apparmor: Fix wrong determination whether crun is confined #1409
Conversation
LGTM
I don't have much idea about apparmor, but this strstr could find the unconfined value not related to the current scope, since now this will return true even if unconfined is found anywhere in the string. Is this expected?
8a767ae to 7352464
src/libcrun/utils.c
@@ -941,7 +941,7 @@ is_current_process_confined (libcrun_error_t *err) | |||
if (UNLIKELY (bytes_read < 0)) | |||
return crun_make_error (err, errno, "error reading file `%s`", attr_path); | |||
|
|||
return (strncmp (buf, "unconfined", bytes_read) != 0 && buf[0] != '\0'); | |||
return (strncmp (buf, "unconfined", 10) != 0); |
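Review bot: the replacement line compares 10 bytes of buf without first checking that bytes_read >= 10, so a short read (an empty or truncated attribute) lets strncmp look past the bytes that read() actually filled; guard the length before comparing, e.g. `return bytes_read >= 10 && strncmp (buf, "unconfined", 10) != 0;`. Dropping the `buf[0] != '\0'` term also changes how an empty attribute is classified (the old line returned false for it), so the intended result for an empty read should be spelled out in the commit message.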
it can use uninitialized data. We need to enforce bytes_read >= 10 and we could even use memcmp since we know the size, something like:

    #define UNCONFINED "unconfined"
    #define UNCONFINED_LEN (sizeof (UNCONFINED) - 1)
    /* only compare when the read is long enough to hold the whole token */
    return bytes_read >= UNCONFINED_LEN && memcmp (buf, UNCONFINED, UNCONFINED_LEN) != 0;
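The two review points above (strstr matching "unconfined" anywhere in the buffer, and a fixed-length compare running past a short read) come down to one rule: inspect only the bytes that read() returned, and compare a known-length token. The following is an added example, not crun's own code and not the patch under review. It assumes a hypothetical bounded reader `attr_file_is_confined` over a path such as /proc/self/attr/current, a pure decision function `attr_label_is_confined`, and a helper `classify_constructed_label` that writes constructed sample labels to a temp file so the file path can be exercised offline; the sample labels ("unconfined\n", "crun (enforce)\n", an empty attribute, a truncated "unco") are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not crun's code: confinement check built around the
 * thread's proposal (length guard, then memcmp of a known-length token). */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define UNCONFINED "unconfined"
#define UNCONFINED_LEN (sizeof (UNCONFINED) - 1)

/* Decide confinement from the first bytes_read bytes of buf.  Nothing past
 * bytes_read is touched, so a short or empty read never reaches stale or
 * uninitialized stack memory.  As in the thread's proposal, a read shorter
 * than "unconfined" is reported as not confined, and the match is a prefix
 * match over exactly UNCONFINED_LEN bytes, so the trailing newline in
 * "unconfined\n" (which broke the old strncmp that used bytes_read as the
 * length) no longer makes an unconfined process look confined. */
static bool
attr_label_is_confined (const char *buf, ssize_t bytes_read)
{
  if (bytes_read < (ssize_t) UNCONFINED_LEN)
    return false;
  return memcmp (buf, UNCONFINED, UNCONFINED_LEN) != 0;
}

/* Hypothetical bounded reader: load an attr file (e.g. /proc/self/attr/current)
 * into a fixed buffer and classify it.  Returns 1 = confined, 0 = not
 * confined, -1 = error (errno set).  The buffer is deliberately not
 * NUL-terminated: the decision must not depend on a terminator. */
static int
attr_file_is_confined (const char *attr_path)
{
  char buf[256];
  ssize_t bytes_read;
  int fd = open (attr_path, O_RDONLY);
  if (fd < 0)
    return -1;
  bytes_read = read (fd, buf, sizeof (buf));
  close (fd);
  if (bytes_read < 0)
    return -1;
  return attr_label_is_confined (buf, bytes_read) ? 1 : 0;
}

/* Test helper for the example: write a constructed label to a temp file and
 * run the file-based check on it, so the read() path is exercised offline. */
static int
classify_constructed_label (const char *content)
{
  char path[] = "/tmp/attr-label-XXXXXX";
  size_t len = strlen (content);
  int fd = mkstemp (path);
  int result;
  if (fd < 0)
    return -1;
  if (write (fd, content, len) != (ssize_t) len)
    {
      close (fd);
      unlink (path);
      return -1;
    }
  close (fd);
  result = attr_file_is_confined (path);
  unlink (path);
  return result;
}

int
main (void)
{
  /* Constructed sample labels in the shape the kernel exposes them. */
  const char *samples[] = { "unconfined\n", "crun (enforce)\n", "", "unco" };
  for (size_t i = 0; i < sizeof (samples) / sizeof (samples[0]); i++)
    printf ("%-18s -> %d\n", samples[i][0] ? samples[i] : "(empty)",
            classify_constructed_label (samples[i]));
  /* On a Linux host this reads the real label of the running process. */
  printf ("/proc/self/attr/current -> %d\n",
          attr_file_is_confined ("/proc/self/attr/current"));
  return 0;
}
```

The decision function takes the byte count as an explicit argument rather than trusting a terminator, which is what makes the short-read case safe by construction; the prefix semantics are the thread's, so only the first ten bytes decide, and a label that merely contains "unconfined" further in is still treated as confined.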
sounds much better :)
Thanks
@hswong3i what do you think about this 3rd option? :-)
I could replace the patch to my OBS package and put my production server to death for a try 🤪
98deadd to 278a23d
Closes: containers#1385
Signed-off-by: 😎Mostafa Emami <mustafaemami@gmail.com>
278a23d to cb3ffb5
@hswong3i please let us know if this solves your problem :-)
git clean -xdf
git submodule sync --recursive
git submodule update --recursive
git submodule foreach --recursive git clean -xdf
tar zcvf ../crun_1.14.orig.tar.gz --exclude=.git .
debuild -uc -us
cp crun.spec ../crun_1.14-1.spec
cp ../crun*1.14*.{gz,xz,spec,dsc} /osc/home\:alvistack/containers-crun-1.14/
rm -rf ../crun*1.14*.*

See containers#1405
See containers#1409

Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
Yes it works (alvistack@96cf21b and https://build.opensuse.org/package/show/home:alvistack/containers-crun-1.14):
wonderful, let's merge it!
makes #1408 and #1406 unnecessary
Closes: #1385