author | Fabricio Voznika <fvoznika@google.com> | 2019-09-26 18:14:45 -0700 |
committer | gVisor bot <gvisor-bot@google.com> | 2019-09-26 18:16:02 -0700 |
commit | 8337e4f50955863c6aa3a7df70b1446b9dba66ae (patch) | |
tree | 7a870c8335f84dd3e39dadb6b0d38182ab0bd223 /runsc/fsgofer | |
parent | 543492650dd528c1d837d788dcd3b5138e8dc1c0 (diff) |
Disallow opening of sockets if --fsgofer-host-uds=false
Updates #235
PiperOrigin-RevId: 271475319
Diffstat (limited to 'runsc/fsgofer')
-rw-r--r-- | runsc/fsgofer/fsgofer.go | 19 | ||||
-rw-r--r-- | runsc/fsgofer/fsgofer_test.go | 2 |
2 files changed, 11 insertions, 10 deletions
diff --git a/runsc/fsgofer/fsgofer.go b/runsc/fsgofer/fsgofer.go
index a570f1a41..29a82138e 100644
--- a/runsc/fsgofer/fsgofer.go
+++ b/runsc/fsgofer/fsgofer.go
@@ -136,6 +136,10 @@ func (a *attachPoint) Attach() (p9.File, error) {
 a.attachedMu.Lock()
 defer a.attachedMu.Unlock()
+ if a.attached {
+ return nil, fmt.Errorf("attach point already attached, prefix: %s", a.prefix)
+ }
+
 // Hold the file descriptor we are converting into a p9.File.
 var f *fd.FD
@@ -170,12 +174,6 @@ func (a *attachPoint) Attach() (p9.File, error) {
 }
 }
- // Close the connection if already attached.
- if a.attached {
- f.Close()
- return nil, fmt.Errorf("attach point already attached, prefix: %s", a.prefix)
- }
-
 // Return a localFile object to the caller with the UDS FD included.
 rv, err := newLocalFile(a, f, a.prefix, stat)
 if err != nil {
@@ -330,7 +328,7 @@ func openAnyFile(path string, fn func(mode int) (*fd.FD, error)) (*fd.FD, error)
 return file, nil
 }
-func getSupportedFileType(stat syscall.Stat_t) (fileType, error) {
+func getSupportedFileType(stat syscall.Stat_t, permitSocket bool) (fileType, error) {
 var ft fileType
 switch stat.Mode & syscall.S_IFMT {
 case syscall.S_IFREG:
@@ -340,6 +338,9 @@ func getSupportedFileType(stat syscall.Stat_t) (fileType, error) {
 case syscall.S_IFLNK:
 ft = symlink
 case syscall.S_IFSOCK:
+ if !permitSocket {
+ return unknown, syscall.EPERM
+ }
 ft = socket
 default:
 return unknown, syscall.EPERM
@@ -348,7 +349,7 @@ func getSupportedFileType(stat syscall.Stat_t) (fileType, error) {
 }
 func newLocalFile(a *attachPoint, file *fd.FD, path string, stat syscall.Stat_t) (*localFile, error) {
- ft, err := getSupportedFileType(stat)
+ ft, err := getSupportedFileType(stat, a.conf.HostUDS)
 if err != nil {
 return nil, err
 }
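Review bot: The new `permitSocket` parameter on getSupportedFileType is undocumented, and nothing states that a socket refused by it is reported with the same syscall.EPERM as an unsupported type, so a caller (and a reader of the Attach failure) cannot tell the two cases apart. A doc comment above the signature would make that contract explicit, e.g. `// getSupportedFileType maps the S_IFMT bits of stat to a fileType. A socket is accepted only when permitSocket is true (newLocalFile passes a.conf.HostUDS); any other type, or a socket with permitSocket false, yields syscall.EPERM.` Moving the `a.attached` check in Attach ahead of the open is also worth a one-line comment, `// Fail before opening anything so there is no FD to clean up.`, since the reason the check moved is not obvious from the new position. The middle of getSupportedFileType's switch and the tail of Attach are outside these hunks.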
@@ -1065,7 +1066,7 @@ func (l *localFile) Flush() error {
 func (l *localFile) Connect(p9.ConnectFlags) (*fd.FD, error) {
 // Check to see if the CLI option has been set to allow the UDS mount.
 if !l.attachPoint.conf.HostUDS {
- return nil, errors.New("host UDS support is disabled")
+ return nil, syscall.ECONNREFUSED
 }
 return fd.DialUnix(l.hostPath)
 }
diff --git a/runsc/fsgofer/fsgofer_test.go b/runsc/fsgofer/fsgofer_test.go
index cbbe71019..05af7e397 100644
--- a/runsc/fsgofer/fsgofer_test.go
+++ b/runsc/fsgofer/fsgofer_test.go
@@ -665,7 +665,7 @@ func TestAttachInvalidType(t *testing.T) {
 }
 f, err := a.Attach()
 if f != nil || err == nil {
- t.Fatalf("Attach should have failed, got (%v, nil)", f)
+ t.Fatalf("Attach should have failed, got (%v, %v)", f, err)
 }
 })
 }
|
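Review bot: The comment above the HostUDS check in Connect still reads as if this were the only place the option is enforced, but with this commit newLocalFile already refuses socket files through getSupportedFileType(stat, a.conf.HostUDS), so a socket-backed localFile should not exist when the option is off (assuming a.conf and l.attachPoint.conf are the same configuration). Saying so keeps the guard from being removed as dead code later: `// HostUDS is also enforced when the file is opened (getSupportedFileType); this check is a second line of defense, not the primary one.` Returning syscall.ECONNREFUSED instead of an ad-hoc errors.New value is the better choice here, since the error crosses the 9P boundary and the client gets a real errno.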
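Review bot: TestAttachInvalidType still only asserts `err == nil` is false, so it passes even if Attach fails for an unrelated reason, and as far as the diffstat shows no test covers the new behaviour that a socket is rejected at Attach when HostUDS is false. Now that the rejection is a specific errno (getSupportedFileType returns syscall.EPERM and newLocalFile returns it as-is), the condition could pin it, e.g. `if f != nil || err != syscall.EPERM {`, provided Attach propagates that error unwrapped; the tail of Attach and the setup of the attach point in this test (including its HostUDS value) are outside the hunks, so the expected errno should be confirmed against them first.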