seccomp: implement marshal/unmarshall for MinVersion
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn
parent
266bf2b2f5
commit
4539e7f0eb
6 changed files with 145 additions and 45 deletions
|
|
@ -389,7 +389,7 @@ func DefaultProfile() *Seccomp {
|
|||
Names: []string{"ptrace"},
|
||||
Action: specs.ActAllow,
|
||||
Includes: Filter{
|
||||
MinKernel: "4.8",
|
||||
MinKernel: &KernelVersion{4, 8},
|
||||
},
|
||||
},
|
||||
{
|
||||
|
|
|
|||
|
|
@ -8,20 +8,14 @@ import (
|
|||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
// kernelVersion holds information about the kernel.
|
||||
type kernelVersion struct {
|
||||
kernel uint // Version of the kernel (i.e., the "4" in "4.1.2-generic")
|
||||
major uint // Major revision of the kernel (i.e., the "1" in "4.1.2-generic")
|
||||
}
|
||||
|
||||
var (
|
||||
currentKernelVersion *kernelVersion
|
||||
currentKernelVersion *KernelVersion
|
||||
kernelVersionError error
|
||||
once sync.Once
|
||||
)
|
||||
|
||||
// getKernelVersion gets the current kernel version.
|
||||
func getKernelVersion() (*kernelVersion, error) {
|
||||
func getKernelVersion() (*KernelVersion, error) {
|
||||
once.Do(func() {
|
||||
var uts unix.Utsname
|
||||
if err := unix.Uname(&uts); err != nil {
|
||||
|
|
@ -33,13 +27,13 @@ func getKernelVersion() (*kernelVersion, error) {
|
|||
return currentKernelVersion, kernelVersionError
|
||||
}
|
||||
|
||||
// parseRelease parses a string and creates a kernelVersion based on it.
|
||||
func parseRelease(release string) (*kernelVersion, error) {
|
||||
var version = kernelVersion{}
|
||||
// parseRelease parses a string and creates a KernelVersion based on it.
|
||||
func parseRelease(release string) (*KernelVersion, error) {
|
||||
var version = KernelVersion{}
|
||||
|
||||
// We're only make sure we get the "kernel" and "major revision". Sometimes we have
|
||||
// 3.12.25-gentoo, but sometimes we just have 3.12-1-amd64.
|
||||
_, err := fmt.Sscanf(release, "%d.%d", &version.kernel, &version.major)
|
||||
_, err := fmt.Sscanf(release, "%d.%d", &version.Kernel, &version.Major)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to parse kernel version %q: %w", release, err)
|
||||
}
|
||||
|
|
@ -50,19 +44,15 @@ func parseRelease(release string) (*kernelVersion, error) {
|
|||
// equal to the given kernel version v. Only "kernel version" and "major revision"
|
||||
// can be specified (e.g., "3.12") and will be taken into account, which means
|
||||
// that 3.12.25-gentoo and 3.12-1-amd64 are considered equal (kernel: 3, major: 12).
|
||||
func kernelGreaterEqualThan(v string) (bool, error) {
|
||||
minVersion, err := parseRelease(v)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
func kernelGreaterEqualThan(minVersion KernelVersion) (bool, error) {
|
||||
kv, err := getKernelVersion()
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if kv.kernel > minVersion.kernel {
|
||||
if kv.Kernel > minVersion.Kernel {
|
||||
return true, nil
|
||||
}
|
||||
if kv.kernel == minVersion.kernel && kv.major >= minVersion.major {
|
||||
if kv.Kernel == minVersion.Kernel && kv.Major >= minVersion.Major {
|
||||
return true, nil
|
||||
}
|
||||
return false, nil
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ func TestGetKernelVersion(t *testing.T) {
|
|||
if version == nil {
|
||||
t.Fatal("version is nil")
|
||||
}
|
||||
if version.kernel == 0 {
|
||||
if version.Kernel == 0 {
|
||||
t.Fatal("no kernel version")
|
||||
}
|
||||
}
|
||||
|
|
@ -22,18 +22,19 @@ func TestGetKernelVersion(t *testing.T) {
|
|||
func TestParseRelease(t *testing.T) {
|
||||
tests := []struct {
|
||||
in string
|
||||
out kernelVersion
|
||||
out KernelVersion
|
||||
expectedErr error
|
||||
}{
|
||||
{in: "3.8", out: kernelVersion{kernel: 3, major: 8}},
|
||||
{in: "3.8.0", out: kernelVersion{kernel: 3, major: 8}},
|
||||
{in: "3.8.0-19-generic", out: kernelVersion{kernel: 3, major: 8}},
|
||||
{in: "3.4.54.longterm-1", out: kernelVersion{kernel: 3, major: 4}},
|
||||
{in: "3.10.0-862.2.3.el7.x86_64", out: kernelVersion{kernel: 3, major: 10}},
|
||||
{in: "3.12.8tag", out: kernelVersion{kernel: 3, major: 12}},
|
||||
{in: "3.12-1-amd64", out: kernelVersion{kernel: 3, major: 12}},
|
||||
{in: "3.12foobar", out: kernelVersion{kernel: 3, major: 12}},
|
||||
{in: "99.999.999-19-generic", out: kernelVersion{kernel: 99, major: 999}},
|
||||
{in: "3.8", out: KernelVersion{Kernel: 3, Major: 8}},
|
||||
{in: "3.8.0", out: KernelVersion{Kernel: 3, Major: 8}},
|
||||
{in: "3.8.0-19-generic", out: KernelVersion{Kernel: 3, Major: 8}},
|
||||
{in: "3.4.54.longterm-1", out: KernelVersion{Kernel: 3, Major: 4}},
|
||||
{in: "3.10.0-862.2.3.el7.x86_64", out: KernelVersion{Kernel: 3, Major: 10}},
|
||||
{in: "3.12.8tag", out: KernelVersion{Kernel: 3, Major: 12}},
|
||||
{in: "3.12-1-amd64", out: KernelVersion{Kernel: 3, Major: 12}},
|
||||
{in: "3.12foobar", out: KernelVersion{Kernel: 3, Major: 12}},
|
||||
{in: "99.999.999-19-generic", out: KernelVersion{Kernel: 99, Major: 999}},
|
||||
{in: "", expectedErr: fmt.Errorf(`failed to parse kernel version "": EOF`)},
|
||||
{in: "3", expectedErr: fmt.Errorf(`failed to parse kernel version "3": unexpected EOF`)},
|
||||
{in: "3.", expectedErr: fmt.Errorf(`failed to parse kernel version "3.": EOF`)},
|
||||
{in: "3a", expectedErr: fmt.Errorf(`failed to parse kernel version "3a": input does not match format`)},
|
||||
|
|
@ -66,8 +67,8 @@ func TestParseRelease(t *testing.T) {
|
|||
if version == nil {
|
||||
t.Fatal("version is nil")
|
||||
}
|
||||
if version.kernel != tc.out.kernel || version.major != tc.out.major {
|
||||
t.Fatalf("expected: %d.%d, got: %d.%d", tc.out.kernel, tc.out.major, version.kernel, version.major)
|
||||
if version.Kernel != tc.out.Kernel || version.Major != tc.out.Major {
|
||||
t.Fatalf("expected: %d.%d, got: %d.%d", tc.out.Kernel, tc.out.Major, version.Kernel, version.Major)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
|
@ -82,33 +83,33 @@ func TestKernelGreaterEqualThan(t *testing.T) {
|
|||
|
||||
tests := []struct {
|
||||
doc string
|
||||
in string
|
||||
in KernelVersion
|
||||
expected bool
|
||||
}{
|
||||
{
|
||||
doc: "same version",
|
||||
in: fmt.Sprintf("%d.%d", v.kernel, v.major),
|
||||
in: KernelVersion{v.Kernel, v.Major},
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
doc: "kernel minus one",
|
||||
in: fmt.Sprintf("%d.%d", v.kernel-1, v.major),
|
||||
in: KernelVersion{v.Kernel - 1, v.Major},
|
||||
expected: true,
|
||||
},
|
||||
{
|
||||
doc: "kernel plus one",
|
||||
in: fmt.Sprintf("%d.%d", v.kernel+1, v.major),
|
||||
in: KernelVersion{v.Kernel + 1, v.Major},
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
doc: "major plus one",
|
||||
in: fmt.Sprintf("%d.%d", v.kernel, v.major+1),
|
||||
in: KernelVersion{v.Kernel, v.Major + 1},
|
||||
expected: false,
|
||||
},
|
||||
}
|
||||
for _, tc := range tests {
|
||||
tc := tc
|
||||
t.Run(tc.doc+": "+tc.in, func(t *testing.T) {
|
||||
t.Run(tc.doc+": "+tc.in.String(), func(t *testing.T) {
|
||||
ok, err := kernelGreaterEqualThan(tc.in)
|
||||
if err != nil {
|
||||
t.Fatal("unexpected error:", err)
|
||||
|
|
|
|||
|
|
@ -1,6 +1,13 @@
|
|||
package seccomp // import "github.com/docker/docker/profiles/seccomp"
|
||||
|
||||
import "github.com/opencontainers/runtime-spec/specs-go"
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
)
|
||||
|
||||
// Seccomp represents the config for a seccomp profile for syscall restriction.
|
||||
type Seccomp struct {
|
||||
|
|
@ -30,7 +37,7 @@ type Filter struct {
|
|||
// When matching the kernel version of the host, minor revisions, and distro-
|
||||
// specific suffixes are ignored, which means that "3.12.25-gentoo", "3.12-1-amd64",
|
||||
// "3.12", and "3.12-rc5" are considered equal (kernel 3, major revision 12).
|
||||
MinKernel string `json:"minKernel,omitempty"`
|
||||
MinKernel *KernelVersion `json:"minKernel,omitempty"`
|
||||
}
|
||||
|
||||
// Syscall is used to match a group of syscalls in Seccomp
|
||||
|
|
@ -43,3 +50,52 @@ type Syscall struct {
|
|||
Includes Filter `json:"includes"`
|
||||
Excludes Filter `json:"excludes"`
|
||||
}
|
||||
|
||||
// KernelVersion holds information about the kernel.
|
||||
type KernelVersion struct {
|
||||
Kernel uint64 // Version of the Kernel (i.e., the "4" in "4.1.2-generic")
|
||||
Major uint64 // Major revision of the Kernel (i.e., the "1" in "4.1.2-generic")
|
||||
}
|
||||
|
||||
// String implements fmt.Stringer for KernelVersion
|
||||
func (k *KernelVersion) String() string {
|
||||
if k.Kernel > 0 || k.Major > 0 {
|
||||
return fmt.Sprintf("%d.%d", k.Kernel, k.Major)
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// MarshalJSON implements json.Unmarshaler for KernelVersion
|
||||
func (k *KernelVersion) MarshalJSON() ([]byte, error) {
|
||||
return json.Marshal(k.String())
|
||||
}
|
||||
|
||||
// UnmarshalJSON implements json.Marshaler for KernelVersion
|
||||
func (k *KernelVersion) UnmarshalJSON(version []byte) error {
|
||||
var (
|
||||
ver string
|
||||
err error
|
||||
)
|
||||
|
||||
// make sure we have a string
|
||||
if err = json.Unmarshal(version, &ver); err != nil {
|
||||
return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": %v`, string(version), err)
|
||||
}
|
||||
if ver == "" {
|
||||
return nil
|
||||
}
|
||||
parts := strings.SplitN(ver, ".", 3)
|
||||
if len(parts) != 2 {
|
||||
return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>"`, string(version))
|
||||
}
|
||||
if k.Kernel, err = strconv.ParseUint(parts[0], 10, 8); err != nil {
|
||||
return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": %v`, string(version), err)
|
||||
}
|
||||
if k.Major, err = strconv.ParseUint(parts[1], 10, 8); err != nil {
|
||||
return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": %v`, string(version), err)
|
||||
}
|
||||
if k.Kernel == 0 && k.Major == 0 {
|
||||
return fmt.Errorf(`invalid kernel version: %s, expected "<kernel>.<major>": version cannot be 0.0`, string(version))
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -123,8 +123,8 @@ Loop:
|
|||
}
|
||||
}
|
||||
}
|
||||
if call.Excludes.MinKernel != "" {
|
||||
if ok, err := kernelGreaterEqualThan(call.Excludes.MinKernel); err != nil {
|
||||
if call.Excludes.MinKernel != nil {
|
||||
if ok, err := kernelGreaterEqualThan(*call.Excludes.MinKernel); err != nil {
|
||||
return nil, err
|
||||
} else if ok {
|
||||
continue Loop
|
||||
|
|
@ -142,8 +142,8 @@ Loop:
|
|||
}
|
||||
}
|
||||
}
|
||||
if call.Includes.MinKernel != "" {
|
||||
if ok, err := kernelGreaterEqualThan(call.Includes.MinKernel); err != nil {
|
||||
if call.Includes.MinKernel != nil {
|
||||
if ok, err := kernelGreaterEqualThan(*call.Includes.MinKernel); err != nil {
|
||||
return nil, err
|
||||
} else if !ok {
|
||||
continue Loop
|
||||
|
|
|
|||
|
|
@ -5,6 +5,7 @@ package seccomp // import "github.com/docker/docker/profiles/seccomp"
|
|||
import (
|
||||
"encoding/json"
|
||||
"io/ioutil"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
|
|
@ -67,6 +68,58 @@ func TestUnmarshalDefaultProfile(t *testing.T) {
|
|||
assert.DeepEqual(t, expected.Syscalls, profile.Syscalls)
|
||||
}
|
||||
|
||||
func TestMarshalUnmarshalFilter(t *testing.T) {
|
||||
t.Parallel()
|
||||
tests := []struct {
|
||||
in string
|
||||
out string
|
||||
error bool
|
||||
}{
|
||||
{in: `{"arches":["s390x"],"minKernel":3}`, error: true},
|
||||
{in: `{"arches":["s390x"],"minKernel":3.12}`, error: true},
|
||||
{in: `{"arches":["s390x"],"minKernel":true}`, error: true},
|
||||
{in: `{"arches":["s390x"],"minKernel":"0.0"}`, error: true},
|
||||
{in: `{"arches":["s390x"],"minKernel":"3"}`, error: true},
|
||||
{in: `{"arches":["s390x"],"minKernel":".3"}`, error: true},
|
||||
{in: `{"arches":["s390x"],"minKernel":"3."}`, error: true},
|
||||
{in: `{"arches":["s390x"],"minKernel":"true"}`, error: true},
|
||||
{in: `{"arches":["s390x"],"minKernel":"3.12.1\""}`, error: true},
|
||||
{in: `{"arches":["s390x"],"minKernel":"4.15abc"}`, error: true},
|
||||
{in: `{"arches":["s390x"],"minKernel":null}`, out: `{"arches":["s390x"]}`},
|
||||
{in: `{"arches":["s390x"],"minKernel":""}`, out: `{"arches":["s390x"],"minKernel":""}`}, // FIXME: try to fix omitempty for this
|
||||
{in: `{"arches":["s390x"],"minKernel":"0.5"}`, out: `{"arches":["s390x"],"minKernel":"0.5"}`},
|
||||
{in: `{"arches":["s390x"],"minKernel":"0.50"}`, out: `{"arches":["s390x"],"minKernel":"0.50"}`},
|
||||
{in: `{"arches":["s390x"],"minKernel":"5.0"}`, out: `{"arches":["s390x"],"minKernel":"5.0"}`},
|
||||
{in: `{"arches":["s390x"],"minKernel":"50.0"}`, out: `{"arches":["s390x"],"minKernel":"50.0"}`},
|
||||
{in: `{"arches":["s390x"],"minKernel":"4.15"}`, out: `{"arches":["s390x"],"minKernel":"4.15"}`},
|
||||
}
|
||||
for _, tc := range tests {
|
||||
tc := tc
|
||||
t.Run(tc.in, func(t *testing.T) {
|
||||
var filter Filter
|
||||
err := json.Unmarshal([]byte(tc.in), &filter)
|
||||
if tc.error {
|
||||
if err == nil {
|
||||
t.Fatal("expected an error")
|
||||
} else if !strings.Contains(err.Error(), "invalid kernel version") {
|
||||
t.Fatal("unexpected error:", err)
|
||||
}
|
||||
return
|
||||
}
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
out, err := json.Marshal(filter)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if string(out) != tc.out {
|
||||
t.Fatalf("expected %s, got %s", tc.out, string(out))
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestLoadConditional(t *testing.T) {
|
||||
f, err := ioutil.ReadFile("fixtures/conditional_include.json")
|
||||
if err != nil {
|
||||
|
|
|
|||
Loading…
Reference in a new issue