feat: ensure namespace type matches path

nixpig · Dec 4, 2024 · dc51ba4 · dc51ba4
1 parent 249f117
commit dc51ba4
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -201,6 +201,7 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 - [x] linux_ns_itype
 - [x] linux_ns_nopath
 - [x] linux_ns_path
+- [x] linux_ns_path_type
 - [x] linux_readonly_paths
 - [x] linux_rootfs_propagation
 - [x] linux_sysctl
@@ -223,8 +224,6 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 
 ### ⚠️ To do
 
-- [ ] delete_only_create_resources
-- [ ] linux_ns_path_type
 - [ ] linux_process_apparmor_profile
 - [ ] linux_seccomp
 - [ ] pidfile
@@ -269,6 +268,7 @@ Clean: Delete:  exit status 1
 
 - misc_props (flaky due to test suite trying to delete container before process has exiting and status updated to stopped)
 - delete_resources (depends on cgroupv2, same as linux_cgroups\_\* tests)
+- delete_only_create_resources (depends on cgroupv2, same as linux_cgroups\_\* tests)
 
 ## Contributing
 

diff --git a/container/container_init.go b/container/container_init.go
@@ -7,6 +7,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"syscall"
 
 	"github.com/containerd/cgroups/v3/cgroup1"
@@ -110,6 +111,10 @@ func (c *Container) Init(reexec string, arg string, log *zerolog.Logger) error {
 			cloneFlags |= flag
 		} else {
 
+			if !strings.HasSuffix(ns.Path, fmt.Sprintf("/%s", ns.ToEnv())) {
+				return errors.New("namespace type and path do not match")
+			}
+
 			// TODO: align so the same mechanism is used for all namespaces?
 			if ns.Type == specs.MountNamespace {
 				reexecCmd.Env = append(reexecCmd.Env, fmt.Sprintf("gons_mnt=%s", ns.Path))
@@ -125,6 +130,7 @@ func (c *Container) Init(reexec string, arg string, log *zerolog.Logger) error {
 				_, _, errno := syscall.RawSyscall(unix.SYS_SETNS, uintptr(fd), 0, 0)
 				if errno != 0 {
 					log.Error().Str("path", ns.Path).Int("errno", int(errno)).Msg("FAIELD THE RAWSYSCALL")
+					return fmt.Errorf("errno: %w", err)
 				}
 			}
 		}

diff --git a/container/namespace/namespace.go b/container/namespace/namespace.go
@@ -9,6 +9,30 @@ import (
 
 type LinuxNamespace specs.LinuxNamespace
 
+func (ns *LinuxNamespace) ToEnv() string {
+	switch ns.Type {
+	case specs.PIDNamespace:
+		return "pid"
+	case specs.NetworkNamespace:
+		return "net"
+	case specs.MountNamespace:
+		return "mnt"
+	case specs.IPCNamespace:
+		return "ipc"
+	case specs.UTSNamespace:
+		return "uts"
+	case specs.UserNamespace:
+		return "user"
+	case specs.CgroupNamespace:
+		return "cgroup"
+	case specs.TimeNamespace:
+		return "time"
+	default:
+		return ""
+	}
+
+}
+
 func (ns *LinuxNamespace) ToFlag() (uintptr, error) {
 	switch ns.Type {
 	case specs.PIDNamespace:

diff --git a/oci.sh b/oci.sh
@@ -9,7 +9,6 @@ tests=(
   "config_updates_without_affect"
   "create"
   "delete"
-# "delete_only_create_resources"
   "hooks"
   "hooks_stdin"
   "hostname"
@@ -22,7 +21,7 @@ tests=(
   "linux_ns_itype"
   "linux_ns_nopath"
   "linux_ns_path"
-# "linux_ns_path_type"
+  "linux_ns_path_type"
 # "linux_process_apparmor_profile" # ???
   "linux_readonly_paths"
   "linux_rootfs_propagation"
@@ -52,6 +51,7 @@ tests=(
   # UNSUPPORTED DUE TO CGROUPV2
   # ---------------------------
   # "delete_resources"
+  # "delete_only_create_resources"
   # "linux_cgroups_blkio" # use of features deprecated in Linux kernel 5.0
   # "linux_cgroups_cpus"
   # "linux_cgroups_devices"