Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

new(libscap): gVisor sandboxes trace session set up with runsc #393

Merged
merged 14 commits into from
Jun 17, 2022
Merged

new(libscap): gVisor sandboxes trace session set up with runsc #393

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
7e1afa5
new(gvisor): add a generic utility function to interact with the runs…
loresuso Jun 7, 2022
1cd3db3
new(gvisor): add functionality to list all running gVisor sandboxes
loresuso Jun 7, 2022
d9c400a
new(gvisor): add ability to create a new trace session for a given ru…
loresuso Jun 7, 2022
1423bb0
new(gvisor): actually create trace sessions for gVisor sandboxes
loresuso Jun 8, 2022
ac276b5
update(gvisor): compile against jsoncpp lib
loresuso Jun 8, 2022
2b0331b
update(gvisor): move constants to scap_gvisor.cpp
loresuso Jun 13, 2022
9300b3a
style(gvisor): remove useless typedef and usage of struct keyword on …
loresuso Jun 13, 2022
69ead01
new(gvisor): add trace session delete command
loresuso Jun 13, 2022
d7b87cc
new(gvisor): handle graceful exiting using trace delete command
loresuso Jun 13, 2022
65951c6
fix(build): fix linking when not using bundled deps
loresuso Jun 14, 2022
197e893
update(gvisor): use vfork instead of fork
loresuso Jun 14, 2022
8960237
update(gvisor): check runsc return value and if it is correctly insta…
loresuso Jun 15, 2022
b1ff8a0
update(gvisor): zero initialize remaining parse_results
loresuso Jun 15, 2022
15882b5
update(gvisor): correctly check wait status
loresuso Jun 17, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion userspace/libscap/engine/gvisor/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
include(protobuf)
include(jsoncpp)

include_directories(${LIBSCAP_INCLUDE_DIRS} ${CMAKE_CURRENT_BINARY_DIR})
include_directories(${LIBSCAP_INCLUDE_DIRS} ${CMAKE_CURRENT_BINARY_DIR} ${JSONCPP_INCLUDE})

add_library(scap_engine_gvisor STATIC
pkg/sentry/seccheck/points/syscall.pb.cc
Expand All @@ -10,6 +11,7 @@ add_library(scap_engine_gvisor STATIC
parsers.cpp
gvisor.cpp
scap_gvisor.cpp
${JSONCPP_LIB_SRC}
)

if(USE_BUNDLED_PROTOBUF)
Expand All @@ -21,6 +23,7 @@ find_package(Threads)
target_link_libraries(scap_engine_gvisor
${CMAKE_THREAD_LIBS_INIT}
${PROTOBUF_LIB}
${JSONCPP_LIB}
FedeDP marked this conversation as resolved.
Show resolved Hide resolved
scap
)

Expand Down
2 changes: 1 addition & 1 deletion userspace/libscap/engine/gvisor/gvisor.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ static SCAP_HANDLE_T *gvisor_alloc_handle(scap_t* main_handle, char *lasterr_ptr
static int32_t gvisor_init(scap_t* main_handle, scap_open_args* open_args)
{
scap_gvisor::engine *gv = main_handle->m_engine.m_handle;
return gv->init(open_args->gvisor_socket);
return gv->init(open_args->gvisor_socket, open_args->gvisor_root_path, open_args->gvisor_trace_session_path);
}

static void gvisor_free_handle(struct scap_engine_handle engine)
Expand Down
16 changes: 14 additions & 2 deletions userspace/libscap/engine/gvisor/gvisor.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,6 @@ struct parse_result {
// pointers to each encoded event within the supplied output buffer
std::vector<scap_evt*> scap_events;
};
typedef struct parse_result parse_result;
Andreagit97 marked this conversation as resolved.
Show resolved Hide resolved

/*!
\brief Translate a gVisor seccheck protobuf into one, or more, scap events
Expand Down Expand Up @@ -89,7 +88,7 @@ class engine {
public:
engine(char *lasterr);
~engine();
int32_t init(std::string socket_path);
int32_t init(std::string socket_path, std::string root_path, std::string trace_session_path);
int32_t close();

int32_t start_capture();
Expand All @@ -104,6 +103,17 @@ class engine {
int32_t process_message_from_fd(int fd);
void free_sandbox_buffers();

struct runsc_result {
int error;
std::vector<std::string> output;
};

runsc_result runsc(char *argv[]);
runsc_result runsc_version();
runsc_result runsc_list();
runsc_result runsc_trace_create(const std::string &sandbox_id, bool force);
runsc_result runsc_trace_delete(const std::string &session_name, const std::string &sandbox_id);

char *m_lasterr;
int m_listenfd = 0;
int m_epollfd = 0;
Expand All @@ -122,6 +132,8 @@ class engine {
// when get_threadinfos() is called. They are only updated upon get_threadinfos()
std::vector<scap_threadinfo> m_threadinfos_threads;
std::unordered_map<uint64_t, std::vector<scap_fdinfo>> m_threadinfos_fds;
std::string m_root_path;
std::string m_trace_session_path;
};

} // namespace scap_gvisor
34 changes: 17 additions & 17 deletions userspace/libscap/engine/gvisor/parsers.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ static void fill_context_data(scap_evt *evt, T& gvisor_evt)

static parse_result parse_container_start(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
{
struct parse_result ret;
parse_result ret = {0};
FedeDP marked this conversation as resolved.
Show resolved Hide resolved
ret.status = SCAP_SUCCESS;
ret.size = 0;
char scap_err[SCAP_LASTERR_SIZE];
Expand Down Expand Up @@ -246,9 +246,9 @@ static parse_result parse_container_start(const char *proto, size_t proto_size,
return ret;
}

static struct parse_result parse_execve(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
static parse_result parse_execve(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
{
struct parse_result ret;
parse_result ret = {0};
ret.status = SCAP_SUCCESS;
ret.size = 0;
char scap_err[SCAP_LASTERR_SIZE];
Expand Down Expand Up @@ -326,9 +326,9 @@ static struct parse_result parse_execve(const char *proto, size_t proto_size, sc
return ret;
}

static struct parse_result parse_clone(const gvisor::syscall::Syscall &gvisor_evt, scap_sized_buffer scap_buf, bool is_fork)
static parse_result parse_clone(const gvisor::syscall::Syscall &gvisor_evt, scap_sized_buffer scap_buf, bool is_fork)
{
struct parse_result ret;
parse_result ret = {0};
ret.status = SCAP_SUCCESS;
ret.size = 0;
char scap_err[SCAP_LASTERR_SIZE];
Expand Down Expand Up @@ -376,9 +376,9 @@ static struct parse_result parse_clone(const gvisor::syscall::Syscall &gvisor_ev
return ret;
}

static struct parse_result parse_sentry_clone(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
static parse_result parse_sentry_clone(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
{
struct parse_result ret;
parse_result ret = {0};
ret.status = SCAP_SUCCESS;
ret.size = 0;
char scap_err[SCAP_LASTERR_SIZE];
Expand Down Expand Up @@ -430,9 +430,9 @@ static struct parse_result parse_sentry_clone(const char *proto, size_t proto_si
return ret;
}

static struct parse_result parse_read(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
static parse_result parse_read(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
{
struct parse_result ret = {0};
parse_result ret = {0};
char scap_err[SCAP_LASTERR_SIZE];
gvisor::syscall::Read gvisor_evt;
if(!gvisor_evt.ParseFromArray(proto, proto_size))
Expand Down Expand Up @@ -469,9 +469,9 @@ static struct parse_result parse_read(const char *proto, size_t proto_size, scap
return ret;
}

static struct parse_result parse_connect(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
static parse_result parse_connect(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
{
struct parse_result ret = {0};
parse_result ret = {0};
char scap_err[SCAP_LASTERR_SIZE];
gvisor::syscall::Connect gvisor_evt;
if(!gvisor_evt.ParseFromArray(proto, proto_size))
Expand Down Expand Up @@ -560,9 +560,9 @@ static struct parse_result parse_connect(const char *proto, size_t proto_size, s
return ret;
}

static struct parse_result parse_socket(const char *proto, size_t proto_size, scap_sized_buffer event_buf)
static parse_result parse_socket(const char *proto, size_t proto_size, scap_sized_buffer event_buf)
{
struct parse_result ret = {0};
parse_result ret = {0};
char scap_err[SCAP_LASTERR_SIZE];
gvisor::syscall::Socket gvisor_evt;
if(!gvisor_evt.ParseFromArray(proto, proto_size))
Expand Down Expand Up @@ -594,7 +594,7 @@ static struct parse_result parse_socket(const char *proto, size_t proto_size, sc
return ret;
}

static struct parse_result parse_generic_syscall(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
static parse_result parse_generic_syscall(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
{
parse_result ret = {0};
gvisor::syscall::Syscall gvisor_evt;
Expand Down Expand Up @@ -622,7 +622,7 @@ static struct parse_result parse_generic_syscall(const char *proto, size_t proto
}


static struct parse_result parse_open(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
static parse_result parse_open(const char *proto, size_t proto_size, scap_sized_buffer scap_buf)
{
parse_result ret = {0};
char scap_err[SCAP_LASTERR_SIZE];
Expand Down Expand Up @@ -679,9 +679,9 @@ std::vector<Callback> dispatchers = {
parse_socket,
};

struct parse_result parse_gvisor_proto(struct scap_const_sized_buffer gvisor_buf, struct scap_sized_buffer scap_buf)
parse_result parse_gvisor_proto(scap_const_sized_buffer gvisor_buf, scap_sized_buffer scap_buf)
{
struct parse_result ret = {0};
parse_result ret = {0};
const char *buf = static_cast<const char*>(gvisor_buf.buf);

const header *hdr = reinterpret_cast<const header *>(buf);
Expand Down
Loading