authorGiuseppe Scrivano <gscrivan@redhat.com>2022-09-14 13:01:43 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2022-09-14 17:09:04 +0200
commit14e5d1c15da82f7eb315c320765aeca69f4b58af (patch)
tree4d1b162552e80c1c5a267110310dfc2bc1638679
parent92dc61d5edb1b5ce85f7e4563d400cc861a28359 (diff)
libpod: fix lookup for subpath in volumes
a subdirectory that is below a mount destination is detected as a subpath. Closes: https://github.com/containers/podman/issues/15789 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--libpod/container_path_resolution.go26
-rw-r--r--libpod/container_path_resolution_test.go28
-rw-r--r--test/e2e/run_working_dir_test.go9
3 files changed, 59 insertions, 4 deletions
diff --git a/libpod/container_path_resolution.go b/libpod/container_path_resolution.go
index eddfd361e..cd86df540 100644
--- a/libpod/container_path_resolution.go
+++ b/libpod/container_path_resolution.go
@@ -119,15 +119,29 @@ func findVolume(c *Container, containerPath string) (*Volume, error) {
return nil, nil
}
+// isSubDir checks whether path is a subdirectory of root.
+func isSubDir(path, root string) bool {
+ // check if the specified container path is below a bind mount.
+ rel, err := filepath.Rel(root, path)
+ if err != nil {
+ return false
+ }
+ return rel != ".." && !strings.HasPrefix(rel, "../")
+}
+
// isPathOnVolume returns true if the specified containerPath is a subdir of any
// Volume's destination.
func isPathOnVolume(c *Container, containerPath string) bool {
cleanedContainerPath := filepath.Clean(containerPath)
for _, vol := range c.config.NamedVolumes {
- if cleanedContainerPath == filepath.Clean(vol.Dest) {
+ cleanedDestination := filepath.Clean(vol.Dest)
+ if cleanedContainerPath == cleanedDestination {
return true
}
- for dest := vol.Dest; dest != "/" && dest != "."; dest = filepath.Dir(dest) {
+ if isSubDir(cleanedContainerPath, cleanedDestination) {
+ return true
+ }
+ for dest := cleanedDestination; dest != "/" && dest != "."; dest = filepath.Dir(dest) {
if cleanedContainerPath == dest {
return true
}
@@ -157,10 +171,14 @@ func findBindMount(c *Container, containerPath string) *specs.Mount {
func isPathOnMount(c *Container, containerPath string) bool {
cleanedContainerPath := filepath.Clean(containerPath)
for _, m := range c.config.Spec.Mounts {
- if cleanedContainerPath == filepath.Clean(m.Destination) {
+ cleanedDestination := filepath.Clean(m.Destination)
+ if cleanedContainerPath == cleanedDestination {
+ return true
+ }
+ if isSubDir(cleanedContainerPath, cleanedDestination) {
return true
}
- for dest := m.Destination; dest != "/" && dest != "."; dest = filepath.Dir(dest) {
+ for dest := cleanedDestination; dest != "/" && dest != "."; dest = filepath.Dir(dest) {
if cleanedContainerPath == dest {
return true
}
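Review bot: The new `isSubDir` branch in `isPathOnMount` runs for every entry in `c.config.Spec.Mounts`, with no filter on mount type visible in this hunk, so any path below any mount destination now counts as being on a mount, and a destination of `/` would match every absolute path. If callers use this result to skip validating or creating the path on the container rootfs (not visible here), the widening deserves a comment on the function saying it is intended. A unit test for `isPathOnMount` itself, rather than only for the helper, would pin that. The function body continues outside the hunk.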
diff --git a/libpod/container_path_resolution_test.go b/libpod/container_path_resolution_test.go
new file mode 100644
index 000000000..f906c752d
--- /dev/null
+++ b/libpod/container_path_resolution_test.go
@@ -0,0 +1,28 @@
+package libpod
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestIsSubDir(t *testing.T) {
+ assert.True(t, isSubDir("/foo", "/foo"))
+ assert.True(t, isSubDir("/foo/bar", "/foo"))
+ assert.True(t, isSubDir("/foo/bar", "/foo/"))
+ assert.True(t, isSubDir("/foo/bar", "/foo//"))
+ assert.True(t, isSubDir("/foo/bar/", "/foo"))
+ assert.True(t, isSubDir("/foo/bar/baz/", "/foo"))
+ assert.True(t, isSubDir("/foo/bar/baz/", "/foo/bar"))
+ assert.True(t, isSubDir("/foo/bar/baz/", "/foo/bar/"))
+ assert.False(t, isSubDir("/foo/bar/baz/", "/foobar/"))
+ assert.False(t, isSubDir("/foo/bar/baz/../../", "/foobar/"))
+ assert.False(t, isSubDir("/foo/bar/baz/", "../foo/bar"))
+ assert.False(t, isSubDir("/foo/bar/baz/", "../foo/"))
+ assert.False(t, isSubDir("/foo/bar/baz/", "../foo"))
+ assert.False(t, isSubDir("/", ".."))
+ assert.False(t, isSubDir("//", ".."))
+ assert.False(t, isSubDir("//", "../"))
+ assert.False(t, isSubDir("//", "..//"))
+ assert.True(t, isSubDir("/foo/bar/baz/../../", "/foo/"))
+}
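Review bot: `TestIsSubDir` misses the two cases that most often break prefix-based containment checks: a child whose name merely starts with two dots, and a root that is deeper than the path. Both behave correctly with the current implementation, so pinning them guards against a later simplification to `strings.HasPrefix(rel, "..")`. I would add `assert.True(t, isSubDir("/foo/..bar", "/foo"))` and `assert.False(t, isSubDir("/foo", "/foo/bar"))`.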
diff --git a/test/e2e/run_working_dir_test.go b/test/e2e/run_working_dir_test.go
index ff91a420f..84792481f 100644
--- a/test/e2e/run_working_dir_test.go
+++ b/test/e2e/run_working_dir_test.go
@@ -46,6 +46,15 @@ var _ = Describe("Podman run", func() {
Expect(session).Should(Exit(126))
})
+ It("podman run a container using a --workdir under a bind mount", func() {
+ volume, err := CreateTempDirInTempDir()
+ Expect(err).To(BeNil())
+
+ session := podmanTest.Podman([]string{"run", "--volume", fmt.Sprintf("%s:/var_ovl/:O", volume), "--workdir", "/var_ovl/log", ALPINE, "true"})
+ session.WaitWithDefaultTimeout()
+ Expect(session).Should(Exit(0))
+ })
+
It("podman run a container on an image with a workdir", func() {
dockerfile := fmt.Sprintf(`FROM %s
RUN mkdir -p /home/foobar /etc/foobar; chown bin:bin /etc/foobar
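Review bot: The new spec only asserts exit status 0 with `true` as the command, which shows the container starts but not that its working directory is the requested one. Running `pwd` instead and adding `Expect(session.OutputToString()).To(Equal("/var_ovl/log"))` would pin the behaviour the fix is about. The enclosing `Describe` block starts and ends outside this hunk.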