v1 runtime: reduce permissions for bundle dir
Bundle directory permissions should be 0700 by default. On Linux with user namespaces enabled, the remapped root also needs access to the bundle directory. In this case, the bundle directory is modified to 0710 and group ownership is changed to the remapped root group. Port of the same change for the v2 runtime Signed-off-by: Samuel Karp <skarp@amazon.com>
This commit is contained in:
Samuel Karp
parent
7d56b24f1a
commit
6886c6a2ec
@ -22,6 +22,7 @@ package linux
|
||||
import (
|
||||
"context"
|
||||
"crypto/sha256"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
@ -31,6 +32,7 @@ import (
|
||||
"github.com/containerd/containerd/runtime/linux/runctypes"
|
||||
"github.com/containerd/containerd/runtime/v1/shim"
|
||||
"github.com/containerd/containerd/runtime/v1/shim/client"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
@ -49,7 +51,7 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
|
||||
return nil, err
|
||||
}
|
||||
path = filepath.Join(path, id)
|
||||
if err := os.Mkdir(path, 0711); err != nil {
|
||||
if err := os.Mkdir(path, 0700); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer func() {
|
||||
@ -57,6 +59,9 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
|
||||
os.RemoveAll(path)
|
||||
}
|
||||
}()
|
||||
if err := prepareBundleDirectoryPermissions(path, spec); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
workDir = filepath.Join(workDir, id)
|
||||
if err := os.MkdirAll(workDir, 0711); err != nil {
|
||||
return nil, err
|
||||
@ -78,6 +83,55 @@ func newBundle(id, path, workDir string, spec []byte) (b *bundle, err error) {
|
||||
}, err
|
||||
}
|
||||
|
||||
// prepareBundleDirectoryPermissions prepares the permissions of the bundle
|
||||
// directory. When user namespaces are enabled, the permissions are modified
|
||||
// to allow the remapped root GID to access the bundle.
|
||||
func prepareBundleDirectoryPermissions(path string, spec []byte) error {
|
||||
gid, err := remappedGID(spec)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if gid == 0 {
|
||||
return nil
|
||||
}
|
||||
if err := os.Chown(path, -1, int(gid)); err != nil {
|
||||
return err
|
||||
}
|
||||
return os.Chmod(path, 0710)
|
||||
}
|
||||
|
||||
// ociSpecUserNS is a subset of specs.Spec used to reduce garbage during
|
||||
// unmarshal.
|
||||
type ociSpecUserNS struct {
|
||||
Linux *linuxSpecUserNS
|
||||
}
|
||||
|
||||
// linuxSpecUserNS is a subset of specs.Linux used to reduce garbage during
|
||||
// unmarshal.
|
||||
type linuxSpecUserNS struct {
|
||||
GIDMappings []specs.LinuxIDMapping
|
||||
}
|
||||
|
||||
// remappedGID reads the remapped GID 0 from the OCI spec, if it exists. If
|
||||
// there is no remapping, remappedGID returns 0. If the spec cannot be parsed,
|
||||
// remappedGID returns an error.
|
||||
func remappedGID(spec []byte) (uint32, error) {
|
||||
var ociSpec ociSpecUserNS
|
||||
err := json.Unmarshal(spec, &ociSpec)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
if ociSpec.Linux == nil || len(ociSpec.Linux.GIDMappings) == 0 {
|
||||
return 0, nil
|
||||
}
|
||||
for _, mapping := range ociSpec.Linux.GIDMappings {
|
||||
if mapping.ContainerID == 0 {
|
||||
return mapping.HostID, nil
|
||||
}
|
||||
}
|
||||
return 0, nil
|
||||
}
|
||||
|
||||
type bundle struct {
|
||||
id string
|
||||
path string
|
||||
|
||||
145
runtime/v1/linux/bundle_test.go
Normal file
145
runtime/v1/linux/bundle_test.go
Normal file
@ -0,0 +1,145 @@
|
||||
//go:build linux
|
||||
// +build linux
|
||||
|
||||
/*
|
||||
Copyright The containerd Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package linux
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"syscall"
|
||||
"testing"
|
||||
|
||||
"github.com/containerd/containerd/oci"
|
||||
"github.com/containerd/continuity/testutil"
|
||||
"github.com/opencontainers/runtime-spec/specs-go"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestNewBundle(t *testing.T) {
|
||||
testutil.RequiresRoot(t)
|
||||
tests := []struct {
|
||||
userns bool
|
||||
}{{
|
||||
userns: false,
|
||||
}, {
|
||||
userns: true,
|
||||
}}
|
||||
const usernsGID = 4200
|
||||
|
||||
for i, tc := range tests {
|
||||
t.Run(strconv.Itoa(i), func(t *testing.T) {
|
||||
dir, err := ioutil.TempDir("", "test-new-bundle")
|
||||
require.NoError(t, err, "failed to create test directory")
|
||||
defer os.RemoveAll(dir)
|
||||
work := filepath.Join(dir, "work")
|
||||
state := filepath.Join(dir, "state")
|
||||
id := fmt.Sprintf("new-bundle-%d", i)
|
||||
spec := oci.Spec{}
|
||||
if tc.userns {
|
||||
spec.Linux = &specs.Linux{
|
||||
GIDMappings: []specs.LinuxIDMapping{{ContainerID: 0, HostID: usernsGID}},
|
||||
}
|
||||
}
|
||||
specBytes, err := json.Marshal(&spec)
|
||||
require.NoError(t, err, "failed to marshal spec")
|
||||
|
||||
b, err := newBundle(id, work, state, specBytes)
|
||||
require.NoError(t, err, "newBundle should succeed")
|
||||
require.NotNil(t, b, "bundle should not be nil")
|
||||
|
||||
fi, err := os.Stat(b.path)
|
||||
assert.NoError(t, err, "should be able to stat bundle path")
|
||||
if tc.userns {
|
||||
assert.Equal(t, os.ModeDir|0710, fi.Mode(), "bundle path should be a directory with perm 0710")
|
||||
} else {
|
||||
assert.Equal(t, os.ModeDir|0700, fi.Mode(), "bundle path should be a directory with perm 0700")
|
||||
}
|
||||
stat, ok := fi.Sys().(*syscall.Stat_t)
|
||||
require.True(t, ok, "should assert to *syscall.Stat_t")
|
||||
expectedGID := uint32(0)
|
||||
if tc.userns {
|
||||
expectedGID = usernsGID
|
||||
}
|
||||
assert.Equal(t, expectedGID, stat.Gid, "gid should match")
|
||||
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestRemappedGID(t *testing.T) {
|
||||
tests := []struct {
|
||||
spec oci.Spec
|
||||
gid uint32
|
||||
}{{
|
||||
// empty spec
|
||||
spec: oci.Spec{},
|
||||
gid: 0,
|
||||
}, {
|
||||
// empty Linux section
|
||||
spec: oci.Spec{
|
||||
Linux: &specs.Linux{},
|
||||
},
|
||||
gid: 0,
|
||||
}, {
|
||||
// empty ID mappings
|
||||
spec: oci.Spec{
|
||||
Linux: &specs.Linux{
|
||||
GIDMappings: make([]specs.LinuxIDMapping, 0),
|
||||
},
|
||||
},
|
||||
gid: 0,
|
||||
}, {
|
||||
// valid ID mapping
|
||||
spec: oci.Spec{
|
||||
Linux: &specs.Linux{
|
||||
GIDMappings: []specs.LinuxIDMapping{{
|
||||
ContainerID: 0,
|
||||
HostID: 1000,
|
||||
}},
|
||||
},
|
||||
},
|
||||
gid: 1000,
|
||||
}, {
|
||||
// missing ID mapping
|
||||
spec: oci.Spec{
|
||||
Linux: &specs.Linux{
|
||||
GIDMappings: []specs.LinuxIDMapping{{
|
||||
ContainerID: 100,
|
||||
HostID: 1000,
|
||||
}},
|
||||
},
|
||||
},
|
||||
gid: 0,
|
||||
}}
|
||||
|
||||
for i, tc := range tests {
|
||||
t.Run(strconv.Itoa(i), func(t *testing.T) {
|
||||
s, err := json.Marshal(tc.spec)
|
||||
require.NoError(t, err, "failed to marshal spec")
|
||||
gid, err := remappedGID(s)
|
||||
assert.NoError(t, err, "should unmarshal successfully")
|
||||
assert.Equal(t, tc.gid, gid, "expected GID to match")
|
||||
})
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user