security entitlement support

Signed-off-by: Kunal Kushwaha <[email protected]>

Author: kunalkushwaha

api/services/control/control.proto

@@ -62,11 +62,7 @@ message SolveRequest {
 	string Frontend = 6;
 	map<string, string> FrontendAttrs = 7;
 	CacheOptions Cache = 8 [(gogoproto.nullable) = false];
-<<<<<<< af46188e9b3e8c78cfee8a223919498680276122
 	repeated string Entitlements = 9 [(gogoproto.customtype) = "github.com/moby/buildkit/util/entitlements.Entitlement" ];
-=======
-	repeated string Entitlements = 9 [(gogoproto.customtype) = "github.com/moby/buildkit/util/entitlements.Entitlement"];
->>>>>>> proto defination
 }
 
 message CacheOptions {

client/llb/exec.go

@@ -18,6 +18,7 @@ type Meta struct {
 	ProxyEnv   *ProxyEnv
 	ExtraHosts []HostIP
 	Network    pb.NetMode
+	Security   pb.SecMode
 }
 
 func NewExecOp(root Output, meta Meta, readOnly bool, c Constraints) *ExecOp {
@@ -526,3 +527,8 @@ const (
 	NetModeHost    = pb.NetMode_HOST
 	NetModeNone    = pb.NetMode_NONE
 )
+
+const (
+	SecurityModeUnconfined = pb.SecMode_UNCONFINED
+	SecurityModeConfined   = pb.SecMode_CONFINED
+)

client/llb/meta.go

@@ -21,6 +21,7 @@ var (
 	keyExtraHost = contextKeyT("llb.exec.extrahost")
 	keyPlatform  = contextKeyT("llb.platform")
 	keyNetwork   = contextKeyT("llb.network")
+	keySecurity  = contextKeyT("llb.security")
 )
 
 func addEnv(key, value string) StateOption {
@@ -152,7 +153,6 @@ func network(v pb.NetMode) StateOption {
 		return s.WithValue(keyNetwork, v)
 	}
 }
-
 func getNetwork(s State) pb.NetMode {
 	v := s.Value(keyNetwork)
 	if v != nil {
@@ -162,6 +162,20 @@ func getNetwork(s State) pb.NetMode {
 	return NetModeSandbox
 }
 
+func security(v pb.SecMode) StateOption {
+	return func(s State) State {
+		return s.WithValue(keySecurity, v)
+	}
+}
+func getSecurity(s State) pb.SecMode {
+	v := s.Value(keySecurity)
+	if v != nil {
+		n := v.(pb.SecMode)
+		return n
+	}
+	return SecurityModeConfined
+}
+
 type EnvList []KeyValue
 
 type KeyValue struct {

client/llb/state.go

@@ -189,6 +189,7 @@ func (s State) Run(ro ...RunOption) ExecState {
 		ProxyEnv:   ei.ProxyEnv,
 		ExtraHosts: getExtraHosts(ei.State),
 		Network:    getNetwork(ei.State),
+		Security:   getSecurity(ei.State),
 	}
 
 	exec := NewExecOp(s.Output(), meta, ei.ReadonlyRootFS, ei.Constraints)
@@ -257,6 +258,13 @@ func (s State) Network(n pb.NetMode) State {
 func (s State) GetNetwork() pb.NetMode {
 	return getNetwork(s)
 }
+func (s State) Security(n pb.SecMode) State {
+	return security(n)(s)
+}
+
+func (s State) GetSecurity() pb.SecMode {
+	return getSecurity(s)
+}
 
 func (s State) With(so ...StateOption) State {
 	for _, o := range so {

executor/containerdexecutor/executor.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/cio"
-	"github.com/containerd/containerd/contrib/seccomp"
 	containerdoci "github.com/containerd/containerd/oci"
 	"github.com/moby/buildkit/cache"
 	"github.com/moby/buildkit/executor"
@@ -17,7 +16,6 @@ import (
 	"github.com/moby/buildkit/snapshot"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/network"
-	"github.com/moby/buildkit/util/system"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -105,9 +103,7 @@ func (w containerdExecutor) Exec(ctx context.Context, meta executor.Meta, root c
 	if meta.ReadonlyRootFS {
 		opts = append(opts, containerdoci.WithRootFSReadonly())
 	}
-	if system.SeccompSupported() {
-		opts = append(opts, seccomp.WithDefaultProfile())
-	}
+
 	spec, cleanup, err := oci.GenerateSpec(ctx, meta, mounts, id, resolvConf, hostsFile, meta.NetMode == pb.NetMode_HOST, opts...)
 	if err != nil {
 		return err

executor/executor.go

@@ -18,6 +18,7 @@ type Meta struct {
 	ReadonlyRootFS bool
 	ExtraHosts     []HostIP
 	NetMode        pb.NetMode
+	SecMode        pb.SecMode
 }
 
 type Mount struct {

executor/oci/spec_unix.go

@@ -8,12 +8,16 @@ import (
 	"sync"
 
 	"github.com/containerd/containerd/containers"
+	"github.com/containerd/containerd/contrib/seccomp"
 	"github.com/containerd/containerd/mount"
 	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/containerd/oci"
 	"github.com/mitchellh/hashstructure"
 	"github.com/moby/buildkit/executor"
 	"github.com/moby/buildkit/snapshot"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/entitlements"
+	"github.com/moby/buildkit/util/system"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 )
@@ -34,12 +38,22 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
 		opts = append(opts, oci.WithHostNamespace(specs.NetworkNamespace))
 	}
 
+	if system.SeccompSupported() {
+		if meta.SecMode == pb.SecMode_CONFINED {
+			opts = append(opts, seccomp.WithDefaultProfile())
+		}
+		if meta.SecMode == pb.SecMode_UNCONFINED {
+			opts = append(opts, entitlements.WithDefaultAdminProfile())
+		}
+	}
+
 	// Note that containerd.GenerateSpec is namespaced so as to make
 	// specs.Linux.CgroupsPath namespaced
 	s, err := oci.GenerateSpec(ctx, nil, c, opts...)
 	if err != nil {
 		return nil, nil, err
 	}
+
 	s.Process.Args = meta.Args
 	s.Process.Env = meta.Env
 	s.Process.Cwd = meta.Cwd

executor/runcexecutor/executor.go

@@ -13,7 +13,6 @@ import (
 	"sync"
 	"syscall"
 
-	"github.com/containerd/containerd/contrib/seccomp"
 	"github.com/containerd/containerd/mount"
 	containerdoci "github.com/containerd/containerd/oci"
 	"github.com/containerd/continuity/fs"
@@ -25,7 +24,6 @@ import (
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/network"
 	rootlessspecconv "github.com/moby/buildkit/util/rootless/specconv"
-	"github.com/moby/buildkit/util/system"
 	runcsystem "github.com/opencontainers/runc/libcontainer/system"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
@@ -181,9 +179,7 @@ func (w *runcExecutor) Exec(ctx context.Context, meta executor.Meta, root cache.
 	defer f.Close()
 
 	opts := []containerdoci.SpecOpts{oci.WithUIDGID(uid, gid, sgids)}
-	if system.SeccompSupported() {
-		opts = append(opts, seccomp.WithDefaultProfile())
-	}
+
 	if meta.ReadonlyRootFS {
 		opts = append(opts, containerdoci.WithRootFSReadonly())
 	}

frontend/dockerfile/builder/build.go

@@ -471,3 +471,17 @@ func parseNetMode(v string) (pb.NetMode, error) {
 		return 0, errors.Errorf("invalid netmode %s", v)
 	}
 }
+
+func parseSecMode(v string) (pb.SecMode, error) {
+	if v == "" {
+		return llb.SecurityModeConfined, nil
+	}
+	switch v {
+	case "confined":
+		return llb.SecurityModeConfined, nil
+	case "unconfined":
+		return llb.SecurityModeUnconfined, nil
+	default:
+		return 0, errors.Errorf("invalid secmode %s", v)
+	}
+}

frontend/dockerfile/dockerfile2llb/convert.go

@@ -55,6 +55,7 @@ type ConvertOpt struct {
 	PrefixPlatform   bool
 	ExtraHosts       []llb.HostIP
 	ForceNetMode     pb.NetMode
+	ForceSecMode     pb.SecMode
 }
 
 func Dockerfile2LLB(ctx context.Context, dt []byte, opt ConvertOpt) (*llb.State, *Image, error) {