github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Remove escalated privileges

Browse Source 
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
This commit is contained in:
Gabriel Adrian Samfira 2023-03-30 06:07:28 -07:00
parent 54f8abe553
commit 4012c1b853
6 changed files with 18 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
integration/client/go.mod
View File

@ -4,7 +4,7 @@ go 1.19
require ( require (
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1
github.com/Microsoft/go-winio v0.6.1-0.20230228163719-dd5de6900b62 github.com/Microsoft/go-winio v0.6.1-0.20230228163719-dd5de6900b62 // indirect
github.com/Microsoft/hcsshim v0.10.0-rc.7 github.com/Microsoft/hcsshim v0.10.0-rc.7
github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1 github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1
github.com/containerd/cgroups/v3 v3.0.1 github.com/containerd/cgroups/v3 v3.0.1

7
integration/client/snapshot_test.go
View File

@ -22,6 +22,7 @@ import (
. "github.com/containerd/containerd" . "github.com/containerd/containerd"
"github.com/containerd/containerd/snapshots" "github.com/containerd/containerd/snapshots"
"github.com/containerd/containerd/snapshots/testsuite"
) )
func newSnapshotter(ctx context.Context, root string) (snapshots.Snapshotter, func() error, error) { func newSnapshotter(ctx context.Context, root string) (snapshots.Snapshotter, func() error, error) {
@ -39,5 +40,9 @@ func newSnapshotter(ctx context.Context, root string) (snapshots.Snapshotter, fu
} }
func TestSnapshotterClient(t *testing.T) { func TestSnapshotterClient(t *testing.T) {
runTestSnapshotterClient(t) if testing.Short() {
t.Skip()
}
testsuite.SnapshotterSuite(t, DefaultSnapshotter, newSnapshotter)
} }

35
integration/client/snapshot_unix_test.go
View File

@ -1,35 +0,0 @@
//go:build !windows
// +build !windows
/*
Copyright The containerd Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package client
import (
"testing"
. "github.com/containerd/containerd"
"github.com/containerd/containerd/snapshots/testsuite"
)
func runTestSnapshotterClient(t *testing.T) {
if testing.Short() {
t.Skip()
}
testsuite.SnapshotterSuite(t, DefaultSnapshotter, newSnapshotter)
}

42
integration/client/snapshot_windows_test.go
View File

@ -1,42 +0,0 @@
//go:build windows
// +build windows
/*
Copyright The containerd Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package client
import (
"testing"
winio "github.com/Microsoft/go-winio"
. "github.com/containerd/containerd"
"github.com/containerd/containerd/snapshots/testsuite"
)
func runTestSnapshotterClient(t *testing.T) {
if testing.Short() {
t.Skip()
}
// The SeBackupPrivilege and SeRestorePrivilege gives us access to system files inside the container mount points
// (and everywhere on the system), without having to explicitly set DACLs on each location inside the mount point.
if err := winio.EnableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege}); err != nil {
t.Fatal(err)
}
defer winio.DisableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege})
testsuite.SnapshotterSuite(t, DefaultSnapshotter, newSnapshotter)
}

16
mount/mount_windows.go
View File

@ -39,7 +39,7 @@ var (
) )
// Mount to the provided target. // Mount to the provided target.
func (m *Mount) mount(target string) error { func (m *Mount) mount(target string) (retErr error) {
readOnly := false readOnly := false
for _, option := range m.Options { for _, option := range m.Options {
if option == "ro" { if option == "ro" {
@ -70,23 +70,23 @@ func (m *Mount) mount(target string) error {
HomeDir: home, HomeDir: home,
} }
if err = hcsshim.ActivateLayer(di, layerID); err != nil { if err := hcsshim.ActivateLayer(di, layerID); err != nil {
return fmt.Errorf("failed to activate layer %s: %w", m.Source, err) return fmt.Errorf("failed to activate layer %s: %w", m.Source, err)
} }
defer func() { defer func() {
if err != nil { if retErr != nil {
if layerErr := hcsshim.DeactivateLayer(di, layerID); layerErr != nil { if layerErr := hcsshim.DeactivateLayer(di, layerID); layerErr != nil {
log.G(context.TODO()).WithError(layerErr).Error("failed to deactivate layer during mount failure cleanup") log.G(context.TODO()).WithError(layerErr).Error("failed to deactivate layer during mount failure cleanup")
} }
} }
}() }()
if err = hcsshim.PrepareLayer(di, layerID, parentLayerPaths); err != nil { if err := hcsshim.PrepareLayer(di, layerID, parentLayerPaths); err != nil {
return fmt.Errorf("failed to prepare layer %s: %w", m.Source, err) return fmt.Errorf("failed to prepare layer %s: %w", m.Source, err)
} }
defer func() { defer func() {
if err != nil { if retErr != nil {
if layerErr := hcsshim.UnprepareLayer(di, layerID); layerErr != nil { if layerErr := hcsshim.UnprepareLayer(di, layerID); layerErr != nil {
log.G(context.TODO()).WithError(layerErr).Error("failed to unprepare layer during mount failure cleanup") log.G(context.TODO()).WithError(layerErr).Error("failed to unprepare layer during mount failure cleanup")
} }
@ -98,11 +98,11 @@ func (m *Mount) mount(target string) error {
return fmt.Errorf("failed to get volume path for layer %s: %w", m.Source, err) return fmt.Errorf("failed to get volume path for layer %s: %w", m.Source, err)
} }
if err = bindfilter.ApplyFileBinding(target, volume, readOnly); err != nil { if err := bindfilter.ApplyFileBinding(target, volume, readOnly); err != nil {
return fmt.Errorf("failed to set volume mount path for layer %s: %w", m.Source, err) return fmt.Errorf("failed to set volume mount path for layer %s: %w", m.Source, err)
} }
defer func() { defer func() {
if err != nil { if retErr != nil {
if bindErr := bindfilter.RemoveFileBinding(target); bindErr != nil { if bindErr := bindfilter.RemoveFileBinding(target); bindErr != nil {
log.G(context.TODO()).WithError(bindErr).Error("failed to remove binding during mount failure cleanup") log.G(context.TODO()).WithError(bindErr).Error("failed to remove binding during mount failure cleanup")
} }
@ -112,7 +112,7 @@ func (m *Mount) mount(target string) error {
// Add an Alternate Data Stream to record the layer source. // Add an Alternate Data Stream to record the layer source.
// See https://docs.microsoft.com/en-au/archive/blogs/askcore/alternate-data-streams-in-ntfs // See https://docs.microsoft.com/en-au/archive/blogs/askcore/alternate-data-streams-in-ntfs
// for details on Alternate Data Streams. // for details on Alternate Data Streams.
if err = os.WriteFile(filepath.Clean(target)+":"+sourceStreamName, []byte(m.Source), 0666); err != nil { if err := os.WriteFile(filepath.Clean(target)+":"+sourceStreamName, []byte(m.Source), 0666); err != nil {
return fmt.Errorf("failed to record source for layer %s: %w", m.Source, err) return fmt.Errorf("failed to record source for layer %s: %w", m.Source, err)
} }

6
snapshots/testsuite/testsuite.go
View File

@ -820,13 +820,13 @@ func checkSnapshotterViewReadonly(ctx context.Context, t *testing.T, snapshotter
} }
testfile := filepath.Join(viewMountPoint, "testfile") testfile := filepath.Join(viewMountPoint, "testfile")
if err := os.WriteFile(testfile, []byte("testcontent"), 0777); err != nil { err = os.WriteFile(testfile, []byte("testcontent"), 0777)
testutil.Unmount(t, viewMountPoint)
if err != nil {
t.Logf("write to %q failed with %v (EROFS is expected but can be other error code)", testfile, err) t.Logf("write to %q failed with %v (EROFS is expected but can be other error code)", testfile, err)
} else { } else {
testutil.Unmount(t, viewMountPoint)
t.Fatalf("write to %q should fail (EROFS) but did not fail", testfile) t.Fatalf("write to %q should fail (EROFS) but did not fail", testfile)
} }
testutil.Unmount(t, viewMountPoint)
assert.Nil(t, snapshotter.Remove(ctx, view)) assert.Nil(t, snapshotter.Remove(ctx, view))
assert.Nil(t, snapshotter.Remove(ctx, committed)) assert.Nil(t, snapshotter.Remove(ctx, committed))
} }