aboutsummaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
authorMatthew Heon <matthew.heon@gmail.com>2018-07-19 11:24:42 -0400
committerMatthew Heon <matthew.heon@gmail.com>2018-07-24 16:12:31 -0400
commit7b30659629deaddafc7fc925d869324ae754c216 (patch)
tree21d3a23fe7ff811e67603eecbaae37f56b0cf1b4 /libpod
parent572fd75d226550ac1576bf38812e5417a9eddeee (diff)
downloadpodman-7b30659629deaddafc7fc925d869324ae754c216.tar.gz
podman-7b30659629deaddafc7fc925d869324ae754c216.tar.bz2
podman-7b30659629deaddafc7fc925d869324ae754c216.zip
Enforce namespace checks on container add
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Diffstat (limited to 'libpod')
-rw-r--r--libpod/boltdb_state_internal.go5
-rw-r--r--libpod/in_memory_state.go8
-rw-r--r--libpod/state_test.go100
3 files changed, 110 insertions, 3 deletions
diff --git a/libpod/boltdb_state_internal.go b/libpod/boltdb_state_internal.go
index 81c9f49f5..b03c11531 100644
--- a/libpod/boltdb_state_internal.go
+++ b/libpod/boltdb_state_internal.go
@@ -266,6 +266,11 @@ func (s *BoltState) getPodFromDB(id []byte, pod *Pod, podBkt *bolt.Bucket) error
// Add a container to the DB
// If pod is not nil, the container is added to the pod as well
func (s *BoltState) addContainer(ctr *Container, pod *Pod) error {
+ if s.namespace != "" && s.namespace != ctr.config.Namespace {
+ return errors.Wrapf(ErrNSMismatch, "cannot add container %s as it is in namespace %q and we are in namespace %q",
+ ctr.ID(), s.namespace, ctr.config.Namespace)
+ }
+
// JSON container structs to insert into DB
// TODO use a higher-performance struct encoding than JSON
configJSON, err := json.Marshal(ctr.config)
diff --git a/libpod/in_memory_state.go b/libpod/in_memory_state.go
index 265170284..55be89d4c 100644
--- a/libpod/in_memory_state.go
+++ b/libpod/in_memory_state.go
@@ -172,6 +172,10 @@ func (s *InMemoryState) AddContainer(ctr *Container) error {
return errors.Wrapf(ErrInvalidArg, "cannot add a container that is in a pod with AddContainer, use AddContainerToPod")
}
+ if err := s.checkNSMatch(ctr.ID(), ctr.Namespace()); err != nil {
+ return err
+ }
+
// There are potential race conditions with this
// But in-memory state is intended purely for testing and not production
// use, so this should be fine.
@@ -692,6 +696,10 @@ func (s *InMemoryState) AddContainerToPod(pod *Pod, ctr *Container) error {
ctr.ID(), ctr.config.Namespace, pod.ID(), pod.config.Namespace)
}
+ if err := s.checkNSMatch(ctr.ID(), ctr.Namespace()); err != nil {
+ return err
+ }
+
// Retrieve pod containers list
podCtrs, ok := s.podContainers[pod.ID()]
if !ok {
diff --git a/libpod/state_test.go b/libpod/state_test.go
index 0c924a1f1..4e9ba8850 100644
--- a/libpod/state_test.go
+++ b/libpod/state_test.go
@@ -331,6 +331,45 @@ func TestAddCtrDepInDifferentNamespaceFails(t *testing.T) {
})
}
+func TestAddCtrSameNamespaceSucceeds(t *testing.T) {
+ runForAllStates(t, func(t *testing.T, state State, lockPath string) {
+ testCtr, err := getTestCtr1(lockPath)
+ assert.NoError(t, err)
+
+ testCtr.config.Namespace = "test1"
+
+ state.SetNamespace("test1")
+
+ err = state.AddContainer(testCtr)
+ assert.NoError(t, err)
+
+ retrievedCtr, err := state.Container(testCtr.ID())
+ assert.NoError(t, err)
+
+ testContainersEqual(t, testCtr, retrievedCtr)
+ })
+}
+
+func TestAddCtrDifferentNamespaceFails(t *testing.T) {
+ runForAllStates(t, func(t *testing.T, state State, lockPath string) {
+ testCtr, err := getTestCtr1(lockPath)
+ assert.NoError(t, err)
+
+ testCtr.config.Namespace = "test1"
+
+ state.SetNamespace("test2")
+
+ err = state.AddContainer(testCtr)
+ assert.Error(t, err)
+
+ state.SetNamespace("")
+
+ ctrs, err := state.AllContainers()
+ assert.NoError(t, err)
+ assert.Equal(t, 0, len(ctrs))
+ })
+}
+
func TestGetNonexistentContainerFails(t *testing.T) {
runForAllStates(t, func(t *testing.T, state State, lockPath string) {
_, err := state.Container("does not exist")
@@ -2493,7 +2532,7 @@ func TestRemoveContainersNotInNamespace(t *testing.T) {
state.SetNamespace("test2")
- err := state.RemovePodContainers(testPod)
+ err = state.RemovePodContainers(testPod)
assert.Error(t, err)
})
}
@@ -3019,6 +3058,61 @@ func TestAddContainerToPodNamespaceOnPodFails(t *testing.T) {
})
}
+func TestAddCtrToPodSameNamespaceSucceeds(t *testing.T) {
+ runForAllStates(t, func(t *testing.T, state State, lockPath string) {
+ testCtr, err := getTestCtr1(lockPath)
+ assert.NoError(t, err)
+
+ testPod, err := getTestPod2(lockPath)
+ assert.NoError(t, err)
+
+ testCtr.config.Namespace = "test1"
+ testPod.config.Namespace = "test1"
+ testCtr.config.Pod = testPod.ID()
+
+ err = state.AddPod(testPod)
+ assert.NoError(t, err)
+
+ state.SetNamespace("test1")
+
+ err = state.AddContainerToPod(testPod, testCtr)
+ assert.NoError(t, err)
+
+ retrievedCtr, err := state.Container(testCtr.ID())
+ assert.NoError(t, err)
+
+ testContainersEqual(t, testCtr, retrievedCtr)
+ })
+}
+
+func TestAddCtrToPodDifferentNamespaceFails(t *testing.T) {
+ runForAllStates(t, func(t *testing.T, state State, lockPath string) {
+ testCtr, err := getTestCtr1(lockPath)
+ assert.NoError(t, err)
+
+ testPod, err := getTestPod2(lockPath)
+ assert.NoError(t, err)
+
+ testCtr.config.Namespace = "test1"
+ testPod.config.Namespace = "test1"
+ testCtr.config.Pod = testPod.ID()
+
+ state.AddPod(testPod)
+ assert.NoError(t, err)
+
+ state.SetNamespace("test2")
+
+ err = state.AddContainerToPod(testPod, testCtr)
+ assert.Error(t, err)
+
+ state.SetNamespace("")
+
+ ctrs, err := state.AllContainers()
+ assert.NoError(t, err)
+ assert.Equal(t, 0, len(ctrs))
+ })
+}
+
func TestRemoveContainerFromPodBadPodFails(t *testing.T) {
runForAllStates(t, func(t *testing.T, state State, lockPath string) {
testCtr, err := getTestCtr1(lockPath)
@@ -3291,7 +3385,7 @@ func TestUpdatePodNotInNamespaceFails(t *testing.T) {
state.SetNamespace("test2")
- _, err = state.UpdatePod(testPod)
+ err = state.UpdatePod(testPod)
assert.Error(t, err)
})
}
@@ -3325,7 +3419,7 @@ func TestSavePodNotInNamespaceFails(t *testing.T) {
state.SetNamespace("test2")
- _, err = state.SavePod(testPod)
+ err = state.SavePod(testPod)
assert.Error(t, err)
})
}