github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-25 15:02:45 +00:00
Code Issues Projects Releases Wiki Activity

jail/validator: avoid unwrap() for safety

Browse Source 
Explicitly return error codes instead of unwrap().

Fixes: #1214

Signed-off-by: Liu Jiang <gerry@linux.alibaba.com>
This commit is contained in:
Liu Jiang 2020-12-24 09:47:10 +08:00
parent 51fd624f3e
commit 76ad32136f
1 changed files with 41 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
src/agent/rustjail/src/validator.rs
View File

@ -49,7 +49,11 @@ fn rootfs(root: &str) -> Result<()> {
continue; continue;
} }
stack.push(c.as_os_str().to_str().unwrap().to_string()); if let Some(v) = c.as_os_str().to_str() {
stack.push(v.to_string());
} else {
return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
}
} }
let mut cleaned = PathBuf::from("/"); let mut cleaned = PathBuf::from("/");
@ -75,10 +79,10 @@ fn hostname(oci: &Spec) -> Result<()> {
return Ok(()); return Ok(());
} }
if oci.linux.is_none() { let linux = oci
return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL))); .linux
} .as_ref()
let linux = oci.linux.as_ref().unwrap(); .ok_or(anyhow!(nix::Error::from_errno(Errno::EINVAL)))?;
if !contain_namespace(&linux.namespaces, "uts") { if !contain_namespace(&linux.namespaces, "uts") {
return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL))); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
@ -87,7 +91,10 @@ fn hostname(oci: &Spec) -> Result<()> {
} }
fn security(oci: &Spec) -> Result<()> { fn security(oci: &Spec) -> Result<()> {
let linux = oci.linux.as_ref().unwrap(); let linux = oci
.linux
.as_ref()
.ok_or(anyhow!(nix::Error::from_errno(Errno::EINVAL)))?;
if linux.masked_paths.is_empty() && linux.readonly_paths.is_empty() { if linux.masked_paths.is_empty() && linux.readonly_paths.is_empty() {
return Ok(()); return Ok(());
} }
@ -112,7 +119,10 @@ fn idmapping(maps: &[LinuxIDMapping]) -> Result<()> {
} }
fn usernamespace(oci: &Spec) -> Result<()> { fn usernamespace(oci: &Spec) -> Result<()> {
let linux = oci.linux.as_ref().unwrap(); let linux = oci
.linux
.as_ref()
.ok_or(anyhow!(nix::Error::from_errno(Errno::EINVAL)))?;
if contain_namespace(&linux.namespaces, "user") { if contain_namespace(&linux.namespaces, "user") {
let user_ns = PathBuf::from("/proc/self/ns/user"); let user_ns = PathBuf::from("/proc/self/ns/user");
if !user_ns.exists() { if !user_ns.exists() {
@ -133,7 +143,10 @@ fn usernamespace(oci: &Spec) -> Result<()> {
} }
fn cgroupnamespace(oci: &Spec) -> Result<()> { fn cgroupnamespace(oci: &Spec) -> Result<()> {
let linux = oci.linux.as_ref().unwrap(); let linux = oci
.linux
.as_ref()
.ok_or(anyhow!(nix::Error::from_errno(Errno::EINVAL)))?;
if contain_namespace(&linux.namespaces, "cgroup") { if contain_namespace(&linux.namespaces, "cgroup") {
let path = PathBuf::from("/proc/self/ns/cgroup"); let path = PathBuf::from("/proc/self/ns/cgroup");
if !path.exists() { if !path.exists() {
@ -184,7 +197,10 @@ fn check_host_ns(path: &str) -> Result<()> {
} }
fn sysctl(oci: &Spec) -> Result<()> { fn sysctl(oci: &Spec) -> Result<()> {
let linux = oci.linux.as_ref().unwrap(); let linux = oci
.linux
.as_ref()
.ok_or(anyhow!(nix::Error::from_errno(Errno::EINVAL)))?;
for (key, _) in linux.sysctl.iter() { for (key, _) in linux.sysctl.iter() {
if SYSCTLS.contains_key(key.as_str()) || key.starts_with("fs.mqueue.") { if SYSCTLS.contains_key(key.as_str()) || key.starts_with("fs.mqueue.") {
if contain_namespace(&linux.namespaces, "ipc") { if contain_namespace(&linux.namespaces, "ipc") {
@ -210,7 +226,10 @@ fn sysctl(oci: &Spec) -> Result<()> {
} }
fn rootless_euid_mapping(oci: &Spec) -> Result<()> { fn rootless_euid_mapping(oci: &Spec) -> Result<()> {
let linux = oci.linux.as_ref().unwrap(); let linux = oci
.linux
.as_ref()
.ok_or(anyhow!(nix::Error::from_errno(Errno::EINVAL)))?;
if !contain_namespace(&linux.namespaces, "user") { if !contain_namespace(&linux.namespaces, "user") {
return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL))); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
@ -233,7 +252,10 @@ fn has_idmapping(maps: &[LinuxIDMapping], id: u32) -> bool {
} }
fn rootless_euid_mount(oci: &Spec) -> Result<()> { fn rootless_euid_mount(oci: &Spec) -> Result<()> {
let linux = oci.linux.as_ref().unwrap(); let linux = oci
.linux
.as_ref()
.ok_or(anyhow!(nix::Error::from_errno(Errno::EINVAL)))?;
for mnt in oci.mounts.iter() { for mnt in oci.mounts.iter() {
for opt in mnt.options.iter() { for opt in mnt.options.iter() {
@ -270,16 +292,19 @@ fn rootless_euid(oci: &Spec) -> Result<()> {
pub fn validate(conf: &Config) -> Result<()> { pub fn validate(conf: &Config) -> Result<()> {
lazy_static::initialize(&SYSCTLS); lazy_static::initialize(&SYSCTLS);
let oci = conf.spec.as_ref().unwrap(); let oci = conf
.spec
.as_ref()
.ok_or(anyhow!(nix::Error::from_errno(Errno::EINVAL)))?;
if oci.linux.is_none() { if oci.linux.is_none() {
return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL))); return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL)));
} }
if oci.root.is_none() { let root = match oci.root.as_ref() {
return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL))); Some(v) => v.path.as_str(),
} None => return Err(anyhow!(nix::Error::from_errno(Errno::EINVAL))),
let root = oci.root.as_ref().unwrap().path.as_str(); };
rootfs(root).context("rootfs")?; rootfs(root).context("rootfs")?;
network(oci).context("network")?; network(oci).context("network")?;