Skip to content

Fix parsing of paths for unmask #25660

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix parsing of paths for unmask #25660

wants to merge 1 commit into from

Conversation

ver4a
Copy link

@ver4a ver4a commented Mar 24, 2025

This fixes an issue where multiple paths separated by a colon were treated as a single path, contrary to what docs say and unlike how mask option works.

Does this PR introduce a user-facing change?

Fixed a bug where multiple paths could not be set in --security-opt=unmask

Luap99
Luap99 reviewed Mar 24, 2025
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, please add a test for it.

Overall I hate such string.Split() calls for paths because it means all users will be unable to specify paths with a colon in them. Given it is is already done with mask I guess it is good to be consistent so I am fine with it.

@ver4a
Copy link
Author

ver4a commented Mar 24, 2025

I'll try, but I'm not exactly sure what's going on. The tests currently test for this

podman run -d --name=maskCtr2 --security-opt unmask=/proc/acpi:/sys/firmware

and that does work, both paths are masked by default. But when I try adding paths that are read-only by default, it doesn't effect them. I don't understand how the parsing changes that in any way.
Without this PR /proc/acpi and /sys/firmware get unmasked, /proc/sys and /sys/fs/cgroup remain read-only:

unmask=/proc/sys:/sys/fs/cgroup:/proc/acpi:/sys/firmware

I don't understand this behavior, I guess there could be two tests, one for masked paths and one for read-only paths, but it's strange. I'll double check this later when I have more time.

@ver4a
Copy link
Author

ver4a commented Mar 24, 2025

I still don't know why some paths worked, but I've added a simple test with one that I can reproduce doesn't.

Overall I hate such string.Split() calls for paths because it means all users will be unable to specify paths with a colon in them. Given it is is already done with mask I guess it is good to be consistent so I am fine with it.

Agree, it's not pretty, I did it this way for consistency and also because I know absolutely no GO :)

giuseppe
giuseppe reviewed Mar 25, 2025
View reviewed changes
Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you please use your real name to sign off the commit?

test/e2e/run_test.go Outdated
@@ -423,6 +423,9 @@ var _ = Describe("Podman run", func() {
session.WaitWithDefaultTimeout()
Expect(session.OutputToString()).To(Not(BeEmpty()))
Expect(session).Should(ExitCleanly())
session = podmanTest.Podman([]string{"exec", "maskCtr2", "mkdir", "/sys/fs/cgroup/testcgroup"})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this won't work with rootless and cgroupfs because the user doesn't get a delegated cgroup.

It would be better to run something like grep /sys/fs/cgroup /proc/self/mountinfo and make sure there is rw in the mount flags.

@mheon
Copy link
Member

mheon commented Apr 1, 2025

LGTM once comment is addressed

@github-actions GitHub Actions
Copy link

github-actions bot commented May 2, 2025

A friendly reminder that this PR had no activity for 30 days.

@baude
Copy link
Member

baude commented May 6, 2025

@ver4a would you be willing to push this over the finish line? much appreciated if so.

@github-actions github-actions bot removed the stale-pr label May 7, 2025
@ver4a
Fix parsing of paths for unmask
7a16111 
This fixes an issue where multiple paths separated by a colon were
treated as a single path, contrary to what docs say and unlike how mask
option works.

Test was updated with a case that fails without this commit.

Signed-off-by: Šimon Škoda <ver4a@uncontrol.me>
@ver4a
Copy link
Author

ver4a commented May 9, 2025

Sorry for the delay, I got distracted with other stuff.

Could you please take another look at this @giuseppe? I've signed-off the commit with my legal name and made a new test based on your suggestion.

giuseppe
giuseppe approved these changes May 9, 2025
View reviewed changes
Copy link
Member

@giuseppe giuseppe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented May 9, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, ver4a

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 9, 2025
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@Luap99 Luap99 Luap99 left review comments

@giuseppe giuseppe giuseppe approved these changes

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. release-note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ver4a @mheon @baude @giuseppe @Luap99