runc/libcontainer/setns_init_linux.go

// +build linux

package libcontainer

import (
	"fmt"
	"os"

	"github.com/opencontainers/runc/libcontainer/apparmor"
	"github.com/opencontainers/runc/libcontainer/keys"
	"github.com/opencontainers/runc/libcontainer/label"
	"github.com/opencontainers/runc/libcontainer/seccomp"
	"github.com/opencontainers/runc/libcontainer/system"
)

// linuxSetnsInit performs the container's initialization for running a new process
// inside an existing container.
type linuxSetnsInit struct {
	config *initConfig
}

func (l *linuxSetnsInit) getSessionRingName() string {
	return fmt.Sprintf("_ses.%s", l.config.ContainerId)
}

func (l *linuxSetnsInit) Init() error {
	// do not inherit the parent's session keyring
	if _, err := keyctl.JoinSessionKeyring(l.getSessionRingName()); err != nil {
		return err
	}
	if l.config.NoNewPrivileges {
		if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
			return err
		}
	}
	if l.config.Config.Seccomp != nil {
		if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {
			return err
		}
	}
	if err := finalizeNamespace(l.config); err != nil {
		return err
	}
	if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {
		return err
	}
	if l.config.ProcessLabel != "" {
		if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
			return err
		}
	}
	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
}
Refactor init actions into separate types Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-02-07 04:48:57 +08:00			`// +build linux`

			`package libcontainer`

			`import (`
Create unique session key name for every container Create a unique session key name for every container. Use the pattern _ses.<postfix> with postfix being the container's Id. This patch does not prevent containers from joining each other's session keyring. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> 2016-02-23 04:36:12 +08:00			`"fmt"`
Pass os.Environ() as environment to process from init. Replacement of #418 Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-03-06 06:33:13 +08:00			`"os"`

Update import paths for new repository Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-06-22 10:29:59 +08:00			`"github.com/opencontainers/runc/libcontainer/apparmor"`
Create a new session key for every container Create a new session key ring '_ses' for every container. This avoids sharing the key structure with the process that created the container and the container inherits from. This patch fixes it init and exec. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> 2016-01-21 07:12:25 +08:00			`"github.com/opencontainers/runc/libcontainer/keys"`
Update import paths for new repository Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-06-22 10:29:59 +08:00			`"github.com/opencontainers/runc/libcontainer/label"`
Convert Seccomp support to use Libseccomp This removes the existing, native Go seccomp filter generation and replaces it with Libseccomp. Libseccomp is a C library which provides architecture independent generation of Seccomp filters for the Linux kernel. This adds a dependency on v2.2.1 or above of Libseccomp. Signed-off-by: Matthew Heon <mheon@redhat.com> 2015-06-30 02:12:54 +08:00			`"github.com/opencontainers/runc/libcontainer/seccomp"`
Update import paths for new repository Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-06-22 10:29:59 +08:00			`"github.com/opencontainers/runc/libcontainer/system"`
Refactor init actions into separate types Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-02-07 04:48:57 +08:00			`)`

			`// linuxSetnsInit performs the container's initialization for running a new process`
			`// inside an existing container.`
			`type linuxSetnsInit struct {`
Move Cwd and User to Process Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-02-10 05:11:57 +08:00			`config *initConfig`
Refactor init actions into separate types Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-02-07 04:48:57 +08:00			`}`

Create unique session key name for every container Create a unique session key name for every container. Use the pattern _ses.<postfix> with postfix being the container's Id. This patch does not prevent containers from joining each other's session keyring. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> 2016-02-23 04:36:12 +08:00			`func (l *linuxSetnsInit) getSessionRingName() string {`
			`return fmt.Sprintf("_ses.%s", l.config.ContainerId)`
			`}`

Refactor init actions into separate types Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-02-07 04:48:57 +08:00			`func (l *linuxSetnsInit) Init() error {`
Create a new session key for every container Create a new session key ring '_ses' for every container. This avoids sharing the key structure with the process that created the container and the container inherits from. This patch fixes it init and exec. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> 2016-01-21 07:12:25 +08:00			`// do not inherit the parent's session keyring`
Create unique session key name for every container Create a unique session key name for every container. Use the pattern _ses.<postfix> with postfix being the container's Id. This patch does not prevent containers from joining each other's session keyring. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> 2016-02-23 04:36:12 +08:00			`if _, err := keyctl.JoinSessionKeyring(l.getSessionRingName()); err != nil {`
Create a new session key for every container Create a new session key ring '_ses' for every container. This avoids sharing the key structure with the process that created the container and the container inherits from. This patch fixes it init and exec. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com> 2016-01-21 07:12:25 +08:00			`return err`
			`}`
Add support for process overrides of settings This commit adds support to libcontainer to allow caps, no new privs, apparmor, and selinux process label to the process struct so that it can be used together of override the base settings on the container config per individual process. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-03-04 02:44:33 +08:00			`if l.config.NoNewPrivileges {`
Implement NoNewPrivileges support in libcontainer Signed-off-by: Mrunal Patel <mrunalp@gmail.com> 2016-02-16 19:55:26 +08:00			`if err := system.Prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {`
			`return err`
			`}`
			`}`
Convert Seccomp support to use Libseccomp This removes the existing, native Go seccomp filter generation and replaces it with Libseccomp. Libseccomp is a C library which provides architecture independent generation of Seccomp filters for the Linux kernel. This adds a dependency on v2.2.1 or above of Libseccomp. Signed-off-by: Matthew Heon <mheon@redhat.com> 2015-06-30 02:12:54 +08:00			`if l.config.Config.Seccomp != nil {`
			`if err := seccomp.InitSeccomp(l.config.Config.Seccomp); err != nil {`
			`return err`
			`}`
			`}`
Refactor init actions into separate types Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-02-07 04:48:57 +08:00			`if err := finalizeNamespace(l.config); err != nil {`
			`return err`
			`}`
Add support for process overrides of settings This commit adds support to libcontainer to allow caps, no new privs, apparmor, and selinux process label to the process struct so that it can be used together of override the base settings on the container config per individual process. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-03-04 02:44:33 +08:00			`if err := apparmor.ApplyProfile(l.config.AppArmorProfile); err != nil {`
Refactor init actions into separate types Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-02-07 04:48:57 +08:00			`return err`
			`}`
Add support for process overrides of settings This commit adds support to libcontainer to allow caps, no new privs, apparmor, and selinux process label to the process struct so that it can be used together of override the base settings on the container config per individual process. Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2016-03-04 02:44:33 +08:00			`if l.config.ProcessLabel != "" {`
			`if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {`
Refactor init actions into separate types Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-02-07 04:48:57 +08:00			`return err`
			`}`
			`}`
Pass os.Environ() as environment to process from init. Replacement of #418 Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-03-06 06:33:13 +08:00			`return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())`
Refactor init actions into separate types Signed-off-by: Michael Crosby <crosbymichael@gmail.com> 2015-02-07 04:48:57 +08:00			`}`