func handleConfigshow(c *cli.Context) { config, err := oz.LoadConfig(oz.DefaultConfigPath) useDefaults := false if err != nil { if os.IsNotExist(err) { config = oz.NewDefaultConfig() useDefaults = true } else { fmt.Fprintf(os.Stderr, "Could not load configuration `%s`: %v\n", oz.DefaultConfigPath, err) os.Exit(1) } } v := reflect.ValueOf(*config) vt := reflect.TypeOf(*config) maxFieldLength := 0 for i := 0; i < v.NumField(); i++ { flen := len(vt.Field(i).Tag.Get("json")) if flen > maxFieldLength { maxFieldLength = flen } } maxValueLength := 0 for i := 0; i < v.NumField(); i++ { sval := fmt.Sprintf("%v", v.Field(i).Interface()) flen := len(sval) if flen > maxValueLength { maxValueLength = flen } } sfmt := "%-" + strconv.Itoa(maxFieldLength) + "s: %-" + strconv.Itoa(maxValueLength) + "v" hfmt := "%-" + strconv.Itoa(maxFieldLength) + "s: %s\n" if !useDefaults { fmt.Printf(hfmt, "Config file", oz.DefaultConfigPath) } else { fmt.Printf(hfmt, "Config file", "Not found - using defaults") } for i := 0; i < len(fmt.Sprintf(sfmt, "", ""))+2; i++ { fmt.Print("#") } fmt.Println("") for i := 0; i < v.NumField(); i++ { fval := fmt.Sprintf("%v", v.Field(i).Interface()) fmt.Printf(sfmt, vt.Field(i).Tag.Get("json"), fval) desc := vt.Field(i).Tag.Get("desc") if desc != "" { fmt.Printf(" # %s", desc) } fmt.Println("") } os.Exit(0) }
func loadConfig() (*oz.Config, error) { config, err := oz.LoadConfig(oz.DefaultConfigPath) if err != nil { if os.IsNotExist(err) { config = oz.NewDefaultConfig() } else { return nil, err } } return config, nil }
func (d *daemonState) loadConfig() (*oz.Config, error) { config, err := oz.LoadConfig(oz.DefaultConfigPath) if err != nil { if os.IsNotExist(err) { d.log.Info("Configuration file (%s) is missing, using defaults.", oz.DefaultConfigPath) config = oz.NewDefaultConfig() } else { return nil, err } } d.log.Info("Oz Global Config: %+v", config) return config, nil }
func loadConfig() *oz.Config { config, err := oz.LoadConfig(oz.DefaultConfigPath) if err != nil { if os.IsNotExist(err) { fmt.Fprintln(os.Stderr, "Configuration file (%s) is missing, using defaults.", oz.DefaultConfigPath) config = oz.NewDefaultConfig() } else { fmt.Fprintln(os.Stderr, "Could not load configuration: %s", oz.DefaultConfigPath, err) os.Exit(1) } } return config }
func Main() { if len(os.Args) < 3 { log.Error("seccomp-wrapper: Not enough arguments.") os.Exit(1) } cmd := os.Args[2] cmdArgs := os.Args[2:] config, err := oz.LoadConfig(oz.DefaultConfigPath) if err != nil { if os.IsNotExist(err) { log.Info("Configuration file (%s) is missing, using defaults.", oz.DefaultConfigPath) config = oz.NewDefaultConfig() } else { log.Error("Could not load configuration: %s", oz.DefaultConfigPath, err) os.Exit(1) } } p := new(oz.Profile) if err := json.NewDecoder(os.Stdin).Decode(&p); err != nil { log.Error("unable to decode profile data: %v", err) os.Exit(1) } switch os.Args[1] { case "-w": if p.Seccomp.Seccomp_Whitelist == "" { log.Error("No seccomp policy file.") os.Exit(1) } filter, err := seccomp.Compile(p.Seccomp.Seccomp_Whitelist, p.Seccomp.Enforce) if err != nil { log.Error("Seccomp filter compile failed: %v", err) os.Exit(1) } err = seccomp.Install(filter) if err != nil { log.Error("Error (seccomp): %v", err) os.Exit(1) } err = syscall.Exec(cmd, cmdArgs, os.Environ()) if err != nil { log.Error("Error (exec): %v %s", err, cmd) os.Exit(1) } case "-b": if p.Seccomp.Seccomp_Blacklist == "" { p.Seccomp.Seccomp_Blacklist = path.Join(config.EtcPrefix, "blacklist-generic.seccomp") } filter, err := seccomp.CompileBlacklist(p.Seccomp.Seccomp_Blacklist, p.Seccomp.Enforce) if err != nil { log.Error("Seccomp blacklist filter compile failed: %v", err) os.Exit(1) } err = seccomp.InstallBlacklist(filter) if err != nil { log.Error("Error (seccomp): %v", err) os.Exit(1) } err = syscall.Exec(cmd, cmdArgs, os.Environ()) if err != nil { log.Error("Error (exec): %v %s", err, cmd) os.Exit(1) } default: fmt.Println("Bad switch.") os.Exit(1) } }
func parseArgs() *initState { log := createLogger() if os.Getuid() != 0 { log.Error("oz-init must run as root\n") os.Exit(1) } if os.Getpid() != 1 { log.Error("oz-init must be launched in new pid namespace.") os.Exit(1) } getvar := func(name string) string { val := os.Getenv(name) if val == "" { log.Error("Error: missing required '%s' argument", name) os.Exit(1) } return val } pname := getvar("INIT_PROFILE") sockaddr := getvar("INIT_SOCKET") uidval := getvar("INIT_UID") dispval := os.Getenv("INIT_DISPLAY") stnip := os.Getenv("INIT_ADDR") stnvhost := os.Getenv("INIT_VHOST") stnvguest := os.Getenv("INIT_VGUEST") stngateway := os.Getenv("INIT_GATEWAY") var config *oz.Config config, err := oz.LoadConfig(oz.DefaultConfigPath) if err != nil { if os.IsNotExist(err) { log.Info("Configuration file (%s) is missing, using defaults.", oz.DefaultConfigPath) config = oz.NewDefaultConfig() } else { log.Error("Could not load configuration: %s", oz.DefaultConfigPath, err) os.Exit(1) } } p, err := loadProfile(config.ProfileDir, pname) if err != nil { log.Error("Could not load profile %s: %v", pname, err) os.Exit(1) } uid, err := strconv.Atoi(uidval) if err != nil { log.Error("Could not parse INIT_UID argument (%s) into an integer: %v", uidval, err) os.Exit(1) } u, err := user.LookupId(uidval) if err != nil { log.Error("Failed to look up user with uid=%s: %v", uidval, err) os.Exit(1) } gid, err := strconv.Atoi(u.Gid) if err != nil { log.Error("Failed to parse gid value (%s) from user struct: %v", u.Gid, err) os.Exit(1) } display := 0 if dispval != "" { d, err := strconv.Atoi(dispval) if err != nil { log.Error("Unable to parse display (%s) into an integer: %v", dispval, err) os.Exit(1) } display = d } stn := new(network.SandboxNetwork) if stnip != "" { gateway, _, err := net.ParseCIDR(stngateway) if err != nil { log.Error("Unable to parse network configuration gateway (%s): %v", stngateway, err) os.Exit(1) } stn.Ip = stnip stn.VethHost = stnvhost stn.VethGuest = stnvguest stn.Gateway = gateway } env := []string{} for _, e := range os.Environ() { if strings.HasPrefix(e, EnvPrefix) { e = e[len(EnvPrefix):] log.Debug("Adding (%s) to launch environment", e) env = append(env, e) } } env = append(env, "PATH=/usr/bin:/bin") if p.XServer.Enabled { env = append(env, "DISPLAY=:"+strconv.Itoa(display)) } return &initState{ log: log, config: config, sockaddr: sockaddr, launchEnv: env, profile: p, children: make(map[int]*exec.Cmd), uid: uid, gid: gid, user: u, display: display, fs: fs.NewFilesystem(config, log), network: stn, } }
func Main() { modeptr := flag.String("mode", "whitelist", "Mode: whitelist, blacklist, train") policyptr := flag.String("policy", "", "Policy path") flag.Parse() args := flag.Args() cmdArgs := []string{args[0]} if len(args) < 1 { log.Error("oz-seccomp: no command.") os.Exit(1) } cmd := args[0] cmdArgs = args fpath := "" config, err := oz.LoadConfig(oz.DefaultConfigPath) if err != nil { if os.IsNotExist(err) { log.Info("Configuration file (%s) is missing, using defaults.", oz.DefaultConfigPath) config = oz.NewDefaultConfig() } else { log.Error("Could not load configuration: %s", oz.DefaultConfigPath, err) os.Exit(1) } } p := new(oz.Profile) if *modeptr != "train" { if err := json.NewDecoder(os.Stdin).Decode(&p); err != nil { log.Error("unable to decode profile data: %v", err) os.Exit(1) } } switch *modeptr { case "train": if *policyptr == "" { fpath = path.Join(config.EtcPrefix, "training-generic.seccomp") } else { fpath = *policyptr } filter, err := seccomp.Compile(fpath, false) if err != nil { log.Error("Seccomp filter compile failed: %v", err) os.Exit(1) } err = seccomp.Install(filter) if err != nil { log.Error("Error (seccomp): %v", err) os.Exit(1) } err = syscall.Exec(cmd, cmdArgs, os.Environ()) if err != nil { log.Error("Error (exec): %v %s", err, cmd) os.Exit(1) } case "whitelist": enforce := true fpath := "" if p.Seccomp.Mode == oz.PROFILE_SECCOMP_WHITELIST { if p.Seccomp.Whitelist == "" { log.Error("No seccomp policy file.") os.Exit(1) } fpath = p.Seccomp.Whitelist enforce = p.Seccomp.Enforce } else if p.Seccomp.Mode == oz.PROFILE_SECCOMP_TRAIN { if enforce == true { log.Error("Oz profile configured for seccomp enforcement while training. Enforce mode set to false.") enforce = false } fpath = path.Join(config.EtcPrefix, "training-generic.seccomp") } filter, err := seccomp.Compile(fpath, enforce) if err != nil { log.Error("Seccomp filter compile failed: %v", err) os.Exit(1) } err = seccomp.Install(filter) if err != nil { log.Error("Error (seccomp): %v", err) os.Exit(1) } err = syscall.Exec(cmd, cmdArgs, os.Environ()) if err != nil { log.Error("Error (exec): %v %s", err, cmd) os.Exit(1) } case "blacklist": if p.Seccomp.Blacklist == "" { p.Seccomp.Blacklist = path.Join(config.EtcPrefix, "blacklist-generic.seccomp") } filter, err := seccomp.CompileBlacklist(p.Seccomp.Blacklist, p.Seccomp.Enforce) if err != nil { log.Error("Seccomp blacklist filter compile failed: %v", err) os.Exit(1) } err = seccomp.InstallBlacklist(filter) if err != nil { log.Error("Error (seccomp): %v", err) os.Exit(1) } log.Info("%s %v\n", cmd, cmdArgs) err = syscall.Exec(cmd, cmdArgs, os.Environ()) if err != nil { log.Error("Error (exec): %v %s", err, cmd) os.Exit(1) } default: fmt.Println("Bad switch.") os.Exit(1) } }