Merge pull request #18542 from mheon/remove_image_annotations

Do not include image annotations when building spec
2025-05-17 23:26:08 +08:00 · 2023-05-13 06:04:35 -04:00
parent 2783651005 2c0f404826
commit d989c63751
3 changed files with 31 additions and 7 deletions
--- a/pkg/specgen/generate/container.go
+++ b/pkg/specgen/generate/container.go
@ -166,7 +166,6 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 	s.Env = envLib.Join(defaultEnvs, s.Env)

 	// Labels and Annotations
-	annotations := make(map[string]string)
 	if newImage != nil {
 		labels, err := newImage.Labels(ctx)
 		if err != nil {
@ -183,12 +182,8 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 			}
 		}

-		// Add annotations from the image
-		for k, v := range inspectData.Annotations {
-			if !define.IsReservedAnnotation(k) {
-				annotations[k] = v
-			}
-		}
+		// Do NOT include image annotations - these can have security
+		// implications, we don't want untrusted images setting them.
 	}

 	// in the event this container is in a pod, and the pod has an infra container
@ -199,6 +194,7 @@ func CompleteSpec(ctx context.Context, r *libpod.Runtime, s *specgen.SpecGenerat
 	//   VM, which is the default behavior
 	// - "container" denotes the container should join the VM of the SandboxID
 	//   (the infra container)
+	annotations := make(map[string]string)
 	if len(s.Pod) > 0 {
 		p, err := r.LookupPod(s.Pod)
 		if err != nil {
--- a/test/e2e/build/basicalpine/Containerfile.with_label
+++ b/test/e2e/build/basicalpine/Containerfile.with_label
@ -0,0 +1,2 @@
+FROM quay.io/libpod/alpine:latest
+LABEL testlabel=testvalue
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@ -2099,4 +2099,30 @@ WORKDIR /madethis`, BB)
 		Expect(t).To(BeTrue(), "found /run/lock")
 		Expect(strings[0]).Should(ContainSubstring("size=10240k"))
 	})
+
+	It("podman run does not preserve image annotations", func() {
+		annoName := "test.annotation.present"
+		annoValue := "annovalue"
+		imgName := "basicalpine"
+		build := podmanTest.Podman([]string{"build", "-f", "build/basicalpine/Containerfile.with_label", "--annotation", fmt.Sprintf("%s=%s", annoName, annoValue), "-t", imgName})
+		build.WaitWithDefaultTimeout()
+		Expect(build).Should(Exit(0))
+		Expect(build.ErrorToString()).To(BeEmpty(), "build error logged")
+
+		ctrName := "ctr1"
+		run := podmanTest.Podman([]string{"run", "-d", "--name", ctrName, imgName, "top"})
+		run.WaitWithDefaultTimeout()
+		Expect(run).Should(Exit(0))
+		Expect(run.ErrorToString()).To(BeEmpty(), "run error logged")
+
+		inspect := podmanTest.Podman([]string{"inspect", ctrName})
+		inspect.WaitWithDefaultTimeout()
+		Expect(inspect).Should(Exit(0))
+		Expect(inspect.ErrorToString()).To(BeEmpty(), "inspect error logged")
+
+		inspectData := inspect.InspectContainerToJSON()
+		Expect(inspectData).To(HaveLen(1))
+		Expect(inspectData[0].Config.Annotations).To(Not(HaveKey(annoName)))
+		Expect(inspectData[0].Config.Annotations).To(Not(HaveKey("testlabel")))
+	})
 })