Merge pull request #57 from przemeklal/static_analysis_and_hardening

garyloug · web-flow · commit 387fb2be6a32 · 2020-10-14T14:20:26.000+01:00
fix static analysis errors and build hardened binary
diff --git a/build-args b/build-args
@@ -0,0 +1 @@
+go build -o hardened-binary -buildmode=pie -ldflags "-s -w -extldflags=-Wl,-z,now,-z,relro" userspace/userspace.go
diff --git a/docker/dpdk-app-centos/Dockerfile b/docker/dpdk-app-centos/Dockerfile
@@ -4,12 +4,14 @@
 
 
 # -------- Builder stage.
-FROM centos
-MAINTAINER Billy McFall <bmcfall@redhat.com>
+FROM centos:7
 
 #
 # Install required packages
 #
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+
 RUN rpm --import https://mirror.go-repo.io/centos/RPM-GPG-KEY-GO-REPO && curl -s https://mirror.go-repo.io/centos/go-repo.repo | tee /etc/yum.repos.d/go-repo.repo
 RUN yum groupinstall -y "Development Tools"
 RUN yum install -y wget numactl-devel git golang make; yum clean all
@@ -20,7 +22,7 @@ RUN yum install -y wget numactl-devel git golang make; yum clean all
 # Download and Build APP-NetUtil
 #
 WORKDIR /root/go/src/
-RUN go get github.com/openshift/app-netutil 2>&1 > /tmp/UserspaceDockerBuild.log || echo "Can ignore no GO files."
+RUN go get github.com/openshift/app-netutil  > /tmp/UserspaceDockerBuild.log 2>&1 || echo "Can ignore no GO files."
 WORKDIR /root/go/src/github.com/openshift/app-netutil
 RUN make c_sample
 RUN cp bin/libnetutil_api.so /lib64/libnetutil_api.so; cp bin/libnetutil_api.h /usr/include/libnetutil_api.h
@@ -31,7 +33,7 @@ RUN cp bin/libnetutil_api.so /lib64/libnetutil_api.so; cp bin/libnetutil_api.h /
 ENV DPDK_VER 19.08
 ENV DPDK_DIR /usr/src/dpdk-${DPDK_VER}
 WORKDIR /usr/src/
-RUN wget http://fast.dpdk.org/rel/dpdk-${DPDK_VER}.tar.xz
+RUN curl --output dpdk-${DPDK_VER}.tar.xz http://fast.dpdk.org/rel/dpdk-${DPDK_VER}.tar.xz
 RUN tar -xpvf dpdk-${DPDK_VER}.tar.xz
 
 ENV RTE_TARGET=x86_64-native-linuxapp-gcc
diff --git a/docker/vpp-centos-userspace-cni/Dockerfile b/docker/vpp-centos-userspace-cni/Dockerfile
@@ -5,8 +5,9 @@
 
 
 # -------- Builder stage.
-FROM centos
-MAINTAINER Billy McFall <bmcfall@redhat.com>
+FROM centos:7
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 # Install VPP - Needed by CNI-VPP
 RUN curl -s https://packagecloud.io/install/repositories/fdio/release/script.rpm.sh | bash
@@ -23,7 +24,7 @@ RUN yum install -y git golang make
 
 # Build the usrsp-app
 WORKDIR /root/go/src/
-RUN go get github.com/intel/userspace-cni-network-plugin 2>&1 > /tmp/UserspaceDockerBuild.log || echo "Can ignore no GO files."
+RUN go get github.com/intel/userspace-cni-network-plugin > /tmp/UserspaceDockerBuild.log 2>&1 || echo "Can ignore no GO files."
 WORKDIR /root/go/src/github.com/intel/userspace-cni-network-plugin
 RUN make extras
 RUN cp docker/usrsp-app/usrsp-app /usr/sbin/usrsp-app
@@ -61,5 +62,5 @@ COPY vppcni.sh vppcni.sh
 #COPY usrsp-app /usr/sbin/usrsp-app
 
 
-CMD bash -C './vppcni.sh'
+CMD ["bash", "-C", "./vppcni.sh"]
 #CMD [ "./vppcni.sh" ]
diff --git a/hardened-binary b/hardened-binary
diff --git a/scripts/.usrsp-docker-run.sh.swp b/scripts/.usrsp-docker-run.sh.swp
diff --git a/scripts/dpdk-docker-run.sh b/scripts/dpdk-docker-run.sh
@@ -13,17 +13,17 @@
 #
 
 scriptpath=$GOPATH/src/github.com/containernetworking/cni/scripts
-echo $scriptpath
+echo "$scriptpath"
 
-contid=$(docker run -d --net=none $@ /bin/sleep 10000000)
-pid=$(docker inspect -f '{{ .State.Pid }}' $contid)
+contid=$(docker run -d --net=none "$@" /bin/sleep 10000000)
+pid=$(docker inspect -f '{{ .State.Pid }}' "$contid")
 netnspath=/proc/$pid/ns/net
 
-$scriptpath/exec-plugins.sh add $contid $netnspath
+"$scriptpath"/exec-plugins.sh add "$contid" "$netnspath"
 
 function cleanup() {
-	$scriptpath/exec-plugins.sh del $contid $netnspath
-	docker rm -f $contid >/dev/null
+	"$scriptpath"/exec-plugins.sh del "$contid" "$netnspath"
+	docker rm -f "$contid" >/dev/null
 }
 trap cleanup EXIT
 
@@ -35,7 +35,7 @@ trucContid=${contid:0:12}
 docker run -i -t -v /var/lib/cni/usrspcni/shared:/var/lib/cni/usrspcni/shared:rw \
     -v /dev/hugepages:/dev/hugepages \
     dpdk-app-testpmd testpmd -l 0-1 -n 4 -m 1024 --no-pci \
-    --vdev=virtio_user0,path=/var/lib/cni/usrspcni/shared/$trucContid-eth0 \
+    --vdev=virtio_user0,path=/var/lib/cni/usrspcni/shared/"$trucContid"-eth0 \
     --file-prefix=container \
     -- -i --txqflags=0xf00 --disable-hw-vlan --port-topology=chained
 
diff --git a/scripts/usrsp-docker-run.sh b/scripts/usrsp-docker-run.sh
@@ -17,23 +17,23 @@
 #
 
 scriptpath=$GOPATH/src/github.com/containernetworking/cni/scripts
-echo $scriptpath
+echo "$scriptpath"
 
-contid=$(docker run -d --net=none $@ /bin/sleep 10000000)
-pid=$(docker inspect -f '{{ .State.Pid }}' $contid)
+contid=$(docker run -d --net=none "$@" /bin/sleep 10000000)
+pid=$(docker inspect -f '{{ .State.Pid }}' "$contid")
 netnspath=/proc/$pid/ns/net
 
-$scriptpath/exec-plugins.sh add $contid $netnspath
+"$scriptpath"/exec-plugins.sh add "$contid" "$netnspath"
 
 function cleanup() {
-	$scriptpath/exec-plugins.sh del $contid $netnspath
-	docker rm -f $contid >/dev/null
+	"$scriptpath"/exec-plugins.sh del "$contid" "$netnspath"
+	docker rm -f "$contid" >/dev/null
 }
 trap cleanup EXIT
 
 docker run \
  -v /var/lib/cni/usrspcni/shared:/var/lib/cni/usrspcni/shared:rw \
- -v /var/lib/cni/usrspcni/$contid:/var/lib/cni/usrspcni/data:rw \
+ -v /var/lib/cni/usrspcni/"$contid":/var/lib/cni/usrspcni/data:rw \
  --device=/dev/hugepages:/dev/hugepages \
- --net=container:$contid $@
+ --net=container:"$contid" "$@"
 
diff --git a/usrspcni/usrspcni.go b/usrspcni/usrspcni.go
@@ -19,7 +19,6 @@ import (
 	"k8s.io/client-go/kubernetes"
 
 	"github.com/containernetworking/cni/pkg/skel"
-	_ "github.com/containernetworking/cni/pkg/types"
 	"github.com/containernetworking/cni/pkg/types/current"
 
 	"github.com/intel/userspace-cni-network-plugin/pkg/types"
@@ -30,22 +29,21 @@ import (
 //
 type UsrSpCni interface {
 	AddOnHost(conf *types.NetConf,
-			  args *skel.CmdArgs,
-			  kubeClient kubernetes.Interface,
-			  sharedDir string,
-			  ipResult *current.Result) error
+		args *skel.CmdArgs,
+		kubeClient kubernetes.Interface,
+		sharedDir string,
+		ipResult *current.Result) error
 	AddOnContainer(conf *types.NetConf,
-				   args *skel.CmdArgs,
-				   kubeClient kubernetes.Interface,
-				   sharedDir string,
-				   pod *v1.Pod,
-				   ipResult *current.Result) (*v1.Pod, error)
+		args *skel.CmdArgs,
+		kubeClient kubernetes.Interface,
+		sharedDir string,
+		pod *v1.Pod,
+		ipResult *current.Result) (*v1.Pod, error)
 	DelFromHost(conf *types.NetConf,
-				args *skel.CmdArgs,
-				sharedDir string) error
+		args *skel.CmdArgs,
+		sharedDir string) error
 	DelFromContainer(conf *types.NetConf,
-		             args *skel.CmdArgs,
-		             sharedDir string,
-		             pod *v1.Pod) error
+		args *skel.CmdArgs,
+		sharedDir string,
+		pod *v1.Pod) error
 }
-

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+go build -o hardened-binary -buildmode=pie -ldflags "-s -w -extldflags=-Wl,-z,now,-z,relro" userspace/userspace.go`