Skip to content

Tap plugin - alternative PR #794

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Tap plugin - alternative PR #794

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ module github.com/containernetworking/plugins
go 1.17

require (
bou.ke/monkey v1.0.2
github.com/Microsoft/hcsshim v0.8.20
github.com/alexflint/go-filemutex v1.1.0
github.com/buger/jsonparser v1.1.1
Expand All @@ -17,6 +18,7 @@ require (
github.com/networkplumbing/go-nft v0.2.0
github.com/onsi/ginkgo v1.16.4
github.com/onsi/gomega v1.15.0
github.com/opencontainers/selinux v1.8.0
github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1
github.com/vishvananda/netlink v1.2.0-beta
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e
Expand All @@ -32,6 +34,7 @@ require (
github.com/pkg/errors v0.9.1 // indirect
github.com/sirupsen/logrus v1.8.1 // indirect
github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f // indirect
github.com/willf/bitset v1.1.11 // indirect
go.opencensus.io v0.22.3 // indirect
golang.org/x/net v0.0.0-20210428140749-89ef3d95e781 // indirect
golang.org/x/text v0.3.6 // indirect
Expand Down
4 changes: 4 additions & 0 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8=
bou.ke/monkey v1.0.2 h1:kWcnsrCNUatbxncxR/ThdYqbytgOIArtYWqcQLQzKLI=
bou.ke/monkey v1.0.2/go.mod h1:OqickVX3tNx6t33n1xvtTtu85YN5s6cKwVug+oHMaIA=
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
Expand Down Expand Up @@ -478,6 +480,7 @@ github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/
github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
github.com/opencontainers/selinux v1.8.0 h1:+77ba4ar4jsCbL1GLbFL8fFM57w6suPfSS9PDLDY7KM=
github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
Expand Down Expand Up @@ -590,6 +593,7 @@ github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1
github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f h1:p4VB7kIXpOQvVn1ZaTIVp+3vuYAXFe3OJEvjbUYJLaA=
github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4=
github.com/willf/bitset v1.1.11 h1:N7Z7E9UvjW+sGsEl7k/SJrvY2reP1A07MrGuCjIOjRE=
github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI=
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
Expand Down
83 changes: 83 additions & 0 deletions pkg/security/security.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
package security

import (
"fmt"
"github.com/opencontainers/selinux/go-selinux"
"os"
"os/exec"
"strconv"
"strings"
"syscall"
)

type SecurityModule interface {
PrepareSecurityModule() error
RequiresReboot() bool
ReRunCommandWithSecurityLabels(addLinkString string, tmpName string, mtu int, nsFd int, multique bool, mac string) error
}

type NoSecurityModel struct {
}

type SELinuxSecurityModel struct {
}

func GetSecurityModule() SecurityModule {
if selinux.EnforceMode() != -1 {
return SELinuxSecurityModel{}
}
return NoSecurityModel{}
}

func (sm NoSecurityModel) PrepareSecurityModule() error {
return nil
}
func (sm NoSecurityModel) RequiresReboot() bool {
return false
}
func (sm NoSecurityModel) ReRunCommandWithSecurityLabels(addLinkString string, tmpName string, mtu int, nsFd int, multique bool, mac string) error {
return nil
}

func (sm SELinuxSecurityModel) PrepareSecurityModule() error {
output, err := exec.Command("getsebool", "container_use_devices").CombinedOutput()
if err != nil {
return fmt.Errorf("failed to run getsebool command %s: %v", string(output), err)
}
if strings.Contains(string(output), "off") {
output, err := exec.Command("setsebool", "-P", "container_use_devices", "true").CombinedOutput()
if err != nil {
return fmt.Errorf("failed to run setsebool command %s: %v", string(output), err)
}
}
return nil
}
func (sm SELinuxSecurityModel) RequiresReboot() bool {
return true
}

// This is a workaround for a SELinux issue when creating taps in containers.
// The tap device must be created with approperiate SE Linux labels, which the plugin is missing.
// To achieve this we run another copy of the plugin with the required labels applied. This will
// create the tap device from a process with the correct labels. The controll then returns to the
// main instance of the plugin which performs the rest of the configuration.
func (sm SELinuxSecurityModel) ReRunCommandWithSecurityLabels(addLinkString string, tmpName string, mtu int, nsFd int, multique bool, mac string) error {
// Apply the appropriate se linux label. This will affect the newly executed plugin process.
if err := selinux.SetExecLabel("system_u:system_r:container_t:s0"); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see these labels are hard-coded; is that the norm?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is specific to just the selinux security module. Other modules would of course have different mechanisms (if present).
This PR was a proposal on how to extract the security module specific items from the main plugin code, but it seems this approach has not met with approval either, so I'm closing it.

return fmt.Errorf("failed set socket label: %v", err)
}
minFDToCloseOnExec := 3
maxFDToCloseOnExec := 256
// we want to share the parent process std{in|out|err} - fds 0 through 2.
// Since the FDs are inherited on fork / exec, we close on exec all others.
for fd := minFDToCloseOnExec; fd < maxFDToCloseOnExec; fd++ {
syscall.CloseOnExec(fd)
}

args := []string{addLinkString, tmpName, strconv.Itoa(mtu), strconv.Itoa(nsFd), strconv.FormatBool(multique), mac}
output, err := exec.Command(os.Args[0], args...).CombinedOutput()
if err != nil {
return fmt.Errorf("failed to run a nested plugin call (%s %s) to add link: %s: %v", os.Args[0], strings.Join(args, ", "), output, err)
}
return nil
}
Loading