func seccompSet(context *cli.Context, seccompFlag string, g *generate.Generator) error {
flagInput := context.String("seccomp-" + seccompFlag)
flagArgs := strings.Split(flagInput, ",")
setSyscallArgsSlice := []seccomp.SyscallOpts{}
for _, flagArg := range flagArgs {
comparisonArgs := strings.Split(flagArg, ":")
if len(comparisonArgs) == 5 {
setSyscallArgs := seccomp.SyscallOpts{
Action: seccompFlag,
Syscall: comparisonArgs[0],
Index: comparisonArgs[1],
Value: comparisonArgs[2],
ValueTwo: comparisonArgs[3],
Operator: comparisonArgs[4],
}
setSyscallArgsSlice = append(setSyscallArgsSlice, setSyscallArgs)
} else if len(comparisonArgs) == 1 {
setSyscallArgs := seccomp.SyscallOpts{
Action: seccompFlag,
Syscall: comparisonArgs[0],
}
setSyscallArgsSlice = append(setSyscallArgsSlice, setSyscallArgs)
} else {
return fmt.Errorf("invalid syscall argument formatting %v", comparisonArgs)
}
for _, r := range setSyscallArgsSlice {
err := g.SetSyscallAction(r)
if err != nil {
return err
}
}
}
return nil
}
func setupSpec(g *generate.Generator, context *cli.Context) error {
if context.GlobalBool("host-specific") {
g.HostSpecific = true
}
spec := g.Spec()
if len(spec.Version) == 0 {
g.SetVersion(rspec.Version)
}
if context.IsSet("hostname") {
g.SetHostname(context.String("hostname"))
}
g.SetPlatformOS(context.String("os"))
g.SetPlatformArch(context.String("arch"))
if context.IsSet("label") {
annotations := context.StringSlice("label")
for _, s := range annotations {
pair := strings.Split(s, "=")
if len(pair) != 2 {
return fmt.Errorf("incorrectly specified annotation: %s", s)
}
g.AddAnnotation(pair[0], pair[1])
}
}
g.SetRootPath(context.String("rootfs"))
if context.IsSet("read-only") {
g.SetRootReadonly(context.Bool("read-only"))
}
if context.IsSet("uid") {
g.SetProcessUID(uint32(context.Int("uid")))
}
if context.IsSet("gid") {
g.SetProcessGID(uint32(context.Int("gid")))
}
if context.IsSet("selinux-label") {
g.SetProcessSelinuxLabel(context.String("selinux-label"))
}
g.SetProcessCwd(context.String("cwd"))
if context.IsSet("apparmor") {
g.SetProcessApparmorProfile(context.String("apparmor"))
}
if context.IsSet("no-new-privileges") {
g.SetProcessNoNewPrivileges(context.Bool("no-new-privileges"))
}
if context.IsSet("tty") {
g.SetProcessTerminal(context.Bool("tty"))
}
if context.IsSet("args") {
g.SetProcessArgs(context.StringSlice("args"))
}
if context.IsSet("env") {
envs := context.StringSlice("env")
for _, env := range envs {
g.AddProcessEnv(env)
}
}
if context.IsSet("groups") {
groups := context.StringSlice("groups")
for _, group := range groups {
groupID, err := strconv.Atoi(group)
if err != nil {
return err
}
g.AddProcessAdditionalGid(uint32(groupID))
}
}
if context.IsSet("cgroups-path") {
g.SetLinuxCgroupsPath(context.String("cgroups-path"))
}
if context.IsSet("mount-label") {
g.SetLinuxMountLabel(context.String("mount-label"))
}
if context.IsSet("sysctl") {
sysctls := context.StringSlice("sysctl")
for _, s := range sysctls {
pair := strings.Split(s, "=")
if len(pair) != 2 {
return fmt.Errorf("incorrectly specified sysctl: %s", s)
}
g.AddLinuxSysctl(pair[0], pair[1])
}
}
privileged := false
if context.IsSet("privileged") {
privileged = context.Bool("privileged")
}
g.SetupPrivileged(privileged)
if context.IsSet("cap-add") {
addCaps := context.StringSlice("cap-add")
for _, cap := range addCaps {
if err := g.AddProcessCapability(cap); err != nil {
return err
}
}
}
if context.IsSet("cap-drop") {
dropCaps := context.StringSlice("cap-drop")
for _, cap := range dropCaps {
if err := g.DropProcessCapability(cap); err != nil {
return err
}
}
}
needsNewUser := false
var uidMaps, gidMaps []string
if context.IsSet("uidmappings") {
uidMaps = context.StringSlice("uidmappings")
}
if context.IsSet("gidmappings") {
gidMaps = context.StringSlice("gidmappings")
}
if len(uidMaps) > 0 || len(gidMaps) > 0 {
needsNewUser = true
}
setupLinuxNamespaces(context, g, needsNewUser)
if context.IsSet("tmpfs") {
tmpfsSlice := context.StringSlice("tmpfs")
for _, s := range tmpfsSlice {
dest, options, err := parseTmpfsMount(s)
if err != nil {
return err
}
g.AddTmpfsMount(dest, options)
}
}
mountCgroupOption := context.String("mount-cgroups")
if err := g.AddCgroupsMount(mountCgroupOption); err != nil {
return err
}
if context.IsSet("bind") {
binds := context.StringSlice("bind")
for _, bind := range binds {
source, dest, options, err := parseBindMount(bind)
if err != nil {
return err
}
g.AddBindMount(source, dest, options)
}
}
if context.IsSet("prestart") {
preStartHooks := context.StringSlice("prestart")
for _, hook := range preStartHooks {
path, args := parseHook(hook)
g.AddPreStartHook(path, args)
}
}
if context.IsSet("poststop") {
postStopHooks := context.StringSlice("poststop")
for _, hook := range postStopHooks {
path, args := parseHook(hook)
g.AddPostStopHook(path, args)
}
}
if context.IsSet("poststart") {
postStartHooks := context.StringSlice("poststart")
for _, hook := range postStartHooks {
path, args := parseHook(hook)
g.AddPostStartHook(path, args)
}
}
if context.IsSet("root-propagation") {
rp := context.String("root-propagation")
if err := g.SetLinuxRootPropagation(rp); err != nil {
return err
}
}
for _, uidMap := range uidMaps {
hid, cid, size, err := parseIDMapping(uidMap)
if err != nil {
return err
}
g.AddLinuxUIDMapping(hid, cid, size)
}
for _, gidMap := range gidMaps {
hid, cid, size, err := parseIDMapping(gidMap)
if err != nil {
return err
}
g.AddLinuxGIDMapping(hid, cid, size)
}
if context.IsSet("disable-oom-kill") {
g.SetLinuxResourcesDisableOOMKiller(context.Bool("disable-oom-kill"))
}
if context.IsSet("oom-score-adj") {
g.SetLinuxResourcesOOMScoreAdj(context.Int("oom-score-adj"))
}
if context.IsSet("linux-cpu-shares") {
g.SetLinuxResourcesCPUShares(context.Uint64("linux-cpu-shares"))
}
if context.IsSet("linux-cpu-period") {
g.SetLinuxResourcesCPUPeriod(context.Uint64("linux-cpu-period"))
}
if context.IsSet("linux-cpu-quota") {
g.SetLinuxResourcesCPUQuota(context.Uint64("linux-cpu-quota"))
}
if context.IsSet("linux-realtime-runtime") {
g.SetLinuxResourcesCPURealtimeRuntime(context.Uint64("linux-realtime-runtime"))
}
if context.IsSet("linux-realtime-period") {
g.SetLinuxResourcesCPURealtimePeriod(context.Uint64("linux-realtime-period"))
}
if context.IsSet("linux-cpus") {
g.SetLinuxResourcesCPUCpus(context.String("linux-cpus"))
}
if context.IsSet("linux-mems") {
g.SetLinuxResourcesCPUMems(context.String("linux-mems"))
}
if context.IsSet("linux-mem-limit") {
g.SetLinuxResourcesMemoryLimit(context.Uint64("linux-mem-limit"))
}
if context.IsSet("linux-mem-reservation") {
g.SetLinuxResourcesMemoryReservation(context.Uint64("linux-mem-reservation"))
}
if context.IsSet("linux-mem-swap") {
g.SetLinuxResourcesMemorySwap(context.Uint64("linux-mem-swap"))
}
if context.IsSet("linux-mem-kernel-limit") {
g.SetLinuxResourcesMemoryKernel(context.Uint64("linux-mem-kernel-limit"))
}
if context.IsSet("linux-mem-kernel-tcp") {
g.SetLinuxResourcesMemoryKernelTCP(context.Uint64("linux-mem-kernel-tcp"))
}
if context.IsSet("linux-mem-swappiness") {
g.SetLinuxResourcesMemorySwappiness(context.Uint64("linux-mem-swappiness"))
}
if context.IsSet("linux-pids-limit") {
g.SetLinuxResourcesPidsLimit(context.Int64("linux-pids-limit"))
}
var sd string
var sa, ss []string
if context.IsSet("seccomp-default") {
sd = context.String("seccomp-default")
}
if context.IsSet("seccomp-arch") {
sa = context.StringSlice("seccomp-arch")
}
if context.IsSet("seccomp-syscalls") {
ss = context.StringSlice("seccomp-syscalls")
}
if sd == "" && len(sa) == 0 && len(ss) == 0 {
return nil
}
// Set the DefaultAction of seccomp
if context.IsSet("seccomp-default") {
if err := g.SetLinuxSeccompDefault(sd); err != nil {
return err
}
}
// Add the additional architectures permitted to be used for system calls
if context.IsSet("seccomp-arch") {
for _, arch := range sa {
if err := g.AddLinuxSeccompArch(arch); err != nil {
return err
}
}
}
// Set syscall restrict in Seccomp
if context.IsSet("seccomp-syscalls") {
for _, syscall := range ss {
if err := g.AddLinuxSeccompSyscall(syscall); err != nil {
return err
}
}
}
if context.IsSet("seccomp-allow") {
seccompAllows := context.StringSlice("seccomp-allow")
for _, s := range seccompAllows {
g.AddLinuxSeccompSyscallAllow(s)
}
}
if context.IsSet("seccomp-errno") {
seccompErrnos := context.StringSlice("seccomp-errno")
for _, s := range seccompErrnos {
g.AddLinuxSeccompSyscallErrno(s)
}
}
return nil
}
func addSeccomp(context *cli.Context, g *generate.Generator) error {
// Set the DefaultAction of seccomp
if context.IsSet("seccomp-default") {
seccompDefault := context.String("seccomp-default")
err := g.SetDefaultSeccompAction(seccompDefault)
if err != nil {
return err
}
} else if context.IsSet("seccomp-default-force") {
seccompDefaultForced := context.String("seccomp-default-force")
err := g.SetDefaultSeccompActionForce(seccompDefaultForced)
if err != nil {
return err
}
}
// Add the additional architectures permitted to be used for system calls
if context.IsSet("seccomp-arch") {
seccompArch := context.String("seccomp-arch")
architectureArgs := strings.Split(seccompArch, ",")
for _, arg := range architectureArgs {
err := g.SetSeccompArchitecture(arg)
if err != nil {
return err
}
}
}
if context.IsSet("seccomp-errno") {
err := seccompSet(context, "errno", g)
if err != nil {
return err
}
}
if context.IsSet("seccomp-kill") {
err := seccompSet(context, "kill", g)
if err != nil {
return err
}
}
if context.IsSet("seccomp-trace") {
err := seccompSet(context, "trace", g)
if err != nil {
return err
}
}
if context.IsSet("seccomp-trap") {
err := seccompSet(context, "trap", g)
if err != nil {
return err
}
}
if context.IsSet("seccomp-allow") {
err := seccompSet(context, "allow", g)
if err != nil {
return err
}
}
if context.IsSet("seccomp-remove") {
seccompRemove := context.String("seccomp-remove")
err := g.RemoveSeccompRule(seccompRemove)
if err != nil {
return err
}
}
if context.IsSet("seccomp-remove-all") {
err := g.RemoveAllSeccompRules()
if err != nil {
return err
}
}
return nil
}
func setupLinuxNamespaces(context *cli.Context, g *generate.Generator, needsNewUser bool) {
for _, nsName := range generate.Namespaces {
if !context.IsSet(nsName) && !(needsNewUser && nsName == "user") {
continue
}
nsPath := context.String(nsName)
if nsPath == "host" {
g.RemoveLinuxNamespace(nsName)
continue
}
g.AddOrReplaceLinuxNamespace(nsName, nsPath)
}
}