fix unsafe code to use nix
Signed-off-by: sat0ken <[email protected]>
sat0ken committed Nov 8, 2024
1 parent ab34d99 commit df941cd
Showing 2 changed files with 29 additions and 46 deletions.
40 changes: 29 additions & 11 deletions tests/contest/runtimetest/src/tests.rs
Expand Up @@ -4,11 +4,12 @@ use std::os::unix::fs::{FileTypeExt, PermissionsExt};
use std::path::Path;

Check warning on line 4 in tests/contest/runtimetest/src/tests.rs


GitHub Actions / check (aarch64, musl)

Diff in /home/runner/work/youki/youki/tests/contest/runtimetest/src/tests.rs

use anyhow::{bail, Result};
use libc::{getgid, getuid};

use nix::errno::Errno;
use nix::libc;
use nix::sys::stat::umask;
use nix::sys::utsname;
use nix::unistd::getcwd;
use nix::unistd::{getcwd, getgid, getgroups, getuid, Gid, Uid};
use oci_spec::runtime::IOPriorityClass::{self, IoprioClassBe, IoprioClassIdle, IoprioClassRt};
use oci_spec::runtime::{LinuxDevice, LinuxDeviceType, LinuxSchedulerPolicy, Spec};

Expand Down Expand Up @@ -550,41 +551,58 @@ pub fn test_io_priority_class(spec: &Spec, io_priority_class: IOPriorityClass) {
pub fn validate_process_user(spec: &Spec) {
let process = spec.process().as_ref().unwrap();

let uid = unsafe { getuid() };
let gid = unsafe { getgid() };
let current_umask = unsafe { libc::umask(0) };
unsafe { libc::umask(current_umask) };
let uid = getuid();
let gid = getgid();
let current_umask = umask(nix::sys::stat::Mode::empty());
umask(current_umask);

if process.user().uid().ne(&uid) {
if Uid::from(process.user().uid()) != uid {
eprintln!(
"error due to uid want {}, got {}",
process.user().uid(),
uid
)
}

if process.user().gid().ne(&gid) {
if Gid::from(process.user().gid()) != gid {
eprintln!(
"error due to gid want {}, got {}",
process.user().gid(),
gid
)
}

if let Err(e) = utils::test_additional_gids(process.user().additional_gids().as_ref().unwrap())
{
if let Err(e) = validate_additional_gids(process.user().additional_gids().as_ref().unwrap()) {
eprintln!("error additional gids {e}");
}

if process.user().umask().unwrap().ne(&current_umask) {

Check failure on line 579 in tests/contest/runtimetest/src/tests.rs


GitHub Actions / tests (x86_64, gnu)

can't compare `u32` with `Mode`

Check failure on line 579 in tests/contest/runtimetest/src/tests.rs


GitHub Actions / tests (x86_64, musl)

can't compare `u32` with `Mode`

Check failure on line 579 in tests/contest/runtimetest/src/tests.rs


GitHub Actions / oci-validation-rust (x86_64, gnu)

can't compare `u32` with `Mode`

Check failure on line 579 in tests/contest/runtimetest/src/tests.rs


GitHub Actions / oci-validation-rust (x86_64, musl)

can't compare `u32` with `Mode`
eprintln!(
"error due to gid want {}, got {}",
"error due to gid want {}, got {:?}",
process.user().umask().unwrap(),
current_umask
)
}
}

// validate_additional_gids function is used to validate additional groups of user
fn validate_additional_gids(gids: &Vec<u32>) -> std::result::Result<(), std::io::Error> {
let groups = getgroups().unwrap();

for group in groups {
for gid in gids {
if group != Gid::from(gid) {

Check failure on line 594 in tests/contest/runtimetest/src/tests.rs


GitHub Actions / tests (x86_64, gnu)

the trait bound `Gid: From<&u32>` is not satisfied

Check failure on line 594 in tests/contest/runtimetest/src/tests.rs

View workflow job for this annotation

GitHub Actions / tests (x86_64, musl)

the trait bound `Gid: From<&u32>` is not satisfied

Check failure on line 594 in tests/contest/runtimetest/src/tests.rs

View workflow job for this annotation

GitHub Actions / oci-validation-rust (x86_64, gnu)

the trait bound `Gid: From<&u32>` is not satisfied

Check failure on line 594 in tests/contest/runtimetest/src/tests.rs

View workflow job for this annotation

GitHub Actions / oci-validation-rust (x86_64, musl)

the trait bound `Gid: From<&u32>` is not satisfied
return Err(std::io::Error::new(
std::io::ErrorKind::Other,
format!("error additional gid want {}, got {}", gid, group),
));
}
}
}

Ok(())
}

// the validate_rootfs function is used to validate the rootfs of the container is
// as expected. This function is used in the no_pivot test to validate the rootfs
pub fn validate_rootfs() {
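Review bot: In `validate_additional_gids` the nested loop returns an error as soon as any process group differs from any expected gid, so it fails whenever more than one distinct gid is involved and returns `Ok(())` without comparing anything when `getgroups()` yields an empty list. For a test meant to prove the runtime applied the spec's supplementary groups, the empty case matters most: a container that ended up with no additional groups would pass. A membership check per expected gid closes both cases, and `getgroups()` can propagate its error through the existing `io::Error` return type instead of `unwrap()`. If the spec list is meant to be exhaustive, the reverse direction (no process group outside `gids`) would need a second check; that cannot be told from this section.

```rust
fn validate_additional_gids(gids: &Vec<u32>) -> std::result::Result<(), std::io::Error> {
    let groups = getgroups().map_err(std::io::Error::from)?;

    for gid in gids {
        // every gid the spec asks for must be present in the process's group list
        if !groups.contains(&Gid::from_raw(*gid)) {
            return Err(std::io::Error::new(
                std::io::ErrorKind::Other,
                format!("error additional gid want {gid}, got {groups:?}"),
            ));
        }
    }

    Ok(())
}
```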
35 changes: 0 additions & 35 deletions tests/contest/runtimetest/src/utils.rs
Expand Up @@ -4,7 +4,6 @@ use std::os::unix::prelude::MetadataExt;
use std::path::PathBuf;
use std::process::Command;

use libc::getgroups;
use nix::sys::stat::{stat, SFlag};

fn test_file_read_access(path: &str) -> Result<(), std::io::Error> {
Expand Down Expand Up @@ -472,37 +471,3 @@ pub fn test_mount_rsuid_option(path: &str) -> Result<(), std::io::Error> {
format!("rsuid error {path:?}"),
))
}

pub fn test_additional_gids(gids: &Vec<u32>) -> Result<(), std::io::Error> {
let ngroups = unsafe { getgroups(0, std::ptr::null_mut()) };

if ngroups == -1 {
return Err(std::io::Error::new(
std::io::ErrorKind::Other,
"error retrieving group count",
));
}

let mut groups: Vec<libc::gid_t> = vec![0; ngroups as usize];
let result = unsafe { getgroups(ngroups, groups.as_mut_ptr()) };

if result == -1 {
return Err(std::io::Error::new(
std::io::ErrorKind::Other,
"error retrieving group IDs",
));
}

for group in &groups {
for gid in gids {
if group != gid {
return Err(std::io::Error::new(
std::io::ErrorKind::Other,
format!("error additional gid want {}, got {}", gid, group),
));
}
}
}

Ok(())
}
