From f52468bea72471f08272019c7823f6aa5ee96cbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 May 2021 09:38:32 +0200 Subject: [PATCH] agent/agent-ctl: Replace prctl crate by the capctl one MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While evaluating the possibility of having kata-agent statically linked to the GNU libc, we've ended up facing some issues with prctl. When debugging the issues, we figured out that the crate hasn't been maintained since 2015 and that the capctl one is a good 1:1 replacement for what we need. Fixes: #1844 Signed-off-by: Fabiano FidĂȘncio --- src/agent/Cargo.lock | 24 ++++++++++++------------ src/agent/Cargo.toml | 2 +- src/agent/rustjail/Cargo.toml | 2 +- src/agent/rustjail/src/container.rs | 8 ++++---- src/agent/rustjail/src/lib.rs | 2 +- src/agent/src/main.rs | 2 +- src/agent/src/signal.rs | 4 ++-- tools/agent-ctl/Cargo.lock | 22 +++++++++++----------- 8 files changed, 33 insertions(+), 33 deletions(-) diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index 791fa88d8..633159b91 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock @@ -117,6 +117,16 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040" +[[package]] +name = "capctl" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eea0d91a34c56f0a0779e1cc2ec7040fa7f672819c4d3fe7d9dd4af3d2e78aca" +dependencies = [ + "bitflags", + "libc", +] + [[package]] name = "caps" version = "0.5.2" @@ -471,6 +481,7 @@ version = "0.1.0" dependencies = [ "anyhow", "async-trait", + "capctl", "cgroups-rs", "futures", "ipnetwork", @@ -482,7 +493,6 @@ dependencies = [ "netlink-sys", "nix 0.17.0", "oci", - "prctl", "procfs", "prometheus", "protobuf", @@ -865,16 +875,6 @@ version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857" -[[package]] -name = "prctl" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "059a34f111a9dee2ce1ac2826a68b24601c4298cfeb1a587c3cb493d5ab46f52" -dependencies = [ - "libc", - "nix 0.20.0", -] - [[package]] name = "proc-macro-hack" version = "0.5.19" @@ -1159,6 +1159,7 @@ version = "0.1.0" dependencies = [ "anyhow", "async-trait", + "capctl", "caps", "cgroups-rs", "futures", @@ -1168,7 +1169,6 @@ dependencies = [ "nix 0.17.0", "oci", "path-absolutize", - "prctl", "protobuf", "protocols", "regex", diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index 6f292dcc3..47df6eaee 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml @@ -14,7 +14,7 @@ ttrpc = { version = "0.5.0", features = ["async", "protobuf-codec"], default-fea protobuf = "=2.14.0" libc = "0.2.58" nix = "0.17.0" -prctl = "1.0.0" +capctl = "0.2.0" serde_json = "1.0.39" scan_fmt = "0.2.3" scopeguard = "1.0.0" diff --git a/src/agent/rustjail/Cargo.toml b/src/agent/rustjail/Cargo.toml index 9d65edbf8..5b66b043a 100644 --- a/src/agent/rustjail/Cargo.toml +++ b/src/agent/rustjail/Cargo.toml @@ -13,7 +13,7 @@ protocols = { path ="../protocols" } caps = "0.5.0" nix = "0.17.0" scopeguard = "1.0.0" -prctl = "1.0.0" +capctl = "0.2.0" lazy_static = "1.3.0" libc = "0.2.58" protobuf = "=2.14.0" diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs index 3546ee957..f55878ce1 100644 --- a/src/agent/rustjail/src/container.rs +++ b/src/agent/rustjail/src/container.rs @@ -469,7 +469,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> { // Ref: https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5 // if !nses.is_empty() { - prctl::set_dumpable(false) + capctl::prctl::set_dumpable(false) .map_err(|e| anyhow!(e).context("set process non-dumpable failed"))?; } @@ -602,7 +602,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> { // NoNewPeiviledges, Drop capabilities if oci_process.no_new_privileges { - prctl::set_no_new_privileges(true).map_err(|_| anyhow!("cannot set no new privileges"))?; + capctl::prctl::set_no_new_privs().map_err(|_| anyhow!("cannot set no new privileges"))?; } if oci_process.capabilities.is_some() { @@ -1314,7 +1314,7 @@ fn write_mappings(logger: &Logger, path: &str, maps: &[LinuxIdMapping]) -> Resul fn setid(uid: Uid, gid: Gid) -> Result<()> { // set uid/gid - prctl::set_keep_capabilities(true) + capctl::prctl::set_keepcaps(true) .map_err(|e| anyhow!(e).context("set keep capabilities returned"))?; { @@ -1328,7 +1328,7 @@ fn setid(uid: Uid, gid: Gid) -> Result<()> { capabilities::reset_effective()?; } - prctl::set_keep_capabilities(false) + capctl::prctl::set_keepcaps(false) .map_err(|e| anyhow!(e).context("set keep capabilities returned"))?; Ok(()) diff --git a/src/agent/rustjail/src/lib.rs b/src/agent/rustjail/src/lib.rs index c0c66cb78..b9fadd403 100644 --- a/src/agent/rustjail/src/lib.rs +++ b/src/agent/rustjail/src/lib.rs @@ -23,7 +23,7 @@ extern crate caps; extern crate protocols; #[macro_use] extern crate scopeguard; -extern crate prctl; +extern crate capctl; #[macro_use] extern crate lazy_static; extern crate libc; diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs index 595951bc5..cab67edcb 100644 --- a/src/agent/src/main.rs +++ b/src/agent/src/main.rs @@ -5,8 +5,8 @@ #[macro_use] extern crate lazy_static; +extern crate capctl; extern crate oci; -extern crate prctl; extern crate prometheus; extern crate protocols; extern crate regex; diff --git a/src/agent/src/signal.rs b/src/agent/src/signal.rs index 7f823b2f1..cde54af5e 100644 --- a/src/agent/src/signal.rs +++ b/src/agent/src/signal.rs @@ -6,10 +6,10 @@ use crate::sandbox::Sandbox; use anyhow::{anyhow, Result}; +use capctl::prctl::set_subreaper; use nix::sys::wait::WaitPidFlag; use nix::sys::wait::{self, WaitStatus}; use nix::unistd; -use prctl::set_child_subreaper; use slog::{error, info, o, Logger}; use std::sync::Arc; use tokio::select; @@ -88,7 +88,7 @@ pub async fn setup_signal_handler( ) -> Result<()> { let logger = logger.new(o!("subsystem" => "signals")); - set_child_subreaper(true) + set_subreaper(true) .map_err(|err| anyhow!(err).context("failed to setup agent as a child subreaper"))?; let mut sigchild_stream = signal(SignalKind::child())?; diff --git a/tools/agent-ctl/Cargo.lock b/tools/agent-ctl/Cargo.lock index 0751394c8..a52c722d3 100644 --- a/tools/agent-ctl/Cargo.lock +++ b/tools/agent-ctl/Cargo.lock @@ -116,6 +116,16 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040" +[[package]] +name = "capctl" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eea0d91a34c56f0a0779e1cc2ec7040fa7f672819c4d3fe7d9dd4af3d2e78aca" +dependencies = [ + "bitflags", + "libc", +] + [[package]] name = "caps" version = "0.5.2" @@ -710,16 +720,6 @@ version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857" -[[package]] -name = "prctl" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "059a34f111a9dee2ce1ac2826a68b24601c4298cfeb1a587c3cb493d5ab46f52" -dependencies = [ - "libc", - "nix 0.20.0", -] - [[package]] name = "proc-macro-hack" version = "0.5.19" @@ -992,6 +992,7 @@ version = "0.1.0" dependencies = [ "anyhow", "async-trait", + "capctl", "caps", "cgroups-rs", "futures", @@ -1001,7 +1002,6 @@ dependencies = [ "nix 0.17.0", "oci", "path-absolutize", - "prctl", "protobuf", "protocols", "regex",