PR feedback

Signed-off-by: Maksim An <maksiman@microsoft.com>
microsoft · Feb 17, 2022 · a5d40c5 · a5d40c5
1 parent ed606f5
commit a5d40c5
Show file tree

Hide file tree

Showing 13 changed files with 41 additions and 52 deletions.
diff --git a/cmd/hooks/wait-paths/main.go b/cmd/hooks/wait-paths/main.go
@@ -38,8 +38,7 @@ func main() {
  }
  app.Action = run
  if err := app.Run(os.Args); err != nil {
- logrus.Errorf("%s", err)
- os.Exit(1)
+ logrus.Fatalf("%s\n", err)
  }
  os.Exit(0)
 }

diff --git a/internal/devices/drivers.go b/internal/devices/drivers.go
@@ -46,7 +46,7 @@ func InstallKernelDriver(ctx context.Context, vm *uvm.UtilityVM, driver string)
  }
  return closer, execPnPInstallDriver(ctx, vm, uvmPath)
  }
- uvmPathForShare := fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, vm.UVMMountCounter())
+ uvmPathForShare := fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, vm.UVMMountCounter())
  scsiCloser, err := vm.AddSCSI(ctx, driver, uvmPathForShare, true, false, []string{}, uvm.VMAccessTypeIndividual)
  if err != nil {
  return closer, fmt.Errorf("failed to add SCSI disk to utility VM for path %+v: %s", driver, err)

diff --git a/internal/guestpath/paths.go b/internal/guestpath/paths.go
@@ -12,13 +12,13 @@ const (
  SandboxMountPrefix = "sandbox://"
  // HugePagesMountPrefix is mount prefix used in container spec to mark a huge-pages mount
  HugePagesMountPrefix = "hugepages://"
- // LCOWMountPathPrefix is the path format in the LCOW UVM where non global mounts, such
+ // LCOWMountPathPrefixFmt is the path format in the LCOW UVM where non global mounts, such
  // as Plan9 mounts are added
- LCOWMountPathPrefix = "/mounts/m%d"
- // LCOWGlobalMountPrefix is the path format in the LCOW UVM where global mounts are added
- LCOWGlobalMountPrefix = "/run/mounts/m%d"
- // WCOWGlobalMountPrefix is the path prefix format in the WCOW UVM where mounts are added
- WCOWGlobalMountPrefix = "C:\\mounts\\m%d"
+ LCOWMountPathPrefixFmt = "/mounts/m%d"
+ // LCOWGlobalMountPrefixFmt is the path format in the LCOW UVM where global mounts are added
+ LCOWGlobalMountPrefixFmt = "/run/mounts/m%d"
+ // WCOWGlobalMountPrefixFmt is the path prefix format in the WCOW UVM where mounts are added
+ WCOWGlobalMountPrefixFmt = "C:\\mounts\\m%d"
  // RootfsPath is part of the container's rootfs path
  RootfsPath = "rootfs"
 )
diff --git a/internal/hcsoci/resources_lcow.go b/internal/hcsoci/resources_lcow.go
@@ -67,7 +67,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
 
  if coi.HostingSystem != nil {
  hostPath := mount.Source
- uvmPathForShare := path.Join(containerRootInUVM, fmt.Sprintf(guestpath.LCOWMountPathPrefix, i))
+ uvmPathForShare := path.Join(containerRootInUVM, fmt.Sprintf(guestpath.LCOWMountPathPrefixFmt, i))
  uvmPathForFile := uvmPathForShare
 
  readOnly := false
@@ -81,7 +81,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
  l := log.G(ctx).WithField("mount", fmt.Sprintf("%+v", mount))
  if mount.Type == "physical-disk" {
  l.Debug("hcsshim::allocateLinuxResources Hot-adding SCSI physical disk for OCI mount")
- uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
+ uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())
  scsiMount, err := coi.HostingSystem.AddSCSIPhysicalDisk(ctx, hostPath, uvmPathForShare, readOnly, mount.Options)
  if err != nil {
  return errors.Wrapf(err, "adding SCSI physical disk mount %+v", mount)
@@ -92,7 +92,7 @@ func allocateLinuxResources(ctx context.Context, coi *createOptionsInternal, r *
  coi.Spec.Mounts[i].Type = "none"
  } else if mount.Type == "virtual-disk" {
  l.Debug("hcsshim::allocateLinuxResources Hot-adding SCSI virtual disk for OCI mount")
- uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
+ uvmPathForShare = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())
 
  // if the scsi device is already attached then we take the uvm path that the function below returns
  // that is where it was previously mounted in UVM

diff --git a/internal/hcsoci/resources_wcow.go b/internal/hcsoci/resources_wcow.go
@@ -142,7 +142,7 @@ func setupMounts(ctx context.Context, coi *createOptionsInternal, r *resources.R
  }
 
  if coi.HostingSystem != nil && schemaversion.IsV21(coi.actualSchemaVersion) {
- uvmPath := fmt.Sprintf(guestpath.WCOWGlobalMountPrefix, coi.HostingSystem.UVMMountCounter())
+ uvmPath := fmt.Sprintf(guestpath.WCOWGlobalMountPrefixFmt, coi.HostingSystem.UVMMountCounter())
  readOnly := false
  for _, o := range mount.Options {
  if strings.ToLower(o) == "ro" {

diff --git a/internal/layers/layers.go b/internal/layers/layers.go
@@ -291,7 +291,7 @@ func addLCOWLayer(ctx context.Context, vm *uvm.UtilityVM, layerPath string) (uvm
  }
 
  options := []string{"ro"}
- uvmPath = fmt.Sprintf(guestpath.LCOWGlobalMountPrefix, vm.UVMMountCounter())
+ uvmPath = fmt.Sprintf(guestpath.LCOWGlobalMountPrefixFmt, vm.UVMMountCounter())
  sm, err := vm.AddSCSI(ctx, layerPath, uvmPath, true, false, options, uvm.VMAccessTypeNoop)
  if err != nil {
  return "", fmt.Errorf("failed to add SCSI layer: %s", err)

diff --git a/pkg/securitypolicy/securitypolicyenforcer.go b/pkg/securitypolicy/securitypolicyenforcer.go
@@ -6,16 +6,16 @@ import (
  "os"
  "path/filepath"
  "regexp"
- "runtime"
  "strconv"
  "strings"
  "sync"
 
+ "github.com/google/go-cmp/cmp"
+ oci "github.com/opencontainers/runtime-spec/specs-go"
+
  "github.com/Microsoft/hcsshim/internal/guestpath"
  "github.com/Microsoft/hcsshim/internal/hooks"
  "github.com/Microsoft/hcsshim/pkg/annotations"
- "github.com/google/go-cmp/cmp"
- oci "github.com/opencontainers/runtime-spec/specs-go"
 )
 
 type SecurityPolicyEnforcer interface {
@@ -470,15 +470,10 @@ func possibleIndexesForID(containerID string, mapping map[int]map[string]struct{
  return possibles
 }
 
-func getContainerRootInUVM(id string) string {
- switch runtime.GOOS {
- case "windows":
- return filepath.Join(guestpath.WCOWRootPrefixInUVM, id)
- default:
- return filepath.Join(guestpath.LCOWRootPrefixInUVM, id)
- }
-}
-
+// EnforceExpectedMountsPolicy for StandardSecurityPolicyEnforcer injects a
+// hooks.CreateRuntime hook into container spec and the hook ensures that
+// the expected mounts appear prior container start. At the moment enforcement
+// is expected to take place inside LCOW UVM.
 func (pe *StandardSecurityPolicyEnforcer) EnforceExpectedMountsPolicy(containerID string, spec *oci.Spec) error {
  pe.mutex.Lock()
  defer pe.mutex.Unlock()
@@ -517,7 +512,7 @@ func (pe *StandardSecurityPolicyEnforcer) EnforceExpectedMountsPolicy(containerI
  wp := ""
  if strings.HasPrefix(mount, guestpath.SandboxMountPrefix) {
  sandboxPath := strings.TrimPrefix(mount, guestpath.SandboxMountPrefix)
- wp = filepath.Join(getContainerRootInUVM(sandboxID), "sandboxMounts", sandboxPath)
+ wp = filepath.Join(guestpath.LCOWRootPrefixInUVM, "sandboxMounts", sandboxPath)
  } else {
  // Find the corresponding sandbox mount and resolve the path inside UVM.
  for _, m := range spec.Mounts {

diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/devices/drivers.go b/test/vendor/github.com/Microsoft/hcsshim/internal/devices/drivers.go
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/guestpath/paths.go b/test/vendor/github.com/Microsoft/hcsshim/internal/guestpath/paths.go
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_lcow.go b/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_lcow.go
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_wcow.go b/test/vendor/github.com/Microsoft/hcsshim/internal/hcsoci/resources_wcow.go
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/layers/layers.go b/test/vendor/github.com/Microsoft/hcsshim/internal/layers/layers.go
diff --git a/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicyenforcer.go b/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicyenforcer.go