1
// This Source Code Form is subject to the terms of the Mozilla Public
2
// License, v. 2.0. If a copy of the MPL was not distributed with this
3
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
5
// Package wrapperd provides a wrapper for running services.
14
"github.com/containerd/cgroups/v3"
15
"github.com/containerd/cgroups/v3/cgroup1"
16
"github.com/containerd/cgroups/v3/cgroup2"
17
"github.com/containerd/containerd/sys"
18
"github.com/siderolabs/gen/xslices"
19
"golang.org/x/sys/unix"
20
"kernel.org/pub/linux/libs/security/libcap/cap"
22
krnl "github.com/siderolabs/talos/pkg/kernel"
23
"github.com/siderolabs/talos/pkg/machinery/kernel"
34
// Main is the entrypoint into /sbin/wrapperd.
38
flag.StringVar(&name, "name", "", "process name")
39
flag.StringVar(&droppedCaps, "dropped-caps", "", "comma-separated list of capabilities to drop")
40
flag.StringVar(&cgroupPath, "cgroup-path", "", "cgroup path to use")
41
flag.IntVar(&oomScore, "oom-score", 0, "oom score to set")
42
flag.IntVar(&uid, "uid", 0, "uid to set for the process")
45
currentPid := os.Getpid()
48
if err := sys.AdjustOOMScore(currentPid, oomScore); err != nil {
49
log.Fatalf("Failed to change OOMScoreAdj of process %s to %d", name, oomScore)
53
// load the cgroup and put the process into the cgroup
55
if cgroups.Mode() == cgroups.Unified {
56
cgv2, err := cgroup2.Load(cgroupPath)
58
log.Fatalf("failed to load cgroup %s: %v", cgroupPath, err)
61
if err := cgv2.AddProc(uint64(currentPid)); err != nil {
62
log.Fatalf("Failed to move process %s to cgroup: %v", name, err)
65
cgv1, err := cgroup1.Load(cgroup1.StaticPath(cgroupPath))
67
log.Fatalf("failed to load cgroup %s: %v", cgroupPath, err)
70
if err := cgv1.Add(cgroup1.Process{
73
log.Fatalf("Failed to move process %s to cgroup: %v", name, err)
78
prop, err := krnl.ReadParam(&kernel.Param{Key: "proc.sys.kernel.kexec_load_disabled"})
79
if v := strings.TrimSpace(string(prop)); err == nil && v != "0" {
80
log.Printf("kernel.kexec_load_disabled is %v, skipping dropping capabilities", v)
81
} else if droppedCaps != "" {
82
caps := strings.Split(droppedCaps, ",")
83
dropCaps := xslices.Map(caps, func(c string) cap.Value {
84
capability, capErr := cap.FromName(c)
86
log.Fatalf("failed to parse capability: %v", capErr)
93
iab := cap.IABGetProc()
94
if err = iab.SetVector(cap.Bound, true, dropCaps...); err != nil {
95
log.Fatalf("failed to set capabilities: %v", err)
98
if err = iab.SetProc(); err != nil {
99
log.Fatalf("failed to apply capabilities: %v", err)
104
err = unix.Setuid(uid)
106
log.Fatalf("failed to setuid: %v", err)
110
if err := unix.Exec(flag.Args()[0], flag.Args()[0:], os.Environ()); err != nil {
111
log.Fatalf("failed to exec: %v", err)