Remove escalated privileges

gabriel-samfira · gabriel-samfira · commit 0277b9b01a49 · 2023-05-31T02:11:40.000+03:00
Signed-off-by: Gabriel Adrian Samfira &lt;gsamfira@cloudbasesolutions.com&gt;
diff --git a/integration/client/go.mod b/integration/client/go.mod
@@ -4,7 +4,7 @@ go 1.19
 
 require (
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // replaced; see replace rules for actual version used.
-	github.com/Microsoft/go-winio v0.6.1
+	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/Microsoft/hcsshim v0.10.0-rc.8
 	github.com/Microsoft/hcsshim/test v0.0.0-20210408205431-da33ecd607e1
 	github.com/containerd/cgroups/v3 v3.0.1
diff --git a/integration/client/snapshot_test.go b/integration/client/snapshot_test.go
@@ -22,6 +22,7 @@ import (
 
 	. "github.com/containerd/containerd"
 	"github.com/containerd/containerd/snapshots"
+	"github.com/containerd/containerd/snapshots/testsuite"
 )
 
 func newSnapshotter(ctx context.Context, root string) (snapshots.Snapshotter, func() error, error) {
@@ -39,5 +40,9 @@ func newSnapshotter(ctx context.Context, root string) (snapshots.Snapshotter, fu
 }
 
 func TestSnapshotterClient(t *testing.T) {
-	runTestSnapshotterClient(t)
+	if testing.Short() {
+		t.Skip()
+	}
+
+	testsuite.SnapshotterSuite(t, DefaultSnapshotter, newSnapshotter)
 }
diff --git a/integration/client/snapshot_unix_test.go b/integration/client/snapshot_unix_test.go
diff --git a/integration/client/snapshot_windows_test.go b/integration/client/snapshot_windows_test.go
diff --git a/mount/mount_windows.go b/mount/mount_windows.go
@@ -39,7 +39,7 @@ var (
 )
 
 // Mount to the provided target.
-func (m *Mount) mount(target string) error {
+func (m *Mount) mount(target string) (retErr error) {
 	readOnly := false
 	for _, option := range m.Options {
 		if option == "ro" {
@@ -70,23 +70,23 @@ func (m *Mount) mount(target string) error {
 		HomeDir: home,
 	}
 
-	if err = hcsshim.ActivateLayer(di, layerID); err != nil {
+	if err := hcsshim.ActivateLayer(di, layerID); err != nil {
 		return fmt.Errorf("failed to activate layer %s: %w", m.Source, err)
 	}
 	defer func() {
-		if err != nil {
+		if retErr != nil {
 			if layerErr := hcsshim.DeactivateLayer(di, layerID); layerErr != nil {
 				log.G(context.TODO()).WithError(layerErr).Error("failed to deactivate layer during mount failure cleanup")
 			}
 		}
 	}()
 
-	if err = hcsshim.PrepareLayer(di, layerID, parentLayerPaths); err != nil {
+	if err := hcsshim.PrepareLayer(di, layerID, parentLayerPaths); err != nil {
 		return fmt.Errorf("failed to prepare layer %s: %w", m.Source, err)
 	}
 
 	defer func() {
-		if err != nil {
+		if retErr != nil {
 			if layerErr := hcsshim.UnprepareLayer(di, layerID); layerErr != nil {
 				log.G(context.TODO()).WithError(layerErr).Error("failed to unprepare layer during mount failure cleanup")
 			}
@@ -98,11 +98,11 @@ func (m *Mount) mount(target string) error {
 		return fmt.Errorf("failed to get volume path for layer %s: %w", m.Source, err)
 	}
 
-	if err = bindfilter.ApplyFileBinding(target, volume, readOnly); err != nil {
+	if err := bindfilter.ApplyFileBinding(target, volume, readOnly); err != nil {
 		return fmt.Errorf("failed to set volume mount path for layer %s: %w", m.Source, err)
 	}
 	defer func() {
-		if err != nil {
+		if retErr != nil {
 			if bindErr := bindfilter.RemoveFileBinding(target); bindErr != nil {
 				log.G(context.TODO()).WithError(bindErr).Error("failed to remove binding during mount failure cleanup")
 			}
@@ -112,7 +112,7 @@ func (m *Mount) mount(target string) error {
 	// Add an Alternate Data Stream to record the layer source.
 	// See https://docs.microsoft.com/en-au/archive/blogs/askcore/alternate-data-streams-in-ntfs
 	// for details on Alternate Data Streams.
-	if err = os.WriteFile(filepath.Clean(target)+":"+sourceStreamName, []byte(m.Source), 0666); err != nil {
+	if err := os.WriteFile(filepath.Clean(target)+":"+sourceStreamName, []byte(m.Source), 0666); err != nil {
 		return fmt.Errorf("failed to record source for layer %s: %w", m.Source, err)
 	}
 
diff --git a/snapshots/testsuite/testsuite.go b/snapshots/testsuite/testsuite.go
@@ -820,13 +820,13 @@ func checkSnapshotterViewReadonly(ctx context.Context, t *testing.T, snapshotter
 	}
 
 	testfile := filepath.Join(viewMountPoint, "testfile")
-	if err := os.WriteFile(testfile, []byte("testcontent"), 0777); err != nil {
+	err = os.WriteFile(testfile, []byte("testcontent"), 0777)
+	testutil.Unmount(t, viewMountPoint)
+	if err != nil {
 		t.Logf("write to %q failed with %v (EROFS is expected but can be other error code)", testfile, err)
 	} else {
-		testutil.Unmount(t, viewMountPoint)
 		t.Fatalf("write to %q should fail (EROFS) but did not fail", testfile)
 	}
-	testutil.Unmount(t, viewMountPoint)
 	assert.Nil(t, snapshotter.Remove(ctx, view))
 	assert.Nil(t, snapshotter.Remove(ctx, committed))
 }

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ import (`
`22`	`22`
`23`	`23`	`. "github.com/containerd/containerd"`
`24`	`24`	`"github.com/containerd/containerd/snapshots"`
	`25`	`+ "github.com/containerd/containerd/snapshots/testsuite"`
`25`	`26`	`)`
`26`	`27`
`27`	`28`	`func newSnapshotter(ctx context.Context, root string) (snapshots.Snapshotter, func() error, error) {`
`@@ -39,5 +40,9 @@ func newSnapshotter(ctx context.Context, root string) (snapshots.Snapshotter, fu`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`func TestSnapshotterClient(t *testing.T) {`
`42`		`- runTestSnapshotterClient(t)`
	`43`	`+ if testing.Short() {`
	`44`	`+ t.Skip()`
	`45`	`+ }`
	`46`	`+`
	`47`	`+ testsuite.SnapshotterSuite(t, DefaultSnapshotter, newSnapshotter)`
`43`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ var (`
`39`	`39`	`)`
`40`	`40`
`41`	`41`	`// Mount to the provided target.`
`42`		`-func (m *Mount) mount(target string) error {`
	`42`	`+func (m *Mount) mount(target string) (retErr error) {`
`43`	`43`	`readOnly := false`
`44`	`44`	`for _, option := range m.Options {`
`45`	`45`	`if option == "ro" {`
`@@ -70,23 +70,23 @@ func (m *Mount) mount(target string) error {`
`70`	`70`	`HomeDir: home,`
`71`	`71`	`}`
`72`	`72`
`73`		`- if err = hcsshim.ActivateLayer(di, layerID); err != nil {`
	`73`	`+ if err := hcsshim.ActivateLayer(di, layerID); err != nil {`
`74`	`74`	`return fmt.Errorf("failed to activate layer %s: %w", m.Source, err)`
`75`	`75`	`}`
`76`	`76`	`defer func() {`
`77`		`- if err != nil {`
	`77`	`+ if retErr != nil {`
`78`	`78`	`if layerErr := hcsshim.DeactivateLayer(di, layerID); layerErr != nil {`
`79`	`79`	`log.G(context.TODO()).WithError(layerErr).Error("failed to deactivate layer during mount failure cleanup")`
`80`	`80`	`}`
`81`	`81`	`}`
`82`	`82`	`}()`
`83`	`83`
`84`		`- if err = hcsshim.PrepareLayer(di, layerID, parentLayerPaths); err != nil {`
	`84`	`+ if err := hcsshim.PrepareLayer(di, layerID, parentLayerPaths); err != nil {`
`85`	`85`	`return fmt.Errorf("failed to prepare layer %s: %w", m.Source, err)`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`defer func() {`
`89`		`- if err != nil {`
	`89`	`+ if retErr != nil {`
`90`	`90`	`if layerErr := hcsshim.UnprepareLayer(di, layerID); layerErr != nil {`
`91`	`91`	`log.G(context.TODO()).WithError(layerErr).Error("failed to unprepare layer during mount failure cleanup")`
`92`	`92`	`}`
`@@ -98,11 +98,11 @@ func (m *Mount) mount(target string) error {`
`98`	`98`	`return fmt.Errorf("failed to get volume path for layer %s: %w", m.Source, err)`
`99`	`99`	`}`
`100`	`100`
`101`		`- if err = bindfilter.ApplyFileBinding(target, volume, readOnly); err != nil {`
	`101`	`+ if err := bindfilter.ApplyFileBinding(target, volume, readOnly); err != nil {`
`102`	`102`	`return fmt.Errorf("failed to set volume mount path for layer %s: %w", m.Source, err)`
`103`	`103`	`}`
`104`	`104`	`defer func() {`
`105`		`- if err != nil {`
	`105`	`+ if retErr != nil {`
`106`	`106`	`if bindErr := bindfilter.RemoveFileBinding(target); bindErr != nil {`
`107`	`107`	`log.G(context.TODO()).WithError(bindErr).Error("failed to remove binding during mount failure cleanup")`
`108`	`108`	`}`
`@@ -112,7 +112,7 @@ func (m *Mount) mount(target string) error {`
`112`	`112`	`// Add an Alternate Data Stream to record the layer source.`
`113`	`113`	`// See https://docs.microsoft.com/en-au/archive/blogs/askcore/alternate-data-streams-in-ntfs`
`114`	`114`	`// for details on Alternate Data Streams.`
`115`		`- if err = os.WriteFile(filepath.Clean(target)+":"+sourceStreamName, []byte(m.Source), 0666); err != nil {`
	`115`	`+ if err := os.WriteFile(filepath.Clean(target)+":"+sourceStreamName, []byte(m.Source), 0666); err != nil {`
`116`	`116`	`return fmt.Errorf("failed to record source for layer %s: %w", m.Source, err)`
`117`	`117`	`}`
`118`	`118`
Original file line number	Diff line number	Diff line change
`@@ -820,13 +820,13 @@ func checkSnapshotterViewReadonly(ctx context.Context, t *testing.T, snapshotter`
`820`	`820`	`}`
`821`	`821`
`822`	`822`	`testfile := filepath.Join(viewMountPoint, "testfile")`
`823`		`- if err := os.WriteFile(testfile, []byte("testcontent"), 0777); err != nil {`
	`823`	`+ err = os.WriteFile(testfile, []byte("testcontent"), 0777)`
	`824`	`+ testutil.Unmount(t, viewMountPoint)`
	`825`	`+ if err != nil {`
`824`	`826`	`t.Logf("write to %q failed with %v (EROFS is expected but can be other error code)", testfile, err)`
`825`	`827`	`} else {`
`826`		`- testutil.Unmount(t, viewMountPoint)`
`827`	`828`	`t.Fatalf("write to %q should fail (EROFS) but did not fail", testfile)`
`828`	`829`	`}`
`829`		`- testutil.Unmount(t, viewMountPoint)`
`830`	`830`	`assert.Nil(t, snapshotter.Remove(ctx, view))`
`831`	`831`	`assert.Nil(t, snapshotter.Remove(ctx, committed))`
`832`	`832`	`}`