From cd4d4c6054107cd6c9274acb2abb4a045368a9fc Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Tue, 15 Mar 2022 23:19:21 +0300
Subject: [PATCH] feat: relax extensions file structure validation

* allow empty directories (I see no harm in having them)
* allow symlinks

See also https://github.com/talos-systems/extensions/pull/20

Signed-off-by: Andrey Smirnov
---
 internal/pkg/extensions/extensions_test.go | 4 ----
 .../testdata/bad/symlinks/manifest.yaml | 10 ---------
 .../testdata/bad/symlinks/rootfs/usr/local/b | 1 -
 .../extension1/rootfs/usr/local/lib/a.so.1 | 1 +
 internal/pkg/extensions/validate.go | 21 +------------------
 5 files changed, 2 insertions(+), 35 deletions(-)
 delete mode 100644 internal/pkg/extensions/testdata/bad/symlinks/manifest.yaml
 delete mode 120000 internal/pkg/extensions/testdata/bad/symlinks/rootfs/usr/local/b
 create mode 120000 internal/pkg/extensions/testdata/good/extension1/rootfs/usr/local/lib/a.so.1

diff --git a/internal/pkg/extensions/extensions_test.go b/internal/pkg/extensions/extensions_test.go
index 8296a8422..722a368a0 100644
--- a/internal/pkg/extensions/extensions_test.go
+++ b/internal/pkg/extensions/extensions_test.go
@@ -76,10 +76,6 @@ func TestValidateFailures(t *testing.T) {
 name: "norootfs",
 loadError: "extension rootfs is missing",
 },
- {
- name: "symlinks",
- validateError: "symlinks are not allowed: \"/usr/local/b\"",
- },
 {
 name: "badpaths",
 validateError: "path \"/boot/vmlinuz\" is not allowed in extensions",
diff --git a/internal/pkg/extensions/testdata/bad/symlinks/manifest.yaml b/internal/pkg/extensions/testdata/bad/symlinks/manifest.yaml
deleted file mode 100644
index 45bb96b97..000000000
--- a/internal/pkg/extensions/testdata/bad/symlinks/manifest.yaml
+++ /dev/null
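Review bot: Dropping the `symlinks` failure case leaves both relaxations without a positive assertion: nothing in this hunk checks that a symlink or an empty directory now passes validation. The new `a.so.1` link under `testdata/good/extension1` (visible in the diffstat) is presumably covered by whatever test loads the good extensions, but an empty directory cannot be checked in as a fixture at all, since git does not track empty directories. A test for that path would have to create the directory at run time, e.g. copy the fixture into `t.TempDir()` and call `os.MkdirAll(filepath.Join(rootfs, "usr", "local", "empty"), 0o755)` before validating. `TestValidateFailures` starts before the hunk and continues after it.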
@@ -1,10 +0,0 @@
-version: v1alpha1
-metadata:
- name: gvisor
- version: 20220117.0-v1.0.0
- author: Andrew Rynhard
- description: >
- This system extension provides gVisor using containerd's runtime handler.
- compatibility:
- talos:
- version: ">= v1.0.0"
diff --git a/internal/pkg/extensions/testdata/bad/symlinks/rootfs/usr/local/b b/internal/pkg/extensions/testdata/bad/symlinks/rootfs/usr/local/b
deleted file mode 120000
index 2e65efe2a..000000000
--- a/internal/pkg/extensions/testdata/bad/symlinks/rootfs/usr/local/b
+++ /dev/null
@@ -1 +0,0 @@
-a
\ No newline at end of file
diff --git a/internal/pkg/extensions/testdata/good/extension1/rootfs/usr/local/lib/a.so.1 b/internal/pkg/extensions/testdata/good/extension1/rootfs/usr/local/lib/a.so.1
new file mode 120000
index 000000000..534807a15
--- /dev/null
+++ b/internal/pkg/extensions/testdata/good/extension1/rootfs/usr/local/lib/a.so.1
@@ -0,0 +1 @@
+a.so
\ No newline at end of file
diff --git a/internal/pkg/extensions/validate.go b/internal/pkg/extensions/validate.go
index ee944d651..768f99648 100644
--- a/internal/pkg/extensions/validate.go
+++ b/internal/pkg/extensions/validate.go
@@ -70,11 +70,6 @@ func (ext *Extension) validateContents() error {
 return fmt.Errorf("world-writeable files are not allowed: %q", itemPath)
 }
- // no symlinks
- if d.Type().Type() == os.ModeSymlink {
- return fmt.Errorf("symlinks are not allowed: %q", itemPath)
- }
-
 var st fs.FileInfo
 st, err = d.Info()
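Review bot: With the `os.ModeSymlink` rejection removed here, and the exemption added to the special-files condition in the second validate.go hunk, nothing in validateContents looks at where a link points: the whitelist check in the second hunk derives `dirPath` from the link's own `itemPath`, and `d.Info()` on the line below reports the link itself rather than its target, so a link sitting in an allowed directory is accepted regardless of what it references. Depending on how the rootfs is applied at runtime (outside this file), a link in a whitelisted location can therefore alias a path the whitelist would have rejected. If only relative links within the rootfs are intended, as the `a.so.1 -> a.so` fixture suggests, the check belongs next to the special-files condition: `target, err := os.Readlink(path)`, reject when `filepath.IsAbs(target)`, and run the same whitelist check on `filepath.Join(filepath.Dir(itemPath), target)` that is applied to `itemPath`. validateContents starts before the hunk and continues after it.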
@@ -88,24 +83,10 @@ func (ext *Extension) validateContents() error {
 }
 // no special files
- if !d.IsDir() && !d.Type().IsRegular() {
+ if !d.IsDir() && !d.Type().IsRegular() && d.Type().Type() != os.ModeSymlink {
 return fmt.Errorf("special files are not allowed: %q", itemPath)
 }
- // directories should be non-empty
- if d.IsDir() {
- var contents []fs.DirEntry
-
- contents, err = os.ReadDir(path)
- if err != nil {
- return err
- }
-
- if len(contents) == 0 {
- return fmt.Errorf("empty directories are not allowed: %q", itemPath)
- }
- }
-
 // regular file: check for file path being whitelisted
 if !d.IsDir() {
 dirPath := filepath.Dir(itemPath)
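Review bot: The `// no special files` comment above the changed condition and the `// regular file: check for file path being whitelisted` comment before the `if !d.IsDir()` block no longer describe the code: the condition now deliberately lets symlinks through, and the whitelist block is entered for symlinks as well as regular files. Suggest `// no special files (symlinks are allowed and whitelisted by path below)` on the first and `// regular file or symlink: check for file path being whitelisted` on the second, so the exemption is visible without decoding the three-clause negation. The condition itself would read more directly as a `switch d.Type().Type()` with explicit `case 0, os.ModeSymlink:` arms, but that is a matter of taste. validateContents continues past the end of the hunk.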