Add support for --security-opt mask and unmask

Fixes: https://github.com/containers/buildah/issues/5881 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2024-12-18 10:47:40 -05:00 · 2024-12-18 10:47:40 -05:00 · adf54cde0e
parent 996c49d8ec
commit adf54cde0e
8 changed files with 63 additions and 3 deletions
--- a/define/build.go
+++ b/define/build.go
@ -62,6 +62,8 @@ type CommonBuildOptions struct {
 	// LabelOpts is a slice of the fields of an SELinux context, given in "field:pair" format, or "disable".
 	// Recognized field names are "role", "type", and "level".
 	LabelOpts []string
 	// Paths to mask
 	Masks []string
 	// MemorySwap limits the amount of memory and swap together.
 	MemorySwap int64
 	// NoHostname tells the builder not to create /etc/hostname content when running
@ -109,6 +111,8 @@ type CommonBuildOptions struct {
 	SSHSources []string
 	// OCIHooksDir is the location of OCI hooks for the build containers
 	OCIHooksDir []string
 	// Paths to unmask
 	Unmasks []string
 }
 // BuildOptions can be used to alter how an image is built.
--- a/docs/buildah-build.1.md
+++ b/docs/buildah-build.1.md
@ -935,11 +935,17 @@ Security Options
  "label=type:TYPE"       : Set the label type for the container
  "label=level:LEVEL"     : Set the label level for the container
  "label=disable"         : Turn off label confinement for the container
  "mask=_/path/1:/path/2_": The paths to mask separated by a colon. A masked path cannot be accessed inside the container.
  "no-new-privileges"     : Disable container processes from gaining additional privileges
  "seccomp=unconfined"    : Turn off seccomp confinement for the container
  "seccomp=profile.json   : JSON configuration for a seccomp filter
  "unmask=_ALL_ or _/path/1:/path/2_, or shell expanded paths (/proc/*): Paths to unmask separated by a colon. If set to **ALL**, it unmasks all the paths that are masked or made read-only by default.
  The default masked paths are **/proc/acpi, /proc/kcore, /proc/keys, /proc/latency_stats, /proc/sched_debug, /proc/scsi, /proc/timer_list, /proc/timer_stats, /sys/firmware, and /sys/fs/selinux**, **/sys/devices/virtual/powercap**.  The default paths that are read-only are **/proc/asound**, **/proc/bus**, **/proc/fs**, **/proc/irq**, **/proc/sys**, **/proc/sysrq-trigger**, **/sys/fs/cgroup**.
 **--shm-size**=""
 Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`.
--- a/internal/mkcw/embed/entrypoint_amd64.gz
+++ b/internal/mkcw/embed/entrypoint_amd64.gz
--- a/pkg/parse/parse.go
+++ b/pkg/parse/parse.go
@ -249,6 +249,18 @@ func parseSecurityOpts(securityOpts []string, commonOpts *define.CommonBuildOpti
 			commonOpts.ApparmorProfile = con[1]
 		case "seccomp":
 			commonOpts.SeccompProfilePath = con[1]
 		case "mask":
 			commonOpts.Masks = append(commonOpts.Masks, strings.Split(con[1], ":")...)
 		case "unmask":
 			unmasks := strings.Split(con[1], ":")
 			for _, unmask := range unmasks {
 				matches, _ := filepath.Glob(unmask)
 				if len(matches) > 0 {
 					commonOpts.Unmasks = append(commonOpts.Unmasks, matches...)
 					continue
 				}
 				commonOpts.Unmasks = append(commonOpts.Unmasks, unmask)
 			}
 		default:
 			return fmt.Errorf("invalid --security-opt 2: %q", opt)
 		}
--- a/run_linux.go
+++ b/run_linux.go
@ -328,7 +328,7 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 		}
 	}
-	setupMaskedPaths(g)
+	setupMaskedPaths(g, b.CommonBuildOpts)
 	setupReadOnlyPaths(g)
 	setupTerminal(g, options.Terminal, options.TerminalSize)
@ -1199,8 +1199,14 @@ func (b *Builder) runSetupVolumeMounts(mountLabel string, volumeMounts []string,
 	return mounts, nil
 }
-func setupMaskedPaths(g *generate.Generator) {
+func setupMaskedPaths(g *generate.Generator, opts *define.CommonBuildOptions) {
-	for _, mp := range config.DefaultMaskedPaths {
+	if slices.Contains(opts.Unmasks, "all") {
 		return
 	}
 	for _, mp := range append(config.DefaultMaskedPaths, opts.Masks...) {
 		if slices.Contains(opts.Unmasks, mp) {
 			continue
 		}
 		g.AddLinuxMaskedPaths(mp)
 	}
 }
--- a/tests/bud.bats
+++ b/tests/bud.bats
@ -7125,3 +7125,16 @@ EOF
  echo RUN --mount=type=tmpfs,target=tmpfssubdir test '`stat -f -c %i .`' '!=' '`stat -f -c %i tmpfssubdir`' >> ${TEST_SCRATCH_DIR}/Containerfile
  run_buildah build --security-opt label=disable ${TEST_SCRATCH_DIR}
 }
@test "build-security-opt-mask" {
  base=busybox
  _prefetch $base
  run_buildah build bud/masks
  expect_output --substring "masked" "Everything should be masked"
  run_buildah build --security-opt unmask=all bud/masks
  expect_output --substring "unmasked" "Everything should be masked"
  run_buildah build --security-opt unmask=/proc/* bud/masks
  expect_output --substring "unmasked" "Everything should be masked"
  run_buildah build --security-opt unmask=/proc/acpi bud/masks
  expect_output --substring "unmasked" "Everything should be masked"
 }
--- a/tests/bud/masks/Containerfile
+++ b/tests/bud/masks/Containerfile
@ -0,0 +1,4 @@
 FROM alpine
 COPY --chmod=700 test.sh /
 RUN /test.sh
--- a/tests/bud/masks/test.sh
+++ b/tests/bud/masks/test.sh
@ -0,0 +1,15 @@
 # !/bin/sh
 function output {
    for mask in /proc/acpi /proc/kcore /proc/keys /proc/latency_stats /proc/sched_debug /proc/scsi /proc/timer_list /proc/timer_stats /sys/dev/block /sys/devices/virtual/powercap /sys/firmware /sys/fs/selinux; do
 	test -e $mask || continue
 	test -f $mask && cat $mask 2> /dev/null
 	test -d $mask && ls $mask
    done
 }
 output=$(output | wc -c )
 if [ $output == 0 ]; then
    echo "masked"
 else
    echo "unmasked"
 fi