From 6123f1fec7a42a5b441711d8c15f908124faedad Mon Sep 17 00:00:00 2001
From: Tonis Tiigi
Date: Thu, 19 Dec 2024 16:45:30 -0800
Subject: [PATCH] bake: make FS entitlements error by default
Change FS entitlements checks from warning to error by default as expressed in initial PR. Users can still opt-out with environment variable if the choose to.
Signed-off-by: Tonis Tiigi
---
 bake/entitlements.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/bake/entitlements.go b/bake/entitlements.go
index 8d6d0c37f27..00a0cc69084 100644
--- a/bake/entitlements.go
+++ b/bake/entitlements.go
@@ -257,7 +257,7 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write
 fmt.Fprintf(out, "%s %s %s\n\n", strings.Join(args[:idx+1], " "), strings.Join(slices.Concat(flags, flagsFS), " "), strings.Join(args[idx+1:], " "))
 }
- fsEntitlementsEnabled := false
+ fsEntitlementsEnabled := true
 if isRemote {
 if v, ok := os.LookupEnv("BAKE_ALLOW_REMOTE_FS_ACCESS"); ok {
 vv, err := strconv.ParseBool(v)
@@ -265,8 +265,6 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write
 return errors.Wrapf(err, "failed to parse BAKE_ALLOW_REMOTE_FS_ACCESS value %q", v)
 }
 fsEntitlementsEnabled = !vv
- } else {
- fsEntitlementsEnabled = true
 }
 }
 v, fsEntitlementsSet := os.LookupEnv("BUILDX_BAKE_ENTITLEMENTS_FS")
@@ -279,11 +277,11 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write
 }
 if !fsEntitlementsEnabled && len(msgs) == 0 {
- if !fsEntitlementsSet {
- fmt.Fprintf(out, "This warning will become an error in a future release. To enable filesystem entitlements checks at the moment, set BUILDX_BAKE_ENTITLEMENTS_FS=1 .\n\n")
- }
 return nil
 }
+ if fsEntitlementsEnabled && !fsEntitlementsSet {
+ fmt.Fprintf(out, "To disable filesystem entitlements checks, you can set BUILDX_BAKE_ENTITLEMENTS_FS=0 .\n\n")
+ }
 if term {
 fmt.Fprintf(out, "Do you want to grant requested privileges and continue? [y/N] ")
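Review bot: The default of a security control flips at `fsEntitlementsEnabled := true` in the first hunk (-257,7), but the diffstat lists only bake/entitlements.go, so nothing visible in this commit pins the new enforce-by-default behaviour. A table test over Prompt for local and remote definitions, with `BAKE_ALLOW_REMOTE_FS_ACCESS` and `BUILDX_BAKE_ENTITLEMENTS_FS` each unset, true and false, would stop a later refactor from quietly returning to warn-only. A short comment above the assignment would also help, for example `// FS entitlement checks are enforced unless explicitly disabled through the environment.` Prompt's body starts and ends outside the hunk, so how the `BUILDX_BAKE_ENTITLEMENTS_FS` value is applied is not visible here.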
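Review bot: The hint added in the third hunk (-279,11) is printed whenever `fsEntitlementsEnabled && !fsEntitlementsSet`, without checking which entitlements are actually missing. A run that lacks only non-filesystem privileges would presumably still be told to set `BUILDX_BAKE_ENTITLEMENTS_FS=0`, which would not resolve the prompt and steers users towards switching off the whole check. The hint is also shown when `isRemote` is true, where the per-path allow flags printed earlier in Prompt are the narrower grant. If `flagsFS` is still in scope at this point (the hunk does not show its declaration), the guard could become `if fsEntitlementsEnabled && !fsEntitlementsSet && len(flagsFS) > 0 {`, and the message could say that the variable disables the check for every target. The stray space before the final period in `BUILDX_BAKE_ENTITLEMENTS_FS=0 .` is carried over from the old message and could be dropped.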