				
				
				
			Merge pull request #20517 from rhatdan/mask
Get masked paths and readonly masked paths from containers/common @rhatdan
		
						commit
						6d9d8f06ce
					
				|  | @ -11,6 +11,7 @@ import ( | ||||||
| 	"path/filepath" | 	"path/filepath" | ||||||
| 	"strings" | 	"strings" | ||||||
| 
 | 
 | ||||||
|  | 	"github.com/containers/common/pkg/config" | ||||||
| 	"github.com/containers/podman/v4/libpod/define" | 	"github.com/containers/podman/v4/libpod/define" | ||||||
| 	"github.com/containers/podman/v4/pkg/rootless" | 	"github.com/containers/podman/v4/pkg/rootless" | ||||||
| 	"github.com/containers/podman/v4/pkg/util" | 	"github.com/containers/podman/v4/pkg/util" | ||||||
|  | @ -93,34 +94,14 @@ func DevicesFromPath(g *generate.Generator, devicePath string) error { | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask []string, g *generate.Generator) { | func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask []string, g *generate.Generator) { | ||||||
| 	defaultMaskPaths := []string{"/proc/acpi", |  | ||||||
| 		"/proc/kcore", |  | ||||||
| 		"/proc/keys", |  | ||||||
| 		"/proc/latency_stats", |  | ||||||
| 		"/proc/timer_list", |  | ||||||
| 		"/proc/timer_stats", |  | ||||||
| 		"/proc/sched_debug", |  | ||||||
| 		"/proc/scsi", |  | ||||||
| 		"/sys/firmware", |  | ||||||
| 		"/sys/fs/selinux", |  | ||||||
| 		"/sys/dev/block", |  | ||||||
| 	} |  | ||||||
| 
 |  | ||||||
| 	if !privileged { | 	if !privileged { | ||||||
| 		for _, mp := range defaultMaskPaths { | 		for _, mp := range config.DefaultMaskedPaths { | ||||||
| 			// check that the path to mask is not in the list of paths to unmask
 | 			// check that the path to mask is not in the list of paths to unmask
 | ||||||
| 			if shouldMask(mp, unmask) { | 			if shouldMask(mp, unmask) { | ||||||
| 				g.AddLinuxMaskedPaths(mp) | 				g.AddLinuxMaskedPaths(mp) | ||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
| 		for _, rp := range []string{ | 		for _, rp := range config.DefaultReadOnlyPaths { | ||||||
| 			"/proc/asound", |  | ||||||
| 			"/proc/bus", |  | ||||||
| 			"/proc/fs", |  | ||||||
| 			"/proc/irq", |  | ||||||
| 			"/proc/sys", |  | ||||||
| 			"/proc/sysrq-trigger", |  | ||||||
| 		} { |  | ||||||
| 			if shouldMask(rp, unmask) { | 			if shouldMask(rp, unmask) { | ||||||
| 				g.AddLinuxReadonlyPaths(rp) | 				g.AddLinuxReadonlyPaths(rp) | ||||||
| 			} | 			} | ||||||
|  |  | ||||||
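Review bot: The new loops in BlockAccessToKernelFilesystems now take the default mask and read-only sets from whatever the vendored containers/common exports as config.DefaultMaskedPaths and config.DefaultReadOnlyPaths, and nothing in this hunk checks that those lists still cover the entries the removed code hard-coded (/proc/kcore, /proc/keys, /sys/dev/block, /proc/sysrq-trigger and the rest); a shorter upstream list would silently widen kernel access in every non-privileged container, since the defaults are only applied under the `!privileged` guard. I would pin that expectation in a test against the removed list, or at least document the dependency on the function, which has no doc comment: `// BlockAccessToKernelFilesystems masks (and makes read-only) the kernel paths that containers/common exports as DefaultMaskedPaths/DefaultReadOnlyPaths in non-privileged containers, skipping any path listed in unmask.` The mask parameter and the rest of the function body continue past the hunk, so I cannot tell from here how explicit masks interact with these defaults.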
|  | @ -11,6 +11,7 @@ import ( | ||||||
| 	"time" | 	"time" | ||||||
| 
 | 
 | ||||||
| 	"github.com/containers/common/pkg/cgroups" | 	"github.com/containers/common/pkg/cgroups" | ||||||
|  | 	"github.com/containers/common/pkg/config" | ||||||
| 	"github.com/containers/podman/v4/libpod/define" | 	"github.com/containers/podman/v4/libpod/define" | ||||||
| 	. "github.com/containers/podman/v4/test/utils" | 	. "github.com/containers/podman/v4/test/utils" | ||||||
| 	"github.com/containers/storage/pkg/stringid" | 	"github.com/containers/storage/pkg/stringid" | ||||||
|  | @ -370,6 +371,36 @@ var _ = Describe("Podman run", func() { | ||||||
| 		return jsonFile | 		return jsonFile | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | 	It("podman run default mask test", func() { | ||||||
|  | 		session := podmanTest.Podman([]string{"run", "-d", "--name=maskCtr", ALPINE, "sleep", "200"}) | ||||||
|  | 		session.WaitWithDefaultTimeout() | ||||||
|  | 		Expect(session).Should(ExitCleanly()) | ||||||
|  | 		for _, mask := range config.DefaultMaskedPaths { | ||||||
|  | 			if st, err := os.Stat(mask); err == nil { | ||||||
|  | 				if st.IsDir() { | ||||||
|  | 					session = podmanTest.Podman([]string{"exec", "maskCtr", "ls", mask}) | ||||||
|  | 					session.WaitWithDefaultTimeout() | ||||||
|  | 					Expect(session).Should(ExitCleanly()) | ||||||
|  | 					Expect(session.OutputToString()).To(BeEmpty()) | ||||||
|  | 				} else { | ||||||
|  | 					session = podmanTest.Podman([]string{"exec", "maskCtr", "cat", mask}) | ||||||
|  | 					session.WaitWithDefaultTimeout() | ||||||
|  | 					// Call can fail with permission denied, ignoring error or Not exist.
 | ||||||
|  | 					// key factor is there is no information leak
 | ||||||
|  | 					Expect(session.OutputToString()).To(BeEmpty()) | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 		for _, mask := range config.DefaultReadOnlyPaths { | ||||||
|  | 			if _, err := os.Stat(mask); err == nil { | ||||||
|  | 				session = podmanTest.Podman([]string{"exec", "maskCtr", "touch", mask}) | ||||||
|  | 				session.WaitWithDefaultTimeout() | ||||||
|  | 				Expect(session).Should(Exit(1)) | ||||||
|  | 				Expect(session.ErrorToString()).To(Equal(fmt.Sprintf("touch: %s: Read-only file system", mask))) | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 	}) | ||||||
|  | 
 | ||||||
| 	It("podman run mask and unmask path test", func() { | 	It("podman run mask and unmask path test", func() { | ||||||
| 		session := podmanTest.Podman([]string{"run", "-d", "--name=maskCtr1", "--security-opt", "unmask=ALL", "--security-opt", "mask=/proc/acpi", ALPINE, "sleep", "200"}) | 		session := podmanTest.Podman([]string{"run", "-d", "--name=maskCtr1", "--security-opt", "unmask=ALL", "--security-opt", "mask=/proc/acpi", ALPINE, "sleep", "200"}) | ||||||
| 		session.WaitWithDefaultTimeout() | 		session.WaitWithDefaultTimeout() | ||||||
|  |  | ||||||
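Review bot: The `cat` branch of the DefaultMaskedPaths loop in "podman run default mask test" asserts only that stdout is empty, which a file that is empty by nature or unreadable for permission reasons (the comment even anticipates permission denied) satisfies just as well, so the test cannot distinguish a masked /proc/keys or /proc/kcore from an unmasked one, especially rootless where reading them fails anyway. A check that does not depend on file content is to assert the path is actually mounted over, e.g. `session = podmanTest.Podman([]string{"exec", "maskCtr", "grep", "-c", " " + mask + " ", "/proc/self/mountinfo"})` followed by `Expect(session).Should(ExitCleanly())`, or to compare the output against a control container started with `--security-opt unmask=ALL`. The dir-vs-file decision also uses os.Stat on the host while the assertions run inside the container; that is presumably fine for /proc and /sys but deserves a one-line comment. The It block is complete within this section, while the enclosing Describe starts outside it.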
	