ibm-messaging
diff --git a/‎go.mod‎
Lines changed: 1 addition & 2 deletions b/‎go.mod‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 0 additions & 2 deletions b/‎go.sum‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎internal/containerruntime/amicontained.go‎
Lines changed: 276 additions & 0 deletions b/‎internal/containerruntime/amicontained.go‎
Lines changed: 276 additions & 0 deletions
diff --git a/‎internal/containerruntime/runtime.go‎
Lines changed: 9 additions & 12 deletions b/‎internal/containerruntime/runtime.go‎
Lines changed: 9 additions & 12 deletions
diff --git a/‎pkg/containerruntimelogger/logruntime.go‎
Lines changed: 8 additions & 10 deletions b/‎pkg/containerruntimelogger/logruntime.go‎
Lines changed: 8 additions & 10 deletions
@@ -3,10 +3,10 @@ module github.com/ibm-messaging/mq-container
 go 1.19
 
 require (
-	github.com/genuinetools/amicontained v0.4.3
 	github.com/ibm-messaging/mq-golang v2.0.0+incompatible
 	github.com/prometheus/client_golang v1.11.1
 	github.com/prometheus/client_model v0.2.0
+	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635
 	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
 	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1
 	software.sslmate.com/src/go-pkcs12 v0.0.0-20200830195227-52f69702a001
@@ -19,6 +19,5 @@ require (
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/prometheus/common v0.26.0 // indirect
 	github.com/prometheus/procfs v0.6.0 // indirect
-	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	google.golang.org/protobuf v1.26.0-rc.1 // indirect
 )
@@ -12,8 +12,6 @@ github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/genuinetools/amicontained v0.4.3 h1:cqq9XiAHfWWY3dk8VU8bSJFu9yh8Il5coEdeTAPq72o=
-github.com/genuinetools/amicontained v0.4.3/go.mod h1:PAMZkg9CcUTa6gNyULQ6tOMTMEb2HTKJufvKeFqDw+o=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 
@@ -0,0 +1,276 @@
+/*
+The MIT License (MIT)
+Copyright (c) 2018 Jessica Frazelle
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+/*
+  The code for amicontained.go is forked from
+  https://github.com/genuinetools/bpfd/blob/434b609b3d4a5aeb461109b1167b68e000b72f69/proc/proc.go
+  The code was forked when the latest details are as "Latest commit 871fc34 on Sep 18, 2018"
+*/
+
+package containerruntime
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+
+	"github.com/syndtr/gocapability/capability"
+	"golang.org/x/sys/unix"
+)
+
+// ContainerRuntime is the type for the various container runtime strings.
+type ContainerRuntime string
+
+// SeccompMode is the type for the various seccomp mode strings.
+type SeccompMode string
+
+const (
+	// RuntimeDocker is the string for the docker runtime.
+	RuntimeDocker ContainerRuntime = "docker"
+	// RuntimeRkt is the string for the rkt runtime.
+	RuntimeRkt ContainerRuntime = "rkt"
+	// RuntimeNspawn is the string for the systemd-nspawn runtime.
+	RuntimeNspawn ContainerRuntime = "systemd-nspawn"
+	// RuntimeLXC is the string for the lxc runtime.
+	RuntimeLXC ContainerRuntime = "lxc"
+	// RuntimeLXCLibvirt is the string for the lxc-libvirt runtime.
+	RuntimeLXCLibvirt ContainerRuntime = "lxc-libvirt"
+	// RuntimeOpenVZ is the string for the openvz runtime.
+	RuntimeOpenVZ ContainerRuntime = "openvz"
+	// RuntimeKubernetes is the string for the kubernetes runtime.
+	RuntimeKubernetes ContainerRuntime = "kube"
+	// RuntimeGarden is the string for the garden runtime.
+	RuntimeGarden ContainerRuntime = "garden"
+	// RuntimePodman is the string for the podman runtime.
+	RuntimePodman ContainerRuntime = "podman"
+	// RuntimeNotFound is the string for when no container runtime is found.
+	RuntimeNotFound ContainerRuntime = "not-found"
+
+	// SeccompModeDisabled is equivalent to "0" in the /proc/{pid}/status file.
+	SeccompModeDisabled SeccompMode = "disabled"
+	// SeccompModeStrict is equivalent to "1" in the /proc/{pid}/status file.
+	SeccompModeStrict SeccompMode = "strict"
+	// SeccompModeFiltering is equivalent to "2" in the /proc/{pid}/status file.
+	SeccompModeFiltering SeccompMode = "filtering"
+
+	apparmorUnconfined = "unconfined"
+
+	uint32Max = 4294967295
+
+	statusFileValue = ":(.*)"
+)
+
+var (
+	// ContainerRuntimes contains all the container runtimes.
+	ContainerRuntimes = []ContainerRuntime{
+		RuntimeDocker,
+		RuntimeRkt,
+		RuntimeNspawn,
+		RuntimeLXC,
+		RuntimeLXCLibvirt,
+		RuntimeOpenVZ,
+		RuntimeKubernetes,
+		RuntimeGarden,
+		RuntimePodman,
+	}
+
+	seccompModes = map[string]SeccompMode{
+		"0": SeccompModeDisabled,
+		"1": SeccompModeStrict,
+		"2": SeccompModeFiltering,
+	}
+
+	statusFileValueRegex = regexp.MustCompile(statusFileValue)
+)
+
+// GetContainerRuntime returns the container runtime the process is running in.
+// If pid is less than one, it returns the runtime for "self".
+func GetContainerRuntime(tgid, pid int) ContainerRuntime {
+	file := "/proc/self/cgroup"
+	if pid > 0 {
+		if tgid > 0 {
+			file = fmt.Sprintf("/proc/%d/task/%d/cgroup", tgid, pid)
+		} else {
+			file = fmt.Sprintf("/proc/%d/cgroup", pid)
+		}
+	}
+
+	// read the cgroups file
+	a := readFileString(file)
+	runtime := getContainerRuntime(a)
+	if runtime != RuntimeNotFound {
+		return runtime
+	}
+
+	// /proc/vz exists in container and outside of the container, /proc/bc only outside of the container.
+	if fileExists("/proc/vz") && !fileExists("/proc/bc") {
+		return RuntimeOpenVZ
+	}
+
+	a = os.Getenv("container")
+	runtime = getContainerRuntime(a)
+	if runtime != RuntimeNotFound {
+		return runtime
+	}
+
+	// PID 1 might have dropped this information into a file in /run.
+	// Read from /run/systemd/container since it is better than accessing /proc/1/environ,
+	// which needs CAP_SYS_PTRACE
+	a = readFileString("/run/systemd/container")
+	runtime = getContainerRuntime(a)
+	if runtime != RuntimeNotFound {
+		return runtime
+	}
+
+	return RuntimeNotFound
+}
+
+func getContainerRuntime(input string) ContainerRuntime {
+	if len(strings.TrimSpace(input)) < 1 {
+		return RuntimeNotFound
+	}
+
+	for _, runtime := range ContainerRuntimes {
+		if strings.Contains(input, string(runtime)) {
+			return runtime
+		}
+	}
+
+	return RuntimeNotFound
+}
+
+func fileExists(file string) bool {
+	if _, err := os.Stat(file); !os.IsNotExist(err) {
+		return true
+	}
+	return false
+}
+
+func readFile(file string) []byte {
+	if !fileExists(file) {
+		return nil
+	}
+	// filepath.clean was added to resolve the gosec build failure
+	// with error "Potential file inclusion via variable"
+	b, err := ioutil.ReadFile(filepath.Clean(file))
+	if err != nil {
+		return nil
+	}
+	return b
+}
+
+// GetCapabilities returns the allowed capabilities for the process.
+// If pid is less than one, it returns the capabilities for "self".
+func GetCapabilities(pid int) (map[string][]string, error) {
+	allCaps := capability.List()
+
+	caps, err := capability.NewPid(pid)
+	if err != nil {
+		return nil, err
+	}
+
+	allowedCaps := map[string][]string{}
+	allowedCaps["EFFECTIVE | PERMITTED | INHERITABLE"] = []string{}
+	allowedCaps["BOUNDING"] = []string{}
+	allowedCaps["AMBIENT"] = []string{}
+
+	for _, cap := range allCaps {
+		if caps.Get(capability.CAPS, cap) {
+			allowedCaps["EFFECTIVE | PERMITTED | INHERITABLE"] = append(allowedCaps["EFFECTIVE | PERMITTED | INHERITABLE"], cap.String())
+		}
+		if caps.Get(capability.BOUNDING, cap) {
+			allowedCaps["BOUNDING"] = append(allowedCaps["BOUNDING"], cap.String())
+		}
+		if caps.Get(capability.AMBIENT, cap) {
+			allowedCaps["AMBIENT"] = append(allowedCaps["AMBIENT"], cap.String())
+		}
+	}
+
+	return allowedCaps, nil
+}
+
+// GetSeccompEnforcingMode returns the seccomp enforcing level (disabled, filtering, strict)
+// for a process.
+// If pid is less than one, it returns the seccomp enforcing mode for "self".
+func GetSeccompEnforcingMode(pid int) SeccompMode {
+	file := "/proc/self/status"
+	if pid > 0 {
+		file = fmt.Sprintf("/proc/%d/status", pid)
+	}
+
+	return getSeccompEnforcingMode(readFileString(file))
+}
+
+func getSeccompEnforcingMode(input string) SeccompMode {
+	mode := getStatusEntry(input, "Seccomp:")
+	sm, ok := seccompModes[mode]
+	if ok {
+		return sm
+	}
+
+	// Pre linux 3.8, check if Seccomp is supported, via CONFIG_SECCOMP.
+	if err := unix.Prctl(unix.PR_GET_SECCOMP, 0, 0, 0, 0); err != unix.EINVAL {
+		// Make sure the kernel has CONFIG_SECCOMP_FILTER.
+		if err := unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0); err != unix.EINVAL {
+			return SeccompModeStrict
+		}
+	}
+
+	return SeccompModeDisabled
+}
+
+// TODO: make this function more efficient and read the file line by line.
+func getStatusEntry(input, find string) string {
+	// Split status file string by line
+	statusMappings := strings.Split(input, "\n")
+	statusMappings = deleteEmpty(statusMappings)
+
+	for _, line := range statusMappings {
+		if strings.Contains(line, find) {
+			matches := statusFileValueRegex.FindStringSubmatch(line)
+			if len(matches) > 1 {
+				return strings.TrimSpace(matches[1])
+			}
+		}
+	}
+
+	return ""
+}
+
+func deleteEmpty(s []string) []string {
+	var r []string
+	for _, str := range s {
+		if strings.TrimSpace(str) != "" {
+			r = append(r, strings.TrimSpace(str))
+		}
+	}
+	return r
+}
+
+func readFileString(file string) string {
+	b := readFile(file)
+	if b == nil {
+		return ""
+	}
+	return strings.TrimSpace(string(b))
+}
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2019
+© Copyright IBM Corporation 2019,2023
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,11 +20,10 @@ import (
 	"io/ioutil"
 	"strings"
 
-	"github.com/genuinetools/amicontained/container"
 )
 
-func GetContainerRuntime() (string, error) {
-	return container.DetectRuntime()
+func DetectContainerRuntime() ContainerRuntime {
+	return GetContainerRuntime(0, 1)
 }
 
 func GetBaseImage() (string, error) {
@@ -45,17 +44,15 @@ func GetBaseImage() (string, error) {
 }
 
 // GetCapabilities gets the Linux capabilities (e.g. setuid, setgid).  See https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
-func GetCapabilities() (map[string][]string, error) {
-	return container.Capabilities()
+func GetContainerCapabilities() (map[string][]string, error) {
+	//passing the pid as 1 since runmqserver initializes, creates and starts a queue manager, as PID 1 in a container
+	return GetCapabilities(1)
 }
 
 // GetSeccomp gets the seccomp enforcing mode, which affects which kernel calls can be made
-func GetSeccomp() (string, error) {
-	s, err := container.SeccompEnforcingMode()
-	if err != nil {
-		return "", fmt.Errorf("Failed to get container SeccompEnforcingMode: %v", err)
-	}
-	return s, nil
+func GetSeccomp() SeccompMode {
+	//passing the pid as 1 since runmqserver initializes, creates and starts a queue manager, as PID 1 in a container
+	return GetSeccompEnforcingMode(1)
 }
 
 // GetSecurityAttributes gets the security attributes of the current process.
 
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2020
+© Copyright IBM Corporation 2017, 2023
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -36,10 +36,9 @@ func LogContainerDetails(log *logger.Logger) error {
 	if err == nil {
 		log.Printf("Linux kernel version: %v", kv)
 	}
-	cr, err := containerruntime.GetContainerRuntime()
-	if err == nil {
-		log.Printf("Container runtime: %v", cr)
-	}
+	cr := containerruntime.DetectContainerRuntime()
+	log.Printf("Container runtime: %v", cr)
+
 	bi, err := containerruntime.GetBaseImage()
 	if err == nil {
 		log.Printf("Base image: %v", bi)
@@ -55,7 +54,7 @@ func LogContainerDetails(log *logger.Logger) error {
 			log.Printf("Running as user ID %v with primary group %v, and supplementary groups %v", u.UID, u.PrimaryGID, strings.Trim(strings.Join(strings.Fields(fmt.Sprint(u.SupplementalGID)), ","), "[]"))
 		}
 	}
-	caps, err := containerruntime.GetCapabilities()
+	caps, err := containerruntime.GetCapabilities(1)
 	capLogged := false
 	if err == nil {
 		for k, v := range caps {
@@ -70,10 +69,9 @@ func LogContainerDetails(log *logger.Logger) error {
 	} else {
 		log.Errorf("Error getting capabilities: %v", err)
 	}
-	sc, err := containerruntime.GetSeccomp()
-	if err == nil {
-		log.Printf("seccomp enforcing mode: %v", sc)
-	}
+	sc := containerruntime.GetSeccomp()
+	log.Printf("seccomp enforcing mode: %v", sc)
+
 	log.Printf("Process security attributes: %v", containerruntime.GetSecurityAttributes())
 	m, err := containerruntime.GetMounts()
 	if err == nil {