Remove restrict package

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2015-02-09 14:42:21 -08:00 · 2015-02-09 14:42:21 -08:00 · 6a04779b41
parent 1c895b409a
commit 6a04779b41
5 changed files with 55 additions and 78 deletions
--- a/linux_rootfs.go
+++ b/linux_rootfs.go
@ -8,6 +8,7 @@ import (
 	"os"
 	"path/filepath"
 	"syscall"
 	"time"
 	"github.com/docker/docker/pkg/symlink"
 	"github.com/docker/libcontainer/configs"
@ -350,14 +351,13 @@ func tmpfsMount(m *configs.Mount, rootfs, mountLabel string) error {
 	return syscall.Mount("tmpfs", dest, "tmpfs", uintptr(defaultMountFlags), l)
 }
 // createIfNotExists creates a file or a directory only if it does not already exist.
 func createIfNotExists(path string, isDir bool) error {
 	if _, err := os.Stat(path); err != nil {
 		if os.IsNotExist(err) {
 			if isDir {
-				if err := os.MkdirAll(path, 0755); err != nil {
+				return os.MkdirAll(path, 0755)
 					return err
 			}
 			} else {
 			if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
 				return err
 			}
@ -368,6 +368,37 @@ func createIfNotExists(path string, isDir bool) error {
 			f.Close()
 		}
 	}
 	return nil
 }
 // remountReadonly will bind over the top of an existing path and ensure that it is read-only.
 func remountReadonly(path string) error {
 	for i := 0; i < 5; i++ {
 		if err := syscall.Mount("", path, "", syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil && !os.IsNotExist(err) {
 			switch err {
 			case syscall.EINVAL:
 				// Probably not a mountpoint, use bind-mount
 				if err := syscall.Mount(path, path, "", syscall.MS_BIND, ""); err != nil {
 					return err
 				}
 				return syscall.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC|defaultMountFlags, "")
 			case syscall.EBUSY:
 				time.Sleep(100 * time.Millisecond)
 				continue
 			default:
 				return err
 			}
 		}
 		return nil
 	}
 	return fmt.Errorf("unable to mount %s as readonly max retries reached", path)
 }
 // maskProckcore bind mounts /dev/null over the top of /proc/kcore inside a container to avoid security
 // issues from processes reading memory information.
 func maskProckcore() error {
 	if err := syscall.Mount("/dev/null", "/proc/kcore", "", syscall.MS_BIND, ""); err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore: %s", err)
 	}
 	return nil
 }
--- a/linux_standard_init.go
+++ b/linux_standard_init.go
@ -8,7 +8,6 @@ import (
 	"github.com/docker/libcontainer/apparmor"
 	"github.com/docker/libcontainer/configs"
 	"github.com/docker/libcontainer/label"
 	"github.com/docker/libcontainer/security/restrict"
 	"github.com/docker/libcontainer/system"
 )
@ -64,7 +63,12 @@ func (l *linuxStandardInit) Init() error {
 		return err
 	}
 	if l.config.Config.RestrictSys {
-		if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil {
+		for _, path := range []string{"proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"} {
 			if err := remountReadonly(path); err != nil {
 				return err
 			}
 		}
 		if err := maskProckcore(); err != nil {
 			return err
 		}
 	}
--- a/linux_userns_init.go
+++ b/linux_userns_init.go
@ -7,7 +7,6 @@ import (
 	"github.com/docker/libcontainer/apparmor"
 	"github.com/docker/libcontainer/label"
 	"github.com/docker/libcontainer/security/restrict"
 	"github.com/docker/libcontainer/system"
 )
@ -53,7 +52,12 @@ func (l *linuxUsernsInit) Init() error {
 		return err
 	}
 	if l.config.Config.RestrictSys {
-		if err := restrict.Restrict("proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"); err != nil {
+		for _, path := range []string{"proc/sys", "proc/sysrq-trigger", "proc/irq", "proc/bus"} {
 			if err := remountReadonly(path); err != nil {
 				return err
 			}
 		}
 		if err := maskProckcore(); err != nil {
 			return err
 		}
 	}
--- a/security/restrict/restrict.go
+++ b/security/restrict/restrict.go
@ -1,53 +0,0 @@
 // +build linux
 package restrict
 import (
 	"fmt"
 	"os"
 	"syscall"
 	"time"
 )
 const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV
 func mountReadonly(path string) error {
 	for i := 0; i < 5; i++ {
 		if err := syscall.Mount("", path, "", syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil && !os.IsNotExist(err) {
 			switch err {
 			case syscall.EINVAL:
 				// Probably not a mountpoint, use bind-mount
 				if err := syscall.Mount(path, path, "", syscall.MS_BIND, ""); err != nil {
 					return err
 				}
 				return syscall.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC|defaultMountFlags, "")
 			case syscall.EBUSY:
 				time.Sleep(100 * time.Millisecond)
 				continue
 			default:
 				return err
 			}
 		}
 		return nil
 	}
 	return fmt.Errorf("unable to mount %s as readonly max retries reached", path)
 }
 // This has to be called while the container still has CAP_SYS_ADMIN (to be able to perform mounts).
 // However, afterwards, CAP_SYS_ADMIN should be dropped (otherwise the user will be able to revert those changes).
 func Restrict(mounts ...string) error {
 	for _, dest := range mounts {
 		if err := mountReadonly(dest); err != nil {
 			return fmt.Errorf("unable to remount %s readonly: %s", dest, err)
 		}
 	}
 	if err := syscall.Mount("/dev/null", "/proc/kcore", "", syscall.MS_BIND, ""); err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore: %s", err)
 	}
 	return nil
 }
--- a/security/restrict/unsupported.go
+++ b/security/restrict/unsupported.go
@ -1,9 +0,0 @@
 // +build !linux
 package restrict
 import "fmt"
 func Restrict() error {
 	return fmt.Errorf("not supported")
 }