UniqAI/nvidia-container-toolkit
1
0
Fork 0
mirror of https://github.com/NVIDIA/nvidia-container-toolkit synced 2024-11-22 00:08:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Revert "Merge pull request #696 from elezar/check-link-resolution"

Browse Source 
This reverts commit c490baab63, reversing
changes made to 32486cf1e9.

Signed-off-by: Evan Lezar <elezar@nvidia.com>
This commit is contained in:
Evan Lezar 2024-09-20 20:29:30 +02:00
parent 9b72161b63
commit dc2ccdd2fa
1 changed files with 5 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
cmd/nvidia-cdi-hook/create-symlinks/create-symlinks.go
View File

@ -149,12 +149,13 @@ func (m command) run(c *cli.Context, cfg *config) error {
for _, l := range links { for _, l := range links {
parts := strings.Split(l, "::") parts := strings.Split(l, "::")
if len(parts) != 2 { if len(parts) != 2 {
return fmt.Errorf("invalid symlink specification %v", l) m.logger.Warningf("Invalid link specification %v", l)
continue
} }
err := m.createLink(created, cfg.hostRoot, containerRoot, parts[0], parts[1]) err := m.createLink(created, cfg.hostRoot, containerRoot, parts[0], parts[1])
if err != nil { if err != nil {
return fmt.Errorf("failed to create link %v: %w", parts, err) m.logger.Warningf("Failed to create link %v: %v", parts, err)
} }
} }
@ -165,27 +166,16 @@ func (m command) run(c *cli.Context, cfg *config) error {
func (m command) createLink(created map[string]bool, hostRoot string, containerRoot string, target string, link string) error { func (m command) createLink(created map[string]bool, hostRoot string, containerRoot string, target string, link string) error {
linkPath, err := changeRoot(hostRoot, containerRoot, link) linkPath, err := changeRoot(hostRoot, containerRoot, link)
if err != nil { if err != nil {
return fmt.Errorf("failed to resolve path for link %v relative to %v: %w", link, containerRoot, err) m.logger.Warningf("Failed to resolve path for link %v relative to %v: %v", link, containerRoot, err)
} }
if created[linkPath] { if created[linkPath] {
m.logger.Debugf("Link %v already created", linkPath) m.logger.Debugf("Link %v already created", linkPath)
return nil return nil
} }
if err := assertPathInRoot(containerRoot, linkPath); err != nil {
return err
}
targetPath, err := changeRoot(hostRoot, "/", target) targetPath, err := changeRoot(hostRoot, "/", target)
if err != nil { if err != nil {
return fmt.Errorf("failed to resolve path for target %v relative to %v: %w", target, "/", err) m.logger.Warningf("Failed to resolve path for target %v relative to %v: %v", target, "/", err)
}
parent := containerRoot
if !filepath.IsAbs(targetPath) {
parent = filepath.Dir(linkPath)
}
if err := assertPathInRoot(containerRoot, filepath.Join(parent, targetPath)); err != nil {
return err
} }
m.logger.Infof("Symlinking %v to %v", linkPath, targetPath) m.logger.Infof("Symlinking %v to %v", linkPath, targetPath)
@ -201,59 +191,6 @@ func (m command) createLink(created map[string]bool, hostRoot string, containerR
return nil return nil
} }
// assertPathInRoot ensures that the specified path is a subpath of root.
// This includes the resolution of relative paths and symlinks.
func assertPathInRoot(root string, path string) error {
resolved, err := tryResolveLink(filepath.Clean(path))
if err != nil {
return err
}
if !strings.HasPrefix(resolved, root) {
return fmt.Errorf("path %v resolves to %v which is outside the root %v", path, resolved, root)
}
return nil
}
// tryResolveLink resolves the specified path following symlinks.
// If the path does not exist, recursively resolve the parent of the path until
// one resolves successfully.
//
// For example, assuming that we call this with a path
//
// /container-root/foo/bar/baz.so
//
// If this path exists, then the symlink evaluation will succeed and the target
// will be returned.
//
// Assuming that /container-root/foo exists, but /container-root/foo/bar does
// not, the first call to EvalSymlinks with argument
// /container-root/foo/bar/baz.so will fail resulting in a recursive call to
// this function with an argument /container-root/foo/bar. Since this path also
// doesn't exist this will result in an additional recursive call with an
// argument /container-root/foo. Here EvalSymlinks will succeed and the strings
// /bar and /baz.so will be appended to the result as we return along the
// recursive call stack.
//
// If none of the parents of the path (with the exception of /) exist the path
// will be returned as is with no error.
func tryResolveLink(path string) (string, error) {
if path == "" || path == "/" {
return path, nil
}
resolved, err := filepath.EvalSymlinks(path)
if os.IsNotExist(err) {
resolvedParent, err := tryResolveLink(filepath.Dir(path))
if err != nil {
return "", err
}
resolved := filepath.Join(resolvedParent, filepath.Base(path))
return resolved, nil
}
return resolved, err
}
func changeRoot(current string, new string, path string) (string, error) { func changeRoot(current string, new string, path string) (string, error) {
if !filepath.IsAbs(path) { if !filepath.IsAbs(path) {
return path, nil return path, nil