From b05e0754aab7279393d372d4b5547e6281c33dad Mon Sep 17 00:00:00 2001
From: Nitesh Konkar
Date: Thu, 6 Dec 2018 14:44:25 +0530
Subject: [PATCH] virtcontainers: Conditionally pass seccomp profile

Pass Seccomp profile to the agent only if the configuration.toml allows it to be passed and the agent/image is seccomp capable.

Fixes: #688

Signed-off-by: Nitesh Konkar niteshkonkar@in.ibm.com
---
 Makefile | 5 +++++
 cli/config/configuration.toml.in | 7 +++++++
 cli/kata-env.go | 26 ++++++++++++++------------
 pkg/katautils/config.go | 11 +++++++----
 virtcontainers/kata_agent.go | 22 ++++++++++++++++------
 virtcontainers/kata_agent_test.go | 2 +-
 virtcontainers/pkg/oci/utils.go | 5 +++++
 virtcontainers/sandbox.go | 2 ++
 8 files changed, 57 insertions(+), 23 deletions(-)

diff --git a/Makefile b/Makefile
index 354ab66c66..e4c2931e47 100644
--- a/Makefile
+++ b/Makefile
@@ -141,6 +141,9 @@ DEFMEMSLOTS := 10
 DEFBRIDGES := 1
 #Default network model
 DEFNETWORKMODEL := macvtap
+
+DEFDISABLEGUESTSECCOMP := true
+
 #Default entropy source
 DEFENTROPYSOURCE := /dev/urandom
@@ -223,6 +226,7 @@ USER_VARS += DEFMEMSZ
 USER_VARS += DEFMEMSLOTS
 USER_VARS += DEFBRIDGES
 USER_VARS += DEFNETWORKMODEL
+USER_VARS += DEFDISABLEGUESTSECCOMP
 USER_VARS += DEFDISABLEBLOCK
 USER_VARS += DEFBLOCKSTORAGEDRIVER
 USER_VARS += DEFENABLEIOTHREADS
@@ -392,6 +396,7 @@ $(GENERATED_FILES): %: %.in Makefile VERSION
 -e "s|@DEFMEMSLOTS@|$(DEFMEMSLOTS)|g" \
 -e "s|@DEFBRIDGES@|$(DEFBRIDGES)|g" \
 -e "s|@DEFNETWORKMODEL@|$(DEFNETWORKMODEL)|g" \
+ -e "s|@DEFDISABLEGUESTSECCOMP@|$(DEFDISABLEGUESTSECCOMP)|g" \
 -e "s|@DEFDISABLEBLOCK@|$(DEFDISABLEBLOCK)|g" \
 -e "s|@DEFBLOCKSTORAGEDRIVER@|$(DEFBLOCKSTORAGEDRIVER)|g" \
 -e "s|@DEFENABLEIOTHREADS@|$(DEFENABLEIOTHREADS)|g" \
diff --git a/cli/config/configuration.toml.in b/cli/config/configuration.toml.in
index 89ea3e560e..822198237a 100644
--- a/cli/config/configuration.toml.in
+++ b/cli/config/configuration.toml.in
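Review bot: DEFDISABLEGUESTSECCOMP is the only variable in the first hunk without the `#Default ...` comment line its neighbours (DEFNETWORKMODEL, DEFENTROPYSOURCE) carry, so the meaning of the bare `true` is not visible where the default is set. Add a line such as `#Default: do not pass container seccomp profiles into the guest` above it. The other two Makefile hunks only register the variable and its substitution and need nothing further.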
@@ -259,6 +259,13 @@ path = "@NETMONPATH@"
 # internetworking_model="@DEFNETWORKMODEL@"
+# disable guest seccomp
+# Determines whether container seccomp profiles are passed to the virtual
+# machine and applied by the kata agent. If set to true, seccomp is not applied
+# within the guest
+# (default: true)
+disable_guest_seccomp=@DEFDISABLEGUESTSECCOMP@
+
 # If enabled, the runtime will create opentracing.io traces and spans.
 # (See https://www.jaegertracing.io/docs/getting-started).
 # (default: disabled)
diff --git a/cli/kata-env.go b/cli/kata-env.go
index 8db1b8ae4f..8bf2d05760 100644
--- a/cli/kata-env.go
+++ b/cli/kata-env.go
@@ -63,12 +63,13 @@ type RuntimeConfigInfo struct {
 // RuntimeInfo stores runtime details.
 type RuntimeInfo struct {
- Version RuntimeVersionInfo
- Config RuntimeConfigInfo
- Debug bool
- Trace bool
- DisableNewNetNs bool
- Path string
+ Version RuntimeVersionInfo
+ Config RuntimeConfigInfo
+ Debug bool
+ Trace bool
+ DisableGuestSeccomp bool
+ DisableNewNetNs bool
+ Path string
 }
 // RuntimeVersionInfo stores details of the runtime version
@@ -174,12 +175,13 @@ func getRuntimeInfo(configFile string, config oci.RuntimeConfig) RuntimeInfo {
 runtimePath, _ := os.Executable()
 return RuntimeInfo{
- Debug: config.Debug,
- Trace: config.Trace,
- Version: runtimeVersion,
- Config: runtimeConfig,
- Path: runtimePath,
- DisableNewNetNs: config.DisableNewNetNs,
+ Debug: config.Debug,
+ Trace: config.Trace,
+ Version: runtimeVersion,
+ Config: runtimeConfig,
+ Path: runtimePath,
+ DisableNewNetNs: config.DisableNewNetNs,
+ DisableGuestSeccomp: config.DisableGuestSeccomp,
 }
 }
diff --git a/pkg/katautils/config.go b/pkg/katautils/config.go
index b1703bbe83..4ba70754e6 100644
--- a/pkg/katautils/config.go
+++ b/pkg/katautils/config.go
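Review bot: The new comment block for disable_guest_seccomp describes only the `true` case; with `false` the profile is still dropped unless the guest agent reports seccomp support (see the passSeccomp computation in virtcontainers/kata_agent.go in this same patch), so the option enables in-guest enforcement rather than guaranteeing it. An operator reading this template would reasonably assume `false` means the profile is always applied. Add a line such as `# If set to false, the profile is applied only when the guest agent reports seccomp support.` before the default line.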
@@ -114,10 +114,11 @@ type proxy struct {
 }
 type runtime struct {
- Debug bool `toml:"enable_debug"`
- Tracing bool `toml:"enable_tracing"`
- DisableNewNetNs bool `toml:"disable_new_netns"`
- InterNetworkModel string `toml:"internetworking_model"`
+ Debug bool `toml:"enable_debug"`
+ Tracing bool `toml:"enable_tracing"`
+ DisableNewNetNs bool `toml:"disable_new_netns"`
+ DisableGuestSeccomp bool `toml:"disable_guest_seccomp"`
+ InterNetworkModel string `toml:"internetworking_model"`
 }
 type shim struct {
@@ -651,6 +652,8 @@ func LoadConfiguration(configPath string, ignoreLogging, builtIn bool) (resolved
 return "", config, err
 }
+ config.DisableGuestSeccomp = tomlConf.Runtime.DisableGuestSeccomp
+
 // use no proxy if HypervisorConfig.UseVSock is true
 if config.HypervisorConfig.UseVSock {
 kataUtilsLogger.Info("VSOCK supported, configure to not use proxy")
diff --git a/virtcontainers/kata_agent.go b/virtcontainers/kata_agent.go
index 2cfa365736..112f0e938d 100644
--- a/virtcontainers/kata_agent.go
+++ b/virtcontainers/kata_agent.go
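Review bot: `config.DisableGuestSeccomp = tomlConf.Runtime.DisableGuestSeccomp` in the LoadConfiguration hunk copies the Go zero value, false, whenever the key is absent from the file, so a configuration written before this option existed (or any path that does not decode the template) ends up with seccomp passing enabled, while the shipped template documents the default as true. The two defaults should agree: either initialise the field to true before the TOML decode (where tomlConf is populated is outside this hunk, so I cannot point at the exact line) or state in the template comment that an absent key means false. Either way a short comment on the assignment, e.g. `// absent key decodes as false, i.e. profiles are passed when the agent supports them`, would make the behaviour explicit. LoadConfiguration continues outside the hunk.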
@@ -720,16 +720,17 @@ func (k *kataAgent) replaceOCIMountsForStorages(spec *specs.Spec, volumeStorages
 return nil
 }
-func constraintGRPCSpec(grpcSpec *grpc.Spec, systemdCgroup bool) {
+func constraintGRPCSpec(grpcSpec *grpc.Spec, systemdCgroup bool, passSeccomp bool) {
 // Disable Hooks since they have been handled on the host and there is
 // no reason to send them to the agent. It would make no sense to try
 // to apply them on the guest.
 grpcSpec.Hooks = nil
- // Disable Seccomp since they cannot be handled properly by the agent
- // until we provide a guest image with libseccomp support. More details
- // here: https://github.com/kata-containers/agent/issues/104
- grpcSpec.Linux.Seccomp = nil
+ // Pass seccomp only if disable_guest_seccomp is set to false in
+ // configuration.toml and guest image is seccomp capable.
+ if passSeccomp == false {
+ grpcSpec.Linux.Seccomp = nil
+ }
 // By now only CPU constraints are supported
 // Issue: https://github.com/kata-containers/runtime/issues/158
@@ -986,9 +987,18 @@ func (k *kataAgent) createContainer(sandbox *Sandbox, c *Container) (p *Process,
 return nil, err
 }
+ request := &grpc.GuestDetailsRequest{
+ MemBlockSize: true,
+ }
+
+ // passSeccomp only if disable_guest_seccomp is set to false in configuration.toml and
+ // agent/image is seccomp-capable.
+ guestDetails, err := k.getGuestDetails(request)
+ passSeccomp := !sandbox.config.DisableGuestSeccomp && guestDetails.AgentDetails.SupportsSeccomp
+
 // We need to constraint the spec to make sure we're not passing
 // irrelevant information to the agent.
- constraintGRPCSpec(grpcSpec, sandbox.config.SystemdCgroup)
+ constraintGRPCSpec(grpcSpec, sandbox.config.SystemdCgroup, passSeccomp)
 k.handleShm(grpcSpec, sandbox)
diff --git a/virtcontainers/kata_agent_test.go b/virtcontainers/kata_agent_test.go
index b57b13f610..51d9a52bb0 100644
--- a/virtcontainers/kata_agent_test.go
+++ b/virtcontainers/kata_agent_test.go
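Review bot: `if passSeccomp == false {` compares a bool against a literal; the idiomatic form is `if !passSeccomp {`. The function gained a third parameter but still has no doc comment, and the inline comment refers to configuration.toml, which this package does not read; a comment above the signature such as `// constraintGRPCSpec strips from grpcSpec what the agent must not receive: hooks (already run on the host) and, unless passSeccomp is true, the container's seccomp profile.` would tie the parameter to its effect. Clearing Linux.Seccomp silently discards a profile the container asked for, and since the decision is made by the caller, the caller is the right place to record that it happened. constraintGRPCSpec continues outside the hunk.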
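Review bot: In the createContainer hunk the error returned by `k.getGuestDetails(request)` is never examined, and `guestDetails.AgentDetails.SupportsSeccomp` is read unconditionally on the next line, so a failed request (nil guestDetails) panics the runtime instead of failing the container creation, and an agent that does not populate AgentDetails — if that field is a pointer, as generated gRPC message fields usually are — does the same. Return the error as the surrounding code already does for the earlier call, and treat a missing AgentDetails as "not seccomp-capable" so the outcome is a dropped profile rather than a crash. When the sandbox was configured with DisableGuestSeccomp false but the agent reports no support, it is worth logging that the profile is being dropped, since the operator asked for enforcement and would otherwise see nothing. createContainer continues outside the hunk.
```go
	guestDetails, err := k.getGuestDetails(request)
	if err != nil {
		return nil, err
	}
	// An agent that reports no details is treated as not seccomp-capable.
	passSeccomp := !sandbox.config.DisableGuestSeccomp &&
		guestDetails.AgentDetails != nil &&
		guestDetails.AgentDetails.SupportsSeccomp
	// … unchanged: constraintGRPCSpec call and the rest of createContainer …
```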
@@ -455,7 +455,7 @@ func TestConstraintGRPCSpec(t *testing.T) {
 },
 }
- constraintGRPCSpec(g, true)
+ constraintGRPCSpec(g, true, true)
 // check nil fields
 assert.Nil(g.Hooks)
diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go
index e0f431bb4d..4e0a53a10d 100644
--- a/virtcontainers/pkg/oci/utils.go
+++ b/virtcontainers/pkg/oci/utils.go
@@ -123,6 +123,9 @@ type RuntimeConfig struct {
 Debug bool
 Trace bool
+ //Determines if seccomp should be applied inside guest
+ DisableGuestSeccomp bool
+
 //Determines if create a netns for hypervisor process
 DisableNewNetNs bool
 }
@@ -490,6 +493,8 @@ func SandboxConfig(ocispec CompatOCISpec, runtime RuntimeConfig, bundlePath, cid
 ShmSize: shmSize,
 SystemdCgroup: systemdCgroup,
+
+ DisableGuestSeccomp: runtime.DisableGuestSeccomp,
 }
 addAssetAnnotations(ocispec, &sandboxConfig)
diff --git a/virtcontainers/sandbox.go b/virtcontainers/sandbox.go
index c6cf596992..10d5a6cd70 100644
--- a/virtcontainers/sandbox.go
+++ b/virtcontainers/sandbox.go
@@ -359,6 +359,8 @@ type SandboxConfig struct {
 // SystemdCgroup enables systemd cgroup support
 SystemdCgroup bool
+
+ DisableGuestSeccomp bool
 }
 func (s *Sandbox) trace(name string) (opentracing.Span, context.Context) {
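Review bot: The updated call `constraintGRPCSpec(g, true, true)` exercises only the path where the seccomp profile is kept, so the new branch that clears Linux.Seccomp is not covered at all, and nothing here asserts that the profile survived either. Add a second call on a fresh spec, `constraintGRPCSpec(g2, true, false)` followed by `assert.Nil(g2.Linux.Seccomp)`, and, if the fixture sets a profile (its setup is outside the hunk, so I cannot confirm), `assert.NotNil(g.Linux.Seccomp)` on the existing one. TestConstraintGRPCSpec continues outside the hunk.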
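Review bot: The comment `//Determines if seccomp should be applied inside guest` on RuntimeConfig.DisableGuestSeccomp reads as if true meant "apply", which is the opposite of the field's effect, and the same field added to SandboxConfig in the virtcontainers/sandbox.go hunk has no comment at all although its neighbour SystemdCgroup does. Use the same wording in both places, e.g. `// DisableGuestSeccomp, when true, prevents the container's seccomp profile from being passed to the guest agent.`, with the gofmt-style space after `//`. The SandboxConfig() hunk in this file only copies the value and needs nothing further.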