func (d *Daemon) PolicyInit() error {
for k, v := range labels.ResDec {
key := labels.ReservedID(uint32(v)).String()
lbl := labels.NewLabel(
key, "", common.ReservedLabelSource,
)
secLbl := labels.NewSecCtxLabel()
secLbl.ID = uint32(v)
secLbl.AddOrUpdateContainer(lbl.String())
secLbl.Labels[k] = lbl
policyMapPath := fmt.Sprintf("%sreserved_%d", common.PolicyMapPath, uint32(v))
policyMap, _, err := policymap.OpenMap(policyMapPath)
if err != nil {
return fmt.Errorf("Could not create policy BPF map '%s': %s", policyMapPath, err)
}
if c := policy.GetConsumable(uint32(v), secLbl); c == nil {
return fmt.Errorf("Unable to initialize consumable for %v", secLbl)
} else {
d.reservedConsumables = append(d.reservedConsumables, c)
c.AddMap(policyMap)
}
}
return nil
}
func updatePolicyKey(ctx *cli.Context, add bool) {
if len(ctx.Args()) < 2 {
fmt.Fprintf(os.Stderr, "Incorrect number of arguments.\n")
return
}
lbl := ctx.Args().Get(0)
if lbl != "" {
if id := labels.GetID(lbl); id != labels.ID_UNKNOWN {
lbl = "reserved_" + strconv.FormatUint(uint64(id), 10)
}
} else {
fmt.Fprintf(os.Stderr, "Need ID or label\n")
return
}
file := common.PolicyMapPath + lbl
policyMap, _, err := policymap.OpenMap(file)
if err != nil {
fmt.Fprintf(os.Stderr, "Could not open policymap '%s' : %s", file, err)
return
}
peer_lbl, err := strconv.ParseUint(ctx.Args().Get(1), 10, 32)
if add == true {
err = policyMap.AllowConsumer(uint32(peer_lbl))
} else {
err = policyMap.DeleteConsumer(uint32(peer_lbl))
}
if err != nil {
fmt.Fprintf(os.Stderr, "allow label %d failed for %s", peer_lbl, lbl)
return
}
}
// regenerateBPF rewrites all headers and updates all BPF maps to reflect the
// specified endpoint.
//
// If endpointSuffix is set, it will be appended to the container directory to
// allow writing to a temporary directory and then atomically rename it.
func (d *Daemon) regenerateBPF(ep *endpoint.Endpoint, lxcDir string) error {
var err error
createdPolicyMap := false
policyMapPath := ep.PolicyMapPath()
// Cleanup on failure
defer func() {
if err != nil {
if createdPolicyMap {
// Remove policy map file only if it was created
// in this update cycle
if ep.Consumable != nil {
ep.Consumable.RemoveMap(ep.PolicyMap)
}
os.RemoveAll(policyMapPath)
ep.PolicyMap = nil
}
// Always remove endpoint directory, if this was a subsequent
// update call, it was the responsibility of the updater to
// to provide an endpoint suffix to not bluntly overwrite the
// existing directory.
os.RemoveAll(lxcDir)
}
}()
if !d.conf.DryMode {
if ep.PolicyMap == nil {
ep.PolicyMap, createdPolicyMap, err = policymap.OpenMap(policyMapPath)
if err != nil {
return err
}
}
}
// Only generate & populate policy map if a seclabel and consumer model is set up
if ep.Consumable != nil {
if !d.conf.DryMode {
ep.Consumable.AddMap(ep.PolicyMap)
}
// The policy is only regenerated but the endpoint is not
// regenerated as we regenerate below anyway.
if err := d.regenerateEndpointPolicy(ep, false); err != nil {
return fmt.Errorf("Unable to regenerate policy for '%s': %s",
ep.PolicyMap.String(), err)
}
}
if err := os.MkdirAll(lxcDir, 0777); err != nil {
return fmt.Errorf("Failed to create endpoint directory: %s", err)
}
geneveOpts, err := writeGeneve(lxcDir, ep)
if err != nil {
return err
}
err = d.writeBPFHeader(lxcDir, ep, geneveOpts)
if err != nil {
return fmt.Errorf("failed to create temporary directory: %s", err)
}
if !d.conf.DryMode {
if err := d.conf.LXCMap.WriteEndpoint(ep); err != nil {
return fmt.Errorf("Unable to update eBPF map: %s", err)
}
args := []string{d.conf.LibDir, d.conf.RunDir, lxcDir, ep.IfName}
out, err := exec.Command(filepath.Join(d.conf.LibDir, "join_ep.sh"), args...).CombinedOutput()
if err != nil {
log.Warningf("Command execution failed: %s", err)
log.Warningf("Command output:\n%s", out)
return fmt.Errorf("error: %q command output: %q", err, out)
}
log.Infof("Command successful:\n%s", out)
}
return nil
}