mirror of
https://github.com/containers/podman.git
synced 2025-12-12 01:38:04 +08:00
7c8c945496
Pull in updates made to the filters code for images. Filters now perform an AND operation except for th reference filter which does an OR operation for positive case but an AND operation for negative cases. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
419 lines
13 KiB
Go
419 lines
13 KiB
Go
package subscriptions
|
|
|
|
import (
|
|
"bufio"
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"github.com/containers/common/pkg/umask"
|
|
"github.com/containers/storage/pkg/idtools"
|
|
rspec "github.com/opencontainers/runtime-spec/specs-go"
|
|
"github.com/opencontainers/selinux/go-selinux/label"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
var (
|
|
// DefaultMountsFile holds the default mount paths in the form
|
|
// "host_path:container_path"
|
|
DefaultMountsFile = "/usr/share/containers/mounts.conf"
|
|
// OverrideMountsFile holds the default mount paths in the form
|
|
// "host_path:container_path" overridden by the user
|
|
OverrideMountsFile = "/etc/containers/mounts.conf"
|
|
// UserOverrideMountsFile holds the default mount paths in the form
|
|
// "host_path:container_path" overridden by the rootless user
|
|
UserOverrideMountsFile = filepath.Join(os.Getenv("HOME"), ".config/containers/mounts.conf")
|
|
)
|
|
|
|
// subscriptionData stores the relative name of the file and the content read from it
|
|
type subscriptionData struct {
|
|
// relPath is the relative path to the file
|
|
relPath string
|
|
data []byte
|
|
mode os.FileMode
|
|
dirMode os.FileMode
|
|
}
|
|
|
|
// saveTo saves subscription data to given directory
|
|
func (s subscriptionData) saveTo(dir string) error {
|
|
// We need to join the path here and create all parent directories, only
|
|
// creating dir is not good enough as relPath could also contain directories.
|
|
path := filepath.Join(dir, s.relPath)
|
|
if err := umask.MkdirAllIgnoreUmask(filepath.Dir(path), s.dirMode); err != nil {
|
|
return fmt.Errorf("create subscription directory: %w", err)
|
|
}
|
|
if err := umask.WriteFileIgnoreUmask(path, s.data, s.mode); err != nil {
|
|
return fmt.Errorf("write subscription data: %w", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func readAll(root, prefix string, parentMode os.FileMode) ([]subscriptionData, error) {
|
|
path := filepath.Join(root, prefix)
|
|
|
|
data := []subscriptionData{}
|
|
|
|
files, err := os.ReadDir(path)
|
|
if err != nil {
|
|
if errors.Is(err, os.ErrNotExist) {
|
|
return data, nil
|
|
}
|
|
|
|
return nil, err
|
|
}
|
|
|
|
for _, f := range files {
|
|
fileData, err := readFileOrDir(root, filepath.Join(prefix, f.Name()), parentMode)
|
|
if err != nil {
|
|
// If the file did not exist, might be a dangling symlink
|
|
// Ignore the error
|
|
if errors.Is(err, os.ErrNotExist) {
|
|
continue
|
|
}
|
|
return nil, err
|
|
}
|
|
data = append(data, fileData...)
|
|
}
|
|
|
|
return data, nil
|
|
}
|
|
|
|
func readFileOrDir(root, name string, parentMode os.FileMode) ([]subscriptionData, error) {
|
|
path := filepath.Join(root, name)
|
|
|
|
s, err := os.Stat(path)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if s.IsDir() {
|
|
dirData, err := readAll(root, name, s.Mode())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return dirData, nil
|
|
}
|
|
bytes, err := os.ReadFile(path)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return []subscriptionData{{
|
|
relPath: name,
|
|
data: bytes,
|
|
mode: s.Mode(),
|
|
dirMode: parentMode,
|
|
}}, nil
|
|
}
|
|
|
|
func getHostSubscriptionData(hostDir string, mode os.FileMode) ([]subscriptionData, error) {
|
|
var allSubscriptions []subscriptionData
|
|
hostSubscriptions, err := readAll(hostDir, "", mode)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read subscriptions from %q: %w", hostDir, err)
|
|
}
|
|
return append(allSubscriptions, hostSubscriptions...), nil
|
|
}
|
|
|
|
func getMounts(filePath string) []string {
|
|
file, err := os.Open(filePath)
|
|
if err != nil {
|
|
// This is expected on most systems
|
|
logrus.Debugf("File %q not found, skipping...", filePath)
|
|
return nil
|
|
}
|
|
defer file.Close()
|
|
scanner := bufio.NewScanner(file)
|
|
if err = scanner.Err(); err != nil {
|
|
logrus.Errorf("Reading file %q, %v skipping...", filePath, err)
|
|
return nil
|
|
}
|
|
var mounts []string
|
|
for scanner.Scan() {
|
|
if strings.HasPrefix(strings.TrimSpace(scanner.Text()), "/") {
|
|
mounts = append(mounts, scanner.Text())
|
|
} else {
|
|
logrus.Debugf("Skipping unrecognized mount in %v: %q",
|
|
filePath, scanner.Text())
|
|
}
|
|
}
|
|
return mounts
|
|
}
|
|
|
|
// getHostAndCtrDir separates the host:container paths
|
|
func getMountsMap(path string) (string, string, error) { //nolint
|
|
arr := strings.SplitN(path, ":", 2)
|
|
switch len(arr) {
|
|
case 1:
|
|
return arr[0], arr[0], nil
|
|
case 2:
|
|
return arr[0], arr[1], nil
|
|
}
|
|
return "", "", fmt.Errorf("unable to get host and container dir from path: %s", path)
|
|
}
|
|
|
|
// MountsWithUIDGID copies, adds, and mounts the subscriptions to the container root filesystem
|
|
// mountLabel: MAC/SELinux label for container content
|
|
// containerRunDir: Private data for storing subscriptions on the host mounted in container.
|
|
// mountFile: Additional mount points required for the container.
|
|
// mountPoint: Container image mountpoint, or the directory from the hosts perspective that
|
|
//
|
|
// corresponds to `/` in the container.
|
|
//
|
|
// uid: to assign to content created for subscriptions
|
|
// gid: to assign to content created for subscriptions
|
|
// rootless: indicates whether container is running in rootless mode
|
|
// disableFips: indicates whether system should ignore fips mode
|
|
func MountsWithUIDGID(mountLabel, containerRunDir, mountFile, mountPoint string, uid, gid int, rootless, disableFips bool) []rspec.Mount {
|
|
var (
|
|
subscriptionMounts []rspec.Mount
|
|
mountFiles []string
|
|
)
|
|
// Add subscriptions from paths given in the mounts.conf files
|
|
// mountFile will have a value if the hidden --default-mounts-file flag is set
|
|
// Note for testing purposes only
|
|
if mountFile == "" {
|
|
mountFiles = append(mountFiles, []string{OverrideMountsFile, DefaultMountsFile}...)
|
|
if rootless {
|
|
mountFiles = append([]string{UserOverrideMountsFile}, mountFiles...)
|
|
}
|
|
} else {
|
|
mountFiles = append(mountFiles, mountFile)
|
|
}
|
|
for _, file := range mountFiles {
|
|
if _, err := os.Stat(file); err == nil {
|
|
mounts, err := addSubscriptionsFromMountsFile(file, mountLabel, containerRunDir, uid, gid)
|
|
if err != nil {
|
|
logrus.Warnf("Failed to mount subscriptions, skipping entry in %s: %v", file, err)
|
|
}
|
|
subscriptionMounts = mounts
|
|
break
|
|
}
|
|
}
|
|
|
|
// Only add FIPS subscription mount if disableFips=false
|
|
if disableFips {
|
|
return subscriptionMounts
|
|
}
|
|
// Add FIPS mode subscription if /etc/system-fips exists on the host
|
|
_, err := os.Stat("/etc/system-fips")
|
|
switch {
|
|
case err == nil:
|
|
if err := addFIPSModeSubscription(&subscriptionMounts, containerRunDir, mountPoint, mountLabel, uid, gid); err != nil {
|
|
logrus.Errorf("Adding FIPS mode subscription to container: %v", err)
|
|
}
|
|
case errors.Is(err, os.ErrNotExist):
|
|
logrus.Debug("/etc/system-fips does not exist on host, not mounting FIPS mode subscription")
|
|
default:
|
|
logrus.Errorf("stat /etc/system-fips failed for FIPS mode subscription: %v", err)
|
|
}
|
|
return subscriptionMounts
|
|
}
|
|
|
|
func rchown(chowndir string, uid, gid int) error {
|
|
return filepath.Walk(chowndir, func(filePath string, f os.FileInfo, err error) error {
|
|
return os.Lchown(filePath, uid, gid)
|
|
})
|
|
}
|
|
|
|
// addSubscriptionsFromMountsFile copies the contents of host directory to container directory
|
|
// and returns a list of mounts
|
|
func addSubscriptionsFromMountsFile(filePath, mountLabel, containerRunDir string, uid, gid int) ([]rspec.Mount, error) {
|
|
defaultMountsPaths := getMounts(filePath)
|
|
mounts := make([]rspec.Mount, 0, len(defaultMountsPaths))
|
|
for _, path := range defaultMountsPaths {
|
|
hostDirOrFile, ctrDirOrFile, err := getMountsMap(path)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
// skip if the hostDirOrFile path doesn't exist
|
|
fileInfo, err := os.Stat(hostDirOrFile)
|
|
if err != nil {
|
|
if errors.Is(err, os.ErrNotExist) {
|
|
logrus.Infof("Path %q from %q doesn't exist, skipping", hostDirOrFile, filePath)
|
|
continue
|
|
}
|
|
return nil, err
|
|
}
|
|
|
|
ctrDirOrFileOnHost := filepath.Join(containerRunDir, ctrDirOrFile)
|
|
|
|
// In the event of a restart, don't want to copy subscriptions over again as they already would exist in ctrDirOrFileOnHost
|
|
_, err = os.Stat(ctrDirOrFileOnHost)
|
|
if errors.Is(err, os.ErrNotExist) {
|
|
hostDirOrFile, err = resolveSymbolicLink(hostDirOrFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
switch mode := fileInfo.Mode(); {
|
|
case mode.IsDir():
|
|
if err = umask.MkdirAllIgnoreUmask(ctrDirOrFileOnHost, mode.Perm()); err != nil {
|
|
return nil, fmt.Errorf("making container directory: %w", err)
|
|
}
|
|
data, err := getHostSubscriptionData(hostDirOrFile, mode.Perm())
|
|
if err != nil {
|
|
return nil, fmt.Errorf("getting host subscription data: %w", err)
|
|
}
|
|
for _, s := range data {
|
|
if err := s.saveTo(ctrDirOrFileOnHost); err != nil {
|
|
return nil, fmt.Errorf("saving data to container filesystem on host %q: %w", ctrDirOrFileOnHost, err)
|
|
}
|
|
}
|
|
case mode.IsRegular():
|
|
data, err := readFileOrDir("", hostDirOrFile, mode.Perm())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
for _, s := range data {
|
|
dir := filepath.Dir(ctrDirOrFileOnHost)
|
|
if err := umask.MkdirAllIgnoreUmask(dir, s.dirMode); err != nil {
|
|
return nil, fmt.Errorf("create container dir: %w", err)
|
|
}
|
|
if err := umask.WriteFileIgnoreUmask(ctrDirOrFileOnHost, s.data, s.mode); err != nil {
|
|
return nil, fmt.Errorf("saving data to container filesystem: %w", err)
|
|
}
|
|
}
|
|
default:
|
|
return nil, fmt.Errorf("unsupported file type for: %q", hostDirOrFile)
|
|
}
|
|
|
|
err = label.Relabel(ctrDirOrFileOnHost, mountLabel, false)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("applying correct labels: %w", err)
|
|
}
|
|
if uid != 0 || gid != 0 {
|
|
if err := rchown(ctrDirOrFileOnHost, uid, gid); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
} else if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
m := rspec.Mount{
|
|
Source: ctrDirOrFileOnHost,
|
|
Destination: ctrDirOrFile,
|
|
Type: "bind",
|
|
Options: []string{"bind", "rprivate"},
|
|
}
|
|
|
|
mounts = append(mounts, m)
|
|
}
|
|
return mounts, nil
|
|
}
|
|
|
|
// addFIPSModeSubscription adds mounts to the `mounts` slice that are needed for the container to run openssl in FIPs mode
|
|
// (i.e: be FIPs compliant).
|
|
// It should only be called if /etc/system-fips exists on host.
|
|
// It primarily does two things:
|
|
// - creates /run/secrets/system-fips in the container root filesystem, and adds it to the `mounts` slice.
|
|
// - If `/etc/crypto-policies/back-ends` already exists inside of the container, it creates
|
|
// `/usr/share/crypto-policies/back-ends/FIPS` inside the container as well.
|
|
// It is done from within the container to ensure to avoid policy incompatibility between the container and host.
|
|
func addFIPSModeSubscription(mounts *[]rspec.Mount, containerRunDir, mountPoint, mountLabel string, uid, gid int) error {
|
|
subscriptionsDir := "/run/secrets"
|
|
ctrDirOnHost := filepath.Join(containerRunDir, subscriptionsDir)
|
|
if _, err := os.Stat(ctrDirOnHost); errors.Is(err, os.ErrNotExist) {
|
|
if err = idtools.MkdirAllAs(ctrDirOnHost, 0o755, uid, gid); err != nil { //nolint
|
|
return err
|
|
}
|
|
if err = label.Relabel(ctrDirOnHost, mountLabel, false); err != nil {
|
|
return fmt.Errorf("applying correct labels on %q: %w", ctrDirOnHost, err)
|
|
}
|
|
}
|
|
fipsFile := filepath.Join(ctrDirOnHost, "system-fips")
|
|
// In the event of restart, it is possible for the FIPS mode file to already exist
|
|
if _, err := os.Stat(fipsFile); errors.Is(err, os.ErrNotExist) {
|
|
file, err := os.Create(fipsFile)
|
|
if err != nil {
|
|
return fmt.Errorf("creating system-fips file in container for FIPS mode: %w", err)
|
|
}
|
|
file.Close()
|
|
}
|
|
|
|
if !mountExists(*mounts, subscriptionsDir) {
|
|
m := rspec.Mount{
|
|
Source: ctrDirOnHost,
|
|
Destination: subscriptionsDir,
|
|
Type: "bind",
|
|
Options: []string{"bind", "rprivate"},
|
|
}
|
|
*mounts = append(*mounts, m)
|
|
}
|
|
|
|
srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS"
|
|
destDir := "/etc/crypto-policies/back-ends"
|
|
srcOnHost := filepath.Join(mountPoint, srcBackendDir)
|
|
if _, err := os.Stat(srcOnHost); err != nil {
|
|
if errors.Is(err, os.ErrNotExist) {
|
|
return nil
|
|
}
|
|
return fmt.Errorf("FIPS Backend directory: %w", err)
|
|
}
|
|
|
|
if !mountExists(*mounts, destDir) {
|
|
m := rspec.Mount{
|
|
Source: srcOnHost,
|
|
Destination: destDir,
|
|
Type: "bind",
|
|
Options: []string{"bind", "rprivate"},
|
|
}
|
|
*mounts = append(*mounts, m)
|
|
}
|
|
|
|
// Make sure we set the config to FIPS so that the container does not overwrite
|
|
// /etc/crypto-policies/back-ends when crypto-policies-scripts is reinstalled.
|
|
cryptoPoliciesConfigFile := filepath.Join(containerRunDir, "fips-config")
|
|
file, err := os.Create(cryptoPoliciesConfigFile)
|
|
if err != nil {
|
|
return fmt.Errorf("creating fips config file in container for FIPS mode: %w", err)
|
|
}
|
|
defer file.Close()
|
|
if _, err := file.WriteString("FIPS\n"); err != nil {
|
|
return fmt.Errorf("writing fips config file in container for FIPS mode: %w", err)
|
|
}
|
|
if err = label.Relabel(cryptoPoliciesConfigFile, mountLabel, false); err != nil {
|
|
return fmt.Errorf("applying correct labels on fips-config file: %w", err)
|
|
}
|
|
if err := file.Chown(uid, gid); err != nil {
|
|
return fmt.Errorf("chown fips-config file: %w", err)
|
|
}
|
|
|
|
policyConfig := "/etc/crypto-policies/config"
|
|
if !mountExists(*mounts, policyConfig) {
|
|
m := rspec.Mount{
|
|
Source: cryptoPoliciesConfigFile,
|
|
Destination: policyConfig,
|
|
Type: "bind",
|
|
Options: []string{"bind", "rprivate"},
|
|
}
|
|
*mounts = append(*mounts, m)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// mountExists checks if a mount already exists in the spec
|
|
func mountExists(mounts []rspec.Mount, dest string) bool {
|
|
for _, mount := range mounts {
|
|
if mount.Destination == dest {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// resolveSymbolicLink resolves symlink paths. If the path is a symlink, returns resolved
|
|
// path; if not, returns the original path.
|
|
func resolveSymbolicLink(path string) (string, error) {
|
|
info, err := os.Lstat(path)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if info.Mode()&os.ModeSymlink != os.ModeSymlink {
|
|
return path, nil
|
|
}
|
|
return filepath.EvalSymlinks(path)
|
|
}
|