Commit Graph

14 Commits

Author SHA1 Message Date
Kir Kolyshkin dbb9fc03ae libct/*: remove linux build tag from some pkgs
Only some libcontainer packages can be built on non-linux platforms
(not that it make sense, but at least go build succeeds). Let's call
these "good" packages.

For all other packages (i.e. ones that fail to build with GOOS other
than linux), it does not make sense to have linux build tag (as they
are broken already, and thus are not and can not be used on anything
other than Linux).

Remove linux build tag for all non-"good" packages.

This was mostly done by the following script, with just a few manual
fixes on top.

function list_good_pkgs() {
	for pkg in $(find . -type d -print); do
		GOOS=freebsd go build $pkg 2>/dev/null \
		&& GOOS=solaris go build $pkg 2>/dev/null \
		&& echo $pkg
	done | sed -e 's|^./||' | tr '\n' '|' | sed -e 's/|$//'
}

function remove_tag() {
	sed -i -e '\|^// +build linux$|d' $1
	go fmt $1
}

SKIP="^("$(list_good_pkgs)")"
for f in $(git ls-files . | grep .go$); do
	if echo $f | grep -qE "$SKIP"; then
		echo skip $f
		continue
	fi
	echo proc $f
	remove_tag $f
done

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-30 20:52:07 -07:00
Aleksa Sarai 09b80811f6 Revert "libct/devices: change devices.Type to be a string"
This reverts commit 814f3ae1d9. This
changed the on-disk state which breaks runc when it has to operate on
containers started with an older runc version. Working around this is
far more complicated than just reverting it.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-08-25 14:11:32 +10:00
Kir Kolyshkin bbcf96f91f libct/cg/devices: stop using regex
Looking into data generated by setting

	GODEBUG="inittrace=1"

I have noticed this line:

init github.com/opencontainers/runc/libcontainer/cgroups/devices @1.2 ms, 0.020 ms clock, 10512 bytes, 133 allocs

This is the leader for both bytes and allocs among the packages from
this repo, and all of it is caused by a single regex:

> var devicesListRegexp = regexp.MustCompile(`^([abc])\s+(\d+|\*):(\d+|\*)\s+([rwm]+)$`)

It seems that the same parsing can be done without relying on
a regular expression, no decrease in readability, and 2x faster
(according to the benchmark added), and also makes runc start
slightly faster and leaner.

Before:
    BenchmarkParseLine-4   	  176240	      6768 ns/op	    6576 B/op	      64 allocs/op

After:
    BenchmarkParseLine-4   	  322441	      3535 ns/op	    5520 B/op	      53 allocs/op

[v2: single split with SplitFunc; fix a typo in error message]
[v3: rebase after 3159 merge; re-ran benchmarks (results are similar)]

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-23 17:04:09 -07:00
Kir Kolyshkin 34df203d13 Merge pull request #3159 from thaJeztah/norunes
libct/devices: change devices.Type to be a string
2021-08-23 16:58:34 -07:00
Kir Kolyshkin 75761bccf7 Fix codespell warnings, add codespell to ci
The two exceptions I had to add to codespellrc are:
 - CLOS (used by intelrtd);
 - creat (syscall name used in tests/integration/testdata/seccomp_*.json).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-08-17 16:12:35 -07:00
Sebastiaan van Stijn 814f3ae1d9 libct/devices: change devices.Type to be a string
Possibly there was a specific reason to use a rune for this, but I noticed
that there's various parts in the code that has to convert values from a
string to this type. Using a string as type for this can simplify some of
that code.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-13 00:55:22 +02:00
Kir Kolyshkin f137aaa2c8 libct/cg/devices: stop using pkg/errors
Use Go native errors wrapping.

Introduce wrapErr helper to minimise the patch size.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2021-06-22 16:09:47 -07:00
Sebastiaan van Stijn 1fb56f9f1f libcontainer/cgroups/devices: if block ends with a return statement
libcontainer/cgroups/devices/devices_emulator.go:261:9: `if` block ends with a `return` statement, so drop this `else` and outdent its block (golint)
    	} else {
    	       ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-02 17:46:32 +02:00
Aleksa Sarai dcc1cf7c1c devices: add emulator.Rules shorthand
The devices cgroup emulator is also useful for removing unneeded rules
as well as computing what the final default-allow state of the filter
will be (allow-list or deny-list).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-05-23 17:55:12 +10:00
Sebastiaan van Stijn 4fc2de77e9 libcontainer/devices: remove "Device" prefix from types
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-12-01 11:11:23 +01:00
Sebastiaan van Stijn 677baf22d2 libcontainer: isolate libcontainer/devices
Move the Device-related types to libcontainer/devices, so that
the package can be used in isolation. Aliases have been created
in libcontainer/configs for backward compatibility.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-12-01 11:11:21 +01:00
Aleksa Sarai dc9a7879f9 cgroups: add copyright header to devices.Emulator implementation
I forgot to include this in the original patchset.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-05-15 11:29:51 +10:00
Aleksa Sarai b810da1490 cgroups: systemd: make use of Device*= properties
It seems we missed that systemd added support for the devices cgroup, as
a result systemd would actually *write an allow-all rule each time you
did 'runc update'* if you used the systemd cgroup driver. This is
obviously ... bad and was a clear security bug. Luckily the commits which
introduced this were never in an actual runc release.

So we simply generate the cgroupv1-style rules (which is what systemd's
DeviceAllow wants) and default to a deny-all ruleset. Unfortunately it
turns out that systemd is susceptible to the same spurrious error
failure that we were, so that problem is out of our hands for systemd
cgroup users.

However, systemd has a similar bug to the one fixed in [1]. It will
happily write a disruptive deny-all rule when it is not necessary.
Unfortunately, we cannot even use devices.Emulator to generate a minimal
set of transition rules because the DBus API is limited (you can only
clear or append to the DeviceAllow= list -- so we are forced to always
clear it). To work around this, we simply freeze the container during
SetUnitProperties.

[1]: afe83489d4 ("cgroupv1: devices: use minimal transition rules with devices.Emulator")

Fixes: 1d4ccc8e0c ("fix data inconsistent when runc update in systemd driven cgroup v1")
Fixes: 7682a2b2a5 ("fix data inconsistent when runc update in systemd driven cgroup v2")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-05-13 17:43:56 +10:00
Aleksa Sarai 2353ffec2b cgroups: implement a devices cgroupv1 emulator
Okay, this requires a bit of explanation.

The reason for this emulation is to allow us to have seamless updates of
the devices cgroup for running containers. This was triggered by several
users having issues where our initial writing of a deny-all rule (in all
cases) results in spurrious errors.

The obvious solution would be to just remove the deny-all rule, right?
Well, it turns out that runc doesn't actually control the deny-all rule
because all users of runc have explicitly specified their own deny-all
rule for many years. This appears to have been done to work around a bug
in runc (which this series has fixed in [1]) where we would actually act
as a black-list despite this being a violation of the OCI spec.

This means that not adding our own deny-all rule in the case of updates
won't solve the issue. However, it will also not solve the issue in
several other cases (the most notable being where a container is being
switched between default-permission modes).

So in order to handle all of these cases, a way of tracking the relevant
internal cgroup state (given a certain state of "cgroups.list" and a set
of rules to apply) is necessary. That is the purpose of DevicesEmulator.
Reading "devices.list" is quite important because that's the only way we
can tell if it's safe to skip the troublesome deny-all rules without
making potentially-dangerous assumptions about the container.

We also are currently bug-compatible with the devices cgroup (namely,
removing rules that don't exist or having superfluous rules all works as
with the in-kernel implementation). The only exception to this is that
we give an error if a user requests to revoke part of a wildcard
exception, because allowing such configurations could result in security
holes (cgroupv1 silently ignores such rules, meaning in white-list mode
that the access is still permitted).

[1]: b2bec9806f ("cgroup: devices: eradicate the Allow/Deny lists")

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2020-05-13 17:42:20 +10:00