Exemple #1
0
func (d *Daemon) PolicyInit() error {
	for k, v := range labels.ResDec {

		key := labels.ReservedID(uint32(v)).String()
		lbl := labels.NewLabel(
			key, "", common.ReservedLabelSource,
		)
		secLbl := labels.NewSecCtxLabel()
		secLbl.ID = uint32(v)
		secLbl.AddOrUpdateContainer(lbl.String())
		secLbl.Labels[k] = lbl

		policyMapPath := fmt.Sprintf("%sreserved_%d", common.PolicyMapPath, uint32(v))

		policyMap, _, err := policymap.OpenMap(policyMapPath)
		if err != nil {
			return fmt.Errorf("Could not create policy BPF map '%s': %s", policyMapPath, err)
		}

		if c := policy.GetConsumable(uint32(v), secLbl); c == nil {
			return fmt.Errorf("Unable to initialize consumable for %v", secLbl)
		} else {
			d.reservedConsumables = append(d.reservedConsumables, c)
			c.AddMap(policyMap)
		}
	}

	return nil
}
Exemple #2
0
func updatePolicyKey(ctx *cli.Context, add bool) {
	if len(ctx.Args()) < 2 {
		fmt.Fprintf(os.Stderr, "Incorrect number of arguments.\n")
		return
	}

	lbl := ctx.Args().Get(0)

	if lbl != "" {
		if id := labels.GetID(lbl); id != labels.ID_UNKNOWN {
			lbl = "reserved_" + strconv.FormatUint(uint64(id), 10)
		}
	} else {
		fmt.Fprintf(os.Stderr, "Need ID or label\n")
		return
	}

	file := common.PolicyMapPath + lbl
	policyMap, _, err := policymap.OpenMap(file)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Could not open policymap '%s' : %s", file, err)
		return
	}

	peer_lbl, err := strconv.ParseUint(ctx.Args().Get(1), 10, 32)
	if add == true {
		err = policyMap.AllowConsumer(uint32(peer_lbl))
	} else {
		err = policyMap.DeleteConsumer(uint32(peer_lbl))
	}

	if err != nil {
		fmt.Fprintf(os.Stderr, "allow label %d failed for %s", peer_lbl, lbl)
		return
	}
}
Exemple #3
0
// regenerateBPF rewrites all headers and updates all BPF maps to reflect the
// specified endpoint.
//
// If endpointSuffix is set, it will be appended to the container directory to
// allow writing to a temporary directory and then atomically rename it.
func (d *Daemon) regenerateBPF(ep *endpoint.Endpoint, lxcDir string) error {
	var err error
	createdPolicyMap := false

	policyMapPath := ep.PolicyMapPath()

	// Cleanup on failure
	defer func() {
		if err != nil {
			if createdPolicyMap {
				// Remove policy map file only if it was created
				// in this update cycle
				if ep.Consumable != nil {
					ep.Consumable.RemoveMap(ep.PolicyMap)
				}

				os.RemoveAll(policyMapPath)
				ep.PolicyMap = nil
			}

			// Always remove endpoint directory, if this was a subsequent
			// update call, it was the responsibility of the updater to
			// to provide an endpoint suffix to not bluntly overwrite the
			// existing directory.
			os.RemoveAll(lxcDir)
		}
	}()

	if !d.conf.DryMode {
		if ep.PolicyMap == nil {
			ep.PolicyMap, createdPolicyMap, err = policymap.OpenMap(policyMapPath)
			if err != nil {
				return err
			}
		}
	}

	// Only generate & populate policy map if a seclabel and consumer model is set up
	if ep.Consumable != nil {
		if !d.conf.DryMode {
			ep.Consumable.AddMap(ep.PolicyMap)
		}

		// The policy is only regenerated but the endpoint is not
		// regenerated as we regenerate below anyway.
		if err := d.regenerateEndpointPolicy(ep, false); err != nil {
			return fmt.Errorf("Unable to regenerate policy for '%s': %s",
				ep.PolicyMap.String(), err)
		}
	}

	if err := os.MkdirAll(lxcDir, 0777); err != nil {
		return fmt.Errorf("Failed to create endpoint directory: %s", err)
	}

	geneveOpts, err := writeGeneve(lxcDir, ep)
	if err != nil {
		return err
	}

	err = d.writeBPFHeader(lxcDir, ep, geneveOpts)
	if err != nil {
		return fmt.Errorf("failed to create temporary directory: %s", err)
	}

	if !d.conf.DryMode {
		if err := d.conf.LXCMap.WriteEndpoint(ep); err != nil {
			return fmt.Errorf("Unable to update eBPF map: %s", err)
		}

		args := []string{d.conf.LibDir, d.conf.RunDir, lxcDir, ep.IfName}
		out, err := exec.Command(filepath.Join(d.conf.LibDir, "join_ep.sh"), args...).CombinedOutput()
		if err != nil {
			log.Warningf("Command execution failed: %s", err)
			log.Warningf("Command output:\n%s", out)
			return fmt.Errorf("error: %q command output: %q", err, out)
		}

		log.Infof("Command successful:\n%s", out)
	}

	return nil
}