gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/runsc/boot/seccheck.go (about)

     1  // Copyright 2021 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package boot
    16  
import (
	"encoding/json"
	"fmt"
	"io"
	"os"

	"gvisor.dev/gvisor/pkg/fd"
	"gvisor.dev/gvisor/pkg/sentry/seccheck"

	// Register supported sinks.
	_ "gvisor.dev/gvisor/pkg/sentry/seccheck/sinks/null"
	_ "gvisor.dev/gvisor/pkg/sentry/seccheck/sinks/remote"
)
    29  
// InitConfig represents the configuration to apply during pod creation. For
// now, it supports setting up a seccheck session.
//
// It is decoded from JSON (see LoadInitConfig); the JSON object key for the
// session is "trace_session" and unknown keys are rejected at decode time.
type InitConfig struct {
	// TraceSession describes the seccheck session to create. Its Sinks entries
	// are matched by index to the sink FDs handed to setupSeccheck.
	TraceSession seccheck.SessionConfig `json:"trace_session"`
}
    35  
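// setupSeccheck reads an InitConfig from configFD and creates the seccheck
// session it describes, attaching sinkFDs to the session's sinks by index.
//
// configFD is wrapped in an fd.FD and closed before this function returns.
// sinkFDs are handed over to the session (see InitConfig.create). Errors are
// wrapped with the stage that failed so a caller can tell a malformed config
// apart from a session-creation failure.
func setupSeccheck(configFD int, sinkFDs []int) error {
	config := fd.New(configFD)
	defer config.Close()

	initConf, err := loadInitConfig(config)
	if err != nil {
		return fmt.Errorf("loading init config from FD %d: %w", configFD, err)
	}
	if err := initConf.create(sinkFDs); err != nil {
		return fmt.Errorf("creating trace session: %w", err)
	}
	return nil
}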
    46  
// LoadInitConfig loads an InitConfig struct from a json formatted file.
//
// The file at path is opened read-only and closed before returning. Open and
// decode errors are returned unchanged; unknown JSON fields are a decode error.
func LoadInitConfig(path string) (*InitConfig, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	cfg, err := loadInitConfig(f)
	if err != nil {
		return nil, err
	}
	return cfg, nil
}
    56  
// loadInitConfig decodes a single JSON-encoded InitConfig from reader.
//
// Unknown fields are rejected so that a misspelled key in the config fails
// loudly instead of being silently ignored. Only the first JSON value in the
// stream is consumed; anything after it is left unread.
func loadInitConfig(reader io.Reader) (*InitConfig, error) {
	var cfg InitConfig
	dec := json.NewDecoder(reader)
	dec.DisallowUnknownFields()
	if err := dec.Decode(&cfg); err != nil {
		return nil, err
	}
	return &cfg, nil
}
    66  
// Setup performs the actions defined in the InitConfig, e.g. setup seccheck
// session.
//
// It delegates to seccheck.SetupSinks for c.TraceSession.Sinks and passes
// through both the files and the error that call returns.
func (c *InitConfig) Setup() ([]*os.File, error) {
	sinks := c.TraceSession.Sinks
	files, err := seccheck.SetupSinks(sinks)
	return files, err
}
    72  
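// create attaches sinkFDs to the trace session's sinks by index and then
// creates the session.
//
// sinkFDs[i] becomes the FD of c.TraceSession.Sinks[i]; a negative entry means
// "no FD for this sink" and is skipped. More FDs than the session has sinks is
// reported as an error instead of indexing past the end of Sinks, which would
// otherwise panic during boot on a mismatched config.
func (c *InitConfig) create(sinkFDs []int) error {
	numSinks := len(c.TraceSession.Sinks)
	if len(sinkFDs) > numSinks {
		return fmt.Errorf("got %d sink FDs but trace session defines only %d sinks", len(sinkFDs), numSinks)
	}
	for i, sinkFD := range sinkFDs {
		if sinkFD < 0 {
			continue
		}
		// NOTE(review): fd.New presumably takes ownership of sinkFD, leaving
		// the sink responsible for closing it — confirm against pkg/fd.
		c.TraceSession.Sinks[i].FD = fd.New(sinkFD)
	}
	// The second argument is passed as false here; its meaning is not visible
	// in this file — confirm against seccheck.Create before changing it.
	return seccheck.Create(&c.TraceSession, false)
}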