
pr feedback: wait path can be an arbitrary path inside container
To support an arbitrary path inside container, we need to resolve
the full path inside UVM, which will be:
/run/gcs/c/<containerID>/rootfs/<wait-path>

Fix comments referencing a wrong sandbox mount format

Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl committed Mar 2, 2022
1 parent 8094467 commit 403666c
Showing 2 changed files with 17 additions and 9 deletions.
16 changes: 10 additions & 6 deletions pkg/securitypolicy/securitypolicyenforcer.go
Expand Up @@ -476,11 +476,14 @@ func possibleIndexesForID(containerID string, mapping map[int]map[string]struct{
// is expected to take place inside LCOW UVM.
//
// Supported scenarios:
// 1. expected mount is provided as a path inside the sandbox and it should resolve inside UVM
// e.g, "sandbox://path/on/the/host, which will correspond to "/run/gcs/c/sandboxMounts/path/on/the/host"
// 1. expected mount is provided as a path inside the sandbox, and it should resolve inside UVM
// e.g, "sandbox://path/on/the/host", which will correspond to "/run/gcs/c/<podID>/sandboxMounts/path/on/the/host"
// 2. expected mount is provided as a path under a sandbox mount path inside container, e.g.,
// sandbox mount is at path "/sandbox/mount" and wait path is "/sandbox/mount/wait/path", which
// corresponds to "/run/gcs/c/sandboxMounts/path/on/the/host/wait/path"
// corresponds to "/run/gcs/c/<podID>/sandboxMounts/path/on/the/host/wait/path"
// 3. expected mount is provided as an arbitrary path inside container, and it should resolve
// inside UVM, e.g., "/arbitrary/container/path", which corresponds to
// "/run/gcs/c/<containerID>/rootfs/arbitrary/container/path"
func (pe *StandardSecurityPolicyEnforcer) EnforceExpectedMountsPolicy(containerID string, spec *oci.Spec) error {
pe.mutex.Lock()
defer pe.mutex.Unlock()
Expand Down Expand Up @@ -519,7 +522,8 @@ func (pe *StandardSecurityPolicyEnforcer) EnforceExpectedMountsPolicy(containerI

var wPaths []string
for _, mount := range wMounts {
wp := ""
// By default, handle scenario #3 and resolve container path to the actual path inside UVM.
wp := filepath.Join(guestpath.LCOWRootPrefixInUVM, containerID, guestpath.RootfsPath, mount)
if strings.HasPrefix(mount, guestpath.SandboxMountPrefix) {
// This covers case #1, and we replace sandbox mount prefix with the sandbox
// mounts path inside UVM
Expand All @@ -530,13 +534,13 @@ func (pe *StandardSecurityPolicyEnforcer) EnforceExpectedMountsPolicy(containerI
// correct sandbox mount where the wait path is nested under. The mount
// spec will be something like:
// {
// "source": "/run/gcs/c/sandboxMounts/path/on/host",
// "source": "/run/gcs/c/<podID>/sandboxMounts/path/on/host",
// "destination": "/sandbox/mount"
// }
// The wait path will be "/sandbox/mount/wait/path". To find the corresponding
// sandbox mount do a prefix match on wait path against all container mounts Destination
// and resolve the full path inside UVM. For example above it becomes
// "/run/gcs/c/sandboxMounts/path/on/host/wait/path"
// "/run/gcs/c/<podID>/sandboxMounts/path/on/host/wait/path"
for _, m := range spec.Mounts {
if strings.HasPrefix(mount, m.Destination) {
wp = filepath.Join(m.Source, strings.TrimPrefix(mount, m.Destination))
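Review bot: The new default on the `wp := filepath.Join(...)` line in the second hunk hands the policy-supplied wait path straight to filepath.Join, which cleans `..` segments, so a constructed wait path like `../../x` resolves to a location above `<containerID>/rootfs` rather than inside it, and nothing in the hunk checks for that. Since the wait path is the value being enforced here, I would compute the root once and verify containment right after the join: `root := filepath.Join(guestpath.LCOWRootPrefixInUVM, containerID, guestpath.RootfsPath)` followed by `if !strings.HasPrefix(wp, root+string(filepath.Separator)) { return an error naming mount }`. The removed `wp := ""` default also meant an unmatched scenario #2 path stayed empty; if code later in EnforceExpectedMountsPolicy relied on an empty wp to report an unresolved path, that branch is now unreachable — worth confirming, as the function continues outside the hunk.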

