Merge pull request #13 from kolyshkin/17.06_backport_update_libseccom…

…p_golang [17.06 backport] update libseccomp golang
docker-archive · Sep 5, 2019 · c2bda4a · c2bda4a
2 parents 728371c + a6b4b0c
commit c2bda4a
Show file tree

Hide file tree

Showing 9 changed files with 309 additions and 155 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,7 +1,8 @@
 language: go
 go:
-  - 1.7.x
-  - 1.8.x
+  - 1.9.x
+  - 1.10.x
+  - 1.11.x
   - tip
 
 matrix:
@@ -18,8 +19,9 @@ env:
     - BUILDTAGS="seccomp apparmor selinux ambient"
 
 before_install:
+  - echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list
   - sudo apt-get -qq update
-  - sudo apt-get install -y libseccomp-dev libapparmor-dev
+  - sudo apt-get install -y libseccomp-dev/trusty-backports
   - env | grep TRAVIS_
 
 script:

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,4 @@
-FROM golang:1.8.0
-
-# libseccomp in jessie is not _quite_ new enough -- need backports version
-RUN echo 'deb http://httpredir.debian.org/debian jessie-backports main' > /etc/apt/sources.list.d/backports.list
+FROM golang:1.10-stretch
 
 RUN apt-get update && apt-get install -y \
     build-essential \
@@ -15,8 +12,10 @@ RUN apt-get update && apt-get install -y \
     libcap-dev \
     libprotobuf-dev \
     libprotobuf-c0-dev \
-    libseccomp2/jessie-backports \
-    libseccomp-dev/jessie-backports \
+    libnl-3-dev \
+    libnet-dev \
+    libseccomp2 \
+    libseccomp-dev \
     protobuf-c-compiler \
     protobuf-compiler \
     python-minimal \
@@ -38,7 +37,7 @@ RUN cd /tmp \
     && rm -rf /tmp/bats
 
 # install criu
-ENV CRIU_VERSION 1.7
+ENV CRIU_VERSION 2.12
 RUN mkdir -p /usr/src/criu \
     && curl -sSL https://github.com/xemul/criu/archive/v${CRIU_VERSION}.tar.gz | tar -v -C /usr/src/criu/ -xz --strip-components=1 \
     && cd /usr/src/criu \

diff --git a/README.md b/README.md
@@ -56,7 +56,7 @@ make BUILDTAGS='seccomp apparmor'
 |-----------|------------------------------------|-------------|
 | seccomp   | Syscall filtering                  | libseccomp  |
 | selinux   | selinux process and mount labeling | <none>      |
-| apparmor  | apparmor profile support           | libapparmor |
+| apparmor  | apparmor profile support           | <none>      |
 | ambient   | ambient capability support         | kernel 4.3  |
 
 

diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go
@@ -2,15 +2,10 @@
 
 package apparmor
 
-// #cgo LDFLAGS: -lapparmor
-// #include <sys/apparmor.h>
-// #include <stdlib.h>
-import "C"
 import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"unsafe"
 )
 
 // IsEnabled returns true if apparmor is enabled for the host.
@@ -24,16 +19,36 @@ func IsEnabled() bool {
 	return false
 }
 
+func setprocattr(attr, value string) error {
+	// Under AppArmor you can only change your own attr, so use /proc/self/
+	// instead of /proc/<tid>/ like libapparmor does
+	path := fmt.Sprintf("/proc/self/attr/%s", attr)
+
+	f, err := os.OpenFile(path, os.O_WRONLY, 0)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	_, err = fmt.Fprintf(f, "%s", value)
+	return err
+}
+
+// changeOnExec reimplements aa_change_onexec from libapparmor in Go
+func changeOnExec(name string) error {
+	value := "exec " + name
+	if err := setprocattr("exec", value); err != nil {
+		return fmt.Errorf("apparmor failed to apply profile: %s", err)
+	}
+	return nil
+}
+
 // ApplyProfile will apply the profile with the specified name to the process after
 // the next exec.
 func ApplyProfile(name string) error {
 	if name == "" {
 		return nil
 	}
-	cName := C.CString(name)
-	defer C.free(unsafe.Pointer(cName))
-	if _, err := C.aa_change_onexec(cName); err != nil {
-		return fmt.Errorf("apparmor failed to apply profile: %s", err)
-	}
-	return nil
+
+	return changeOnExec(name)
 }
diff --git a/libcontainer/integration/seccomp_test.go b/libcontainer/integration/seccomp_test.go
@@ -217,3 +217,107 @@ func TestSeccompDenyWriteConditional(t *testing.T) {
 		t.Fatalf("Expected output %s but got %s\n", expected, actual)
 	}
 }
+
+func TestSeccompPermitWriteMultipleConditions(t *testing.T) {
+	if testing.Short() {
+		return
+	}
+
+	rootfs, err := newRootfs()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer remove(rootfs)
+
+	config := newTemplateConfig(rootfs)
+	config.Seccomp = &configs.Seccomp{
+		DefaultAction: configs.Allow,
+		Syscalls: []*configs.Syscall{
+			{
+				Name:   "write",
+				Action: configs.Errno,
+				Args: []*configs.Arg{
+					{
+						Index: 0,
+						Value: 2,
+						Op:    configs.EqualTo,
+					},
+					{
+						Index: 2,
+						Value: 0,
+						Op:    configs.NotEqualTo,
+					},
+				},
+			},
+		},
+	}
+
+	buffers, exitCode, err := runContainer(config, "", "ls", "/")
+	if err != nil {
+		t.Fatalf("%s: %s", buffers, err)
+	}
+	if exitCode != 0 {
+		t.Fatalf("exit code not 0. code %d buffers %s", exitCode, buffers)
+	}
+	// We don't need to verify the actual thing printed
+	// Just that something was written to stdout
+	if len(buffers.Stdout.String()) == 0 {
+		t.Fatalf("Nothing was written to stdout, write call failed!\n")
+	}
+}
+
+func TestSeccompDenyWriteMultipleConditions(t *testing.T) {
+	if testing.Short() {
+		return
+	}
+
+	// Only test if library version is v2.2.1 or higher
+	// Conditional filtering will always error in v2.2.0 and lower
+	major, minor, micro := libseccomp.GetLibraryVersion()
+	if (major == 2 && minor < 2) || (major == 2 && minor == 2 && micro < 1) {
+		return
+	}
+
+	rootfs, err := newRootfs()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer remove(rootfs)
+
+	config := newTemplateConfig(rootfs)
+	config.Seccomp = &configs.Seccomp{
+		DefaultAction: configs.Allow,
+		Syscalls: []*configs.Syscall{
+			{
+				Name:   "write",
+				Action: configs.Errno,
+				Args: []*configs.Arg{
+					{
+						Index: 0,
+						Value: 2,
+						Op:    configs.EqualTo,
+					},
+					{
+						Index: 2,
+						Value: 0,
+						Op:    configs.NotEqualTo,
+					},
+				},
+			},
+		},
+	}
+
+	buffers, exitCode, err := runContainer(config, "", "ls", "/does_not_exist")
+	if err == nil {
+		t.Fatalf("Expecting error return, instead got 0")
+	}
+	if exitCode == 0 {
+		t.Fatalf("Busybox should fail with negative exit code, instead got %d!", exitCode)
+	}
+
+	expected := ""
+	actual := strings.Trim(buffers.Stderr.String(), "\n")
+	if actual != expected {
+		t.Fatalf("Expected output %s but got %s\n", expected, actual)
+	}
+}
diff --git a/vendor.conf b/vendor.conf
@@ -5,7 +5,7 @@ github.com/opencontainers/runtime-spec a45ba0989fc26c695fe166a49c45bb8b7618ab36
 # Core libcontainer functionality.
 github.com/mrunalp/fileutils ed869b029674c0e9ce4c0dfa781405c2d9946d08
 github.com/opencontainers/selinux v1.0.0-rc1
-github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
+github.com/seccomp/libseccomp-golang 84e90a91acea0f4e51e62bc1a75de18b1fc0790f
 github.com/Sirupsen/logrus 26709e2714106fb8ad40b773b711ebce25b78914
 github.com/syndtr/gocapability e7cb7fa329f456b3855136a2642b197bad7366ba
 github.com/vishvananda/netlink 1e2e08e8a2dcdacaae3f14ac44c5cfa31361f270

diff --git a/vendor/github.com/seccomp/libseccomp-golang/README b/vendor/github.com/seccomp/libseccomp-golang/README