From c8e423b55ed009a31ae40c68ff6e842b478b9127 Mon Sep 17 00:00:00 2001 From: tomsweeneyredhat Date: Mon, 24 Apr 2023 18:11:53 -0400 Subject: [PATCH] Add file swith for pre-exec The long term goal was to provide the customer a way to turn on the preexec_hooks processing of script by having some kind of configuration that could be read. I had tried putting it into containers.conf to start, but that turned out to be unyieldly quickly and time is of the essence for this fix. That is mostly due to the fact that this code is preexecution and in C, the conatiners.conf file is read in Go much further down the stack. After first trying this process using an ENVVAR, I have thought it over and chatted with others and will now look for a /etc/containers/podman_preexec_hooks.txt file to exist. If the admin had put one in there, we will then process the files in the directories `/usr/libexec/podman/pre-exec-hooks` and `/etc/containers/pre-exec-hooks`. Thoughts/suggestions gratefully accepted. This will be a 8.8/9.2 ZeroDay fix and will need to be backported to the v4.4.1-rhel branch. Signed-off-by: tomsweeneyredhat --- pkg/rootless/rootless_linux.c | 7 +++++++ test/system/950-preexec-hooks.bats | 31 +++++++++++++++++++++++++++++- 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/pkg/rootless/rootless_linux.c b/pkg/rootless/rootless_linux.c index 83c256e6b1..bf400c0594 100644 --- a/pkg/rootless/rootless_linux.c +++ b/pkg/rootless/rootless_linux.c @@ -254,6 +254,13 @@ do_preexec_hooks_dir (const char *dir, char **argv, int argc) static void do_preexec_hooks (char **argv, int argc) { + // Access the preexec_hooks_dir indicator file + // return without processing if the file doesn't exist + char preexec_hooks_path[] = "/etc/containers/podman_preexec_hooks.txt"; + if (access(preexec_hooks_path, F_OK) != 0) { + return; + } + char *preexec_hooks = getenv ("PODMAN_PREEXEC_HOOKS_DIR"); do_preexec_hooks_dir (LIBEXECPODMAN "/pre-exec-hooks", argv, argc); do_preexec_hooks_dir (ETC_PREEXEC_HOOKS, argv, argc); diff --git a/test/system/950-preexec-hooks.bats b/test/system/950-preexec-hooks.bats index 9c2f75b596..0ea6d484db 100644 --- a/test/system/950-preexec-hooks.bats +++ b/test/system/950-preexec-hooks.bats @@ -6,15 +6,39 @@ load helpers load helpers.network +# The existence of this file allows preexec hooks to run. +preexec_hook_ok_file=/etc/containers/podman_preexec_hooks.txt + function setup() { basic_setup } function teardown() { + if [[ -n "$preexec_hook_ok_file" ]]; then + sudo -n rm -f $preexec_hook_ok_file || true + fi + basic_teardown } @test "podman preexec hook" { + # This file does not exist on any CI system nor any developer system + # nor actually anywhere in the universe except a small small set of + # places with very specific requirements. If we find this file on + # our test system, it could be a leftover from prior testing, or + # basically just something very weird. So, fail loudly if we see it. + # No podman developer ever wants this file to exist. + if [[ -e $preexec_hook_ok_file ]]; then + # Unset the variable, so we don't delete it in teardown + msg="File already exists (it should not): $preexec_hook_ok_file" + preexec_hook_ok_file= + + die "$msg" + fi + + # Good. File does not exist. Now see if we can TEMPORARILY create it. + sudo -n touch $preexec_hook_ok_file || skip "test requires sudo" + preexec_hook_dir=$PODMAN_TMPDIR/auth mkdir -p $preexec_hook_dir preexec_hook_script=$preexec_hook_dir/pull_check.sh @@ -29,5 +53,10 @@ EOF chmod +x $preexec_hook_script PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 42 pull foobar - PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 43 pull barfoo + PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman 43 version + + sudo -n rm -f $preexec_hook_ok_file || true + + # no hooks-ok file, everything should now work again (HOOKS_DIR is ignored) + PODMAN_PREEXEC_HOOKS_DIR=$preexec_hook_dir run_podman version }