Merge pull request #17272 from openshift-cherrypick-robot/cherry-pick…

…-17265-to-v4.4 [v4.4] Match VT device paths to be blocked from mounting exactly
containers · Jan 30, 2023 · 871c67c · 871c67c
2 parents 1f96d03 + 579c5dc
commit 871c67c
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 10 deletions.
diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go
@@ -5,8 +5,9 @@ import (
 	"fmt"
 	"io/fs"
 	"os"
-	"path"
 	"path/filepath"
+	"strconv"
+	"strings"
 	"syscall"
 
 	"github.com/containers/podman/v4/libpod/define"
@@ -70,20 +71,23 @@ func FindDeviceNodes() (map[string]string, error) {
 	return nodes, nil
 }
 
-func isVirtualConsoleDevice(device string) bool {
+// isVirtualConsoleDevice returns true if path is a virtual console device
+// (/dev/tty\d+).
+// The passed path must be clean (filepath.Clean).
+func isVirtualConsoleDevice(path string) bool {
 	/*
 		Virtual consoles are of the form `/dev/tty\d+`, any other device such as
 		/dev/tty, ttyUSB0, or ttyACM0 should not be matched.
 		See `man 4 console` for more information.
-
-		NOTE: Matching is done using path.Match even though a regular expression
-		      would have been more accurate. This is because a regular
-			  expression would have required pre-compilation, which would have
-			  increase the startup time needlessly or made the code more complex
-			  than needed.
 	*/
-	matched, _ := path.Match("/dev/tty[0-9]*", device)
-	return matched
+	suffix := strings.TrimPrefix(path, "/dev/tty")
+	if suffix == path || suffix == "" {
+		return false
+	}
+
+	// 16bit because, max. supported TTY devices is 512 in Linux 6.1.5.
+	_, err := strconv.ParseUint(suffix, 10, 16)
+	return err == nil
 }
 
 func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {

diff --git a/pkg/util/utils_linux_test.go b/pkg/util/utils_linux_test.go
@@ -0,0 +1,54 @@
+package util
+
+import (
+	"testing"
+)
+
+func TestIsVirtualConsoleDevice(t *testing.T) {
+	testcases := []struct {
+		expectedResult bool
+		path           string
+	}{
+		{
+			expectedResult: true,
+			path:           "/dev/tty10",
+		},
+		{
+			expectedResult: false,
+			path:           "/dev/tty",
+		},
+		{
+			expectedResult: false,
+			path:           "/dev/ttyUSB0",
+		},
+		{
+			expectedResult: false,
+			path:           "/dev/tty0abcd",
+		},
+		{
+			expectedResult: false,
+			path:           "1234",
+		},
+		{
+			expectedResult: false,
+			path:           "abc",
+		},
+		{
+			expectedResult: false,
+			path:           " ",
+		},
+		{
+			expectedResult: false,
+			path:           "",
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.path, func(t *testing.T) {
+			result := isVirtualConsoleDevice(tc.path)
+			if result != tc.expectedResult {
+				t.Errorf("isVirtualConsoleDevice returned %t, expected %t", result, tc.expectedResult)
+			}
+		})
+	}
+}