func handleConfigshow(c *cli.Context) {
config, err := oz.LoadConfig(oz.DefaultConfigPath)
useDefaults := false
if err != nil {
if os.IsNotExist(err) {
config = oz.NewDefaultConfig()
useDefaults = true
} else {
fmt.Fprintf(os.Stderr, "Could not load configuration `%s`: %v\n", oz.DefaultConfigPath, err)
os.Exit(1)
}
}
v := reflect.ValueOf(*config)
vt := reflect.TypeOf(*config)
maxFieldLength := 0
for i := 0; i < v.NumField(); i++ {
flen := len(vt.Field(i).Tag.Get("json"))
if flen > maxFieldLength {
maxFieldLength = flen
}
}
maxValueLength := 0
for i := 0; i < v.NumField(); i++ {
sval := fmt.Sprintf("%v", v.Field(i).Interface())
flen := len(sval)
if flen > maxValueLength {
maxValueLength = flen
}
}
sfmt := "%-" + strconv.Itoa(maxFieldLength) + "s: %-" + strconv.Itoa(maxValueLength) + "v"
hfmt := "%-" + strconv.Itoa(maxFieldLength) + "s: %s\n"
if !useDefaults {
fmt.Printf(hfmt, "Config file", oz.DefaultConfigPath)
} else {
fmt.Printf(hfmt, "Config file", "Not found - using defaults")
}
for i := 0; i < len(fmt.Sprintf(sfmt, "", ""))+2; i++ {
fmt.Print("#")
}
fmt.Println("")
for i := 0; i < v.NumField(); i++ {
fval := fmt.Sprintf("%v", v.Field(i).Interface())
fmt.Printf(sfmt, vt.Field(i).Tag.Get("json"), fval)
desc := vt.Field(i).Tag.Get("desc")
if desc != "" {
fmt.Printf(" # %s", desc)
}
fmt.Println("")
}
os.Exit(0)
}
func loadConfig() (*oz.Config, error) {
config, err := oz.LoadConfig(oz.DefaultConfigPath)
if err != nil {
if os.IsNotExist(err) {
config = oz.NewDefaultConfig()
} else {
return nil, err
}
}
return config, nil
}
func (d *daemonState) loadConfig() (*oz.Config, error) {
config, err := oz.LoadConfig(oz.DefaultConfigPath)
if err != nil {
if os.IsNotExist(err) {
d.log.Info("Configuration file (%s) is missing, using defaults.", oz.DefaultConfigPath)
config = oz.NewDefaultConfig()
} else {
return nil, err
}
}
d.log.Info("Oz Global Config: %+v", config)
return config, nil
}
func loadConfig() *oz.Config {
config, err := oz.LoadConfig(oz.DefaultConfigPath)
if err != nil {
if os.IsNotExist(err) {
fmt.Fprintln(os.Stderr, "Configuration file (%s) is missing, using defaults.", oz.DefaultConfigPath)
config = oz.NewDefaultConfig()
} else {
fmt.Fprintln(os.Stderr, "Could not load configuration: %s", oz.DefaultConfigPath, err)
os.Exit(1)
}
}
return config
}
func handleConfigcheck(c *cli.Context) {
_, err := oz.LoadConfig(oz.DefaultConfigPath)
if err != nil {
if !os.IsNotExist(err) {
fmt.Fprintf(os.Stderr, "Could not load configuration `%s`: %v\n", oz.DefaultConfigPath, err)
os.Exit(1)
}
}
OzConfig = loadConfig()
_, err = oz.LoadProfiles(OzConfig.ProfileDir)
if err != nil {
fmt.Fprintf(os.Stderr, "Unable to load profiles from `%s`: %v\n", OzConfig.ProfileDir, err)
os.Exit(1)
}
fmt.Println("Configurations and profiles ok!")
os.Exit(0)
}
func Main() {
if len(os.Args) < 3 {
log.Error("seccomp-wrapper: Not enough arguments.")
os.Exit(1)
}
cmd := os.Args[2]
cmdArgs := os.Args[2:]
config, err := oz.LoadConfig(oz.DefaultConfigPath)
if err != nil {
if os.IsNotExist(err) {
log.Info("Configuration file (%s) is missing, using defaults.", oz.DefaultConfigPath)
config = oz.NewDefaultConfig()
} else {
log.Error("Could not load configuration: %s", oz.DefaultConfigPath, err)
os.Exit(1)
}
}
p := new(oz.Profile)
if err := json.NewDecoder(os.Stdin).Decode(&p); err != nil {
log.Error("unable to decode profile data: %v", err)
os.Exit(1)
}
switch os.Args[1] {
case "-w":
if p.Seccomp.Seccomp_Whitelist == "" {
log.Error("No seccomp policy file.")
os.Exit(1)
}
filter, err := seccomp.Compile(p.Seccomp.Seccomp_Whitelist, p.Seccomp.Enforce)
if err != nil {
log.Error("Seccomp filter compile failed: %v", err)
os.Exit(1)
}
err = seccomp.Install(filter)
if err != nil {
log.Error("Error (seccomp): %v", err)
os.Exit(1)
}
err = syscall.Exec(cmd, cmdArgs, os.Environ())
if err != nil {
log.Error("Error (exec): %v %s", err, cmd)
os.Exit(1)
}
case "-b":
if p.Seccomp.Seccomp_Blacklist == "" {
p.Seccomp.Seccomp_Blacklist = path.Join(config.EtcPrefix, "blacklist-generic.seccomp")
}
filter, err := seccomp.CompileBlacklist(p.Seccomp.Seccomp_Blacklist, p.Seccomp.Enforce)
if err != nil {
log.Error("Seccomp blacklist filter compile failed: %v", err)
os.Exit(1)
}
err = seccomp.InstallBlacklist(filter)
if err != nil {
log.Error("Error (seccomp): %v", err)
os.Exit(1)
}
err = syscall.Exec(cmd, cmdArgs, os.Environ())
if err != nil {
log.Error("Error (exec): %v %s", err, cmd)
os.Exit(1)
}
default:
fmt.Println("Bad switch.")
os.Exit(1)
}
}
func parseArgs() *initState {
log := createLogger()
if os.Getuid() != 0 {
log.Error("oz-init must run as root\n")
os.Exit(1)
}
if os.Getpid() != 1 {
log.Error("oz-init must be launched in new pid namespace.")
os.Exit(1)
}
getvar := func(name string) string {
val := os.Getenv(name)
if val == "" {
log.Error("Error: missing required '%s' argument", name)
os.Exit(1)
}
return val
}
pname := getvar("INIT_PROFILE")
sockaddr := getvar("INIT_SOCKET")
uidval := getvar("INIT_UID")
dispval := os.Getenv("INIT_DISPLAY")
stnip := os.Getenv("INIT_ADDR")
stnvhost := os.Getenv("INIT_VHOST")
stnvguest := os.Getenv("INIT_VGUEST")
stngateway := os.Getenv("INIT_GATEWAY")
var config *oz.Config
config, err := oz.LoadConfig(oz.DefaultConfigPath)
if err != nil {
if os.IsNotExist(err) {
log.Info("Configuration file (%s) is missing, using defaults.", oz.DefaultConfigPath)
config = oz.NewDefaultConfig()
} else {
log.Error("Could not load configuration: %s", oz.DefaultConfigPath, err)
os.Exit(1)
}
}
p, err := loadProfile(config.ProfileDir, pname)
if err != nil {
log.Error("Could not load profile %s: %v", pname, err)
os.Exit(1)
}
uid, err := strconv.Atoi(uidval)
if err != nil {
log.Error("Could not parse INIT_UID argument (%s) into an integer: %v", uidval, err)
os.Exit(1)
}
u, err := user.LookupId(uidval)
if err != nil {
log.Error("Failed to look up user with uid=%s: %v", uidval, err)
os.Exit(1)
}
gid, err := strconv.Atoi(u.Gid)
if err != nil {
log.Error("Failed to parse gid value (%s) from user struct: %v", u.Gid, err)
os.Exit(1)
}
display := 0
if dispval != "" {
d, err := strconv.Atoi(dispval)
if err != nil {
log.Error("Unable to parse display (%s) into an integer: %v", dispval, err)
os.Exit(1)
}
display = d
}
stn := new(network.SandboxNetwork)
if stnip != "" {
gateway, _, err := net.ParseCIDR(stngateway)
if err != nil {
log.Error("Unable to parse network configuration gateway (%s): %v", stngateway, err)
os.Exit(1)
}
stn.Ip = stnip
stn.VethHost = stnvhost
stn.VethGuest = stnvguest
stn.Gateway = gateway
}
env := []string{}
for _, e := range os.Environ() {
if strings.HasPrefix(e, EnvPrefix) {
e = e[len(EnvPrefix):]
log.Debug("Adding (%s) to launch environment", e)
env = append(env, e)
}
}
env = append(env, "PATH=/usr/bin:/bin")
if p.XServer.Enabled {
env = append(env, "DISPLAY=:"+strconv.Itoa(display))
}
return &initState{
log: log,
config: config,
sockaddr: sockaddr,
launchEnv: env,
profile: p,
children: make(map[int]*exec.Cmd),
uid: uid,
gid: gid,
user: u,
display: display,
fs: fs.NewFilesystem(config, log),
network: stn,
}
}
func Main() {
modeptr := flag.String("mode", "whitelist", "Mode: whitelist, blacklist, train")
policyptr := flag.String("policy", "", "Policy path")
flag.Parse()
args := flag.Args()
cmdArgs := []string{args[0]}
if len(args) < 1 {
log.Error("oz-seccomp: no command.")
os.Exit(1)
}
cmd := args[0]
cmdArgs = args
fpath := ""
config, err := oz.LoadConfig(oz.DefaultConfigPath)
if err != nil {
if os.IsNotExist(err) {
log.Info("Configuration file (%s) is missing, using defaults.", oz.DefaultConfigPath)
config = oz.NewDefaultConfig()
} else {
log.Error("Could not load configuration: %s", oz.DefaultConfigPath, err)
os.Exit(1)
}
}
p := new(oz.Profile)
if *modeptr != "train" {
if err := json.NewDecoder(os.Stdin).Decode(&p); err != nil {
log.Error("unable to decode profile data: %v", err)
os.Exit(1)
}
}
switch *modeptr {
case "train":
if *policyptr == "" {
fpath = path.Join(config.EtcPrefix, "training-generic.seccomp")
} else {
fpath = *policyptr
}
filter, err := seccomp.Compile(fpath, false)
if err != nil {
log.Error("Seccomp filter compile failed: %v", err)
os.Exit(1)
}
err = seccomp.Install(filter)
if err != nil {
log.Error("Error (seccomp): %v", err)
os.Exit(1)
}
err = syscall.Exec(cmd, cmdArgs, os.Environ())
if err != nil {
log.Error("Error (exec): %v %s", err, cmd)
os.Exit(1)
}
case "whitelist":
enforce := true
fpath := ""
if p.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST {
if p.Seccomp.Whitelist == "" {
log.Error("No seccomp policy file.")
os.Exit(1)
}
fpath = p.Seccomp.Whitelist
enforce = p.Seccomp.Enforce
} else if p.Seccomp.Mode == oz.PROFILE_SECCOMP_TRAIN {
if enforce == true {
log.Error("Oz profile configured for seccomp enforcement while training. Enforce mode set to false.")
enforce = false
}
fpath = path.Join(config.EtcPrefix, "training-generic.seccomp")
}
filter, err := seccomp.Compile(fpath, enforce)
if err != nil {
log.Error("Seccomp filter compile failed: %v", err)
os.Exit(1)
}
err = seccomp.Install(filter)
if err != nil {
log.Error("Error (seccomp): %v", err)
os.Exit(1)
}
err = syscall.Exec(cmd, cmdArgs, os.Environ())
if err != nil {
log.Error("Error (exec): %v %s", err, cmd)
os.Exit(1)
}
case "blacklist":
if p.Seccomp.Blacklist == "" {
p.Seccomp.Blacklist = path.Join(config.EtcPrefix, "blacklist-generic.seccomp")
}
filter, err := seccomp.CompileBlacklist(p.Seccomp.Blacklist, p.Seccomp.Enforce)
if err != nil {
log.Error("Seccomp blacklist filter compile failed: %v", err)
os.Exit(1)
}
err = seccomp.InstallBlacklist(filter)
if err != nil {
log.Error("Error (seccomp): %v", err)
os.Exit(1)
}
log.Info("%s %v\n", cmd, cmdArgs)
err = syscall.Exec(cmd, cmdArgs, os.Environ())
if err != nil {
log.Error("Error (exec): %v %s", err, cmd)
os.Exit(1)
}
default:
fmt.Println("Bad switch.")
os.Exit(1)
}
}