Merge pull request #20517 from rhatdan/mask

Get masked paths and readonly masked patchs from containers/common @rhatdan
2023-11-29 02:12:37 +00:00 · 2023-11-29 02:12:37 +00:00 · 6d9d8f06ce
parent 828ef9e174 62060f3234
commit 6d9d8f06ce
2 changed files with 34 additions and 22 deletions
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@ -11,6 +11,7 @@ import (
 	"path/filepath"
 	"strings"

+	"github.com/containers/common/pkg/config"
 	"github.com/containers/podman/v4/libpod/define"
 	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/podman/v4/pkg/util"
@ -93,34 +94,14 @@ func DevicesFromPath(g *generate.Generator, devicePath string) error {
 }

 func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask []string, g *generate.Generator) {
-	defaultMaskPaths := []string{"/proc/acpi",
-		"/proc/kcore",
-		"/proc/keys",
-		"/proc/latency_stats",
-		"/proc/timer_list",
-		"/proc/timer_stats",
-		"/proc/sched_debug",
-		"/proc/scsi",
-		"/sys/firmware",
-		"/sys/fs/selinux",
-		"/sys/dev/block",
-	}
-
 	if !privileged {
-		for _, mp := range defaultMaskPaths {
+		for _, mp := range config.DefaultMaskedPaths {
 			// check that the path to mask is not in the list of paths to unmask
 			if shouldMask(mp, unmask) {
 				g.AddLinuxMaskedPaths(mp)
 			}
 		}
-		for _, rp := range []string{
-			"/proc/asound",
-			"/proc/bus",
-			"/proc/fs",
-			"/proc/irq",
-			"/proc/sys",
-			"/proc/sysrq-trigger",
-		} {
+		for _, rp := range config.DefaultReadOnlyPaths {
 			if shouldMask(rp, unmask) {
 				g.AddLinuxReadonlyPaths(rp)
 			}
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@ -11,6 +11,7 @@ import (
 	"time"

 	"github.com/containers/common/pkg/cgroups"
+	"github.com/containers/common/pkg/config"
 	"github.com/containers/podman/v4/libpod/define"
 	. "github.com/containers/podman/v4/test/utils"
 	"github.com/containers/storage/pkg/stringid"
@ -370,6 +371,36 @@ var _ = Describe("Podman run", func() {
 		return jsonFile
 	}

+	It("podman run default mask test", func() {
+		session := podmanTest.Podman([]string{"run", "-d", "--name=maskCtr", ALPINE, "sleep", "200"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(ExitCleanly())
+		for _, mask := range config.DefaultMaskedPaths {
+			if st, err := os.Stat(mask); err == nil {
+				if st.IsDir() {
+					session = podmanTest.Podman([]string{"exec", "maskCtr", "ls", mask})
+					session.WaitWithDefaultTimeout()
+					Expect(session).Should(ExitCleanly())
+					Expect(session.OutputToString()).To(BeEmpty())
+				} else {
+					session = podmanTest.Podman([]string{"exec", "maskCtr", "cat", mask})
+					session.WaitWithDefaultTimeout()
+					// Call can fail with permission denied, ignoring error or Not exist.
+					// key factor is there is no information leak
+					Expect(session.OutputToString()).To(BeEmpty())
+				}
+			}
+		}
+		for _, mask := range config.DefaultReadOnlyPaths {
+			if _, err := os.Stat(mask); err == nil {
+				session = podmanTest.Podman([]string{"exec", "maskCtr", "touch", mask})
+				session.WaitWithDefaultTimeout()
+				Expect(session).Should(Exit(1))
+				Expect(session.ErrorToString()).To(Equal(fmt.Sprintf("touch: %s: Read-only file system", mask)))
+			}
+		}
+	})
+
 	It("podman run mask and unmask path test", func() {
 		session := podmanTest.Podman([]string{"run", "-d", "--name=maskCtr1", "--security-opt", "unmask=ALL", "--security-opt", "mask=/proc/acpi", ALPINE, "sleep", "200"})
 		session.WaitWithDefaultTimeout()