feat: relax extensions file structure validation

* allow empty directories (I see no harm in having them) * allow symlinks See also https://github.com/talos-systems/extensions/pull/20 Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
2025-12-07 18:41:33 +01:00 · 2022-03-15 23:19:21 +03:00 · 2022-03-15 23:19:21 +03:00 · cd4d4c6054
commit cd4d4c6054
parent 50594ab1a7
5 changed files with 2 additions and 35 deletions
--- a/internal/pkg/extensions/extensions_test.go
+++ b/internal/pkg/extensions/extensions_test.go
@ -76,10 +76,6 @@ func TestValidateFailures(t *testing.T) {
 			name:      "norootfs",
 			loadError: "extension rootfs is missing",
 		},
-		{
-			name:          "symlinks",
-			validateError: "symlinks are not allowed: \"/usr/local/b\"",
-		},
 		{
 			name:          "badpaths",
 			validateError: "path \"/boot/vmlinuz\" is not allowed in extensions",
--- a/internal/pkg/extensions/testdata/bad/symlinks/manifest.yaml
+++ b/internal/pkg/extensions/testdata/bad/symlinks/manifest.yaml
@ -1,10 +0,0 @@
-version: v1alpha1
-metadata:
-  name: gvisor
-  version: 20220117.0-v1.0.0
-  author: Andrew Rynhard
-  description: >
-    This system extension provides gVisor using containerd's runtime handler.
-  compatibility:
-    talos:
-      version: ">= v1.0.0"
--- a/internal/pkg/extensions/testdata/bad/symlinks/rootfs/usr/local/b
+++ b/internal/pkg/extensions/testdata/bad/symlinks/rootfs/usr/local/b
@ -1 +0,0 @@
-a
--- a/internal/pkg/extensions/testdata/good/extension1/rootfs/usr/local/lib/a.so.1
+++ b/internal/pkg/extensions/testdata/good/extension1/rootfs/usr/local/lib/a.so.1
@ -0,0 +1 @@
+a.so
--- a/internal/pkg/extensions/validate.go
+++ b/internal/pkg/extensions/validate.go
@ -70,11 +70,6 @@ func (ext *Extension) validateContents() error {
 			return fmt.Errorf("world-writeable files are not allowed: %q", itemPath)
 		}

-		// no symlinks
-		if d.Type().Type() == os.ModeSymlink {
-			return fmt.Errorf("symlinks are not allowed: %q", itemPath)
-		}
-
 		var st fs.FileInfo

 		st, err = d.Info()
@ -88,24 +83,10 @@ func (ext *Extension) validateContents() error {
 		}

 		// no special files
-		if !d.IsDir() && !d.Type().IsRegular() {
+		if !d.IsDir() && !d.Type().IsRegular() && d.Type().Type() != os.ModeSymlink {
 			return fmt.Errorf("special files are not allowed: %q", itemPath)
 		}

-		// directories should be non-empty
-		if d.IsDir() {
-			var contents []fs.DirEntry
-
-			contents, err = os.ReadDir(path)
-			if err != nil {
-				return err
-			}
-
-			if len(contents) == 0 {
-				return fmt.Errorf("empty directories are not allowed: %q", itemPath)
-			}
-		}
-
 		// regular file: check for file path being whitelisted
 		if !d.IsDir() {
 			dirPath := filepath.Dir(itemPath)