Skip to content

Commit

Permalink
Do not validate paths on remote platforms
Browse files Browse the repository at this point in the history
Modify validate functions to work on a remote clients.
Any of the path checks will not work on remote machines or make
sense on remote clients. Therefore they should not be checked.

Signed-off-by: Daniel J Walsh <[email protected]>
  • Loading branch information
rhatdan committed May 28, 2020
1 parent 0e6180b commit 6dea667
Show file tree
Hide file tree
Showing 7 changed files with 126 additions and 92 deletions.
18 changes: 9 additions & 9 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ GO_BUILD=$(GO) build
ifeq ($(shell go help mod >/dev/null 2>&1 && echo true), true)
GO_BUILD=GO111MODULE=on $(GO) build -mod=vendor
endif
BUILDTAGS := ""
BUILDTAGS :=
DESTDIR ?=
PREFIX := /usr/local
CONFIGDIR := ${PREFIX}/share/containers
Expand All @@ -32,18 +32,18 @@ define go-get
endef

define go-build
GOOS=$(1) GOARCH=$(2) $(GO) build -tags $(BUILDTAGS) ./...
GOOS=$(1) GOARCH=$(2) $(GO) build -tags "$(3)" ./...
endef

.PHONY:
build-cross:
$(call go-build,linux,386)
$(call go-build,linux,arm)
$(call go-build,linux,arm64)
$(call go-build,linux,ppc64le)
$(call go-build,linux,s390x)
$(call go-build,windows,amd64)
$(call go-build,windows,386)
$(call go-build,linux,386,${BUILDTAGS})
$(call go-build,linux,arm,${BUILDTAGS})
$(call go-build,linux,arm64,${BUILDTAGS})
$(call go-build,linux,ppc64le,${BUILDTAGS})
$(call go-build,linux,s390x,${BUILDTAGS})
$(call go-build,windows,amd64,remote ${BUILDTAGS})
$(call go-build,windows,386,remote ${BUILDTAGS})

.PHONY: all
all: build-amd64 build-386
Expand Down
61 changes: 8 additions & 53 deletions pkg/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ import (
"path/filepath"
"strings"
"sync"
"syscall"

"github.com/BurntSushi/toml"
"github.com/containers/common/pkg/capabilities"
Expand Down Expand Up @@ -540,17 +539,8 @@ func (c *Config) Validate() error {
// It returns an `error` on validation failure, otherwise
// `nil`.
func (c *EngineConfig) Validate() error {
// Relative paths can cause nasty bugs, because core paths we use could
// shift between runs (or even parts of the program - the OCI runtime
// uses a different working directory than we do, for example.
if c.StaticDir != "" && !filepath.IsAbs(c.StaticDir) {
return fmt.Errorf("static directory must be an absolute path - instead got %q", c.StaticDir)
}
if c.TmpDir != "" && !filepath.IsAbs(c.TmpDir) {
return fmt.Errorf("temporary directory must be an absolute path - instead got %q", c.TmpDir)
}
if c.VolumePath != "" && !filepath.IsAbs(c.VolumePath) {
return fmt.Errorf("volume path must be an absolute path - instead got %q", c.VolumePath)
if err := c.validatePaths(); err != nil {
return err
}

// Check if the pullPolicy from containers.conf is valid
Expand All @@ -566,22 +556,13 @@ func (c *EngineConfig) Validate() error {
// It returns an `error` on validation failure, otherwise
// `nil`.
func (c *ContainersConfig) Validate() error {
for _, u := range c.DefaultUlimits {
ul, err := units.ParseUlimit(u)
if err != nil {
return fmt.Errorf("unrecognized ulimit %s: %v", u, err)
}
_, err = ul.GetRlimit()
if err != nil {
return err
}

if err := c.validateUlimits(); err != nil {
return err
}

for _, d := range c.Devices {
_, _, _, err := Device(d)
if err != nil {
return err
}
if err := c.validateDevices(); err != nil {
return err
}

if c.LogSizeMax >= 0 && c.LogSizeMax < OCIBufSize {
Expand All @@ -600,8 +581,7 @@ func (c *ContainersConfig) Validate() error {
// execution checks. It returns an `error` on validation failure, otherwise
// `nil`.
func (c *NetworkConfig) Validate() error {

if c.NetworkConfigDir != cniConfigDir {
if c.NetworkConfigDir != _cniConfigDir {
err := isDirectory(c.NetworkConfigDir)
if err != nil {
return errors.Wrapf(err, "invalid network_config_dir: %s", c.NetworkConfigDir)
Expand Down Expand Up @@ -803,31 +783,6 @@ func resolveHomeDir(path string) (string, error) {
return strings.Replace(path, "~", home, 1), nil
}

// isDirectory tests whether the given path exists and is a directory. It
// follows symlinks.
func isDirectory(path string) error {
path, err := resolveHomeDir(path)
if err != nil {
return err
}

info, err := os.Stat(path)
if err != nil {
return err
}

if !info.Mode().IsDir() {
// Return a PathError to be consistent with os.Stat().
return &os.PathError{
Op: "stat",
Path: path,
Err: syscall.ENOTDIR,
}
}

return nil
}

func rootlessConfigPath() (string, error) {
if configHome := os.Getenv("XDG_CONFIG_HOME"); configHome != "" {
return filepath.Join(configHome, _configPath), nil
Expand Down
77 changes: 77 additions & 0 deletions pkg/config/config_local.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
// +build !remote

package config

import (
"fmt"
"os"
"path/filepath"
"syscall"

units "github.com/docker/go-units"
)

// isDirectory tests whether the given path exists and is a directory. It
// follows symlinks.
func isDirectory(path string) error {
path, err := resolveHomeDir(path)
if err != nil {
return err
}

info, err := os.Stat(path)
if err != nil {
return err
}

if !info.Mode().IsDir() {
// Return a PathError to be consistent with os.Stat().
return &os.PathError{
Op: "stat",
Path: path,
Err: syscall.ENOTDIR,
}
}

return nil
}

func (c *EngineConfig) validatePaths() error {
// Relative paths can cause nasty bugs, because core paths we use could
// shift between runs or even parts of the program. - The OCI runtime
// uses a different working directory than we do, for example.
if c.StaticDir != "" && !filepath.IsAbs(c.StaticDir) {
return fmt.Errorf("static directory must be an absolute path - instead got %q", c.StaticDir)
}
if c.TmpDir != "" && !filepath.IsAbs(c.TmpDir) {
return fmt.Errorf("temporary directory must be an absolute path - instead got %q", c.TmpDir)
}
if c.VolumePath != "" && !filepath.IsAbs(c.VolumePath) {
return fmt.Errorf("volume path must be an absolute path - instead got %q", c.VolumePath)
}
return nil
}

func (c *ContainersConfig) validateDevices() error {
for _, d := range c.Devices {
_, _, _, err := Device(d)
if err != nil {
return err
}
}
return nil
}

func (c *ContainersConfig) validateUlimits() error {
for _, u := range c.DefaultUlimits {
ul, err := units.ParseUlimit(u)
if err != nil {
return fmt.Errorf("unrecognized ulimit %s: %v", u, err)
}
_, err = ul.GetRlimit()
if err != nil {
return err
}
}
return nil
}
21 changes: 21 additions & 0 deletions pkg/config/config_remote.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
// +build remote

package config

// isDirectory tests whether the given path exists and is a directory. It
// follows symlinks.
func isDirectory(path string) error {
return nil
}

func (c *EngineConfig) validatePaths() error {
return nil
}

func (c *ContainersConfig) validateDevices() error {
return nil
}

func (c *ContainersConfig) validateUlimits() error {
return nil
}
15 changes: 0 additions & 15 deletions pkg/config/config_unix.go

This file was deleted.

10 changes: 0 additions & 10 deletions pkg/config/config_windows.go

This file was deleted.

16 changes: 11 additions & 5 deletions pkg/config/default.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,9 +53,6 @@ var (
// DefaultDetachKeys is the default keys sequence for detaching a
// container
DefaultDetachKeys = "ctrl-p,ctrl-q"
)

var (
// ErrConmonOutdated indicates the version of conmon found (whether via the configuration or $PATH)
// is out of date for the current podman version
ErrConmonOutdated = errors.New("outdated conmon version")
Expand All @@ -80,15 +77,24 @@ var (
"CAP_SETUID",
"CAP_SYS_CHROOT",
}

cniBinDir = []string{
"/usr/libexec/cni",
"/usr/lib/cni",
"/usr/local/lib/cni",
"/opt/cni/bin",
}
)

const (
// EtcDir is the sysconfdir where podman should look for system config files.
// _etcDir is the sysconfdir where podman should look for system config files.
// It can be overridden at build time.
_etcDir = "/etc"
// InstallPrefix is the prefix where podman will be installed.
// It can be overridden at build time.
_installPrefix = "/usr"
// _cniConfigDir is the directory where cni plugins are found
_cniConfigDir = "/etc/cni/net.d/"
// CgroupfsCgroupsManager represents cgroupfs native cgroup manager
CgroupfsCgroupsManager = "cgroupfs"
// DefaultApparmorProfile specifies the default apparmor profile for the container.
Expand Down Expand Up @@ -191,7 +197,7 @@ func DefaultConfig() (*Config, error) {
},
Network: NetworkConfig{
DefaultNetwork: "podman",
NetworkConfigDir: cniConfigDir,
NetworkConfigDir: _cniConfigDir,
CNIPluginDirs: cniBinDir,
},
Engine: *defaultEngineConfig,
Expand Down

0 comments on commit 6dea667

Please sign in to comment.