diff --git a/cli/command/service/opts.go b/cli/command/service/opts.go index 9298cfb13145..5ef2ea1f4ad0 100644 --- a/cli/command/service/opts.go +++ b/cli/command/service/opts.go @@ -5,7 +5,10 @@ package service import ( "context" + "encoding/json" "fmt" + "os" + "path/filepath" "sort" "strconv" "strings" @@ -531,6 +534,10 @@ type serviceOptions struct { ulimits opts.UlimitOpt oomScoreAdj int64 + seccomp string + appArmor string + noNewPrivileges bool + resources resourceOptions stopGrace opts.DurationOpt @@ -660,6 +667,109 @@ func (options *serviceOptions) makeEnv() ([]string, error) { return currentEnv, nil } +func (options *serviceOptions) ToPrivileges(flags *pflag.FlagSet) (*swarm.Privileges, error) { + // we're going to go through several possible uses of the Privileges + // struct, which may or may not be used. If some stage uses it (after the + // first), we'll check if it's nil and create it if it hasn't been created + // yet. + var privileges *swarm.Privileges + if options.credentialSpec.String() != "" && options.credentialSpec.Value() != nil { + privileges = &swarm.Privileges{ + CredentialSpec: options.credentialSpec.Value(), + } + } + + if flags.Changed(flagNoNewPrivileges) { + if privileges == nil { + privileges = &swarm.Privileges{} + } + privileges.NoNewPrivileges = options.noNewPrivileges + } + + if flags.Changed(flagAppArmor) { + if privileges == nil { + privileges = &swarm.Privileges{} + } + switch options.appArmor { + case "default": + privileges.AppArmor = &swarm.AppArmorOpts{ + Mode: swarm.AppArmorModeDefault, + } + case "disabled": + privileges.AppArmor = &swarm.AppArmorOpts{ + Mode: swarm.AppArmorModeDisabled, + } + default: + return nil, errors.Errorf( + "unknown AppArmor mode %q. Supported modes are %q and %q", + options.appArmor, + swarm.AppArmorModeDefault, + swarm.AppArmorModeDisabled, + ) + } + } + + if flags.Changed(flagSeccomp) { + if privileges == nil { + privileges = &swarm.Privileges{} + } + seccomp, err := options.ToSeccompOpts() + if err != nil { + return nil, err + } + privileges.Seccomp = seccomp + } + + return privileges, nil +} + +func (options *serviceOptions) ToSeccompOpts() (*swarm.SeccompOpts, error) { + switch arg := options.seccomp; arg { + case "default": + return &swarm.SeccompOpts{ + Mode: swarm.SeccompModeDefault, + }, nil + case "unconfined": + return &swarm.SeccompOpts{ + Mode: swarm.SeccompModeUnconfined, + }, nil + default: + dir, _ := filepath.Split(arg) + // if the directory is empty, this isn't a file path. Even though + // the user may be referring to a file in the local directory, for + // disambiguation's sake, we require a custom profile file to be + // given as a path. + if dir == "" { + // check if the file exists locally + if _, err := os.Stat(arg); errors.Is(err, os.ErrNotExist) { + return nil, errors.Errorf("unknown seccomp mode %q.", arg) + } + return nil, errors.Errorf( + "unknown seccomp mode %q. (did you mean custom a seccomp profile \"./%s\"?)", + arg, arg, + ) + } + data, err := os.ReadFile(options.seccomp) + if err != nil { + // TODO(dperny): return this, or return "unrecognized option" or some such? + return nil, errors.Wrap(err, "unable to read seccomp custom profile file") + } + // we're doing the user a favor here by refusing to pass garbage if + // they give invalid json. + if !json.Valid(data) { + return nil, errors.Errorf( + "unable to read seccomp custom profile file %q: not valid json", + options.seccomp, + ) + } + + return &swarm.SeccompOpts{ + Mode: swarm.SeccompModeCustom, + Profile: data, + }, nil + } +} + // ToService takes the set of flags passed to the command and converts them // into a service spec. // @@ -712,6 +822,11 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N return service, err } + privileges, err := options.ToPrivileges(flags) + if err != nil { + return service, err + } + capAdd, capDrop := opts.EffectiveCapAddCapDrop(options.capAdd.GetAll(), options.capDrop.GetAll()) service = swarm.ServiceSpec{ @@ -730,6 +845,7 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N Dir: options.workdir, User: options.user, Groups: options.groups.GetAll(), + Privileges: privileges, StopSignal: options.stopSignal, TTY: options.tty, ReadOnly: options.readOnly, @@ -766,12 +882,6 @@ func (options *serviceOptions) ToService(ctx context.Context, apiClient client.N EndpointSpec: options.endpoint.ToEndpointSpec(), } - if options.credentialSpec.String() != "" && options.credentialSpec.Value() != nil { - service.TaskTemplate.ContainerSpec.Privileges = &swarm.Privileges{ - CredentialSpec: options.credentialSpec.Value(), - } - } - return service, nil } @@ -886,6 +996,10 @@ func addServiceFlags(flags *pflag.FlagSet, options *serviceOptions, defaultFlagV flags.StringVar(&options.update.order, flagUpdateOrder, "", flagDesc(flagUpdateOrder, `Update order ("start-first", "stop-first")`)) flags.SetAnnotation(flagUpdateOrder, "version", []string{"1.29"}) + flags.StringVar(&options.seccomp, flagSeccomp, "", flagDesc(flagSeccomp, `Seccomp configuration ("default", "unconfined", or a path to a json custom seccomp profile)`)) + flags.StringVar(&options.appArmor, flagAppArmor, "", flagDesc(flagAppArmor, `AppArmor mode ("default" or "disabled"`)) + flags.BoolVar(&options.noNewPrivileges, flagNoNewPrivileges, false, flagDesc(flagNoNewPrivileges, "Disable container processes from gaining new privileges")) + flags.Uint64Var(&options.rollback.parallelism, flagRollbackParallelism, defaultFlagValues.getUint64(flagRollbackParallelism), "Maximum number of tasks rolled back simultaneously (0 to roll back all at once)") flags.SetAnnotation(flagRollbackParallelism, "version", []string{"1.28"}) @@ -937,6 +1051,7 @@ func addServiceFlags(flags *pflag.FlagSet, options *serviceOptions, defaultFlagV } const ( + flagAppArmor = "apparmor" flagCredentialSpec = "credential-spec" //nolint:gosec // ignore G101: Potential hardcoded credentials flagPlacementPref = "placement-pref" flagPlacementPrefAdd = "placement-pref-add" @@ -1008,6 +1123,7 @@ const ( flagRollbackOrder = "rollback-order" flagRollbackParallelism = "rollback-parallelism" flagInit = "init" + flagSeccomp = "seccomp" flagSysCtl = "sysctl" flagSysCtlAdd = "sysctl-add" flagSysCtlRemove = "sysctl-rm" @@ -1023,6 +1139,7 @@ const ( flagUser = "user" flagWorkdir = "workdir" flagRegistryAuth = "with-registry-auth" + flagNoNewPrivileges = "no-new-privileges" flagNoResolveImage = "no-resolve-image" flagLogDriver = "log-driver" flagLogOpt = "log-opt" diff --git a/cli/command/service/opts_test.go b/cli/command/service/opts_test.go index 799d32cebd2d..a43968a005b3 100644 --- a/cli/command/service/opts_test.go +++ b/cli/command/service/opts_test.go @@ -3,6 +3,8 @@ package service import ( "context" "fmt" + "os" + "strings" "testing" "time" @@ -326,3 +328,142 @@ func TestToServiceSysCtls(t *testing.T) { assert.NilError(t, err) assert.Check(t, is.DeepEqual(service.TaskTemplate.ContainerSpec.Sysctls, expected)) } + +func TestToPrivilegesAppArmor(t *testing.T) { + for _, mode := range []string{"default", "disabled"} { + flags := newCreateCommand(nil).Flags() + flags.Set("apparmor", mode) + o := newServiceOptions() + o.appArmor = mode + privileges, err := o.ToPrivileges(flags) + assert.NilError(t, err) + enumMode := swarm.AppArmorMode(mode) + assert.Check(t, is.DeepEqual(privileges, &swarm.Privileges{ + AppArmor: &swarm.AppArmorOpts{ + Mode: enumMode, + }, + })) + } +} + +func TestToPrivilegesAppArmorInvalid(t *testing.T) { + flags := newCreateCommand(nil).Flags() + flags.Set("apparmor", "invalid") + o := newServiceOptions() + o.appArmor = "invalid" + + privileges, err := o.ToPrivileges(flags) + assert.ErrorContains(t, err, "AppArmor") + assert.Check(t, is.Nil(privileges)) +} + +func TestToPrivilegesSeccomp(t *testing.T) { + for _, mode := range []string{"default", "unconfined"} { + flags := newCreateCommand(nil).Flags() + flags.Set("seccomp", mode) + o := newServiceOptions() + o.seccomp = mode + + privileges, err := o.ToPrivileges(flags) + assert.NilError(t, err) + enumMode := swarm.SeccompMode(mode) + assert.Check(t, is.DeepEqual(privileges, &swarm.Privileges{ + Seccomp: &swarm.SeccompOpts{ + Mode: enumMode, + }, + })) + } +} + +const testJSON = `{ + "json": "you betcha" +} +` + +func TestToPrivilegesSeccompCustomProfile(t *testing.T) { + flags := newCreateCommand(nil).Flags() + flags.Set("seccomp", "testdata/test-seccomp-valid.json") + o := newServiceOptions() + o.seccomp = "testdata/test-seccomp-valid.json" + + privileges, err := o.ToPrivileges(flags) + assert.NilError(t, err) + assert.Check(t, is.DeepEqual(privileges, &swarm.Privileges{ + Seccomp: &swarm.SeccompOpts{ + Mode: swarm.SeccompModeCustom, + Profile: []byte(testJSON), + }, + })) +} + +func TestToPrivilegesSeccompInvalidJson(t *testing.T) { + flags := newCreateCommand(nil).Flags() + // why make an invalid json file when we have one lying right there? + flags.Set("seccomp", "testdata/service-context-write-raw.golden") + o := newServiceOptions() + o.seccomp = "testdata/service-context-write-raw.golden" + + privileges, err := o.ToPrivileges(flags) + assert.ErrorContains(t, err, "json") + assert.Check(t, is.Nil(privileges)) +} + +// TestToPrivilegesSeccompNotPath tests that if the user provides a valid +// filename but not as a path, we both fail the command (as the argument isn't +// a valid seccomp mode) and hint that the user should provide the path as a +// relative path. +func TestToPrivilegesSeccompNotPath(t *testing.T) { + // change the working directory in this test so that the file with no + // separators is a valid file. This will revert at the end of the test. + // Cannot use this with t.Parallel() tests. + // TODO(dperny): When we get to go 1.24, use t.Chdir instead. + oldwd, err := os.Getwd() + if err != nil { + t.Fatal(err) + } + if err := os.Chdir("testdata"); err != nil { + t.Fatal(err) + } + t.Cleanup(func() { + if err := os.Chdir(oldwd); err != nil { + panic(err) + } + }) + flags := newCreateCommand(nil).Flags() + flags.Set("seccomp", "test-seccomp-valid.json") + o := newServiceOptions() + o.seccomp = "test-seccomp-valid.json" + + privileges, err := o.ToPrivileges(flags) + assert.ErrorContains(t, err, "unknown seccomp mode") + assert.ErrorContains(t, err, "did you mean") + t.Logf("%s", err) + assert.Check(t, is.Nil(privileges)) +} + +// TestToPrivilegesSeccompNotPathNotValid is like +// TestToPrivilegesSeccompNotPath except the argument isn't a valid file at +// all, so there's no hint. +func TestToPrivilegesSeccompNotPathNotValid(t *testing.T) { + flags := newCreateCommand(nil).Flags() + flags.Set("seccomp", "test-seccomp-valid.json") + o := newServiceOptions() + o.seccomp = "test-seccomp-valid.json" + + privileges, err := o.ToPrivileges(flags) + assert.ErrorContains(t, err, "unknown seccomp mode") + t.Logf("%s", err) + assert.Check(t, is.Nil(privileges)) + assert.Check(t, !strings.Contains(err.Error(), "did you mean")) +} + +func TestToPrivilegesNoNewPrivileges(t *testing.T) { + flags := newCreateCommand(nil).Flags() + flags.Set("no-new-privileges", "true") + o := newServiceOptions() + o.noNewPrivileges = true + + privileges, err := o.ToPrivileges(flags) + assert.NilError(t, err) + assert.Check(t, is.DeepEqual(privileges, &swarm.Privileges{NoNewPrivileges: true})) +} diff --git a/cli/command/service/testdata/test-seccomp-valid.json b/cli/command/service/testdata/test-seccomp-valid.json new file mode 100644 index 000000000000..521aa8eddb4f --- /dev/null +++ b/cli/command/service/testdata/test-seccomp-valid.json @@ -0,0 +1,3 @@ +{ + "json": "you betcha" +} diff --git a/docs/reference/commandline/service_create.md b/docs/reference/commandline/service_create.md index d059f141831c..afd1de2aff1e 100644 --- a/docs/reference/commandline/service_create.md +++ b/docs/reference/commandline/service_create.md @@ -7,6 +7,7 @@ Create a new service | Name | Type | Default | Description | |:----------------------------------------------------|:------------------|:-------------|:----------------------------------------------------------------------------------------------------| +| `--apparmor` | `string` | | AppArmor mode (`default` or `disabled` | | `--cap-add` | `list` | | Add Linux capabilities | | `--cap-drop` | `list` | | Drop Linux capabilities | | [`--config`](#config) | `config` | | Specify configurations to expose to the service | @@ -45,6 +46,7 @@ Create a new service | `--name` | `string` | | Service name | | [`--network`](#network) | `network` | | Network attachments | | `--no-healthcheck` | `bool` | | Disable any container-specified HEALTHCHECK | +| `--no-new-privileges` | `bool` | | Disable container processes from gaining new privileges | | `--no-resolve-image` | `bool` | | Do not query the registry to resolve image digest and supported platforms | | `--oom-score-adj` | `int64` | `0` | Tune host's OOM preferences (-1000 to 1000) | | [`--placement-pref`](#placement-pref) | `pref` | | Add a placement preference | @@ -65,6 +67,7 @@ Create a new service | `--rollback-monitor` | `duration` | `0s` | Duration after each task rollback to monitor for failure (ns\|us\|ms\|s\|m\|h) (default 5s) | | `--rollback-order` | `string` | | Rollback order (`start-first`, `stop-first`) (default `stop-first`) | | `--rollback-parallelism` | `uint64` | `1` | Maximum number of tasks rolled back simultaneously (0 to roll back all at once) | +| `--seccomp` | `string` | | Seccomp configuration (`default`, `unconfined`, or a path to a json custom seccomp profile) | | [`--secret`](#secret) | `secret` | | Specify secrets to expose to the service | | `--stop-grace-period` | `duration` | | Time to wait before force killing a container (ns\|us\|ms\|s\|m\|h) (default 10s) | | `--stop-signal` | `string` | | Signal to stop the container | diff --git a/docs/reference/commandline/service_update.md b/docs/reference/commandline/service_update.md index f3564bcc1f24..ac4d7f19139a 100644 --- a/docs/reference/commandline/service_update.md +++ b/docs/reference/commandline/service_update.md @@ -7,6 +7,7 @@ Update a service | Name | Type | Default | Description | |:----------------------------------------------|:------------------|:--------|:----------------------------------------------------------------------------------------------------| +| `--apparmor` | `string` | | AppArmor mode (`default` or `disabled` | | `--args` | `command` | | Service command args | | `--cap-add` | `list` | | Add Linux capabilities | | `--cap-drop` | `list` | | Drop Linux capabilities | @@ -58,6 +59,7 @@ Update a service | [`--network-add`](#network-add) | `network` | | Add a network | | `--network-rm` | `list` | | Remove a network | | `--no-healthcheck` | `bool` | | Disable any container-specified HEALTHCHECK | +| `--no-new-privileges` | `bool` | | Disable container processes from gaining new privileges | | `--no-resolve-image` | `bool` | | Do not query the registry to resolve image digest and supported platforms | | `--oom-score-adj` | `int64` | `0` | Tune host's OOM preferences (-1000 to 1000) | | `--placement-pref-add` | `pref` | | Add a placement preference | @@ -81,6 +83,7 @@ Update a service | `--rollback-monitor` | `duration` | `0s` | Duration after each task rollback to monitor for failure (ns\|us\|ms\|s\|m\|h) | | `--rollback-order` | `string` | | Rollback order (`start-first`, `stop-first`) | | `--rollback-parallelism` | `uint64` | `0` | Maximum number of tasks rolled back simultaneously (0 to roll back all at once) | +| `--seccomp` | `string` | | Seccomp configuration (`default`, `unconfined`, or a path to a json custom seccomp profile) | | [`--secret-add`](#secret-add) | `secret` | | Add or update a secret on a service | | `--secret-rm` | `list` | | Remove a secret | | `--stop-grace-period` | `duration` | | Time to wait before force killing a container (ns\|us\|ms\|s\|m\|h) |