[lxc-devel] [lxd/master] Smarter handling of `volatile` keys in restricted projects #7896

jtajonera on Github lxc-bot at linuxcontainers.org
Sat Dec 12 05:28:05 UTC 2020


From 4fe66fee77a368bf465b796bc8cb2daccae5e582 Mon Sep 17 00:00:00 2001
From: Jeremy Tajonera <jtajonera at utexas.edu>
Date: Fri, 11 Dec 2020 23:11:12 -0600
Subject: [PATCH 1/2] Issue #7896 Smarter handling of `volatile` keys in
 restricted projects

---
 lxd/project/permissions.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
index 7c320bc2c4..d744db340c 100644
--- a/lxd/project/permissions.go
+++ b/lxd/project/permissions.go
@@ -152,11 +152,29 @@ func checkRestrictionsOnVolatileConfig(project *api.Project, instanceType instan
 		return nil
 	}
 
+	// List of safe keys
+	safe_keys := [5]string{"volatile.apply_template", "volatile.base_image", "volatile.last_state.power", "volatile.DEVNAME.apply_quota", "volatile.DEVNAME.hwaddr"}
+
 	for key, value := range config {
 		if !strings.HasPrefix(key, shared.ConfigVolatilePrefix) {
 			continue
 		}
 
+		// Allow given safe volatile keys to be set
+		var isSafeKey bool
+		for _, safe_key := range safe_keys {
+			// If current key is in the safe_key list, break out of for loop and set isSafeKey to true
+			if safe_key == key {
+				isSafeKey = true
+				break
+			}
+		}
+
+		// If the current key is a safe volatile key, get out of current iteration
+		if isSafeKey {
+			continue
+		}
+
 		currentValue, ok := currentConfig[key]
 		if !ok {
 			return fmt.Errorf(
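Review bot: The two `volatile.DEVNAME.*` entries in `safe_keys` are compared with `safe_key == key`, so they only match a device literally named DEVNAME; a real key such as `volatile.eth0.hwaddr` (constructed example) still falls through to the restricted path. If DEVNAME is meant as a placeholder, match the per-device keys by suffix instead, e.g. `if strings.HasSuffix(key, ".apply_quota") || strings.HasSuffix(key, ".hwaddr") { continue }`, and keep exact comparison only for the three fixed keys. The list would also read better as a package-level `safeKeys` slice (MixedCaps, no hard-coded `[5]` length), since it is rebuilt on every call. Every key matched here bypasses the restricted-project check entirely, so a test covering each allowed key and one near-miss would be worth adding. checkRestrictionsOnVolatileConfig starts before and continues past this hunk.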

From 84bd55bfd087f1b4f3aff50ef8ac0f677fe40a73 Mon Sep 17 00:00:00 2001
From: Jeremy Tajonera <jtajonera at utexas.edu>
Date: Fri, 11 Dec 2020 23:24:07 -0600
Subject: [PATCH 2/2] Issue 7896 - Removed Fail on unsafe key, delete key
 instead

---
 lxd/project/permissions.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
index d744db340c..89ea97230a 100644
--- a/lxd/project/permissions.go
+++ b/lxd/project/permissions.go
@@ -177,15 +177,13 @@ func checkRestrictionsOnVolatileConfig(project *api.Project, instanceType instan
 
 		currentValue, ok := currentConfig[key]
 		if !ok {
-			return fmt.Errorf(
-				"Setting %q on %s %q in project %q is forbidden",
-				key, instanceType, instanceName, project.Name)
+			// Strip any non-allowed volatile key from the config
+			delete(config, key)
 		}
 
 		if currentValue != value {
-			return fmt.Errorf(
-				"Changing %q on %s %q in project %q is forbidden",
-				key, instanceType, instanceName, project.Name)
+			// Strip any non-allowed volatile key from the config
+			delete(config, key)
 		}
 	}
 
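Review bot: Replacing both `return fmt.Errorf(...)` calls with `delete(config, key)` turns a restriction check into a silent rewrite of its input, so enforcement now depends on the caller continuing to use this same map afterwards. The caller is not visible in this hunk; if it passes a copy or has already read the values, a forbidden volatile key would be accepted with no error and no log entry. In the changed-value branch, deleting the key may also drop the instance's existing value on a full update, where `config[key] = currentValue` would keep it. The `!ok` branch needs a `continue` after the delete, otherwise it falls through into the `currentValue != value` comparison with an empty `currentValue`. The second comment repeats "non-allowed volatile key" although that branch handles a changed value, and the function body starts before this hunk.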

