github.com/apptainer/singularity@v3.1.1+incompatible/internal/pkg/runtime/engines/imgbuild/engine.go

github.com/apptainer/singularity@v3.1.1+incompatible/internal/pkg/runtime/engines/imgbuild/engine.go (about)

     1  // Copyright (c) 2019, Sylabs Inc. All rights reserved.
     2  // This software is licensed under a 3-clause BSD license. Please consult the
     3  // LICENSE.md file distributed with the sources of this project regarding your
     4  // rights to use or distribute this software.
     5  
     6  package imgbuild
     7  
     8  import (
     9  	"fmt"
    10  	"syscall"
    11  
    12  	specs "github.com/opencontainers/runtime-spec/specs-go"
    13  
    14  	"github.com/sylabs/singularity/internal/pkg/runtime/engines/config"
    15  	"github.com/sylabs/singularity/internal/pkg/runtime/engines/config/starter"
    16  	imgbuildConfig "github.com/sylabs/singularity/internal/pkg/runtime/engines/imgbuild/config"
    17  	"github.com/sylabs/singularity/pkg/util/capabilities"
    18  )
    19  
    20  // EngineOperations implements the engines.EngineOperations interface for
    21  // the image build process
    22  type EngineOperations struct {
    23  	CommonConfig *config.Common               `json:"-"`
    24  	EngineConfig *imgbuildConfig.EngineConfig `json:"engineConfig"`
    25  }
    26  
    27  // InitConfig initializes engines config internals
    28  func (e *EngineOperations) InitConfig(cfg *config.Common) {
    29  	e.CommonConfig = cfg
    30  }
    31  
    32  // Config returns the EngineConfig
    33  func (e *EngineOperations) Config() config.EngineConfig {
    34  	return e.EngineConfig
    35  }
    36  
    37  // PrepareConfig validates/prepares EngineConfig setup
    38  func (e *EngineOperations) PrepareConfig(starterConfig *starter.Config) error {
    39  	e.EngineConfig.OciConfig.SetProcessNoNewPrivileges(true)
    40  	starterConfig.SetNoNewPrivs(e.EngineConfig.OciConfig.Process.NoNewPrivileges)
    41  
    42  	if syscall.Getuid() != 0 {
    43  		return fmt.Errorf("unable to run imgbuild engine as non-root user")
    44  	}
    45  
    46  	if starterConfig.GetIsSUID() {
    47  		return fmt.Errorf("%s don't allow SUID workflow", e.CommonConfig.EngineName)
    48  	}
    49  
    50  	e.EngineConfig.OciConfig.SetupPrivileged(true)
    51  
    52  	e.EngineConfig.OciConfig.AddOrReplaceLinuxNamespace(specs.MountNamespace, "")
    53  
    54  	if e.EngineConfig.OciConfig.Linux != nil {
    55  		starterConfig.SetNsFlagsFromSpec(e.EngineConfig.OciConfig.Linux.Namespaces)
    56  	}
    57  	if e.EngineConfig.OciConfig.Process != nil && e.EngineConfig.OciConfig.Process.Capabilities != nil {
    58  		starterConfig.SetCapabilities(capabilities.Permitted, e.EngineConfig.OciConfig.Process.Capabilities.Permitted)
    59  		starterConfig.SetCapabilities(capabilities.Effective, e.EngineConfig.OciConfig.Process.Capabilities.Effective)
    60  		starterConfig.SetCapabilities(capabilities.Inheritable, e.EngineConfig.OciConfig.Process.Capabilities.Inheritable)
    61  		starterConfig.SetCapabilities(capabilities.Bounding, e.EngineConfig.OciConfig.Process.Capabilities.Bounding)
    62  		starterConfig.SetCapabilities(capabilities.Ambient, e.EngineConfig.OciConfig.Process.Capabilities.Ambient)
    63  	}
    64  
    65  	starterConfig.SetMountPropagation("rslave")
    66  	starterConfig.SetSharedMount(true)
    67  
    68  	return nil
    69  }