!98 Add errnoRet in Syscall struct to sovle k3s function defect
From: @wang--ge Reviewed-by: @Vanient, @duguhaotian Signed-off-by: @duguhaotian
This commit is contained in:
openeuler-ci-bot
Gitee
commit
202438daf9
182
patch/0134-runc-add-errnoRet-in-Syscall-struct.patch
Normal file
182
patch/0134-runc-add-errnoRet-in-Syscall-struct.patch
Normal file
@ -0,0 +1,182 @@
|
||||
From f3daefee2a044dac912afccb52a724a7fe710caf Mon Sep 17 00:00:00 2001
|
||||
From: wang--ge <wang__ge@126.com>
|
||||
Date: Sat, 19 Nov 2022 15:43:51 +0800
|
||||
Subject: [PATCH] honor seccomp errnoRet
|
||||
|
||||
---
|
||||
libcontainer/configs/config.go | 1 +
|
||||
libcontainer/integration/seccomp_test.go | 72 +++++++++++++++++++
|
||||
libcontainer/seccomp/seccomp_linux.go | 12 +++-
|
||||
libcontainer/specconv/spec_linux.go | 1 +
|
||||
.../runtime-spec/specs-go/config.go | 1 +
|
||||
5 files changed, 84 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
|
||||
index 9074c86..7dd4bde 100644
|
||||
--- a/libcontainer/configs/config.go
|
||||
+++ b/libcontainer/configs/config.go
|
||||
@@ -78,6 +78,7 @@ type Arg struct {
|
||||
type Syscall struct {
|
||||
Name string `json:"name"`
|
||||
Action Action `json:"action"`
|
||||
+ ErrnoRet *uint `json:"errnoRet"`
|
||||
Priority uint8 `json:"priority,omitempty"`
|
||||
Args []*Arg `json:"args"`
|
||||
}
|
||||
diff --git a/libcontainer/integration/seccomp_test.go b/libcontainer/integration/seccomp_test.go
|
||||
index 8e2c7cd..72d0d96 100644
|
||||
--- a/libcontainer/integration/seccomp_test.go
|
||||
+++ b/libcontainer/integration/seccomp_test.go
|
||||
@@ -12,6 +12,78 @@ import (
|
||||
libseccomp "github.com/seccomp/libseccomp-golang"
|
||||
)
|
||||
|
||||
+func TestSeccompDenyGetcwdWithErrno(t *testing.T) {
|
||||
+ if testing.Short() {
|
||||
+ return
|
||||
+ }
|
||||
+
|
||||
+ rootfs, err := newRootfs()
|
||||
+ if err != nil {
|
||||
+ t.Fatal(err)
|
||||
+ }
|
||||
+ defer remove(rootfs)
|
||||
+
|
||||
+ errnoRet := uint(syscall.ESRCH)
|
||||
+
|
||||
+ config := newTemplateConfig(rootfs)
|
||||
+ config.Seccomp = &configs.Seccomp{
|
||||
+ DefaultAction: configs.Allow,
|
||||
+ Syscalls: []*configs.Syscall{
|
||||
+ {
|
||||
+ Name: "getcwd",
|
||||
+ Action: configs.Errno,
|
||||
+ ErrnoRet: &errnoRet,
|
||||
+ },
|
||||
+ },
|
||||
+ }
|
||||
+
|
||||
+ container, err := newContainer(config)
|
||||
+ if err != nil {
|
||||
+ t.Fatal(err)
|
||||
+ }
|
||||
+ defer container.Destroy()
|
||||
+
|
||||
+ buffers := newStdBuffers()
|
||||
+ pwd := &libcontainer.Process{
|
||||
+ Cwd: "/",
|
||||
+ Args: []string{"pwd"},
|
||||
+ Env: standardEnvironment,
|
||||
+ Stdin: buffers.Stdin,
|
||||
+ Stdout: buffers.Stdout,
|
||||
+ Stderr: buffers.Stderr,
|
||||
+ Init: true,
|
||||
+ }
|
||||
+
|
||||
+ err = container.Run(pwd)
|
||||
+ if err != nil {
|
||||
+ t.Fatal(err)
|
||||
+ }
|
||||
+ ps, err := pwd.Wait()
|
||||
+ if err == nil {
|
||||
+ t.Fatal("Expecting error (negative return code); instead exited cleanly!")
|
||||
+ }
|
||||
+
|
||||
+ var exitCode int
|
||||
+ status := ps.Sys().(syscall.WaitStatus)
|
||||
+ if status.Exited() {
|
||||
+ exitCode = status.ExitStatus()
|
||||
+ } else if status.Signaled() {
|
||||
+ exitCode = -int(status.Signal())
|
||||
+ } else {
|
||||
+ t.Fatalf("Unrecognized exit reason!")
|
||||
+ }
|
||||
+
|
||||
+ if exitCode == 0 {
|
||||
+ t.Fatalf("Getcwd should fail with negative exit code, instead got %d!", exitCode)
|
||||
+ }
|
||||
+
|
||||
+ expected := "pwd: getcwd: No such process"
|
||||
+ actual := strings.Trim(buffers.Stderr.String(), "\n")
|
||||
+ if actual != expected {
|
||||
+ t.Fatalf("Expected output %s but got %s\n", expected, actual)
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
func TestSeccompDenyGetcwd(t *testing.T) {
|
||||
if testing.Short() {
|
||||
return
|
||||
diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
|
||||
index 0c97da6..26cec43 100644
|
||||
--- a/libcontainer/seccomp/seccomp_linux.go
|
||||
+++ b/libcontainer/seccomp/seccomp_linux.go
|
||||
@@ -36,7 +36,7 @@ func InitSeccomp(config *configs.Seccomp) error {
|
||||
return fmt.Errorf("cannot initialize Seccomp - nil config passed")
|
||||
}
|
||||
|
||||
- defaultAction, err := getAction(config.DefaultAction)
|
||||
+ defaultAction, err := getAction(config.DefaultAction, nil)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error initializing seccomp - invalid default action")
|
||||
}
|
||||
@@ -100,17 +100,23 @@ func IsEnabled() bool {
|
||||
}
|
||||
|
||||
// Convert Libcontainer Action to Libseccomp ScmpAction
|
||||
-func getAction(act configs.Action) (libseccomp.ScmpAction, error) {
|
||||
+func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error) {
|
||||
switch act {
|
||||
case configs.Kill:
|
||||
return actKill, nil
|
||||
case configs.Errno:
|
||||
+ if errnoRet != nil {
|
||||
+ return libseccomp.ActErrno.SetReturnCode(int16(*errnoRet)), nil
|
||||
+ }
|
||||
return actErrno, nil
|
||||
case configs.Trap:
|
||||
return actTrap, nil
|
||||
case configs.Allow:
|
||||
return actAllow, nil
|
||||
case configs.Trace:
|
||||
+ if errnoRet != nil {
|
||||
+ return libseccomp.ActTrace.SetReturnCode(int16(*errnoRet)), nil
|
||||
+ }
|
||||
return actTrace, nil
|
||||
default:
|
||||
return libseccomp.ActInvalid, fmt.Errorf("invalid action, cannot use in rule")
|
||||
@@ -173,7 +179,7 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
|
||||
}
|
||||
|
||||
// Convert the call's action to the libseccomp equivalent
|
||||
- callAct, err := getAction(call.Action)
|
||||
+ callAct, err := getAction(call.Action, call.ErrnoRet)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
|
||||
index 0cbc66f..8177739 100644
|
||||
--- a/libcontainer/specconv/spec_linux.go
|
||||
+++ b/libcontainer/specconv/spec_linux.go
|
||||
@@ -758,6 +758,7 @@ func setupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
|
||||
newCall := configs.Syscall{
|
||||
Name: name,
|
||||
Action: newAction,
|
||||
+ ErrnoRet: call.ErrnoRet,
|
||||
Priority: call.Priority,
|
||||
Args: []*configs.Arg{},
|
||||
}
|
||||
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
|
||||
index 8439744..ec8096a 100644
|
||||
--- a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
|
||||
+++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
|
||||
@@ -556,6 +556,7 @@ type LinuxSeccompArg struct {
|
||||
type LinuxSyscall struct {
|
||||
Names []string `json:"names"`
|
||||
Action LinuxSeccompAction `json:"action"`
|
||||
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
|
||||
Priority uint8 `json:"priority,omitempty"`
|
||||
Args []LinuxSeccompArg `json:"args"`
|
||||
Comment string `json:"comment"`
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
|
||||
Name: docker-runc
|
||||
Version: 1.0.0.rc3
|
||||
Release: 305
|
||||
Release: 306
|
||||
Summary: runc is a CLI tool for spawning and running containers according to the OCI specification.
|
||||
|
||||
License: ASL 2.0
|
||||
@ -53,6 +53,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc
|
||||
%{_bindir}/runc
|
||||
|
||||
%changelog
|
||||
* Mon Nov 21 2022 Ge Wang <wangge20@h-partners.com> - 1.0.0.rc3-306
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC:add errnoRet in Syscall struct
|
||||
|
||||
* Wed Sep 28 2022 zhongjiawei<zhongjiawei1@huawei.com> - 1.0.0.rc3-305
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
|
||||
@ -132,4 +132,5 @@ patch/0128-runc-fix-CVE-2022-29162.patch
|
||||
patch/0131-runc-change-Umask-to-0022.patch
|
||||
patch/0132-runc-fix-systemd-cgroup-after-memory-type-changed.patch
|
||||
patch/0133-runc-add-CGO-sercuity-build-options.patch
|
||||
patch/0134-runc-add-errnoRet-in-Syscall-struct.patch
|
||||
#end
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user