particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

rhel85: enable multi-level mountpoints

Browse source 
Previously it was only possible to configure separate partitions
for mountpoints in the allow list and their immediate subdirectories
only i.e. /var & /var/log
This fix allows for an arbitrary level of mountpoints, i.e. /var/log/audit,
/var/a/b/c/d/e and so on
This commit is contained in:
Gianluca Zuccarelli 2021-08-31 18:15:41 +01:00 committed by Ondřej Budai
parent 5a9d8c792b
commit 16e80ffa33
2 changed files with 95 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

18
internal/distro/rhel85/distro.go
View file

@ -7,6 +7,7 @@ import (
"math/rand" "math/rand"
"path" "path"
"sort" "sort"
"strings"
"github.com/osbuild/osbuild-composer/internal/blueprint" "github.com/osbuild/osbuild-composer/internal/blueprint"
"github.com/osbuild/osbuild-composer/internal/disk" "github.com/osbuild/osbuild-composer/internal/disk"
@ -42,9 +43,7 @@ const (
) )
var mountpointAllowList = []string{ var mountpointAllowList = []string{
"/", "/var", "/var/*", "/home", "/home/*", "/opt", "/opt/*", "/", "/var", "/opt", "/srv", "/usr", "/app", "/data", "/home",
"/srv", "/srv/*", "/usr", "/usr/*", "/app", "/app/*",
"/data", "/data/*",
} }
type distribution struct { type distribution struct {
@ -394,10 +393,17 @@ func (t *imageType) sources(packages []rpmmd.PackageSpec, ostreeCommits []ostree
func isMountpointAllowed(mountpoint string) bool { func isMountpointAllowed(mountpoint string) bool {
for _, allowed := range mountpointAllowList { for _, allowed := range mountpointAllowList {
// check if the path and its subdirectories
// is in the allow list
match, _ := path.Match(allowed, mountpoint) match, _ := path.Match(allowed, mountpoint)
if mountpoint == "/" || match { if match {
return true
}
// ensure that only clean mountpoints
// are valid
if strings.Contains(mountpoint, "//") {
return false
}
match = strings.HasPrefix(mountpoint, allowed+"/")
if allowed != "/" && match {
return true return true
} }
} }

87
internal/distro/rhel85/distro_test.go
View file

@ -2,6 +2,7 @@ package rhel85_test
import ( import (
"fmt" "fmt"
"strings"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@ -627,6 +628,10 @@ func TestDistro_CustomFileSystemSubDirectories(t *testing.T) {
MinSize: 1024, MinSize: 1024,
Mountpoint: "/var/log", Mountpoint: "/var/log",
}, },
{
MinSize: 1024,
Mountpoint: "/var/log/audit",
},
}, },
}, },
} }
@ -635,9 +640,7 @@ func TestDistro_CustomFileSystemSubDirectories(t *testing.T) {
for _, imgTypeName := range arch.ListImageTypes() { for _, imgTypeName := range arch.ListImageTypes() {
imgType, _ := arch.GetImageType(imgTypeName) imgType, _ := arch.GetImageType(imgTypeName)
_, err := imgType.Manifest(bp.Customizations, distro.ImageOptions{}, nil, nil, 0) _, err := imgType.Manifest(bp.Customizations, distro.ImageOptions{}, nil, nil, 0)
if imgTypeName == "edge-commit" || imgTypeName == "edge-container" { if strings.HasPrefix(imgTypeName, "edge-") {
assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types")
} else if imgTypeName == "edge-installer" || imgTypeName == "edge-simplified-installer" || imgTypeName == "edge-raw-image" {
continue continue
} else { } else {
assert.NoError(t, err) assert.NoError(t, err)
@ -646,6 +649,78 @@ func TestDistro_CustomFileSystemSubDirectories(t *testing.T) {
} }
} }
func TestDistro_MountpointsWithArbitraryDepthAllowed(t *testing.T) {
r8distro := rhel85.New()
bp := blueprint.Blueprint{
Customizations: &blueprint.Customizations{
Filesystem: []blueprint.FilesystemCustomization{
{
MinSize: 1024,
Mountpoint: "/var/a",
},
{
MinSize: 1024,
Mountpoint: "/var/a/b",
},
{
MinSize: 1024,
Mountpoint: "/var/a/b/c",
},
{
MinSize: 1024,
Mountpoint: "/var/a/b/c/d",
},
},
},
}
for _, archName := range r8distro.ListArches() {
arch, _ := r8distro.GetArch(archName)
for _, imgTypeName := range arch.ListImageTypes() {
imgType, _ := arch.GetImageType(imgTypeName)
_, err := imgType.Manifest(bp.Customizations, distro.ImageOptions{}, nil, nil, 0)
if strings.HasPrefix(imgTypeName, "edge-") {
continue
} else {
assert.NoError(t, err)
}
}
}
}
func TestDistro_DirtyMountpointsNotAllowed(t *testing.T) {
r8distro := rhel85.New()
bp := blueprint.Blueprint{
Customizations: &blueprint.Customizations{
Filesystem: []blueprint.FilesystemCustomization{
{
MinSize: 1024,
Mountpoint: "//",
},
{
MinSize: 1024,
Mountpoint: "/var//",
},
{
MinSize: 1024,
Mountpoint: "/var//log/audit/",
},
},
},
}
for _, archName := range r8distro.ListArches() {
arch, _ := r8distro.GetArch(archName)
for _, imgTypeName := range arch.ListImageTypes() {
imgType, _ := arch.GetImageType(imgTypeName)
_, err := imgType.Manifest(bp.Customizations, distro.ImageOptions{}, nil, nil, 0)
if strings.HasPrefix(imgTypeName, "edge-") {
continue
} else {
assert.EqualError(t, err, "The following custom mountpoints are not supported [\"//\" \"/var//\" \"/var//log/audit/\"]")
}
}
}
}
func TestDistro_CustomFileSystemPatternMatching(t *testing.T) { func TestDistro_CustomFileSystemPatternMatching(t *testing.T) {
r8distro := rhel85.New() r8distro := rhel85.New()
bp := blueprint.Blueprint{ bp := blueprint.Blueprint{
@ -655,6 +730,10 @@ func TestDistro_CustomFileSystemPatternMatching(t *testing.T) {
MinSize: 1024, MinSize: 1024,
Mountpoint: "/variable", Mountpoint: "/variable",
}, },
{
MinSize: 1024,
Mountpoint: "/variable/log/audit",
},
}, },
}, },
} }
@ -668,7 +747,7 @@ func TestDistro_CustomFileSystemPatternMatching(t *testing.T) {
} else if imgTypeName == "edge-installer" || imgTypeName == "edge-simplified-installer" || imgTypeName == "edge-raw-image" { } else if imgTypeName == "edge-installer" || imgTypeName == "edge-simplified-installer" || imgTypeName == "edge-raw-image" {
continue continue
} else { } else {
assert.EqualError(t, err, "The following custom mountpoints are not supported [\"/variable\"]") assert.EqualError(t, err, "The following custom mountpoints are not supported [\"/variable\" \"/variable/log/audit\"]")
} }
} }
} }