workspackit: put the workspace id into seccomp handler's log to trace.

Author: utam0k

components/workspacekit/cmd/rings.go

@@ -120,7 +120,6 @@ var ring0Cmd = &cobra.Command{
 		cmd.Env = append(os.Environ(),
 			"WORKSPACEKIT_FSSHIFT="+prep.FsShift.String(),
 			fmt.Sprintf("WORKSPACEKIT_NO_WORKSPACE_MOUNT=%v", prep.FullWorkspaceBackup || prep.PersistentVolumeClaim),
-			"GITPOD_WORKSPACE_ID="+wsid,
 		)
 
 		if err := cmd.Start(); err != nil {
@@ -373,7 +372,6 @@ var ring1Cmd = &cobra.Command{
 		}
 
 		env = append(env, "WORKSPACEKIT_WRAP_NETNS=true")
-		env = append(env, "GITPOD_WORKSPACE_ID="+wsid)
 
 		socketFN := filepath.Join(os.TempDir(), fmt.Sprintf("workspacekit-ring1-%d.unix", time.Now().UnixNano()))
 		skt, err := net.Listen("unix", socketFN)
@@ -521,6 +519,7 @@ var ring1Cmd = &cobra.Command{
 				Ring2PID:    cmd.Process.Pid,
 				Ring2Rootfs: ring2Root,
 				BindEvents:  make(chan seccomp.BindEvent),
+				WorkspaceId: wsid,
 			}
 
 			stp, errchan := seccomp.Handle(scmpfd, handler)

components/workspacekit/pkg/seccomp/notify.go

@@ -186,6 +186,7 @@ type InWorkspaceHandler struct {
 	Ring2PID    int
 	Ring2Rootfs string
 	BindEvents  chan<- BindEvent
+	WorkspaceId string
 }
 
 // BindEvent describes a process binding to a socket
@@ -196,9 +197,10 @@ type BindEvent struct {
 // Mount handles mount syscalls
 func (h *InWorkspaceHandler) Mount(req *libseccomp.ScmpNotifReq) (val uint64, errno int32, flags uint32) {
 	log := log.WithFields(map[string]interface{}{
-		"syscall": "mount",
-		"pid":     req.Pid,
-		"id":      req.ID,
+		"syscall":     "mount",
+		"worksapceId": h.WorkspaceId,
+		"pid":         req.Pid,
+		"id":          req.ID,
 	})
 
 	memFile, err := readarg.OpenMem(req.Pid)
@@ -301,9 +303,10 @@ func (h *InWorkspaceHandler) Mount(req *libseccomp.ScmpNotifReq) (val uint64, er
 func (h *InWorkspaceHandler) Umount(req *libseccomp.ScmpNotifReq) (val uint64, errno int32, flags uint32) {
 	nme, _ := req.Data.Syscall.GetName()
 	log := log.WithFields(map[string]interface{}{
-		"syscall": nme,
-		"pid":     req.Pid,
-		"id":      req.ID,
+		"syscall":     nme,
+		"workspaceId": h.WorkspaceId,
+		"pid":         req.Pid,
+		"id":          req.ID,
 	})
 
 	memFile, err := readarg.OpenMem(req.Pid)
@@ -380,9 +383,10 @@ func (h *InWorkspaceHandler) Umount(req *libseccomp.ScmpNotifReq) (val uint64, e
 
 func (h *InWorkspaceHandler) Bind(req *libseccomp.ScmpNotifReq) (val uint64, errno int32, flags uint32) {
 	log := log.WithFields(map[string]interface{}{
-		"syscall": "bind",
-		"pid":     req.Pid,
-		"id":      req.ID,
+		"syscall":     "bind",
+		"workspaceId": h.WorkspaceId,
+		"pid":         req.Pid,
+		"id":          req.ID,
 	})
 	// We want the syscall to succeed, no matter what we do in this handler.
 	// The Kernel will execute the syscall for us.
@@ -425,9 +429,10 @@ func (h *InWorkspaceHandler) Bind(req *libseccomp.ScmpNotifReq) (val uint64, err
 
 func (h *InWorkspaceHandler) Chown(req *libseccomp.ScmpNotifReq) (val uint64, errno int32, flags uint32) {
 	log := log.WithFields(map[string]interface{}{
-		"syscall": "chown",
-		"pid":     req.Pid,
-		"id":      req.ID,
+		"syscall":     "chown",
+		"workspaceId": h.WorkspaceId,
+		"pid":         req.Pid,
+		"id":          req.ID,
 	})
 
 	memFile, err := readarg.OpenMem(req.Pid)