Merge pull request #9054 from macOScontainers/canonicalize-filter-mount-path

Fix usages of `mountinfo.PrefixFilter`

mount/lookup_unix.go

@@ -20,18 +20,15 @@ package mount
 
 import (
 	"fmt"
-	"path/filepath"
 
 	"github.com/moby/sys/mountinfo"
 )
 
 // Lookup returns the mount info corresponds to the path.
 func Lookup(dir string) (Info, error) {
-	dir = filepath.Clean(dir)
+	resolvedDir, err := CanonicalizePath(dir)
-
-	resolvedDir, err := filepath.EvalSymlinks(dir)
 	if err != nil {
-		return Info{}, fmt.Errorf("failed to resolve symlink for %q: %w", dir, err)
+		return Info{}, err
 	}
 
 	m, err := mountinfo.GetMounts(mountinfo.ParentsFilter(resolvedDir))

mount/mount.go

@@ -18,6 +18,7 @@ package mount
 
 import (
 	"fmt"
+	"path/filepath"
 	"strings"
 
 	"github.com/containerd/containerd/api/types"
@@ -69,6 +70,18 @@ func UnmountMounts(mounts []Mount, target string, flags int) error {
 	return nil
 }
 
+// CanonicalizePath makes path absolute and resolves symlinks in it.
+// Path must exist.
+func CanonicalizePath(path string) (string, error) {
+	// Abs also does Clean, so we do not need to call it separately
+	path, err := filepath.Abs(path)
+	if err != nil {
+		return "", err
+	}
+
+	return filepath.EvalSymlinks(path)
+}
+
 // ReadOnly returns a boolean value indicating whether this mount has the "ro"
 // option set.
 func (m *Mount) ReadOnly() bool {

mount/mount_unix.go

@@ -30,6 +30,12 @@ func UnmountRecursive(target string, flags int) error {
 	if target == "" {
 		return nil
 	}
+
+	target, err := CanonicalizePath(target)
+	if err != nil {
+		return err
+	}
+
 	mounts, err := mountinfo.GetMounts(mountinfo.PrefixFilter(target))
 	if err != nil {
 		return err

mount/temp_unix.go

@@ -20,7 +20,6 @@ package mount
 
 import (
 	"os"
-	"path/filepath"
 	"sort"
 
 	"github.com/moby/sys/mountinfo"
@@ -28,15 +27,13 @@ import (
 
 // SetTempMountLocation sets the temporary mount location
 func SetTempMountLocation(root string) error {
-	root, err := filepath.Abs(root)
+	err := os.MkdirAll(root, 0700)
 	if err != nil {
 		return err
 	}
-	if err := os.MkdirAll(root, 0700); err != nil {
+	// We need to pass canonicalized path to mountinfo.PrefixFilter in CleanupTempMounts
-		return err
+	tempMountLocation, err = CanonicalizePath(root)
-	}
+	return err
-	tempMountLocation = root
-	return nil
 }
 
 // CleanupTempMounts all temp mounts and remove the directories
@@ -45,6 +42,7 @@ func CleanupTempMounts(flags int) (warnings []error, err error) {
 	if err != nil {
 		return nil, err
 	}
+
 	// Make the deepest mount be first
 	sort.Slice(mounts, func(i, j int) bool {
 		return len(mounts[i].Mountpoint) > len(mounts[j].Mountpoint)

pkg/cri/sbserver/helpers_linux.go

@@ -65,6 +65,11 @@ func openLogFile(path string) (*os.File, error) {
 // unmountRecursive unmounts the target and all mounts underneath, starting with
 // the deepest mount first.
 func unmountRecursive(ctx context.Context, target string) error {
+	target, err := mount.CanonicalizePath(target)
+	if err != nil {
+		return err
+	}
+
 	toUnmount, err := mountinfo.GetMounts(mountinfo.PrefixFilter(target))
 	if err != nil {
 		return err

pkg/cri/sbserver/podsandbox/helpers_linux.go

@@ -143,6 +143,11 @@ func (c *Controller) seccompEnabled() bool {
 // unmountRecursive unmounts the target and all mounts underneath, starting with
 // the deepest mount first.
 func unmountRecursive(ctx context.Context, target string) error {
+	target, err := mount.CanonicalizePath(target)
+	if err != nil {
+		return err
+	}
+
 	toUnmount, err := mountinfo.GetMounts(mountinfo.PrefixFilter(target))
 	if err != nil {
 		return err

pkg/cri/server/helpers_linux.go

@@ -164,6 +164,11 @@ func openLogFile(path string) (*os.File, error) {
 // unmountRecursive unmounts the target and all mounts underneath, starting with
 // the deepest mount first.
 func unmountRecursive(ctx context.Context, target string) error {
+	target, err := mount.CanonicalizePath(target)
+	if err != nil {
+		return err
+	}
+
 	toUnmount, err := mountinfo.GetMounts(mountinfo.PrefixFilter(target))
 	if err != nil {
 		return err