Merge pull request #264 from NERSC/feature/allow_var_tmp

Feature/allow var tmp

configure.ac

@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.62])
-AC_INIT([shifter], [18.03.0], [[email protected]])
+AC_INIT([shifter], [18.03.3], [[email protected]])
 AC_CONFIG_SRCDIR([src/shifter_core.h])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_AUX_DIR([auxdir])

extra/CI/integration_test.sh

@@ -83,6 +83,9 @@ shifterimg pull ubuntu:16.04
 shifterimg lookup ubuntu:16.04
 ls /images
 
+echo "var/tmp exists"
+ls -ld /var/tmp
+
 echo "Ensure container gets basic setup"
 python $CIDIR/integration/test_shifterConfig_format.py ubuntu:16.04
 

shifter.spec

@@ -13,12 +13,14 @@
 %{!?systemd_requires:  %global _without_systemd --without-systemd}
 %endif
 
+%{!?shifter_release: %global shifter_release 1.nersc%{?dist}}
+
 %{?_with_slurm: %global with_slurm %{_prefix}}
 
 Summary:   NERSC Shifter -- Containers for HPC
 Name:      shifter
-Version:   18.03.2
-Release:   1.nersc%{?dist}
+Version:   18.03.3
+Release:   %{shifter_release}
 License:   BSD (LBNL-modified)
 Group:     System Environment/Base
 URL:       https://github.com/NERSC/shifter

src/VolumeMap.c

@@ -67,6 +67,7 @@ int validateVolumeMap_userRequest(
         const char *to,
         VolumeMapFlag *flags)
 {
+    const char *toExactAllowed[] = {"/var/tmp", NULL};
     const char *toStartsWithDisallowed[] = {
         "/etc", "/var", "etc", "var", "/opt/udiImage", "opt/udiImage", NULL
     };
@@ -76,8 +77,9 @@ int validateVolumeMap_userRequest(
     size_t allowedFlags = VOLMAP_FLAG_READONLY | VOLMAP_FLAG_PERNODECACHE;
 
     return _validateVolumeMap(
-            from, to, flags, toStartsWithDisallowed, toExactDisallowed,
-            fromStartsWithDisallowed, fromExactDisallowed, allowedFlags
+            from, to, flags, toExactAllowed, toStartsWithDisallowed,
+            toExactDisallowed, fromStartsWithDisallowed, fromExactDisallowed,
+            allowedFlags
     );
 }
 
@@ -86,6 +88,7 @@ int validateVolumeMap_siteRequest(
         const char *to,
         VolumeMapFlag *flags)
 {
+    const char *toExactAllowed[] = { NULL };
     const char *toStartsWithDisallowed[] = { NULL };
     const char *toExactDisallowed[] = {
         "/opt", "opt",
@@ -105,8 +108,9 @@ int validateVolumeMap_siteRequest(
         | VOLMAP_FLAG_PRIVATE;
 
     return _validateVolumeMap(
-            from, to, flags, toStartsWithDisallowed, toExactDisallowed,
-            fromStartsWithDisallowed, fromExactDisallowed, allowedFlags
+            from, to, flags, toExactAllowed, toStartsWithDisallowed,
+            toExactDisallowed, fromStartsWithDisallowed, fromExactDisallowed,
+            allowedFlags
     );
 }
 
@@ -585,6 +589,7 @@ int _validateVolumeMap(
         const char *from,
         const char *to,
         VolumeMapFlag *flags,
+        const char **toExactAllowed,
         const char **toStartsWithDisallowed,
         const char **toExactDisallowed,
         const char **fromStartsWithDisallowed,
@@ -628,25 +633,32 @@ int _validateVolumeMap(
         return 4;
     }
 
-    for (ptr = toStartsWithDisallowed; *ptr != NULL; ptr++) {
+    /* checking "from" before "to" since the "to" checks can return early */
+    for (ptr = fromStartsWithDisallowed; *ptr != NULL; ptr++) {
         size_t len = strlen(*ptr);
-        if (strncmp(to, *ptr, len) == 0) {
+        if (strncmp(from, *ptr, len) == 0) {
             return 1;
         }
     }
-    for (ptr = toExactDisallowed; *ptr != NULL; ptr++) {
-        if (strcmp(to, *ptr) == 0) {
+    for (ptr = fromExactDisallowed; *ptr != NULL; ptr++) {
+        if (strcmp(from, *ptr) == 0) {
             return 1;
         }
     }
-    for (ptr = fromStartsWithDisallowed; *ptr != NULL; ptr++) {
+
+    for (ptr = toExactAllowed; *ptr != NULL; ptr++) {
+        if (strcmp(to, *ptr) == 0) {
+            return 0;
+        }
+    }
+    for (ptr = toStartsWithDisallowed; *ptr != NULL; ptr++) {
         size_t len = strlen(*ptr);
-        if (strncmp(from, *ptr, len) == 0) {
+        if (strncmp(to, *ptr, len) == 0) {
             return 1;
         }
     }
-    for (ptr = fromExactDisallowed; *ptr != NULL; ptr++) {
-        if (strcmp(from, *ptr) == 0) {
+    for (ptr = toExactDisallowed; *ptr != NULL; ptr++) {
+        if (strcmp(to, *ptr) == 0) {
             return 1;
         }
     }

src/VolumeMap.h

@@ -105,6 +105,7 @@ int _validateVolumeMap(
         const char *from,
         const char *to,
         VolumeMapFlag *flags,
+        const char **toExactAllowed,
         const char **toStartsWithDisallowed, 
         const char **toExactDisallowed,
         const char **fromStartsWithDisallowed,

src/shifter_core.c

@@ -625,6 +625,7 @@ int prepareSiteModifications(const char *username,
     _MKDIR("var", 0755);
     _MKDIR("var/spool", 0755);
     _MKDIR("var/run", 0755);
+    _MKDIR("var/tmp", 0755);
     _MKDIR("var/empty", 0700);
     _MKDIR("proc", 0755);
     _MKDIR("sys", 0755);
@@ -948,6 +949,12 @@ int prepareSiteModifications(const char *username,
     mntBuffer[PATH_MAX-1] = 0;
     _BINDMOUNT(&mountCache, "/tmp", mntBuffer, 0, 1);
 
+    /* mount /var/tmp, checking if executable as an existance check */
+    if (access("/var/tmp", X_OK) == 0) {
+        snprintf(mntBuffer, PATH_MAX, "%s/var/tmp", udiRoot);
+        mntBuffer[PATH_MAX-1] = 0;
+        _BINDMOUNT(&mountCache, "/var/tmp", mntBuffer, 0, 1);
+    }
 
 #undef _MKDIR
 #undef _BINDMOUNT

src/test/test_VolumeMap.cpp

@@ -261,6 +261,9 @@ TEST(VolumeMapTestGroup, ValidateVolumeMap_basic) {
     ret = validateVolumeMap_userRequest("/test1Loc", "/var/log", NULL);
     CHECK(ret != 0);
 
+    ret = validateVolumeMap_userRequest("/test1Loc", "/var/tmp", NULL);
+    CHECK(ret == 0);
+
     ret = validateVolumeMap_userRequest("/test1Loc", "/opt", NULL);
     CHECK(ret != 0);