Use lastest OCI runtime-spec

The runtime-spec changes were already merged in this PR:
        opencontainers/runtime-spec#1074

To reference the new merge commit with the latest fixes I just run:
	go get 'github.com/opencontainers/runtime-spec@9c848d91e8cf872e7453296832d66de6325e1e25
        go mod vendor

And commited the changes.

I also update the code to match the new spec. While doing that, I
rewrote the code to close fds in _most_ cases. It is tricky to close
them before we have a reference to the `fds` slice, so that is left as a
follow-up improvement.

Signed-off-by: Rodrigo Campos <[email protected]>

Author: rata

go.mod

@@ -5,7 +5,7 @@ go 1.15
 require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-cmp v0.5.4 // indirect
-	github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d
+	github.com/opencontainers/runtime-spec v1.0.3-0.20210319114652-9c848d91e8cf
 	github.com/seccomp/libseccomp-golang v0.9.1
 	github.com/sirupsen/logrus v1.7.0
 	golang.org/x/net v0.0.0-20201224014010-6772e930b67b // indirect
@@ -17,6 +17,4 @@ require (
 	k8s.io/klog/v2 v2.6.0 // indirect
 )
 
-replace github.com/opencontainers/runtime-spec => github.com/kinvolk/runtime-spec v1.0.2-0.20201110202115-2755fc508653
-
 replace github.com/seccomp/libseccomp-golang => github.com/kinvolk/libseccomp-golang v0.9.2-0.20201113182948-883917843313

go.sum

@@ -143,8 +143,6 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kinvolk/libseccomp-golang v0.9.2-0.20201113182948-883917843313 h1:Yksjjb26OqF2mRph6uc7HUJA3p/UqbehaxfV9g1wx2k=
 github.com/kinvolk/libseccomp-golang v0.9.2-0.20201113182948-883917843313/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-github.com/kinvolk/runtime-spec v1.0.2-0.20201110202115-2755fc508653 h1:amSDd4i3F4aNzi9TmDRDjW31ZQ6T9LN1lXVOazoTjQ8=
-github.com/kinvolk/runtime-spec v1.0.2-0.20201110202115-2755fc508653/go.mod h1:x0jDMgm6GEAbohE2lugQZrRwSe07FpeoUJm9jP2a5Sk=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -172,6 +170,8 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/opencontainers/runtime-spec v1.0.3-0.20210319114652-9c848d91e8cf h1:mLvxOVCb87NHTjM+IYwG2xtYtdaC8zjix+yqDx0Av/Q=
+github.com/opencontainers/runtime-spec v1.0.3-0.20210319114652-9c848d91e8cf/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

pkg/agent/agent.go

@@ -30,6 +30,56 @@ import (
 	"github.com/kinvolk/seccompagent/pkg/registry"
 )
 
+func closeStateFds(recvFds []int) {
+	// If performance becomes an issue, we can fallback to the new syscall closerange().
+	for i := range recvFds {
+		// Ignore the return code. There isn't anything better to do.
+		unix.Close(i)
+	}
+}
+
+// parseContainerProcessState returns the seccomp-fd and closes the rest of the fds in recvFds.
+// In case of error, no fd is closed.
+// StateFds is assumed to be formated as specs.ContainerProcessState.Fds and
+// recvFds the corresponding list of received fds in the same SCM_RIGHT message.
+func parseStateFds(stateFds []string, recvFds []int) (uintptr, error) {
+	// Lets find the index in stateFds of the seccomp-fd.
+	idx := -1
+	err := false
+
+	for i, name := range stateFds {
+		if name == specs.SeccompFdName && idx == -1 {
+			idx = i
+			continue
+		}
+
+		// We found the seccompFdName two times. Error out!
+		if name == specs.SeccompFdName && idx != -1 {
+			err = true
+		}
+	}
+
+	if idx == -1 || err {
+		return 0, fmt.Errorf("seccomp fd not found or malformed containerProcessState.Fds")
+	}
+
+	if idx >= len(recvFds) || idx < 0 {
+		return 0, fmt.Errorf("seccomp fd index out of range")
+	}
+
+	fd := uintptr(recvFds[idx])
+
+	for i := range recvFds {
+		if i == idx {
+			continue
+		}
+
+		unix.Close(recvFds[i])
+	}
+
+	return fd, nil
+}
+
 func receiveNewSeccompFile(resolver registry.ResolverFunc, sockfd int) (*registry.Registry, *os.File, error) {
 	MaxNameLen := 4096
 
@@ -56,16 +106,6 @@ func receiveNewSeccompFile(resolver registry.ResolverFunc, sockfd int) (*registr
 	stateBuf = stateBuf[:n]
 	oob = oob[:oobn]
 
-	containerProcessState := &specs.ContainerProcessState{}
-	err = json.Unmarshal(stateBuf, containerProcessState)
-	if err != nil {
-		return nil, nil, fmt.Errorf("cannot parse OCI state: %v\n", err)
-	}
-	seccompFdIndex, ok := containerProcessState.FdIndexes["seccompFd"]
-	if !ok || seccompFdIndex < 0 {
-		return nil, nil, fmt.Errorf("recvfd: didn't receive seccomp fd")
-	}
-
 	scms, err := unix.ParseSocketControlMessage(oob)
 	if err != nil {
 		return nil, nil, err
@@ -75,14 +115,28 @@ func receiveNewSeccompFile(resolver registry.ResolverFunc, sockfd int) (*registr
 	}
 	scm := scms[0]
 
+	// The fds are added just after executing recvmsg(). So, since then
+	// until here, if we return, we are leaking fds.
+	// However, it is tricky to close the fds before we have a reference to
+	// the fds slice, that we create just here.
+	// TODO: Close fds if we return before this too.
 	fds, err := unix.ParseUnixRights(&scm)
 	if err != nil {
 		return nil, nil, err
 	}
-	if seccompFdIndex >= len(fds) {
-		return nil, nil, fmt.Errorf("recvfd: number of fds is %d and seccompFdIndex is %d", len(fds), seccompFdIndex)
+
+	containerProcessState := &specs.ContainerProcessState{}
+	err = json.Unmarshal(stateBuf, containerProcessState)
+	if err != nil {
+		closeStateFds(fds)
+		return nil, nil, fmt.Errorf("cannot parse OCI state: %v\n", err)
+	}
+
+	fd, err := parseStateFds(containerProcessState.Fds, fds)
+	if err != nil {
+		closeStateFds(fds)
+		return nil, nil, err
 	}
-	fd := uintptr(fds[seccompFdIndex])
 
 	log.WithFields(log.Fields{
 		"fd":          fd,
@@ -92,12 +146,6 @@ func receiveNewSeccompFile(resolver registry.ResolverFunc, sockfd int) (*registr
 		"annotations": containerProcessState.State.Annotations,
 	}).Debug("New seccomp fd received on socket")
 
-	for i := 0; i < len(fds); i++ {
-		if i != seccompFdIndex {
-			unix.Close(fds[i])
-		}
-	}
-
 	var reg *registry.Registry
 	if resolver != nil {
 		reg = resolver(containerProcessState)

vendor/github.com/opencontainers/runtime-spec/specs-go/config.go

@@ -26,7 +26,7 @@ github.com/json-iterator/go
 github.com/modern-go/concurrent
 # github.com/modern-go/reflect2 v1.0.1
 github.com/modern-go/reflect2
-# github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d => github.com/kinvolk/runtime-spec v1.0.2-0.20201110202115-2755fc508653
+# github.com/opencontainers/runtime-spec v1.0.3-0.20210319114652-9c848d91e8cf
 ## explicit
 github.com/opencontainers/runtime-spec/specs-go
 # github.com/seccomp/libseccomp-golang v0.9.1 => github.com/kinvolk/libseccomp-golang v0.9.2-0.20201113182948-883917843313
@@ -258,5 +258,4 @@ k8s.io/utils/integer
 sigs.k8s.io/structured-merge-diff/v4/value
 # sigs.k8s.io/yaml v1.2.0
 sigs.k8s.io/yaml
-# github.com/opencontainers/runtime-spec => github.com/kinvolk/runtime-spec v1.0.2-0.20201110202115-2755fc508653
 # github.com/seccomp/libseccomp-golang => github.com/kinvolk/libseccomp-golang v0.9.2-0.20201113182948-883917843313