refs #1: Adopt gobwas/glob package for flexible path patterns

Author: achimnol

Dockerfile

@@ -2,9 +2,10 @@ FROM golang:1.8-alpine
 # This container is for daily development.
 
 RUN apk add --no-cache build-base git libseccomp-dev linux-headers
-RUN go get github.com/seccomp/libseccomp-golang
-RUN go get github.com/fatih/color
-RUN go get gopkg.in/yaml.v2
+RUN go get github.com/seccomp/libseccomp-golang && \
+    go get github.com/fatih/color && \
+    go get github.com/gobwas/glob && \
+    go get gopkg.in/yaml.v2
 
 # When running this image, mount the working copy root to
 # /go/src/github.com/lablup/sorna-jail

Dockerfile.builder-manylinux

@@ -4,6 +4,7 @@ RUN echo "deb http://ftp.debian.org/debian jessie-backports main" > /etc/apt/sou
     && apt update && apt -t jessie-backports install -y libseccomp-dev
 RUN go get -u github.com/fatih/color && \
     go get -u github.com/seccomp/libseccomp-golang && \
+    go get -u github.com/gobwas/glob && \
     go get -u gopkg.in/yaml.v2
 CMD ["make", "inside-container"]
 

Dockerfile.builder-musllinux

@@ -2,6 +2,7 @@ FROM golang:1.8-alpine
 RUN apk add --no-cache build-base libseccomp-dev git linux-headers
 RUN go get -u github.com/fatih/color && \
     go get -u github.com/seccomp/libseccomp-golang && \
+    go get -u github.com/gobwas/glob && \
     go get -u gopkg.in/yaml.v2
 CMD ["make", "inside-container"]
 

example_policy.yml

@@ -3,11 +3,11 @@
 #  - https://filippo.io/linux-syscall-table/
 
 whitelist_paths:
-  OP_OPEN: []
-  OP_ACCESS: []
-  OP_EXEC: []
-  OP_STAT: []
-  OP_CHMOD: ["/home/work/", "/tmp/"]
+  OP_OPEN: ["*"]
+  OP_ACCESS: ["*"]
+  OP_EXEC: ["*"]
+  OP_STAT: ["*"]
+  OP_CHMOD: ["/home/work/*", "/tmp/*"]
 exec_allowance: 0
 fork_allowance: -1
 max_child_procs: 32

policy/filebased.go

@@ -3,9 +3,8 @@ package policy
 import (
 	"io/ioutil"
 	"log"
-	"strings"
 
-	"gopkg.in/yaml.v2"
+	yaml "gopkg.in/yaml.v2"
 )
 
 type FileBasedPolicy struct {
@@ -14,22 +13,12 @@ type FileBasedPolicy struct {
 }
 
 func (p FileBasedPolicy) CheckPathOp(path string, op PathOps, mode int) bool {
-	var allow bool
-	switch op {
-	case OP_CHMOD:
-		allow = false
-		for _, prefix := range p.conf.WhitelistPaths[op] {
-			if strings.HasPrefix(path, prefix) {
-				allow = true
-				break
-			}
+	for _, matcher := range p.conf.WhitelistPaths[op] {
+		if matcher.Match(path) {
+			return true
 		}
-	case OP_EXEC:
-		allow = true
-	default:
-		allow = true
 	}
-	return allow
+	return false
 }
 
 func (p FileBasedPolicy) GetExecAllowance() int {

policy/interfaces.go

@@ -2,6 +2,8 @@ package policy
 
 import (
 	"fmt"
+
+	glob "github.com/gobwas/glob"
 )
 
 type SandboxPolicy interface {
@@ -39,15 +41,33 @@ func (o *PathOps) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	return nil
 }
 
+type PatternMatcher struct {
+	glob.Glob
+}
+
+func (p *PatternMatcher) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	var raw string
+	var err error
+	if err = unmarshal(&raw); err != nil {
+		return err
+	}
+	var g glob.Glob
+	if g, err = glob.Compile(raw); err != nil {
+		return err
+	}
+	*p = PatternMatcher{g}
+	return nil
+}
+
 type PolicyConf struct {
-	WhitelistPaths   map[PathOps][]string `yaml:"whitelist_paths"`
-	ExecAllowance    int                  `yaml:"exec_allowance"`
-	ForkAllowance    int                  `yaml:"fork_allowance"`
-	MaxChildProcs    uint                 `yaml:"max_child_procs"`
-	ExtraEnvs        []string             `yaml:"extra_envs"`
-	PreservedEnvKeys []string             `yaml:"preserved_env_keys"`
-	TracedSyscalls   []string             `yaml:"traced_syscalls"`
-	AllowedSyscalls  []string             `yaml:"allowed_syscalls"`
+	WhitelistPaths   map[PathOps][]PatternMatcher `yaml:"whitelist_paths"`
+	ExecAllowance    int                          `yaml:"exec_allowance"`
+	ForkAllowance    int                          `yaml:"fork_allowance"`
+	MaxChildProcs    uint                         `yaml:"max_child_procs"`
+	ExtraEnvs        []string                     `yaml:"extra_envs"`
+	PreservedEnvKeys []string                     `yaml:"preserved_env_keys"`
+	TracedSyscalls   []string                     `yaml:"traced_syscalls"`
+	AllowedSyscalls  []string                     `yaml:"allowed_syscalls"`
 }
 
 var defaultConf PolicyConf
@@ -64,12 +84,12 @@ func init() {
 		"OP_STAT":   OP_STAT,
 		"OP_CHMOD":  OP_CHMOD,
 	}
-	defaultConf.WhitelistPaths = map[PathOps][]string{
-		OP_OPEN:   []string{},
-		OP_ACCESS: []string{},
-		OP_EXEC:   []string{},
-		OP_STAT:   []string{},
-		OP_CHMOD:  []string{"/home/work/", "/tmp/"},
+	defaultConf.WhitelistPaths = map[PathOps][]PatternMatcher{
+		OP_OPEN:   []PatternMatcher{PatternMatcher{glob.MustCompile("*")}},
+		OP_ACCESS: []PatternMatcher{PatternMatcher{glob.MustCompile("*")}},
+		OP_EXEC:   []PatternMatcher{PatternMatcher{glob.MustCompile("*")}},
+		OP_STAT:   []PatternMatcher{PatternMatcher{glob.MustCompile("*")}},
+		OP_CHMOD:  []PatternMatcher{PatternMatcher{glob.MustCompile("/home/work/*")}, PatternMatcher{glob.MustCompile("/tmp/*")}},
 	}
 	defaultConf.ExecAllowance = 0
 	defaultConf.ForkAllowance = -1

policy/julia.go

@@ -1,27 +1,15 @@
 package policy
 
-import (
-	"strings"
-)
-
 type JuliaPolicy struct {
 }
 
 func (p JuliaPolicy) CheckPathOp(path string, op PathOps, mode int) bool {
-	var allow bool
-	switch op {
-	case OP_CHMOD:
-		allow = false
-		for _, prefix := range defaultConf.WhitelistPaths[op] {
-			if strings.HasPrefix(path, prefix) {
-				allow = true
-				break
-			}
+	for _, matcher := range defaultConf.WhitelistPaths[op] {
+		if matcher.Match(path) {
+			return true
 		}
-	default:
-		allow = true
 	}
-	return allow
+	return false
 }
 
 func (p JuliaPolicy) GetExecAllowance() int {

policy/python-tensorflow.go

@@ -1,27 +1,15 @@
 package policy
 
-import (
-	"strings"
-)
-
 type PythonTensorFlowPolicy struct {
 }
 
 func (p PythonTensorFlowPolicy) CheckPathOp(path string, op PathOps, mode int) bool {
-	var allow bool
-	switch op {
-	case OP_CHMOD:
-		allow = false
-		for _, prefix := range defaultConf.WhitelistPaths[op] {
-			if strings.HasPrefix(path, prefix) {
-				allow = true
-				break
-			}
+	for _, matcher := range defaultConf.WhitelistPaths[op] {
+		if matcher.Match(path) {
+			return true
 		}
-	default:
-		allow = true
 	}
-	return allow
+	return false
 }
 
 func (p PythonTensorFlowPolicy) GetExecAllowance() int {

policy/python.go

@@ -1,21 +1,15 @@
 package policy
 
-import (
-	"strings"
-)
-
 type PythonPolicy struct {
 }
 
 func (p PythonPolicy) CheckPathOp(path string, op PathOps, mode int) bool {
-	var allow bool
-	switch op {
-	case OP_CHMOD:
-		allow = strings.HasPrefix(path, "/home/work/")
-	default:
-		allow = true
+	for _, matcher := range defaultConf.WhitelistPaths[op] {
+		if matcher.Match(path) {
+			return true
+		}
 	}
-	return allow
+	return false
 }
 
 func (p PythonPolicy) GetExecAllowance() int {