Quadlet: Fix userLevelFilter when UnitDirAdmin is a symlink

[lelemka0]

Problem

Rootless unit placed in /etc/containers/systemd/users/$(UID) will be loaded for root when /etc/containers/systemd is a symlink.
Fix: #23483

Fix

Try evaluate the path of UnitDirAdmin as a symbolic link.

Does this PR introduce a user-facing change?

None

[rhatdan]

Please fix your commit message.

[lelemka0]

Additionally, I found that a similar situation exists in nonNumericFilter.
If UnitDirAdmin/users is a symbolic link, any user will load other users' units.
I will push another commit later.

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[ygalblum]

Maybe I'm missing something here, but can't this code (and the one in userLevelFilter) be executed once somewhere else?

[ygalblum]

I guess I wasn't clear on my first comment. I wonder if we can compute UnitDirAdminUser and resolvedUnitDirAdmin once instead of every time the filter function is called.

[ygalblum]

Thanks for the PR.
As you may have noticed, you will also need to add some sort of a test to make sure the functionality works and not less more importantly does not break in future PRs

[ygalblum]

I guess I wasn't clear on my first comment. I wonder if we can compute UnitDirAdminUser and resolvedUnitDirAdmin once instead of every time the filter function is called.

[lelemka0]

UnitDirAdminUser and resolvedUnitDirAdmin are computed in getUnitDirs now, so that they will be computed only once during the whole process.
test added.

podman/cmd/quadlet/main_test.go

Lines 102 to 104 in 0bd43f4

	t.Setenv("QUADLET_UNIT_DIRS", actualDir)
	unitDirs = getUnitDirs(true)
	assert.Equal(t, unitDirs, []string{actualDir, innerDir}, "directory resolution should follow symlink")

In the original test for symlinks, because the env is set to actualDir, the test result will always pass. Fixed.
https://github.com/containers/podman/blob/209f1cd9c08c248678d6a73166f1d05bcfb1eeb7/cmd/quadlet/main_test.go#L116

[ygalblum]

Sorry for the nit. But, is there a reason why UnitDirAdminUser and SystemUserDirLevel are exposed and resolvedUnitDirAdminUser isn't? Are they used outside of the module?

[lelemka0]

It looks like my test fails in Windows Cross because I use syscall.Chroot which doesn't exist in windows.
I think chroot is necessary to verify a specific path, otherwise it will cause modifications to the system.
Actually quadlet is not used in windows, can this part be skipped?

[rhatdan]

Yes this package should only be compiled on Linux (Really for systemd based systems.)

[rhatdan]

@lelemka0 could you answer @ygalblum question on variable naming.

[lelemka0]

@rhatdan I have already answered. Actually all three variables are exposed, I don't understand why @ygalblum says resolvedUnitDirAdminUser is not exposed.
https://github.com/containers/podman/blob/e159a025dda19a0a9af0caca364d084c565d7cea/cmd/quadlet/main.go#L58-L62

test works without privilege now.

[rhatdan]

He wants you to change:

 (
	UnitDirAdminUser         string 
 	resolvedUnitDirAdminUser string 
 	SystemUserDirLevel       int 
 ) 

to

 (
	unitDirAdminUser         string 
 	resolvedUnitDirAdminUser string 
 	systemUserDirLevel       int 
 ) 

[lelemka0]

@rhatdan Sorry, I misunderstood.
corrected.

[rhatdan]

LGTM
@ygalblum PTAL

[lelemka0]

test with coverage works now.

[ygalblum]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lelemka0, ygalblum

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ygalblum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ygalblum]

@lelemka0 sorry for not being clear. Please rebase you branch, it should fix the test failures

[ygalblum]

/lgtm