From 55d3c136d940a5dbed8fd226c988b641f27bf48c Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Mon, 15 May 2023 14:01:58 +0200 Subject: nspawn: fix a typo in an error message --- src/nspawn/nspawn-oci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c index 3c6bfd3eaf..e9de257407 100644 --- a/src/nspawn/nspawn-oci.c +++ b/src/nspawn/nspawn-oci.c @@ -605,7 +605,7 @@ static int oci_namespace_type(const char *name, JsonVariant *v, JsonDispatchFlag *nsflags = CLONE_NEWCGROUP; else return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), - "Unknown cgroup type, refusing: %s", n); + "Unknown namespace type, refusing: %s", n); return 0; } -- cgit v1.2.1 From 3426ec8efb7f075f71768e993dfe8c3c104b68ab Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Mon, 15 May 2023 14:05:15 +0200 Subject: nspawn: file system namespace -> mount namespace --- src/nspawn/nspawn-oci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c index e9de257407..e8bbb6db2a 100644 --- a/src/nspawn/nspawn-oci.c +++ b/src/nspawn/nspawn-oci.c @@ -663,7 +663,7 @@ static int oci_namespaces(const char *name, JsonVariant *v, JsonDispatchFlags fl if (!FLAGS_SET(n, CLONE_NEWNS)) return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP), - "Containers without file system namespace aren't supported."); + "Containers without a mount namespace aren't supported."); s->private_network = FLAGS_SET(n, CLONE_NEWNET); s->userns_mode = FLAGS_SET(n, CLONE_NEWUSER) ? USER_NAMESPACE_FIXED : USER_NAMESPACE_NO; -- cgit v1.2.1 From 825210d4e5d52655ff893d600da2d2c8e5c0c8e1 Mon Sep 17 00:00:00 2001 
From: Frantisek Sumsal Date: Tue, 16 May 2023 08:18:32 +0200 Subject: nspawn: avoid NULL pointer dereference When merging the settings we take the pointer to the array of extra devices, but don't reset the array counter to zero. This later leads to a NULL pointer dereference, where device_node_array_free() attempts to loop over a NULL pointer: + systemd-nspawn --oci-bundle=/var/lib/machines/testsuite-13.oci-bundle.Npo ../src/nspawn/nspawn-settings.c:118:29: runtime error: member access within null pointer of type 'struct DeviceNode' #0 0x4b91ee in device_node_array_free ../src/nspawn/nspawn-settings.c:118 #1 0x4ba42a in settings_free ../src/nspawn/nspawn-settings.c:161 #2 0x410b79 in settings_freep ../src/nspawn/nspawn-settings.h:249 #3 0x446ce8 in load_oci_bundle ../src/nspawn/nspawn.c:4733 #4 0x44ff42 in run ../src/nspawn/nspawn.c:5476 #5 0x455296 in main ../src/nspawn/nspawn.c:5919 #6 0x7f0cb7a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #7 0x7f0cb7a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #8 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/nspawn/nspawn-settings.c:118:29 in Also, add an appropriate assert to catch such issues in the future. --- src/nspawn/nspawn-settings.c | 2 ++ src/nspawn/nspawn.c | 1 + 2 files changed, 3 insertions(+) diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c index 7500eabd18..94a4c80ed6 100644 --- a/src/nspawn/nspawn-settings.c +++ b/src/nspawn/nspawn-settings.c @@ -114,6 +114,8 @@ static void free_oci_hooks(OciHook *h, size_t n) { void device_node_array_free(DeviceNode *node, size_t n) { size_t i; + assert(node || n == 0); + for (i = 0; i < n; i++) free(node[i].path); diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 49802d6fdf..5d49e05064 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c 
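Review bot: The new `assert(node || n == 0)` in device_node_array_free only catches the half of the pointer/count desync this commit hit (NULL pointer with a stale count); the symmetric mistake — copying the pointer out without TAKE_PTR and leaving the old owner's pointer and count intact — passes the assert and ends in a double free that nothing here detects. Since a DeviceNode array travels as a (pointer, count) pair, the contract deserves a comment on the function rather than only an abort on violation, e.g. `/* n must describe exactly the array in node; a caller that hands the array off must reset both, see merge_settings() */`. Whether this assert is still compiled in release builds depends on how the project's assert macro is defined, which is not visible in the hunk. The matching `assert(h || n == 0)` already present in free_oci_hooks is what this brings the two cleanup helpers in line with.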
@@ -4651,6 +4651,7 @@ static int merge_settings(Settings *settings, const char *path) { device_node_array_free(arg_extra_nodes, arg_n_extra_nodes); arg_extra_nodes = TAKE_PTR(settings->extra_nodes); arg_n_extra_nodes = settings->n_extra_nodes; + settings->n_extra_nodes = 0; return 0; } -- cgit v1.2.1 From 53ac7f1d54b925f7aeda47a9f26ac4a1bc0b3987 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Tue, 16 May 2023 08:19:09 +0200 Subject: nspawn: modernize the cleanup functions a bit --- src/nspawn/nspawn-settings.c | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c index 94a4c80ed6..161b1c1c70 100644 --- a/src/nspawn/nspawn-settings.c +++ b/src/nspawn/nspawn-settings.c @@ -97,29 +97,25 @@ int settings_load(FILE *f, const char *path, Settings **ret) { return 0; } -static void free_oci_hooks(OciHook *h, size_t n) { - size_t i; +static void free_oci_hooks(OciHook *hooks, size_t n) { + assert(hooks || n == 0); - assert(h || n == 0); - - for (i = 0; i < n; i++) { - free(h[i].path); - strv_free(h[i].args); - strv_free(h[i].env); + FOREACH_ARRAY(hook, hooks, n) { + free(hook->path); + strv_free(hook->args); + strv_free(hook->env); } - free(h); + free(hooks); } -void device_node_array_free(DeviceNode *node, size_t n) { - size_t i; - - assert(node || n == 0); +void device_node_array_free(DeviceNode *nodes, size_t n) { + assert(nodes || n == 0); - for (i = 0; i < n; i++) - free(node[i].path); + FOREACH_ARRAY(node, nodes, n) + free(node->path); - free(node); + free(nodes); } Settings* settings_free(Settings *s) { -- cgit v1.2.1 From ec0d7e0dd5c2fecfdbe7c02573b22a28200479f6 Mon Sep 17 00:00:00 2001 
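Review bot: The added `settings->n_extra_nodes = 0;` completes the ownership transfer, but it sits two lines away from the `TAKE_PTR(settings->extra_nodes)` that nulls the pointer and nothing ties the two together for whoever adds the next array-valued field to Settings. A comment on the new line records why the count must follow the pointer: `settings->n_extra_nodes = 0; /* the array moved with TAKE_PTR above; zero the count too or settings_free() walks a NULL array */`. The first context line shows `device_node_array_free(arg_extra_nodes, arg_n_extra_nodes)` releasing the previously merged array before the assignment, so a second merge_settings() call does not leak; merge_settings() itself begins before the hunk.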
From: Frantisek Sumsal Date: Mon, 15 May 2023 18:42:08 +0200 Subject: nspawn: disableOOMKiller should be boolean, not int See: https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config-linux.md#memory --- src/nspawn/nspawn-oci.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c index e8bbb6db2a..fc9b763a96 100644 --- a/src/nspawn/nspawn-oci.c +++ b/src/nspawn/nspawn-oci.c @@ -1177,13 +1177,13 @@ static int oci_cgroup_memory(const char *name, JsonVariant *v, JsonDispatchFlags }; static const JsonDispatch table[] = { - { "limit", JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, limit), 0 }, - { "reservation", JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, reservation), 0 }, - { "swap", JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, swap), 0 }, - { "kernel", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE }, - { "kernelTCP", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE }, - { "swapiness", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE }, - { "disableOOMKiller", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE }, + { "limit", JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, limit), 0 }, + { "reservation", JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, reservation), 0 }, + { "swap", JSON_VARIANT_NUMBER, oci_cgroup_memory_limit, offsetof(struct memory_data, swap), 0 }, + { "kernel", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE }, + { "kernelTCP", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE }, + { "swapiness", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE }, + { "disableOOMKiller", JSON_VARIANT_BOOLEAN, oci_unsupported, 0, JSON_PERMISSIVE }, {} }; -- cgit v1.2.1 From e5c275fedc0ab416730fe288a8754a20a014e200 Mon Sep 17 00:00:00 2001 
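Review bot: The sixth row of the table is keyed `"swapiness"`, whereas the OCI runtime-spec memory object the commit message links to spells the field `swappiness`; as written the spec's key never matches this row and is handed to json_dispatch's bad-key handler (not visible in the hunk) rather than the permissive oci_unsupported path, while only the misspelling is silently tolerated. The fix is the one-character change `{ "swappiness", JSON_VARIANT_NUMBER, oci_unsupported, 0, JSON_PERMISSIVE },`. Separately, every row except the three limits is JSON_PERMISSIVE, so a bundle asking for `disableOOMKiller: true` or a kernel-memory cap is started without those constraints; that may be deliberate, but a comment above the table naming which memory fields are actually enforced would keep operators from assuming the bundle is honoured in full.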
From: Frantisek Sumsal Date: Mon, 15 May 2023 19:06:14 +0200 Subject: nspawn: use the just returned errno in the log message Use the returned errno even though we are going to ignore it, otherwise the log message is just confusing: config.json:119:13: Failed to resolve device node 4:2, ignoring: Success --- src/nspawn/nspawn-oci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c index fc9b763a96..2b1fae0df4 100644 --- a/src/nspawn/nspawn-oci.c +++ b/src/nspawn/nspawn-oci.c @@ -874,7 +874,7 @@ static int oci_devices(const char *name, JsonVariant *v, JsonDispatchFlags flags /* Suppress a couple of implicit device nodes */ r = devname_from_devnum(node->mode, makedev(node->major, node->minor), &path); if (r < 0) - json_log(e, flags|JSON_DEBUG, 0, "Failed to resolve device node %u:%u, ignoring: %m", node->major, node->minor); + json_log(e, flags|JSON_DEBUG, r, "Failed to resolve device node %u:%u, ignoring: %m", node->major, node->minor); else { if (PATH_IN_SET(path, "/dev/null", -- cgit v1.2.1 From 3590d95b2b18e5a12ff1a3a4e037423e879dbaa1 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Mon, 15 May 2023 19:44:15 +0200 Subject: nspawn: all hooks should be arrays of objects, not just objects See: https://github.com/opencontainers/runtime-spec/blob/v1.0.0/config.md#posix-platform-hooks --- src/nspawn/nspawn-oci.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c index 2b1fae0df4..ae733139a4 100644 --- a/src/nspawn/nspawn-oci.c +++ b/src/nspawn/nspawn-oci.c 
@@ -2100,9 +2100,9 @@ static int oci_hooks_array(const char *name, JsonVariant *v, JsonDispatchFlags f static int oci_hooks(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) { static const JsonDispatch table[] = { - { "prestart", JSON_VARIANT_OBJECT, oci_hooks_array, 0, 0 }, - { "poststart", JSON_VARIANT_OBJECT, oci_hooks_array, 0, 0 }, - { "poststop", JSON_VARIANT_OBJECT, oci_hooks_array, 0, 0 }, + { "prestart", JSON_VARIANT_ARRAY, oci_hooks_array, 0, 0 }, + { "poststart", JSON_VARIANT_ARRAY, oci_hooks_array, 0, 0 }, + { "poststop", JSON_VARIANT_ARRAY, oci_hooks_array, 0, 0 }, {} }; -- cgit v1.2.1 From f4e5c042c9a5659a5eebb4c91c0f1132f02a2c59 Mon Sep 17 00:00:00 2001 
From: Frantisek Sumsal Date: Mon, 15 May 2023 19:45:13 +0200 Subject: nspawn: call json_dispatch() with a correct pointer Otherwise hilarity ensues: AddressSanitizer:DEADLYSIGNAL ================================================================= ==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0) ==722==The signal is caused by a READ memory access. #0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb) #1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33 #2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46 #3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948 #4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197 #5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139 #6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089 #8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112 #10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395 #11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197 #12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #14 0x4552fb in main ../src/nspawn/nspawn.c:5920 #15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0 ==722==ABORTING --- src/nspawn/nspawn-oci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c index ae733139a4..c67516f2c1 100644 --- a/src/nspawn/nspawn-oci.c +++ b/src/nspawn/nspawn-oci.c 
@@ -2083,7 +2083,7 @@ static int oci_hooks_array(const char *name, JsonVariant *v, JsonDispatchFlags f .timeout = USEC_INFINITY, }; - r = json_dispatch(e, table, oci_unexpected, flags, userdata); + r = json_dispatch(e, table, oci_unexpected, flags, new_item); if (r < 0) { free(new_item->path); strv_free(new_item->args); -- cgit v1.2.1 From fc832965476d106fb3d5a6c9a43f5ff3166987b2 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Mon, 15 May 2023 20:10:05 +0200 Subject: nspawn: fix inverted condition --- src/nspawn/nspawn-oci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c index c67516f2c1..22ac1e2ebf 100644 --- a/src/nspawn/nspawn-oci.c +++ b/src/nspawn/nspawn-oci.c @@ -1589,7 +1589,7 @@ static int oci_sysctl(const char *name, JsonVariant *v, JsonDispatchFlags flags, assert_se(m = json_variant_string(w)); - if (sysctl_key_valid(k)) + if (!sysctl_key_valid(k)) return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), "sysctl key invalid, refusing: %s", k); -- cgit v1.2.1 From 525c3e3438a7e4cd78b42f5f6ccdc3df1e363ca9 Mon Sep 17 00:00:00 2001 
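Review bot: Passing `new_item` is the right fix — with `userdata` the table's offsetof() offsets were applied to the caller's object, which is where the wild strcmp in the ASan trace came from — but the error path directly below frees `new_item->path` and `new_item->args` and leaves the dangling pointers in place. If the hooks array's element count was already incremented when `new_item` was carved out (oci_hooks_array begins before this hunk, so that is not visible), a later free_oci_hooks() would free those members a second time. Either clear the element once all its members are released, `*new_item = (OciHook) {};`, or make sure the count only grows after json_dispatch() has succeeded.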
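Review bot: The un-inverted `if (!sysctl_key_valid(k))` now rejects malformed keys as intended, but the `assert_se(m = json_variant_string(w));` one line above still aborts the whole process when a bundle supplies a non-string value (for instance `"vm.swappiness": 60`), unless the value's type is already checked earlier in oci_sysctl, which starts before this hunk. A config error should be an EINVAL like the key case: `if (json_variant_type(w) != JSON_VARIANT_STRING) return json_log(w, flags, SYNTHETIC_ERRNO(EINVAL), "sysctl value must be a string, refusing.");` followed by a plain `m = json_variant_string(w);`. Because the old condition accepted every invalid key and refused every valid one, the test bundle added later in this series should also carry a negative case, e.g. a key containing `/` or `..`, so the gate cannot silently flip again.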
From: Frantisek Sumsal Date: Mon, 15 May 2023 20:25:43 +0200 Subject: nspawn: fix a global-buffer-overflow Whoopsie. ================================================================= ==3789231==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000051d0b8 at pc 0x7f70850bc904 bp 0x7ffd9bbdf660 sp 0x7ffd9bbdf658 READ of size 8 at 0x00000051d0b8 thread T0 #0 0x7f70850bc903 in json_dispatch ../src/shared/json.c:4347 #1 0x4a5b54 in oci_seccomp_syscalls ../src/nspawn/nspawn-oci.c:1838 #2 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #3 0x4a668c in oci_seccomp ../src/nspawn/nspawn-oci.c:1905 #4 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #5 0x4a7d8c in oci_linux ../src/nspawn/nspawn-oci.c:2030 #6 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395 #7 0x4aa31c in oci_load ../src/nspawn/nspawn-oci.c:2198 #8 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744 #9 0x44ffa7 in run ../src/nspawn/nspawn.c:5477 #10 0x4552fb in main ../src/nspawn/nspawn.c:5920 #11 0x7f7083a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #12 0x7f7083a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #13 0x40d284 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/systemd-nspawn+0x40d284) 0x00000051d0b8 is located 40 bytes to the left of global variable 'bus_standard_errors_copy_0' defined in '../src/libsystemd/sd-bus/bus-error.h:57:1' (0x51d0e0) of size 8 0x00000051d0b8 is located 0 bytes to the right of global variable 'table' defined in '../src/nspawn/nspawn-oci.c:1829:43' (0x51d040) of size 120 SUMMARY: AddressSanitizer: global-buffer-overflow ../src/shared/json.c:4347 in json_dispatch Shadow bytes around the buggy address: 0x00008009b9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009b9d0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9e0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x00008009b9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba00: 00 f9 f9 f9 f9 f9 f9 f9 
00 00 00 00 00 00 00 00 =>0x00008009ba10: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 f9 f9 f9 0x00008009ba20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x00008009ba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3789231==ABORTING --- src/nspawn/nspawn-oci.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c index 22ac1e2ebf..c79f9c62d7 100644 --- a/src/nspawn/nspawn-oci.c +++ b/src/nspawn/nspawn-oci.c @@ -1829,6 +1829,7 @@ static int oci_seccomp_syscalls(const char *name, JsonVariant *v, JsonDispatchFl { "names", JSON_VARIANT_ARRAY, json_dispatch_strv, offsetof(struct syscall_rule, names), JSON_MANDATORY }, { "action", JSON_VARIANT_STRING, oci_seccomp_action, offsetof(struct syscall_rule, action), JSON_MANDATORY }, { "args", JSON_VARIANT_ARRAY, oci_seccomp_args, 0, 0 }, + {} }; struct syscall_rule rule = { .action = UINT32_MAX, -- cgit v1.2.1 From 0d5896a949b28d3b7743ee39a412b24d5d858178 Mon Sep 17 00:00:00 2001 
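Review bot: The added `{}` sentinel is the only thing that stops json_dispatch from reading past `table` — the ASan report shows it walking the 120-byte array and into the neighbouring global — and nothing in the language enforces its presence, so the same slip can recur in any other dispatch table in this file. A quick audit that every `static const JsonDispatch table[]` in nspawn-oci.c ends in `{}` is cheap and belongs in the same series; the fuzz seed updated later in the series now carries a two-rule `syscalls` array, which is the input shape that reaches this table. A short comment on the sentinel, `{} /* terminator: json_dispatch() stops here */`, makes the requirement visible to the next editor.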
From: Frantisek Sumsal Date: Mon, 15 May 2023 18:57:55 +0200 Subject: test: add a couple of tests for nspawn's OCI stuff --- test/units/testsuite-13.nspawn-oci.sh | 383 ++++++++++++++++++++++++++++++++++ test/units/testsuite-13.nspawn.sh | 21 +- 2 files changed, 384 insertions(+), 20 deletions(-) create mode 100755 test/units/testsuite-13.nspawn-oci.sh diff --git a/test/units/testsuite-13.nspawn-oci.sh b/test/units/testsuite-13.nspawn-oci.sh new file mode 100755 index 0000000000..cbfdb18290 --- /dev/null +++ b/test/units/testsuite-13.nspawn-oci.sh 
@@ -0,0 +1,383 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: LGPL-2.1-or-later +# shellcheck disable=SC2016 +set -eux +set -o pipefail + +export SYSTEMD_LOG_LEVEL=debug +export SYSTEMD_LOG_TARGET=journal +CREATE_BB_CONTAINER="/usr/lib/systemd/tests/testdata/create-busybox-container" + +# shellcheck disable=SC2317 +at_exit() { + set +e + + mountpoint -q /var/lib/machines && umount /var/lib/machines + [[ -n "${DEV:-}" ]] && rm -f "$DEV" + [[ -n "${NETNS:-}" ]] && umount "$NETNS" && rm -f "$NETNS" + [[ -n "${TMPDIR:-}" ]] && rm -fr "$TMPDIR" +} + +trap at_exit EXIT + +# Mount tmpfs over /var/lib/machines to not pollute the image +mkdir -p /var/lib/machines +mount -t tmpfs tmpfs /var/lib/machines + +# Setup a couple of dirs/devices for the OCI containers +DEV="$(mktemp -u /dev/oci-dev-XXX)" +mknod -m 666 "$DEV" b 42 42 +NETNS="$(mktemp /var/tmp/netns.XXX)" +mount --bind /proc/self/ns/net "$NETNS" +TMPDIR="$(mktemp -d)" +touch "$TMPDIR/hello" +OCI="$(mktemp -d /var/lib/machines/testsuite-13.oci-bundle.XXX)" +"$CREATE_BB_CONTAINER" "$OCI/rootfs" +mkdir -p "$OCI/rootfs/opt/var" +mkdir -p "$OCI/rootfs/opt/readonly" + +# Let's start with a simple config +cat >"$OCI/config.json" <"$OCI/config.json" </prestart" + ], + "env" : [ + "PRESTART_FOO=prestart_bar", + "ALSO_FOO=also_bar" + ], + "timeout" : 666 + }, + { + "path" : "/bin/touch", + "args" : [ + "/tmp/also-prestart" + ] + } + ], + "poststart" : [ + { + "path" : "/bin/sh", + "args" : [ + "touch", + "/poststart" + ] + } + ], + "poststop" : [ + { + "path" : "/bin/sh", + "args" : [ + "touch", + "/poststop" + ] + } + ] + }, + "annotations" : { + "hello.world" : "1", + "foo" : "bar" + } +} +EOF +# Create a simple "entrypoint" script that validates that the container +# is created correctly according to the OCI config +cat >"$OCI/rootfs/entrypoint.sh" <"$oci/config.json" < Date: Mon, 15 May 2023 21:10:07 +0200 Subject: fuzz: update the base JSON for fuzz-nspawn-oci --- test/fuzz/fuzz-nspawn-oci/basic.json | 247 
++++++++++++++++++++++++++++++++--- 1 file changed, 227 insertions(+), 20 deletions(-) diff --git a/test/fuzz/fuzz-nspawn-oci/basic.json b/test/fuzz/fuzz-nspawn-oci/basic.json index f42739e03a..24bacf39c1 100644 --- a/test/fuzz/fuzz-nspawn-oci/basic.json +++ b/test/fuzz/fuzz-nspawn-oci/basic.json @@ -1,6 +1,8 @@ { "ociVersion": "1.0.0", + "hostname" : "foo", + "root": { "path": "rootfs", "readonly": true @@ -33,11 +35,42 @@ "cwd": "/tmp/src", - "rlimits": [ + "noNewPrivileges" : true, + "oomScoreAdj" : 20, + "capabilities" : { + "bounding" : [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE" + ], + "permitted" : [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE" + ], + "inheritable" : [ + "CAP_AUDIT_WRITE", + "CAP_KILL", + "CAP_NET_BIND_SERVICE" + ], + "effective" : [ + "CAP_AUDIT_WRITE", + "CAP_KILL" + ], + "ambient" : [ + "CAP_NET_BIND_SERVICE" + ] + }, + "rlimits" : [ { - "type": "RLIMIT_NOFILE", - "hard": 1020, - "soft": 1020 + "type" : "RLIMIT_NOFILE", + "soft" : 1024, + "hard" : 1024 + }, + { + "type" : "RLIMIT_RTPRIO", + "soft" : 5, + "hard" : 10 } ] }, 
@@ -110,32 +143,206 @@ } ], - "hooks": {}, - - "linux": { - "resources": { - "devices": [ + "linux" : { + "namespaces" : [ + { + "type" : "mount" + }, + { + "type" : "network", + "path" : "$NETNS" + }, + { + "type" : "pid" + }, + { + "type" : "uts" + } + ], + "uidMappings" : [ + { + "containerID" : 0, + "hostID" : 1000, + "size" : 100 + } + ], + "gidMappings" : [ + { + "containerID" : 0, + "hostID" : 1000, + "size" : 100 + } + ], + "devices" : [ + { + "type" : "c", + "path" : "/dev/zero", + "major" : 1, + "minor" : 5, + "fileMode" : 444 + }, + { + "type" : "b", + "path" : "$DEV", + "major" : 4, + "minor" : 2, + "fileMode" : 666, + "uid" : 0, + "gid" : 0 + } + ], + "resources" : { + "devices" : [ + { + "allow" : false, + "access" : "m" + }, + { + "allow" : true, + "type" : "b", + "major" : 4, + "minor" : 2, + "access" : "rwm" + } + ], + "memory" : { + "limit" : 134217728, + "reservation" : 33554432, + "swap" : 268435456 + }, + "cpu" : { + "shares" : 1024, + "quota" : 1000000, + "period" : 500000, + "cpus" : "0-7" + }, + "blockIO" : { + "weight" : 10, + "weightDevice" : [ + { + "major" : 4, + "minor" : 2, + "weight" : 500 + } + ], + "throttleReadBpsDevice" : [ + { + "major" : 4, + "minor" : 2, + "rate" : 500 + } + ], + "throttleWriteBpsDevice" : [ + { + "major" : 4, + "minor" : 2, + "rate" : 500 + } + ], + "throttleReadIOPSDevice" : [ + { + "major" : 4, + "minor" : 2, + "rate" : 500 + } + ], + "throttleWriteIOPSDevice" : [ + { + "major" : 4, + "minor" : 2, + "rate" : 500 + } + ] + }, + "pids" : { + "limit" : 1024 + } + }, + "sysctl" : { + "kernel.domainname" : "foo.bar", + "vm.swappiness" : "60" + }, + "seccomp" : { + "defaultAction" : "SCMP_ACT_ALLOW", + "architectures" : [ + "SCMP_ARCH_ARM", + "SCMP_ARCH_X86_64" + ], + "syscalls" : [ { - "allow": false, - "access": "rwm" + "names" : [ + "lchown", + "chmod" + ], + "action" : "SCMP_ACT_ERRNO", + "args" : [ + { + "index" : 0, + "value" : 1, + "op" : "SCMP_CMP_NE" + }, + { + "index" : 1, + "value" : 2, + "valueTwo" : 
3, + "op" : "SCMP_CMP_MASKED_EQ" + } + ] } ] }, - "namespaces": [ + "rootfsPropagation" : "shared", + "maskedPaths" : [ + "/proc/kcore", + "/root/nonexistent" + ], + "readonlyPaths" : [ + "/proc/sys", + "/opt/readonly" + ] + }, + "hooks" : { + "prestart" : [ { - "type": "pid" + "path" : "/bin/sh", + "args" : [ + "-xec", + "echo $PRESTART_FOO >/prestart" + ], + "env" : [ + "PRESTART_FOO=prestart_bar", + "ALSO_FOO=also_bar" + ], + "timeout" : 666 }, { - "type": "ipc" - }, + "path" : "/bin/touch", + "args" : [ + "/tmp/also-prestart" + ] + } + ], + "poststart" : [ { - "type": "mount" + "path" : "/bin/sh", + "args" : [ + "touch", + "/poststart" + ] + } + ], + "poststop" : [ + { + "path" : "/bin/sh", + "args" : [ + "touch", + "/poststop" + ] } ] }, - - "annotations": { - "com.example.key1": "value1", - "com.example.key2": "value2" + "annotations" : { + "hello.world" : "1", + "foo" : "bar" } } -- cgit v1.2.1 From cd70372b934bded2249f26c72d4b6ab9bdf50a13 Mon Sep 17 00:00:00 2001 From: Frantisek Sumsal Date: Tue, 16 May 2023 11:40:33 +0200 Subject: nspawn: make sure the device type survives when setting device mode --- src/nspawn/nspawn-oci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c index c79f9c62d7..5e21538597 100644 --- a/src/nspawn/nspawn-oci.c +++ b/src/nspawn/nspawn-oci.c @@ -819,7 +819,7 @@ static int oci_device_file_mode(const char *name, JsonVariant *v, JsonDispatchFl return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE), "fileMode out of range, refusing."); - *mode = m; + *mode = (*mode & ~07777) | m; return 0; } -- cgit v1.2.1
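Review bot: In the `linux.devices` block the `fileMode` values `444` and `666` are decimal JSON integers, so they request modes 0674 and 01232 (sticky bit set) rather than the 0444/0666 the digits suggest; the runtime-spec's own example writes 0666 as `438`. If the accompanying test bundle compares the created nodes' modes this will not match, and as a fuzz seed it exercises an unusual mode instead of the common one — `"fileMode" : 292` and `"fileMode" : 438` are the intended values. The `"$NETNS"` and `"$DEV"` strings are shell placeholders carried over from the test heredoc; they are harmless as seed data, but a sentence in the commit message saying they are intentional would save a reader the question.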
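Review bot: Masking with `~07777` keeps whatever file-type bits are already in `*mode`, but that only helps when the `type` key was dispatched first; JSON object members are unordered, and if the `type` handler (outside this hunk) assigns `*mode = S_IFCHR` or `S_IFBLK` outright rather than masking the same way, a bundle that lists `type` after `fileMode` loses the permission bits instead. Worth checking the sibling handler and recording the contract on the new line: `*mode = (*mode & ~07777) | m; /* preserve the S_IFMT bits; "type" may have been dispatched first */`. oci_device_file_mode begins before the hunk, so the range check that feeds `m` is only partly visible here.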