From c319b360d134cff66000fd036fce8b3816c296ea Mon Sep 17 00:00:00 2001
From: Robert Tonic
Date: Mon, 29 Jul 2019 14:57:14 -0700
Subject: First pass at implementing Unix Domain Socket support. No tests.

This commit adds support for detecting the socket file type, connecting to a Unix Domain Socket, and providing bidirectional communication (without file descriptor transfer support).
---
 pkg/fd/fd.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'pkg/fd/fd.go')

diff --git a/pkg/fd/fd.go b/pkg/fd/fd.go
index 83bcfe220..c3acd0fe2 100644
--- a/pkg/fd/fd.go
+++ b/pkg/fd/fd.go
@@ -22,6 +22,7 @@ import (
  "runtime"
  "sync/atomic"
  "syscall"
+ "net"
 )
 
 // ReadWriter implements io.ReadWriter, io.ReaderAt, and io.WriterAt for fd. It
@@ -185,6 +186,21 @@ func OpenAt(dir *FD, path string, flags int, mode uint32) (*FD, error) {
  return New(f), nil
 }
 
+// OpenUnix TODO: DOC
+func OpenUnix(path string) (*FD, error) {
+ addr, _ := net.ResolveUnixAddr("unix", path)
+ f, err := net.DialUnix("unix", nil, addr); if err != nil {
+ return nil, fmt.Errorf("unable to open socket: %q, err: %v", path, err)
+ }
+ fConnd, err := f.File(); if err != nil {
+ return nil, fmt.Errorf("unable to convert to os.File: %q, err: %v", path, err)
+ }
+ fdConnd, err := NewFromFile(fConnd); if err != nil {
+ return nil, fmt.Errorf("unable to convert os.File to fd.FD: %q, err: %v", path, err)
+ }
+ return fdConnd, nil
+}
+
 // Close closes the file descriptor contained in the FD.
 //
 // Close is safe to call multiple times, but will return an error after the
-- 
cgit v1.2.3

From 4573efe84b2d52112a9370dd5a469e9d11959ab4 Mon Sep 17 00:00:00 2001
From: Robert Tonic
Date: Thu, 5 Sep 2019 07:16:36 -0400
Subject: Switch from net to unet to open Unix Domain Sockets.

---
 pkg/fd/BUILD | 3 +++
 pkg/fd/fd.go | 17 ++++-------------
 2 files changed, 7 insertions(+), 13 deletions(-)

(limited to 'pkg/fd/fd.go')

diff --git a/pkg/fd/BUILD b/pkg/fd/BUILD
index 785c685a0..eedaf12ee 100644
--- a/pkg/fd/BUILD
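Review bot: The `*net.UnixConn` `f` is never closed after `f.File()` duplicates its descriptor, so every successful call leaks the original socket fd until Go's finalizer happens to run; add `defer f.Close()` immediately after the DialUnix error check (the returned `*os.File` is an independent dup). The error from `net.ResolveUnixAddr` is discarded with `_` on the first line of the body — if it is genuinely infallible for the "unix" network, say so in a comment, otherwise check it. Style: `f, err := ...; if err != nil {` on one line hides the error check; gofmt-formatted Go keeps the statement and the `if` on separate lines.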
+++ b/pkg/fd/BUILD
@@ -7,6 +7,9 @@ go_library(
  srcs = ["fd.go"],
  importpath = "gvisor.dev/gvisor/pkg/fd",
  visibility = ["//visibility:public"],
+ deps = [
+ "//pkg/unet",
+ ],
 )
 
 go_test(
diff --git a/pkg/fd/fd.go b/pkg/fd/fd.go
index c3acd0fe2..7f1f9d984 100644
--- a/pkg/fd/fd.go
+++ b/pkg/fd/fd.go
@@ -22,7 +22,7 @@ import (
  "runtime"
  "sync/atomic"
  "syscall"
- "net"
+ "gvisor.dev/gvisor/pkg/unet"
 )
 
 // ReadWriter implements io.ReadWriter, io.ReaderAt, and io.WriterAt for fd. It
@@ -186,19 +186,10 @@ func OpenAt(dir *FD, path string, flags int, mode uint32) (*FD, error) {
  return New(f), nil
 }
 
-// OpenUnix TODO: DOC
+// OpenUnix Open a Unix Domain Socket and return the file descriptor for it.
 func OpenUnix(path string) (*FD, error) {
- addr, _ := net.ResolveUnixAddr("unix", path)
- f, err := net.DialUnix("unix", nil, addr); if err != nil {
- return nil, fmt.Errorf("unable to open socket: %q, err: %v", path, err)
- }
- fConnd, err := f.File(); if err != nil {
- return nil, fmt.Errorf("unable to convert to os.File: %q, err: %v", path, err)
- }
- fdConnd, err := NewFromFile(fConnd); if err != nil {
- return nil, fmt.Errorf("unable to convert os.File to fd.FD: %q, err: %v", path, err)
- }
- return fdConnd, nil
+ socket, err := unet.Connect(path, false)
+ return New(socket.FD()), err
 }
 
 // Close closes the file descriptor contained in the FD.
-- 
cgit v1.2.3

From 46beb919121f02d8bd110a54fb8f6de5dfd2891e Mon Sep 17 00:00:00 2001
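Review bot: `return New(socket.FD()), err` evaluates `socket.FD()` before `err` is examined; if `unet.Connect` returns a nil `*Socket` on failure (the usual shape for such constructors — to be confirmed in pkg/unet), a missing or unreachable socket path becomes a nil-pointer panic in the gofer rather than an error the caller can report. Check first: `if err != nil { return nil, err }` followed by `return New(socket.FD()), nil`. Separately, `New(socket.FD())` copies the raw descriptor number while `socket` still owns it; if `unet.Socket` closes its fd from a finalizer, the new `*FD` can be closed underneath its user, so ownership should be handed over explicitly (a release-style call, if pkg/unet provides one) rather than shared between two owners.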
From: Robert Tonic
Date: Thu, 19 Sep 2019 17:10:50 -0400
Subject: Fix documentation, clean up seccomp filter installation, rename helpers.

Filter installation has been streamlined and functions renamed. Documentation has been fixed to be standards compliant, and missing documentation added. gofmt has also been applied to modified files.
---
 pkg/fd/fd.go | 6 +++---
 runsc/boot/config.go | 2 +-
 runsc/cmd/gofer.go | 12 +++++-------
 runsc/fsgofer/filter/filter.go | 19 ++++++-------------
 runsc/fsgofer/fsgofer.go | 21 +++++++++++----------
 5 files changed, 26 insertions(+), 34 deletions(-)

(limited to 'pkg/fd/fd.go')

diff --git a/pkg/fd/fd.go b/pkg/fd/fd.go
index 7f1f9d984..24e959944 100644
--- a/pkg/fd/fd.go
+++ b/pkg/fd/fd.go
@@ -17,12 +17,12 @@ package fd
 
 import (
  "fmt"
+ "gvisor.dev/gvisor/pkg/unet"
  "io"
  "os"
  "runtime"
  "sync/atomic"
  "syscall"
- "gvisor.dev/gvisor/pkg/unet"
 )
 
 // ReadWriter implements io.ReadWriter, io.ReaderAt, and io.WriterAt for fd. It
@@ -186,8 +186,8 @@ func OpenAt(dir *FD, path string, flags int, mode uint32) (*FD, error) {
  return New(f), nil
 }
 
-// OpenUnix Open a Unix Domain Socket and return the file descriptor for it.
-func OpenUnix(path string) (*FD, error) {
+// DialUnix connects to a Unix Domain Socket and return the file descriptor.
+func DialUnix(path string) (*FD, error) {
  socket, err := unet.Connect(path, false)
  return New(socket.FD()), err
 }
diff --git a/runsc/boot/config.go b/runsc/boot/config.go
index 954ad2c2a..f1adaba01 100644
--- a/runsc/boot/config.go
+++ b/runsc/boot/config.go
@@ -138,7 +138,7 @@ type Config struct {
  // Overlay is whether to wrap the root filesystem in an overlay.
  Overlay bool
 
- // fsGoferHostUDSAllowed enables the gofer to mount a host UDS
+ // FSGoferHostUDSAllowed enables the gofer to mount a host UDS.
  FSGoferHostUDSAllowed bool
 
  // Network indicates what type of network to use.
diff --git a/runsc/cmd/gofer.go b/runsc/cmd/gofer.go
index 8e63c80e0..fa4f0034d 100644
--- a/runsc/cmd/gofer.go
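Review bot: Placing `"gvisor.dev/gvisor/pkg/unet"` between `"fmt"` and `"io"` satisfies gofmt's sorting but folds a project package into the standard-library import group; the goimports convention keeps third-party and local imports in a blank-line-separated second group. Leave the stdlib lines together and put the unet import in its own group after a blank line, just before `)`. The commit message credits gofmt for this ordering, which explains it — gofmt only sorts within a group and never creates one.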
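Review bot: The new doc comment `// DialUnix connects to a Unix Domain Socket and return the file descriptor.` has a verb-number error and says nothing about socket type or ownership of the result; suggest `// DialUnix connects to the Unix Domain Socket at path and returns an FD for the` / `// connection. The caller owns the returned FD and must Close it.` (whether the `false` passed to unet.Connect fixes the socket type should be confirmed against pkg/unet before documenting it). The rename leaves the body untouched, so `socket.FD()` is still evaluated before `err` is checked on the line below — on a failed connect this most likely dereferences a nil socket and panics, and this commit is a natural place to add `if err != nil { return nil, err }` first.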
+++ b/runsc/cmd/gofer.go
@@ -204,13 +204,11 @@ func (g *Gofer) Execute(_ context.Context, f *flag.FlagSet, args ...interface{})
  }
 
  if g.hostUDSAllowed {
- if err := filter.InstallUDS(); err != nil {
- Fatalf("installing UDS seccomp filters: %v", err)
- }
- } else {
- if err := filter.Install(); err != nil {
- Fatalf("installing seccomp filters: %v", err)
- }
+ filter.InstallUDSFilters()
+ }
+
+ if err := filter.Install(); err != nil {
+ Fatalf("installing seccomp filters: %v", err)
  }
 
  runServers(ats, g.ioFDs)
diff --git a/runsc/fsgofer/filter/filter.go b/runsc/fsgofer/filter/filter.go
index 12ef19d18..8d4ec9c24 100644
--- a/runsc/fsgofer/filter/filter.go
+++ b/runsc/fsgofer/filter/filter.go
@@ -23,23 +23,16 @@ import (
 
 // Install installs seccomp filters.
 func Install() error {
- s := allowedSyscalls
-
  // Set of additional filters used by -race and -msan. Returns empty
  // when not enabled.
- s.Merge(instrumentationFilters())
+ allowedSyscalls.Merge(instrumentationFilters())
 
- return seccomp.Install(s)
+ return seccomp.Install(allowedSyscalls)
 }
 
-// InstallUDS installs the standard Gofer seccomp filters along with filters
-// allowing the gofer to connect to a host UDS.
-func InstallUDS() error {
- // Use the base syscall
- s := allowedSyscalls
-
+// InstallUDSFilters installs the seccomp filters required to let the gofer connect
+// to a host UDS.
+func InstallUDSFilters() {
  // Add additional filters required for connecting to the host's sockets.
- s.Merge(udsSyscalls)
-
- return seccomp.Install(s)
+ allowedSyscalls.Merge(udsSyscalls)
 }
diff --git a/runsc/fsgofer/fsgofer.go b/runsc/fsgofer/fsgofer.go
index d9f3ba8d6..357d712c6 100644
--- a/runsc/fsgofer/fsgofer.go
+++ b/runsc/fsgofer/fsgofer.go
@@ -21,6 +21,7 @@
 package fsgofer
 
 import (
+ "errors"
  "fmt"
  "io"
  "math"
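Review bot: The new sequence is order-dependent in a way nothing enforces: `filter.InstallUDSFilters()` only widens the in-memory allowlist and `filter.Install()` is the call that actually loads it into the kernel, so a later reorder, or a second code path that runs Install first, would silently drop the UDS syscalls. Add a comment at the call site such as `// InstallUDSFilters only extends the allowlist; it must precede Install(),` / `// which is what loads the seccomp filter.` It is also worth a comment that this block is the enforcement point for host-UDS access — the socket-related syscalls are permitted in the gofer only when hostUDSAllowed is set — since the config check in fsgofer's Attach is only as strong as this filter. Execute's body starts before and ends after the hunk.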
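Review bot: Both functions now modify the package-level `allowedSyscalls` in place, turning it into process-global mutable state: `Install()` permanently adds the instrumentation rules, and `InstallUDSFilters()` adds the UDS rules whether or not `Install()` has already loaded the filter — in the latter case the call changes nothing in the kernel but leaves the global widened for any later `Install()`. At minimum the doc comment should state the constraint, e.g. `// InstallUDSFilters adds the syscalls needed to connect to a host UDS to the` / `// shared allowlist; it mutates package state and must be called before Install().` A cleaner shape keeps the global immutable and has Install build a fresh merged rule set from an option, but that is a wider change than this commit. Note the removed `s := allowedSyscalls` was probably only a shallow copy if SyscallRules is a map type (not visible here), in which case the old code mutated the global too and the new code merely makes that explicit.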
@@ -86,7 +87,7 @@ type Config struct {
  // PanicOnWrite panics on attempts to write to RO mounts.
  PanicOnWrite bool
 
- // HostUDS prevents
+ // HostUDSAllowed signals whether the gofer can mount a host's UDS.
  HostUDSAllowed bool
 }
 
@@ -131,23 +132,23 @@ func (a *attachPoint) Attach() (p9.File, error) {
  return nil, fmt.Errorf("stat file %q, err: %v", a.prefix, err)
  }
 
- // Acquire the attach point lock
+ // Acquire the attach point lock.
  a.attachedMu.Lock()
  defer a.attachedMu.Unlock()
 
- // Hold the file descriptor we are converting into a p9.File
+ // Hold the file descriptor we are converting into a p9.File.
  var f *fd.FD
 
- // Apply the S_IFMT bitmask so we can detect file type appropriately
- switch fmtStat := stat.Mode & syscall.S_IFMT; {
- case fmtStat == syscall.S_IFSOCK:
- // Check to see if the CLI option has been set to allow the UDS mount
+ // Apply the S_IFMT bitmask so we can detect file type appropriately.
+ switch fmtStat := stat.Mode & syscall.S_IFMT; fmtStat {
+ case syscall.S_IFSOCK:
+ // Check to see if the CLI option has been set to allow the UDS mount.
  if !a.conf.HostUDSAllowed {
- return nil, fmt.Errorf("host UDS support is disabled")
+ return nil, errors.New("host UDS support is disabled")
  }
 
  // Attempt to open a connection. Bubble up the failures.
- f, err = fd.OpenUnix(a.prefix)
+ f, err = fd.DialUnix(a.prefix)
  if err != nil {
  return nil, err
  }
@@ -1058,7 +1059,7 @@ func (l *localFile) Flush() error {
 
 // Connect implements p9.File.
 func (l *localFile) Connect(p9.ConnectFlags) (*fd.FD, error) {
- return fd.OpenUnix(l.hostPath)
+ return fd.DialUnix(l.hostPath)
 }
 
 // Close implements p9.File.
-- 
cgit v1.2.3
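Review bot: When `fd.DialUnix(a.prefix)` fails the error is returned bare (`return nil, err`), whereas the stat failure at the top of the hunk names the path; an operator debugging a refused attach gets only the kernel's message with no indication of which socket was dialed. Wrap it: `return nil, fmt.Errorf("connecting to UDS %q: %v", a.prefix, err)`, and reword the preceding comment to `// Dial the socket; failures are wrapped with the attach-point path.` rather than "Bubble up the failures". Attach's body starts before the hunk and continues past it, so the non-socket arms of the switch are not visible here.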
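Review bot: `Connect` ignores its `p9.ConnectFlags` argument and always calls `fd.DialUnix`, which per the fd.go hunk in this commit asks unet for one fixed socket type; a client that requests a datagram or seqpacket connection gets either the wrong type or an opaque kernel error instead of an explicit unsupported-operation error. It also does not consult the `HostUDSAllowed` configuration that `Attach` checks in the hunk above, so unless that is enforced elsewhere (not visible here) any socket reachable under the mount can be dialed from the sandbox side, with the seccomp allowlist as the only backstop. Name the parameter, reject flags other than the stream type up front, and gate on the same config before dialing; the p9 flag constant names should be taken from pkg/p9 rather than guessed. The hunk opens on the blank line after Flush, whose body is not shown.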