Пример #1
0
func (d *Daemon) PolicyInit() error {
	for k, v := range labels.ResDec {

		key := labels.ReservedID(uint32(v)).String()
		lbl := labels.NewLabel(
			key, "", common.ReservedLabelSource,
		)
		secLbl := labels.NewSecCtxLabel()
		secLbl.ID = uint32(v)
		secLbl.AddOrUpdateContainer(lbl.String())
		secLbl.Labels[k] = lbl

		policyMapPath := fmt.Sprintf("%sreserved_%d", common.PolicyMapPath, uint32(v))

		policyMap, _, err := policymap.OpenMap(policyMapPath)
		if err != nil {
			return fmt.Errorf("Could not create policy BPF map '%s': %s", policyMapPath, err)
		}

		if c := policy.GetConsumable(uint32(v), secLbl); c == nil {
			return fmt.Errorf("Unable to initialize consumable for %v", secLbl)
		} else {
			d.reservedConsumables = append(d.reservedConsumables, c)
			c.AddMap(policyMap)
		}
	}

	return nil
}
Пример #2
0
// PutLabels stores to given labels in consul and returns the SecCtxLabels created for
// the given labels.
func (d *Daemon) PutLabels(lbls labels.Labels, contID string) (*labels.SecCtxLabel, bool, error) {
	log.Debugf("Resolving labels %+v of %s", lbls, contID)

	isNew := false

	// Retrieve unique SHA256Sum for labels
	sha256Sum, err := lbls.SHA256Sum()
	if err != nil {
		return nil, false, err
	}
	lblPath := path.Join(common.LabelsKeyPath, sha256Sum)

	// Lock that sha256Sum
	lockKey, err := d.kvClient.LockPath(lblPath)
	if err != nil {
		return nil, false, err
	}
	defer lockKey.Unlock()

	// After lock complete, get label's path
	rmsg, err := d.kvClient.GetValue(lblPath)
	if err != nil {
		return nil, false, err
	}

	secCtxLbls := labels.NewSecCtxLabel()
	if rmsg == nil {
		secCtxLbls.Labels = lbls
		isNew = true
	} else {
		if err := json.Unmarshal(rmsg, &secCtxLbls); err != nil {
			return nil, false, err
		}
		// If RefCount is 0 then we have to retrieve a new ID
		if secCtxLbls.RefCount() == 0 {
			isNew = true
			secCtxLbls.Containers = make(map[string]time.Time)
		}
	}

	secCtxLbls.AddOrUpdateContainer(contID)

	if isNew {
		if err := d.gasNewSecLabelID(secCtxLbls); err != nil {
			return nil, false, err
		}
	} else if err := d.updateSecLabelIDRef(*secCtxLbls); err != nil {
		return nil, false, err
	}

	log.Debugf("Incrementing label %d ref-count to %d\n", secCtxLbls.ID, secCtxLbls.RefCount())

	d.AddOrUpdateUINode(secCtxLbls.ID, secCtxLbls.Labels.ToSlice(), secCtxLbls.RefCount())

	err = d.kvClient.SetValue(lblPath, secCtxLbls)

	return secCtxLbls, isNew, err
}
Пример #3
0
// GetLabels returns the SecCtxLabels that belongs to the given id.
func (d *Daemon) GetLabels(id uint32) (*labels.SecCtxLabel, error) {
	if id > 0 && id < common.FirstFreeLabelID {
		key := labels.ReservedID(id).String()
		if key == "" {
			return nil, nil
		}

		lbl := labels.NewLabel(
			key, "", common.ReservedLabelSource,
		)
		secLbl := labels.NewSecCtxLabel()
		secLbl.AddOrUpdateContainer(lbl.String())
		secLbl.ID = id
		secLbl.Labels = labels.Labels{
			common.ReservedLabelSource: lbl,
		}

		return secLbl, nil
	}

	strID := strconv.FormatUint(uint64(id), 10)
	rmsg, err := d.kvClient.GetValue(path.Join(common.LabelIDKeyPath, strID))
	if err != nil {
		return nil, err
	}
	if rmsg == nil {
		return nil, nil
	}

	var secCtxLabels labels.SecCtxLabel
	if err := json.Unmarshal(rmsg, &secCtxLabels); err != nil {
		return nil, err
	}
	if secCtxLabels.RefCount() == 0 {
		return nil, nil
	}
	return &secCtxLabels, nil
}