From a581d2a041bb028a6b6c02d6cc8dcbbc3fbd532e Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Sat, 14 Jan 2023 17:36:21 +0100
Subject: [PATCH] rootless: rename auth-scripts to preexec-hooks

to not give a false sense of security since these are not a security
mechanism but a hook to run arbitrary code before executing a
command.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
 pkg/rootless/rootless_linux.c      | 24 +++++++++++-----------
 test/system/950-auth-scripts.bats  | 33 ------------------------------
 test/system/950-preexec-hooks.bats | 33 ++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 45 deletions(-)
 delete mode 100644 test/system/950-auth-scripts.bats
 create mode 100644 test/system/950-preexec-hooks.bats

diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c
index d6f09ded1f..7e8b3f78a6 100644
--- a/pkg/rootless/rootless_linux.c
+++ b/pkg/rootless/rootless_linux.c
@@ -20,7 +20,7 @@
 #include <sys/select.h>
 #include <stdio.h>
 
-#define ETC_AUTH_SCRIPTS "/etc/containers/auth-scripts"
+#define ETC_PREEXEC_HOOKS "/etc/containers/pre-exec-hooks"
 #define LIBEXECPODMAN "/usr/libexec/podman"
 
 #ifndef TEMP_FAILURE_RETRY
@@ -164,23 +164,23 @@ exec_binary (const char *path, char **argv, int argc)
     }
   if (WIFEXITED(status) && WEXITSTATUS (status))
     {
-      fprintf (stderr, "external auth script %s failed\n", path);
+      fprintf (stderr, "external preexec hook %s failed\n", path);
       exit (WEXITSTATUS(status));
     }
   if (WIFSIGNALED (status))
     {
-      fprintf (stderr, "external auth script %s failed\n", path);
+      fprintf (stderr, "external preexec hook %s failed\n", path);
       exit (127+WTERMSIG (status));
     }
   if (WIFSTOPPED (status))
     {
-      fprintf (stderr, "external auth script %s failed\n", path);
+      fprintf (stderr, "external preexec hook %s failed\n", path);
       exit (EXIT_FAILURE);
     }
 }
 
 static void
-do_auth_scripts_dir (const char *dir, char **argv, int argc)
+do_preexec_hooks_dir (const char *dir, char **argv, int argc)
 {
   cleanup_free char *buffer = NULL;
   cleanup_dir DIR *d = NULL;
@@ -261,13 +261,13 @@ do_auth_scripts_dir (const char *dir, char **argv, int argc)
 }
 
 static void
-do_auth_scripts (char **argv, int argc)
+do_preexec_hooks (char **argv, int argc)
 {
-  char *auth_scripts = getenv ("PODMAN_AUTH_SCRIPTS_DIR");
-  do_auth_scripts_dir (LIBEXECPODMAN "/auth-scripts", argv, argc);
-  do_auth_scripts_dir (ETC_AUTH_SCRIPTS, argv, argc);
-  if (auth_scripts && auth_scripts[0])
-    do_auth_scripts_dir (auth_scripts, argv, argc);
+  char *preexec_hooks = getenv ("PODMAN_PREEXEC_HOOKS_DIR");
+  do_preexec_hooks_dir (LIBEXECPODMAN "/pre-exec-hooks", argv, argc);
+  do_preexec_hooks_dir (ETC_PREEXEC_HOOKS, argv, argc);
+  if (preexec_hooks && preexec_hooks[0])
+    do_preexec_hooks_dir (preexec_hooks, argv, argc);
 }
 
 static void
@@ -498,7 +498,7 @@ static void __attribute__((constructor)) init()
     }
 
   if (geteuid () != 0 || getenv ("_CONTAINERS_USERNS_CONFIGURED") == NULL)
-    do_auth_scripts(argv, argc);
+    do_preexec_hooks(argv, argc);
 
   listen_pid = getenv("LISTEN_PID");
   listen_fds = getenv("LISTEN_FDS");
diff --git a/test/system/950-auth-scripts.bats b/test/system/950-auth-scripts.bats
deleted file mode 100644
index 17ce717998..0000000000
--- a/test/system/950-auth-scripts.bats
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env bats
-#
-# Tests for podman auth scripts
-#
-
-load helpers
-load helpers.network
-
-function setup() {
-    basic_setup
-}
-
-function teardown() {
-    basic_teardown
-}
-
-@test "podman auth script" {
-    auth_dir=$PODMAN_TMPDIR/auth
-    mkdir -p $auth_dir
-    auth_script=$auth_dir/pull_check.sh
-
-    cat > $auth_script <<EOF
-#!/bin/sh
-if echo \$@ | grep "pull foobar"; then
-    exit 42
-fi
-exit 43
-EOF
-    chmod +x $auth_script
-
-    PODMAN_AUTH_SCRIPTS_DIR=$auth_dir run_podman 42 pull foobar
-    PODMAN_AUTH_SCRIPTS_DIR=$auth_dir run_podman 43 pull barfoo
-}
diff --git a/test/system/950-preexec-hooks.bats b/test/system/950-preexec-hooks.bats
new file mode 100644
index 0000000000..9c2f75b596
--- /dev/null
+++ b/test/system/950-preexec-hooks.bats
@@ -0,0 +1,33 @@
+#!/usr/bin/env bats
+#
+# Tests for podman preexec hooks
+#
+
+load helpers
+load helpers.network
+
+function setup() {
+    basic_setup
+}
+
+function teardown() {
+    basic_teardown
+}
+
+@test "podman preexec hook" {
+    preexec_hook_dir=$PODMAN_TMPDIR/auth
+    mkdir -p $preexec_hook_dir
+    preexec_hook_script=$preexec_hook_dir/pull_check.sh
+
+    cat > $preexec_hook_script <<EOF
+#!/bin/sh
+if echo \$@ | grep "pull foobar"; then
+    exit 42
+fi
+exit 43
+EOF
+    chmod +x $preexec_hook_script
+
+    PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 42 pull foobar
+    PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 43 pull barfoo
+}