From f52468bea72471f08272019c7823f6aa5ee96cbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 19 May 2021 09:38:32 +0200 Subject: [PATCH] agent/agent-ctl: Replace prctl crate by the capctl one MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While evaluating the possibility of having kata-agent statically linked to the GNU libc, we've ended up facing some issues with prctl. When debugging the issues, we figured out that the crate hasn't been maintained since 2015 and that the capctl one is a good 1:1 replacement for what we need. Fixes: #1844 Signed-off-by: Fabiano FidĂȘncio --- src/agent/Cargo.lock | 24 ++++++++++++------------ src/agent/Cargo.toml | 2 +- src/agent/rustjail/Cargo.toml | 2 +- src/agent/rustjail/src/container.rs | 8 ++++---- src/agent/rustjail/src/lib.rs | 2 +- src/agent/src/main.rs | 2 +- src/agent/src/signal.rs | 4 ++-- tools/agent-ctl/Cargo.lock | 22 +++++++++++----------- 8 files changed, 33 insertions(+), 33 deletions(-) diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index 791fa88d8f..633159b913 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock @@ -117,6 +117,16 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040" +[[package]] +name = "capctl" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eea0d91a34c56f0a0779e1cc2ec7040fa7f672819c4d3fe7d9dd4af3d2e78aca" +dependencies = [ + "bitflags", + "libc", +] + [[package]] name = "caps" version = "0.5.2" @@ -471,6 +481,7 @@ version = "0.1.0" dependencies = [ "anyhow", "async-trait", + "capctl", "cgroups-rs", "futures", "ipnetwork", @@ -482,7 +493,6 @@ dependencies = [ "netlink-sys", "nix 0.17.0", "oci", - "prctl", "procfs", "prometheus", "protobuf", @@ -865,16 +875,6 @@ version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857" -[[package]] -name = "prctl" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "059a34f111a9dee2ce1ac2826a68b24601c4298cfeb1a587c3cb493d5ab46f52" -dependencies = [ - "libc", - "nix 0.20.0", -] - [[package]] name = "proc-macro-hack" version = "0.5.19" @@ -1159,6 +1159,7 @@ version = "0.1.0" dependencies = [ "anyhow", "async-trait", + "capctl", "caps", "cgroups-rs", "futures", @@ -1168,7 +1169,6 @@ dependencies = [ "nix 0.17.0", "oci", "path-absolutize", - "prctl", "protobuf", "protocols", "regex", diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index 6f292dcc32..47df6eaee0 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml @@ -14,7 +14,7 @@ ttrpc = { version = "0.5.0", features = ["async", "protobuf-codec"], default-fea protobuf = "=2.14.0" libc = "0.2.58" nix = "0.17.0" -prctl = "1.0.0" +capctl = "0.2.0" serde_json = "1.0.39" scan_fmt = "0.2.3" scopeguard = "1.0.0" diff --git a/src/agent/rustjail/Cargo.toml b/src/agent/rustjail/Cargo.toml index 9d65edbf89..5b66b043a8 100644 --- a/src/agent/rustjail/Cargo.toml +++ b/src/agent/rustjail/Cargo.toml @@ -13,7 +13,7 @@ protocols = { path ="../protocols" } caps = "0.5.0" nix = "0.17.0" scopeguard = "1.0.0" -prctl = "1.0.0" +capctl = "0.2.0" lazy_static = "1.3.0" libc = "0.2.58" protobuf = "=2.14.0" diff --git a/src/agent/rustjail/src/container.rs b/src/agent/rustjail/src/container.rs index 3546ee957c..f55878ce1c 100644 --- a/src/agent/rustjail/src/container.rs +++ b/src/agent/rustjail/src/container.rs @@ -469,7 +469,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> { // Ref: https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5 // if !nses.is_empty() { - prctl::set_dumpable(false) + capctl::prctl::set_dumpable(false) .map_err(|e| anyhow!(e).context("set process non-dumpable failed"))?; } @@ -602,7 +602,7 @@ fn do_init_child(cwfd: RawFd) -> Result<()> { // NoNewPeiviledges, Drop capabilities if oci_process.no_new_privileges { - prctl::set_no_new_privileges(true).map_err(|_| anyhow!("cannot set no new privileges"))?; + capctl::prctl::set_no_new_privs().map_err(|_| anyhow!("cannot set no new privileges"))?; } if oci_process.capabilities.is_some() { @@ -1314,7 +1314,7 @@ fn write_mappings(logger: &Logger, path: &str, maps: &[LinuxIdMapping]) -> Resul fn setid(uid: Uid, gid: Gid) -> Result<()> { // set uid/gid - prctl::set_keep_capabilities(true) + capctl::prctl::set_keepcaps(true) .map_err(|e| anyhow!(e).context("set keep capabilities returned"))?; { @@ -1328,7 +1328,7 @@ fn setid(uid: Uid, gid: Gid) -> Result<()> { capabilities::reset_effective()?; } - prctl::set_keep_capabilities(false) + capctl::prctl::set_keepcaps(false) .map_err(|e| anyhow!(e).context("set keep capabilities returned"))?; Ok(()) diff --git a/src/agent/rustjail/src/lib.rs b/src/agent/rustjail/src/lib.rs index c0c66cb78f..b9fadd4038 100644 --- a/src/agent/rustjail/src/lib.rs +++ b/src/agent/rustjail/src/lib.rs @@ -23,7 +23,7 @@ extern crate caps; extern crate protocols; #[macro_use] extern crate scopeguard; -extern crate prctl; +extern crate capctl; #[macro_use] extern crate lazy_static; extern crate libc; diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs index 595951bc5e..cab67edcbb 100644 --- a/src/agent/src/main.rs +++ b/src/agent/src/main.rs @@ -5,8 +5,8 @@ #[macro_use] extern crate lazy_static; +extern crate capctl; extern crate oci; -extern crate prctl; extern crate prometheus; extern crate protocols; extern crate regex; diff --git a/src/agent/src/signal.rs b/src/agent/src/signal.rs index 7f823b2f19..cde54af5e8 100644 --- a/src/agent/src/signal.rs +++ b/src/agent/src/signal.rs @@ -6,10 +6,10 @@ use crate::sandbox::Sandbox; use anyhow::{anyhow, Result}; +use capctl::prctl::set_subreaper; use nix::sys::wait::WaitPidFlag; use nix::sys::wait::{self, WaitStatus}; use nix::unistd; -use prctl::set_child_subreaper; use slog::{error, info, o, Logger}; use std::sync::Arc; use tokio::select; @@ -88,7 +88,7 @@ pub async fn setup_signal_handler( ) -> Result<()> { let logger = logger.new(o!("subsystem" => "signals")); - set_child_subreaper(true) + set_subreaper(true) .map_err(|err| anyhow!(err).context("failed to setup agent as a child subreaper"))?; let mut sigchild_stream = signal(SignalKind::child())?; diff --git a/tools/agent-ctl/Cargo.lock b/tools/agent-ctl/Cargo.lock index 0751394c8f..a52c722d3c 100644 --- a/tools/agent-ctl/Cargo.lock +++ b/tools/agent-ctl/Cargo.lock @@ -116,6 +116,16 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b700ce4376041dcd0a327fd0097c41095743c4c8af8887265942faf1100bd040" +[[package]] +name = "capctl" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eea0d91a34c56f0a0779e1cc2ec7040fa7f672819c4d3fe7d9dd4af3d2e78aca" +dependencies = [ + "bitflags", + "libc", +] + [[package]] name = "caps" version = "0.5.2" @@ -710,16 +720,6 @@ version = "0.2.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ac74c624d6b2d21f425f752262f42188365d7b8ff1aff74c82e45136510a4857" -[[package]] -name = "prctl" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "059a34f111a9dee2ce1ac2826a68b24601c4298cfeb1a587c3cb493d5ab46f52" -dependencies = [ - "libc", - "nix 0.20.0", -] - [[package]] name = "proc-macro-hack" version = "0.5.19" @@ -992,6 +992,7 @@ version = "0.1.0" dependencies = [ "anyhow", "async-trait", + "capctl", "caps", "cgroups-rs", "futures", @@ -1001,7 +1002,6 @@ dependencies = [ "nix 0.17.0", "oci", "path-absolutize", - "prctl", "protobuf", "protocols", "regex",