccomp/seccomp_test.go | 40 | ||||
-rw-r--r-- | runsc/specutils/specutils.go | 14 |
6 files changed, 77 insertions, 75 deletions
diff --git a/runsc/specutils/fs.go b/runsc/specutils/fs.go index 138aa4dd1..b62504a8c 100644 --- a/runsc/specutils/fs.go +++ b/runsc/specutils/fs.go @@ -18,9 +18,9 @@ import ( "fmt" "math/bits" "path" - "syscall" specs "github.com/opencontainers/runtime-spec/specs-go" + "golang.org/x/sys/unix" ) type mapping struct { @@ -31,48 +31,48 @@ type mapping struct { // optionsMap maps mount propagation-related OCI filesystem options to mount(2) // syscall flags. var optionsMap = map[string]mapping{ - "acl": {set: true, val: syscall.MS_POSIXACL}, - "async": {set: false, val: syscall.MS_SYNCHRONOUS}, - "atime": {set: false, val: syscall.MS_NOATIME}, - "bind": {set: true, val: syscall.MS_BIND}, + "acl": {set: true, val: unix.MS_POSIXACL}, + "async": {set: false, val: unix.MS_SYNCHRONOUS}, + "atime": {set: false, val: unix.MS_NOATIME}, + "bind": {set: true, val: unix.MS_BIND}, "defaults": {set: true, val: 0}, - "dev": {set: false, val: syscall.MS_NODEV}, - "diratime": {set: false, val: syscall.MS_NODIRATIME}, - "dirsync": {set: true, val: syscall.MS_DIRSYNC}, - "exec": {set: false, val: syscall.MS_NOEXEC}, - "noexec": {set: true, val: syscall.MS_NOEXEC}, - "iversion": {set: true, val: syscall.MS_I_VERSION}, - "loud": {set: false, val: syscall.MS_SILENT}, - "mand": {set: true, val: syscall.MS_MANDLOCK}, - "noacl": {set: false, val: syscall.MS_POSIXACL}, - "noatime": {set: true, val: syscall.MS_NOATIME}, - "nodev": {set: true, val: syscall.MS_NODEV}, - "nodiratime": {set: true, val: syscall.MS_NODIRATIME}, - "noiversion": {set: false, val: syscall.MS_I_VERSION}, - "nomand": {set: false, val: syscall.MS_MANDLOCK}, - "norelatime": {set: false, val: syscall.MS_RELATIME}, - "nostrictatime": {set: false, val: syscall.MS_STRICTATIME}, - "nosuid": {set: true, val: syscall.MS_NOSUID}, - "rbind": {set: true, val: syscall.MS_BIND | syscall.MS_REC}, - "relatime": {set: true, val: syscall.MS_RELATIME}, - "remount": {set: true, val: syscall.MS_REMOUNT}, - "ro": {set: true, val: syscall.MS_RDONLY}, - "rw": {set: false, val: syscall.MS_RDONLY}, - "silent": {set: true, val: syscall.MS_SILENT}, - "strictatime": {set: true, val: syscall.MS_STRICTATIME}, - "suid": {set: false, val: syscall.MS_NOSUID}, - "sync": {set: true, val: syscall.MS_SYNCHRONOUS}, + "dev": {set: false, val: unix.MS_NODEV}, + "diratime": {set: false, val: unix.MS_NODIRATIME}, + "dirsync": {set: true, val: unix.MS_DIRSYNC}, + "exec": {set: false, val: unix.MS_NOEXEC}, + "noexec": {set: true, val: unix.MS_NOEXEC}, + "iversion": {set: true, val: unix.MS_I_VERSION}, + "loud": {set: false, val: unix.MS_SILENT}, + "mand": {set: true, val: unix.MS_MANDLOCK}, + "noacl": {set: false, val: unix.MS_POSIXACL}, + "noatime": {set: true, val: unix.MS_NOATIME}, + "nodev": {set: true, val: unix.MS_NODEV}, + "nodiratime": {set: true, val: unix.MS_NODIRATIME}, + "noiversion": {set: false, val: unix.MS_I_VERSION}, + "nomand": {set: false, val: unix.MS_MANDLOCK}, + "norelatime": {set: false, val: unix.MS_RELATIME}, + "nostrictatime": {set: false, val: unix.MS_STRICTATIME}, + "nosuid": {set: true, val: unix.MS_NOSUID}, + "rbind": {set: true, val: unix.MS_BIND | unix.MS_REC}, + "relatime": {set: true, val: unix.MS_RELATIME}, + "remount": {set: true, val: unix.MS_REMOUNT}, + "ro": {set: true, val: unix.MS_RDONLY}, + "rw": {set: false, val: unix.MS_RDONLY}, + "silent": {set: true, val: unix.MS_SILENT}, + "strictatime": {set: true, val: unix.MS_STRICTATIME}, + "suid": {set: false, val: unix.MS_NOSUID}, + "sync": {set: true, val: unix.MS_SYNCHRONOUS}, } // propOptionsMap is similar to optionsMap, but it lists propagation options // that cannot be used together with other flags. var propOptionsMap = map[string]mapping{ - "private": {set: true, val: syscall.MS_PRIVATE}, - "rprivate": {set: true, val: syscall.MS_PRIVATE | syscall.MS_REC}, - "slave": {set: true, val: syscall.MS_SLAVE}, - "rslave": {set: true, val: syscall.MS_SLAVE | syscall.MS_REC}, - "unbindable": {set: true, val: syscall.MS_UNBINDABLE}, - "runbindable": {set: true, val: syscall.MS_UNBINDABLE | syscall.MS_REC}, + "private": {set: true, val: unix.MS_PRIVATE}, + "rprivate": {set: true, val: unix.MS_PRIVATE | unix.MS_REC}, + "slave": {set: true, val: unix.MS_SLAVE}, + "rslave": {set: true, val: unix.MS_SLAVE | unix.MS_REC}, + "unbindable": {set: true, val: unix.MS_UNBINDABLE}, + "runbindable": {set: true, val: unix.MS_UNBINDABLE | unix.MS_REC}, } // invalidOptions list options not allowed. @@ -139,7 +139,7 @@ func ValidateMountOptions(opts []string) error { // correct. func validateRootfsPropagation(opt string) error { flags := PropOptionsToFlags([]string{opt}) - if flags&(syscall.MS_SLAVE|syscall.MS_PRIVATE) == 0 { + if flags&(unix.MS_SLAVE|unix.MS_PRIVATE) == 0 { return fmt.Errorf("root mount propagation option must specify private or slave: %q", opt) } return validatePropagation(opt) @@ -147,7 +147,7 @@ func validateRootfsPropagation(opt string) error { func validatePropagation(opt string) error { flags := PropOptionsToFlags([]string{opt}) - exclusive := flags & (syscall.MS_SLAVE | syscall.MS_PRIVATE | syscall.MS_SHARED | syscall.MS_UNBINDABLE) + exclusive := flags & (unix.MS_SLAVE | unix.MS_PRIVATE | unix.MS_SHARED | unix.MS_UNBINDABLE) if bits.OnesCount32(exclusive) > 1 { return fmt.Errorf("mount propagation options are mutually exclusive: %q", opt) } diff --git a/runsc/specutils/namespace.go b/runsc/specutils/namespace.go index 23001d67c..69d7ba5c4 100644 --- a/runsc/specutils/namespace.go +++ b/runsc/specutils/namespace.go @@ -109,7 +109,7 @@ func FilterNS(filter []specs.LinuxNamespaceType, s *specs.Spec) []specs.LinuxNam // setNS sets the namespace of the given type. It must be called with // OSThreadLocked. func setNS(fd, nsType uintptr) error { - if _, _, err := syscall.RawSyscall(unix.SYS_SETNS, fd, nsType, 0); err != 0 { + if _, _, err := unix.RawSyscall(unix.SYS_SETNS, fd, nsType, 0); err != 0 { return err } return nil @@ -158,7 +158,7 @@ func StartInNS(cmd *exec.Cmd, nss []specs.LinuxNamespace) error { defer runtime.UnlockOSThread() if cmd.SysProcAttr == nil { - cmd.SysProcAttr = &syscall.SysProcAttr{} + cmd.SysProcAttr = &unix.SysProcAttr{} } for _, ns := range nss { @@ -185,7 +185,7 @@ func SetUIDGIDMappings(cmd *exec.Cmd, s *specs.Spec) { return } if cmd.SysProcAttr == nil { - cmd.SysProcAttr = &syscall.SysProcAttr{} + cmd.SysProcAttr = &unix.SysProcAttr{} } for _, idMap := range s.Linux.UIDMappings { log.Infof("Mapping host uid %d to container uid %d (size=%d)", idMap.HostID, idMap.ContainerID, idMap.Size) @@ -241,8 +241,8 @@ func MaybeRunAsRoot() error { cmd := exec.Command("/proc/self/exe", os.Args[1:]...) - cmd.SysProcAttr = &syscall.SysProcAttr{ - Cloneflags: syscall.CLONE_NEWUSER | syscall.CLONE_NEWNS, + cmd.SysProcAttr = &unix.SysProcAttr{ + Cloneflags: unix.CLONE_NEWUSER | unix.CLONE_NEWNS, // Set current user/group as root inside the namespace. Since we may not // have CAP_SETUID/CAP_SETGID, just map root to the current user/group. UidMappings: []syscall.SysProcIDMap{ @@ -255,7 +255,7 @@ func MaybeRunAsRoot() error { GidMappingsEnableSetgroups: false, // Make sure child is killed when the parent terminates. - Pdeathsig: syscall.SIGKILL, + Pdeathsig: unix.SIGKILL, } cmd.Env = os.Environ() diff --git a/runsc/specutils/seccomp/BUILD b/runsc/specutils/seccomp/BUILD index 3520f2d6d..e9e647d82 100644 --- a/runsc/specutils/seccomp/BUILD +++ b/runsc/specutils/seccomp/BUILD @@ -18,6 +18,7 @@ go_library( "//pkg/sentry/kernel", "//pkg/sentry/syscalls/linux", "@com_github_opencontainers_runtime_spec//specs-go:go_default_library", + "@org_golang_x_sys//unix:go_default_library", ], ) @@ -30,5 +31,6 @@ go_test( "//pkg/binary", "//pkg/bpf", "@com_github_opencontainers_runtime_spec//specs-go:go_default_library", + "@org_golang_x_sys//unix:go_default_library", ], ) diff --git a/runsc/specutils/seccomp/seccomp.go b/runsc/specutils/seccomp/seccomp.go index 5932f7a41..0ef7a4d54 100644 --- a/runsc/specutils/seccomp/seccomp.go +++ b/runsc/specutils/seccomp/seccomp.go @@ -18,9 +18,9 @@ package seccomp import ( "fmt" - "syscall" specs "github.com/opencontainers/runtime-spec/specs-go" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/bpf" "gvisor.dev/gvisor/pkg/log" @@ -33,9 +33,9 @@ var ( killThreadAction = linux.SECCOMP_RET_KILL_THREAD trapAction = linux.SECCOMP_RET_TRAP // runc always returns EPERM as the errorcode for SECCOMP_RET_ERRNO - errnoAction = linux.SECCOMP_RET_ERRNO.WithReturnCode(uint16(syscall.EPERM)) + errnoAction = linux.SECCOMP_RET_ERRNO.WithReturnCode(uint16(unix.EPERM)) // runc always returns EPERM as the errorcode for SECCOMP_RET_TRACE - traceAction = linux.SECCOMP_RET_TRACE.WithReturnCode(uint16(syscall.EPERM)) + traceAction = linux.SECCOMP_RET_TRACE.WithReturnCode(uint16(unix.EPERM)) allowAction = linux.SECCOMP_RET_ALLOW ) diff --git a/runsc/specutils/seccomp/seccomp_test.go b/runsc/specutils/seccomp/seccomp_test.go index 850c237ba..11a6c8daa 100644 --- a/runsc/specutils/seccomp/seccomp_test.go +++ b/runsc/specutils/seccomp/seccomp_test.go @@ -16,10 +16,10 @@ package seccomp import ( "fmt" - "syscall" "testing" specs "github.com/opencontainers/runtime-spec/specs-go" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/binary" "gvisor.dev/gvisor/pkg/bpf" ) @@ -184,7 +184,7 @@ var ( Args: []specs.LinuxSeccompArg{ { Index: 0, - Value: syscall.CLONE_FS, + Value: unix.CLONE_FS, Op: specs.OpEqualTo, }, }, @@ -192,7 +192,7 @@ var ( }, }, }, - input: testInput(nativeArchAuditNo, "clone", &[6]uint64{syscall.CLONE_FS}), + input: testInput(nativeArchAuditNo, "clone", &[6]uint64{unix.CLONE_FS}), expected: uint32(errnoAction), }, { @@ -207,12 +207,12 @@ var ( Args: []specs.LinuxSeccompArg{ { Index: 0, - Value: syscall.CLONE_FS, + Value: unix.CLONE_FS, Op: specs.OpEqualTo, }, { Index: 0, - Value: syscall.CLONE_VM, + Value: unix.CLONE_VM, Op: specs.OpEqualTo, }, }, @@ -220,7 +220,7 @@ var ( }, }, }, - input: testInput(nativeArchAuditNo, "clone", &[6]uint64{syscall.CLONE_FS}), + input: testInput(nativeArchAuditNo, "clone", &[6]uint64{unix.CLONE_FS}), expected: uint32(errnoAction), }, { @@ -235,12 +235,12 @@ var ( Args: []specs.LinuxSeccompArg{ { Index: 1, - Value: syscall.SOL_SOCKET, + Value: unix.SOL_SOCKET, Op: specs.OpEqualTo, }, { Index: 2, - Value: syscall.SO_PEERCRED, + Value: unix.SO_PEERCRED, Op: specs.OpEqualTo, }, }, @@ -248,7 +248,7 @@ var ( }, }, }, - input: testInput(nativeArchAuditNo, "getsockopt", &[6]uint64{0, syscall.SOL_SOCKET, syscall.SO_PEERCRED}), + input: testInput(nativeArchAuditNo, "getsockopt", &[6]uint64{0, unix.SOL_SOCKET, unix.SO_PEERCRED}), expected: uint32(errnoAction), }, { @@ -263,12 +263,12 @@ var ( Args: []specs.LinuxSeccompArg{ { Index: 1, - Value: syscall.SOL_SOCKET, + Value: unix.SOL_SOCKET, Op: specs.OpEqualTo, }, { Index: 2, - Value: syscall.SO_PEERCRED, + Value: unix.SO_PEERCRED, Op: specs.OpEqualTo, }, }, @@ -276,7 +276,7 @@ var ( }, }, }, - input: testInput(nativeArchAuditNo, "getsockopt", &[6]uint64{0, syscall.SOL_SOCKET}), + input: testInput(nativeArchAuditNo, "getsockopt", &[6]uint64{0, unix.SOL_SOCKET}), expected: uint32(allowAction), }, { @@ -291,7 +291,7 @@ var ( Args: []specs.LinuxSeccompArg{ { Index: 0, - Value: syscall.CLONE_FS, + Value: unix.CLONE_FS, Op: specs.OpEqualTo, }, }, @@ -299,7 +299,7 @@ var ( }, }, }, - input: testInput(nativeArchAuditNo, "clone", &[6]uint64{syscall.CLONE_VM}), + input: testInput(nativeArchAuditNo, "clone", &[6]uint64{unix.CLONE_VM}), expected: uint32(allowAction), }, { @@ -314,8 +314,8 @@ var ( Args: []specs.LinuxSeccompArg{ { Index: 0, - Value: syscall.CLONE_FS, - ValueTwo: syscall.CLONE_FS, + Value: unix.CLONE_FS, + ValueTwo: unix.CLONE_FS, Op: specs.OpMaskedEqual, }, }, @@ -323,7 +323,7 @@ var ( }, }, }, - input: testInput(nativeArchAuditNo, "clone", &[6]uint64{syscall.CLONE_FS | syscall.CLONE_VM}), + input: testInput(nativeArchAuditNo, "clone", &[6]uint64{unix.CLONE_FS | unix.CLONE_VM}), expected: uint32(errnoAction), }, { @@ -338,8 +338,8 @@ var ( Args: []specs.LinuxSeccompArg{ { Index: 0, - Value: syscall.CLONE_FS | syscall.CLONE_VM, - ValueTwo: syscall.CLONE_FS | syscall.CLONE_VM, + Value: unix.CLONE_FS | unix.CLONE_VM, + ValueTwo: unix.CLONE_FS | unix.CLONE_VM, Op: specs.OpMaskedEqual, }, }, @@ -347,7 +347,7 @@ var ( }, }, }, - input: testInput(nativeArchAuditNo, "clone", &[6]uint64{syscall.CLONE_FS}), + input: testInput(nativeArchAuditNo, "clone", &[6]uint64{unix.CLONE_FS}), expected: uint32(allowAction), }, { diff --git a/runsc/specutils/specutils.go b/runsc/specutils/specutils.go index ea55bbc7d..5ba38bfe4 100644 --- a/runsc/specutils/specutils.go +++ b/runsc/specutils/specutils.go @@ -26,12 +26,12 @@ import ( "path/filepath" "strconv" "strings" - "syscall" "time" "github.com/cenkalti/backoff" "github.com/mohae/deepcopy" specs "github.com/opencontainers/runtime-spec/specs-go" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" "gvisor.dev/gvisor/pkg/bits" "gvisor.dev/gvisor/pkg/log" @@ -375,9 +375,9 @@ func WaitForReady(pid int, timeout time.Duration, ready func() (bool, error)) er // Check if the process is still running. // If the process is alive, child is 0 because of the NOHANG option. // If the process has terminated, child equals the process id. - var ws syscall.WaitStatus - var ru syscall.Rusage - child, err := syscall.Wait4(pid, &ws, syscall.WNOHANG, &ru) + var ws unix.WaitStatus + var ru unix.Rusage + child, err := unix.Wait4(pid, &ws, unix.WNOHANG, &ru) if err != nil { return backoff.Permanent(fmt.Errorf("error waiting for process: %v", err)) } else if child == pid { @@ -437,7 +437,7 @@ func Mount(src, dst, typ string, flags uint32) error { return fmt.Errorf("mkdir(%q) failed: %v", parent, err) } // Create the destination file if it does not exist. - f, err := os.OpenFile(dst, syscall.O_CREAT, 0777) + f, err := os.OpenFile(dst, unix.O_CREAT, 0777) if err != nil { return fmt.Errorf("open(%q) failed: %v", dst, err) } @@ -445,7 +445,7 @@ func Mount(src, dst, typ string, flags uint32) error { } // Do the mount. - if err := syscall.Mount(src, dst, typ, uintptr(flags), ""); err != nil { + if err := unix.Mount(src, dst, typ, uintptr(flags), ""); err != nil { return fmt.Errorf("mount(%q, %q, %d) failed: %v", src, dst, flags, err) } return nil @@ -466,7 +466,7 @@ func ContainsStr(strs []string, str string) bool { func RetryEintr(f func() (uintptr, uintptr, error)) (uintptr, uintptr, error) { for { r1, r2, err := f() - if err != syscall.EINTR { + if err != unix.EINTR { return r1, r2, err } } |