podman icon indicating copy to clipboard operation
podman copied to clipboard

Published 20 hours ago verified publisher icon containers

Fix parsing of paths for unmask

Open ver4a opened this issue 8 months ago • 3 comments

This fixes an issue where multiple paths separated by a colon were treated as a single path, contrary to what docs say and unlike how mask option works.

Does this PR introduce a user-facing change?

Fixed a bug where multiple paths could not be set in --security-opt=unmask

ver4a avatar Mar 24 '25 14:03 ver4a

I'll try, but I'm not exactly sure what's going on. The tests currently test for this

podman run -d --name=maskCtr2 --security-opt unmask=/proc/acpi:/sys/firmware

and that does work, both paths are masked by default. But when I try adding paths that are read-only by default, it doesn't effect them. I don't understand how the parsing changes that in any way. Without this PR /proc/acpi and /sys/firmware get unmasked, /proc/sys and /sys/fs/cgroup remain read-only:

unmask=/proc/sys:/sys/fs/cgroup:/proc/acpi:/sys/firmware

I don't understand this behavior, I guess there could be two tests, one for masked paths and one for read-only paths, but it's strange. I'll double check this later when I have more time.

ver4a avatar Mar 24 '25 18:03 ver4a

I still don't know why some paths worked, but I've added a simple test with one that I can reproduce doesn't.

Overall I hate such string.Split() calls for paths because it means all users will be unable to specify paths with a colon in them. Given it is is already done with mask I guess it is good to be consistent so I am fine with it.

Agree, it's not pretty, I did it this way for consistency and also because I know absolutely no GO :)

ver4a avatar Mar 24 '25 23:03 ver4a

LGTM once comment is addressed

mheon avatar Apr 01 '25 23:04 mheon

A friendly reminder that this PR had no activity for 30 days.

github-actions[bot] avatar May 02 '25 00:05 github-actions[bot]

@ver4a would you be willing to push this over the finish line? much appreciated if so.

baude avatar May 06 '25 19:05 baude

Sorry for the delay, I got distracted with other stuff.

Could you please take another look at this @giuseppe? I've signed-off the commit with my legal name and made a new test based on your suggestion.

ver4a avatar May 09 '25 11:05 ver4a

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: giuseppe, Luap99, ver4a

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • ~~OWNERS~~ [Luap99,giuseppe]

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar May 12 '25 16:05 openshift-ci[bot]