btrfs: reduce permissions on plugin directories

dmcgowan · samuelkarp · commit 7c621e1fcc08 · 2021-09-24T11:57:58.000-07:00
Disallow traversal into directories that may contain
unpacked or mounted image filesystems.

Signed-off-by: Derek McGowan &lt;derek@mcg.dev&gt;
Signed-off-by: Samuel Karp &lt;skarp@amazon.com&gt;
diff --git a/snapshots/btrfs/btrfs.go b/snapshots/btrfs/btrfs.go
@@ -51,11 +51,15 @@ type snapshotter struct {
 // root needs to be a mount point of btrfs.
 func NewSnapshotter(root string) (snapshots.Snapshotter, error) {
 	// If directory does not exist, create it
-	if _, err := os.Stat(root); err != nil {
+	if st, err := os.Stat(root); err != nil {
 		if !os.IsNotExist(err) {
 			return nil, err
 		}
-		if err := os.Mkdir(root, 0755); err != nil {
+		if err := os.Mkdir(root, 0700); err != nil {
+			return nil, err
+		}
+	} else if st.Mode()&os.ModePerm != 0700 {
+		if err := os.Chmod(root, 0700); err != nil {
 			return nil, err
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -51,11 +51,15 @@ type snapshotter struct {`
`51`	`51`	`// root needs to be a mount point of btrfs.`
`52`	`52`	`func NewSnapshotter(root string) (snapshots.Snapshotter, error) {`
`53`	`53`	`// If directory does not exist, create it`
`54`		`- if _, err := os.Stat(root); err != nil {`
	`54`	`+ if st, err := os.Stat(root); err != nil {`
`55`	`55`	`if !os.IsNotExist(err) {`
`56`	`56`	`return nil, err`
`57`	`57`	`}`
`58`		`- if err := os.Mkdir(root, 0755); err != nil {`
	`58`	`+ if err := os.Mkdir(root, 0700); err != nil {`
	`59`	`+ return nil, err`
	`60`	`+ }`
	`61`	`+ } else if st.Mode()&os.ModePerm != 0700 {`
	`62`	`+ if err := os.Chmod(root, 0700); err != nil {`
`59`	`63`	`return nil, err`
`60`	`64`	`}`
`61`	`65`	`}`