// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

// Package wrapperd provides a wrapper for running services.
package wrapperd

import (
	"flag"
	"log"
	"os"
	"strings"

	"github.com/containerd/cgroups/v3"
	"github.com/containerd/cgroups/v3/cgroup1"
	"github.com/containerd/cgroups/v3/cgroup2"
	"github.com/containerd/containerd/sys"
	"github.com/siderolabs/gen/xslices"
	"golang.org/x/sys/unix"
	"kernel.org/pub/linux/libs/security/libcap/cap"

	krnl "github.com/siderolabs/talos/pkg/kernel"
	"github.com/siderolabs/talos/pkg/machinery/kernel"
)

// Process configuration populated from the command line by Main.
var (
	// name identifies the wrapped process in log messages.
	name string
	// cgroupPath is the existing cgroup the process is moved into (empty: no move).
	cgroupPath string
	// droppedCaps is a comma-separated list of capabilities to remove from the
	// process bounding set before exec (empty: nothing is dropped).
	droppedCaps string
	// oomScore is the OOM score adjustment to apply (0: left unchanged).
	oomScore int
	// uid is the user id to switch to before exec (<= 0: left unchanged).
	uid int
)

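// Main is the entrypoint into /sbin/wrapperd.
//
// It parses the flags, then applies the requested process settings in this
// order: OOM score adjustment, cgroup membership, capability bounding-set
// drops, uid change. Finally it execs the command given as positional
// arguments, replacing the wrapper process. Every failure is fatal, so a
// partially configured process never reaches the exec step.
func Main() {
	flag.StringVar(&name, "name", "", "process name")
	flag.StringVar(&droppedCaps, "dropped-caps", "", "comma-separated list of capabilities to drop")
	flag.StringVar(&cgroupPath, "cgroup-path", "", "cgroup path to use")
	flag.IntVar(&oomScore, "oom-score", 0, "oom score to set")
	flag.IntVar(&uid, "uid", 0, "uid to set for the process")
	flag.Parse()

	// Validate the command before touching any process state, so a
	// misconfigured invocation fails with a clear message instead of an
	// index-out-of-range panic at the exec step.
	args := flag.Args()
	if len(args) == 0 {
		log.Fatalf("no command to exec was given for process %s", name)
	}

	currentPid := os.Getpid()

	if oomScore != 0 {
		if err := sys.AdjustOOMScore(currentPid, oomScore); err != nil {
			log.Fatalf("Failed to change OOMScoreAdj of process %s to %d: %v", name, oomScore, err)
		}
	}

	if cgroupPath != "" {
		joinCgroup(currentPid)
	}

	dropCapabilities()

	if uid > 0 {
		// Only the uid changes here: the gid and supplementary groups stay as
		// inherited from the wrapper, since no flag configures them.
		if err := unix.Setuid(uid); err != nil {
			log.Fatalf("failed to setuid: %v", err)
		}
	}

	// exec replaces this process image; on success it does not return.
	if err := unix.Exec(args[0], args, os.Environ()); err != nil {
		log.Fatalf("failed to exec: %v", err)
	}
}

// joinCgroup moves pid into the existing cgroup named by cgroupPath, using
// the cgroup v2 API on a unified hierarchy and the v1 API otherwise.
// Any failure is fatal.
func joinCgroup(pid int) {
	if cgroups.Mode() == cgroups.Unified {
		cgv2, err := cgroup2.Load(cgroupPath)
		if err != nil {
			log.Fatalf("failed to load cgroup %s: %v", cgroupPath, err)
		}

		if err := cgv2.AddProc(uint64(pid)); err != nil {
			log.Fatalf("Failed to move process %s to cgroup: %v", name, err)
		}

		return
	}

	cgv1, err := cgroup1.Load(cgroup1.StaticPath(cgroupPath))
	if err != nil {
		log.Fatalf("failed to load cgroup %s: %v", cgroupPath, err)
	}

	if err := cgv1.Add(cgroup1.Process{Pid: pid}); err != nil {
		log.Fatalf("Failed to move process %s to cgroup: %v", name, err)
	}
}

// dropCapabilities removes the capabilities listed in droppedCaps from the
// process bounding set, which limits what a later execve can grant to the
// wrapped command.
//
// The whole drop is skipped when kernel.kexec_load_disabled reads as a
// non-zero value: in that case none of the listed capabilities is removed,
// not only kexec-related ones. A failure to read the parameter is not
// treated as "disabled"; the drop then proceeds as configured. Any error
// while parsing or applying the capabilities is fatal.
func dropCapabilities() {
	prop, err := krnl.ReadParam(&kernel.Param{Key: "proc.sys.kernel.kexec_load_disabled"})
	if v := strings.TrimSpace(string(prop)); err == nil && v != "0" {
		log.Printf("kernel.kexec_load_disabled is %v, skipping dropping capabilities", v)

		return
	}

	if droppedCaps == "" {
		return
	}

	// Tolerate whitespace around the separators ("CAP_A, CAP_B"); an empty or
	// unknown name still fails the parse and is fatal.
	dropCaps := xslices.Map(strings.Split(droppedCaps, ","), func(c string) cap.Value {
		capability, capErr := cap.FromName(strings.TrimSpace(c))
		if capErr != nil {
			log.Fatalf("failed to parse capability: %v", capErr)
		}

		return capability
	})

	iab := cap.IABGetProc()
	if err = iab.SetVector(cap.Bound, true, dropCaps...); err != nil {
		log.Fatalf("failed to set capabilities: %v", err)
	}

	if err = iab.SetProc(); err != nil {
		log.Fatalf("failed to apply capabilities: %v", err)
	}
}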