Merge pull request #18331 from TomSweeneyRedHat/dev/tsweeney/hooked

Add file switch for pre-exec hooks
2025-08-06 19:44:14 +08:00 · 2023-05-11 19:34:30 -04:00
parent 20b15f07ed c8e423b55e
commit 189b09d82e
2 changed files with 37 additions and 1 deletions
--- a/pkg/rootless/rootless_linux.c
+++ b/pkg/rootless/rootless_linux.c
@ -254,6 +254,13 @@ do_preexec_hooks_dir (const char *dir, char **argv, int argc)
 static void
 do_preexec_hooks (char **argv, int argc)
 {
+  // Access the preexec_hooks_dir indicator file
+  // return without processing if the file doesn't exist
+  char preexec_hooks_path[] = "/etc/containers/podman_preexec_hooks.txt";
+  if (access(preexec_hooks_path, F_OK) != 0) {
+    return;
+  }
+
  char *preexec_hooks = getenv ("PODMAN_PREEXEC_HOOKS_DIR");
  do_preexec_hooks_dir (LIBEXECPODMAN "/pre-exec-hooks", argv, argc);
  do_preexec_hooks_dir (ETC_PREEXEC_HOOKS, argv, argc);
--- a/test/system/950-preexec-hooks.bats
+++ b/test/system/950-preexec-hooks.bats
@ -6,15 +6,39 @@
 load helpers
 load helpers.network

+# The existence of this file allows preexec hooks to run.
+preexec_hook_ok_file=/etc/containers/podman_preexec_hooks.txt
+
 function setup() {
    basic_setup
 }

 function teardown() {
+    if [[ -n "$preexec_hook_ok_file" ]]; then
+        sudo -n rm -f $preexec_hook_ok_file || true
+    fi
+
    basic_teardown
 }

@test "podman preexec hook" {
+    # This file does not exist on any CI system nor any developer system
+    # nor actually anywhere in the universe except a small small set of
+    # places with very specific requirements. If we find this file on
+    # our test system, it could be a leftover from prior testing, or
+    # basically just something very weird. So, fail loudly if we see it.
+    # No podman developer ever wants this file to exist.
+    if [[ -e $preexec_hook_ok_file ]]; then
+        # Unset the variable, so we don't delete it in teardown
+        msg="File already exists (it should not): $preexec_hook_ok_file"
+        preexec_hook_ok_file=
+
+        die "$msg"
+    fi
+
+    # Good. File does not exist. Now see if we can TEMPORARILY create it.
+    sudo -n touch $preexec_hook_ok_file || skip "test requires sudo"
+
    preexec_hook_dir=$PODMAN_TMPDIR/auth
    mkdir -p $preexec_hook_dir
    preexec_hook_script=$preexec_hook_dir/pull_check.sh
@ -29,5 +53,10 @@ EOF
    chmod +x $preexec_hook_script

    PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 42 pull foobar
-    PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 43 pull barfoo
+    PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 43 version
+
+    sudo -n rm -f $preexec_hook_ok_file || true
+
+    # no hooks-ok file, everything should now work again (HOOKS_DIR is ignored)
+    PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman version
 }