From 02fb18ed5a17b74820141e9d502d5cc7068d3fdf Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 27 May 2021 17:00:14 +0200 Subject: [PATCH 1/9] libcontainer/user: remove unused ErrUnsupported Signed-off-by: Sebastiaan van Stijn --- libcontainer/user/user.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/libcontainer/user/user.go b/libcontainer/user/user.go index 110860b4e02..5b013eb3e45 100644 --- a/libcontainer/user/user.go +++ b/libcontainer/user/user.go @@ -16,9 +16,6 @@ const ( ) var ( - // The current operating system does not provide the required data for user lookups. - ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data") - // No matching entries found in file. ErrNoPasswdEntries = errors.New("no matching entries in passwd file") ErrNoGroupEntries = errors.New("no matching entries in group file") From c06430469213ab4430ea08aa9a76b8344e2322a5 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 27 May 2021 18:51:19 +0200 Subject: [PATCH 2/9] libcontainer/apparmor: split api (exported) from implementation This prevents having to maintain GoDoc for the stub implementations, and makes sure that the "stub" implementations have the same signature as the "non-stub" versions. Signed-off-by: Sebastiaan van Stijn --- libcontainer/apparmor/apparmor.go | 16 ++++++++++++++++ libcontainer/apparmor/apparmor_linux.go | 11 ++++++----- libcontainer/apparmor/apparmor_unsupported.go | 10 ++-------- 3 files changed, 24 insertions(+), 13 deletions(-) create mode 100644 libcontainer/apparmor/apparmor.go diff --git a/libcontainer/apparmor/apparmor.go b/libcontainer/apparmor/apparmor.go new file mode 100644 index 00000000000..4b03d4c715c --- /dev/null +++ b/libcontainer/apparmor/apparmor.go 
@@ -0,0 +1,16 @@
+package apparmor
+
+import "errors"
+
+var (
+ // IsEnabled returns true if apparmor is enabled for the host.
+ IsEnabled = isEnabled
+
+ // ApplyProfile will apply the profile with the specified name to the process after
+ // the next exec. It is only supported on Linux and produces an ErrApparmorNotEnabled
+ // on other platforms.
+ ApplyProfile = applyProfile
+
+ // ErrApparmorNotEnabled indicates that AppArmor is not enabled or not supported.
+ ErrApparmorNotEnabled = errors.New("apparmor: config provided but apparmor not supported")
+)
diff --git a/libcontainer/apparmor/apparmor_linux.go b/libcontainer/apparmor/apparmor_linux.go
index 5da14fb3b16..744d4e57054 100644
--- a/libcontainer/apparmor/apparmor_linux.go
+++ b/libcontainer/apparmor/apparmor_linux.go
@@ -15,8 +15,8 @@ var (
 checkAppArmor sync.Once
 )
-// IsEnabled returns true if apparmor is enabled for the host.
-func IsEnabled() bool {
+// isEnabled returns true if apparmor is enabled for the host.
+func isEnabled() bool {
 checkAppArmor.Do(func() {
 if _, err := os.Stat("/sys/kernel/security/apparmor"); err == nil {
 buf, err := ioutil.ReadFile("/sys/module/apparmor/parameters/enabled")
@@ -57,9 +57,10 @@ func changeOnExec(name string) error {
 return nil
 }
-// ApplyProfile will apply the profile with the specified name to the process after
-// the next exec.
-func ApplyProfile(name string) error {
+// applyProfile will apply the profile with the specified name to the process after
+// the next exec. It is only supported on Linux and produces an error on other
+// platforms.
+func applyProfile(name string) error {
 if name == "" {
 return nil
 }
diff --git a/libcontainer/apparmor/apparmor_unsupported.go b/libcontainer/apparmor/apparmor_unsupported.go
index 0bc473f810b..1adadafec8e 100644
--- a/libcontainer/apparmor/apparmor_unsupported.go
+++ b/libcontainer/apparmor/apparmor_unsupported.go
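Review bot: In the new apparmor.go, `IsEnabled` and `ApplyProfile` become package-level `var`s holding funcs, so any importer can reassign them at runtime (`apparmor.ApplyProfile = func(string) error { return nil }`) and silently skip profile confinement, which the previous exported functions did not permit; and because the var type is inferred from whichever implementation is compiled in, this form does not actually pin the stub and Linux signatures to each other as the commit message intends. Thin exported wrappers keep the single GoDoc site and do enforce the signature: `func IsEnabled() bool { return isEnabled() }` and `func ApplyProfile(name string) error { return applyProfile(name) }`. If the reassignability is deliberate (for tests), a comment saying so on the vars would stop a later reader from treating it as an accident. The ApplyProfile comment is also broader than the stub in apparmor_unsupported.go, which returns ErrApparmorNotEnabled only for a non-empty name and nil otherwise, so `// On other platforms a non-empty name produces ErrApparmorNotEnabled.` would be the accurate wording.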
@@ -2,17 +2,11 @@ package apparmor -import ( - "errors" -) - -var ErrApparmorNotEnabled = errors.New("apparmor: config provided but apparmor not supported") - -func IsEnabled() bool { +func isEnabled() bool { return false } -func ApplyProfile(name string) error { +func applyProfile(name string) error { if name != "" { return ErrApparmorNotEnabled } From e204d6a9e7196948d75766bffbc24290baf227d5 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 1 Jun 2021 13:07:22 +0200 Subject: [PATCH 3/9] libcontainer/configs: add / fix godoc (golint) Signed-off-by: Sebastiaan van Stijn --- .../cgroups/ebpf/{ebpf.go => ebpf_linux.go} | 0 libcontainer/configs/cgroup_linux.go | 6 +++--- libcontainer/configs/cgroup_unsupported.go | 1 + libcontainer/configs/mount.go | 2 +- libcontainer/configs/network.go | 13 ++++++++----- 5 files changed, 13 insertions(+), 9 deletions(-) rename libcontainer/cgroups/ebpf/{ebpf.go => ebpf_linux.go} (100%) diff --git a/libcontainer/cgroups/ebpf/ebpf.go b/libcontainer/cgroups/ebpf/ebpf_linux.go similarity index 100% rename from libcontainer/cgroups/ebpf/ebpf.go rename to libcontainer/cgroups/ebpf/ebpf_linux.go diff --git a/libcontainer/configs/cgroup_linux.go b/libcontainer/configs/cgroup_linux.go index 87d0da84288..715ec1cb9a6 100644 --- a/libcontainer/configs/cgroup_linux.go +++ b/libcontainer/configs/cgroup_linux.go @@ -13,12 +13,12 @@ const ( Thawed FreezerState = "THAWED" ) +// Cgroup holds properties of a cgroup on Linux. type Cgroup struct { - // Deprecated, use Path instead + // Name specifies the name of the cgroup Name string `json:"name,omitempty"` - // name of parent of cgroup or slice - // Deprecated, use Path instead + // Parent specifies the name of parent of cgroup or slice Parent string `json:"parent,omitempty"` // Path specifies the path to cgroups that are created and/or joined by the container. 
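Review bot: The rewritten comments on `Name` and `Parent` in cgroup_linux.go drop the `Deprecated, use Path instead` notice, while the commit message only claims to add or fix godoc, so callers lose the steer toward Path without a stated decision to un-deprecate the fields. If they are still deprecated, keep the marker in the form Go tooling recognises: `// Name specifies the name of the cgroup.`, an empty `//` line, then `// Deprecated: use Path instead.`, and the same for Parent. The Cgroup struct continues past the end of the hunk.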
diff --git a/libcontainer/configs/cgroup_unsupported.go b/libcontainer/configs/cgroup_unsupported.go index afbc05004ce..2a519f582d2 100644 --- a/libcontainer/configs/cgroup_unsupported.go +++ b/libcontainer/configs/cgroup_unsupported.go @@ -2,6 +2,7 @@ package configs +// Cgroup holds properties of a cgroup on Linux // TODO Windows: This can ultimately be entirely factored out on Windows as // cgroups are a Unix-specific construct. type Cgroup struct{} diff --git a/libcontainer/configs/mount.go b/libcontainer/configs/mount.go index 670757ddb5f..a75ff10ec9d 100644 --- a/libcontainer/configs/mount.go +++ b/libcontainer/configs/mount.go @@ -3,7 +3,7 @@ package configs const ( // EXT_COPYUP is a directive to copy up the contents of a directory when // a tmpfs is mounted over it. - EXT_COPYUP = 1 << iota + EXT_COPYUP = 1 << iota //nolint:golint // ignore "don't use ALL_CAPS" warning ) type Mount struct { diff --git a/libcontainer/configs/network.go b/libcontainer/configs/network.go index ccdb228e14c..c44c3ea71b8 100644 --- a/libcontainer/configs/network.go +++ b/libcontainer/configs/network.go @@ -50,7 +50,10 @@ type Network struct { HairpinMode bool `json:"hairpin_mode"` } -// Routes can be specified to create entries in the route table as the container is started +// Route defines a routing table entry. +// +// Routes can be specified to create entries in the routing table as the container +// is started. // // All of destination, source, and gateway should be either IPv4 or IPv6. // One of the three options must be present, and omitted entries will use their 
@@ -58,15 +61,15 @@ type Network struct { // gateway to 1.2.3.4 and the interface to eth0 will set up a standard // destination of 0.0.0.0(or *) when viewed in the route table. type Route struct { - // Sets the destination and mask, should be a CIDR. Accepts IPv4 and IPv6 + // Destination specifies the destination IP address and mask in the CIDR form. Destination string `json:"destination"` - // Sets the source and mask, should be a CIDR. Accepts IPv4 and IPv6 + // Source specifies the source IP address and mask in the CIDR form. Source string `json:"source"` - // Sets the gateway. Accepts IPv4 and IPv6 + // Gateway specifies the gateway IP address. Gateway string `json:"gateway"` - // The device to set this route up for, for example: eth0 + // InterfaceName specifies the device to set this route up for, for example eth0. InterfaceName string `json:"interface_name"` } From 81fc5c87256105edea4184faa451453f18e6879c Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 1 Jun 2021 13:09:03 +0200 Subject: [PATCH 4/9] libcontainer/user: fix capitalization (golint) Signed-off-by: Sebastiaan van Stijn --- libcontainer/user/user.go | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/libcontainer/user/user.go b/libcontainer/user/user.go index 5b013eb3e45..d2c16f7fd36 100644 --- a/libcontainer/user/user.go +++ b/libcontainer/user/user.go 
@@ -11,16 +11,17 @@ import ( ) const ( - minId = 0 - maxId = 1<<31 - 1 // for 32-bit systems compatibility + minID = 0 + maxID = 1<<31 - 1 // for 32-bit systems compatibility ) var ( - // No matching entries found in file. + // ErrNoPasswdEntries is returned if no matching entries were found in /etc/group. ErrNoPasswdEntries = errors.New("no matching entries in passwd file") - ErrNoGroupEntries = errors.New("no matching entries in group file") - - ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minId, maxId) + // ErrNoGroupEntries is returned if no matching entries were found in /etc/passwd. + ErrNoGroupEntries = errors.New("no matching entries in group file") + // ErrRange is returned if a UID or GID is outside of the valid range. + ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minID, maxID) ) type User struct { @@ -325,7 +326,7 @@ func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) ( user.Uid = uidArg // Must be inside valid uid range. - if user.Uid < minId || user.Uid > maxId { + if user.Uid < minID || user.Uid > maxID { return nil, ErrRange } @@ -374,7 +375,7 @@ func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) ( user.Gid = gidArg // Must be inside valid gid range. - if user.Gid < minId || user.Gid > maxId { + if user.Gid < minID || user.Gid > maxID { return nil, ErrRange } @@ -436,7 +437,7 @@ func GetAdditionalGroups(additionalGroups []string, group io.Reader) ([]int, err return nil, fmt.Errorf("Unable to find group %s", ag) } // Ensure gid is inside gid range. - if gid < minId || gid > maxId { + if gid < minID || gid > maxID { return nil, ErrRange } gidMap[int(gid)] = struct{}{} From 340fdd9366301b49e532424efda1ca6228f5d619 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 1 Jun 2021 13:09:44 +0200 Subject: [PATCH 5/9] libcontainer/nsenter: fix captalization (golint) 
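Review bot: The new doc comments on `ErrNoPasswdEntries` and `ErrNoGroupEntries` in user.go have the files swapped: ErrNoPasswdEntries says /etc/group and ErrNoGroupEntries says /etc/passwd, whereas the error strings and GetExecUser's `passwd, group io.Reader` parameters say the opposite. Since the lookups read from an io.Reader rather than a fixed path, `// ErrNoPasswdEntries is returned if no matching entries were found in the passwd file.` and `// ErrNoGroupEntries is returned if no matching entries were found in the group file.` are both correct and match the error strings. The `User` struct that follows is cut off by the hunk.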
Signed-off-by: Sebastiaan van Stijn --- libcontainer/nsenter/test/escape.go | 6 +++--- libcontainer/nsenter/test/escape_test.go | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/libcontainer/nsenter/test/escape.go b/libcontainer/nsenter/test/escape.go index 4accf967a47..f85d9e211fe 100644 --- a/libcontainer/nsenter/test/escape.go +++ b/libcontainer/nsenter/test/escape.go @@ -14,7 +14,7 @@ import ( "unsafe" ) -func testEscapeJsonString(t *testing.T, input, want string) { +func testEscapeJSONString(t *testing.T, input, want string) { in := C.CString(input) out := C.escape_json_string(in) got := C.GoString(out) @@ -25,7 +25,7 @@ func testEscapeJsonString(t *testing.T, input, want string) { } } -func testEscapeJson(t *testing.T) { +func testEscapeJSON(t *testing.T) { testCases := []struct { input, output string }{ @@ -48,6 +48,6 @@ func testEscapeJson(t *testing.T) { } for _, tc := range testCases { - testEscapeJsonString(t, tc.input, tc.output) + testEscapeJSONString(t, tc.input, tc.output) } } diff --git a/libcontainer/nsenter/test/escape_test.go b/libcontainer/nsenter/test/escape_test.go index eefd5ecf11a..3841cd09793 100644 --- a/libcontainer/nsenter/test/escape_test.go +++ b/libcontainer/nsenter/test/escape_test.go @@ -6,6 +6,6 @@ import "testing" // so that it can use cgo (import "C"). // This wrapper is here for gotest to find. -func TestEscapeJson(t *testing.T) { - testEscapeJson(t) +func TestEscapeJSON(t *testing.T) { + testEscapeJSON(t) } From 9be156cb9dd63aae02efd55a5403bde4677a7986 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 1 Jun 2021 13:10:17 +0200 Subject: [PATCH 6/9] libcontainer/devices: fix godoc (golint) Signed-off-by: Sebastiaan van Stijn --- libcontainer/devices/device_unix.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libcontainer/devices/device_unix.go b/libcontainer/devices/device_unix.go index c7fb2f1a925..6d5b3d09df3 100644 --- a/libcontainer/devices/device_unix.go 
+++ b/libcontainer/devices/device_unix.go @@ -27,8 +27,9 @@ func mkDev(d *Rule) (uint64, error) { return unix.Mkdev(uint32(d.Major), uint32(d.Minor)), nil } -// Given the path to a device and its cgroup_permissions(which cannot be easily queried) look up the -// information about a linux device and return that information as a Device struct. +// DeviceFromPath takes the path to a device and its cgroup_permissions (which +// cannot be easily queried) to look up the information about a linux device +// and returns that information as a Device struct. func DeviceFromPath(path, permissions string) (*Device, error) { var stat unix.Stat_t err := unixLstat(path, &stat) From c2416fb4d49542e8900136202dca0ddd253ee835 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 1 Jun 2021 13:10:40 +0200 Subject: [PATCH 7/9] libcontainer/system: fix godoc (golint) Signed-off-by: Sebastiaan van Stijn --- libcontainer/system/userns_deprecated.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libcontainer/system/userns_deprecated.go b/libcontainer/system/userns_deprecated.go index 2de3462a506..465c1a69323 100644 --- a/libcontainer/system/userns_deprecated.go +++ b/libcontainer/system/userns_deprecated.go @@ -2,4 +2,6 @@ package system import "github.com/opencontainers/runc/libcontainer/userns" +// RunningInUserNS detects whether we are currently running in a user namespace. +// Deprecated: use github.com/opencontainers/runc/libcontainer/userns.RunningInUserNS instead var RunningInUserNS = userns.RunningInUserNS From 1fb56f9f1faa6617f9ea2a66bcc08c66c4d25da3 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 1 Jun 2021 13:15:28 +0200 Subject: [PATCH 8/9] libcontainer/cgroups/devices: if block ends with a return statement libcontainer/cgroups/devices/devices_emulator.go:261:9: `if` block ends with a `return` statement, so drop this `else` and outdent its block (golint) } else { ^ 
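Review bot: The added `// Deprecated: ...` line in userns_deprecated.go is attached directly to the description sentence, so it is not a paragraph of its own and tools following the go/doc convention (go doc, staticcheck's SA1019) will likely not treat RunningInUserNS as deprecated; it also lacks a terminating period. Separate it with an empty comment line: `// RunningInUserNS detects whether we are currently running in a user namespace.`, `//`, `// Deprecated: use github.com/opencontainers/runc/libcontainer/userns.RunningInUserNS instead.`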
Signed-off-by: Sebastiaan van Stijn --- libcontainer/cgroups/devices/devices_emulator.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libcontainer/cgroups/devices/devices_emulator.go b/libcontainer/cgroups/devices/devices_emulator.go index 6f29ef0371e..c08477cbb35 100644 --- a/libcontainer/cgroups/devices/devices_emulator.go +++ b/libcontainer/cgroups/devices/devices_emulator.go @@ -258,9 +258,9 @@ func (e *Emulator) Apply(rule devices.Rule) error { if rule.Allow { return e.allow(innerRule) - } else { - return e.deny(innerRule) } + + return e.deny(innerRule) } // EmulatorFromList takes a reader to a "devices.list"-like source, and returns From 3e1bcb1f5d24ccf8f5a316ce52b50104172a928c Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Tue, 1 Jun 2021 13:16:35 +0200 Subject: [PATCH 9/9] libcontainer/keys: var should be sessKeyID/ringID (golint) libcontainer/keys/keyctl.go:17:2: var `sessKeyId` should be `sessKeyID` (golint) sessKeyId, err := unix.KeyctlJoinSessionKeyring(name) ^ libcontainer/keys/keyctl.go:27:21: func parameter `ringId` should be `ringID` (golint) func ModKeyringPerm(ringId KeySerial, mask, setbits uint32) error { ^ Signed-off-by: Sebastiaan van Stijn --- libcontainer/keys/keyctl.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libcontainer/keys/keyctl.go b/libcontainer/keys/keyctl.go index e73af7ae2dc..4a60c34b842 100644 --- a/libcontainer/keys/keyctl.go +++ b/libcontainer/keys/keyctl.go 
@@ -14,18 +14,18 @@ import (
 type KeySerial uint32
 func JoinSessionKeyring(name string) (KeySerial, error) {
- sessKeyId, err := unix.KeyctlJoinSessionKeyring(name)
+ sessKeyID, err := unix.KeyctlJoinSessionKeyring(name)
 if err != nil {
 return 0, errors.Wrap(err, "create session key")
 }
- return KeySerial(sessKeyId), nil
+ return KeySerial(sessKeyID), nil
 }
 // ModKeyringPerm modifies permissions on a keyring by reading the current permissions,
 // anding the bits with the given mask (clearing permissions) and setting
 // additional permission bits
-func ModKeyringPerm(ringId KeySerial, mask, setbits uint32) error {
- dest, err := unix.KeyctlString(unix.KEYCTL_DESCRIBE, int(ringId))
+func ModKeyringPerm(ringID KeySerial, mask, setbits uint32) error {
+ dest, err := unix.KeyctlString(unix.KEYCTL_DESCRIBE, int(ringID))
 if err != nil {
 return err
 }
@@ -43,5 +43,5 @@ func ModKeyringPerm(ringId KeySerial, mask, setbits uint32) error {
 perm := (uint32(perm64) & mask) | setbits
- return unix.KeyctlSetperm(int(ringId), perm)
+ return unix.KeyctlSetperm(int(ringID), perm)
 }
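Review bot: For a golint-driven series, the keyctl.go hunk still leaves the exported `KeySerial` type and `JoinSessionKeyring` function without doc comments, which golint reports alongside the naming issues fixed here. Something like `// KeySerial is the serial number (ID) of a kernel key or keyring.` and `// JoinSessionKeyring joins the session keyring named name, creating it if it does not exist, and returns its serial.` would close that gap; the create-or-join wording follows keyctl(2) for unix.KeyctlJoinSessionKeyring, so confirm it before committing to it. ModKeyringPerm's body between the two hunks, where `perm64` is parsed from the KEYCTL_DESCRIBE string, is outside the view and was not reviewed.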