Merge pull request #41515 from thaJeztah/seccomp_unmarshal
seccomp: implement marshal/unmarshall for MinVersion
This commit is contained in:
commit
7cf6dfcb9e
|
@ -389,7 +389,7 @@ func DefaultProfile() *Seccomp {
|
||||||
Names: []string{"ptrace"},
|
Names: []string{"ptrace"},
|
||||||
Action: specs.ActAllow,
|
Action: specs.ActAllow,
|
||||||
Includes: Filter{
|
Includes: Filter{
|
||||||
MinKernel: "4.8",
|
MinKernel: &KernelVersion{4, 8},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|
|
@ -8,20 +8,14 @@ import (
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
)
|
)
|
||||||
|
|
||||||
// kernelVersion holds information about the kernel.
|
|
||||||
type kernelVersion struct {
|
|
||||||
kernel uint // Version of the kernel (i.e., the "4" in "4.1.2-generic")
|
|
||||||
major uint // Major revision of the kernel (i.e., the "1" in "4.1.2-generic")
|
|
||||||
}
|
|
||||||
|
|
||||||
var (
|
var (
|
||||||
currentKernelVersion *kernelVersion
|
currentKernelVersion *KernelVersion
|
||||||
kernelVersionError error
|
kernelVersionError error
|
||||||
once sync.Once
|
once sync.Once
|
||||||
)
|
)
|
||||||
|
|
||||||
// getKernelVersion gets the current kernel version.
|
// getKernelVersion gets the current kernel version.
|
||||||
func getKernelVersion() (*kernelVersion, error) {
|
func getKernelVersion() (*KernelVersion, error) {
|
||||||
once.Do(func() {
|
once.Do(func() {
|
||||||
var uts unix.Utsname
|
var uts unix.Utsname
|
||||||
if err := unix.Uname(&uts); err != nil {
|
if err := unix.Uname(&uts); err != nil {
|
||||||
|
@ -33,13 +27,13 @@ func getKernelVersion() (*kernelVersion, error) {
|
||||||
return currentKernelVersion, kernelVersionError
|
return currentKernelVersion, kernelVersionError
|
||||||
}
|
}
|
||||||
|
|
||||||
// parseRelease parses a string and creates a kernelVersion based on it.
|
// parseRelease parses a string and creates a KernelVersion based on it.
|
||||||
func parseRelease(release string) (*kernelVersion, error) {
|
func parseRelease(release string) (*KernelVersion, error) {
|
||||||
var version = kernelVersion{}
|
var version = KernelVersion{}
|
||||||
|
|
||||||
// We're only make sure we get the "kernel" and "major revision". Sometimes we have
|
// We're only make sure we get the "kernel" and "major revision". Sometimes we have
|
||||||
// 3.12.25-gentoo, but sometimes we just have 3.12-1-amd64.
|
// 3.12.25-gentoo, but sometimes we just have 3.12-1-amd64.
|
||||||
_, err := fmt.Sscanf(release, "%d.%d", &version.kernel, &version.major)
|
_, err := fmt.Sscanf(release, "%d.%d", &version.Kernel, &version.Major)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to parse kernel version %q: %w", release, err)
|
return nil, fmt.Errorf("failed to parse kernel version %q: %w", release, err)
|
||||||
}
|
}
|
||||||
|
@ -50,19 +44,15 @@ func parseRelease(release string) (*kernelVersion, error) {
|
||||||
// equal to the given kernel version v. Only "kernel version" and "major revision"
|
// equal to the given kernel version v. Only "kernel version" and "major revision"
|
||||||
// can be specified (e.g., "3.12") and will be taken into account, which means
|
// can be specified (e.g., "3.12") and will be taken into account, which means
|
||||||
// that 3.12.25-gentoo and 3.12-1-amd64 are considered equal (kernel: 3, major: 12).
|
// that 3.12.25-gentoo and 3.12-1-amd64 are considered equal (kernel: 3, major: 12).
|
||||||
func kernelGreaterEqualThan(v string) (bool, error) {
|
func kernelGreaterEqualThan(minVersion KernelVersion) (bool, error) {
|
||||||
minVersion, err := parseRelease(v)
|
|
||||||
if err != nil {
|
|
||||||
return false, err
|
|
||||||
}
|
|
||||||
kv, err := getKernelVersion()
|
kv, err := getKernelVersion()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false, err
|
return false, err
|
||||||
}
|
}
|
||||||
if kv.kernel > minVersion.kernel {
|
if kv.Kernel > minVersion.Kernel {
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
if kv.kernel == minVersion.kernel && kv.major >= minVersion.major {
|
if kv.Kernel == minVersion.Kernel && kv.Major >= minVersion.Major {
|
||||||
return true, nil
|
return true, nil
|
||||||
}
|
}
|
||||||
return false, nil
|
return false, nil
|
||||||
|
|
|
@ -13,7 +13,7 @@ func TestGetKernelVersion(t *testing.T) {
|
||||||
if version == nil {
|
if version == nil {
|
||||||
t.Fatal("version is nil")
|
t.Fatal("version is nil")
|
||||||
}
|
}
|
||||||
if version.kernel == 0 {
|
if version.Kernel == 0 {
|
||||||
t.Fatal("no kernel version")
|
t.Fatal("no kernel version")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -22,18 +22,19 @@ func TestGetKernelVersion(t *testing.T) {
|
||||||
func TestParseRelease(t *testing.T) {
|
func TestParseRelease(t *testing.T) {
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
in string
|
in string
|
||||||
out kernelVersion
|
out KernelVersion
|
||||||
expectedErr error
|
expectedErr error
|
||||||
}{
|
}{
|
||||||
{in: "3.8", out: kernelVersion{kernel: 3, major: 8}},
|
{in: "3.8", out: KernelVersion{Kernel: 3, Major: 8}},
|
||||||
{in: "3.8.0", out: kernelVersion{kernel: 3, major: 8}},
|
{in: "3.8.0", out: KernelVersion{Kernel: 3, Major: 8}},
|
||||||
{in: "3.8.0-19-generic", out: kernelVersion{kernel: 3, major: 8}},
|
{in: "3.8.0-19-generic", out: KernelVersion{Kernel: 3, Major: 8}},
|
||||||
{in: "3.4.54.longterm-1", out: kernelVersion{kernel: 3, major: 4}},
|
{in: "3.4.54.longterm-1", out: KernelVersion{Kernel: 3, Major: 4}},
|
||||||
{in: "3.10.0-862.2.3.el7.x86_64", out: kernelVersion{kernel: 3, major: 10}},
|
{in: "3.10.0-862.2.3.el7.x86_64", out: KernelVersion{Kernel: 3, Major: 10}},
|
||||||
{in: "3.12.8tag", out: kernelVersion{kernel: 3, major: 12}},
|
{in: "3.12.8tag", out: KernelVersion{Kernel: 3, Major: 12}},
|
||||||
{in: "3.12-1-amd64", out: kernelVersion{kernel: 3, major: 12}},
|
{in: "3.12-1-amd64", out: KernelVersion{Kernel: 3, Major: 12}},
|
||||||
{in: "3.12foobar", out: kernelVersion{kernel: 3, major: 12}},
|
{in: "3.12foobar", out: KernelVersion{Kernel: 3, Major: 12}},
|
||||||
{in: "99.999.999-19-generic", out: kernelVersion{kernel: 99, major: 999}},
|
{in: "99.999.999-19-generic", out: KernelVersion{Kernel: 99, Major: 999}},
|
||||||
|
{in: "", expectedErr: fmt.Errorf(`failed to parse kernel version "": EOF`)},
|
||||||
{in: "3", expectedErr: fmt.Errorf(`failed to parse kernel version "3": unexpected EOF`)},
|
{in: "3", expectedErr: fmt.Errorf(`failed to parse kernel version "3": unexpected EOF`)},
|
||||||
{in: "3.", expectedErr: fmt.Errorf(`failed to parse kernel version "3.": EOF`)},
|
{in: "3.", expectedErr: fmt.Errorf(`failed to parse kernel version "3.": EOF`)},
|
||||||
{in: "3a", expectedErr: fmt.Errorf(`failed to parse kernel version "3a": input does not match format`)},
|
{in: "3a", expectedErr: fmt.Errorf(`failed to parse kernel version "3a": input does not match format`)},
|
||||||
|
@ -66,8 +67,8 @@ func TestParseRelease(t *testing.T) {
|
||||||
if version == nil {
|
if version == nil {
|
||||||
t.Fatal("version is nil")
|
t.Fatal("version is nil")
|
||||||
}
|
}
|
||||||
if version.kernel != tc.out.kernel || version.major != tc.out.major {
|
if version.Kernel != tc.out.Kernel || version.Major != tc.out.Major {
|
||||||
t.Fatalf("expected: %d.%d, got: %d.%d", tc.out.kernel, tc.out.major, version.kernel, version.major)
|
t.Fatalf("expected: %d.%d, got: %d.%d", tc.out.Kernel, tc.out.Major, version.Kernel, version.Major)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
@ -82,33 +83,33 @@ func TestKernelGreaterEqualThan(t *testing.T) {
|
||||||
|
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
doc string
|
doc string
|
||||||
in string
|
in KernelVersion
|
||||||
expected bool
|
expected bool
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
doc: "same version",
|
doc: "same version",
|
||||||
in: fmt.Sprintf("%d.%d", v.kernel, v.major),
|
in: KernelVersion{v.Kernel, v.Major},
|
||||||
expected: true,
|
expected: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
doc: "kernel minus one",
|
doc: "kernel minus one",
|
||||||
in: fmt.Sprintf("%d.%d", v.kernel-1, v.major),
|
in: KernelVersion{v.Kernel - 1, v.Major},
|
||||||
expected: true,
|
expected: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
doc: "kernel plus one",
|
doc: "kernel plus one",
|
||||||
in: fmt.Sprintf("%d.%d", v.kernel+1, v.major),
|
in: KernelVersion{v.Kernel + 1, v.Major},
|
||||||
expected: false,
|
expected: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
doc: "major plus one",
|
doc: "major plus one",
|
||||||
in: fmt.Sprintf("%d.%d", v.kernel, v.major+1),
|
in: KernelVersion{v.Kernel, v.Major + 1},
|
||||||
expected: false,
|
expected: false,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
for _, tc := range tests {
|
for _, tc := range tests {
|
||||||
tc := tc
|
tc := tc
|
||||||
t.Run(tc.doc+": "+tc.in, func(t *testing.T) {
|
t.Run(tc.doc+": "+tc.in.String(), func(t *testing.T) {
|
||||||
ok, err := kernelGreaterEqualThan(tc.in)
|
ok, err := kernelGreaterEqualThan(tc.in)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal("unexpected error:", err)
|
t.Fatal("unexpected error:", err)
|
||||||
|
|
|
@ -1,6 +1,13 @@
|
||||||
package seccomp // import "github.com/docker/docker/profiles/seccomp"
|
package seccomp // import "github.com/docker/docker/profiles/seccomp"
|
||||||
|
|
||||||
import "github.com/opencontainers/runtime-spec/specs-go"
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/opencontainers/runtime-spec/specs-go"
|
||||||
|
)
|
||||||
|
|
||||||
// Seccomp represents the config for a seccomp profile for syscall restriction.
|
// Seccomp represents the config for a seccomp profile for syscall restriction.
|
||||||
type Seccomp struct {
|
type Seccomp struct {
|
||||||
|
@ -30,7 +37,7 @@ type Filter struct {
|
||||||
// When matching the kernel version of the host, minor revisions, and distro-
|
// When matching the kernel version of the host, minor revisions, and distro-
|
||||||
// specific suffixes are ignored, which means that "3.12.25-gentoo", "3.12-1-amd64",
|
// specific suffixes are ignored, which means that "3.12.25-gentoo", "3.12-1-amd64",
|
||||||
// "3.12", and "3.12-rc5" are considered equal (kernel 3, major revision 12).
|
// "3.12", and "3.12-rc5" are considered equal (kernel 3, major revision 12).
|
||||||
MinKernel string `json:"minKernel,omitempty"`
|
MinKernel *KernelVersion `json:"minKernel,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Syscall is used to match a group of syscalls in Seccomp
|
// Syscall is used to match a group of syscalls in Seccomp
|
||||||
|
@ -43,3 +50,52 @@ type Syscall struct {
|
||||||
Includes Filter `json:"includes"`
|
Includes Filter `json:"includes"`
|
||||||
Excludes Filter `json:"excludes"`
|
Excludes Filter `json:"excludes"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// KernelVersion holds information about the kernel.
|
||||||
|
type KernelVersion struct {
|
||||||
|
Kernel uint64 // Version of the Kernel (i.e., the "4" in "4.1.2-generic")
|
||||||
|
Major uint64 // Major revision of the Kernel (i.e., the "1" in "4.1.2-generic")
|
||||||
|
}
|
||||||
|
|
||||||
|
// String implements fmt.Stringer for KernelVersion
|
||||||
|
func (k *KernelVersion) String() string {
|
||||||
|
if k.Kernel > 0 || k.Major > 0 {
|
||||||
|
return fmt.Sprintf("%d.%d", k.Kernel, k.Major)
|
||||||
|
}
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
// MarshalJSON implements json.Unmarshaler for KernelVersion
|
||||||
|
func (k *KernelVersion) MarshalJSON() ([]byte, error) {
|
||||||
|
return json.Marshal(k.String())
|
||||||
|
}
|
||||||
|
|
||||||
|
// UnmarshalJSON implements json.Marshaler for KernelVersion
|
||||||
|
func (k *KernelVersion) UnmarshalJSON(version []byte) error {
|
||||||
|
var (
|
||||||
|
ver string
|
||||||
|
err error
|
||||||
|
)
|
||||||
|
|
||||||
|
// make sure we have a string
|
||||||
|
if err = json.Unmarshal(version, &ver); err != nil {
|
||||||
|
return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": %v`, string(version), err)
|
||||||
|
}
|
||||||
|
if ver == "" {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
parts := strings.SplitN(ver, ".", 3)
|
||||||
|
if len(parts) != 2 {
|
||||||
|
return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>"`, string(version))
|
||||||
|
}
|
||||||
|
if k.Kernel, err = strconv.ParseUint(parts[0], 10, 8); err != nil {
|
||||||
|
return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": %v`, string(version), err)
|
||||||
|
}
|
||||||
|
if k.Major, err = strconv.ParseUint(parts[1], 10, 8); err != nil {
|
||||||
|
return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": %v`, string(version), err)
|
||||||
|
}
|
||||||
|
if k.Kernel == 0 && k.Major == 0 {
|
||||||
|
return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": version cannot be 0.0`, string(version))
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
|
@ -123,8 +123,8 @@ Loop:
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if call.Excludes.MinKernel != "" {
|
if call.Excludes.MinKernel != nil {
|
||||||
if ok, err := kernelGreaterEqualThan(call.Excludes.MinKernel); err != nil {
|
if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
} else if ok {
|
} else if ok {
|
||||||
continue Loop
|
continue Loop
|
||||||
|
@ -142,8 +142,8 @@ Loop:
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if call.Includes.MinKernel != "" {
|
if call.Includes.MinKernel != nil {
|
||||||
if ok, err := kernelGreaterEqualThan(call.Includes.MinKernel); err != nil {
|
if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
} else if !ok {
|
} else if !ok {
|
||||||
continue Loop
|
continue Loop
|
||||||
|
|
|
@ -5,6 +5,7 @@ package seccomp // import "github.com/docker/docker/profiles/seccomp"
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
"strings"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/opencontainers/runtime-spec/specs-go"
|
"github.com/opencontainers/runtime-spec/specs-go"
|
||||||
|
@ -67,6 +68,58 @@ func TestUnmarshalDefaultProfile(t *testing.T) {
|
||||||
assert.DeepEqual(t, expected.Syscalls, profile.Syscalls)
|
assert.DeepEqual(t, expected.Syscalls, profile.Syscalls)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestMarshalUnmarshalFilter(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
tests := []struct {
|
||||||
|
in string
|
||||||
|
out string
|
||||||
|
error bool
|
||||||
|
}{
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":3}`, error: true},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":3.12}`, error: true},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":true}`, error: true},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":"0.0"}`, error: true},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":"3"}`, error: true},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":".3"}`, error: true},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":"3."}`, error: true},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":"true"}`, error: true},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":"3.12.1\""}`, error: true},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":"4.15abc"}`, error: true},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":null}`, out: `{"arches":["s390x"]}`},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":""}`, out: `{"arches":["s390x"],"minKernel":""}`}, // FIXME: try to fix omitempty for this
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":"0.5"}`, out: `{"arches":["s390x"],"minKernel":"0.5"}`},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":"0.50"}`, out: `{"arches":["s390x"],"minKernel":"0.50"}`},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":"5.0"}`, out: `{"arches":["s390x"],"minKernel":"5.0"}`},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":"50.0"}`, out: `{"arches":["s390x"],"minKernel":"50.0"}`},
|
||||||
|
{in: `{"arches":["s390x"],"minKernel":"4.15"}`, out: `{"arches":["s390x"],"minKernel":"4.15"}`},
|
||||||
|
}
|
||||||
|
for _, tc := range tests {
|
||||||
|
tc := tc
|
||||||
|
t.Run(tc.in, func(t *testing.T) {
|
||||||
|
var filter Filter
|
||||||
|
err := json.Unmarshal([]byte(tc.in), &filter)
|
||||||
|
if tc.error {
|
||||||
|
if err == nil {
|
||||||
|
t.Fatal("expected an error")
|
||||||
|
} else if !strings.Contains(err.Error(), "invalid kernel version") {
|
||||||
|
t.Fatal("unexpected error:", err)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
out, err := json.Marshal(filter)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
if string(out) != tc.out {
|
||||||
|
t.Fatalf("expected %s, got %s", tc.out, string(out))
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestLoadConditional(t *testing.T) {
|
func TestLoadConditional(t *testing.T) {
|
||||||
f, err := ioutil.ReadFile("fixtures/conditional_include.json")
|
f, err := ioutil.ReadFile("fixtures/conditional_include.json")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
Loading…
Reference in New Issue