Merge pull request #10185 from rhatdan/volume

Add filepath glob support to --security-opt unmask
2026-03-13 08:01:19 +08:00 · 2021-05-05 15:38:11 -04:00
parent 0bd5da5b7f 4fd1965ab4
commit 404bc2684e
7 changed files with 82 additions and 30 deletions
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -10,7 +10,6 @@ import (

 	"github.com/containers/podman/v3/libpod/define"
 	"github.com/containers/podman/v3/pkg/rootless"
-	"github.com/containers/podman/v3/pkg/util"
 	spec "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/opencontainers/runtime-tools/generate"
 	"github.com/pkg/errors"
@@ -151,30 +150,23 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, mask, unmask
 		"/sys/dev/block",
 	}

-	unmaskAll := false
-	if unmask != nil && unmask[0] == "ALL" {
-		unmaskAll = true
-	}
-
 	if !privileged {
-		if !unmaskAll {
-			for _, mp := range defaultMaskPaths {
-				// check that the path to mask is not in the list of paths to unmask
-				if !util.StringInSlice(mp, unmask) {
-					g.AddLinuxMaskedPaths(mp)
-				}
+		for _, mp := range defaultMaskPaths {
+			// check that the path to mask is not in the list of paths to unmask
+			if shouldMask(mp, unmask) {
+				g.AddLinuxMaskedPaths(mp)
 			}
-			for _, rp := range []string{
-				"/proc/asound",
-				"/proc/bus",
-				"/proc/fs",
-				"/proc/irq",
-				"/proc/sys",
-				"/proc/sysrq-trigger",
-			} {
-				if !util.StringInSlice(rp, unmask) {
-					g.AddLinuxReadonlyPaths(rp)
-				}
+		}
+		for _, rp := range []string{
+			"/proc/asound",
+			"/proc/bus",
+			"/proc/fs",
+			"/proc/irq",
+			"/proc/sys",
+			"/proc/sysrq-trigger",
+		} {
+			if shouldMask(rp, unmask) {
+				g.AddLinuxReadonlyPaths(rp)
 			}
 		}

@@ -376,3 +368,21 @@ func supportAmbientCapabilities() bool {
 	err := unix.Prctl(unix.PR_CAP_AMBIENT, unix.PR_CAP_AMBIENT_IS_SET, 0, 0, 0)
 	return err == nil
 }
+
+func shouldMask(mask string, unmask []string) bool {
+	for _, m := range unmask {
+		if strings.ToLower(m) == "all" {
+			return false
+		}
+		for _, m1 := range strings.Split(m, ":") {
+			match, err := filepath.Match(m1, mask)
+			if err != nil {
+				logrus.Errorf(err.Error())
+			}
+			if match {
+				return false
+			}
+		}
+	}
+	return true
+}
--- a/pkg/specgen/generate/config_linux_test.go
+++ b/pkg/specgen/generate/config_linux_test.go
@@ -0,0 +1,28 @@
+package generate
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestShouldMask(t *testing.T) {
+	tests := []struct {
+		mask       string
+		unmask     []string
+		shouldMask bool
+	}{
+		{"/proc/foo", []string{"all"}, false},
+		{"/proc/foo", []string{"ALL"}, false},
+		{"/proc/foo", []string{"/proc/foo"}, false},
+		{"/proc/foo", []string{"/proc/*"}, false},
+		{"/proc/foo", []string{"/proc/bar", "all"}, false},
+		{"/proc/foo", []string{"/proc/f*"}, false},
+		{"/proc/foo", []string{"/proc/b*"}, true},
+		{"/proc/foo", []string{}, true},
+	}
+	for _, test := range tests {
+		val := shouldMask(test.mask, test.unmask)
+		assert.Equal(t, val, test.shouldMask)
+	}
+}