Remove escalated privileges
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
This commit is contained in:
parent
54f8abe553
commit
4012c1b853
@ -4,7 +4,7 @@ go 1.19
|
||||
|
||||
require (
|
||||
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1
|
||||
github.com/Microsoft/go-winio v0.6.1-0.20230228163719-dd5de6900b62
|
||||
github.com/Microsoft/go-winio v0.6.1-0.20230228163719-dd5de6900b62 // indirect
|
||||
github.com/Microsoft/hcsshim v0.10.0-rc.7
|
||||
github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1
|
||||
github.com/containerd/cgroups/v3 v3.0.1
|
||||
|
@ -22,6 +22,7 @@ import (
|
||||
|
||||
. "github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/snapshots"
|
||||
"github.com/containerd/containerd/snapshots/testsuite"
|
||||
)
|
||||
|
||||
func newSnapshotter(ctx context.Context, root string) (snapshots.Snapshotter, func() error, error) {
|
||||
@ -39,5 +40,9 @@ func newSnapshotter(ctx context.Context, root string) (snapshots.Snapshotter, fu
|
||||
}
|
||||
|
||||
func TestSnapshotterClient(t *testing.T) {
|
||||
runTestSnapshotterClient(t)
|
||||
if testing.Short() {
|
||||
t.Skip()
|
||||
}
|
||||
|
||||
testsuite.SnapshotterSuite(t, DefaultSnapshotter, newSnapshotter)
|
||||
}
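Review bot: TestSnapshotterClient now runs the snapshotter suite as an ordinary process, without the SeBackupPrivilege/SeRestorePrivilege the deleted Windows variant enabled, and nothing in the new test records why that is now acceptable. The deleted file's comment said those privileges were what gave the test access to system files inside the container mount points, so a one-line comment above the `testsuite.SnapshotterSuite(t, DefaultSnapshotter, newSnapshotter)` call, e.g. `// Runs without SeBackup/SeRestore privileges on Windows; the snapshotter must not rely on them.`, would stop the next maintainer from reintroducing them. Presumably a Windows CI run of this suite is the evidence that the dependency is gone; if the suite was only exercised on Linux, that is worth stating in the PR.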
|
||||
|
@ -1,35 +0,0 @@
|
||||
//go:build !windows
|
||||
// +build !windows
|
||||
|
||||
/*
|
||||
Copyright The containerd Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package client
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
. "github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/snapshots/testsuite"
|
||||
)
|
||||
|
||||
func runTestSnapshotterClient(t *testing.T) {
|
||||
if testing.Short() {
|
||||
t.Skip()
|
||||
}
|
||||
|
||||
testsuite.SnapshotterSuite(t, DefaultSnapshotter, newSnapshotter)
|
||||
}
|
@ -1,42 +0,0 @@
|
||||
//go:build windows
|
||||
// +build windows
|
||||
|
||||
/*
|
||||
Copyright The containerd Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package client
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
winio "github.com/Microsoft/go-winio"
|
||||
|
||||
. "github.com/containerd/containerd"
|
||||
"github.com/containerd/containerd/snapshots/testsuite"
|
||||
)
|
||||
|
||||
func runTestSnapshotterClient(t *testing.T) {
|
||||
if testing.Short() {
|
||||
t.Skip()
|
||||
}
|
||||
// The SeBackupPrivilege and SeRestorePrivilege gives us access to system files inside the container mount points
|
||||
// (and everywhere on the system), without having to explicitly set DACLs on each location inside the mount point.
|
||||
if err := winio.EnableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege}); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer winio.DisableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege})
|
||||
testsuite.SnapshotterSuite(t, DefaultSnapshotter, newSnapshotter)
|
||||
}
|
@ -39,7 +39,7 @@ var (
|
||||
)
|
||||
|
||||
// Mount to the provided target.
|
||||
func (m *Mount) mount(target string) error {
|
||||
func (m *Mount) mount(target string) (retErr error) {
|
||||
readOnly := false
|
||||
for _, option := range m.Options {
|
||||
if option == "ro" {
|
||||
@ -70,23 +70,23 @@ func (m *Mount) mount(target string) error {
|
||||
HomeDir: home,
|
||||
}
|
||||
|
||||
if err = hcsshim.ActivateLayer(di, layerID); err != nil {
|
||||
if err := hcsshim.ActivateLayer(di, layerID); err != nil {
|
||||
return fmt.Errorf("failed to activate layer %s: %w", m.Source, err)
|
||||
}
|
||||
defer func() {
|
||||
if err != nil {
|
||||
if retErr != nil {
|
||||
if layerErr := hcsshim.DeactivateLayer(di, layerID); layerErr != nil {
|
||||
log.G(context.TODO()).WithError(layerErr).Error("failed to deactivate layer during mount failure cleanup")
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
if err = hcsshim.PrepareLayer(di, layerID, parentLayerPaths); err != nil {
|
||||
if err := hcsshim.PrepareLayer(di, layerID, parentLayerPaths); err != nil {
|
||||
return fmt.Errorf("failed to prepare layer %s: %w", m.Source, err)
|
||||
}
|
||||
|
||||
defer func() {
|
||||
if err != nil {
|
||||
if retErr != nil {
|
||||
if layerErr := hcsshim.UnprepareLayer(di, layerID); layerErr != nil {
|
||||
log.G(context.TODO()).WithError(layerErr).Error("failed to unprepare layer during mount failure cleanup")
|
||||
}
|
||||
@ -98,11 +98,11 @@ func (m *Mount) mount(target string) error {
|
||||
return fmt.Errorf("failed to get volume path for layer %s: %w", m.Source, err)
|
||||
}
|
||||
|
||||
if err = bindfilter.ApplyFileBinding(target, volume, readOnly); err != nil {
|
||||
if err := bindfilter.ApplyFileBinding(target, volume, readOnly); err != nil {
|
||||
return fmt.Errorf("failed to set volume mount path for layer %s: %w", m.Source, err)
|
||||
}
|
||||
defer func() {
|
||||
if err != nil {
|
||||
if retErr != nil {
|
||||
if bindErr := bindfilter.RemoveFileBinding(target); bindErr != nil {
|
||||
log.G(context.TODO()).WithError(bindErr).Error("failed to remove binding during mount failure cleanup")
|
||||
}
|
||||
@ -112,7 +112,7 @@ func (m *Mount) mount(target string) error {
|
||||
// Add an Alternate Data Stream to record the layer source.
|
||||
// See https://docs.microsoft.com/en-au/archive/blogs/askcore/alternate-data-streams-in-ntfs
|
||||
// for details on Alternate Data Streams.
|
||||
if err = os.WriteFile(filepath.Clean(target)+":"+sourceStreamName, []byte(m.Source), 0666); err != nil {
|
||||
if err := os.WriteFile(filepath.Clean(target)+":"+sourceStreamName, []byte(m.Source), 0666); err != nil {
|
||||
return fmt.Errorf("failed to record source for layer %s: %w", m.Source, err)
|
||||
}
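Review bot: The three deferred cleanups in `mount` now key on the named result `retErr`, so they undo ActivateLayer, PrepareLayer and ApplyFileBinding only on an error return; a panic between `hcsshim.ActivateLayer` and the final return still runs the defers with `retErr == nil` and leaves the layer activated and the binding in place. That contract is not written down anywhere in the new code, and it is easy to break later by assigning an error and then returning nil; a comment above the first `defer func()`, e.g. `// Cleanup defers fire only when mount returns a non-nil error (retErr); every failure path must return its error, and they run LIFO so the binding is removed before the layer is unprepared and deactivated.`, would make the invariant explicit. `mount` begins at the first hunk and continues past the last one, so any later return paths are outside this view.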
|
||||
|
||||
|
@ -820,13 +820,13 @@ func checkSnapshotterViewReadonly(ctx context.Context, t *testing.T, snapshotter
|
||||
}
|
||||
|
||||
testfile := filepath.Join(viewMountPoint, "testfile")
|
||||
if err := os.WriteFile(testfile, []byte("testcontent"), 0777); err != nil {
|
||||
err = os.WriteFile(testfile, []byte("testcontent"), 0777)
|
||||
testutil.Unmount(t, viewMountPoint)
|
||||
if err != nil {
|
||||
t.Logf("write to %q failed with %v (EROFS is expected but can be other error code)", testfile, err)
|
||||
} else {
|
||||
testutil.Unmount(t, viewMountPoint)
|
||||
t.Fatalf("write to %q should fail (EROFS) but did not fail", testfile)
|
||||
}
|
||||
testutil.Unmount(t, viewMountPoint)
|
||||
assert.Nil(t, snapshotter.Remove(ctx, view))
|
||||
assert.Nil(t, snapshotter.Remove(ctx, committed))
|
||||
}
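Review bot: In `checkSnapshotterViewReadonly` the read-only check still treats any write error as proof that the view is read-only, which the `t.Logf` message acknowledges; a write that fails because `viewMountPoint` is missing or the view was never mounted therefore passes an enforcement test that should fail. Now that the error is held in `err` across the unmount it is cheap to reject the one clearly-wrong case before logging: `if errors.Is(err, fs.ErrNotExist) { t.Fatalf("write to %q failed because the view path is missing: %v", testfile, err) }` placed at the top of the `if err != nil` branch (needs `errors` and `io/fs`, if this file does not already import them). The `err = os.WriteFile(...)` assignment relies on an `err` declared earlier in the function, outside this hunk; the function starts before the hunk.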
|
||||
|