Merge pull request #5978 from nalind/cache-ownership

Distinguish --mount=type=cache locations by ownership, too
This commit is contained in:
openshift-merge-bot[bot] 2025-02-10 19:31:25 +00:00 committed by GitHub
commit f89450213c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 28 additions and 4 deletions


@ -557,14 +557,19 @@ func GetCacheMount(sys *types.SystemContext, args []string, store storage.Store,
return newMount, "", "", "", nil, fmt.Errorf("unable to create build cache directory: %w", err)
}
ownerInfo := fmt.Sprintf(":%d:%d", uid, gid)
if id != "" {
// Don't let the user control where we place the directory.
dirID := digest.FromString(id).Encoded()[:16]
// Don't let the user try to inject pathname components by directly using
// the ID when constructing the cache directory location; distinguish
// between caches by ID and ownership
dirID := digest.FromString(id + ownerInfo).Encoded()[:16]
thisCacheRoot = filepath.Join(cacheParent, dirID)
buildahLockFilesDir = filepath.Join(cacheParent, BuildahCacheLockfileDir, dirID)
} else {
// Don't let the user control where we place the directory.
dirID := digest.FromString(newMount.Destination).Encoded()[:16]
// Don't let the user try to inject pathname components by directly using
// the target path when constructing the cache directory location;
// distinguish between caches by mount target location and ownership
dirID := digest.FromString(newMount.Destination + ownerInfo).Encoded()[:16]
thisCacheRoot = filepath.Join(cacheParent, dirID)
buildahLockFilesDir = filepath.Join(cacheParent, BuildahCacheLockfileDir, dirID)
}
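Review bot: The new `dirID := digest.FromString(id + ownerInfo).Encoded()[:16]` line (and its twin in the else branch) depends on the `:%d:%d` layout of `ownerInfo` to keep a user-chosen id containing ':' from aliasing some other (id, uid, gid) triple, but the comment above the `ownerInfo` assignment does not record that; suggest `// ownerInfo is a ':'-led suffix of exactly two numeric fields, so the combined string decodes unambiguously even when id contains ':'`. Because the hash input changed from `digest.FromString(id)` to `digest.FromString(id + ownerInfo)`, cache directories created by earlier versions will no longer be located or reused, and nothing in this hunk removes or migrates them, so a sentence in the commit message or a comment about the one-time cache miss and leftover directories would help operators. GetCacheMount starts and ends outside the hunk, so how `uid` and `gid` are derived is not visible here; I am assuming they are the resolved numeric owner of the mount.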


@ -3455,6 +3455,25 @@ var internalTestCases = []testCase{
dockerUseBuildKit: true,
buildArgs: map[string]string{"SOURCE": "e/**/**/*sub/*.txt"},
},
{
name: "mount-cache-by-ownership",
dockerUseBuildKit: true,
dockerfileContents: strings.Join([]string{
"FROM mirror.gcr.io/busybox",
"USER 10",
"RUN --mount=type=cache,uid=10,target=/cache touch /cache/10.txt",
"USER 0",
"RUN --mount=type=cache,target=/cache touch /cache/0.txt",
"RUN mkdir -m 770 /results /results/0 /results/10 /results/0+10",
"RUN chown -R 10 /results",
"RUN --mount=type=cache,target=/cache cp -a /cache/* /results/0",
"USER 10",
"RUN --mount=type=cache,uid=10,target=/cache cp -a /cache/* /results/10",
"USER 0",
"RUN --mount=type=cache,uid=10,target=/cache cp -a /cache/* /results/0+10",
"RUN touch -r /bin `find /results -print`",
}, "\n"),
},
}
func TestCommit(t *testing.T) {
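Review bot: The new `mount-cache-by-ownership` case leaves its expected outcome implicit — nothing in the Dockerfile lines or the struct fields states that `/results/0` should contain only `0.txt` while `/results/10` and `/results/0+10` contain only `10.txt`, and presumably the harness establishes that by comparing the result against the BuildKit build (that comparison code is outside this hunk). A comment above the `name:` field stating the expectation, e.g. `// caches sharing a target but differing in uid/gid must not see each other's files`, would make the regression being guarded obvious to the next reader. The `internalTestCases` slice starts before the hunk, so whether sibling cases document themselves this way is not visible here.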