Merge pull request #20 from kinvolk/alban_freeze2

Implement freeze handler
kinvolk · Feb 16, 2022 · bc435a1 · bc435a1
2 parents d847582 + d0d02ac
commit bc435a1
Show file tree

Hide file tree

Showing 446 changed files with 52,786 additions and 8,764 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # We need alpine edge for libseccomp-2.5.0
 
-FROM golang:1.15-alpine as builder
+FROM golang:1.17-alpine as builder
 RUN apk add alpine-sdk
 
 RUN \

diff --git a/cmd/seccompagent/seccompagent.go b/cmd/seccompagent/seccompagent.go
@@ -124,6 +124,8 @@ func main() {
 				// container instead of just the process making the syscall.
 				case "kill-container":
 					r.DefaultHandler = handlers.KillContainer(podCtx.Pid1)
+				case "freeze-container":
+					r.DefaultHandler = handlers.FreezeContainer(podCtx.Pid1)
 				default:
 					log.WithFields(log.Fields{
 						"pod":            podCtx,

diff --git a/deploy/seccompagent.yaml b/deploy/seccompagent.yaml
@@ -51,6 +51,9 @@ spec:
               fieldRef:
                 fieldPath: spec.nodeName
         securityContext:
+          # We need to keep 'privileged' to opt out of cgroupns, so we can
+          # inspect containers' cgroups via their /proc/$pid/cgroup files.
+          privileged: true
           capabilities:
             add:
             # CAP_SYS_PTRACE is useful to read arguments of a processes with
@@ -65,6 +68,10 @@ spec:
           mountPath: /host/seccomp
         - name: run
           mountPath: /run
+        # the freezer handler needs write access to the cgroup filesystems to
+        # write "FROZEN" on "freezer.state" interface file.
+        - name: cgroup
+          mountPath: /sys/fs/cgroup
       tolerations:
       - effect: NoSchedule
         operator: Exists
@@ -77,3 +84,6 @@ spec:
       - name: run
         hostPath:
           path: /run
+      - name: cgroup
+        hostPath:
+          path: /sys/fs/cgroup
diff --git a/docs/profiles/notify-dangerous.json b/docs/profiles/notify-dangerous.json
@@ -4,7 +4,7 @@
     "SCMP_ARCH_X86_64"
   ],
   "listenerPath": "/run/seccomp-agent.socket",
-  "listenerMetadata": "DEFAULT_ACTION=kill-container",
+  "listenerMetadata": "DEFAULT_ACTION=freeze-container",
   "syscalls": [
     {
       "action": "SCMP_ACT_NOTIFY",

diff --git a/docs/profiles/notify-dangerous.yaml b/docs/profiles/notify-dangerous.yaml
@@ -9,7 +9,8 @@ spec:
   architectures:
   - SCMP_ARCH_X86_64
   listenerPath: "/run/seccomp-agent.socket"
-  listenerMetadata: "DEFAULT_ACTION=kill-container"
+  #listenerMetadata: "DEFAULT_ACTION=kill-container"
+  listenerMetadata: "DEFAULT_ACTION=freeze-container"
 
   syscalls:
 

diff --git a/go.mod b/go.mod
@@ -4,12 +4,12 @@ go 1.15
 
 require (
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/go-cmp v0.5.4 // indirect
-	github.com/opencontainers/runtime-spec v1.0.3-0.20210319114652-9c848d91e8cf
+	github.com/opencontainers/runc v1.1.0
+	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921
-	github.com/sirupsen/logrus v1.7.0
+	github.com/sirupsen/logrus v1.8.1
 	golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce // indirect
-	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1
+	golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c
 	k8s.io/api v0.20.4
 	k8s.io/apimachinery v0.20.4
 	k8s.io/client-go v0.20.4

diff --git a/go.sum b/go.sum
diff --git a/pkg/handlers/default.go b/pkg/handlers/default.go
@@ -15,8 +15,14 @@
 package handlers
 
 import (
+	"bufio"
+	"fmt"
 	"os"
+	"path/filepath"
+	"strings"
 
+	libctManager "github.com/opencontainers/runc/libcontainer/cgroups/manager"
+	libctConfig "github.com/opencontainers/runc/libcontainer/configs"
 	libseccomp "github.com/seccomp/libseccomp-golang"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
@@ -49,3 +55,90 @@ func KillContainer(pid int) registry.HandlerFunc {
 		return registry.HandlerResultErrno(unix.EPERM)
 	}
 }
+
+// freezerCgroupPath parses /proc/$pid/cgroup and find the cgroup path from
+// - either the freezer cgroup (starting with '%d:freezer:'), or
+// - the unified hierarchy (starting with '0::')
+func freezerCgroupPath(pid int) string {
+	var err error
+	var cgroupFile *os.File
+	if cgroupFile, err = os.Open(filepath.Join("/proc", fmt.Sprintf("%d", pid), "cgroup")); err != nil {
+		log.WithFields(log.Fields{
+			"pid": pid,
+			"err": err,
+		}).Error("cannot parse cgroup")
+		return ""
+	}
+	defer cgroupFile.Close()
+
+	reader := bufio.NewReader(cgroupFile)
+	for {
+		line, err := reader.ReadString('\n')
+		if err != nil {
+			break
+		}
+		line = strings.TrimSuffix(line, "\n")
+		fields := strings.SplitN(line, ":", 3)
+		if len(fields) != 3 {
+			continue
+		}
+		cgroupHierarchyID := fields[0]
+		cgroupControllerList := fields[1]
+		cgroupPath := fields[2]
+
+		for _, cgroupController := range strings.Split(cgroupControllerList, ",") {
+			if cgroupController == "freezer" {
+				return cgroupPath
+			}
+		}
+		if cgroupHierarchyID == "0" && cgroupControllerList == "" {
+			return cgroupPath
+		}
+	}
+	return ""
+}
+
+func FreezeContainer(pid int) registry.HandlerFunc {
+	cgroupPath := freezerCgroupPath(pid)
+	return func(fd libseccomp.ScmpFd, req *libseccomp.ScmpNotifReq) (result registry.HandlerResult) {
+		if cgroupPath == "" {
+			log.WithFields(log.Fields{
+				"pid": pid,
+			}).Error("cgroup path not found")
+			return registry.HandlerResultErrno(unix.EPERM)
+		}
+
+		if cgroupPath == "/" {
+			log.WithFields(log.Fields{
+				"pid": pid,
+			}).Error("refuse to use root cgroup")
+			return registry.HandlerResultErrno(unix.EPERM)
+		}
+
+		cgroup := &libctConfig.Cgroup{
+			Path:      cgroupPath,
+			Resources: &libctConfig.Resources{},
+		}
+
+		m, err := libctManager.New(cgroup)
+		if err != nil {
+			log.WithFields(log.Fields{
+				"pid":        pid,
+				"cgroupPath": cgroupPath,
+				"err":        err,
+			}).Error("cannot create new cgroup manager")
+			return registry.HandlerResultErrno(unix.EPERM)
+		}
+
+		if err := m.Freeze(libctConfig.Frozen); err != nil {
+			log.WithFields(log.Fields{
+				"pid":        pid,
+				"cgroupPath": cgroupPath,
+				"err":        err,
+			}).Error("cannot freeze cgroup")
+			return registry.HandlerResultErrno(unix.EPERM)
+		}
+
+		return registry.HandlerResultErrno(unix.EPERM)
+	}
+}
diff --git a/pkg/kuberesolver/kuberesolver.go b/pkg/kuberesolver/kuberesolver.go
@@ -120,7 +120,7 @@ func KubeResolver(f KubeResolverFunc) (registry.ResolverFunc, error) {
 				"container": podCtx.Container,
 				"err":       err,
 			}).Trace("Pod details found from annotations")
-			return f(nil, vars)
+			return f(podCtx, vars)
 		}
 
 		pod, err := k8sClient.ContainerLookup(state.State.Pid)
@@ -129,7 +129,7 @@ func KubeResolver(f KubeResolverFunc) (registry.ResolverFunc, error) {
 				"pid": state.State.Pid,
 				"err": err,
 			}).Error("Cannot find container in Kubernetes")
-			return f(nil, vars)
+			return f(podCtx, vars)
 		}
 		podCtx.Namespace = pod.ObjectMeta.Namespace
 		podCtx.Pod = pod.ObjectMeta.Name

diff --git a/vendor/github.com/cilium/ebpf/.clang-format b/vendor/github.com/cilium/ebpf/.clang-format
diff --git a/vendor/github.com/cilium/ebpf/.gitignore b/vendor/github.com/cilium/ebpf/.gitignore
diff --git a/vendor/github.com/cilium/ebpf/.golangci.yaml b/vendor/github.com/cilium/ebpf/.golangci.yaml
diff --git a/vendor/github.com/cilium/ebpf/ARCHITECTURE.md b/vendor/github.com/cilium/ebpf/ARCHITECTURE.md
diff --git a/vendor/github.com/cilium/ebpf/CODE_OF_CONDUCT.md b/vendor/github.com/cilium/ebpf/CODE_OF_CONDUCT.md