Verify seccomp absolute path in dockershim

This commit is contained in:
Pengfei Ni
2017-11-22 02:49:52 +00:00
parent 2a2a875686
commit 7e21146096
2 changed files with 24 additions and 11 deletions


@@ -62,7 +62,11 @@ func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
return nil, fmt.Errorf("unknown seccomp profile option: %s", seccompProfile) return nil, fmt.Errorf("unknown seccomp profile option: %s", seccompProfile)
} }
fname := strings.TrimPrefix(seccompProfile, "localhost/") // by pod annotation validation, name is a valid subpath // get the full path of seccomp profile when prefixed with 'localhost/'.
fname := strings.TrimPrefix(seccompProfile, "localhost/")
if !filepath.IsAbs(fname) {
return nil, fmt.Errorf("seccomp profile path must be absolute, but got relative path %q", fname)
}
file, err := ioutil.ReadFile(filepath.FromSlash(fname)) file, err := ioutil.ReadFile(filepath.FromSlash(fname))
if err != nil { if err != nil {
return nil, fmt.Errorf("cannot load seccomp profile %q: %v", fname, err) return nil, fmt.Errorf("cannot load seccomp profile %q: %v", fname, err)
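Review bot: The new `filepath.IsAbs(fname)` check runs on the raw slash-separated string while the read below uses `filepath.FromSlash(fname)`, so on a Windows host a profile given as `localhost//c/profiles/x.json` would be rejected as relative even though the converted form is what gets opened; converting first keeps the check and the read consistent, e.g. `fname := filepath.FromSlash(strings.TrimPrefix(seccompProfile, "localhost/"))`, then `if !filepath.IsAbs(fname) { ... }` and `ioutil.ReadFile(fname)`. Worth stating in the comment that this check only enforces the CRI contract that localhost profiles are absolute paths; it is not a confinement, since an absolute path can still reference any file the kubelet can read, and `..` components are not rejected. A short `// NOTE: absolute-path check is a format requirement, not a sandbox; the file is read from wherever the path points.` would keep later readers from treating it as a security boundary. The enclosing `getSeccompDockerOpts` starts before this hunk and its body continues past it.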


@@ -20,9 +20,13 @@ package dockershim
import ( import (
"fmt" "fmt"
"io/ioutil"
"os"
"path/filepath"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
) )
func TestGetSeccompSecurityOpts(t *testing.T) { func TestGetSeccompSecurityOpts(t *testing.T) {
@@ -55,26 +59,31 @@ func TestGetSeccompSecurityOpts(t *testing.T) {
} }
func TestLoadSeccompLocalhostProfiles(t *testing.T) { func TestLoadSeccompLocalhostProfiles(t *testing.T) {
tmpdir, err := ioutil.TempDir("", "seccomp-local-profile-test")
require.NoError(t, err)
defer os.RemoveAll(tmpdir)
testProfile := `{"foo": "bar"}`
err = ioutil.WriteFile(filepath.Join(tmpdir, "test"), []byte(testProfile), 0644)
require.NoError(t, err)
tests := []struct { tests := []struct {
msg string msg string
seccompProfile string seccompProfile string
expectedOpts []string expectedOpts []string
expectErr bool expectErr bool
}{{ }{{
msg: "Seccomp localhost/test profile", msg: "Seccomp localhost/test profile should return correct seccomp profiles",
// We are abusing localhost for loading test seccomp profiles. seccompProfile: "localhost/" + filepath.Join(tmpdir, "test"),
// The profile should be an absolute path while we are using a relative one.
seccompProfile: "localhost/fixtures/seccomp/test",
expectedOpts: []string{`seccomp={"foo":"bar"}`}, expectedOpts: []string{`seccomp={"foo":"bar"}`},
expectErr: false, expectErr: false,
}, { }, {
msg: "Seccomp localhost/sub/subtest profile", msg: "Non-existent profile should return error",
seccompProfile: "localhost/fixtures/seccomp/sub/subtest", seccompProfile: "localhost/" + filepath.Join(tmpdir, "fixtures/non-existent"),
expectedOpts: []string{`seccomp={"abc":"def"}`}, expectedOpts: nil,
expectErr: false, expectErr: true,
}, { }, {
msg: "Seccomp non-existent", msg: "Relative profile path should return error",
seccompProfile: "localhost/fixtures/seccomp/non-existent", seccompProfile: "localhost/fixtures/test",
expectedOpts: nil, expectedOpts: nil,
expectErr: true, expectErr: true,
}} }}
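Review bot: The "Relative profile path should return error" case on `seccompProfile: "localhost/fixtures/test"` does not actually prove the new absolute-path check fires: `fixtures/test` does not exist relative to the test's working directory, so the case would also fail with the "cannot load seccomp profile" read error if the `IsAbs` guard were removed, and the `expectErr: true` assertion cannot tell the two apart. Adding an expected error substring to the table, e.g. an `expectedErr string` field set to `"must be absolute"` for this case and `"cannot load seccomp profile"` for the non-existent case, and checking it with `assert.Contains(t, err.Error(), test.expectedErr)`, would pin the distinction. The loop that evaluates these cases runs past the end of this hunk, so the assertion change lands there.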