From 686984c344a0ea90f4ecc32c0201ba4b87393214 Mon Sep 17 00:00:00 2001
From: infiniteregrets
Date: Thu, 6 Oct 2022 01:36:15 -0400
Subject: [PATCH 1/7] Add SIP protection check
---
Cargo.lock | 7 ++++++-
mirrord-agent/Cargo.toml | 2 +-
mirrord-cli/Cargo.toml | 2 ++
mirrord-cli/src/main.rs | 36 +++++++++++++++++++++++++++++++++++-
mirrord-layer/Cargo.toml | 2 +-
mirrord-protocol/Cargo.toml | 2 +-
tests/Cargo.toml | 2 +-
7 files changed, 47 insertions(+), 6 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 0cdfc3f77e7..503b2df4635 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1515,10 +1515,12 @@ dependencies = [
  "mirrord-auth",
  "mirrord-layer",
  "rand 0.8.5",
+ "regex",
  "reqwest",
  "semver",
  "tracing",
  "tracing-subscriber",
+ "which 4.3.0",
 ]
 [[package]]
@@ -3032,8 +3034,8 @@ dependencies = [
  "serde",
  "serde_json",
  "tempdir",
- "tokio",
  "tokio-util 0.7.4",
+ "trust-dns-resolver",
  "wsl",
 ]
@@ -3424,6 +3426,7 @@ dependencies = [
  "ipnet",
  "lazy_static",
  "rand 0.8.5",
+ "serde",
  "smallvec",
  "thiserror",
  "tinyvec",
@@ -3445,6 +3448,7 @@ dependencies = [
  "lru-cache",
  "parking_lot",
  "resolv-conf",
+ "serde",
  "smallvec",
  "thiserror",
  "tokio",
@@ -3537,6 +3541,7 @@ dependencies = [
  "form_urlencoded",
  "idna 0.3.0",
  "percent-encoding",
+ "serde",
 ]
 [[package]]
diff --git a/mirrord-agent/Cargo.toml b/mirrord-agent/Cargo.toml
index 904aad139ff..5e89873fa31 100644
--- a/mirrord-agent/Cargo.toml
+++ b/mirrord-agent/Cargo.toml
@@ -30,7 +30,7 @@ tracing.workspace = true
 tracing-subscriber.workspace = true
 tokio-stream.workspace = true
 thiserror.workspace = true
-trust-dns-resolver.worspace = true
+trust-dns-resolver = "0.22.0"
 num-traits = "0.2"
 bollard = "0.13"
 tokio-util.workspace = true
diff --git a/mirrord-cli/Cargo.toml b/mirrord-cli/Cargo.toml
index da3ca668179..7d44a2e93d0 100644
--- a/mirrord-cli/Cargo.toml
+++ b/mirrord-cli/Cargo.toml
@@ -22,6 +22,8 @@ clap.workspace = true
 tracing.workspace = true
 rand.workspace = true
 tracing-subscriber.workspace = true
+regex = "1.6.0"
+which = "4.3.0"
 exec = "0.3"
 anyhow.workspace = true
 reqwest.workspace = true
diff --git a/mirrord-cli/src/main.rs b/mirrord-cli/src/main.rs
index 52973f6d452..97343445301 100644
--- a/mirrord-cli/src/main.rs
+++ b/mirrord-cli/src/main.rs
@@ -11,9 +11,11 @@ use config::*;
 use exec::execvp;
 use mirrord_auth::AuthConfig;
 use rand::distributions::{Alphanumeric, DistString};
+use regex::RegexSet;
 use semver::Version;
 use tracing::{debug, error, info, warn};
 use tracing_subscriber::{fmt, prelude::*, registry, EnvFilter};
+use which::which;
 mod config;
@@ -93,11 +95,44 @@ fn add_to_preload(path: &str) -> Result<()> {
 }
 }
+#[cfg(target_os = "macos")]
+fn sip_check(binary_path: &str) -> Result<()> {
+ info!("Checking SIP status");
+ let sip_set = RegexSet::new(&[
+ r"/System/.*",
+ r"/bin/.*",
+ r"/sbin/.*",
+ r"/usr/.*",
+ r"/var/.*",
+ r"/Applications/.*",
+ ])?;
+ let complete_path = which(binary_path)?;
+ let sliced_path = complete_path.to_str().ok_or_else(|| {
+ anyhow!(
+ "Failed to convert path to string: {}",
+ binary_path.to_string()
+ )
+ })?;
+ if sip_set.is_match(sliced_path) {
+ println!("[WARNING]: Provided binary: {:?} is located in a SIP directory. mirrord might fail to load into it.
+ >> for more info visit https://support.apple.com/en-us/HT204899", binary_path);
+ }
+ Ok(())
+}
 fn exec(args: &ExecArgs) -> Result<()> {
 info!(
 "Launching {:?} with arguments {:?}",
 args.binary, args.binary_args
 );
+ if cfg!(target_os = "macos") {
+ sip_check(&args.binary)?;
+ }
 if !(args.no_tcp_outgoing || args.no_udp_outgoing) && args.no_remote_dns {
 warn!("TCP/UDP outgoing enabled without remote DNS might cause issues when local machine has IPv6 enabled but remote cluster doesn't")
 }
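Review bot: The patterns handed to `RegexSet::new` in `sip_check` are unanchored, and `is_match` searches anywhere in the string, so any path that merely contains one of the prefixes is flagged — `/Users/me/bin/tool` matches `r"/bin/.*"` — while `r"/usr/.*"` also matches `/usr/local/...` and `r"/Applications/.*"` matches every user-installed app, both of which the Apple page linked in the warning describes as writable by third parties rather than SIP-protected, so Homebrew-style installs would be warned about spuriously. Anchor each pattern to the start of the path (`r"^/usr/"`, `r"^/bin/"`, and so on) and exempt the `/usr/local/` prefix with an explicit `sliced_path.starts_with("/usr/local/")` guard before the regex, since the `regex` crate has no look-around. Separately, a `which` failure now aborts `exec` before `execvp` is reached, which changes the error a user sees for an unresolvable binary; if that is unintended, the check could log and return `Ok(())` on that error instead of propagating it with `?`. `exec`'s body continues past the end of this hunk.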
@@ -107,7 +142,6 @@ fn exec(args: &ExecArgs) -> Result<()> {
 }
 if let Some(pod) = &args.pod_name {
- // TODO: do we need a print here or just a log is fine?
 println!("[WARNING]: DEPRECATED - `--pod-name` is deprecated, consider using `--target instead.\nDeprecated since: [28/09/2022] | Scheduled removal: [28/10/2022]");
 std::env::set_var("MIRRORD_AGENT_IMPERSONATED_POD_NAME", pod);
 }
diff --git a/mirrord-layer/Cargo.toml b/mirrord-layer/Cargo.toml
index 358304185c3..fb0a66ee625 100644
--- a/mirrord-layer/Cargo.toml
+++ b/mirrord-layer/Cargo.toml
@@ -37,7 +37,7 @@ bytes.workspace = true
 tokio-stream.workspace = true
 tokio-util.workspace = true
 thiserror.workspace = true
-trust-dns-resolver.worspace = true
+trust-dns-resolver.workspace = true
 rand = "0.8"
 regex = "1"
 errno = "0.2"
diff --git a/mirrord-protocol/Cargo.toml b/mirrord-protocol/Cargo.toml
index 69c593d7c0b..552af4ca6b4 100644
--- a/mirrord-protocol/Cargo.toml
+++ b/mirrord-protocol/Cargo.toml
@@ -17,6 +17,6 @@ edition.workspace = true
 actix-codec.workspace = true
 bytes.workspace = true
 thiserror.workspace = true
-trust-dns-resolver.worspace = true
+trust-dns-resolver.workspace = true
 serde = { version = "1", features = ["derive"] }
 bincode = { version = "2.0.0-rc.1", features = ["serde"] }
diff --git a/tests/Cargo.toml b/tests/Cargo.toml
index 043da8a648e..5e7d4e3504a 100644
--- a/tests/Cargo.toml
+++ b/tests/Cargo.toml
@@ -12,7 +12,7 @@ doctest = false
 k8s-openapi.workspace = true
 kube.workspace = true
 reqwest.workspace = true
-tokio.workspace = true
+trust-dns-resolver.workspace = true
 serde_json.workspace = true
 mirrord = { artifact = "bin", bin = true, path = "../mirrord-cli" }
 serde = "1"
From 433a0967bc7f1d33b8ec1fc1574d0c6ff83a41ec Mon Sep 17 00:00:00 2001
From: infiniteregrets
Date: Thu, 6 Oct 2022 01:40:07 -0400
Subject: [PATCH 2/7] Changelog
---
CHANGELOG.md | 2 ++
mirrord-agent/Cargo.toml | 2 +-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bc27eb45d37..f1e98c17bfc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ Check [Keep a Changelog](http://keepachangelog.com/) for recommendations on how
 ### Added
 - Release CI: add extensions as artifacts, closes [[#355](https://github.com/metalbear-co/mirrord/issues/355)]
+- mirrord-cli: added a SIP protection check for macos binaries [[#412](https://github.com/metalbear-co/mirrord/issues/412)]
 ### Changed
 - Remote operations that fail logged on `info` level instead of `error` because having a file not found, connection failed, etc can be part of a valid successful flow.
@@ -18,6 +19,7 @@ Check [Keep a Changelog](http://keepachangelog.com/) for recommendations on how
 ### Fixed
 - `getaddrinfo` now uses [`trust-dns-resolver`](https://docs.rs/trust-dns-resolver/latest/trust_dns_resolver/) when resolving DNS (previously it would do a `getaddrinfo` call in mirrord-agent that could result in incompatibility between the mirrored pod and the user environments).
 - Support clusters running Istio. Closes [[#485](https://github.com/metalbear-co/mirrord/issues/485)].
+- Fixed unused dependencies issue, closes [[#494](https://github.com/metalbear-co/mirrord/issues/494)]
 ## 3.0.11-alpha
diff --git a/mirrord-agent/Cargo.toml b/mirrord-agent/Cargo.toml
index 5e89873fa31..6e34bcda5f5 100644
--- a/mirrord-agent/Cargo.toml
+++ b/mirrord-agent/Cargo.toml
@@ -30,7 +30,7 @@ tracing.workspace = true
 tracing-subscriber.workspace = true
 tokio-stream.workspace = true
 thiserror.workspace = true
-trust-dns-resolver = "0.22.0"
+trust-dns-resolver.workspace = true
 num-traits = "0.2"
 bollard = "0.13"
 tokio-util.workspace = true
From ee08bd844438576d119c27260348384c92b14467 Mon Sep 17 00:00:00 2001
From: infiniteregrets
Date: Thu, 6 Oct 2022 09:54:19 -0400
Subject: [PATCH 3/7] Fix compile issue
---
mirrord-cli/src/main.rs | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/mirrord-cli/src/main.rs b/mirrord-cli/src/main.rs
index 97343445301..004e302e9d6 100644
--- a/mirrord-cli/src/main.rs
+++ b/mirrord-cli/src/main.rs
@@ -110,7 +110,7 @@ fn sip_check(binary_path: &str) -> Result<()> {
 let sliced_path = complete_path.to_str().ok_or_else(|| {
 anyhow!(
- "Failed to convert path to string: {}",
+ "Failed to convert path to a string slice: {}",
 binary_path.to_string()
 )
 })?;
@@ -129,9 +129,8 @@ fn exec(args: &ExecArgs) -> Result<()> {
 args.binary, args.binary_args
 );
- if cfg!(target_os = "macos") {
- sip_check(&args.binary)?;
- }
+ #[cfg(target_os = "macos")]
+ sip_check(&args.binary)?;
 if !(args.no_tcp_outgoing || args.no_udp_outgoing) && args.no_remote_dns {
 warn!("TCP/UDP outgoing enabled without remote DNS might cause issues when local machine has IPv6 enabled but remote cluster doesn't")
From 8a9b91761c06b2672914ac9ee370d76e78b0bae1 Mon Sep 17 00:00:00 2001
From: infiniteregrets
Date: Thu, 6 Oct 2022 11:27:23 -0400
Subject: [PATCH 4/7] Imports
---
mirrord-cli/src/main.rs | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mirrord-cli/src/main.rs b/mirrord-cli/src/main.rs
index 004e302e9d6..f8c3ca6a853 100644
--- a/mirrord-cli/src/main.rs
+++ b/mirrord-cli/src/main.rs
@@ -11,11 +11,11 @@ use config::*;
 use exec::execvp;
 use mirrord_auth::AuthConfig;
 use rand::distributions::{Alphanumeric, DistString};
-use regex::RegexSet;
 use semver::Version;
 use tracing::{debug, error, info, warn};
 use tracing_subscriber::{fmt, prelude::*, registry, EnvFilter};
-use which::which;
+#[cfg(target_os = "macos")]
+use {regex::RegexSet, which::which};
 mod config;
From 56d296b58d4961331938e9df8a8ed8627cbcc770 Mon Sep 17 00:00:00 2001
From: infiniteregrets
Date: Thu, 6 Oct 2022 11:29:25 -0400
Subject: [PATCH 5/7] /
---
mirrord-cli/src/main.rs | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/mirrord-cli/src/main.rs b/mirrord-cli/src/main.rs
index f8c3ca6a853..621a2ec2c76 100644
--- a/mirrord-cli/src/main.rs
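Review bot: The error built in the `ok_or_else` closure of the first hunk reports the wrong value: the conversion that failed is `complete_path.to_str()`, yet the message prints `binary_path`, which is the caller's `&str` argument and therefore already valid UTF-8, so the non-UTF-8 path that actually caused the failure never reaches the user; the reworded message keeps this mismatch. Format the resolved path instead, e.g. `"Failed to convert path to a string slice: {}", complete_path.display()`, or print it with `{:?}`. The trailing `binary_path.to_string()` is also a needless allocation, since `&str` already implements `Display` and can be passed directly. `sip_check` and `exec` both begin and end outside these two hunks.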
+++ b/mirrord-cli/src/main.rs
@@ -96,8 +96,7 @@ fn add_to_preload(path: &str) -> Result<()> {
 }
 #[cfg(target_os = "macos")]
-fn sip_check(binary_path: &str) -> Result<()> {
- info!("Checking SIP status");
+fn sip_check(binary_path: &str) -> Result<()> {
 let sip_set = RegexSet::new(&[
 r"/System/.*",
 r"/bin/.*",
From 57cc886a843ff1530d8ed77d977376d95e090a3d Mon Sep 17 00:00:00 2001
From: infiniteregrets
Date: Thu, 6 Oct 2022 11:29:43 -0400
Subject: [PATCH 6/7] .
---
mirrord-cli/src/main.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mirrord-cli/src/main.rs b/mirrord-cli/src/main.rs
index 621a2ec2c76..ba245911aa7 100644
--- a/mirrord-cli/src/main.rs
+++ b/mirrord-cli/src/main.rs
@@ -96,7 +96,7 @@ fn add_to_preload(path: &str) -> Result<()> {
 }
 #[cfg(target_os = "macos")]
-fn sip_check(binary_path: &str) -> Result<()> {
+fn sip_check(binary_path: &str) -> Result<()> {
 let sip_set = RegexSet::new(&[
 r"/System/.*",
 r"/bin/.*",
From 7b5a1ba56e925e9fb8652326758651b32b9a2924 Mon Sep 17 00:00:00 2001
From: infiniteregrets
Date: Thu, 6 Oct 2022 11:41:54 -0400
Subject: [PATCH 7/7] .
---
Cargo.lock | 2 +-
tests/Cargo.toml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 6a91aae9457..6af803a43fb 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3034,8 +3034,8 @@ dependencies = [
  "serde",
  "serde_json",
  "tempdir",
+ "tokio",
  "tokio-util 0.7.4",
- "trust-dns-resolver",
  "wsl",
 ]
diff --git a/tests/Cargo.toml b/tests/Cargo.toml
index 5e7d4e3504a..043da8a648e 100644
--- a/tests/Cargo.toml
+++ b/tests/Cargo.toml
@@ -12,7 +12,7 @@ doctest = false
 k8s-openapi.workspace = true
 kube.workspace = true
 reqwest.workspace = true
-trust-dns-resolver.workspace = true
+tokio.workspace = true
 serde_json.workspace = true
 mirrord = { artifact = "bin", bin = true, path = "../mirrord-cli" }
 serde = "1"