Add support for shm-size.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #206 Approved by: TomSweeneyRedHat
author: Daniel J Walsh <dwalsh@redhat.com> 2018-01-10 15:58:18 -0500
committer: Atomic Bot <atomic-devel@projectatomic.io> 2018-01-11 12:39:06 +0000
commit: dd0d35deb098b63f8c5be7ef9d8d63c16760221b (patch)
tree: 695d44a49d636e45e4121c9aecfb3d8c0e1cca06 /vendor/github.com/opencontainers/runtime-tools/validate/validate.go
parent: e6be800ec633342aef656e0a2ed0bdc4519796d9 (diff)
download: podman-dd0d35deb098b63f8c5be7ef9d8d63c16760221b.tar.gz
podman-dd0d35deb098b63f8c5be7ef9d8d63c16760221b.tar.bz2
podman-dd0d35deb098b63f8c5be7ef9d8d63c16760221b.zip
1 files changed, 69 insertions, 163 deletions
diff --git a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
index 0914bc691..1030099df 100644
--- a/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
+++ b/vendor/github.com/opencontainers/runtime-tools/validate/validate.go
@@ -66,23 +66,20 @@ type Validator struct {
 }
 
 // NewValidator creates a Validator
-func NewValidator(spec *rspec.Spec, bundlePath string, hostSpecific bool, platform string) Validator {
+func NewValidator(spec *rspec.Spec, bundlePath string, hostSpecific bool, platform string) (Validator, error) {
 	if hostSpecific && platform != runtime.GOOS {
-		platform = runtime.GOOS
+		return Validator{}, fmt.Errorf("When hostSpecific is set, platform must be same as the host platform")
 	}
 	return Validator{
 		spec:         spec,
 		bundlePath:   bundlePath,
 		HostSpecific: hostSpecific,
 		platform:     platform,
-	}
+	}, nil
 }
 
 // NewValidatorFromPath creates a Validator with specified bundle path
 func NewValidatorFromPath(bundlePath string, hostSpecific bool, platform string) (Validator, error) {
-	if hostSpecific && platform != runtime.GOOS {
-		platform = runtime.GOOS
-	}
 	if bundlePath == "" {
 		return Validator{}, fmt.Errorf("bundle path shouldn't be empty")
 	}
@@ -104,7 +101,7 @@ func NewValidatorFromPath(bundlePath string, hostSpecific bool, platform string)
 		return Validator{}, err
 	}
 
-	return NewValidator(&spec, bundlePath, hostSpecific, platform), nil
+	return NewValidator(&spec, bundlePath, hostSpecific, platform)
 }
 
 // CheckAll checks all parts of runtime bundle
@@ -117,8 +114,10 @@ func (v *Validator) CheckAll() error {
 	errs = multierror.Append(errs, v.CheckSemVer())
 	errs = multierror.Append(errs, v.CheckMounts())
 	errs = multierror.Append(errs, v.CheckProcess())
-	errs = multierror.Append(errs, v.CheckHooks())
 	errs = multierror.Append(errs, v.CheckLinux())
+	if v.platform == "linux" || v.platform == "solaris" {
+		errs = multierror.Append(errs, v.CheckHooks())
+	}
 
 	return errs.ErrorOrNil()
 }
@@ -264,6 +263,11 @@ func (v *Validator) CheckSemVer() (errs error) {
 func (v *Validator) CheckHooks() (errs error) {
 	logrus.Debugf("check hooks")
 
+	if v.platform != "linux" && v.platform != "solaris" {
+		errs = multierror.Append(errs, fmt.Errorf("For %q platform, the configuration structure does not support hooks", v.platform))
+		return
+	}
+
 	if v.spec.Hooks != nil {
 		errs = multierror.Append(errs, v.checkEventHooks("prestart", v.spec.Hooks.Prestart, v.HostSpecific))
 		errs = multierror.Append(errs, v.checkEventHooks("poststart", v.spec.Hooks.Poststart, v.HostSpecific))
@@ -334,7 +338,7 @@ func (v *Validator) CheckProcess() (errs error) {
 				fmt.Errorf("args must not be empty"),
 				rspec.Version))
 	} else {
-		if filepath.IsAbs(process.Args[0]) {
+		if filepath.IsAbs(process.Args[0]) && v.spec.Root != nil {
 			var rootfsPath string
 			if filepath.IsAbs(v.spec.Root.Path) {
 				rootfsPath = v.spec.Root.Path
@@ -356,12 +360,15 @@ func (v *Validator) CheckProcess() (errs error) {
 		}
 	}
 
-	if v.spec.Process.Capabilities != nil {
-		errs = multierror.Append(errs, v.CheckCapabilities())
+	if v.platform == "linux" || v.platform == "solaris" {
+		errs = multierror.Append(errs, v.CheckRlimits())
 	}
-	errs = multierror.Append(errs, v.CheckRlimits())
 
 	if v.platform == "linux" {
+		if v.spec.Process.Capabilities != nil {
+			errs = multierror.Append(errs, v.CheckCapabilities())
+		}
+
 		if len(process.ApparmorProfile) > 0 {
 			profilePath := filepath.Join(v.bundlePath, v.spec.Root.Path, "/etc/apparmor.d", process.ApparmorProfile)
 			_, err := os.Stat(profilePath)
@@ -376,60 +383,61 @@ func (v *Validator) CheckProcess() (errs error) {
 
 // CheckCapabilities checks v.spec.Process.Capabilities
 func (v *Validator) CheckCapabilities() (errs error) {
+	if v.platform != "linux" {
+		errs = multierror.Append(errs, fmt.Errorf("For %q platform, the configuration structure does not support process.capabilities", v.platform))
+		return
+	}
+
 	process := v.spec.Process
-	if v.platform == "linux" {
-		var effective, permitted, inheritable, ambient bool
-		caps := make(map[string][]string)
+	var effective, permitted, inheritable, ambient bool
+	caps := make(map[string][]string)
 
-		for _, cap := range process.Capabilities.Bounding {
-			caps[cap] = append(caps[cap], "bounding")
-		}
-		for _, cap := range process.Capabilities.Effective {
-			caps[cap] = append(caps[cap], "effective")
-		}
-		for _, cap := range process.Capabilities.Inheritable {
-			caps[cap] = append(caps[cap], "inheritable")
-		}
-		for _, cap := range process.Capabilities.Permitted {
-			caps[cap] = append(caps[cap], "permitted")
-		}
-		for _, cap := range process.Capabilities.Ambient {
-			caps[cap] = append(caps[cap], "ambient")
+	for _, cap := range process.Capabilities.Bounding {
+		caps[cap] = append(caps[cap], "bounding")
+	}
+	for _, cap := range process.Capabilities.Effective {
+		caps[cap] = append(caps[cap], "effective")
+	}
+	for _, cap := range process.Capabilities.Inheritable {
+		caps[cap] = append(caps[cap], "inheritable")
+	}
+	for _, cap := range process.Capabilities.Permitted {
+		caps[cap] = append(caps[cap], "permitted")
+	}
+	for _, cap := range process.Capabilities.Ambient {
+		caps[cap] = append(caps[cap], "ambient")
+	}
+
+	for capability, owns := range caps {
+		if err := CapValid(capability, v.HostSpecific); err != nil {
+			errs = multierror.Append(errs, fmt.Errorf("capability %q is not valid, man capabilities(7)", capability))
 		}
 
-		for capability, owns := range caps {
-			if err := CapValid(capability, v.HostSpecific); err != nil {
-				errs = multierror.Append(errs, fmt.Errorf("capability %q is not valid, man capabilities(7)", capability))
+		effective, permitted, ambient, inheritable = false, false, false, false
+		for _, set := range owns {
+			if set == "effective" {
+				effective = true
+				continue
 			}
-
-			effective, permitted, ambient, inheritable = false, false, false, false
-			for _, set := range owns {
-				if set == "effective" {
-					effective = true
-					continue
-				}
-				if set == "inheritable" {
-					inheritable = true
-					continue
-				}
-				if set == "permitted" {
-					permitted = true
-					continue
-				}
-				if set == "ambient" {
-					ambient = true
-					continue
-				}
+			if set == "inheritable" {
+				inheritable = true
+				continue
 			}
-			if effective && !permitted {
-				errs = multierror.Append(errs, fmt.Errorf("effective capability %q is not allowed, as it's not permitted", capability))
+			if set == "permitted" {
+				permitted = true
+				continue
 			}
-			if ambient && !(permitted && inheritable) {
-				errs = multierror.Append(errs, fmt.Errorf("ambient capability %q is not allowed, as it's not permitted and inheribate", capability))
+			if set == "ambient" {
+				ambient = true
+				continue
 			}
 		}
-	} else {
-		logrus.Warnf("process.capabilities validation not yet implemented for OS %q", v.platform)
+		if effective && !permitted {
+			errs = multierror.Append(errs, fmt.Errorf("effective capability %q is not allowed, as it's not permitted", capability))
+		}
+		if ambient && !(permitted && inheritable) {
+			errs = multierror.Append(errs, fmt.Errorf("ambient capability %q is not allowed, as it's not permitted and inheribate", capability))
+		}
 	}
 
 	return
@@ -437,7 +445,8 @@ func (v *Validator) CheckCapabilities() (errs error) {
 
 // CheckRlimits checks v.spec.Process.Rlimits
 func (v *Validator) CheckRlimits() (errs error) {
-	if v.platform == "windows" {
+	if v.platform != "linux" && v.platform != "solaris" {
+		errs = multierror.Append(errs, fmt.Errorf("For %q platform, the configuration structure does not support process.rlimits", v.platform))
 		return
 	}
 
@@ -597,8 +606,8 @@ func (v *Validator) CheckLinux() (errs error) {
 
 	for index := 0; index < len(v.spec.Linux.Namespaces); index++ {
 		ns := v.spec.Linux.Namespaces[index]
-		if !v.namespaceValid(ns) {
-			errs = multierror.Append(errs, fmt.Errorf("namespace %v is invalid", ns))
+		if ns.Path != "" && !osFilepath.IsAbs(v.platform, ns.Path) {
+			errs = multierror.Append(errs, specerror.NewError(specerror.NSPathAbs, fmt.Errorf("namespace.path %q is not an absolute path", ns.Path), rspec.Version))
 		}
 
 		tmpItem := nsTypeList[ns.Type]
@@ -615,10 +624,6 @@ func (v *Validator) CheckLinux() (errs error) {
 
 	if (len(v.spec.Linux.UIDMappings) > 0 || len(v.spec.Linux.GIDMappings) > 0) && !nsTypeList[rspec.UserNamespace].newExist {
 		errs = multierror.Append(errs, errors.New("the UID/GID mappings requires a new User namespace to be specified as well"))
-	} else if len(v.spec.Linux.UIDMappings) > 5 {
-		errs = multierror.Append(errs, errors.New("only 5 UID mappings are allowed (linux kernel restriction)"))
-	} else if len(v.spec.Linux.GIDMappings) > 5 {
-		errs = multierror.Append(errs, errors.New("only 5 GID mappings are allowed (linux kernel restriction)"))
 	}
 
 	for k := range v.spec.Linux.Sysctl {
@@ -738,10 +743,6 @@ func (v *Validator) CheckLinux() (errs error) {
 		errs = multierror.Append(errs, v.CheckLinuxResources())
 	}
 
-	if v.spec.Linux.Seccomp != nil {
-		errs = multierror.Append(errs, v.CheckSeccomp())
-	}
-
 	for _, maskedPath := range v.spec.Linux.MaskedPaths {
 		if !strings.HasPrefix(maskedPath, "/") {
 			errs = multierror.Append(errs,
@@ -819,47 +820,6 @@ func (v *Validator) CheckLinuxResources() (errs error) {
 	return
 }
 
-// CheckSeccomp checkc v.spec.Linux.Seccomp
-func (v *Validator) CheckSeccomp() (errs error) {
-	logrus.Debugf("check linux seccomp")
-
-	s := v.spec.Linux.Seccomp
-	if !seccompActionValid(s.DefaultAction) {
-		errs = multierror.Append(errs, fmt.Errorf("seccomp defaultAction %q is invalid", s.DefaultAction))
-	}
-	for index := 0; index < len(s.Syscalls); index++ {
-		if !syscallValid(s.Syscalls[index]) {
-			errs = multierror.Append(errs, fmt.Errorf("syscall %v is invalid", s.Syscalls[index]))
-		}
-	}
-	for index := 0; index < len(s.Architectures); index++ {
-		switch s.Architectures[index] {
-		case rspec.ArchX86:
-		case rspec.ArchX86_64:
-		case rspec.ArchX32:
-		case rspec.ArchARM:
-		case rspec.ArchAARCH64:
-		case rspec.ArchMIPS:
-		case rspec.ArchMIPS64:
-		case rspec.ArchMIPS64N32:
-		case rspec.ArchMIPSEL:
-		case rspec.ArchMIPSEL64:
-		case rspec.ArchMIPSEL64N32:
-		case rspec.ArchPPC:
-		case rspec.ArchPPC64:
-		case rspec.ArchPPC64LE:
-		case rspec.ArchS390:
-		case rspec.ArchS390X:
-		case rspec.ArchPARISC:
-		case rspec.ArchPARISC64:
-		default:
-			errs = multierror.Append(errs, fmt.Errorf("seccomp architecture %q is invalid", s.Architectures[index]))
-		}
-	}
-
-	return
-}
-
 // CapValid checks whether a capability is valid
 func CapValid(c string, hostSpecific bool) error {
 	isValid := false
@@ -936,26 +896,6 @@ func (v *Validator) rlimitValid(rlimit rspec.POSIXRlimit) (errs error) {
 	return
 }
 
-func (v *Validator) namespaceValid(ns rspec.LinuxNamespace) bool {
-	switch ns.Type {
-	case rspec.PIDNamespace:
-	case rspec.NetworkNamespace:
-	case rspec.MountNamespace:
-	case rspec.IPCNamespace:
-	case rspec.UTSNamespace:
-	case rspec.UserNamespace:
-	case rspec.CgroupNamespace:
-	default:
-		return false
-	}
-
-	if ns.Path != "" && !osFilepath.IsAbs(v.platform, ns.Path) {
-		return false
-	}
-
-	return true
-}
-
 func deviceValid(d rspec.LinuxDevice) bool {
 	switch d.Type {
 	case "b", "c", "u":
@@ -972,40 +912,6 @@ func deviceValid(d rspec.LinuxDevice) bool {
 	return true
 }
 
-func seccompActionValid(secc rspec.LinuxSeccompAction) bool {
-	switch secc {
-	case rspec.ActKill:
-	case rspec.ActTrap:
-	case rspec.ActErrno:
-	case rspec.ActTrace:
-	case rspec.ActAllow:
-	default:
-		return false
-	}
-	return true
-}
-
-func syscallValid(s rspec.LinuxSyscall) bool {
-	if !seccompActionValid(s.Action) {
-		return false
-	}
-	for index := 0; index < len(s.Args); index++ {
-		arg := s.Args[index]
-		switch arg.Op {
-		case rspec.OpNotEqual:
-		case rspec.OpLessThan:
-		case rspec.OpLessEqual:
-		case rspec.OpEqualTo:
-		case rspec.OpGreaterEqual:
-		case rspec.OpGreaterThan:
-		case rspec.OpMaskedEqual:
-		default:
-			return false
-		}
-	}
-	return true
-}
-
 func isStruct(t reflect.Type) bool {
 	return t.Kind() == reflect.Struct
 }
author	Daniel J Walsh <dwalsh@redhat.com>	2018-01-10 15:58:18 -0500
committer	Atomic Bot <atomic-devel@projectatomic.io>	2018-01-11 12:39:06 +0000
commit	dd0d35deb098b63f8c5be7ef9d8d63c16760221b (patch)
tree	695d44a49d636e45e4121c9aecfb3d8c0e1cca06 /vendor/github.com/opencontainers/runtime-tools/validate/validate.go
parent	e6be800ec633342aef656e0a2ed0bdc4519796d9 (diff)
download	podman-dd0d35deb098b63f8c5be7ef9d8d63c16760221b.tar.gz podman-dd0d35deb098b63f8c5be7ef9d8d63c16760221b.tar.bz2 podman-dd0d35deb098b63f8c5be7ef9d8d63c16760221b.zip