From a90c8f5cf8580ec93ed1df15c778ac4280a7415e Mon Sep 17 00:00:00 2001
From: Alex Lyn <alex.lyn@antgroup.com>
Date: Fri, 29 Aug 2025 20:38:32 +0800
Subject: [PATCH] runtime-rs: Align shared fs guest path with runtime-go

As runtime-rs use the "/run/kata-containers/shared/sandboxes/" which
will be checked and denied by agent policy. To make it pass the rules,
we'd better align it with runtime-go on the guest path definition.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
---
 .../crates/resource/src/share_fs/mod.rs       |  2 +-
 .../crates/resource/src/volume/mod.rs         |  4 ++--
 .../resource/src/volume/share_fs_volume.rs    | 21 +++++++------------
 3 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/src/runtime-rs/crates/resource/src/share_fs/mod.rs b/src/runtime-rs/crates/resource/src/share_fs/mod.rs
index 57efec756f..faf6a20ccf 100644
--- a/src/runtime-rs/crates/resource/src/share_fs/mod.rs
+++ b/src/runtime-rs/crates/resource/src/share_fs/mod.rs
@@ -38,7 +38,7 @@ const INLINE_VIRTIO_FS: &str = "inline-virtio-fs";
 const KATA_HOST_SHARED_DIR: &str = "/run/kata-containers/shared/sandboxes/";
 
 /// share fs (for example virtio-fs) mount path in the guest
-const KATA_GUEST_SHARE_DIR: &str = "/run/kata-containers/shared/containers/";
+pub const KATA_GUEST_SHARE_DIR: &str = "/run/kata-containers/shared/containers/";
 
 pub(crate) const DEFAULT_KATA_GUEST_SANDBOX_DIR: &str = "/run/kata-containers/sandbox/";
 
diff --git a/src/runtime-rs/crates/resource/src/volume/mod.rs b/src/runtime-rs/crates/resource/src/volume/mod.rs
index 89f150d28c..6857dcc8a7 100644
--- a/src/runtime-rs/crates/resource/src/volume/mod.rs
+++ b/src/runtime-rs/crates/resource/src/volume/mod.rs
@@ -59,7 +59,7 @@ impl VolumeResource {
     pub async fn handler_volumes(
         &self,
         share_fs: &Option<Arc<dyn ShareFs>>,
-        cid: &str,
+        _cid: &str,
         spec: &oci::Spec,
         d: &RwLock<DeviceManager>,
         sid: &str,
@@ -108,7 +108,7 @@ impl VolumeResource {
                     share_fs_volume::ShareFsVolume::new(
                         share_fs,
                         m,
-                        cid,
+                        sid,
                         spec,
                         read_only,
                         agent.clone(),
diff --git a/src/runtime-rs/crates/resource/src/volume/share_fs_volume.rs b/src/runtime-rs/crates/resource/src/volume/share_fs_volume.rs
index f19576020f..a81f1fd974 100644
--- a/src/runtime-rs/crates/resource/src/volume/share_fs_volume.rs
+++ b/src/runtime-rs/crates/resource/src/volume/share_fs_volume.rs
@@ -30,9 +30,7 @@ use tokio::{
 use walkdir::WalkDir;
 
 use super::Volume;
-use crate::share_fs::DEFAULT_KATA_GUEST_SANDBOX_DIR;
-use crate::share_fs::PASSTHROUGH_FS_DIR;
-use crate::share_fs::{MountedInfo, ShareFs, ShareFsVolumeConfig};
+use crate::share_fs::{MountedInfo, ShareFs, ShareFsVolumeConfig, KATA_GUEST_SHARE_DIR};
 use kata_types::{
     k8s::{is_configmap, is_downward_api, is_projected, is_secret},
     mount,
@@ -342,7 +340,7 @@ impl VolumeManager {
         }
 
         // Create a new volume
-        let guest_path = generate_guest_path(&canonical_source, mount_destination);
+        let guest_path = generate_guest_path(container_id, &canonical_source, mount_destination);
 
         let mut containers = HashSet::new();
         containers.insert(container_id.to_string());
@@ -436,7 +434,7 @@ impl ShareFsVolume {
     pub(crate) async fn new(
         share_fs: &Option<Arc<dyn ShareFs>>,
         m: &oci::Mount,
-        cid: &str,
+        sid: &str,
         spec: &oci::Spec,
         readonly: bool,
         agent: Arc<dyn Agent>,
@@ -457,14 +455,14 @@ impl ShareFsVolume {
             storages: vec![],
             volume_manager: Some(volume_manager.clone()),
             source_path: Some(source_path.clone()),
-            container_id: cid.to_string(),
+            container_id: sid.to_string(),
         };
 
         match share_fs {
             None => {
                 // Get or create the guest path
                 let (guest_path, need_copy) = volume_manager
-                    .get_or_create_volume(&source_path, cid, m.destination())
+                    .get_or_create_volume(&source_path, sid, m.destination())
                     .await?;
 
                 let src = std::fs::canonicalize(&source_path)?;
@@ -552,7 +550,7 @@ impl ShareFsVolume {
                         // The current mount should be upgraded to readwrite permission
                         info!(
                             sl!(),
-                            "The mount will be upgraded, mount = {:?}, cid = {}", m, cid
+                            "The mount will be upgraded, mount = {:?}, sid = {}", m, sid
                         );
                         share_fs_mount
                             .upgrade_to_rw(
@@ -1019,7 +1017,7 @@ pub(crate) fn is_watchable_volume(source_path: &PathBuf) -> bool {
 }
 
 /// Generates a guest path with hashed source path
-fn generate_guest_path(source_path: &str, mount_destination: &Path) -> String {
+fn generate_guest_path(sid: &str, source_path: &str, mount_destination: &Path) -> String {
     // Use a hash of the source path to generate a unique but deterministic identifier
     let mut hasher = Sha256::new();
     hasher.update(source_path.as_bytes());
@@ -1031,10 +1029,7 @@ fn generate_guest_path(source_path: &str, mount_destination: &Path) -> String {
         .and_then(|n| n.to_str())
         .unwrap_or("volume");
 
-    format!(
-        "{}/{}/shared-{}-{}",
-        DEFAULT_KATA_GUEST_SANDBOX_DIR, PASSTHROUGH_FS_DIR, hash_str, dest_base
-    )
+    format!("{}{}-{}-{}", KATA_GUEST_SHARE_DIR, sid, hash_str, dest_base)
 }
 
 #[cfg(test)]