diff options
author | Matthew Heon <matthew.heon@gmail.com> | 2018-07-19 11:24:42 -0400 |
---|---|---|
committer | Matthew Heon <matthew.heon@gmail.com> | 2018-07-24 16:12:31 -0400 |
commit | 7b30659629deaddafc7fc925d869324ae754c216 (patch) | |
tree | 21d3a23fe7ff811e67603eecbaae37f56b0cf1b4 | |
parent | 572fd75d226550ac1576bf38812e5417a9eddeee (diff) | |
download | podman-7b30659629deaddafc7fc925d869324ae754c216.tar.gz podman-7b30659629deaddafc7fc925d869324ae754c216.tar.bz2 podman-7b30659629deaddafc7fc925d869324ae754c216.zip |
Enforce namespace checks on container add
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
-rw-r--r-- | libpod/boltdb_state_internal.go | 5 | ||||
-rw-r--r-- | libpod/in_memory_state.go | 8 | ||||
-rw-r--r-- | libpod/state_test.go | 100 |
3 files changed, 110 insertions, 3 deletions
diff --git a/libpod/boltdb_state_internal.go b/libpod/boltdb_state_internal.go index 81c9f49f5..b03c11531 100644 --- a/libpod/boltdb_state_internal.go +++ b/libpod/boltdb_state_internal.go @@ -266,6 +266,11 @@ func (s *BoltState) getPodFromDB(id []byte, pod *Pod, podBkt *bolt.Bucket) error // Add a container to the DB // If pod is not nil, the container is added to the pod as well func (s *BoltState) addContainer(ctr *Container, pod *Pod) error { + if s.namespace != "" && s.namespace != ctr.config.Namespace { + return errors.Wrapf(ErrNSMismatch, "cannot add container %s as it is in namespace %q and we are in namespace %q", + ctr.ID(), s.namespace, ctr.config.Namespace) + } + // JSON container structs to insert into DB // TODO use a higher-performance struct encoding than JSON configJSON, err := json.Marshal(ctr.config) diff --git a/libpod/in_memory_state.go b/libpod/in_memory_state.go index 265170284..55be89d4c 100644 --- a/libpod/in_memory_state.go +++ b/libpod/in_memory_state.go @@ -172,6 +172,10 @@ func (s *InMemoryState) AddContainer(ctr *Container) error { return errors.Wrapf(ErrInvalidArg, "cannot add a container that is in a pod with AddContainer, use AddContainerToPod") } + if err := s.checkNSMatch(ctr.ID(), ctr.Namespace()); err != nil { + return err + } + // There are potential race conditions with this // But in-memory state is intended purely for testing and not production // use, so this should be fine. @@ -692,6 +696,10 @@ func (s *InMemoryState) AddContainerToPod(pod *Pod, ctr *Container) error { ctr.ID(), ctr.config.Namespace, pod.ID(), pod.config.Namespace) } + if err := s.checkNSMatch(ctr.ID(), ctr.Namespace()); err != nil { + return err + } + // Retrieve pod containers list podCtrs, ok := s.podContainers[pod.ID()] if !ok { diff --git a/libpod/state_test.go b/libpod/state_test.go index 0c924a1f1..4e9ba8850 100644 --- a/libpod/state_test.go +++ b/libpod/state_test.go @@ -331,6 +331,45 @@ func TestAddCtrDepInDifferentNamespaceFails(t *testing.T) { }) } +func TestAddCtrSameNamespaceSucceeds(t *testing.T) { + runForAllStates(t, func(t *testing.T, state State, lockPath string) { + testCtr, err := getTestCtr1(lockPath) + assert.NoError(t, err) + + testCtr.config.Namespace = "test1" + + state.SetNamespace("test1") + + err = state.AddContainer(testCtr) + assert.NoError(t, err) + + retrievedCtr, err := state.Container(testCtr.ID()) + assert.NoError(t, err) + + testContainersEqual(t, testCtr, retrievedCtr) + }) +} + +func TestAddCtrDifferentNamespaceFails(t *testing.T) { + runForAllStates(t, func(t *testing.T, state State, lockPath string) { + testCtr, err := getTestCtr1(lockPath) + assert.NoError(t, err) + + testCtr.config.Namespace = "test1" + + state.SetNamespace("test2") + + err = state.AddContainer(testCtr) + assert.Error(t, err) + + state.SetNamespace("") + + ctrs, err := state.AllContainers() + assert.NoError(t, err) + assert.Equal(t, 0, len(ctrs)) + }) +} + func TestGetNonexistentContainerFails(t *testing.T) { runForAllStates(t, func(t *testing.T, state State, lockPath string) { _, err := state.Container("does not exist") @@ -2493,7 +2532,7 @@ func TestRemoveContainersNotInNamespace(t *testing.T) { state.SetNamespace("test2") - err := state.RemovePodContainers(testPod) + err = state.RemovePodContainers(testPod) assert.Error(t, err) }) } @@ -3019,6 +3058,61 @@ func TestAddContainerToPodNamespaceOnPodFails(t *testing.T) { }) } +func TestAddCtrToPodSameNamespaceSucceeds(t *testing.T) { + runForAllStates(t, func(t *testing.T, state State, lockPath string) { + testCtr, err := getTestCtr1(lockPath) + assert.NoError(t, err) + + testPod, err := getTestPod2(lockPath) + assert.NoError(t, err) + + testCtr.config.Namespace = "test1" + testPod.config.Namespace = "test1" + testCtr.config.Pod = testPod.ID() + + err = state.AddPod(testPod) + assert.NoError(t, err) + + state.SetNamespace("test1") + + err = state.AddContainerToPod(testPod, testCtr) + assert.NoError(t, err) + + retrievedCtr, err := state.Container(testCtr.ID()) + assert.NoError(t, err) + + testContainersEqual(t, testCtr, retrievedCtr) + }) +} + +func TestAddCtrToPodDifferentNamespaceFails(t *testing.T) { + runForAllStates(t, func(t *testing.T, state State, lockPath string) { + testCtr, err := getTestCtr1(lockPath) + assert.NoError(t, err) + + testPod, err := getTestPod2(lockPath) + assert.NoError(t, err) + + testCtr.config.Namespace = "test1" + testPod.config.Namespace = "test1" + testCtr.config.Pod = testPod.ID() + + state.AddPod(testPod) + assert.NoError(t, err) + + state.SetNamespace("test2") + + err = state.AddContainerToPod(testPod, testCtr) + assert.Error(t, err) + + state.SetNamespace("") + + ctrs, err := state.AllContainers() + assert.NoError(t, err) + assert.Equal(t, 0, len(ctrs)) + }) +} + func TestRemoveContainerFromPodBadPodFails(t *testing.T) { runForAllStates(t, func(t *testing.T, state State, lockPath string) { testCtr, err := getTestCtr1(lockPath) @@ -3291,7 +3385,7 @@ func TestUpdatePodNotInNamespaceFails(t *testing.T) { state.SetNamespace("test2") - _, err = state.UpdatePod(testPod) + err = state.UpdatePod(testPod) assert.Error(t, err) }) } @@ -3325,7 +3419,7 @@ func TestSavePodNotInNamespaceFails(t *testing.T) { state.SetNamespace("test2") - _, err = state.SavePod(testPod) + err = state.SavePod(testPod) assert.Error(t, err) }) } |