Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

runtimetest: add readonly path validation #76

Merged
merged 1 commit into from
Jun 2, 2016
Merged

runtimetest: add readonly path validation #76

merged 1 commit into from
Jun 2, 2016

Conversation

Mashimiao
Copy link

Signed-off-by: Ma Shimiao [email protected]

@wking
Copy link
Contributor

wking commented May 25, 2016

On Tue, May 24, 2016 at 08:52:20PM -0700, Ma Shimiao wrote:

  • runtimetest: add readonly path validation

Travis is missing ‘spec’ in main.go around line 194 1.

wking
wking reviewed May 25, 2016
View reviewed changes
cmd/runtimetest/main.go
@@ -191,6 +191,20 @@ func validateSysctls(spec *rspec.Spec) error {
return nil
}

func validateROPaths(spec, *rspec.Spec) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Drop the comma?

@Mashimiao Mashimiao force-pushed the runtime-test-readonly-path-validation branch from 7a11ef4 to bee2090 Compare May 25, 2016 04:12
@wking
Copy link
Contributor

wking commented May 25, 2016

On Tue, May 24, 2016 at 11:11:04PM -0700, Ma Shimiao wrote:

Yes, but runtimetest as configured process in config.json, it
should be executed in container namespace.

Ah, that's the piece I was forgetting. This looks good to me then.

liangchenye
liangchenye reviewed May 26, 2016
View reviewed changes
cmd/runtimetest/main.go
@@ -191,6 +191,20 @@ func validateSysctls(spec *rspec.Spec) error {
return nil
}

func validateROPaths(spec *rspec.Spec) error {
fmt.Println("validating Readonly Paths")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

using 'validating readonlyPaths' as Mrunal suggested match what is expected to be the property name.

@Mashimiao Mashimiao force-pushed the runtime-test-readonly-path-validation branch from bee2090 to d55b619 Compare May 26, 2016 03:29
@Mashimiao
Copy link
Author

@liangchenye fixed.

@liangchenye
Copy link
Member

LGTM

wking
wking reviewed May 26, 2016
View reviewed changes
cmd/runtimetest/main.go
func validateROPaths(spec *rspec.Spec) error {
fmt.Println("validating readonlyPaths")
for _, v := range spec.Linux.ReadonlyPaths {
fi, err := os.Stat(v)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This stat-based approach should be changed to an attempted-write approach.

Copy link
Contributor

@wking wking May 26, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And it's probably worth making “is this path readonly?” a separate function so it can be shared with the check in #81.

Copy link
Author

@Mashimiao Mashimiao May 27, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wking The spec says "readonlyPaths will set the provided paths as readonly inside the container."
It seems not to remount readonlyPaths and just change their permisson inside container. If this is true, I think current implementation is OK.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On Thu, May 26, 2016 at 07:30:15PM -0700, Ma Shimiao wrote:

It seems not to remount readonlyPaths and just change their
permisson.

I think the spec wording leaves the implemenation ambiguous. And
attempting a read clearly covers all possible implementations, while
checking the mode only covers a single implementation.

@cyphar
Copy link
Member

cyphar commented May 27, 2016
edited
Loading

This has the same problem as #78 -- mounting something readonly doesn't change the mode. We should check that it is actually readonly by attempting a write and making sure it fails with EROFS.

@Mashimiao Mashimiao force-pushed the runtime-test-readonly-path-validation branch from d55b619 to 3c250a9 Compare June 1, 2016 02:01
@liangchenye
Copy link
Member

3c250a9 LGTM

@cyphar
Copy link
Member

cyphar commented Jun 1, 2016

IANAM, but LGTM 3c250a9.

@mrunalp
Copy link
Contributor

mrunalp commented Jun 1, 2016

Looks good but needs rebase.

@Mashimiao Mashimiao force-pushed the runtime-test-readonly-path-validation branch from 3c250a9 to 447a73b Compare June 2, 2016 01:09
@Mashimiao
Copy link
Author

@mrunalp rebased.

@mrunalp
Copy link
Contributor

mrunalp commented Jun 2, 2016

LGTM

@mrunalp mrunalp merged commit 89907b6 into opencontainers:master Jun 2, 2016
@Mashimiao Mashimiao deleted the runtime-test-readonly-path-validation branch November 14, 2016 09:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Mashimiao @wking @liangchenye @cyphar @mrunalp