From 6d2dbbc973c24875c53c0558aa1d6f6a57d1a3ed Mon Sep 17 00:00:00 2001
From: zhouhao
Date: Wed, 11 Oct 2017 14:05:08 +0800
Subject: [PATCH 1/2] runtimetest: fix nil deference
Signed-off-by: zhouhao
---
 cmd/runtimetest/main.go | 50 ++++++++++++++++++++++++++++++++++----------------
 1 file changed, 34 insertions(+), 16 deletions(-)
diff --git a/cmd/runtimetest/main.go b/cmd/runtimetest/main.go
index 39484f27f..ec6481b21 100644
--- a/cmd/runtimetest/main.go
+++ b/cmd/runtimetest/main.go
@@ -105,6 +105,10 @@ func validateGeneralProcess(spec *rspec.Spec) error {
 }
 func validateLinuxProcess(spec *rspec.Spec) error {
+ if spec.Process == nil {
+ return nil
+ }
+
 validateGeneralProcess(spec)
 uid := os.Getuid()
@@ -162,6 +166,10 @@ func validateLinuxProcess(spec *rspec.Spec) error {
 }
 func validateCapabilities(spec *rspec.Spec) error {
+ if spec.Process == nil || spec.Process.Capabilities == nil {
+ return nil
+ }
+
 last := capability.CAP_LAST_CAP
 // workaround for RHEL6 which has no /proc/sys/kernel/cap_last_cap
 if last == capability.Cap(63) {
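Review bot: The call `validateGeneralProcess(spec)` directly below the new guard in validateLinuxProcess discards the function's `error` result, so a failure found by the general process checks is not reported from this path. Since the hunk header shows the function returns `error`, I would propagate it: `if err := validateGeneralProcess(spec); err != nil { return err }`. Whether validateGeneralProcess is also run from somewhere else cannot be seen here, and the rest of validateLinuxProcess lies outside the hunk.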
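Review bot: The new guard in validateCapabilities also returns early when `spec.Process.Capabilities` is nil, whereas the wrapper removed in the following hunk (`if spec.Process.Capabilities != nil {`) let that case continue into the `capability.List()` loop with empty expected sets. If that loop, whose body is outside the hunks, reports capabilities the process holds but the config does not list, a runtime that leaves capabilities in place when the config omits them would now pass the test unnoticed. Guarding only the dereference that can panic, `if spec.Process == nil { return nil }`, and keeping the inner nil check would fix the crash without dropping that comparison. The validateDefaultDevices hunk has the same shape: only `spec.Process.Terminal` needs the guard, so `if spec.Process != nil && spec.Process.Terminal {` would keep whatever device checks follow outside the hunk running when Process is absent.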
@@ -178,22 +186,20 @@ func validateCapabilities(spec *rspec.Spec) error {
 expectedCaps3 := make(map[string]bool)
 expectedCaps4 := make(map[string]bool)
 expectedCaps5 := make(map[string]bool)
- if spec.Process.Capabilities != nil {
- for _, ec := range spec.Process.Capabilities.Bounding {
- expectedCaps1[ec] = true
- }
- for _, ec := range spec.Process.Capabilities.Effective {
- expectedCaps2[ec] = true
- }
- for _, ec := range spec.Process.Capabilities.Inheritable {
- expectedCaps3[ec] = true
- }
- for _, ec := range spec.Process.Capabilities.Permitted {
- expectedCaps4[ec] = true
- }
- for _, ec := range spec.Process.Capabilities.Ambient {
- expectedCaps5[ec] = true
- }
+ for _, ec := range spec.Process.Capabilities.Bounding {
+ expectedCaps1[ec] = true
+ }
+ for _, ec := range spec.Process.Capabilities.Effective {
+ expectedCaps2[ec] = true
+ }
+ for _, ec := range spec.Process.Capabilities.Inheritable {
+ expectedCaps3[ec] = true
+ }
+ for _, ec := range spec.Process.Capabilities.Permitted {
+ expectedCaps4[ec] = true
+ }
+ for _, ec := range spec.Process.Capabilities.Ambient {
+ expectedCaps5[ec] = true
 }
 for _, cap := range capability.List() {
@@ -259,6 +265,10 @@ func validateHostname(spec *rspec.Spec) error {
 }
 func validateRlimits(spec *rspec.Spec) error {
+ if spec.Process == nil {
+ return nil
+ }
+
 for _, r := range spec.Process.Rlimits {
 rl, err := strToRlimit(r.Type)
 if err != nil {
@@ -311,6 +321,10 @@ func testWriteAccess(path string) error {
 }
 func validateRootFS(spec *rspec.Spec) error {
+ if spec.Root == nil {
+ return nil
+ }
+
 if spec.Root.Readonly {
 err := testWriteAccess("/")
 if err == nil {
@@ -422,6 +436,10 @@ func validateDefaultSymlinks(spec *rspec.Spec) error {
 }
 func validateDefaultDevices(spec *rspec.Spec) error {
+ if spec.Process == nil {
+ return nil
+ }
+
 if spec.Process.Terminal {
 defaultDevices = append(defaultDevices, "/dev/console")
 }
From 19b061c3603aa0053a236fc30acdd9653c60d071 Mon Sep 17 00:00:00 2001
From: zhouhao
Date: Thu, 12 Oct 2017 12:53:53 +0800
Subject: [PATCH 2/2] generate: fix nil deference
Signed-off-by: zhouhao
---
 generate/generate.go | 25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)
diff --git a/generate/generate.go b/generate/generate.go
index 754cca26f..d6a4d74c6 100644
--- a/generate/generate.go
+++ b/generate/generate.go
@@ -398,7 +398,7 @@ func (g *Generator) SetProcessArgs(args []string) {
 // ClearProcessEnv clears g.spec.Process.Env.
 func (g *Generator) ClearProcessEnv() {
- if g.spec == nil {
+ if g.spec == nil || g.spec.Process == nil {
 return
 }
 g.spec.Process.Env = []string{}
@@ -440,7 +440,7 @@ func (g *Generator) AddProcessRlimits(rType string, rHard uint64, rSoft uint64)
 // RemoveProcessRlimits removes a rlimit from g.spec.Process.Rlimits.
 func (g *Generator) RemoveProcessRlimits(rType string) error {
- if g.spec == nil {
+ if g.spec == nil || g.spec.Process == nil {
 return nil
 }
 for i, rlimit := range g.spec.Process.Rlimits {
@@ -454,7 +454,7 @@ func (g *Generator) RemoveProcessRlimits(rType string) error {
 // ClearProcessRlimits clear g.spec.Process.Rlimits.
 func (g *Generator) ClearProcessRlimits() {
- if g.spec == nil {
+ if g.spec == nil || g.spec.Process == nil {
 return
 }
 g.spec.Process.Rlimits = []rspec.POSIXRlimit{}
@@ -462,7 +462,7 @@ func (g *Generator) ClearProcessRlimits() {
 // ClearProcessAdditionalGids clear g.spec.Process.AdditionalGids.
 func (g *Generator) ClearProcessAdditionalGids() {
- if g.spec == nil {
+ if g.spec == nil || g.spec.Process == nil {
 return
 }
 g.spec.Process.User.AdditionalGids = []uint32{}
@@ -737,10 +737,7 @@ func (g *Generator) SetLinuxRootPropagation(rp string) error {
 // ClearPreStartHooks clear g.spec.Hooks.Prestart.
 func (g *Generator) ClearPreStartHooks() {
- if g.spec == nil {
- return
- }
- if g.spec.Hooks == nil {
+ if g.spec == nil || g.spec.Hooks == nil {
 return
 }
 g.spec.Hooks.Prestart = []rspec.Hook{}
@@ -787,10 +784,7 @@ func (g *Generator) AddPreStartHookTimeout(path string, timeout int) {
 // ClearPostStopHooks clear g.spec.Hooks.Poststop.
 func (g *Generator) ClearPostStopHooks() {
- if g.spec == nil {
- return
- }
- if g.spec.Hooks == nil {
+ if g.spec == nil || g.spec.Hooks == nil {
 return
 }
 g.spec.Hooks.Poststop = []rspec.Hook{}
@@ -837,10 +831,7 @@ func (g *Generator) AddPostStopHookTimeout(path string, timeout int) {
 // ClearPostStartHooks clear g.spec.Hooks.Poststart.
 func (g *Generator) ClearPostStartHooks() {
- if g.spec == nil {
- return
- }
- if g.spec.Hooks == nil {
+ if g.spec == nil || g.spec.Hooks == nil {
 return
 }
 g.spec.Hooks.Poststart = []rspec.Hook{}
@@ -976,7 +967,7 @@ func (g *Generator) SetupPrivileged(privileged bool) {
 // ClearProcessCapabilities clear g.spec.Process.Capabilities.
 func (g *Generator) ClearProcessCapabilities() {
- if g.spec == nil {
+ if g.spec == nil || g.spec.Process == nil || g.spec.Process.Capabilities == nil {
 return
 }
 g.spec.Process.Capabilities.Bounding = []string{}
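Review bot: With the widened guard, ClearProcessCapabilities does nothing when `g.spec.Process.Capabilities` is nil, so the generated config is left without a capabilities object rather than with explicitly empty sets, and the doc comment does not mention this. How a runtime treats an absent capabilities object is not visible here and may differ from empty sets, so a caller relying on this method to drop every capability could get a different result than intended. I would state the behaviour in the comment, e.g. `// ClearProcessCapabilities clears g.spec.Process.Capabilities; it does nothing when Process or Capabilities is unset.` The function body continues past the end of the hunk.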