gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/pkg/sentry/kernel/seccheck.go (about)

     1  // Copyright 2022 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package kernel
    16  
    17  import (
    18  	"gvisor.dev/gvisor/pkg/sentry/seccheck"
    19  	pb "gvisor.dev/gvisor/pkg/sentry/seccheck/points/points_go_proto"
    20  )
    21  
    22  func getTaskCurrentWorkingDirectory(t *Task) string {
    23  	// Grab the filesystem context first since it needs tasks.mu to be locked.
    24  	// It's safe to unlock and use the values obtained here as long as there's
    25  	// no way to modify root and wd from a separate task.
    26  	t.k.tasks.mu.RLock()
    27  	root := t.FSContext().RootDirectory()
    28  	wd := t.FSContext().WorkingDirectory()
    29  	t.k.tasks.mu.RUnlock()
    30  
    31  	// Perform VFS operations outside of task mutex to avoid circular locking with
    32  	// filesystem mutexes.
    33  	var cwd string
    34  	if root.Ok() {
    35  		defer root.DecRef(t)
    36  		if wd.Ok() {
    37  			defer wd.DecRef(t)
    38  			vfsObj := root.Mount().Filesystem().VirtualFilesystem()
    39  			cwd, _ = vfsObj.PathnameWithDeleted(t, root, wd)
    40  		}
    41  	}
    42  	return cwd
    43  }
    44  
    45  // LoadSeccheckData sets info from the task based on mask.
    46  func LoadSeccheckData(t *Task, mask seccheck.FieldMask, info *pb.ContextData) {
    47  	var cwd string
    48  	if mask.Contains(seccheck.FieldCtxtCwd) {
    49  		cwd = getTaskCurrentWorkingDirectory(t)
    50  	}
    51  	t.k.tasks.mu.RLock()
    52  	defer t.k.tasks.mu.RUnlock()
    53  	LoadSeccheckDataLocked(t, mask, info, cwd)
    54  }
    55  
    56  // LoadSeccheckDataLocked sets info from the task based on mask.
    57  //
    58  // Preconditions: The TaskSet mutex must be locked.
    59  func LoadSeccheckDataLocked(t *Task, mask seccheck.FieldMask, info *pb.ContextData, cwd string) {
    60  	if mask.Contains(seccheck.FieldCtxtTime) {
    61  		info.TimeNs = t.k.RealtimeClock().Now().Nanoseconds()
    62  	}
    63  	if mask.Contains(seccheck.FieldCtxtThreadID) {
    64  		info.ThreadId = int32(t.k.tasks.Root.tids[t])
    65  	}
    66  	if mask.Contains(seccheck.FieldCtxtThreadStartTime) {
    67  		info.ThreadStartTimeNs = t.startTime.Nanoseconds()
    68  	}
    69  	if mask.Contains(seccheck.FieldCtxtThreadGroupID) {
    70  		info.ThreadGroupId = int32(t.k.tasks.Root.tgids[t.tg])
    71  	}
    72  	if mask.Contains(seccheck.FieldCtxtThreadGroupStartTime) {
    73  		info.ThreadGroupStartTimeNs = t.tg.leader.startTime.Nanoseconds()
    74  	}
    75  	if mask.Contains(seccheck.FieldCtxtContainerID) {
    76  		info.ContainerId = t.tg.leader.ContainerID()
    77  	}
    78  	if mask.Contains(seccheck.FieldCtxtCwd) {
    79  		info.Cwd = cwd
    80  	}
    81  	if mask.Contains(seccheck.FieldCtxtProcessName) {
    82  		info.ProcessName = t.Name()
    83  	}
    84  	t.Credentials().LoadSeccheckData(mask, info)
    85  }