Verify seccomp absolute path in dockershim

2017-11-22 02:49:52 +00:00
parent 2a2a875686
commit 7e21146096
2 changed files with 24 additions and 11 deletions
--- a/pkg/kubelet/dockershim/helpers_linux.go
+++ b/pkg/kubelet/dockershim/helpers_linux.go
@@ -62,7 +62,11 @@ func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
 		return nil, fmt.Errorf("unknown seccomp profile option: %s", seccompProfile)
 	}

-	fname := strings.TrimPrefix(seccompProfile, "localhost/") // by pod annotation validation, name is a valid subpath
+	// get the full path of seccomp profile when prefixed with 'localhost/'.
+	fname := strings.TrimPrefix(seccompProfile, "localhost/")
+	if !filepath.IsAbs(fname) {
+		return nil, fmt.Errorf("seccomp profile path must be absolute, but got relative path %q", fname)
+	}
 	file, err := ioutil.ReadFile(filepath.FromSlash(fname))
 	if err != nil {
 		return nil, fmt.Errorf("cannot load seccomp profile %q: %v", fname, err)
--- a/pkg/kubelet/dockershim/helpers_linux_test.go
+++ b/pkg/kubelet/dockershim/helpers_linux_test.go
@@ -20,9 +20,13 @@ package dockershim

 import (
 	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestGetSeccompSecurityOpts(t *testing.T) {
@@ -55,26 +59,31 @@ func TestGetSeccompSecurityOpts(t *testing.T) {
 }

 func TestLoadSeccompLocalhostProfiles(t *testing.T) {
+	tmpdir, err := ioutil.TempDir("", "seccomp-local-profile-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpdir)
+	testProfile := `{"foo": "bar"}`
+	err = ioutil.WriteFile(filepath.Join(tmpdir, "test"), []byte(testProfile), 0644)
+	require.NoError(t, err)
+
 	tests := []struct {
 		msg            string
 		seccompProfile string
 		expectedOpts   []string
 		expectErr      bool
 	}{{
-		msg: "Seccomp localhost/test profile",
-		// We are abusing localhost for loading test seccomp profiles.
-		// The profile should be an absolute path while we are using a relative one.
-		seccompProfile: "localhost/fixtures/seccomp/test",
+		msg:            "Seccomp localhost/test profile should return correct seccomp profiles",
+		seccompProfile: "localhost/" + filepath.Join(tmpdir, "test"),
 		expectedOpts:   []string{`seccomp={"foo":"bar"}`},
 		expectErr:      false,
 	}, {
-		msg:            "Seccomp localhost/sub/subtest profile",
-		seccompProfile: "localhost/fixtures/seccomp/sub/subtest",
-		expectedOpts:   []string{`seccomp={"abc":"def"}`},
-		expectErr:      false,
+		msg:            "Non-existent profile should return error",
+		seccompProfile: "localhost/" + filepath.Join(tmpdir, "fixtures/non-existent"),
+		expectedOpts:   nil,
+		expectErr:      true,
 	}, {
-		msg:            "Seccomp non-existent",
-		seccompProfile: "localhost/fixtures/seccomp/non-existent",
+		msg:            "Relative profile path should return error",
+		seccompProfile: "localhost/fixtures/test",
 		expectedOpts:   nil,
 		expectErr:      true,
 	}}