github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 19:56:01 +00:00
Code Issues Projects Releases Wiki Activity

fix VolumeMount permissions with subpaths only apply the right permissions to the last directory

Browse Source
This commit is contained in:
mengjiao.liu 2021-02-03 16:25:47 +08:00
parent 83aee3462f
commit d9138069fe
2 changed files with 32 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
pkg/volume/util/subpath/subpath_linux.go
View File

@ -433,29 +433,29 @@ func doSafeMakeDir(pathname string, base string, perm os.FileMode) error {
} }
parentFD = childFD parentFD = childFD
childFD = -1 childFD = -1
// Everything was created. mkdirat(..., perm) above was affected by current
// umask and we must apply the right permissions to the all created directory.
// (that's the one that will be available to the container as subpath)
// so user can read/write it.
// parentFD is the last created directory.
// Translate perm (os.FileMode) to uint32 that fchmod() expects
kernelPerm := uint32(perm & os.ModePerm)
if perm&os.ModeSetgid > 0 {
kernelPerm |= syscall.S_ISGID
}
if perm&os.ModeSetuid > 0 {
kernelPerm |= syscall.S_ISUID
}
if perm&os.ModeSticky > 0 {
kernelPerm |= syscall.S_ISVTX
}
if err = syscall.Fchmod(parentFD, kernelPerm); err != nil {
return fmt.Errorf("chmod %q failed: %s", currentPath, err)
}
} }
// Everything was created. mkdirat(..., perm) above was affected by current
// umask and we must apply the right permissions to the last directory
// (that's the one that will be available to the container as subpath)
// so user can read/write it. This is the behavior of previous code.
// TODO: chmod all created directories, not just the last one.
// parentFD is the last created directory.
// Translate perm (os.FileMode) to uint32 that fchmod() expects
kernelPerm := uint32(perm & os.ModePerm)
if perm&os.ModeSetgid > 0 {
kernelPerm |= syscall.S_ISGID
}
if perm&os.ModeSetuid > 0 {
kernelPerm |= syscall.S_ISUID
}
if perm&os.ModeSticky > 0 {
kernelPerm |= syscall.S_ISVTX
}
if err = syscall.Fchmod(parentFD, kernelPerm); err != nil {
return fmt.Errorf("chmod %q failed: %s", currentPath, err)
}
return nil return nil
} }

11
pkg/volume/util/subpath/subpath_linux_test.go
View File

@ -35,6 +35,7 @@ import (
func TestSafeMakeDir(t *testing.T) { func TestSafeMakeDir(t *testing.T) {
defaultPerm := os.FileMode(0750) + os.ModeDir defaultPerm := os.FileMode(0750) + os.ModeDir
maxPerm := os.FileMode(0777) + os.ModeDir
tests := []struct { tests := []struct {
name string name string
// Function that prepares directory structure for the test under given // Function that prepares directory structure for the test under given
@ -55,6 +56,16 @@ func TestSafeMakeDir(t *testing.T) {
defaultPerm, defaultPerm,
false, false,
}, },
{
"all-created-subpath-directory-with-permissions",
func(base string) error {
return nil
},
"test/directory",
"test",
maxPerm,
false,
},
{ {
"directory-with-sgid", "directory-with-sgid",
func(base string) error { func(base string) error {