[lxc-devel] [PATCH 2/2] lxc-busybox: Prevent copying binaries from /usr/local to container

[Bogdan Purcareata]

On some systems, some binaries needed by the container features (dropbear,
openssh), may be placed in /usr/local/* directories. Since semantically they are
destined for the local machine only, and it can further imply the associated
libraries are also available in /usr/local/lib* directories, prevent them from
being copied in the container rootfs.

The user should only use these binaries if they are installed at system-wide
locations on the host, such as /{s,}bin or /usr/{s,}bin.

Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
---
 templates/lxc-busybox.in | 42 +++++++++++++++++++++++++++---------------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 4f27bd8..6cd570a 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -38,6 +38,30 @@ am_in_userns() {
 in_userns=0
 [ $(am_in_userns) = "yes" ] && in_userns=1
 
+copy_binary()
+{
+    binary_path=`which $1`
+    if [ $? -ne 0 ]; then
+        echo "Unable to find $1 binary on the system"
+        return 1
+    fi
+
+    echo $binary_path | grep "/usr/local" >/dev/null 2>&1
+    if [ $? -eq 0 ]; then
+        echo "Binary $1 is located at $binary_path and will not be copied"
+        echo "(/usr/local path not supported)"
+        return 1
+    fi
+
+    cp $binary_path $rootfs/$binary_path
+    if [ $? -ne 0 ]; then
+        echo "Failed to copy $binary_path to rootfs"
+        return 1
+    fi
+
+    return 0
+}
+
 install_busybox()
 {
     rootfs=$1
@@ -172,11 +196,7 @@ EOF
 install_dropbear()
 {
     # copy dropbear binary
-    cp $(which dropbear) $rootfs/usr/sbin
-    if [ $? -ne 0 ]; then
-        echo "Failed to copy dropbear in the rootfs"
-        return 1
-    fi
+    copy_binary dropbear || return 1
 
     # make symlinks to various ssh utilities
     utils="\
@@ -232,19 +252,11 @@ $rootfs/var/run/sshd \
 
     # copy binaries
     for bin in $server_utils $client_utils; do
-        tool_path=`which $bin`
-        cp $tool_path $rootfs/$tool_path
-        if [ $? -ne 0 ]; then
-            echo "Unable to copy $tool_path in the rootfs"
-            return 1
-        fi
+        copy_binary $bin || return 1
     done
 
     for bin in $client_optional_utils; do
-        tool_path=`which $bin`
-        if [ $? -eq 0 ]; then
-            cp $tool_path $rootfs/$tool_path
-        fi
+        tool_path=`which $bin` && copy_binary $bin
     done
 
     # add user and group
-- 
2.1.4