github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/moby/plugin/v2/plugin_linux.go

github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/moby/plugin/v2/plugin_linux.go (about)

     1  package v2 // import "github.com/docker/docker/plugin/v2"
     2  
     3  import (
     4  	"os"
     5  	"path/filepath"
     6  	"runtime"
     7  	"strings"
     8  
     9  	"github.com/docker/docker/api/types"
    10  	"github.com/docker/docker/oci"
    11  	"github.com/docker/docker/pkg/system"
    12  	specs "github.com/opencontainers/runtime-spec/specs-go"
    13  	"github.com/pkg/errors"
    14  )
    15  
    16  // InitSpec creates an OCI spec from the plugin's config.
    17  func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
    18  	s := oci.DefaultSpec()
    19  
    20  	s.Root = &specs.Root{
    21  		Path:     p.Rootfs,
    22  		Readonly: false, // TODO: all plugins should be readonly? settable in config?
    23  	}
    24  
    25  	userMounts := make(map[string]struct{}, len(p.PluginObj.Settings.Mounts))
    26  	for _, m := range p.PluginObj.Settings.Mounts {
    27  		userMounts[m.Destination] = struct{}{}
    28  	}
    29  
    30  	execRoot = filepath.Join(execRoot, p.PluginObj.ID)
    31  	if err := os.MkdirAll(execRoot, 0700); err != nil {
    32  		return nil, errors.WithStack(err)
    33  	}
    34  
    35  	if p.PluginObj.Config.PropagatedMount != "" {
    36  		pRoot := filepath.Join(filepath.Dir(p.Rootfs), "propagated-mount")
    37  		s.Mounts = append(s.Mounts, specs.Mount{
    38  			Source:      pRoot,
    39  			Destination: p.PluginObj.Config.PropagatedMount,
    40  			Type:        "bind",
    41  			Options:     []string{"rbind", "rw", "rshared"},
    42  		})
    43  		s.Linux.RootfsPropagation = "rshared"
    44  	}
    45  
    46  	mounts := append(p.PluginObj.Config.Mounts, types.PluginMount{
    47  		Source:      &execRoot,
    48  		Destination: defaultPluginRuntimeDestination,
    49  		Type:        "bind",
    50  		Options:     []string{"rbind", "rshared"},
    51  	})
    52  
    53  	if p.PluginObj.Config.Network.Type != "" {
    54  		// TODO: if net == bridge, use libnetwork controller to create a new plugin-specific bridge, bind mount /data/data/hilled.pwnterm/files/usr/etc/hosts and /data/data/hilled.pwnterm/files/usr/etc/resolv.conf look at the docker code (allocateNetwork, initialize)
    55  		if p.PluginObj.Config.Network.Type == "host" {
    56  			oci.RemoveNamespace(&s, specs.LinuxNamespaceType("network"))
    57  		}
    58  		etcHosts := "/data/data/hilled.pwnterm/files/usr/etc/hosts"
    59  		resolvConf := "/data/data/hilled.pwnterm/files/usr/etc/resolv.conf"
    60  		mounts = append(mounts,
    61  			types.PluginMount{
    62  				Source:      &etcHosts,
    63  				Destination: etcHosts,
    64  				Type:        "bind",
    65  				Options:     []string{"rbind", "ro"},
    66  			},
    67  			types.PluginMount{
    68  				Source:      &resolvConf,
    69  				Destination: resolvConf,
    70  				Type:        "bind",
    71  				Options:     []string{"rbind", "ro"},
    72  			})
    73  	}
    74  	if p.PluginObj.Config.PidHost {
    75  		oci.RemoveNamespace(&s, specs.LinuxNamespaceType("pid"))
    76  	}
    77  
    78  	if p.PluginObj.Config.IpcHost {
    79  		oci.RemoveNamespace(&s, specs.LinuxNamespaceType("ipc"))
    80  	}
    81  
    82  	for _, mnt := range mounts {
    83  		m := specs.Mount{
    84  			Destination: mnt.Destination,
    85  			Type:        mnt.Type,
    86  			Options:     mnt.Options,
    87  		}
    88  		if mnt.Source == nil {
    89  			return nil, errors.New("mount source is not specified")
    90  		}
    91  		m.Source = *mnt.Source
    92  		s.Mounts = append(s.Mounts, m)
    93  	}
    94  
    95  	for i, m := range s.Mounts {
    96  		if strings.HasPrefix(m.Destination, "/dev/") {
    97  			if _, ok := userMounts[m.Destination]; ok {
    98  				s.Mounts = append(s.Mounts[:i], s.Mounts[i+1:]...)
    99  			}
   100  		}
   101  	}
   102  
   103  	if p.PluginObj.Config.Linux.AllowAllDevices {
   104  		s.Linux.Resources.Devices = []specs.LinuxDeviceCgroup{{Allow: true, Access: "rwm"}}
   105  	}
   106  	for _, dev := range p.PluginObj.Settings.Devices {
   107  		path := *dev.Path
   108  		d, dPermissions, err := oci.DevicesFromPath(path, path, "rwm")
   109  		if err != nil {
   110  			return nil, errors.WithStack(err)
   111  		}
   112  		s.Linux.Devices = append(s.Linux.Devices, d...)
   113  		s.Linux.Resources.Devices = append(s.Linux.Resources.Devices, dPermissions...)
   114  	}
   115  
   116  	envs := make([]string, 1, len(p.PluginObj.Settings.Env)+1)
   117  	envs[0] = "PATH=" + system.DefaultPathEnv("linux")
   118  	envs = append(envs, p.PluginObj.Settings.Env...)
   119  
   120  	args := append(p.PluginObj.Config.Entrypoint, p.PluginObj.Settings.Args...)
   121  	cwd := p.PluginObj.Config.WorkDir
   122  	if len(cwd) == 0 {
   123  		cwd = "/"
   124  	}
   125  	s.Process.Terminal = false
   126  	s.Process.Args = args
   127  	s.Process.Cwd = cwd
   128  	s.Process.Env = envs
   129  
   130  	caps := s.Process.Capabilities
   131  	caps.Bounding = append(caps.Bounding, p.PluginObj.Config.Linux.Capabilities...)
   132  	caps.Permitted = append(caps.Permitted, p.PluginObj.Config.Linux.Capabilities...)
   133  	caps.Inheritable = append(caps.Inheritable, p.PluginObj.Config.Linux.Capabilities...)
   134  	caps.Effective = append(caps.Effective, p.PluginObj.Config.Linux.Capabilities...)
   135  
   136  	if p.modifyRuntimeSpec != nil {
   137  		p.modifyRuntimeSpec(&s)
   138  	}
   139  
   140  	return &s, nil
   141  }