mirror of
https://github.com/containers/podman.git
synced 2025-11-29 09:37:38 +08:00
5283f956a5
When certain directories, like /tmp, get mounted over, FCOS/Linux can act in unexpected ways. Added a sanity check for a list of directories think might be impacted by this. Also, moved the volume parsing earlier in the init process so we can catch problems before the expensive decompression of machine images. The following destinations are forbidden for volumes: `/bin`, `/boot`, `/dev`, `/etc`, `/home`, `/proc`, `/root`, `/run`, `/sbin`, `/sys`, `/tmp`, `/usr`, and `/var`. Subdirectories Fixes: #18230 Signed-off-by: Brent Baude <bbaude@redhat.com>
62 lines
1.1 KiB
Go
62 lines
1.1 KiB
Go
package shim
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func Test_validateDestinationPaths(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
dest string
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "Expect fail - /tmp",
|
|
dest: "/tmp",
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "Expect fail trailing /",
|
|
dest: "/tmp/",
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "Expect fail double /",
|
|
dest: "//tmp",
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "/var should fail",
|
|
dest: "/var",
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "/etc should fail",
|
|
dest: "/etc",
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "/tmp subdir OK",
|
|
dest: "/tmp/foobar",
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "/foobar OK",
|
|
dest: "/foobar",
|
|
wantErr: false,
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
err := validateDestinationPaths(tt.dest)
|
|
if tt.wantErr {
|
|
assert.ErrorContainsf(t, err, "onsider another location or a subdirectory of an existing location", "illegal mount target")
|
|
} else {
|
|
assert.NoError(t, err, "mounts to subdirs or non-critical dirs should succeed")
|
|
}
|
|
})
|
|
}
|
|
}
|