Filter seccomp profile path from malicious .. and / #27036
Added unit tests for profile loading.
}, | ||
{ | ||
annotations: map[string]string{ | ||
"seccomp.security.alpha.kubernetes.io/pod": "localhost/../..//foo/../sub/subtest", |
I think this should be considered an invalid value
fixed.
|
||
for _, test := range tests { | ||
dm, fakeDocker := newTestDockerManagerWithVersion("1.10.1", "1.22") | ||
_, filename, _, _ := goruntime.Caller(0) |
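Review bot: the ok result of goruntime.Caller(0) is discarded on the last line of this hunk, so a failed lookup leaves filename empty and any fixture path derived from it silently wrong. Capture the fourth return value and fail the test when it is false, for example "_, filename, _, ok := goruntime.Caller(0)" followed by a t.Fatal on !ok.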
Looks like this is having issues in jenkins:
--- FAIL: TestSeccompLocalhostProfileIsLoaded (0.04s)
manager_test.go:1915: dm.seccompProfileRoot=/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/kubelet/dockertools/fixtures/seccomp
<autogenerated>:31:
Error Trace: manager_test.go:1952
Error: "[seccomp:unconfined]" does not contain "{"foo":"bar"}"
Messages: The compacted seccomp json profile should be loaded.
manager_test.go:1915: dm.seccompProfileRoot=/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/kubelet/dockertools/fixtures/seccomp
<autogenerated>:31:
Error Trace: manager_test.go:1952
Error: "[seccomp:unconfined]" does not contain "{"abc":"def"}"
Messages: The compacted seccomp json profile should be loaded.
manager_test.go:1915: dm.seccompProfileRoot=/go/src/k8s.io/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/kubelet/dockertools/fixtures/seccomp
<autogenerated>:31:
Error Trace: manager_test.go:1952
Error: "[seccomp:unconfined]" does not contain "{"abc":"def"}"
Messages: The compacted seccomp json profile should be loaded.
fixed.
a03e515 to ded3dca
name := strings.TrimPrefix(profile, "localhost/") | ||
cleanName := strings.TrimPrefix(path.Clean("/"+name), "/") | ||
if name != cleanName { | ||
return nil, fmt.Errorf("invalid seccomp profile name: %s", name) |
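Review bot: the name != cleanName comparison lets an empty name through. For a profile of exactly "localhost/", name is "" and path.Clean("/") with its leading slash trimmed is also "", so no error is returned. Reject that case explicitly, e.g. "if name == "" || name != cleanName {". The error text would also be safer formatted with %q instead of %s, since name is untrusted annotation content.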
I talked with @pmorie on irc and we think ideally we'd have a helper function to do this, as it's needed in multiple places. There's already private validation code at
kubernetes/pkg/api/validation/validation.go
Line 742 in 5288a25
func validateSubPath(targetPath string, fldPath *field.Path) field.ErrorList {
Given that we probably shouldn't change the validation code during the 1.3 code freeze, it's probably best to copy the logic from validateSubPath into here and put a TODO to create a helper and unify this code and the other places we need this logic after 1.3 is out.
In fact, the validation logic belongs in api/validation. I have added a commit implementing that. It's purely additional validation code, nothing old changed. I hope that's fine for 1.3. If not, I can split it and leave the upper code as it is, with an additional PR for post-1.3.
054d320 to e771f76
@ncdc ptal
I won't be able to look soon. Could you please find another reviewer? On Monday, June 13, 2016, Dr. Stefan Schimanski notifications@github.com
@pmorie ptal for a final review
@@ -2711,6 +2767,62 @@ func TestValidatePod(t *testing.T) { | |||
DNSPolicy: api.DNSClusterFirst, | |||
}, | |||
}, | |||
"must be a valid pod seccomp profile": { |
how about a test for the container annotation without a container name?
fixed.
e771f76 to 87fa159
@pmorie ptal
87fa159 to 3826d25
Thanks for the patch @sttts!
@k8s-bot test this issue: #IGNORE
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
GCE e2e build/test passed for commit 3826d25.
Automatic merge from submit-queue
Without this patch, with localhost/<some-relative-path> as seccomp profile one can load any file on the host, e.g. localhost/../../../../dev/mem, which is not healthy for the kubelet.

/cc @jfrazelle

Unit tests depend on #26710.
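The name check described above, written as a stand-alone function (an added example, not code from this pull request). The function name profilePath, the root directory and the sample annotation values are assumptions; the empty-name rejection and the second containment check go beyond what the patch shows.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// profilePath resolves a "localhost/<name>" seccomp annotation value to a file
// under root. The function name is hypothetical; the cleaned-name comparison
// mirrors the check in the patch.
func profilePath(root, profile string) (string, error) {
	if !strings.HasPrefix(profile, "localhost/") {
		return "", fmt.Errorf("unsupported seccomp profile %q", profile)
	}
	name := strings.TrimPrefix(profile, "localhost/")
	// Clean the name as if rooted at "/": any ".." that would climb above the
	// root is dropped, so a difference means the name was not canonical.
	cleanName := strings.TrimPrefix(path.Clean("/"+name), "/")
	if name == "" || name != cleanName {
		return "", fmt.Errorf("invalid seccomp profile name: %q", name)
	}
	full := filepath.Join(root, filepath.FromSlash(name))
	// Independent second check: the joined path must still sit below root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("seccomp profile %q escapes %s", name, root)
	}
	return full, nil
}

func main() {
	root := "/srv/seccomp" // constructed root directory for the example
	for _, p := range []string{ // constructed annotation values
		"localhost/sub/subtest",
		"localhost/../../../../dev/mem",
		"localhost/../..//foo/../sub/subtest",
		"localhost//etc/passwd",
		"localhost/",
	} {
		full, err := profilePath(root, p)
		fmt.Printf("%-40q -> %q, err=%v\n", p, full, err)
	}
}
```

Only the first value resolves to a path; the other four are rejected before any file is opened.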