Merge pull request from GHSA-j4rf-7357-f4cg
add "allow setuid-mount" options
DrDaveD committed Apr 25, 2023
2 parents 458f0dc + c74323f commit 5a4964f
Showing 8 changed files with 345 additions and 98 deletions.
6 changes: 6 additions & 0 deletions e2e/actions/actions.go
Expand Up @@ -790,6 +790,9 @@ func (c actionTests) PersistentOverlay(t *testing.T) {
e2e.ExpectExit(0),
)

e2e.SetDirective(t, c.env, "allow setuid-mount extfs", "yes")
defer e2e.ResetDirective(t, c.env, "allow setuid-mount extfs")

tests := []struct {
name string
argv []string
Expand Down Expand Up @@ -1934,6 +1937,9 @@ func (c actionTests) bindImage(t *testing.T) {
e2e.ExpectExit(0),
)

e2e.SetDirective(t, c.env, "allow setuid-mount extfs", "yes")
defer e2e.ResetDirective(t, c.env, "allow setuid-mount extfs")

tests := []struct {
name string
profile e2e.Profile
242 changes: 196 additions & 46 deletions e2e/config/config.go
Expand Up @@ -25,14 +25,15 @@ import (
)

type configTests struct {
env e2e.TestEnv
sifImage string
encryptedImage string
squashfsImage string
ext3Image string
sandboxImage string
pemPublic string
pemPrivate string
env e2e.TestEnv
sifImage string
encryptedImage string
squashfsImage string
ext3Image string
ext3OverlayImage string
sandboxImage string
pemPublic string
pemPrivate string
}

// prepImages creates containers covering all image formats to test the
Expand Down Expand Up @@ -96,6 +97,20 @@ func (c *configTests) prepImages(t *testing.T) (cleanup func(t *testing.T)) {
}
})

// An ext3 overlay embedded in a SIF
c.ext3OverlayImage = filepath.Join(tmpDir, "ext3Overlay.img")
if err := fs.CopyFile(c.sifImage, c.ext3OverlayImage, 0o755); err != nil {
t.Fatalf("Could not copy test image file: %v", err)
}
c.env.RunApptainer(
t,
e2e.AsSubtest("PrepareExt3Overlay"),
e2e.WithProfile(e2e.UserProfile),
e2e.WithCommand("overlay"),
e2e.WithArgs("create", c.ext3OverlayImage),
e2e.ExpectExit(0),
)

return cleanup
}

Expand All @@ -104,24 +119,8 @@ func (c configTests) configGlobal(t *testing.T) {
cleanup := c.prepImages(t)
defer cleanup(t)

setDirective := func(t *testing.T, directive, value string) {
c.env.RunApptainer(
t,
e2e.WithProfile(e2e.RootProfile),
e2e.WithCommand("config global"),
e2e.WithArgs("--set", directive, value),
e2e.ExpectExit(0),
)
}
resetDirective := func(t *testing.T, directive string) {
c.env.RunApptainer(
t,
e2e.WithProfile(e2e.RootProfile),
e2e.WithCommand("config global"),
e2e.WithArgs("--reset", directive),
e2e.ExpectExit(0),
)
}
e2e.SetDirective(t, c.env, "allow setuid-mount extfs", "yes")
defer e2e.ResetDirective(t, c.env, "allow setuid-mount extfs")

u := e2e.UserProfile.HostUser(t)
g, err := user.GetGrGID(u.GID)
Expand Down Expand Up @@ -504,6 +503,169 @@ func (c configTests) configGlobal(t *testing.T) {
directiveValue: "yes",
exit: 0,
},
// NOTE: the "allow setuid-mount" tests have to stay after the
// "allow container" tests because they will be left in their
// default settings which can interfere with "allow container" tests.
{
name: "AllowSetuidMountEncryptedNo",
argv: []string{"--pem-path", c.pemPrivate, c.encryptedImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount encrypted",
directiveValue: "no",
exit: 255,
},
{
name: "AllowSetuidMountEncryptedYes",
argv: []string{"--pem-path", c.pemPrivate, c.encryptedImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount encrypted",
directiveValue: "yes",
exit: 0,
},
{
name: "AllowSetuidMountSquashfsNo",
argv: []string{c.squashfsImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount squashfs",
directiveValue: "no",
exit: 255,
},
{
name: "AllowSetuidMountSquashfsNoSif",
argv: []string{c.sifImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount squashfs",
directiveValue: "no",
exit: 255,
},
{
name: "AllowSetuidMountSquashfsNoBind",
argv: []string{"-B", c.squashfsImage + ":/sqsh:image-src=/", c.sifImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount squashfs",
directiveValue: "no",
exit: 255,
},
{
name: "AllowSetuidMountSquashfsNoUserns",
argv: []string{c.squashfsImage, "true"},
profile: e2e.UserNamespaceProfile,
directive: "allow setuid-mount squashfs",
directiveValue: "no",
exit: 0,
},
{
name: "AllowSetuidMountSquashfsNoUsernsSif",
argv: []string{c.sifImage, "true"},
profile: e2e.UserNamespaceProfile,
directive: "allow setuid-mount squashfs",
directiveValue: "no",
exit: 0,
},
{
name: "AllowSetuidMountSquashfsNoUsernsBind",
argv: []string{"-B", c.squashfsImage + ":/sqsh:image-src=/", c.sifImage, "true"},
profile: e2e.UserNamespaceProfile,
directive: "allow setuid-mount squashfs",
directiveValue: "no",
exit: 0,
},
{
name: "AllowSetuidMountSquashfsYes",
argv: []string{c.squashfsImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount squashfs",
directiveValue: "yes",
exit: 0,
},
{
name: "AllowSetuidMountSquashfsYesSif",
argv: []string{c.sifImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount squashfs",
directiveValue: "yes",
exit: 0,
},
{
name: "AllowSetuidMountSquashfsYesBind",
argv: []string{"-B", c.squashfsImage + ":/sqsh:image-src=/", c.sifImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount squashfs",
directiveValue: "yes",
exit: 0,
},
{
name: "AllowSetuidMountExtfsNo",
argv: []string{c.ext3Image, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount extfs",
directiveValue: "no",
exit: 255,
},
{
name: "AllowSetuidMountExtfsNoSif",
argv: []string{c.ext3OverlayImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount extfs",
directiveValue: "no",
exit: 255,
},
{
name: "AllowSetuidMountExtfsNoBind",
argv: []string{"-B", c.ext3Image + ":/ext3:image-src=/", c.sifImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount extfs",
directiveValue: "no",
exit: 255,
},
{
name: "AllowSetuidMountExtfsNoUserns",
argv: []string{c.ext3Image, "true"},
profile: e2e.UserNamespaceProfile,
directive: "allow setuid-mount extfs",
directiveValue: "no",
exit: 0,
},
{
name: "AllowSetuidMountExtfsNoUsernsSif",
argv: []string{c.ext3OverlayImage, "true"},
profile: e2e.UserNamespaceProfile,
directive: "allow setuid-mount extfs",
directiveValue: "no",
exit: 0,
},
{
name: "AllowSetuidMountExtfsNoUsernsBind",
argv: []string{"-B", c.ext3Image + ":/ext3:image-src=/", c.sifImage, "true"},
profile: e2e.UserNamespaceProfile,
directive: "allow setuid-mount extfs",
directiveValue: "no",
exit: 0,
},
{
name: "AllowSetuidMountExtfsYes",
argv: []string{c.ext3Image, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount extfs",
directiveValue: "yes",
exit: 0,
},
{
name: "AllowSetuidMountExtfsYesSif",
argv: []string{c.ext3OverlayImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount extfs",
directiveValue: "yes",
exit: 0,
},
{
name: "AllowSetuidMountExtfsYesBind",
argv: []string{"-B", c.ext3Image + ":/ext3:image-src=/", c.sifImage, "true"},
profile: e2e.UserProfile,
directive: "allow setuid-mount extfs",
directiveValue: "yes",
exit: 0,
},
// FIXME
// The e2e tests currently run inside a PID namespace.
// (see internal/init/init_linux.go)
Expand Down Expand Up @@ -537,10 +699,10 @@ func (c configTests) configGlobal(t *testing.T) {
if tt.addRequirementsFn != nil {
tt.addRequirementsFn(t)
}
setDirective(t, tt.directive, tt.directiveValue)
e2e.SetDirective(t, c.env, tt.directive, tt.directiveValue)
}),
e2e.PostRun(func(t *testing.T) {
resetDirective(t, tt.directive)
e2e.ResetDirective(t, c.env, tt.directive)
}),
e2e.WithCommand("exec"),
e2e.WithArgs(tt.argv...),
Expand All @@ -553,26 +715,14 @@ func (c configTests) configGlobal(t *testing.T) {
func (c configTests) configGlobalCombination(t *testing.T) {
e2e.EnsureImage(t, c.env)

setDirective := func(t *testing.T, directives map[string]string) {
setDirectives := func(t *testing.T, directives map[string]string) {
for k, v := range directives {
c.env.RunApptainer(
t,
e2e.WithProfile(e2e.RootProfile),
e2e.WithCommand("config global"),
e2e.WithArgs("--set", k, v),
e2e.ExpectExit(0),
)
e2e.SetDirective(t, c.env, k, v)
}
}
resetDirective := func(t *testing.T, directives map[string]string) {
resetDirectives := func(t *testing.T, directives map[string]string) {
for k := range directives {
c.env.RunApptainer(
t,
e2e.WithProfile(e2e.RootProfile),
e2e.WithCommand("config global"),
e2e.WithArgs("--reset", k),
e2e.ExpectExit(0),
)
e2e.ResetDirective(t, c.env, k)
}
}

Expand Down Expand Up @@ -741,10 +891,10 @@ func (c configTests) configGlobalCombination(t *testing.T) {
if tt.addRequirementsFn != nil {
tt.addRequirementsFn(t)
}
setDirective(t, tt.directives)
setDirectives(t, tt.directives)
}),
e2e.PostRun(func(t *testing.T) {
resetDirective(t, tt.directives)
resetDirectives(t, tt.directives)
}),
e2e.WithCommand("exec"),
e2e.WithArgs(tt.argv...),
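Review bot: For the new "allow setuid-mount extfs" rows in the configGlobal table, the PostRun `e2e.ResetDirective(t, c.env, tt.directive)` puts that directive back to its default and so undoes the function-level `e2e.SetDirective(t, c.env, "allow setuid-mount extfs", "yes")` added near the top of configGlobal, unless the default already happens to be "yes"; any later row that execs c.ext3Image or c.ext3OverlayImage then runs under the default rather than the value the function established. The NOTE above the new rows only orders them after the "allow container" tests, so whether a later row is actually affected depends on what follows the FIXME block, which is outside this hunk. One way to keep the invariant is to re-apply the function-level value in PostRun: `e2e.ResetDirective(t, c.env, tt.directive)` followed by `if tt.directive == "allow setuid-mount extfs" { e2e.SetDirective(t, c.env, tt.directive, "yes") }`. configGlobal starts and ends outside the hunks shown here.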
20 changes: 20 additions & 0 deletions e2e/internal/e2e/config.go
Expand Up @@ -43,3 +43,23 @@ func SetupDefaultConfig(t *testing.T, path string) {
}
})(t)
}

func SetDirective(t *testing.T, env TestEnv, directive, value string) {
env.RunApptainer(
t,
WithProfile(RootProfile),
WithCommand("config global"),
WithArgs("--set", directive, value),
ExpectExit(0),
)
}

func ResetDirective(t *testing.T, env TestEnv, directive string) {
env.RunApptainer(
t,
WithProfile(RootProfile),
WithCommand("config global"),
WithArgs("--reset", directive),
ExpectExit(0),
)
}
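Review bot: SetDirective and ResetDirective are exported but have no doc comments, and the one worth stating is that ResetDirective does not restore the previous value: it runs `config global --reset`, so a caller that does `SetDirective(...)` then `defer ResetDirective(...)` ends at the default rather than at whatever the test config held before, which is the pattern every new call site in actions.go, config.go, overlay.go and run.go relies on. Suggested comments: `// SetDirective sets a global config directive to value via "config global --set", run under RootProfile.` and `// ResetDirective restores a global config directive to its built-in default via "config global --reset"; it does not restore the value that preceded an earlier SetDirective.` Both helpers also hard-code ExpectExit(0), so a failed set or reset aborts the calling test rather than being reported back, which is worth a sentence in the comment as well.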
3 changes: 3 additions & 0 deletions e2e/overlay/overlay.go
Expand Up @@ -74,6 +74,9 @@ func (c ctx) testOverlayCreate(t *testing.T) {
e2e.ExpectExit(0),
)

e2e.SetDirective(t, c.env, "allow setuid-mount extfs", "yes")
defer e2e.ResetDirective(t, c.env, "allow setuid-mount extfs")

type test struct {
name string
profile e2e.Profile
3 changes: 3 additions & 0 deletions e2e/run/run.go
Expand Up @@ -286,6 +286,9 @@ func (c ctx) testFuseExt3Mount(t *testing.T) {
t.Fatalf(err.Error())
}

e2e.SetDirective(t, c.env, "allow setuid-mount extfs", "yes")
defer e2e.ResetDirective(t, c.env, "allow setuid-mount extfs")

c.env.RunApptainer(
t,
e2e.WithProfile(e2e.UserProfile),
