[lxc-devel] [PATCH v2 2/2] lxc-busybox: Prevent copying binaries from /usr/local to container

Tue May 12 09:45:28 UTC 2015

On certain systems, some binaries needed by the container features (dropbear,
openssh), may be placed in non-standard (aka non-distribution-managed
locations), such as /usr/local/*, /opt/local/*, etc. Don't copy the respective
binaries in the container and return a clear error why.

The user should only use these binaries if they are installed at system-wide
locations on the host, such as /{s,}bin or /usr/{s,}bin.

v2:
- check that binary paths adhere to /{,usr/}{,s}bin only

Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
---
 templates/lxc-busybox.in | 43 ++++++++++++++++++++++++++++---------------
 1 file changed, 28 insertions(+), 15 deletions(-)

diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 17a3006..c020e66 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -38,6 +38,31 @@ am_in_userns() {
 in_userns=0
 [ $(am_in_userns) = "yes" ] && in_userns=1
 
+copy_binary()
+{
+    binary_path=`which $1`
+    if [ $? -ne 0 ]; then
+        echo "Unable to find $1 binary on the system"
+        return 1
+    fi
+
+    dir_path="${binary_path%/*}"
+    echo /{,usr/}{,s}bin | grep $dir_path >/dev/null 2>&1
+    if [ $? -ne 0 ]; then
+        echo "Binary $1 is located at $binary_path and will not be copied"
+        echo "($dir_path not supported)"
+        return 1
+    fi
+
+    cp $binary_path $rootfs/$binary_path
+    if [ $? -ne 0 ]; then
+        echo "Failed to copy $binary_path to rootfs"
+        return 1
+    fi
+
+    return 0
+}
+
 install_busybox()
 {
     rootfs=$1
@@ -164,11 +189,7 @@ EOF
 install_dropbear()
 {
     # copy dropbear binary
-    cp $(which dropbear) $rootfs/usr/sbin
-    if [ $? -ne 0 ]; then
-        echo "Failed to copy dropbear in the rootfs"
-        return 1
-    fi
+    copy_binary dropbear || return 1
 
     # make symlinks to various ssh utilities
     utils="\
@@ -224,19 +245,11 @@ $rootfs/var/run/sshd \
 
     # copy binaries
     for bin in $server_utils $client_utils; do
-        tool_path=`which $bin`
-        cp $tool_path $rootfs/$tool_path
-        if [ $? -ne 0 ]; then
-            echo "Unable to copy $tool_path in the rootfs"
-            return 1
-        fi
+        copy_binary $bin || return 1
     done
 
     for bin in $client_optional_utils; do
-        tool_path=`which $bin`
-        if [ $? -eq 0 ]; then
-            cp $tool_path $rootfs/$tool_path
-        fi
+        tool_path=`which $bin` && copy_binary $bin
     done
 
     # add user and group
-- 
2.1.4

