mirrors/talos
1
0
Fork 0
mirror of https://github.com/siderolabs/talos.git synced 2025-12-08 19:11:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: relax extensions file structure validation

Browse Source 
* allow empty directories (I see no harm in having them)
* allow symlinks

See also https://github.com/talos-systems/extensions/pull/20

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
This commit is contained in:
Andrey Smirnov 2022-03-15 23:19:21 +03:00
parent 50594ab1a7
commit cd4d4c6054
No known key found for this signature in database
GPG Key ID: 7B26396447AB6DFD
5 changed files with 2 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
internal/pkg/extensions/extensions_test.go
View File

@ -76,10 +76,6 @@ func TestValidateFailures(t *testing.T) {
name: "norootfs", name: "norootfs",
loadError: "extension rootfs is missing", loadError: "extension rootfs is missing",
}, },
{
name: "symlinks",
validateError: "symlinks are not allowed: \"/usr/local/b\"",
},
{ {
name: "badpaths", name: "badpaths",
validateError: "path \"/boot/vmlinuz\" is not allowed in extensions", validateError: "path \"/boot/vmlinuz\" is not allowed in extensions",

10
internal/pkg/extensions/testdata/bad/symlinks/manifest.yaml vendored
View File

@ -1,10 +0,0 @@
version: v1alpha1
metadata:
name: gvisor
version: 20220117.0-v1.0.0
author: Andrew Rynhard
description: >
This system extension provides gVisor using containerd's runtime handler.
compatibility:
talos:
version: ">= v1.0.0"

1
internal/pkg/extensions/testdata/bad/symlinks/rootfs/usr/local/b vendored
View File

@ -1 +0,0 @@
a

1
internal/pkg/extensions/testdata/good/extension1/rootfs/usr/local/lib/a.so.1 vendored Symbolic link
View File

@ -0,0 +1 @@
a.so

21
internal/pkg/extensions/validate.go
View File

@ -70,11 +70,6 @@ func (ext *Extension) validateContents() error {
return fmt.Errorf("world-writeable files are not allowed: %q", itemPath) return fmt.Errorf("world-writeable files are not allowed: %q", itemPath)
} }
// no symlinks
if d.Type().Type() == os.ModeSymlink {
return fmt.Errorf("symlinks are not allowed: %q", itemPath)
}
var st fs.FileInfo var st fs.FileInfo
st, err = d.Info() st, err = d.Info()
@ -88,24 +83,10 @@ func (ext *Extension) validateContents() error {
} }
// no special files // no special files
if !d.IsDir() && !d.Type().IsRegular() { if !d.IsDir() && !d.Type().IsRegular() && d.Type().Type() != os.ModeSymlink {
return fmt.Errorf("special files are not allowed: %q", itemPath) return fmt.Errorf("special files are not allowed: %q", itemPath)
} }
// directories should be non-empty
if d.IsDir() {
var contents []fs.DirEntry
contents, err = os.ReadDir(path)
if err != nil {
return err
}
if len(contents) == 0 {
return fmt.Errorf("empty directories are not allowed: %q", itemPath)
}
}
// regular file: check for file path being whitelisted // regular file: check for file path being whitelisted
if !d.IsDir() { if !d.IsDir() {
dirPath := filepath.Dir(itemPath) dirPath := filepath.Dir(itemPath)