mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-09 12:07:47 +00:00
make pathWithinBase public
parent
159a4358e8
commit
7157d4582b
@ -331,8 +331,8 @@ func HasMountRefs(mountPath string, mountRefs []string) bool {
|
|||||||
return count > 0
|
return count > 0
|
||||||
}
|
}
|
||||||
|
|
||||||
// pathWithinBase checks if give path is within given base directory.
|
// PathWithinBase checks if give path is within given base directory.
|
||||||
func pathWithinBase(fullPath, basePath string) bool {
|
func PathWithinBase(fullPath, basePath string) bool {
|
||||||
rel, err := filepath.Rel(basePath, fullPath)
|
rel, err := filepath.Rel(basePath, fullPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return false
|
return false
|
||||||
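Review bot: The doc comment on the newly exported `PathWithinBase` does not say that the check is lexical, which matters now that code outside this package can call it as a containment test. The visible body starts with `filepath.Rel(basePath, fullPath)`, which compares cleaned path strings and does not resolve symlinks; the rest of the function lies outside the hunk, so this assumes nothing later in the body evaluates links. I would extend the comment to `// PathWithinBase checks if the given path is lexically within the given base directory. It does not resolve symlinks; callers that need a containment guarantee must evaluate symlinks first or open the path with a symlink-safe routine.` That wording also fixes the "give path" typo carried over from the old comment.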
|
@ -665,7 +665,7 @@ func findMountInfo(path, mountInfoPath string) (mountInfo, error) {
|
|||||||
// point that is prefix of 'path' - that's the mount where path resides
|
// point that is prefix of 'path' - that's the mount where path resides
|
||||||
var info *mountInfo
|
var info *mountInfo
|
||||||
for i := len(infos) - 1; i >= 0; i-- {
|
for i := len(infos) - 1; i >= 0; i-- {
|
||||||
if pathWithinBase(path, infos[i].mountPoint) {
|
if PathWithinBase(path, infos[i].mountPoint) {
|
||||||
info = &infos[i]
|
info = &infos[i]
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
@ -736,7 +736,7 @@ func (mounter *Mounter) PrepareSafeSubpath(subPath Subpath) (newHostPath string,
|
|||||||
|
|
||||||
// This implementation is shared between Linux and NsEnterMounter
|
// This implementation is shared between Linux and NsEnterMounter
|
||||||
func safeOpenSubPath(mounter Interface, subpath Subpath) (int, error) {
|
func safeOpenSubPath(mounter Interface, subpath Subpath) (int, error) {
|
||||||
if !pathWithinBase(subpath.Path, subpath.VolumePath) {
|
if !PathWithinBase(subpath.Path, subpath.VolumePath) {
|
||||||
return -1, fmt.Errorf("subpath %q not within volume path %q", subpath.Path, subpath.VolumePath)
|
return -1, fmt.Errorf("subpath %q not within volume path %q", subpath.Path, subpath.VolumePath)
|
||||||
}
|
}
|
||||||
fd, err := doSafeOpen(subpath.Path, subpath.VolumePath)
|
fd, err := doSafeOpen(subpath.Path, subpath.VolumePath)
|
||||||
@ -964,7 +964,7 @@ func cleanSubPath(mounter Interface, subpath Subpath) error {
|
|||||||
// removeEmptyDirs works backwards from endDir to baseDir and removes each directory
|
// removeEmptyDirs works backwards from endDir to baseDir and removes each directory
|
||||||
// if it is empty. It stops once it encounters a directory that has content
|
// if it is empty. It stops once it encounters a directory that has content
|
||||||
func removeEmptyDirs(baseDir, endDir string) error {
|
func removeEmptyDirs(baseDir, endDir string) error {
|
||||||
if !pathWithinBase(endDir, baseDir) {
|
if !PathWithinBase(endDir, baseDir) {
|
||||||
return fmt.Errorf("endDir %q is not within baseDir %q", endDir, baseDir)
|
return fmt.Errorf("endDir %q is not within baseDir %q", endDir, baseDir)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1052,7 +1052,7 @@ func getMode(pathname string) (os.FileMode, error) {
|
|||||||
func doSafeMakeDir(pathname string, base string, perm os.FileMode) error {
|
func doSafeMakeDir(pathname string, base string, perm os.FileMode) error {
|
||||||
glog.V(4).Infof("Creating directory %q within base %q", pathname, base)
|
glog.V(4).Infof("Creating directory %q within base %q", pathname, base)
|
||||||
|
|
||||||
if !pathWithinBase(pathname, base) {
|
if !PathWithinBase(pathname, base) {
|
||||||
return fmt.Errorf("path %s is outside of allowed base %s", pathname, base)
|
return fmt.Errorf("path %s is outside of allowed base %s", pathname, base)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1079,7 +1079,7 @@ func doSafeMakeDir(pathname string, base string, perm os.FileMode) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("error opening directory %s: %s", existingPath, err)
|
return fmt.Errorf("error opening directory %s: %s", existingPath, err)
|
||||||
}
|
}
|
||||||
if !pathWithinBase(fullExistingPath, base) {
|
if !PathWithinBase(fullExistingPath, base) {
|
||||||
return fmt.Errorf("path %s is outside of allowed base %s", fullExistingPath, err)
|
return fmt.Errorf("path %s is outside of allowed base %s", fullExistingPath, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
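Review bot: The error returned when `PathWithinBase(fullExistingPath, base)` fails passes `err` as the second format argument, but the `if err != nil` block just above has already returned, so `err` is nil at this point and the message ends in `%!s(<nil>)` instead of naming the base. The line should read `return fmt.Errorf("path %s is outside of allowed base %s", fullExistingPath, base)`. The same mistake appears in the later `doSafeMakeDir` hunk at `@ -534,7`, where the second argument should be `fullBasePath`. This message is what an operator sees when the containment check rejects a directory, so it should name both paths. doSafeMakeDir starts and ends outside the hunk.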
@ -1241,7 +1241,7 @@ func doSafeOpen(pathname string, base string) (int, error) {
|
|||||||
// sure the user cannot change already existing directories into symlinks.
|
// sure the user cannot change already existing directories into symlinks.
|
||||||
for _, seg := range segments {
|
for _, seg := range segments {
|
||||||
currentPath = filepath.Join(currentPath, seg)
|
currentPath = filepath.Join(currentPath, seg)
|
||||||
if !pathWithinBase(currentPath, base) {
|
if !PathWithinBase(currentPath, base) {
|
||||||
return -1, fmt.Errorf("path %s is outside of allowed base %s", currentPath, base)
|
return -1, fmt.Errorf("path %s is outside of allowed base %s", currentPath, base)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1298,7 +1298,7 @@ func searchMountPoints(hostSource, mountInfoPath string) ([]string, error) {
|
|||||||
// We need search in backward order because it's possible for later mounts
|
// We need search in backward order because it's possible for later mounts
|
||||||
// to overlap earlier mounts.
|
// to overlap earlier mounts.
|
||||||
for i := len(mis) - 1; i >= 0; i-- {
|
for i := len(mis) - 1; i >= 0; i-- {
|
||||||
if hostSource == mis[i].mountPoint || pathWithinBase(hostSource, mis[i].mountPoint) {
|
if hostSource == mis[i].mountPoint || PathWithinBase(hostSource, mis[i].mountPoint) {
|
||||||
// If it's a mount point or path under a mount point.
|
// If it's a mount point or path under a mount point.
|
||||||
mountID = mis[i].id
|
mountID = mis[i].id
|
||||||
rootPath = filepath.Join(mis[i].root, strings.TrimPrefix(hostSource, mis[i].mountPoint))
|
rootPath = filepath.Join(mis[i].root, strings.TrimPrefix(hostSource, mis[i].mountPoint))
|
||||||
|
@ -413,7 +413,7 @@ func TestPathWithinBase(t *testing.T) {
|
|||||||
},
|
},
|
||||||
}
|
}
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
if pathWithinBase(test.fullPath, test.basePath) != test.expected {
|
if PathWithinBase(test.fullPath, test.basePath) != test.expected {
|
||||||
t.Errorf("test %q failed: expected %v", test.name, test.expected)
|
t.Errorf("test %q failed: expected %v", test.name, test.expected)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -309,7 +309,7 @@ func lockAndCheckSubPathWithoutSymlink(volumePath, subPath string) ([]uintptr, e
|
|||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
|
||||||
if !pathWithinBase(currentFullPath, volumePath) {
|
if !PathWithinBase(currentFullPath, volumePath) {
|
||||||
errorResult = fmt.Errorf("SubPath %q not within volume path %q", currentFullPath, volumePath)
|
errorResult = fmt.Errorf("SubPath %q not within volume path %q", currentFullPath, volumePath)
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
@ -499,7 +499,7 @@ func (mounter *Mounter) SafeMakeDir(subdir string, base string, perm os.FileMode
|
|||||||
func doSafeMakeDir(pathname string, base string, perm os.FileMode) error {
|
func doSafeMakeDir(pathname string, base string, perm os.FileMode) error {
|
||||||
glog.V(4).Infof("Creating directory %q within base %q", pathname, base)
|
glog.V(4).Infof("Creating directory %q within base %q", pathname, base)
|
||||||
|
|
||||||
if !pathWithinBase(pathname, base) {
|
if !PathWithinBase(pathname, base) {
|
||||||
return fmt.Errorf("path %s is outside of allowed base %s", pathname, base)
|
return fmt.Errorf("path %s is outside of allowed base %s", pathname, base)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -534,7 +534,7 @@ func doSafeMakeDir(pathname string, base string, perm os.FileMode) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("cannot read link %s: %s", base, err)
|
return fmt.Errorf("cannot read link %s: %s", base, err)
|
||||||
}
|
}
|
||||||
if !pathWithinBase(fullExistingPath, fullBasePath) {
|
if !PathWithinBase(fullExistingPath, fullBasePath) {
|
||||||
return fmt.Errorf("path %s is outside of allowed base %s", fullExistingPath, err)
|
return fmt.Errorf("path %s is outside of allowed base %s", fullExistingPath, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -576,8 +576,8 @@ func TestPathWithinBase(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
result := pathWithinBase(test.fullPath, test.basePath)
|
result := PathWithinBase(test.fullPath, test.basePath)
|
||||||
assert.Equal(t, result, test.expectedResult, "Expect result not equal with pathWithinBase(%s, %s) return: %q, expected: %q",
|
assert.Equal(t, result, test.expectedResult, "Expect result not equal with PathWithinBase(%s, %s) return: %q, expected: %q",
|
||||||
test.fullPath, test.basePath, result, test.expectedResult)
|
test.fullPath, test.basePath, result, test.expectedResult)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -320,7 +320,7 @@ func (mounter *NsenterMounter) SafeMakeDir(subdir string, base string, perm os.F
|
|||||||
evaluatedBase = filepath.Clean(evaluatedBase)
|
evaluatedBase = filepath.Clean(evaluatedBase)
|
||||||
|
|
||||||
rootDir := filepath.Clean(mounter.rootDir)
|
rootDir := filepath.Clean(mounter.rootDir)
|
||||||
if pathWithinBase(evaluatedBase, rootDir) {
|
if PathWithinBase(evaluatedBase, rootDir) {
|
||||||
// Base is in /var/lib/kubelet. This directory is shared between the
|
// Base is in /var/lib/kubelet. This directory is shared between the
|
||||||
// container with kubelet and the host. We don't need to add '/rootfs'.
|
// container with kubelet and the host. We don't need to add '/rootfs'.
|
||||||
// This is useful when /rootfs is mounted as read-only - we can still
|
// This is useful when /rootfs is mounted as read-only - we can still
|
||||||
|