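// Copyright 2022 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package kernel

import (
	"gvisor.dev/gvisor/pkg/sentry/seccheck"
	pb "gvisor.dev/gvisor/pkg/sentry/seccheck/points/points_go_proto"
)

// getTaskCurrentWorkingDirectory returns the pathname of t's working
// directory relative to t's root, or "" when either dentry is unavailable.
//
// The root and working directory are captured while holding the TaskSet
// mutex; the VFS pathname lookup itself runs after the mutex is released,
// because filesystem locks must not be acquired under tasks.mu.
func getTaskCurrentWorkingDirectory(t *Task) string {
	// Grab the filesystem context first since it needs tasks.mu to be locked.
	// It's safe to unlock and use the values obtained here as long as there's
	// no way to modify root and wd from a separate task.
	t.k.tasks.mu.RLock()
	root := t.FSContext().RootDirectory()
	wd := t.FSContext().WorkingDirectory()
	t.k.tasks.mu.RUnlock()

	// Each dentry that was handed out with a reference is released
	// independently, so a valid wd is not leaked when root happens to be
	// unset (or vice versa). Deferred in this order so wd is dropped before
	// root, matching the nesting of the lookups above.
	if root.Ok() {
		defer root.DecRef(t)
	}
	if wd.Ok() {
		defer wd.DecRef(t)
	}
	if !root.Ok() || !wd.Ok() {
		return ""
	}

	// Perform VFS operations outside of task mutex to avoid circular locking
	// with filesystem mutexes.
	vfsObj := root.Mount().Filesystem().VirtualFilesystem()
	// The pathname error is intentionally ignored: an unresolvable cwd is
	// reported as returned rather than aborting the whole seccheck record.
	cwd, _ := vfsObj.PathnameWithDeleted(t, root, wd)
	return cwd
}

// LoadSeccheckData sets info from the task based on mask.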
func LoadSeccheckData(t *Task, mask seccheck.FieldMask, info *pb.ContextData) {
	// The cwd lookup walks the VFS and so has to run before tasks.mu is
	// taken; every other field is filled in under the lock.
	cwd := ""
	if mask.Contains(seccheck.FieldCtxtCwd) {
		cwd = getTaskCurrentWorkingDirectory(t)
	}
	t.k.tasks.mu.RLock()
	defer t.k.tasks.mu.RUnlock()
	LoadSeccheckDataLocked(t, mask, info, cwd)
}

// LoadSeccheckDataLocked fills the fields of info selected by mask from t and
// then hands the credential-derived fields to t's Credentials. Fields whose
// bit is not set in mask are left untouched; cwd is only stored when
// FieldCtxtCwd is requested.
//
// Preconditions: The TaskSet mutex must be locked.
func LoadSeccheckDataLocked(t *Task, mask seccheck.FieldMask, info *pb.ContextData, cwd string) {
	has := mask.Contains
	// IDs are reported from the root PID namespace; reading the thread group
	// leader relies on the caller holding the TaskSet mutex (see precondition).
	rootNS := t.k.tasks.Root
	leader := t.tg.leader

	if has(seccheck.FieldCtxtTime) {
		info.TimeNs = t.k.RealtimeClock().Now().Nanoseconds()
	}
	if has(seccheck.FieldCtxtThreadID) {
		info.ThreadId = int32(rootNS.tids[t])
	}
	if has(seccheck.FieldCtxtThreadStartTime) {
		info.ThreadStartTimeNs = t.startTime.Nanoseconds()
	}
	if has(seccheck.FieldCtxtThreadGroupID) {
		info.ThreadGroupId = int32(rootNS.tgids[t.tg])
	}
	if has(seccheck.FieldCtxtThreadGroupStartTime) {
		info.ThreadGroupStartTimeNs = leader.startTime.Nanoseconds()
	}
	if has(seccheck.FieldCtxtContainerID) {
		info.ContainerId = leader.ContainerID()
	}
	if has(seccheck.FieldCtxtCwd) {
		info.Cwd = cwd
	}
	if has(seccheck.FieldCtxtProcessName) {
		info.ProcessName = t.Name()
	}
	t.Credentials().LoadSeccheckData(mask, info)
}