[launcher] Add privileged launch policy

Privileged mode as a launch policy option allows workload authors to
specify whether they want the operator to grant more privileged
capabilities. It is a coarse launch policy, so workload authors need to
take care when setting it.

Privileged mode currently applies to allowing a namespaced rw cgroup
mount and adding new Linux capabilities.

.github/workflows/ci.yml

@@ -71,15 +71,20 @@ jobs:
       - name: Install Windows packages
         run: choco install openssl
         if: runner.os == 'Windows'
-      - name: Build all modules
+      - name: Build all modules for non-Mac OSes
         run: go build -v ./... ./cmd/... ./launcher/... ./verifier/...
+        if: runner.os != 'macOS'
+      - name: Build non-launcher modules for macOS
+        run: go build -v ./... ./cmd/... ./verifier/...
+        if: runner.os == 'macOS'
       - name: Run specific tests under root permission
         run: |
           GO_EXECUTABLE_PATH=$(which go)
           sudo $GO_EXECUTABLE_PATH test -v -run "TestFetchImageSignaturesDockerPublic" ./launcher
+        if: (runner.os == 'Linux')
       - name: Run all tests in launcher to capture potential data race
         run: go test -v -race ./launcher/...
-        if: (runner.os == 'Linux' || runner.os == 'macOS') && matrix.architecture == 'x64'
+        if: (runner.os == 'Linux') && matrix.architecture == 'x64'
       - name: Test all modules
         run: go test -v ./... ./cmd/... ./launcher/... ./verifier/... -skip='TestCacheConcurrentSetGet|TestHwAttestationPass|TestHardwareAttestationPass'
 

go.work

@@ -1,4 +1,4 @@
-go 1.21
+go 1.22.0
 
 use (
 	.

launcher/container_runner.go

@@ -90,6 +90,14 @@ func NewRunner(ctx context.Context, cdClient *containerd.Client, token oauth2.To
 		mounts = append(mounts, lsMnt.SpecsMount())
 	}
 	mounts = appendTokenMounts(mounts)
+	var cgroupOpts []oci.SpecOpts
+	if launchSpec.CgroupNamespace {
+		mounts = appendCgroupRw(mounts)
+		cgroupOpts = []oci.SpecOpts{
+			oci.WithNamespacedCgroup(),
+			oci.WithLinuxNamespace(specs.LinuxNamespace{Type: specs.CgroupNamespace}),
+		}
+	}
 
 	envs, err := formatEnvVars(launchSpec.Envs)
 	if err != nil {
@@ -121,9 +129,8 @@ func NewRunner(ctx context.Context, cdClient *containerd.Client, token oauth2.To
 
 	logger.Info(fmt.Sprintf("Image Labels               : %v\n", imageConfig.Labels))
 	launchPolicy, err := spec.GetLaunchPolicy(imageConfig.Labels, logger)
-
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to parse image Launch Policy: %v: contact the image author", err)
 	}
 	if err := launchPolicy.Verify(launchSpec); err != nil {
 		return nil, err
@@ -165,12 +172,14 @@ func NewRunner(ctx context.Context, cdClient *containerd.Client, token oauth2.To
 		oci.WithHostResolvconf,
 		oci.WithHostNamespace(specs.NetworkNamespace),
 		oci.WithEnv([]string{fmt.Sprintf("HOSTNAME=%s", hostname)}),
+		oci.WithAddedCapabilities(launchSpec.AddedCapabilities),
 		withRlimits(rlimits),
 		withOOMScoreAdj(defaultOOMScore),
 	}
 	if launchSpec.DevShmSize != 0 {
 		specOpts = append(specOpts, oci.WithDevShmSize(launchSpec.DevShmSize))
 	}
+	specOpts = append(specOpts, cgroupOpts...)
 
 	container, err = cdClient.NewContainer(
 		ctx,
@@ -756,3 +765,15 @@ func withOOMScoreAdj(oomScore int) oci.SpecOpts {
 		return nil
 	}
 }
+
+// appendCgroupRw mount maps a cgroup as read-write.
+func appendCgroupRw(mounts []specs.Mount) []specs.Mount {
+	m := specs.Mount{
+		Destination: "/sys/fs/cgroup",
+		Type:        "cgroup",
+		Source:      "cgroup",
+		Options:     []string{"rw", "nosuid", "noexec", "nodev"},
+	}
+
+	return append(mounts, m)
+}

launcher/go.mod

@@ -1,12 +1,13 @@
 module github.com/google/go-tpm-tools/launcher
 
-go 1.21
+go 1.22.0
 
 require (
 	cloud.google.com/go/compute/metadata v0.5.2
 	cloud.google.com/go/logging v1.12.0
-	github.com/cenkalti/backoff/v4 v4.2.1
-	github.com/containerd/containerd v1.7.16
+	github.com/cenkalti/backoff/v4 v4.3.0
+	github.com/containerd/containerd v1.7.23
+	github.com/containerd/containerd/v2 v2.0.1
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/golang-jwt/jwt/v4 v4.5.1
 	github.com/google/go-cmp v0.6.0
@@ -15,7 +16,7 @@ require (
 	github.com/google/go-tpm-tools/verifier v0.4.4
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0
-	github.com/opencontainers/runtime-spec v1.1.0
+	github.com/opencontainers/runtime-spec v1.2.0
 	golang.org/x/oauth2 v0.23.0
 	google.golang.org/api v0.205.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53
@@ -28,16 +29,21 @@ require (
 	cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect
 	cloud.google.com/go/confidentialcomputing v1.6.0 // indirect
 	cloud.google.com/go/longrunning v0.6.1 // indirect
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
-	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
-	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/Microsoft/hcsshim v0.11.4 // indirect
-	github.com/containerd/cgroups v1.1.0 // indirect
-	github.com/containerd/continuity v0.4.2 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
+	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.12.9 // indirect
+	github.com/containerd/cgroups/v3 v3.0.3 // indirect
+	github.com/containerd/containerd/api v1.8.0 // indirect
+	github.com/containerd/continuity v0.4.4 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/ttrpc v1.2.3 // indirect
-	github.com/containerd/typeurl/v2 v2.1.1 // indirect
+	github.com/containerd/platforms v1.0.0-rc.0 // indirect
+	github.com/containerd/ttrpc v1.2.6 // indirect
+	github.com/containerd/typeurl/v2 v2.2.3 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
@@ -59,31 +65,30 @@ require (
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
-	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/moby/locker v1.0.1 // indirect
-	github.com/moby/sys/mountinfo v0.6.2 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/sys/signal v0.7.0 // indirect
-	github.com/moby/sys/user v0.1.0 // indirect
-	github.com/opencontainers/selinux v1.11.0 // indirect
+	github.com/moby/sys/mountinfo v0.7.2 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/signal v0.7.1 // indirect
+	github.com/moby/sys/user v0.3.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/opencontainers/selinux v1.11.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
-	go.opentelemetry.io/otel v1.29.0 // indirect
-	go.opentelemetry.io/otel/metric v1.29.0 // indirect
-	go.opentelemetry.io/otel/trace v1.29.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect
+	go.opentelemetry.io/otel v1.31.0 // indirect
+	go.opentelemetry.io/otel/metric v1.31.0 // indirect
+	go.opentelemetry.io/otel/trace v1.31.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/exp v0.0.0-20240531132922-fd00a4e0eefc // indirect
-	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 // indirect
 	google.golang.org/grpc v1.67.1 // indirect