make image listing more resilient

Handle more TOCTOUs operating on listed images. Also pull in containers/common/pull/1520 and containers/common/pull/1522 which do the same on the internal layer tree. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2216700 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
2025-09-29 01:35:06 +08:00 · 2023-06-23 13:43:36 +02:00
parent 1bca2d6a1e
commit db37d66cd1
11 changed files with 202 additions and 67 deletions
--- a/vendor/github.com/containers/common/pkg/hooks/exec/exec.go
+++ b/vendor/github.com/containers/common/pkg/hooks/exec/exec.go
@ -16,16 +16,50 @@ import (
 // DefaultPostKillTimeout is the recommended default post-kill timeout.
 const DefaultPostKillTimeout = time.Duration(10) * time.Second

+type RunOptions struct {
+	// The hook to run
+	Hook *rspec.Hook
+	// The workdir to change when invoking the hook
+	Dir string
+	// The container state data to pass into the hook process
+	State []byte
+	// Stdout from the hook process
+	Stdout io.Writer
+	// Stderr from the hook process
+	Stderr io.Writer
+	// Timeout for waiting process killed
+	PostKillTimeout time.Duration
+}
+
 // Run executes the hook and waits for it to complete or for the
 // context or hook-specified timeout to expire.
+//
+// Deprecated: Too many arguments, has been refactored and replaced by RunWithOptions instead
 func Run(ctx context.Context, hook *rspec.Hook, state []byte, stdout io.Writer, stderr io.Writer, postKillTimeout time.Duration) (hookErr, err error) {
+	return RunWithOptions(
+		ctx,
+		RunOptions{
+			Hook:            hook,
+			State:           state,
+			Stdout:          stdout,
+			Stderr:          stderr,
+			PostKillTimeout: postKillTimeout,
+		},
+	)
+}
+
+// RunWithOptions executes the hook and waits for it to complete or for the
+// context or hook-specified timeout to expire.
+func RunWithOptions(ctx context.Context, options RunOptions) (hookErr, err error) {
+	hook := options.Hook
 	cmd := osexec.Cmd{
 		Path:   hook.Path,
 		Args:   hook.Args,
 		Env:    hook.Env,
-		Stdin:  bytes.NewReader(state),
-		Stdout: stdout,
-		Stderr: stderr,
+		Dir:    options.Dir,
+		Stdin:  bytes.NewReader(options.State),
+		Stdout: options.Stdout,
+		Stderr: options.Stderr,
 	}
 	if cmd.Env == nil {
 		cmd.Env = []string{}
@ -57,11 +91,11 @@ func Run(ctx context.Context, hook *rspec.Hook, state []byte, stdout io.Writer,
 		if err := cmd.Process.Kill(); err != nil {
 			logrus.Errorf("Failed to kill pid %v", cmd.Process)
 		}
-		timer := time.NewTimer(postKillTimeout)
+		timer := time.NewTimer(options.PostKillTimeout)
 		defer timer.Stop()
 		select {
 		case <-timer.C:
-			err = fmt.Errorf("failed to reap process within %s of the kill signal", postKillTimeout)
+			err = fmt.Errorf("failed to reap process within %s of the kill signal", options.PostKillTimeout)
 		case err = <-exit:
 		}
 		return err, ctx.Err()
--- a/vendor/github.com/containers/common/pkg/hooks/exec/runtimeconfigfilter.go
+++ b/vendor/github.com/containers/common/pkg/hooks/exec/runtimeconfigfilter.go
@ -21,19 +21,44 @@ var spewConfig = spew.ConfigState{
 	SortKeys:                true,
 }

+type RuntimeConfigFilterOptions struct {
+	// The hooks to run
+	Hooks []spec.Hook
+	// The workdir to change when invoking the hook
+	Dir string
+	// The container config spec to pass into the hook processes and potentially get modified by them
+	Config *spec.Spec
+	// Timeout for waiting process killed
+	PostKillTimeout time.Duration
+}
+
 // RuntimeConfigFilter calls a series of hooks.  But instead of
 // passing container state on their standard input,
 // RuntimeConfigFilter passes the proposed runtime configuration (and
 // reads back a possibly-altered form from their standard output).
+//
+// Deprecated: Too many arguments, has been refactored and replaced by RuntimeConfigFilterWithOptions instead
 func RuntimeConfigFilter(ctx context.Context, hooks []spec.Hook, config *spec.Spec, postKillTimeout time.Duration) (hookErr, err error) {
-	data, err := json.Marshal(config)
+	return RuntimeConfigFilterWithOptions(ctx, RuntimeConfigFilterOptions{
+		Hooks:           hooks,
+		Config:          config,
+		PostKillTimeout: postKillTimeout,
+	})
+}
+
+// RuntimeConfigFilterWithOptions calls a series of hooks.  But instead of
+// passing container state on their standard input,
+// RuntimeConfigFilterWithOptions passes the proposed runtime configuration (and
+// reads back a possibly-altered form from their standard output).
+func RuntimeConfigFilterWithOptions(ctx context.Context, options RuntimeConfigFilterOptions) (hookErr, err error) {
+	data, err := json.Marshal(options.Config)
 	if err != nil {
 		return nil, err
 	}
-	for i, hook := range hooks {
+	for i, hook := range options.Hooks {
 		hook := hook
 		var stdout bytes.Buffer
-		hookErr, err = Run(ctx, &hook, data, &stdout, nil, postKillTimeout)
+		hookErr, err = RunWithOptions(ctx, RunOptions{Hook: &hook, Dir: options.Dir, State: data, Stdout: &stdout, PostKillTimeout: options.PostKillTimeout})
 		if err != nil {
 			return hookErr, err
 		}
@ -46,8 +71,8 @@ func RuntimeConfigFilter(ctx context.Context, hooks []spec.Hook, config *spec.Sp
 			return nil, fmt.Errorf("unmarshal output from config-filter hook %d: %w", i, err)
 		}

-		if !reflect.DeepEqual(config, &newConfig) {
-			oldConfig := spewConfig.Sdump(config)
+		if !reflect.DeepEqual(options.Config, &newConfig) {
+			oldConfig := spewConfig.Sdump(options.Config)
 			newConfig := spewConfig.Sdump(&newConfig)
 			diff, err := difflib.GetUnifiedDiffString(difflib.UnifiedDiff{
 				A:        difflib.SplitLines(oldConfig),
@ -65,7 +90,7 @@ func RuntimeConfigFilter(ctx context.Context, hooks []spec.Hook, config *spec.Sp
 			}
 		}

-		*config = newConfig
+		*options.Config = newConfig
 	}

 	return nil, nil