From 62060f32343290e27b149c578584da1d90a25b47 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 10 Nov 2023 04:44:12 -0600
Subject: [PATCH] Get masked paths and readonly masked patchs from containers/common

Signed-off-by: Daniel J Walsh
---
 pkg/specgen/generate/config_linux.go | 25 +++-------------------
 test/e2e/run_test.go                 | 31 ++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 22 deletions(-)

diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index 0737552933..04a5caf895 100644
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -11,6 +11,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/containers/common/pkg/config"
 	"github.com/containers/podman/v4/libpod/define"
 	"github.com/containers/podman/v4/pkg/rootless"
 	"github.com/containers/podman/v4/pkg/util"
@@ -93,34 +94,14 @@ func DevicesFromPath(g *generate.Generator, devicePath string) error {
 }
 
 func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask []string, g *generate.Generator) {
-	defaultMaskPaths := []string{"/proc/acpi",
-		"/proc/kcore",
-		"/proc/keys",
-		"/proc/latency_stats",
-		"/proc/timer_list",
-		"/proc/timer_stats",
-		"/proc/sched_debug",
-		"/proc/scsi",
-		"/sys/firmware",
-		"/sys/fs/selinux",
-		"/sys/dev/block",
-	}
-
 	if !privileged {
-		for _, mp := range defaultMaskPaths {
+		for _, mp := range config.DefaultMaskedPaths {
 			// check that the path to mask is not in the list of paths to unmask
 			if shouldMask(mp, unmask) {
 				g.AddLinuxMaskedPaths(mp)
 			}
 		}
-		for _, rp := range []string{
-			"/proc/asound",
-			"/proc/bus",
-			"/proc/fs",
-			"/proc/irq",
-			"/proc/sys",
-			"/proc/sysrq-trigger",
-		} {
+		for _, rp := range config.DefaultReadOnlyPaths {
 			if shouldMask(rp, unmask) {
 				g.AddLinuxReadonlyPaths(rp)
 			}
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index b923fd5fbe..6789961634 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
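Review bot: BlockAccessToKernelFilesystems is exported but carries no doc comment, and after this change the paths it masks are no longer visible in this file at all, so a reader cannot tell what the default sandbox is without opening containers/common; the function's body continues past the end of the hunk. Suggest a comment above the `func` line such as `// BlockAccessToKernelFilesystems hides the kernel filesystem paths in config.DefaultMaskedPaths and makes config.DefaultReadOnlyPaths read-only in the generated spec, skipping any path the caller asked to unmask; both lists are owned by containers/common, so a bump of that dependency changes the default sandbox of every non-privileged container.` The commit message does not say whether the two containers/common lists are element-for-element the same as the literals removed here; if they differ, the effective default mask set changes with this commit and that should be stated explicitly. Note also that `mask` and `pidModeIsHost` are not referenced anywhere inside the hunk, presumably they are handled further down in the body.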
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/containers/common/pkg/cgroups"
+	"github.com/containers/common/pkg/config"
 	"github.com/containers/podman/v4/libpod/define"
 	. "github.com/containers/podman/v4/test/utils"
 	"github.com/containers/storage/pkg/stringid"
@@ -370,6 +371,36 @@ var _ = Describe("Podman run", func() {
 		return jsonFile
 	}
 
+	It("podman run default mask test", func() {
+		session := podmanTest.Podman([]string{"run", "-d", "--name=maskCtr", ALPINE, "sleep", "200"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(ExitCleanly())
+		for _, mask := range config.DefaultMaskedPaths {
+			if st, err := os.Stat(mask); err == nil {
+				if st.IsDir() {
+					session = podmanTest.Podman([]string{"exec", "maskCtr", "ls", mask})
+					session.WaitWithDefaultTimeout()
+					Expect(session).Should(ExitCleanly())
+					Expect(session.OutputToString()).To(BeEmpty())
+				} else {
+					session = podmanTest.Podman([]string{"exec", "maskCtr", "cat", mask})
+					session.WaitWithDefaultTimeout()
+					// Call can fail with permission denied, ignoring error or Not exist.
+					// key factor is there is no information leak
+					Expect(session.OutputToString()).To(BeEmpty())
+				}
+			}
+		}
+		for _, mask := range config.DefaultReadOnlyPaths {
+			if _, err := os.Stat(mask); err == nil {
+				session = podmanTest.Podman([]string{"exec", "maskCtr", "touch", mask})
+				session.WaitWithDefaultTimeout()
+				Expect(session).Should(Exit(1))
+				Expect(session.ErrorToString()).To(Equal(fmt.Sprintf("touch: %s: Read-only file system", mask)))
+			}
+		}
+	})
+
 	It("podman run mask and unmask path test", func() {
 		session := podmanTest.Podman([]string{"run", "-d", "--name=maskCtr1", "--security-opt", "unmask=ALL", "--security-opt", "mask=/proc/acpi", ALPINE, "sleep", "200"})
 		session.WaitWithDefaultTimeout()
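Review bot: The new "podman run default mask test" gates every check on `os.Stat(mask)` succeeding on the host, so any entry of config.DefaultMaskedPaths or config.DefaultReadOnlyPaths that the test host lacks is skipped without a trace, and an empty list would make the test pass vacuously. Suggest asserting up front that the lists are non-empty, e.g. `Expect(config.DefaultMaskedPaths).ToNot(BeEmpty())` and `Expect(config.DefaultReadOnlyPaths).ToNot(BeEmpty())`, and counting the entries actually exercised so a host that skips every path fails loudly instead of reporting a green run. In the file branch the exit status of `cat` is deliberately ignored per the inline comment, which is fine for the leak check, but an exec that fails because the container itself is gone would also produce empty output and pass; checking that `session` exited with 0 or 1 rather than only that its output is empty would keep that branch meaningful. The container maskCtr is not removed inside the hunk; presumably the suite's AfterEach cleanup handles that.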