// Copyright 2018 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package filter installs seccomp filters that restrict the Sentry to the
// syscalls it needs, so that a compromised Sentry cannot issue prohibited
// syscalls.
package filter

import (
	"fmt"

	"gvisor.dev/gvisor/pkg/abi/linux"
	"gvisor.dev/gvisor/pkg/log"
	"gvisor.dev/gvisor/pkg/seccomp"
	"gvisor.dev/gvisor/runsc/boot/filter/config"
)

// *** DEBUG TIP ***
// If you suspect the Sentry is getting killed due to a seccomp violation,
// change this to `true` to get a panic stack trace when there is a
// violation.
//
// When true, Install skips any precompiled program and sets the filter's
// default action to SECCOMP_RET_TRAP instead of the configured default, so
// this must remain false in any build that is actually deployed.
const debugFilter = false

// Options is a re-export of the config Options type under this package.
type Options = config.Options

// Install installs the seccomp filter derived from opt into the calling
// process. It first logs every warning reported by config.Warnings. If a
// precompiled program is registered for opt.ConfigKey() (and debugFilter is
// off), that program is rendered with opt.Vars() and loaded directly;
// otherwise the program is built at runtime from config.Rules and
// config.SeccompOptions. It returns an error if the precompiled program
// cannot be rendered or the filter cannot be installed.
func Install(opt Options) error {
	// Emit every configuration warning first so it is logged even if the
	// filter fails to install further down.
	for _, w := range config.Warnings(opt) {
		log.Warningf("*** SECCOMP WARNING: %s", w)
	}

	cfgKey := opt.ConfigKey()
	prog, havePrecompiled := GetPrecompiled(cfgKey)
	if havePrecompiled && !debugFilter {
		// Fast path: a program compiled ahead of time exists for this exact
		// configuration; only the runtime variables need to be filled in.
		// Debug builds skip it so that the DefaultAction override below
		// takes effect.
		vars := opt.Vars()
		log.Debugf("Loaded precompiled seccomp instructions for options %v, using variables: %v", cfgKey, vars)
		insns, err := prog.RenderInstructions(vars)
		if err != nil {
			return fmt.Errorf("cannot render precompiled program for options %v / vars %v: %w", cfgKey, vars, err)
		}
		return seccomp.SetFilter(insns)
	}

	// Slow path: build the program from the rule set at runtime.
	seccompOpts := config.SeccompOptions(opt)
	switch {
	case debugFilter:
		// Trap on a violation instead of the configured default action so
		// the offending syscall surfaces as a panic with a stack trace.
		log.Infof("Seccomp filter debugging is enabled; seccomp failures will result in a panic stack trace.")
		seccompOpts.DefaultAction = linux.SECCOMP_RET_TRAP
	default:
		log.Infof("No precompiled program found for config options %v, building seccomp program from scratch. This may slow down container startup.", cfgKey)
	}

	allow, deny := config.Rules(opt)
	return seccomp.Install(allow, deny, seccompOpts)
}