github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-12 22:58:58 +00:00
Code Issues Projects Releases Wiki Activity

agent/rustjail: Use anyhow for error handling

Browse Source 
Convert all Errors and Results to `anyhow::Error` and `anyhow::Result`
respectively

Signed-off-by: Julio Montes <julio.montes@intel.com>
This commit is contained in:
Julio Montes 2020-08-28 11:16:34 -05:00
parent 2e3e2ce114
commit c192446a59
5 changed files with 88 additions and 116 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/agent/rustjail/src/configs/mod.rs
View File

@ -10,7 +10,6 @@ use serde_json;
use protocols::oci::State as OCIState; use protocols::oci::State as OCIState;
use crate::errors::*;
use std::collections::HashMap; use std::collections::HashMap;
use std::fmt; use std::fmt;
use std::path::PathBuf; use std::path::PathBuf;

80
src/agent/rustjail/src/container.rs
View File

@ -14,6 +14,7 @@ use std::os::unix::io::RawFd;
use std::path::{Path, PathBuf}; use std::path::{Path, PathBuf};
use std::time::SystemTime; use std::time::SystemTime;
// use crate::sync::Cond; // use crate::sync::Cond;
use anyhow::{anyhow, Context, Result};
use libc::pid_t; use libc::pid_t;
use oci::{LinuxDevice, LinuxIDMapping}; use oci::{LinuxDevice, LinuxIDMapping};
use std::clone::Clone; use std::clone::Clone;
@ -24,7 +25,6 @@ use std::process::{Child, Command};
use crate::cgroups::Manager as CgroupManager; use crate::cgroups::Manager as CgroupManager;
use crate::process::Process; use crate::process::Process;
// use crate::intelrdt::Manager as RdtManager; // use crate::intelrdt::Manager as RdtManager;
use crate::errors::*;
use crate::log_child; use crate::log_child;
use crate::specconv::CreateOpts; use crate::specconv::CreateOpts;
use crate::sync::*; use crate::sync::*;
@ -44,7 +44,6 @@ use nix::sched::{self, CloneFlags};
use nix::sys::signal::{self, Signal}; use nix::sys::signal::{self, Signal};
use nix::sys::stat::{self, Mode}; use nix::sys::stat::{self, Mode};
use nix::unistd::{self, ForkResult, Gid, Pid, Uid}; use nix::unistd::{self, ForkResult, Gid, Pid, Uid};
use nix::Error;
use libc; use libc;
use protobuf::SingularPtrField; use protobuf::SingularPtrField;
@ -294,11 +293,10 @@ impl Container for LinuxContainer {
fn pause(&mut self) -> Result<()> { fn pause(&mut self) -> Result<()> {
let status = self.status(); let status = self.status();
if status != Status::RUNNING && status != Status::CREATED { if status != Status::RUNNING && status != Status::CREATED {
return Err(ErrorKind::ErrorCode(format!( return Err(anyhow!(
"failed to pause container: current status is: {:?}", "failed to pause container: current status is: {:?}",
status status
)) ));
.into());
} }
if self.cgroup_manager.is_some() { if self.cgroup_manager.is_some() {
@ -310,17 +308,13 @@ impl Container for LinuxContainer {
self.status.transition(Status::PAUSED); self.status.transition(Status::PAUSED);
return Ok(()); return Ok(());
} }
Err(ErrorKind::ErrorCode(String::from("failed to get container's cgroup manager")).into()) Err(anyhow!("failed to get container's cgroup manager"))
} }
fn resume(&mut self) -> Result<()> { fn resume(&mut self) -> Result<()> {
let status = self.status(); let status = self.status();
if status != Status::PAUSED { if status != Status::PAUSED {
return Err(ErrorKind::ErrorCode(format!( return Err(anyhow!("container status is: {:?}, not paused", status));
"container status is: {:?}, not paused",
status
))
.into());
} }
if self.cgroup_manager.is_some() { if self.cgroup_manager.is_some() {
@ -332,7 +326,7 @@ impl Container for LinuxContainer {
self.status.transition(Status::RUNNING); self.status.transition(Status::RUNNING);
return Ok(()); return Ok(());
} }
Err(ErrorKind::ErrorCode(String::from("failed to get container's cgroup manager")).into()) Err(anyhow!("failed to get container's cgroup manager"))
} }
} }
@ -383,11 +377,11 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
let p = if spec.process.is_some() { let p = if spec.process.is_some() {
spec.process.as_ref().unwrap() spec.process.as_ref().unwrap()
} else { } else {
return Err(ErrorKind::ErrorCode("didn't find process in Spec".to_string()).into()); return Err(anyhow!("didn't find process in Spec"));
}; };
if spec.linux.is_none() { if spec.linux.is_none() {
return Err(ErrorKind::ErrorCode("no linux config".to_string()).into()); return Err(anyhow!("no linux config"));
} }
let linux = spec.linux.as_ref().unwrap(); let linux = spec.linux.as_ref().unwrap();
@ -401,7 +395,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
for ns in &nses { for ns in &nses {
let s = NAMESPACES.get(&ns.r#type.as_str()); let s = NAMESPACES.get(&ns.r#type.as_str());
if s.is_none() { if s.is_none() {
return Err(ErrorKind::ErrorCode("invalid ns type".to_string()).into()); return Err(anyhow!("invalid ns type"));
} }
let s = s.unwrap(); let s = s.unwrap();
@ -569,7 +563,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
// NoNewPeiviledges, Drop capabilities // NoNewPeiviledges, Drop capabilities
if oci_process.no_new_privileges { if oci_process.no_new_privileges {
if let Err(_) = prctl::set_no_new_privileges(true) { if let Err(_) = prctl::set_no_new_privileges(true) {
return Err(ErrorKind::ErrorCode("cannot set no new privileges".to_string()).into()); return Err(anyhow!("cannot set no new privileges"));
} }
} }
@ -621,9 +615,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
match find_file(exec_file) { match find_file(exec_file) {
Some(_) => (), Some(_) => (),
None => { None => {
return Err( return Err(anyhow!("the file {} is not exist", &args[0]));
ErrorKind::ErrorCode(format!("the file {} is not exist", &args[0])).into(),
);
} }
} }
} }
@ -655,7 +647,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> {
do_exec(&args); do_exec(&args);
Err(ErrorKind::ErrorCode("fail to create container".to_string()).into()) Err(anyhow!("fail to create container"))
} }
impl BaseContainer for LinuxContainer { impl BaseContainer for LinuxContainer {
@ -668,7 +660,7 @@ impl BaseContainer for LinuxContainer {
} }
fn state(&self) -> Result<State> { fn state(&self) -> Result<State> {
Err(ErrorKind::ErrorCode(String::from("not suppoerted")).into()) Err(anyhow!("not suppoerted"))
} }
fn oci_state(&self) -> Result<OCIState> { fn oci_state(&self) -> Result<OCIState> {
@ -708,7 +700,7 @@ impl BaseContainer for LinuxContainer {
} }
} }
Err(ErrorKind::ErrorCode(format!("invalid eid {}", eid)).into()) Err(anyhow!("invalid eid {}", eid))
} }
fn stats(&self) -> Result<StatsContainerResponse> { fn stats(&self) -> Result<StatsContainerResponse> {
@ -747,7 +739,7 @@ impl BaseContainer for LinuxContainer {
let mut fifofd: RawFd = -1; let mut fifofd: RawFd = -1;
if p.init { if p.init {
if let Ok(_) = stat::stat(fifo_file.as_str()) { if let Ok(_) = stat::stat(fifo_file.as_str()) {
return Err(ErrorKind::ErrorCode("exec fifo exists".to_string()).into()); return Err(anyhow!("exec fifo exists"));
} }
unistd::mkfifo(fifo_file.as_str(), Mode::from_bits(0o622).unwrap())?; unistd::mkfifo(fifo_file.as_str(), Mode::from_bits(0o622).unwrap())?;
// defer!(fs::remove_file(&fifo_file)?); // defer!(fs::remove_file(&fifo_file)?);
@ -763,18 +755,18 @@ impl BaseContainer for LinuxContainer {
fscgroup::init_static(); fscgroup::init_static();
if self.config.spec.is_none() { if self.config.spec.is_none() {
return Err(ErrorKind::ErrorCode("no spec".to_string()).into()); return Err(anyhow!("no spec"));
} }
let spec = self.config.spec.as_ref().unwrap(); let spec = self.config.spec.as_ref().unwrap();
if spec.linux.is_none() { if spec.linux.is_none() {
return Err(ErrorKind::ErrorCode("no linux config".to_string()).into()); return Err(anyhow!("no linux config"));
} }
let linux = spec.linux.as_ref().unwrap(); let linux = spec.linux.as_ref().unwrap();
let st = self.oci_state()?; let st = self.oci_state()?;
let (pfd_log, cfd_log) = unistd::pipe().chain_err(|| "failed to create pipe")?; let (pfd_log, cfd_log) = unistd::pipe().context("failed to create pipe")?;
fcntl::fcntl(pfd_log, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC)); fcntl::fcntl(pfd_log, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC));
let child_logger = logger.new(o!("action" => "child process log")); let child_logger = logger.new(o!("action" => "child process log"));
@ -802,8 +794,8 @@ impl BaseContainer for LinuxContainer {
}); });
info!(logger, "exec fifo opened!"); info!(logger, "exec fifo opened!");
let (prfd, cwfd) = unistd::pipe().chain_err(|| "failed to create pipe")?; let (prfd, cwfd) = unistd::pipe().context("failed to create pipe")?;
let (crfd, pwfd) = unistd::pipe().chain_err(|| "failed to create pipe")?; let (crfd, pwfd) = unistd::pipe().context("failed to create pipe")?;
fcntl::fcntl(prfd, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC)); fcntl::fcntl(prfd, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC));
fcntl::fcntl(pwfd, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC)); fcntl::fcntl(pwfd, FcntlArg::F_SETFD(FdFlag::FD_CLOEXEC));
@ -858,7 +850,7 @@ impl BaseContainer for LinuxContainer {
if pidns.is_some() { if pidns.is_some() {
sched::setns(pidns.unwrap(), CloneFlags::CLONE_NEWPID) sched::setns(pidns.unwrap(), CloneFlags::CLONE_NEWPID)
.chain_err(|| "failed to join pidns")?; .context("failed to join pidns")?;
unistd::close(pidns.unwrap())?; unistd::close(pidns.unwrap())?;
} else { } else {
sched::unshare(CloneFlags::CLONE_NEWPID)?; sched::unshare(CloneFlags::CLONE_NEWPID)?;
@ -923,7 +915,7 @@ impl BaseContainer for LinuxContainer {
// create the pipes for notify process exited // create the pipes for notify process exited
let (exit_pipe_r, exit_pipe_w) = unistd::pipe2(OFlag::O_CLOEXEC) let (exit_pipe_r, exit_pipe_w) = unistd::pipe2(OFlag::O_CLOEXEC)
.chain_err(|| "failed to create pipe") .context("failed to create pipe")
.map_err(|e| { .map_err(|e| {
signal::kill(Pid::from_raw(child.id() as i32), Some(Signal::SIGKILL)); signal::kill(Pid::from_raw(child.id() as i32), Some(Signal::SIGKILL));
e e
@ -1056,11 +1048,7 @@ fn do_exec(args: &[String]) -> Result<()> {
fn update_namespaces(logger: &Logger, spec: &mut Spec, init_pid: RawFd) -> Result<()> { fn update_namespaces(logger: &Logger, spec: &mut Spec, init_pid: RawFd) -> Result<()> {
let linux = match spec.linux.as_mut() { let linux = match spec.linux.as_mut() {
None => { None => return Err(anyhow!("Spec didn't container linux field")),
return Err(
ErrorKind::ErrorCode("Spec didn't container linux field".to_string()).into(),
)
}
Some(l) => l, Some(l) => l,
}; };
@ -1107,7 +1095,7 @@ fn get_pid_namespace(logger: &Logger, linux: &Linux) -> Result<Option<RawFd>> {
} }
} }
Err(ErrorKind::ErrorCode("cannot find the pid ns".to_string()).into()) Err(anyhow!("cannot find the pid ns"))
} }
fn is_userns_enabled(linux: &Linux) -> bool { fn is_userns_enabled(linux: &Linux) -> bool {
@ -1271,7 +1259,7 @@ fn write_mappings(logger: &Logger, path: &str, maps: &[LinuxIDMapping]) -> Resul
fn setid(uid: Uid, gid: Gid) -> Result<()> { fn setid(uid: Uid, gid: Gid) -> Result<()> {
// set uid/gid // set uid/gid
if let Err(e) = prctl::set_keep_capabilities(true) { if let Err(e) = prctl::set_keep_capabilities(true) {
bail!(format!("set keep capabilities returned {}", e)); bail!(anyhow!(e).context("set keep capabilities returned"));
}; };
{ {
unistd::setresgid(gid, gid, gid)?; unistd::setresgid(gid, gid, gid)?;
@ -1285,7 +1273,7 @@ fn setid(uid: Uid, gid: Gid) -> Result<()> {
} }
if let Err(e) = prctl::set_keep_capabilities(false) { if let Err(e) = prctl::set_keep_capabilities(false) {
bail!(format!("set keep capabilities returned {}", e)); bail!(anyhow!(e).context("set keep capabilities returned"));
}; };
Ok(()) Ok(())
} }
@ -1306,10 +1294,10 @@ impl LinuxContainer {
if let Err(e) = fs::create_dir_all(root.as_str()) { if let Err(e) = fs::create_dir_all(root.as_str()) {
if e.kind() == std::io::ErrorKind::AlreadyExists { if e.kind() == std::io::ErrorKind::AlreadyExists {
return Err(e).chain_err(|| format!("container {} already exists", id.as_str())); return Err(e).context(format!("container {} already exists", id.as_str()));
} }
return Err(e).chain_err(|| format!("fail to create container directory {}", root)); return Err(e).context(format!("fail to create container directory {}", root));
} }
unistd::chown( unistd::chown(
@ -1317,7 +1305,7 @@ impl LinuxContainer {
Some(unistd::getuid()), Some(unistd::getuid()),
Some(unistd::getgid()), Some(unistd::getgid()),
) )
.chain_err(|| format!("cannot change onwer of container {} root", id))?; .context(format!("cannot change onwer of container {} root", id))?;
if config.spec.is_none() { if config.spec.is_none() {
return Err(nix::Error::Sys(Errno::EINVAL).into()); return Err(nix::Error::Sys(Errno::EINVAL).into());
@ -1359,7 +1347,7 @@ impl LinuxContainer {
} }
fn load<T: Into<String>>(_id: T, _base: T) -> Result<Self> { fn load<T: Into<String>>(_id: T, _base: T) -> Result<Self> {
Err(ErrorKind::ErrorCode("not supported".to_string()).into()) Err(anyhow!("not supported"))
} }
/* /*
fn new_parent_process(&self, p: &Process) -> Result<Box<ParentProcess>> { fn new_parent_process(&self, p: &Process) -> Result<Box<ParentProcess>> {
@ -1500,7 +1488,7 @@ fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
let binary = PathBuf::from(h.path.as_str()); let binary = PathBuf::from(h.path.as_str());
let path = binary.canonicalize()?; let path = binary.canonicalize()?;
if !path.exists() { if !path.exists() {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
let args = h.args.clone(); let args = h.args.clone();
@ -1531,11 +1519,11 @@ fn execute_hook(logger: &Logger, h: &Hook, st: &OCIState) -> Result<()> {
if status != 0 { if status != 0 {
if status == -libc::ETIMEDOUT { if status == -libc::ETIMEDOUT {
return Err(ErrorKind::Nix(Error::from_errno(Errno::ETIMEDOUT)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::ETIMEDOUT)));
} else if status == -libc::EPIPE { } else if status == -libc::EPIPE {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EPIPE)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EPIPE)));
} else { } else {
return Err(ErrorKind::Nix(Error::from_errno(Errno::UnknownErrno)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::UnknownErrno)));
} }
} }

33
src/agent/rustjail/src/mount.rs
View File

@ -3,6 +3,7 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// //
use anyhow::{anyhow, Context, Error, Result};
use libc::uid_t; use libc::uid_t;
use nix::errno::Errno; use nix::errno::Errno;
use nix::fcntl::{self, OFlag}; use nix::fcntl::{self, OFlag};
@ -23,7 +24,6 @@ use std::fs::File;
use std::io::{BufRead, BufReader}; use std::io::{BufRead, BufReader};
use crate::container::DEFAULT_DEVICES; use crate::container::DEFAULT_DEVICES;
use crate::errors::*;
use crate::sync::write_count; use crate::sync::write_count;
use lazy_static; use lazy_static;
use std::string::ToString; use std::string::ToString;
@ -139,7 +139,7 @@ pub fn init_rootfs(
for m in &spec.mounts { for m in &spec.mounts {
let (mut flags, data) = parse_mount(&m); let (mut flags, data) = parse_mount(&m);
if !m.destination.starts_with("/") || m.destination.contains("..") { if !m.destination.starts_with("/") || m.destination.contains("..") {
return Err(ErrorKind::Nix(nix::Error::Sys(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::Sys(Errno::EINVAL)));
} }
if m.r#type == "cgroup" { if m.r#type == "cgroup" {
mount_cgroups(cfd_log, &m, rootfs, flags, &data, cpath, mounts)?; mount_cgroups(cfd_log, &m, rootfs, flags, &data, cpath, mounts)?;
@ -289,7 +289,7 @@ pub fn pivot_rootfs<P: ?Sized + NixPath + std::fmt::Debug>(path: &P) -> Result<(
// Change to the new root so that the pivot_root actually acts on it. // Change to the new root so that the pivot_root actually acts on it.
unistd::fchdir(newroot)?; unistd::fchdir(newroot)?;
unistd::pivot_root(".", ".").chain_err(|| format!("failed to pivot_root on {:?}", path))?; unistd::pivot_root(".", ".").context(format!("failed to pivot_root on {:?}", path))?;
// Currently our "." is oldroot (according to the current kernel code). // Currently our "." is oldroot (according to the current kernel code).
// However, purely for safety, we will fchdir(oldroot) since there isn't // However, purely for safety, we will fchdir(oldroot) since there isn't
@ -311,7 +311,7 @@ pub fn pivot_rootfs<P: ?Sized + NixPath + std::fmt::Debug>(path: &P) -> Result<(
)?; )?;
// Preform the unmount. MNT_DETACH allows us to unmount /proc/self/cwd. // Preform the unmount. MNT_DETACH allows us to unmount /proc/self/cwd.
mount::umount2(".", MntFlags::MNT_DETACH).chain_err(|| "failed to do umount2")?; mount::umount2(".", MntFlags::MNT_DETACH).context("failed to do umount2")?;
// Switch back to our shiny new root. // Switch back to our shiny new root.
unistd::chdir("/")?; unistd::chdir("/")?;
@ -395,7 +395,7 @@ fn parse_mount_table() -> Result<Vec<Info>> {
infos.push(info); infos.push(info);
} else { } else {
return Err(ErrorKind::ErrorCode("failed to parse mount info file".to_string()).into()); return Err(anyhow!("failed to parse mount info file".to_string()));
} }
} }
@ -408,20 +408,17 @@ pub fn ms_move_root(rootfs: &str) -> Result<bool> {
let root_path = Path::new(rootfs); let root_path = Path::new(rootfs);
let abs_root_buf = root_path.absolutize()?; let abs_root_buf = root_path.absolutize()?;
let abs_root = abs_root_buf.to_str().ok_or::<Error>( let abs_root = abs_root_buf
ErrorKind::ErrorCode(format!("failed to parse {} to absolute path", rootfs)).into(), .to_str()
)?; .ok_or::<Error>(anyhow!("failed to parse {} to absolute path", rootfs))?;
for info in mount_infos.iter() { for info in mount_infos.iter() {
let mount_point = Path::new(&info.mount_point); let mount_point = Path::new(&info.mount_point);
let abs_mount_buf = mount_point.absolutize()?; let abs_mount_buf = mount_point.absolutize()?;
let abs_mount_point = abs_mount_buf.to_str().ok_or::<Error>( let abs_mount_point = abs_mount_buf.to_str().ok_or::<Error>(anyhow!(
ErrorKind::ErrorCode(format!( "failed to parse {} to absolute path",
"failed to parse {} to absolute path", info.mount_point
info.mount_point ))?;
))
.into(),
)?;
let abs_mount_point_string = String::from(abs_mount_point); let abs_mount_point_string = String::from(abs_mount_point);
// Umount every syfs and proc file systems, except those under the container rootfs // Umount every syfs and proc file systems, except those under the container rootfs
@ -443,7 +440,7 @@ pub fn ms_move_root(rootfs: &str) -> Result<bool> {
Ok(_) => (), Ok(_) => (),
Err(e) => { Err(e) => {
if e.ne(&nix::Error::from(Errno::EINVAL)) && e.ne(&nix::Error::from(Errno::EPERM)) { if e.ne(&nix::Error::from(Errno::EINVAL)) && e.ne(&nix::Error::from(Errno::EPERM)) {
return Err(ErrorKind::ErrorCode(e.to_string()).into()); return Err(anyhow!(e));
} }
// If we have not privileges for umounting (e.g. rootless), then // If we have not privileges for umounting (e.g. rootless), then
@ -630,7 +627,7 @@ fn create_devices(devices: &[LinuxDevice], bind: bool) -> Result<()> {
for dev in devices { for dev in devices {
if !dev.path.starts_with("/dev") || dev.path.contains("..") { if !dev.path.starts_with("/dev") || dev.path.contains("..") {
let msg = format!("{} is not a valid device path", dev.path); let msg = format!("{} is not a valid device path", dev.path);
bail!(ErrorKind::ErrorCode(msg)); bail!(anyhow!(msg));
} }
op(dev)?; op(dev)?;
} }
@ -661,7 +658,7 @@ lazy_static! {
fn mknod_dev(dev: &LinuxDevice) -> Result<()> { fn mknod_dev(dev: &LinuxDevice) -> Result<()> {
let f = match LINUXDEVICETYPE.get(dev.r#type.as_str()) { let f = match LINUXDEVICETYPE.get(dev.r#type.as_str()) {
Some(v) => v, Some(v) => v,
None => return Err(ErrorKind::ErrorCode("invalid spec".to_string()).into()), None => return Err(anyhow!("invalid spec".to_string())),
}; };
stat::mknod( stat::mknod(

43
src/agent/rustjail/src/sync.rs
View File

@ -3,13 +3,13 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// //
use crate::errors::*;
use nix::errno::Errno; use nix::errno::Errno;
use nix::unistd; use nix::unistd;
use nix::Error;
use std::mem; use std::mem;
use std::os::unix::io::RawFd; use std::os::unix::io::RawFd;
use anyhow::{anyhow, Result};
pub const SYNC_SUCCESS: i32 = 1; pub const SYNC_SUCCESS: i32 = 1;
pub const SYNC_FAILED: i32 = 2; pub const SYNC_FAILED: i32 = 2;
pub const SYNC_DATA: i32 = 3; pub const SYNC_DATA: i32 = 3;
@ -40,7 +40,7 @@ pub fn write_count(fd: RawFd, buf: &[u8], count: usize) -> Result<usize> {
} }
Err(e) => { Err(e) => {
if e != Error::from_errno(Errno::EINTR) { if e != nix::Error::from_errno(Errno::EINTR) {
return Err(e.into()); return Err(e.into());
} }
} }
@ -64,7 +64,7 @@ fn read_count(fd: RawFd, count: usize) -> Result<Vec<u8>> {
} }
Err(e) => { Err(e) => {
if e != Error::from_errno(Errno::EINTR) { if e != nix::Error::from_errno(Errno::EINTR) {
return Err(e.into()); return Err(e.into());
} }
} }
@ -77,13 +77,12 @@ fn read_count(fd: RawFd, count: usize) -> Result<Vec<u8>> {
pub fn read_sync(fd: RawFd) -> Result<Vec<u8>> { pub fn read_sync(fd: RawFd) -> Result<Vec<u8>> {
let buf = read_count(fd, MSG_SIZE)?; let buf = read_count(fd, MSG_SIZE)?;
if buf.len() != MSG_SIZE { if buf.len() != MSG_SIZE {
return Err(ErrorKind::ErrorCode(format!( return Err(anyhow!(
"process: {} failed to receive sync message from peer: got msg length: {}, expected: {}", "process: {} failed to receive sync message from peer: got msg length: {}, expected: {}",
std::process::id(), std::process::id(),
buf.len(), buf.len(),
MSG_SIZE MSG_SIZE
)) ));
.into());
} }
let buf_array: [u8; MSG_SIZE] = [buf[0], buf[1], buf[2], buf[3]]; let buf_array: [u8; MSG_SIZE] = [buf[0], buf[1], buf[2], buf[3]];
let msg: i32 = i32::from_be_bytes(buf_array); let msg: i32 = i32::from_be_bytes(buf_array);
@ -111,19 +110,17 @@ pub fn read_sync(fd: RawFd) -> Result<Vec<u8>> {
} }
let error_str = match std::str::from_utf8(&error_buf) { let error_str = match std::str::from_utf8(&error_buf) {
Ok(v) => v, Ok(v) => String::from(v),
Err(e) => { Err(e) => {
return Err(ErrorKind::ErrorCode(format!( return Err(
"receive error message from child process failed: {:?}", anyhow!(e).context("receive error message from child process failed")
e );
))
.into())
} }
}; };
return Err(ErrorKind::ErrorCode(String::from(error_str)).into()); return Err(anyhow!(error_str));
} }
_ => return Err(ErrorKind::ErrorCode("error in receive sync message".to_string()).into()), _ => return Err(anyhow!("error in receive sync message")),
} }
} }
@ -132,7 +129,7 @@ pub fn write_sync(fd: RawFd, msg_type: i32, data_str: &str) -> Result<()> {
let count = write_count(fd, &buf, MSG_SIZE)?; let count = write_count(fd, &buf, MSG_SIZE)?;
if count != MSG_SIZE { if count != MSG_SIZE {
return Err(ErrorKind::ErrorCode("error in send sync message".to_string()).into()); return Err(anyhow!("error in send sync message"));
} }
match msg_type { match msg_type {
@ -140,9 +137,7 @@ pub fn write_sync(fd: RawFd, msg_type: i32, data_str: &str) -> Result<()> {
Ok(_count) => unistd::close(fd)?, Ok(_count) => unistd::close(fd)?,
Err(e) => { Err(e) => {
unistd::close(fd)?; unistd::close(fd)?;
return Err( return Err(anyhow!(e).context("error in send message to process"));
ErrorKind::ErrorCode("error in send message to process".to_string()).into(),
);
} }
}, },
SYNC_DATA => { SYNC_DATA => {
@ -151,10 +146,7 @@ pub fn write_sync(fd: RawFd, msg_type: i32, data_str: &str) -> Result<()> {
Ok(_count) => (), Ok(_count) => (),
Err(e) => { Err(e) => {
unistd::close(fd)?; unistd::close(fd)?;
return Err(ErrorKind::ErrorCode( return Err(anyhow!(e).context("error in send message to process"));
"error in send message to process".to_string(),
)
.into());
} }
} }
@ -162,10 +154,7 @@ pub fn write_sync(fd: RawFd, msg_type: i32, data_str: &str) -> Result<()> {
Ok(_count) => (), Ok(_count) => (),
Err(e) => { Err(e) => {
unistd::close(fd)?; unistd::close(fd)?;
return Err(ErrorKind::ErrorCode( return Err(anyhow!(e).context("error in send message to process"));
"error in send message to process".to_string(),
)
.into());
} }
} }
} }

47
src/agent/rustjail/src/validator.rs
View File

@ -4,10 +4,9 @@
// //
use crate::container::Config; use crate::container::Config;
use crate::errors::*; use anyhow::{anyhow, Result};
use lazy_static; use lazy_static;
use nix::errno::Errno; use nix::errno::Errno;
use nix::Error;
use oci::{LinuxIDMapping, LinuxNamespace, Spec}; use oci::{LinuxIDMapping, LinuxNamespace, Spec};
use protobuf::RepeatedField; use protobuf::RepeatedField;
use std::collections::HashMap; use std::collections::HashMap;
@ -30,14 +29,14 @@ fn get_namespace_path(nses: &Vec<LinuxNamespace>, key: &str) -> Result<String> {
} }
} }
Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()) Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)))
} }
fn rootfs(root: &str) -> Result<()> { fn rootfs(root: &str) -> Result<()> {
let path = PathBuf::from(root); let path = PathBuf::from(root);
// not absolute path or not exists // not absolute path or not exists
if !path.exists() || !path.is_absolute() { if !path.exists() || !path.is_absolute() {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
// symbolic link? ..? // symbolic link? ..?
@ -65,7 +64,7 @@ fn rootfs(root: &str) -> Result<()> {
let canon = path.canonicalize()?; let canon = path.canonicalize()?;
if cleaned != canon { if cleaned != canon {
// There is symbolic in path // There is symbolic in path
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
Ok(()) Ok(())
@ -81,11 +80,11 @@ fn hostname(oci: &Spec) -> Result<()> {
} }
if oci.linux.is_none() { if oci.linux.is_none() {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
let linux = oci.linux.as_ref().unwrap(); let linux = oci.linux.as_ref().unwrap();
if !contain_namespace(&linux.namespaces, "uts") { if !contain_namespace(&linux.namespaces, "uts") {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
Ok(()) Ok(())
@ -98,7 +97,7 @@ fn security(oci: &Spec) -> Result<()> {
} }
if !contain_namespace(&linux.namespaces, "mount") { if !contain_namespace(&linux.namespaces, "mount") {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
// don't care about selinux at present // don't care about selinux at present
@ -113,7 +112,7 @@ fn idmapping(maps: &Vec<LinuxIDMapping>) -> Result<()> {
} }
} }
Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()) Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)))
} }
fn usernamespace(oci: &Spec) -> Result<()> { fn usernamespace(oci: &Spec) -> Result<()> {
@ -121,7 +120,7 @@ fn usernamespace(oci: &Spec) -> Result<()> {
if contain_namespace(&linux.namespaces, "user") { if contain_namespace(&linux.namespaces, "user") {
let user_ns = PathBuf::from("/proc/self/ns/user"); let user_ns = PathBuf::from("/proc/self/ns/user");
if !user_ns.exists() { if !user_ns.exists() {
return Err(ErrorKind::ErrorCode("user namespace not supported!".to_string()).into()); return Err(anyhow!("user namespace not supported!"));
} }
// check if idmappings is correct, at least I saw idmaps // check if idmappings is correct, at least I saw idmaps
// with zero size was passed to agent // with zero size was passed to agent
@ -130,7 +129,7 @@ fn usernamespace(oci: &Spec) -> Result<()> {
} else { } else {
// no user namespace but idmap // no user namespace but idmap
if linux.uid_mappings.len() != 0 || linux.gid_mappings.len() != 0 { if linux.uid_mappings.len() != 0 || linux.gid_mappings.len() != 0 {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
} }
@ -142,7 +141,7 @@ fn cgroupnamespace(oci: &Spec) -> Result<()> {
if contain_namespace(&linux.namespaces, "cgroup") { if contain_namespace(&linux.namespaces, "cgroup") {
let path = PathBuf::from("/proc/self/ns/cgroup"); let path = PathBuf::from("/proc/self/ns/cgroup");
if !path.exists() { if !path.exists() {
return Err(ErrorKind::ErrorCode("cgroup unsupported!".to_string()).into()); return Err(anyhow!("cgroup unsupported!"));
} }
} }
Ok(()) Ok(())
@ -176,7 +175,7 @@ fn check_host_ns(path: &str) -> Result<()> {
} }
let real_cpath = cpath.read_link()?; let real_cpath = cpath.read_link()?;
if real_cpath == real_hpath { if real_cpath == real_hpath {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
Ok(()) Ok(())
@ -189,13 +188,13 @@ fn sysctl(oci: &Spec) -> Result<()> {
if contain_namespace(&linux.namespaces, "ipc") { if contain_namespace(&linux.namespaces, "ipc") {
continue; continue;
} else { } else {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
} }
if key.starts_with("net.") { if key.starts_with("net.") {
if !contain_namespace(&linux.namespaces, "network") { if !contain_namespace(&linux.namespaces, "network") {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
let net = get_namespace_path(&linux.namespaces, "network")?; let net = get_namespace_path(&linux.namespaces, "network")?;
@ -212,11 +211,11 @@ fn sysctl(oci: &Spec) -> Result<()> {
} }
if key == "kernel.hostname" { if key == "kernel.hostname" {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
} }
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
Ok(()) Ok(())
} }
@ -224,11 +223,11 @@ fn sysctl(oci: &Spec) -> Result<()> {
fn rootless_euid_mapping(oci: &Spec) -> Result<()> { fn rootless_euid_mapping(oci: &Spec) -> Result<()> {
let linux = oci.linux.as_ref().unwrap(); let linux = oci.linux.as_ref().unwrap();
if !contain_namespace(&linux.namespaces, "user") { if !contain_namespace(&linux.namespaces, "user") {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
if linux.gid_mappings.len() == 0 || linux.gid_mappings.len() == 0 { if linux.gid_mappings.len() == 0 || linux.gid_mappings.len() == 0 {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
Ok(()) Ok(())
@ -252,20 +251,20 @@ fn rootless_euid_mount(oci: &Spec) -> Result<()> {
let fields: Vec<&str> = opt.split('=').collect(); let fields: Vec<&str> = opt.split('=').collect();
if fields.len() != 2 { if fields.len() != 2 {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
let id = fields[1].trim().parse::<u32>()?; let id = fields[1].trim().parse::<u32>()?;
if opt.starts_with("uid=") { if opt.starts_with("uid=") {
if !has_idmapping(&linux.uid_mappings, id) { if !has_idmapping(&linux.uid_mappings, id) {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
} }
if opt.starts_with("gid=") { if opt.starts_with("gid=") {
if !has_idmapping(&linux.gid_mappings, id) { if !has_idmapping(&linux.gid_mappings, id) {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
} }
} }
@ -285,11 +284,11 @@ pub fn validate(conf: &Config) -> Result<()> {
let oci = conf.spec.as_ref().unwrap(); let oci = conf.spec.as_ref().unwrap();
if oci.linux.is_none() { if oci.linux.is_none() {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
if oci.root.is_none() { if oci.root.is_none() {
return Err(ErrorKind::Nix(Error::from_errno(Errno::EINVAL)).into()); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
let root = oci.root.as_ref().unwrap().path.as_str(); let root = oci.root.as_ref().unwrap().path.as_str();