[v4.4.1-rhel] Add file switch for pre-exec hooks

[TomSweeneyRedHat]

The long term goal was to provide the customer with a way to turn on the
preexec_hooks processing of scripts by having some kind of configuration
that could be read. I had tried putting it into containers.conf to
start, but that turned out to be unyieldly quickly, and time is of
the essence for this fix. That is mostly due to the fact that this
code is preexecution and in C, the containers.conf file is read in
Go much further down the stack.

After first trying this process using an ENVVAR, I have
thought it over and chatted with others, and will now look for a
/etc/containers/podman_preexec_hooks.txt file to exist. If the admin
had put one in there, we will then process the files in the
directories /usr/libexec/podman/pre-exec-hooks
and /etc/containers/pre-exec-hooks.

Thoughts/suggestions gratefully accepted. This will be a 8.8/9.2 ZeroDay
fix and will need to be backported to the v4.4.1-rhel branch.

[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat tsweeney@redhat.com

Does this PR introduce a user-facing change?

None

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: TomSweeneyRedHat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [TomSweeneyRedHat]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[TomSweeneyRedHat]

I need to make some BZs for this, WIP, and I'll add links here.

[TomSweeneyRedHat]

Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2189593 and https://bugzilla.redhat.com/show_bug.cgi?id=2189592

[mheon]

We didn't document these at all, right?

[TomSweeneyRedHat]

No, we are documenting these as of 8.8/9.2. That's why the change, RH Security Alerts, didn't like the default directories.

[TomSweeneyRedHat]

@edsantiago the smoke test keeps smoking and I need to get this merged today if at all possible. Anything I can do to clear the smoke other than pressing the button once more?

[edsantiago]

@TomSweeneyRedHat you might be asking the wrong person: I know nothing whatsoever about Windows. It's pretty clear that it's not a flake, though, so whoever reviews can just press the Merge button.

[TomSweeneyRedHat]

@edsantiago just double checking your phraseology, "pretty clear that it's not a flake", should have been "pretty clear that it's a flake", correct?

[edsantiago]

I meant "not a flake", as in, I expect it to fail repeatedly. The windows smoke test constantly starts failing, for some reason or another that I've never paid attention to, and requires hand-tuning by a Windows expert. I do not believe it is worth your or my or anyone's time to worry about this failure.

[TomSweeneyRedHat]

Thanks for the clarification Ed.

[mheon]

LGTM

[mtrmac]

My 2c, I can’t see how the Windows failure could be related and I’m fine with not blocking on that test.

As for the change itself, discussed elsewhere.

[TomSweeneyRedHat]

I've been poking at some things, and I'm going to try a slightly different approach. I'll check for a podman_preexec_hooks.txt file in /etc/containers. If the file is found, then we'll do the reads of the file as we had prior to this change.

[edsantiago]

I think you forgot to actually read the file.

Since I don't understand the threat model that this addresses, I'm going to ask: how paranoid do we need to get here? Do we need to check all parent directories to make sure they're not group/world writable? That this file, and all parents, are owned by root?

[TomSweeneyRedHat]

I've reworked this based on @giuseppe 's comments in #18331. I'm using access() now, it's a lot more straightforward, plus you don't have to mess with the file ptrs. FWIW, you don't have to actually read the file, the open fails if it doesn't exist.

[TomSweeneyRedHat]

And paranoia, there is no right level! The folks at security alert gave me two options, 1) check a config file presence, or value within one, or, 2) EnvVar check. I went with the EnvVar at first as the code change was real easy, but after further discussions/thinking, I decided to drop a file in place.

I've a hunch this will be changed further over time, but the security folks said this is sufficient for now.

[TomSweeneyRedHat]

Ooops, I've a code error here with the access call, need to touch that up. I shouldn't code when in a meeting....

[TomSweeneyRedHat]

OK, just made one last change to tweak the comment. Thanks @giuseppe for the access() suggestion, that was really slick. Fingers crossed for tests.

[mtrmac]

Implementation LGTM. (I’m not sure why this needs to exist, looking just at the stated intent.)

---

(This isn’t really worth a delay in this PR, but if we are going to add similar code to the main branch…:)

• Stylistically, putting a macro at the top, beside ETC_PREEXEC_HOOKS, would make it clearer that this is a ~choice, not an essential component of this individual function.
• It’s fine to call access("…") without the intermediate char[] variable.

[TomSweeneyRedHat]

I've implemented Ed's test suggestions from #18331

[TomSweeneyRedHat]

@Luap99 @mheon @edsantiago @giuseppe All tests are passing, except the windows smoke test which per Ed is a known issue here in this branch. Can this be LGTM'd and merged so Jindrich can build a module before he leaves today?

[edsantiago]

I truly hate this, but am holding my nose and have merged.

[giuseppe]

I am not sure why this was merged. I don't think this is needed, I had comments about this feature in #18331