openstack/ironic
Code Issues Proposed changes

Fix selinux context of published image hardlink

Browse Source 
If the published image is a hardlink, the source selinux context is
preserved. This could cause access denied when retrieving the image
using its URL.

Change-Id: I550dac9d055ec30ec11530f18a675cf9e16063b5
This commit is contained in:
Riccardo Pittau 2022-12-24 11:49:23 +01:00
parent e011922bac
commit c05c09fd3a
3 changed files with 53 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ironic/drivers/modules/image_utils.py
View File

@ -211,6 +211,16 @@ class ImageHandler(object):
try:
os.link(image_file, published_file)
os.chmod(image_file, self._file_permission)
try:
utils.execute(
'/usr/sbin/restorecon', '-i', '-R', 'v', public_dir)
except FileNotFoundError as exc:
LOG.debug(
"Could not restore SELinux context on "
"%(public_dir)s, restorecon command not found.\n"
"Error: %(error)s",
{'public_dir': public_dir,
'error': exc})
except OSError as exc:
LOG.debug(

49
ironic/tests/unit/drivers/modules/test_image_utils.py
View File

@ -105,73 +105,96 @@ class RedfishImageHandlerTestCase(db_base.DbTestCase):
mock_swift_api.delete_object.assert_called_once_with(
'ironic_redfish_container', object_name)
@mock.patch.object(utils, 'execute', autospec=True)
@mock.patch.object(os, 'chmod', autospec=True)
@mock.patch.object(image_utils, 'shutil', autospec=True)
@mock.patch.object(os, 'link', autospec=True)
@mock.patch.object(os, 'mkdir', autospec=True)
def test_publish_image_local_link(
self, mock_mkdir, mock_link, mock_shutil, mock_chmod):
self, mock_mkdir, mock_link, mock_shutil, mock_chmod,
mock_execute):
self.config(use_swift=False, group='redfish')
self.config(http_url='http://localhost', group='deploy')
img_handler_obj = image_utils.ImageHandler(self.node.driver)
url = img_handler_obj.publish_image('file.iso', 'boot.iso')
self.assertEqual(
'http://localhost/redfish/boot.iso', url)
mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755)
mock_link.assert_called_once_with(
'file.iso', '/httpboot/redfish/boot.iso')
mock_chmod.assert_called_once_with('file.iso', 0o644)
mock_execute.assert_called_once_with(
'/usr/sbin/restorecon', '-i', '-R', 'v', '/httpboot/redfish')
@mock.patch.object(utils, 'execute', autospec=True)
@mock.patch.object(os, 'chmod', autospec=True)
@mock.patch.object(image_utils, 'shutil', autospec=True)
@mock.patch.object(os, 'link', autospec=True)
@mock.patch.object(os, 'mkdir', autospec=True)
def test_publish_image_local_link_no_restorecon(
self, mock_mkdir, mock_link, mock_shutil, mock_chmod,
mock_execute):
self.config(use_swift=False, group='redfish')
self.config(http_url='http://localhost', group='deploy')
img_handler_obj = image_utils.ImageHandler(self.node.driver)
url = img_handler_obj.publish_image('file.iso', 'boot.iso')
self.assertEqual(
'http://localhost/redfish/boot.iso', url)
mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755)
mock_link.assert_called_once_with(
'file.iso', '/httpboot/redfish/boot.iso')
mock_chmod.assert_called_once_with('file.iso', 0o644)
mock_execute.return_value = FileNotFoundError
mock_shutil.assert_not_called()
@mock.patch.object(utils, 'execute', autospec=True)
@mock.patch.object(os, 'chmod', autospec=True)
@mock.patch.object(image_utils, 'shutil', autospec=True)
@mock.patch.object(os, 'link', autospec=True)
@mock.patch.object(os, 'mkdir', autospec=True)
def test_publish_image_external_ip(
self, mock_mkdir, mock_link, mock_shutil, mock_chmod):
self, mock_mkdir, mock_link, mock_shutil, mock_chmod,
mock_execute):
self.config(use_swift=False, group='redfish')
self.config(http_url='http://localhost',
external_http_url='http://non-local.host',
group='deploy')
img_handler_obj = image_utils.ImageHandler(self.node.driver)
url = img_handler_obj.publish_image('file.iso', 'boot.iso')
self.assertEqual(
'http://non-local.host/redfish/boot.iso', url)
mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755)
mock_link.assert_called_once_with(
'file.iso', '/httpboot/redfish/boot.iso')
mock_chmod.assert_called_once_with('file.iso', 0o644)
mock_execute.assert_called_once_with(
'/usr/sbin/restorecon', '-i', '-R', 'v', '/httpboot/redfish')
@mock.patch.object(utils, 'execute', autospec=True)
@mock.patch.object(os, 'chmod', autospec=True)
@mock.patch.object(image_utils, 'shutil', autospec=True)
@mock.patch.object(os, 'link', autospec=True)
@mock.patch.object(os, 'mkdir', autospec=True)
def test_publish_image_external_ip_node_override(
self, mock_mkdir, mock_link, mock_shutil, mock_chmod):
self, mock_mkdir, mock_link, mock_shutil, mock_chmod,
mock_execute):
self.config(use_swift=False, group='redfish')
self.config(http_url='http://localhost',
external_http_url='http://non-local.host',
group='deploy')
img_handler_obj = image_utils.ImageHandler(self.node.driver)
self.node.driver_info["external_http_url"] = "http://node.override.url"
override_url = self.node.driver_info.get("external_http_url")
url = img_handler_obj.publish_image('file.iso', 'boot.iso',
override_url)
self.assertEqual(
'http://node.override.url/redfish/boot.iso', url)
mock_mkdir.assert_called_once_with('/httpboot/redfish', 0o755)
mock_link.assert_called_once_with(
'file.iso', '/httpboot/redfish/boot.iso')
mock_chmod.assert_called_once_with('file.iso', 0o644)
mock_execute.assert_called_once_with(
'/usr/sbin/restorecon', '-i', '-R', 'v', '/httpboot/redfish')
@mock.patch.object(os, 'chmod', autospec=True)
@mock.patch.object(image_utils, 'shutil', autospec=True)

7
releasenotes/notes/fix-context-image-hardlink-16f452974abc7327.yaml Normal file
View File

@ -0,0 +1,7 @@
---
fixes:
- |
Fixes an issue where if selinux is enabled and enforcing, and
the published image is a hardlink, the source selinux context
is preserved, causing access denied when retrieving the image
using hardlink URL.