Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

restrict folder and file permissions created by libvirt-provider #215

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
7 changes: 4 additions & 3 deletions pkg/controllers/machine_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,8 @@ import (

const (
MachineFinalizer = "machine"
filePerm = 0666
permFile = 0660
permFileIgnition = 0640
rootFSAlias = "ua-rootfs"
libvirtDomainXMLIgnitionKeyName = "opt/com.coreos/config"
networkInterfaceAliasPrefix = "ua-networkinterface-"
Expand Down Expand Up @@ -813,7 +814,7 @@ func (r *MachineReconciler) setDomainImage(
if err := r.raw.Create(rootFSFile, raw.WithSourceFile(img.RootFS.Path)); err != nil {
return fmt.Errorf("error creating root fs disk: %w", err)
}
if err := os.Chmod(rootFSFile, filePerm); err != nil {
if err := os.Chmod(rootFSFile, permFile); err != nil {
return fmt.Errorf("error changing root fs disk mode: %w", err)
}
}
Expand Down Expand Up @@ -852,7 +853,7 @@ func (r *MachineReconciler) setDomainIgnition(machine *api.Machine, domain *libv
ignitionData := machine.Spec.Ignition

ignPath := r.host.MachineIgnitionFile(machine.ID)
if err := os.WriteFile(ignPath, ignitionData, filePerm); err != nil {
if err := os.WriteFile(ignPath, ignitionData, permFileIgnition); err != nil {
return err
}

Expand Down
11 changes: 7 additions & 4 deletions pkg/host/store.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,10 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
)

const perm = 0777
const (
permFolder = 0750
permFile = 0640
)

type Options[E api.Object] struct {
//TODO
Expand All @@ -36,7 +39,7 @@ func NewStore[E api.Object](opts Options[E]) (*Store[E], error) {
return nil, fmt.Errorf("must specify opts.NewFunc")
}

if err := os.MkdirAll(opts.Dir, perm); err != nil {
if err := os.MkdirAll(opts.Dir, permFolder); err != nil {
return nil, fmt.Errorf("error creating store directory: %w", err)
}

Expand Down Expand Up @@ -237,8 +240,8 @@ func (s *Store[E]) set(obj E) (E, error) {
return utils.Zero[E](), fmt.Errorf("failed to marshal obj: %w", err)
}

if err := os.WriteFile(filepath.Join(s.dir, obj.GetID()), data, 0666); err != nil {
return utils.Zero[E](), nil
if err := os.WriteFile(filepath.Join(s.dir, obj.GetID()), data, permFile); err != nil {
return utils.Zero[E](), fmt.Errorf("cannot update file in store: %w", err)
lukas016 marked this conversation as resolved.
Show resolved Hide resolved
}

return obj, nil
Expand Down
8 changes: 4 additions & 4 deletions pkg/plugins/networkinterface/apinet/apinet.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,8 @@ const (

defaultAPINetConfigFile = "api-net.json"

perm = 0777
filePerm = 0666
permFolder = 0750
permFile = 0640
pluginAPInet = "apinet"
)

Expand Down Expand Up @@ -82,7 +82,7 @@ func (p *Plugin) writeAPINetNetworkInterfaceConfig(machineID string, networkInte
return err
}

return os.WriteFile(p.apiNetNetworkInterfaceConfigFile(machineID, networkInterfaceName), data, filePerm)
return os.WriteFile(p.apiNetNetworkInterfaceConfigFile(machineID, networkInterfaceName), data, permFile)
}

func (p *Plugin) readAPINetNetworkInterfaceConfig(machineID string, networkInterfaceName string) (*apiNetNetworkInterfaceConfig, error) {
Expand All @@ -106,7 +106,7 @@ func (p *Plugin) Apply(ctx context.Context, spec *api.NetworkInterfaceSpec, mach
log := ctrl.LoggerFrom(ctx)

log.V(1).Info("Writing network interface dir")
if err := os.MkdirAll(p.host.MachineNetworkInterfaceDir(machine.ID, spec.Name), perm); err != nil {
if err := os.MkdirAll(p.host.MachineNetworkInterfaceDir(machine.ID, spec.Name), permFolder); err != nil {
return nil, err
}

Expand Down
4 changes: 2 additions & 2 deletions pkg/plugins/networkinterface/isolated/isolated.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ import (
)

const (
perm = 0777
permFolder = 0750
pluginIsolated = "isolated"
)

Expand All @@ -31,7 +31,7 @@ func (p *plugin) Init(host providerhost.Host) error {
}

func (p *plugin) Apply(ctx context.Context, spec *api.NetworkInterfaceSpec, machine *api.Machine) (*providernetworkinterface.NetworkInterface, error) {
if err := os.MkdirAll(p.host.MachineNetworkInterfaceDir(machine.ID, spec.Name), perm); err != nil {
if err := os.MkdirAll(p.host.MachineNetworkInterfaceDir(machine.ID, spec.Name), permFolder); err != nil {
return nil, err
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ import (
)

const (
perm = 0777
permFolder = 0750
pluginProvidernet = "providernet"
)

Expand All @@ -31,7 +31,7 @@ func (p *plugin) Init(host providerhost.Host) error {
}

func (p *plugin) Apply(ctx context.Context, spec *api.NetworkInterfaceSpec, machine *api.Machine) (*providernetworkinterface.NetworkInterface, error) {
if err := os.MkdirAll(p.host.MachineNetworkInterfaceDir(machine.ID, spec.Name), perm); err != nil {
if err := os.MkdirAll(p.host.MachineNetworkInterfaceDir(machine.ID, spec.Name), permFolder); err != nil {
return nil, err
}

Expand Down
9 changes: 5 additions & 4 deletions pkg/plugins/volume/emptydisk/emptydisk.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,9 @@ const (

defaultSize = 500 * 1024 * 1024 // 500Mi by default

perm = 0777
filePerm = 0666
permFolder = 0750
// vm has to has permission for write
permFile = 0660
)

type plugin struct {
Expand Down Expand Up @@ -67,7 +68,7 @@ func (p *plugin) diskFilename(computeVolumeName string, machineID string) string

func (p *plugin) Apply(ctx context.Context, spec *api.VolumeSpec, machine *api.Machine) (*volume.Volume, error) {
volumeDir := p.host.MachineVolumeDir(machine.ID, utilstrings.EscapeQualifiedName(pluginName), spec.Name)
if err := os.MkdirAll(volumeDir, perm); err != nil {
if err := os.MkdirAll(volumeDir, permFolder); err != nil {
return nil, err
}

Expand All @@ -90,7 +91,7 @@ func (p *plugin) Apply(ctx context.Context, spec *api.VolumeSpec, machine *api.M
if err := p.raw.Create(diskFilename, raw.WithSize(size)); err != nil {
return nil, fmt.Errorf("error creating disk %w", err)
}
if err := os.Chmod(diskFilename, filePerm); err != nil {
if err := os.Chmod(diskFilename, permFile); err != nil {
return nil, fmt.Errorf("error changing disk file mode: %w", err)
}
}
Expand Down
20 changes: 11 additions & 9 deletions pkg/providerhost/host.go
Original file line number Diff line number Diff line change
Expand Up @@ -162,17 +162,19 @@ func (h *host) OCIStore() *ocistore.Store {
return h.ociStore
}

const perm = 0777
const (
permFolder = 0750
)

func PathsAt(rootDir string) (Paths, error) {
p := &paths{rootDir}
if err := os.MkdirAll(p.RootDir(), perm); err != nil {
if err := os.MkdirAll(p.RootDir(), permFolder); err != nil {
return nil, fmt.Errorf("error creating root directory: %w", err)
}
if err := os.MkdirAll(p.ImagesDir(), perm); err != nil {
if err := os.MkdirAll(p.ImagesDir(), permFolder); err != nil {
return nil, fmt.Errorf("error creating images directory: %w", err)
}
if err := os.MkdirAll(p.MachinesDir(), perm); err != nil {
if err := os.MkdirAll(p.MachinesDir(), permFolder); err != nil {
return nil, fmt.Errorf("error creating machines directory: %w", err)
}
return p, nil
Expand Down Expand Up @@ -292,19 +294,19 @@ func ReadMachineNetworkInterfaces(paths Paths, machineUID string) ([]MachineNetw
}

func MakeMachineDirs(paths Paths, machineUID string) error {
if err := os.MkdirAll(paths.MachineDir(machineUID), perm); err != nil {
if err := os.MkdirAll(paths.MachineDir(machineUID), permFolder); err != nil {
return fmt.Errorf("error creating machine directory: %w", err)
}
if err := os.MkdirAll(paths.MachineRootFSDir(machineUID), perm); err != nil {
if err := os.MkdirAll(paths.MachineRootFSDir(machineUID), permFolder); err != nil {
return fmt.Errorf("error creating machine rootfs directory: %w", err)
}
if err := os.MkdirAll(paths.MachineVolumesDir(machineUID), perm); err != nil {
if err := os.MkdirAll(paths.MachineVolumesDir(machineUID), permFolder); err != nil {
return fmt.Errorf("error creating machine disks directory: %w", err)
}
if err := os.MkdirAll(paths.MachineIgnitionsDir(machineUID), perm); err != nil {
if err := os.MkdirAll(paths.MachineIgnitionsDir(machineUID), permFolder); err != nil {
return fmt.Errorf("error creating machine ignitions directory: %w", err)
}
if err := os.MkdirAll(paths.MachineNetworkInterfacesDir(machineUID), perm); err != nil {
if err := os.MkdirAll(paths.MachineNetworkInterfacesDir(machineUID), permFolder); err != nil {
return fmt.Errorf("error creating machine network interfaces directory: %w", err)
}
return nil
Expand Down
Loading