Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bake: prohibit read/write an arbitrary path on the client host filesystem #1518

Closed
AkihiroSuda opened this issue Jan 14, 2023 · 3 comments
Closed

bake: prohibit read/write an arbitrary path on the client host filesystem #1518

AkihiroSuda opened this issue Jan 14, 2023 · 3 comments
Labels
area/bake kind/duplicate This issue or pull request already exists kind/enhancement New feature or request

Comments

@AkihiroSuda
Copy link
Collaborator

AkihiroSuda commented Jan 14, 2023
edited
Loading

Currently, a bake file may specify an arbitrary path on the client host filesystem for reading secrets, writing outputs, etc.

Probably buildx should have a CLI flag to specify the allow list of the accessible path.

The path can be just validated in util/buildflags/*.go , but it might be nice to have landlock too on Linux clients. (And potentially pledge for OpenBSD clients)
@AkihiroSuda AkihiroSuda added kind/enhancement New feature or request area/bake labels Jan 14, 2023
@AkihiroSuda AkihiroSuda changed the title bake: prohibit writing to an arbitrary path on the client host filesystem bake: prohibit read/write an arbitrary path on the client host filesystem Jan 14, 2023
@thaJeztah
Copy link
Member

ISTR bake was largely to have a parallel with make - do you know if there's parallels to draw with make in this respect? (Does make allow for "don't create a target if it doesn't exist"?)

@tonistiigi
Copy link
Member

I think this is covered by #179

@thompson-shaun
Copy link
Collaborator

Closing since this should get coverage in #179. Please re-open if this is incorrect :)

@AkihiroSuda AkihiroSuda closed this as not planned Won't fix, can't repro, duplicate, stale Jun 11, 2024
@AkihiroSuda AkihiroSuda added the kind/duplicate This issue or pull request already exists label Jun 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/bake kind/duplicate This issue or pull request already exists kind/enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tonistiigi @thaJeztah @AkihiroSuda @thompson-shaun