library: allow .ix-apps for ix_volumes (#1220)

truenas · Dec 23, 2024 · 269607e · 269607e
1 parent af6890d
commit 269607e
Show file tree

Hide file tree

Showing 57 changed files with 12 additions and 6 deletions.
diff --git a/library/2.1.5/__init__.py → library/2.1.6/__init__.py b/library/2.1.5/__init__.py → library/2.1.6/__init__.py
diff --git a/library/2.1.5/configs.py → library/2.1.6/configs.py b/library/2.1.5/configs.py → library/2.1.6/configs.py
diff --git a/library/2.1.5/container.py → library/2.1.6/container.py b/library/2.1.5/container.py → library/2.1.6/container.py
diff --git a/library/2.1.5/depends.py → library/2.1.6/depends.py b/library/2.1.5/depends.py → library/2.1.6/depends.py
diff --git a/library/2.1.5/deploy.py → library/2.1.6/deploy.py b/library/2.1.5/deploy.py → library/2.1.6/deploy.py
diff --git a/library/2.1.5/deps.py → library/2.1.6/deps.py b/library/2.1.5/deps.py → library/2.1.6/deps.py
diff --git a/library/2.1.5/deps_mariadb.py → library/2.1.6/deps_mariadb.py b/library/2.1.5/deps_mariadb.py → library/2.1.6/deps_mariadb.py
diff --git a/library/2.1.5/deps_perms.py → library/2.1.6/deps_perms.py b/library/2.1.5/deps_perms.py → library/2.1.6/deps_perms.py
diff --git a/library/2.1.5/deps_postgres.py → library/2.1.6/deps_postgres.py b/library/2.1.5/deps_postgres.py → library/2.1.6/deps_postgres.py
diff --git a/library/2.1.5/deps_redis.py → library/2.1.6/deps_redis.py b/library/2.1.5/deps_redis.py → library/2.1.6/deps_redis.py
diff --git a/library/2.1.5/device.py → library/2.1.6/device.py b/library/2.1.5/device.py → library/2.1.6/device.py
diff --git a/library/2.1.5/devices.py → library/2.1.6/devices.py b/library/2.1.5/devices.py → library/2.1.6/devices.py
diff --git a/library/2.1.5/dns.py → library/2.1.6/dns.py b/library/2.1.5/dns.py → library/2.1.6/dns.py
diff --git a/library/2.1.5/environment.py → library/2.1.6/environment.py b/library/2.1.5/environment.py → library/2.1.6/environment.py
diff --git a/library/2.1.5/error.py → library/2.1.6/error.py b/library/2.1.5/error.py → library/2.1.6/error.py
diff --git a/library/2.1.5/formatter.py → library/2.1.6/formatter.py b/library/2.1.5/formatter.py → library/2.1.6/formatter.py
diff --git a/library/2.1.5/functions.py → library/2.1.6/functions.py b/library/2.1.5/functions.py → library/2.1.6/functions.py
diff --git a/library/2.1.5/healthcheck.py → library/2.1.6/healthcheck.py b/library/2.1.5/healthcheck.py → library/2.1.6/healthcheck.py
diff --git a/library/2.1.5/labels.py → library/2.1.6/labels.py b/library/2.1.5/labels.py → library/2.1.6/labels.py
diff --git a/library/2.1.5/notes.py → library/2.1.6/notes.py b/library/2.1.5/notes.py → library/2.1.6/notes.py
diff --git a/library/2.1.5/portal.py → library/2.1.6/portal.py b/library/2.1.5/portal.py → library/2.1.6/portal.py
diff --git a/library/2.1.5/portals.py → library/2.1.6/portals.py b/library/2.1.5/portals.py → library/2.1.6/portals.py
diff --git a/library/2.1.5/ports.py → library/2.1.6/ports.py b/library/2.1.5/ports.py → library/2.1.6/ports.py
diff --git a/library/2.1.5/render.py → library/2.1.6/render.py b/library/2.1.5/render.py → library/2.1.6/render.py
diff --git a/library/2.1.5/resources.py → library/2.1.6/resources.py b/library/2.1.5/resources.py → library/2.1.6/resources.py
diff --git a/library/2.1.5/restart.py → library/2.1.6/restart.py b/library/2.1.5/restart.py → library/2.1.6/restart.py
diff --git a/library/2.1.5/storage.py → library/2.1.6/storage.py b/library/2.1.5/storage.py → library/2.1.6/storage.py
diff --git a/library/2.1.5/sysctls.py → library/2.1.6/sysctls.py b/library/2.1.5/sysctls.py → library/2.1.6/sysctls.py
diff --git a/library/2.1.5/tests/__init__.py → library/2.1.6/tests/__init__.py b/library/2.1.5/tests/__init__.py → library/2.1.6/tests/__init__.py
diff --git a/library/2.1.5/tests/test_build_image.py → library/2.1.6/tests/test_build_image.py b/library/2.1.5/tests/test_build_image.py → library/2.1.6/tests/test_build_image.py
diff --git a/library/2.1.5/tests/test_configs.py → library/2.1.6/tests/test_configs.py b/library/2.1.5/tests/test_configs.py → library/2.1.6/tests/test_configs.py
diff --git a/library/2.1.5/tests/test_container.py → library/2.1.6/tests/test_container.py b/library/2.1.5/tests/test_container.py → library/2.1.6/tests/test_container.py
diff --git a/library/2.1.5/tests/test_depends.py → library/2.1.6/tests/test_depends.py b/library/2.1.5/tests/test_depends.py → library/2.1.6/tests/test_depends.py
diff --git a/library/2.1.5/tests/test_deps.py → library/2.1.6/tests/test_deps.py b/library/2.1.5/tests/test_deps.py → library/2.1.6/tests/test_deps.py
diff --git a/library/2.1.5/tests/test_device.py → library/2.1.6/tests/test_device.py b/library/2.1.5/tests/test_device.py → library/2.1.6/tests/test_device.py
diff --git a/library/2.1.5/tests/test_dns.py → library/2.1.6/tests/test_dns.py b/library/2.1.5/tests/test_dns.py → library/2.1.6/tests/test_dns.py
diff --git a/library/2.1.5/tests/test_environment.py → library/2.1.6/tests/test_environment.py b/library/2.1.5/tests/test_environment.py → library/2.1.6/tests/test_environment.py
diff --git a/library/2.1.5/tests/test_formatter.py → library/2.1.6/tests/test_formatter.py b/library/2.1.5/tests/test_formatter.py → library/2.1.6/tests/test_formatter.py
diff --git a/library/2.1.5/tests/test_functions.py → library/2.1.6/tests/test_functions.py b/library/2.1.5/tests/test_functions.py → library/2.1.6/tests/test_functions.py
diff --git a/library/2.1.5/tests/test_healthcheck.py → library/2.1.6/tests/test_healthcheck.py b/library/2.1.5/tests/test_healthcheck.py → library/2.1.6/tests/test_healthcheck.py
diff --git a/library/2.1.5/tests/test_labels.py → library/2.1.6/tests/test_labels.py b/library/2.1.5/tests/test_labels.py → library/2.1.6/tests/test_labels.py
diff --git a/library/2.1.5/tests/test_notes.py → library/2.1.6/tests/test_notes.py b/library/2.1.5/tests/test_notes.py → library/2.1.6/tests/test_notes.py
diff --git a/library/2.1.5/tests/test_portal.py → library/2.1.6/tests/test_portal.py b/library/2.1.5/tests/test_portal.py → library/2.1.6/tests/test_portal.py
diff --git a/library/2.1.5/tests/test_ports.py → library/2.1.6/tests/test_ports.py b/library/2.1.5/tests/test_ports.py → library/2.1.6/tests/test_ports.py
diff --git a/library/2.1.5/tests/test_render.py → library/2.1.6/tests/test_render.py b/library/2.1.5/tests/test_render.py → library/2.1.6/tests/test_render.py
diff --git a/library/2.1.5/tests/test_resources.py → library/2.1.6/tests/test_resources.py b/library/2.1.5/tests/test_resources.py → library/2.1.6/tests/test_resources.py
diff --git a/library/2.1.5/tests/test_restart.py → library/2.1.6/tests/test_restart.py b/library/2.1.5/tests/test_restart.py → library/2.1.6/tests/test_restart.py
diff --git a/library/2.1.5/tests/test_sysctls.py → library/2.1.6/tests/test_sysctls.py b/library/2.1.5/tests/test_sysctls.py → library/2.1.6/tests/test_sysctls.py
diff --git a/library/2.1.5/tests/test_validations.py → library/2.1.6/tests/test_validations.py b/library/2.1.5/tests/test_validations.py → library/2.1.6/tests/test_validations.py
@@ -49,6 +49,12 @@ def test_is_allowed_path_direct(test_path, expected):
     assert is_allowed_path(test_path) == expected
 
 
+@patch.object(Path, "resolve", mock_resolve)
+def test_is_allowed_path_ix_volume():
+    """Test that IX volumes are not allowed"""
+    assert is_allowed_path("/mnt/.ix-apps/something", True)
+
+
 @patch.object(Path, "resolve", mock_resolve)
 def test_is_allowed_path_symlink(tmp_path):
     """

diff --git a/library/2.1.5/tests/test_volumes.py → library/2.1.6/tests/test_volumes.py b/library/2.1.5/tests/test_volumes.py → library/2.1.6/tests/test_volumes.py
diff --git a/library/2.1.5/validations.py → library/2.1.6/validations.py b/library/2.1.5/validations.py → library/2.1.6/validations.py
@@ -150,7 +150,7 @@ def valid_fs_path_or_raise(path: str):
     return path
 
 
-def is_allowed_path(input_path: str) -> bool:
+def is_allowed_path(input_path: str, is_ix_volume: bool = False) -> bool:
     """
     Validates that the given path (after resolving symlinks) is not
     one of the restricted paths or within those restricted directories.
@@ -159,15 +159,15 @@ def is_allowed_path(input_path: str) -> bool:
     """
     # Resolve the path to avoid symlink bypasses
     real_path = Path(input_path).resolve()
-    for restricted in RESTRICTED:
+    for restricted in RESTRICTED if not is_ix_volume else [r for r in RESTRICTED if r != Path("/mnt/.ix-apps")]:
         if real_path.is_relative_to(restricted):
             return False
 
     return real_path not in RESTRICTED_IN
 
 
-def allowed_fs_host_path_or_raise(path: str):
-    if not is_allowed_path(path):
+def allowed_fs_host_path_or_raise(path: str, is_ix_volume: bool = False):
+    if not is_allowed_path(path, is_ix_volume):
         raise RenderError(f"Path [{path}] is not allowed to be mounted.")
     return path
 

diff --git a/library/2.1.5/volume_mount.py → library/2.1.6/volume_mount.py b/library/2.1.5/volume_mount.py → library/2.1.6/volume_mount.py
diff --git a/library/2.1.5/volume_mount_types.py → library/2.1.6/volume_mount_types.py b/library/2.1.5/volume_mount_types.py → library/2.1.6/volume_mount_types.py
diff --git a/library/2.1.5/volume_sources.py → library/2.1.6/volume_sources.py b/library/2.1.5/volume_sources.py → library/2.1.6/volume_sources.py
@@ -58,7 +58,7 @@ def __init__(self, render_instance: "Render", config: "IxStorageIxVolumeConfig")
             )
 
         path = valid_fs_path_or_raise(ix_volumes[dataset_name].rstrip("/"))
-        self.source = allowed_fs_host_path_or_raise(path)
+        self.source = allowed_fs_host_path_or_raise(path, True)
 
     def get(self):
         return self.source

diff --git a/library/2.1.5/volume_types.py → library/2.1.6/volume_types.py b/library/2.1.5/volume_types.py → library/2.1.6/volume_types.py
diff --git a/library/2.1.5/volumes.py → library/2.1.6/volumes.py b/library/2.1.5/volumes.py → library/2.1.6/volumes.py
diff --git a/library/hashes.yaml b/library/hashes.yaml
@@ -1,2 +1,2 @@
 0.0.1: f074617a82a86d2a6cc78a4c8a4296fc9d168e456f12713e50c696557b302133
-2.1.5: 94754830801a8fa90e04e35d324a34a51b90d5919e544ebc1018e065adb02a12
+2.1.6: 84c965e8b9bea696765ab62b8ee3238162fe7807d0f0a61cf9c153994a47fa90