Skip to content

Commit 05c443b

Browse files
haircommanderhaircommander
committed
config/sysctl: fail if there is a + in the value
Signed-off-by: Peter Hunt <[email protected]>
1 parent c4c89c6 commit 05c443b

File tree

2 files changed

+34
-5
lines changed

2 files changed

+34
-5
lines changed

internal/config/nsmgr/nsmgr.go

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -88,7 +88,11 @@ func (mgr *NamespaceManager) NewPodNamespaces(cfg *PodNamespacesConfig) ([]Names
8888
}
8989

9090
if len(cfg.Sysctls) != 0 {
91-
pinnsArgs = append(pinnsArgs, "-s", getSysctlForPinns(cfg.Sysctls))
91+
pinnsSysctls, err := getSysctlForPinns(cfg.Sysctls)
92+
if err != nil {
93+
return nil, errors.Wrapf(err, "invalid sysctl")
94+
}
95+
pinnsArgs = append(pinnsArgs, "-s", pinnsSysctls)
9296
}
9397

9498
var rootPair idtools.IDPair
@@ -171,14 +175,18 @@ func getMappingsForPinns(mappings []idtools.IDMap) string {
171175
return g.String()
172176
}
173177

174-
func getSysctlForPinns(sysctls map[string]string) string {
175-
// this assumes there's no sysctl with a `+` in it
178+
func getSysctlForPinns(sysctls map[string]string) (string, error) {
179+
// This assumes there's no valid sysctl value with a `+` in it
180+
// and as such errors if one is found.
176181
const pinnsSysctlDelim = "+"
177182
g := new(bytes.Buffer)
178183
for key, value := range sysctls {
184+
if strings.Contains(key, pinnsSysctlDelim) || strings.Contains(value, pinnsSysctlDelim) {
185+
return "", errors.Errorf("'%s=%s' is invalid: %s found yet should not be present", key, value, pinnsSysctlDelim)
186+
}
179187
fmt.Fprintf(g, "'%s=%s'%s", key, value, pinnsSysctlDelim)
180188
}
181-
return strings.TrimSuffix(g.String(), pinnsSysctlDelim)
189+
return strings.TrimSuffix(g.String(), pinnsSysctlDelim), nil
182190
}
183191

184192
// NamespaceFromProcEntry creates a new namespace object from a bind mount from a processes proc entry.

test/pod.bats

Lines changed: 22 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -156,11 +156,32 @@ function teardown() {
156156
[[ "$output" == *"net.ipv4.ip_forward = 1"* ]]
157157
}
158158

159-
@test "fail to pass pod sysctls to runtime if invalid" {
159+
@test "fail to pass pod sysctls to runtime if invalid spaces" {
160160
CONTAINER_DEFAULT_SYSCTLS="net.ipv4.ip_forward = 1" crio &
161161
! wait_until_reachable
162162
}
163163

164+
@test "fail to pass pod sysctl to runtime if invalid value" {
165+
if test -n "$CONTAINER_UID_MAPPINGS"; then
166+
skip "userNS enabled"
167+
fi
168+
start_crio
169+
170+
jq --arg sysctl "1024 65000'+'net.ipv4.ip_forward=0'" \
171+
' .linux.sysctls = {
172+
"net.ipv4.ip_local_port_range": $sysctl,
173+
}' "$TESTDATA"/sandbox_config.json > "$TESTDIR"/sandbox.json
174+
175+
! crictl runp "$TESTDIR"/sandbox.json
176+
177+
jq --arg sysctl "net.ipv4.ip_local_port_range=1024 65000'+'net.ipv4.ip_forward" \
178+
' .linux.sysctls = {
179+
($sysctl): "0",
180+
}' "$TESTDATA"/sandbox_config.json > "$TESTDIR"/sandbox.json
181+
182+
! crictl runp "$TESTDIR"/sandbox.json
183+
}
184+
164185
@test "skip pod sysctls to runtime if host" {
165186
if test -n "$CONTAINER_UID_MAPPINGS"; then
166187
skip "userNS enabled"

0 commit comments

Comments
 (0)