func seccompSet(context *cli.Context, seccompFlag string, g *generate.Generator) error { flagInput := context.String("seccomp-" + seccompFlag) flagArgs := strings.Split(flagInput, ",") setSyscallArgsSlice := []seccomp.SyscallOpts{} for _, flagArg := range flagArgs { comparisonArgs := strings.Split(flagArg, ":") if len(comparisonArgs) == 5 { setSyscallArgs := seccomp.SyscallOpts{ Action: seccompFlag, Syscall: comparisonArgs[0], Index: comparisonArgs[1], Value: comparisonArgs[2], ValueTwo: comparisonArgs[3], Operator: comparisonArgs[4], } setSyscallArgsSlice = append(setSyscallArgsSlice, setSyscallArgs) } else if len(comparisonArgs) == 1 { setSyscallArgs := seccomp.SyscallOpts{ Action: seccompFlag, Syscall: comparisonArgs[0], } setSyscallArgsSlice = append(setSyscallArgsSlice, setSyscallArgs) } else { return fmt.Errorf("invalid syscall argument formatting %v", comparisonArgs) } for _, r := range setSyscallArgsSlice { err := g.SetSyscallAction(r) if err != nil { return err } } } return nil }
func setupSpec(g *generate.Generator, context *cli.Context) error { if context.GlobalBool("host-specific") { g.HostSpecific = true } spec := g.Spec() if len(spec.Version) == 0 { g.SetVersion(rspec.Version) } if context.IsSet("hostname") { g.SetHostname(context.String("hostname")) } g.SetPlatformOS(context.String("os")) g.SetPlatformArch(context.String("arch")) if context.IsSet("label") { annotations := context.StringSlice("label") for _, s := range annotations { pair := strings.Split(s, "=") if len(pair) != 2 { return fmt.Errorf("incorrectly specified annotation: %s", s) } g.AddAnnotation(pair[0], pair[1]) } } g.SetRootPath(context.String("rootfs")) if context.IsSet("read-only") { g.SetRootReadonly(context.Bool("read-only")) } if context.IsSet("uid") { g.SetProcessUID(uint32(context.Int("uid"))) } if context.IsSet("gid") { g.SetProcessGID(uint32(context.Int("gid"))) } if context.IsSet("selinux-label") { g.SetProcessSelinuxLabel(context.String("selinux-label")) } g.SetProcessCwd(context.String("cwd")) if context.IsSet("apparmor") { g.SetProcessApparmorProfile(context.String("apparmor")) } if context.IsSet("no-new-privileges") { g.SetProcessNoNewPrivileges(context.Bool("no-new-privileges")) } if context.IsSet("tty") { g.SetProcessTerminal(context.Bool("tty")) } if context.IsSet("args") { g.SetProcessArgs(context.StringSlice("args")) } if context.IsSet("env") { envs := context.StringSlice("env") for _, env := range envs { g.AddProcessEnv(env) } } if context.IsSet("groups") { groups := context.StringSlice("groups") for _, group := range groups { groupID, err := strconv.Atoi(group) if err != nil { return err } g.AddProcessAdditionalGid(uint32(groupID)) } } if context.IsSet("cgroups-path") { g.SetLinuxCgroupsPath(context.String("cgroups-path")) } if context.IsSet("mount-label") { g.SetLinuxMountLabel(context.String("mount-label")) } if context.IsSet("sysctl") { sysctls := context.StringSlice("sysctl") for _, s := range sysctls { pair := strings.Split(s, "=") if len(pair) != 2 { return fmt.Errorf("incorrectly specified sysctl: %s", s) } g.AddLinuxSysctl(pair[0], pair[1]) } } privileged := false if context.IsSet("privileged") { privileged = context.Bool("privileged") } g.SetupPrivileged(privileged) if context.IsSet("cap-add") { addCaps := context.StringSlice("cap-add") for _, cap := range addCaps { if err := g.AddProcessCapability(cap); err != nil { return err } } } if context.IsSet("cap-drop") { dropCaps := context.StringSlice("cap-drop") for _, cap := range dropCaps { if err := g.DropProcessCapability(cap); err != nil { return err } } } needsNewUser := false var uidMaps, gidMaps []string if context.IsSet("uidmappings") { uidMaps = context.StringSlice("uidmappings") } if context.IsSet("gidmappings") { gidMaps = context.StringSlice("gidmappings") } if len(uidMaps) > 0 || len(gidMaps) > 0 { needsNewUser = true } setupLinuxNamespaces(context, g, needsNewUser) if context.IsSet("tmpfs") { tmpfsSlice := context.StringSlice("tmpfs") for _, s := range tmpfsSlice { dest, options, err := parseTmpfsMount(s) if err != nil { return err } g.AddTmpfsMount(dest, options) } } mountCgroupOption := context.String("mount-cgroups") if err := g.AddCgroupsMount(mountCgroupOption); err != nil { return err } if context.IsSet("bind") { binds := context.StringSlice("bind") for _, bind := range binds { source, dest, options, err := parseBindMount(bind) if err != nil { return err } g.AddBindMount(source, dest, options) } } if context.IsSet("prestart") { preStartHooks := context.StringSlice("prestart") for _, hook := range preStartHooks { path, args := parseHook(hook) g.AddPreStartHook(path, args) } } if context.IsSet("poststop") { postStopHooks := context.StringSlice("poststop") for _, hook := range postStopHooks { path, args := parseHook(hook) g.AddPostStopHook(path, args) } } if context.IsSet("poststart") { postStartHooks := context.StringSlice("poststart") for _, hook := range postStartHooks { path, args := parseHook(hook) g.AddPostStartHook(path, args) } } if context.IsSet("root-propagation") { rp := context.String("root-propagation") if err := g.SetLinuxRootPropagation(rp); err != nil { return err } } for _, uidMap := range uidMaps { hid, cid, size, err := parseIDMapping(uidMap) if err != nil { return err } g.AddLinuxUIDMapping(hid, cid, size) } for _, gidMap := range gidMaps { hid, cid, size, err := parseIDMapping(gidMap) if err != nil { return err } g.AddLinuxGIDMapping(hid, cid, size) } if context.IsSet("disable-oom-kill") { g.SetLinuxResourcesDisableOOMKiller(context.Bool("disable-oom-kill")) } if context.IsSet("oom-score-adj") { g.SetLinuxResourcesOOMScoreAdj(context.Int("oom-score-adj")) } if context.IsSet("linux-cpu-shares") { g.SetLinuxResourcesCPUShares(context.Uint64("linux-cpu-shares")) } if context.IsSet("linux-cpu-period") { g.SetLinuxResourcesCPUPeriod(context.Uint64("linux-cpu-period")) } if context.IsSet("linux-cpu-quota") { g.SetLinuxResourcesCPUQuota(context.Uint64("linux-cpu-quota")) } if context.IsSet("linux-realtime-runtime") { g.SetLinuxResourcesCPURealtimeRuntime(context.Uint64("linux-realtime-runtime")) } if context.IsSet("linux-realtime-period") { g.SetLinuxResourcesCPURealtimePeriod(context.Uint64("linux-realtime-period")) } if context.IsSet("linux-cpus") { g.SetLinuxResourcesCPUCpus(context.String("linux-cpus")) } if context.IsSet("linux-mems") { g.SetLinuxResourcesCPUMems(context.String("linux-mems")) } if context.IsSet("linux-mem-limit") { g.SetLinuxResourcesMemoryLimit(context.Uint64("linux-mem-limit")) } if context.IsSet("linux-mem-reservation") { g.SetLinuxResourcesMemoryReservation(context.Uint64("linux-mem-reservation")) } if context.IsSet("linux-mem-swap") { g.SetLinuxResourcesMemorySwap(context.Uint64("linux-mem-swap")) } if context.IsSet("linux-mem-kernel-limit") { g.SetLinuxResourcesMemoryKernel(context.Uint64("linux-mem-kernel-limit")) } if context.IsSet("linux-mem-kernel-tcp") { g.SetLinuxResourcesMemoryKernelTCP(context.Uint64("linux-mem-kernel-tcp")) } if context.IsSet("linux-mem-swappiness") { g.SetLinuxResourcesMemorySwappiness(context.Uint64("linux-mem-swappiness")) } if context.IsSet("linux-pids-limit") { g.SetLinuxResourcesPidsLimit(context.Int64("linux-pids-limit")) } var sd string var sa, ss []string if context.IsSet("seccomp-default") { sd = context.String("seccomp-default") } if context.IsSet("seccomp-arch") { sa = context.StringSlice("seccomp-arch") } if context.IsSet("seccomp-syscalls") { ss = context.StringSlice("seccomp-syscalls") } if sd == "" && len(sa) == 0 && len(ss) == 0 { return nil } // Set the DefaultAction of seccomp if context.IsSet("seccomp-default") { if err := g.SetLinuxSeccompDefault(sd); err != nil { return err } } // Add the additional architectures permitted to be used for system calls if context.IsSet("seccomp-arch") { for _, arch := range sa { if err := g.AddLinuxSeccompArch(arch); err != nil { return err } } } // Set syscall restrict in Seccomp if context.IsSet("seccomp-syscalls") { for _, syscall := range ss { if err := g.AddLinuxSeccompSyscall(syscall); err != nil { return err } } } if context.IsSet("seccomp-allow") { seccompAllows := context.StringSlice("seccomp-allow") for _, s := range seccompAllows { g.AddLinuxSeccompSyscallAllow(s) } } if context.IsSet("seccomp-errno") { seccompErrnos := context.StringSlice("seccomp-errno") for _, s := range seccompErrnos { g.AddLinuxSeccompSyscallErrno(s) } } return nil }
func addSeccomp(context *cli.Context, g *generate.Generator) error { // Set the DefaultAction of seccomp if context.IsSet("seccomp-default") { seccompDefault := context.String("seccomp-default") err := g.SetDefaultSeccompAction(seccompDefault) if err != nil { return err } } else if context.IsSet("seccomp-default-force") { seccompDefaultForced := context.String("seccomp-default-force") err := g.SetDefaultSeccompActionForce(seccompDefaultForced) if err != nil { return err } } // Add the additional architectures permitted to be used for system calls if context.IsSet("seccomp-arch") { seccompArch := context.String("seccomp-arch") architectureArgs := strings.Split(seccompArch, ",") for _, arg := range architectureArgs { err := g.SetSeccompArchitecture(arg) if err != nil { return err } } } if context.IsSet("seccomp-errno") { err := seccompSet(context, "errno", g) if err != nil { return err } } if context.IsSet("seccomp-kill") { err := seccompSet(context, "kill", g) if err != nil { return err } } if context.IsSet("seccomp-trace") { err := seccompSet(context, "trace", g) if err != nil { return err } } if context.IsSet("seccomp-trap") { err := seccompSet(context, "trap", g) if err != nil { return err } } if context.IsSet("seccomp-allow") { err := seccompSet(context, "allow", g) if err != nil { return err } } if context.IsSet("seccomp-remove") { seccompRemove := context.String("seccomp-remove") err := g.RemoveSeccompRule(seccompRemove) if err != nil { return err } } if context.IsSet("seccomp-remove-all") { err := g.RemoveAllSeccompRules() if err != nil { return err } } return nil }
func setupLinuxNamespaces(context *cli.Context, g *generate.Generator, needsNewUser bool) { for _, nsName := range generate.Namespaces { if !context.IsSet(nsName) && !(needsNewUser && nsName == "user") { continue } nsPath := context.String(nsName) if nsPath == "host" { g.RemoveLinuxNamespace(nsName) continue } g.AddOrReplaceLinuxNamespace(nsName, nsPath) } }