[lxc-devel] [lxd/master] Smarter handling of `volatile` keys in restricted projects #7896
jtajonera on Github
lxc-bot at linuxcontainers.org
Sat Dec 12 05:28:05 UTC 2020
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 576 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20201211/224e69c5/attachment.bin>
-------------- next part --------------
From 4fe66fee77a368bf465b796bc8cb2daccae5e582 Mon Sep 17 00:00:00 2001
From: Jeremy Tajonera <jtajonera at utexas.edu>
Date: Fri, 11 Dec 2020 23:11:12 -0600
Subject: [PATCH 1/2] Issue #7896 Smarter handling of `volatile` keys in
restricted projects
---
lxd/project/permissions.go | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
index 7c320bc2c4..d744db340c 100644
--- a/lxd/project/permissions.go
+++ b/lxd/project/permissions.go
@@ -152,11 +152,29 @@ func checkRestrictionsOnVolatileConfig(project *api.Project, instanceType instan
return nil
}
+ // List of safe keys
+ safe_keys := [5]string{"volatile.apply_template", "volatile.base_image", "volatile.last_state.power", "volatile.DEVNAME.apply_quota", "volatile.DEVNAME.hwaddr"}
+
for key, value := range config {
if !strings.HasPrefix(key, shared.ConfigVolatilePrefix) {
continue
}
+ // Allow given safe volatile keys to be set
+ var isSafeKey bool
+ for _, safe_key := range safe_keys {
+ // If current key is in the safe_key list, break out of for loop and set isSafeKey to true
+ if safe_key == key {
+ isSafeKey = true
+ break
+ }
+ }
+
+ // If the current key is a safe volatile key, get out of current iteration
+ if isSafeKey {
+ continue
+ }
+
currentValue, ok := currentConfig[key]
if !ok {
return fmt.Errorf(
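Review bot: The two device-scoped entries in `safe_keys`, `volatile.DEVNAME.apply_quota` and `volatile.DEVNAME.hwaddr`, are compared with `safe_key == key`, so they match only a device literally named DEVNAME; real per-device keys still fall through to the restriction below. Keep the three fixed keys as exact matches and test the device-scoped ones by shape, for example `parts := strings.Split(key, "."); if len(parts) == 3 && (parts[2] == "apply_quota" || parts[2] == "hwaddr") { continue }` (assuming device names cannot contain dots), rather than a bare suffix test that would accept any key ending in those words. Because this list widens what a restricted project may set, each entry deserves a short comment on why it is safe; a user-chosen `hwaddr` in particular should be confirmed against the project's network restrictions. The identifiers should also be MixedCaps (`safeKeys`, `safeKey`), and the body of checkRestrictionsOnVolatileConfig continues outside this hunk.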
From 84bd55bfd087f1b4f3aff50ef8ac0f677fe40a73 Mon Sep 17 00:00:00 2001
From: Jeremy Tajonera <jtajonera at utexas.edu>
Date: Fri, 11 Dec 2020 23:24:07 -0600
Subject: [PATCH 2/2] Issue 7896 - Removed Fail on unsafe key, delete key
instead
---
lxd/project/permissions.go | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
index d744db340c..89ea97230a 100644
--- a/lxd/project/permissions.go
+++ b/lxd/project/permissions.go
@@ -177,15 +177,13 @@ func checkRestrictionsOnVolatileConfig(project *api.Project, instanceType instan
currentValue, ok := currentConfig[key]
if !ok {
- return fmt.Errorf(
- "Setting %q on %s %q in project %q is forbidden",
- key, instanceType, instanceName, project.Name)
+ // Strip any non-allowed volatile key from the config
+ delete(config, key)
}
if currentValue != value {
- return fmt.Errorf(
- "Changing %q on %s %q in project %q is forbidden",
- key, instanceType, instanceName, project.Name)
+ // Strip any non-allowed volatile key from the config
+ delete(config, key)
}
}
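Review bot: Replacing both `return fmt.Errorf(...)` calls with `delete(config, key)` turns this restriction check into a silent edit of its argument, so enforcement now depends on the caller persisting this exact map afterwards, which the hunk does not show. If the caller validates a copy, or builds the stored config from the request again, a forbidden or changed volatile key would be accepted with no error and no log entry, and the user gets no indication that the key was dropped. If stripping is the intended behaviour, document on the function that it mutates `config`, log the dropped key, and merge the two branches so the `!ok` case does not fall through into the `currentValue != value` comparison against an empty string: `if !ok || currentValue != value { delete(config, key); continue }`. Otherwise keep the error returns for keys outside the allow-list. The function starts and ends outside this hunk, so whether `fmt`, `instanceType` and `instanceName` are still used cannot be checked from here.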