Skip to content
This repository was archived by the owner on Dec 13, 2018. It is now read-only.

Add seccomp feature #529

Closed
keloyang wants to merge 5 commits into from
Closed

Add seccomp feature #529

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b13d146
Add seccomp feature
Apr 16, 2015
656e4a0
seccomp surport filter args
May 22, 2015
0ad5156
add the generated go file
May 25, 2015
7995bcc
delete seccomp.Sys
May 30, 2015
ed4ddbf
Add maskequal surport
Jun 4, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ direct-test-short:
go test $(TEST_TAGS) -cover -test.short -v $(GO_PACKAGES)

direct-build:
chmod 755 hack/seccomp.sh
hack/seccomp.sh
go build -v $(GO_PACKAGES)

direct-install:
Expand Down
7 changes: 7 additions & 0 deletions configs/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,10 @@ type IDMap struct {
Size int `json:"size"`
}

type SeccompConf struct {
SysCalls []string `json:"syscalls"`
}

// TODO Windows. Many of these fields should be factored out into those parts
// which are common across platforms, and those which are platform specific.

Expand Down Expand Up @@ -104,4 +108,7 @@ type Config struct {
// SystemProperties is a map of properties and their values. It is the equivalent of using
// sysctl -w my.property.name value in Linux.
SystemProperties map[string]string `json:"system_properties"`

// SysCalls specify the system calls to keep when executing the process inside the container
Seccomps SeccompConf `json:"seccomp"`
}
13 changes: 7 additions & 6 deletions configs/namespaces_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,13 @@ package configs
import "fmt"

const (
NEWNET NamespaceType = "NEWNET"
NEWPID NamespaceType = "NEWPID"
NEWNS NamespaceType = "NEWNS"
NEWUTS NamespaceType = "NEWUTS"
NEWIPC NamespaceType = "NEWIPC"
NEWUSER NamespaceType = "NEWUSER"
NEWNET NamespaceType = "NEWNET"
NEWPID NamespaceType = "NEWPID"
NEWNS NamespaceType = "NEWNS"
NEWUTS NamespaceType = "NEWUTS"
NEWIPC NamespaceType = "NEWIPC"
NEWUSER NamespaceType = "NEWUSER"
NEWSECCOMP NamespaceType = "NEWSECCOMP"
)

func NamespaceTypes() []NamespaceType {
Expand Down
17 changes: 11 additions & 6 deletions configs/namespaces_syscall.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,17 +4,22 @@ package configs

import "syscall"

var (
CLONE_SECCOMP = 0x10000 //diffrent from other flag, hard code
Copy link
Copy Markdown
Contributor

@LK4D4 LK4D4 May 22, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's actually CLONE_NEWUSER. Why we need this at all?

Copy link
Copy Markdown
Contributor Author

@keloyang keloyang May 25, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CLONE_NEWUSER = 0x10000000
CLONE_NEWSECCOMP is a pseudo flag, which is diffrent other CLONE_xx flag, and it can not pass to clone.

)

func (n *Namespace) Syscall() int {
return namespaceInfo[n.Type]
}

var namespaceInfo = map[NamespaceType]int{
NEWNET: syscall.CLONE_NEWNET,
NEWNS: syscall.CLONE_NEWNS,
NEWUSER: syscall.CLONE_NEWUSER,
NEWIPC: syscall.CLONE_NEWIPC,
NEWUTS: syscall.CLONE_NEWUTS,
NEWPID: syscall.CLONE_NEWPID,
NEWNET: syscall.CLONE_NEWNET,
NEWNS: syscall.CLONE_NEWNS,
NEWUSER: syscall.CLONE_NEWUSER,
NEWIPC: syscall.CLONE_NEWIPC,
NEWUTS: syscall.CLONE_NEWUTS,
NEWPID: syscall.CLONE_NEWPID,
NEWSECCOMP: CLONE_SECCOMP,
}

// CloneFlags parses the container's Namespaces options to set the correct
Expand Down
7 changes: 7 additions & 0 deletions container_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -169,6 +169,13 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
cmd.SysProcAttr.Credential = &syscall.Credential{}
}
}
if cloneFlags&uintptr(configs.CLONE_SECCOMP) != 0 {
Copy link
Copy Markdown
Contributor

@LK4D4 LK4D4 May 22, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it should be done by client. Silently ignore security issue isn't good idea.

Copy link
Copy Markdown
Contributor Author

@keloyang keloyang May 25, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@crosbymichael @LK4D4

  • Can you disable certain flags passed to syscalls with this implementation. Like preventing the CLONE_NEW* flags to clone()?
    kernel don' surport for CLONE_SECCOMP, it is a pseudo flag which give a way to enable the seccomp feature. I misunderstand ?

//os don't surport for CLONE_SECCOMP, remote it
c.config.Namespaces.Remove(configs.NEWSECCOMP)
cloneFlags = c.config.Namespaces.CloneFlags()
} else {
c.config.Seccomps.SysCalls = []string{}
}
cmd.Env = append(cmd.Env, t)
cmd.SysProcAttr.Cloneflags = cloneFlags
return &initProcess{
Expand Down
58 changes: 58 additions & 0 deletions hack/seccomp.pl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
#!/usr/bin/perl
Copy link
Copy Markdown
Contributor

@LK4D4 LK4D4 May 22, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you want I can help you rewrite this on go and use go generate for generating. So, developers won't be dependent on golang.

Copy link
Copy Markdown
Contributor

@LK4D4 LK4D4 May 22, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, of course you should commit generated code and not rely on generation tool. It is pretty hard to track bugs this way.

Copy link
Copy Markdown
Contributor Author

@keloyang keloyang May 22, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

Copy link
Copy Markdown
Contributor

@LK4D4 LK4D4 May 22, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, I'll prepare PR to your PR.


# ./seccomp.pl < syscall.sample > seccompsyscall.go

use strict;
use warnings;

my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n";

if($pid == 0) {
$pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n";
if($pid == 0) {
exec "cpp" or die "Couldn't exec cpp ($!)\n";
exit 1;
}

print $out "#include <sys/syscall.h>\n";
while(<>) {
if(/^\w/) {
my $name="$_";
chomp($name);

print $out $name;
print $out " = ";
print $out "__NR_$_";
}
}
close $out;
exit 0;
}
print "//";
system("uname -m");
print "package seccomp\r\n\r\n";
print "var syscallMap = map[string] int {\n";
while(<$in>) {
my $line=$_;

if($line =~ /^[\da-z_]/)
{
my @personal=split(/=/);
$personal[0] =~ s/[ ]//;
$personal[1] =~ s/[\r\n]//;
print " \"";
print $personal[0];
print "\"";
print " : ";
if (($personal[1] !~ /[0-9]/) || length($personal[1]) > 4)
{
print "-1,\r\n";
}else{
print $personal[1];
print ",\r\n";
}
}
}

print "}\r\n";

4 changes: 4 additions & 0 deletions hack/seccomp.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
#/bin/bash

chmod 755 hack/seccomp.pl
hack/seccomp.pl < hack/syscall.sample > seccomp/seccompsyscall.go
Loading