Allow bind mounts prefixed with /mnt/ for ephemeral storage

sources/api/apiserver/src/server/ephemeral_storage.rs

@@ -114,10 +114,17 @@ pub fn bind(variant: &str, dirs: Vec<String>) -> Result<()> {
 
     let mount_point = format!("/mnt/{}", EPHEMERAL_MNT);
     let mount_point = Path::new(&mount_point);
-    let allowed_dirs = allowed_bind_dirs(variant);
+    let (allowed_exact, allowed_prefixes, disallowed_contains) = allowed_bind_dirs(variant);
     for dir in &dirs {
+        let exact_match = allowed_exact.contains(dir.as_str());
+        let prefix_match = allowed_prefixes
+            .iter()
+            .any(|prefix| dir.starts_with(prefix));
+        let disallowed_match = disallowed_contains
+            .iter()
+            .any(|contains| dir.contains(contains));
         ensure!(
-            allowed_dirs.contains(dir.as_str()),
+            exact_match || (prefix_match && !disallowed_match),
             error::InvalidParameterSnafu {
                 parameter: dir,
                 reason: "specified bind directory not in allow list",
@@ -269,18 +276,27 @@ pub fn ephemeral_devices() -> Result<Vec<String>> {
 }
 
 /// allowed_bind_dirs returns a set of the directories that can be bound to ephemeral storage, which
-/// varies based on the variant
-pub fn allowed_bind_dirs(variant: &str) -> HashSet<&'static str> {
-    let mut allowed = HashSet::from(["/var/lib/containerd", "/var/lib/host-containerd"]);
+/// varies based on the variant, a set of the prefixes of directories that are allowed to be bound.
+/// and a set of substrings that are disallowed in the directory name.
+pub fn allowed_bind_dirs(
+    variant: &str,
+) -> (
+    HashSet<&'static str>,
+    &'static [&'static str],
+    &'static [&'static str],
+) {
+    let mut allowed_exact = HashSet::from(["/var/lib/containerd", "/var/lib/host-containerd"]);
     if variant.contains("k8s") {
-        allowed.insert("/var/lib/kubelet");
-        allowed.insert("/var/log/pods");
+        allowed_exact.insert("/var/lib/kubelet");
+        allowed_exact.insert("/var/log/pods");
     }
     if variant.contains("ecs") {
-        allowed.insert("/var/lib/docker");
-        allowed.insert("/var/log/ecs");
+        allowed_exact.insert("/var/lib/docker");
+        allowed_exact.insert("/var/log/ecs");
     }
-    allowed
+    let allowed_prefixes: &'static [&'static str] = &["/mnt/"];
+    let disallowed_contains: &'static [&'static str] = &["..", "/mnt/.ephemeral"];
+    (allowed_exact, allowed_prefixes, disallowed_contains)
 }
 
 /// scans the raid array to identify if it has been created already

sources/api/apiserver/src/server/mod.rs

@@ -703,18 +703,18 @@ async fn list_ephemeral_storage_dirs(
 ) -> Result<HttpResponse> {
     let os_info = controller::get_os_info()?;
 
-    let allowed = ephemeral_storage::allowed_bind_dirs(&os_info.variant_id);
+    let (allowed_exact, _, _) = ephemeral_storage::allowed_bind_dirs(&os_info.variant_id);
     let mut text_response = String::new();
-    for dir in &allowed {
+    for dir in &allowed_exact {
         text_response.push_str(dir);
         text_response.push('\n');
     }
 
-    let allowed: Vec<String> = allowed.iter().map(|x| String::from(*x)).collect();
+    let allowed: Vec<String> = allowed_exact.iter().map(|x| String::from(*x)).collect();
     list_ephemeral_response(req, query, allowed, text_response).await
 }
 
-// Responds to a list request with the text or JSON resposne depending on the query format.
+// Responds to a list request with the text or JSON response depending on the query format.
 async fn list_ephemeral_response(
     req: HttpRequest,
     query: web::Query<HashMap<String, String>>,