Use lastest OCI runtime-spec PR

This uses the runtime-spec from latest iteration from upstream PR: opencontainers/runtime-spec#1074 To reference the new commit I just run: go mod edit -replace=github.com/opencontainers/runtime-spec=github.com/kinvolk/runtime-spec@58798e75e9803d99bff5837ff39e9afe2e2efec8 go mod vendor And commited the changes. I also update the code to match the new spec. While doing that, I rewrote the code to close fds in case of failures (so we don't have open fds we are not using). Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
kinvolk · Mar 12, 2021 · cf3fb66 · cf3fb66
1 parent 7ae14be
commit cf3fb66
Show file tree

Hide file tree

Showing 6 changed files with 68 additions and 27 deletions.
diff --git a/go.mod b/go.mod
@@ -17,6 +17,6 @@ require (
 	k8s.io/klog/v2 v2.6.0 // indirect
 )
 
-replace github.com/opencontainers/runtime-spec => github.com/kinvolk/runtime-spec v1.0.2-0.20201110202115-2755fc508653
+replace github.com/opencontainers/runtime-spec => github.com/kinvolk/runtime-spec v1.0.2-0.20210309175439-58798e75e980
 
 replace github.com/seccomp/libseccomp-golang => github.com/kinvolk/libseccomp-golang v0.9.2-0.20201113182948-883917843313
diff --git a/go.sum b/go.sum
@@ -143,8 +143,8 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kinvolk/libseccomp-golang v0.9.2-0.20201113182948-883917843313 h1:Yksjjb26OqF2mRph6uc7HUJA3p/UqbehaxfV9g1wx2k=
 github.com/kinvolk/libseccomp-golang v0.9.2-0.20201113182948-883917843313/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-github.com/kinvolk/runtime-spec v1.0.2-0.20201110202115-2755fc508653 h1:amSDd4i3F4aNzi9TmDRDjW31ZQ6T9LN1lXVOazoTjQ8=
-github.com/kinvolk/runtime-spec v1.0.2-0.20201110202115-2755fc508653/go.mod h1:x0jDMgm6GEAbohE2lugQZrRwSe07FpeoUJm9jP2a5Sk=
+github.com/kinvolk/runtime-spec v1.0.2-0.20210309175439-58798e75e980 h1:d0LC/se/28Agl/3NeFZSpV1BA3ZXDVTLzp3RDrqTNM0=
+github.com/kinvolk/runtime-spec v1.0.2-0.20210309175439-58798e75e980/go.mod h1:x0jDMgm6GEAbohE2lugQZrRwSe07FpeoUJm9jP2a5Sk=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=

diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
@@ -14,6 +14,58 @@ import (
 	"github.com/kinvolk/seccompagent/pkg/registry"
 )
 
+func closeStateFds(recvFds []int) {
+	// If performance becomes an issue, we can fallback to the new syscall closerange().
+	for i := range recvFds {
+		// Ignore the return code. There isn't anything better to do.
+		unix.Close(i)
+	}
+}
+
+// parseContainerProcessState returns the seccomp-fd and closes the rest of the fds in recvFds.
+// In case of error, all recvFds are closed.
+// StateFds is assumed to be formated as specs.ContainerProcessState.Fds and
+// recvFds the corresponding list of received fds in the same SCM_RIGHT message.
+func parseStateFds(stateFds []string, recvFds []int) (uintptr, error) {
+	// Lets find the index in stateFds of the seccomp-fd.
+	idx := -1
+	err := false
+
+	for i, name := range stateFds {
+		if name == specs.SeccompFdName && idx == -1 {
+			idx = i
+			continue
+		}
+
+		// We found the seccompFdName two times. Error out!
+		if name == specs.SeccompFdName && idx != -1 {
+			err = true
+		}
+	}
+
+	if idx == -1 || err {
+		closeStateFds(recvFds)
+		return 0, fmt.Errorf("seccomp fd not found or malformed containerProcessState.Fds")
+	}
+
+	if idx >= len(recvFds) || idx < 0 {
+		closeStateFds(recvFds)
+		return 0, fmt.Errorf("seccomp fd index out of range")
+	}
+
+	fd := uintptr(recvFds[idx])
+
+	for i := range recvFds {
+		if i == idx {
+			continue
+		}
+
+		unix.Close(recvFds[i])
+	}
+
+	return fd, nil
+}
+
 func receiveNewSeccompFile(resolver registry.ResolverFunc, sockfd int) (*registry.Registry, *os.File, error) {
 	MaxNameLen := 4096
 
@@ -43,10 +95,6 @@ func receiveNewSeccompFile(resolver registry.ResolverFunc, sockfd int) (*registr
 	if err != nil {
 		return nil, nil, fmt.Errorf("cannot parse OCI state: %v\n", err)
 	}
-	seccompFdIndex, ok := containerProcessState.FdIndexes["seccompFd"]
-	if !ok || seccompFdIndex < 0 {
-		return nil, nil, fmt.Errorf("recvfd: didn't receive seccomp fd")
-	}
 
 	scms, err := unix.ParseSocketControlMessage(oob)
 	if err != nil {
@@ -61,10 +109,11 @@ func receiveNewSeccompFile(resolver registry.ResolverFunc, sockfd int) (*registr
 	if err != nil {
 		return nil, nil, err
 	}
-	if seccompFdIndex >= len(fds) {
-		return nil, nil, fmt.Errorf("recvfd: number of fds is %d and seccompFdIndex is %d", len(fds), seccompFdIndex)
+
+	fd, err := parseStateFds(containerProcessState.Fds, fds)
+	if err != nil {
+		return nil, nil, err
 	}
-	fd := uintptr(fds[seccompFdIndex])
 
 	log.WithFields(log.Fields{
 		"fd":          fd,
@@ -74,12 +123,6 @@ func receiveNewSeccompFile(resolver registry.ResolverFunc, sockfd int) (*registr
 		"annotations": containerProcessState.State.Annotations,
 	}).Debug("New seccomp fd received on socket")
 
-	for i := 0; i < len(fds); i++ {
-		if i != seccompFdIndex {
-			unix.Close(fds[i])
-		}
-	}
-
 	var reg *registry.Registry
 	if resolver != nil {
 		reg = resolver(containerProcessState)

diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/state.go
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -26,7 +26,7 @@ github.com/json-iterator/go
 github.com/modern-go/concurrent
 # github.com/modern-go/reflect2 v1.0.1
 github.com/modern-go/reflect2
-# github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d => github.com/kinvolk/runtime-spec v1.0.2-0.20201110202115-2755fc508653
+# github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d => github.com/kinvolk/runtime-spec v1.0.2-0.20210309175439-58798e75e980
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
 # github.com/seccomp/libseccomp-golang v0.9.1 => github.com/kinvolk/libseccomp-golang v0.9.2-0.20201113182948-883917843313
@@ -258,5 +258,5 @@ k8s.io/utils/integer
 sigs.k8s.io/structured-merge-diff/v4/value
 # sigs.k8s.io/yaml v1.2.0
 sigs.k8s.io/yaml
-# github.com/opencontainers/runtime-spec => github.com/kinvolk/runtime-spec v1.0.2-0.20201110202115-2755fc508653
+# github.com/opencontainers/runtime-spec => github.com/kinvolk/runtime-spec v1.0.2-0.20210309175439-58798e75e980
 # github.com/seccomp/libseccomp-golang => github.com/kinvolk/libseccomp-golang v0.9.2-0.20201113182948-883917843313