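// Copyright (c) 2018, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the
// LICENSE.md file distributed with the sources of this project regarding your
// rights to use or distribute this software.

// Package security applies the process-level confinement requested by an OCI
// runtime spec (SELinux exec label, AppArmor profile, seccomp filter) to the
// current process.
package security

import (
	"fmt"
	"strings"

	specs "github.com/opencontainers/runtime-spec/specs-go"
	"github.com/sylabs/singularity/internal/pkg/security/apparmor"
	"github.com/sylabs/singularity/internal/pkg/security/seccomp"
	"github.com/sylabs/singularity/internal/pkg/security/selinux"
	"github.com/sylabs/singularity/internal/pkg/sylog"
)

// Configure applies security related configuration to current process.
//
// In order it: rejects a spec that asks for both an SELinux label and an
// AppArmor profile (they are mutually exclusive here), sets the SELinux exec
// label or loads the AppArmor profile named in config.Process, then installs
// the seccomp filter from config.Linux.Seccomp. Errors from the underlying
// selinux/apparmor/seccomp packages are returned unchanged.
//
// NOTE(security): this function fails open. When a mechanism is requested but
// the corresponding Enabled() check reports false, it only logs a warning and
// keeps going, so the caller proceeds with LESS confinement than the spec
// asked for and still gets a nil error. Callers that require the policy to
// actually be enforced must check selinux/apparmor/seccomp.Enabled()
// themselves before relying on the result.
//
// A nil config, or a spec with neither a Process nor a Linux section, is a
// no-op that returns nil.
func Configure(config *specs.Spec) error {
	if config == nil {
		return nil
	}

	if config.Process != nil {
		if config.Process.SelinuxLabel != "" && config.Process.ApparmorProfile != "" {
			return fmt.Errorf("You can't specify both an apparmor profile and a SELinux label")
		}
		switch {
		case config.Process.SelinuxLabel != "":
			if !selinux.Enabled() {
				sylog.Warningf("selinux is not enabled or supported on this system")
			} else if err := selinux.SetExecLabel(config.Process.SelinuxLabel); err != nil {
				return err
			}
		case config.Process.ApparmorProfile != "":
			if !apparmor.Enabled() {
				sylog.Warningf("apparmor is not enabled or supported on this system")
			} else if err := apparmor.LoadProfile(config.Process.ApparmorProfile); err != nil {
				return err
			}
		}
	}

	if config.Linux != nil && config.Linux.Seccomp != nil {
		if !seccomp.Enabled() {
			sylog.Warningf("seccomp requested but not enabled")
			return nil
		}
		// The previous version dereferenced config.Process unconditionally
		// here and panicked on a spec that carries a seccomp profile but no
		// Process section. Without a Process section there is no
		// NoNewPrivileges request to honour, so treat it as false.
		noNewPrivs := false
		if config.Process != nil {
			noNewPrivs = config.Process.NoNewPrivileges
		}
		if err := seccomp.LoadSeccompConfig(config.Linux.Seccomp, noNewPrivs); err != nil {
			return err
		}
	}

	return nil
}

// GetParam iterates over security argument and returns parameters
// for the security feature.
//
// security holds entries of the form "<feature>:<arg>"; feature is the name
// to look up. The first entry whose text before the first ':' equals feature
// (exact, case-sensitive comparison) wins and the remainder after that ':' is
// returned verbatim, including any further ':' characters; later duplicates
// of the same feature are ignored.
//
// A matching entry that carries no ':' is malformed: a warning is logged and
// "" is returned. An absent feature also yields "", so callers cannot
// distinguish "not requested" from "requested with an empty argument" (e.g.
// "seccomp:"); validate the returned value before using it as a file path or
// profile name.
func GetParam(security []string, feature string) string {
	for _, entry := range security {
		parts := strings.SplitN(entry, ":", 2)
		if parts[0] != feature {
			continue
		}
		if len(parts) != 2 {
			// The previous version fell through to parts[1] here and
			// panicked with an index-out-of-range on a bare "<feature>"
			// entry; report it and treat it as not provided instead.
			sylog.Warningf("bad format for parameter %s (format is <security>:<arg>)", entry)
			return ""
		}
		return parts[1]
	}
	return ""
}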