ebec6a80c0
Fix catchall regex to avoid privilege escalation. Related to issue : https://github.com/fgrehm/vagrant-lxc/issues/482
129 lines
4.2 KiB
Text
129 lines
4.2 KiB
Text
#!<%= cmd_paths['ruby'] %>
|
|
# Automatically created by vagrant-lxc
|
|
|
|
class Whitelist
|
|
class << self
|
|
def add(command, *args)
|
|
list[command] ||= []
|
|
list[command] << args
|
|
end
|
|
|
|
def add_regex(regex, *args)
|
|
regex_list << [regex, [args]]
|
|
end
|
|
|
|
def list
|
|
@list ||= {}
|
|
end
|
|
|
|
def regex_list
|
|
@regex_list ||= []
|
|
end
|
|
|
|
def allowed(command)
|
|
list[command] || allowed_regex(command) || []
|
|
end
|
|
|
|
def allowed_regex(command)
|
|
found = regex_list.find { |r| r[0] =~ command }
|
|
return found[1] if found
|
|
end
|
|
|
|
def run!(argv)
|
|
begin
|
|
command, args = `which #{argv.shift}`.chomp, argv || []
|
|
check!(command, args)
|
|
system "#{command} #{args.join(" ")}"
|
|
|
|
exit_code = $?.to_i
|
|
exit_code = 1 if exit_code == 256
|
|
|
|
exit exit_code
|
|
rescue => e
|
|
STDERR.puts e.message
|
|
exit 1
|
|
end
|
|
end
|
|
|
|
private
|
|
def check!(command, args)
|
|
allowed(command).each do |checks|
|
|
return if valid_args?(args, checks)
|
|
end
|
|
raise_invalid(command, args)
|
|
end
|
|
|
|
def valid_args?(args, checks)
|
|
return false unless valid_length?(args, checks)
|
|
check = nil
|
|
args.each_with_index do |provided, i|
|
|
check = checks[i] unless check == '**'
|
|
return false unless match?(provided, check)
|
|
end
|
|
true
|
|
end
|
|
|
|
def valid_length?(args, checks)
|
|
args.length == checks.length || checks.last == '**'
|
|
end
|
|
|
|
def match?(arg, check)
|
|
check == '**' || check.is_a?(Regexp) && !!check.match(arg) || arg == check
|
|
end
|
|
|
|
def raise_invalid(command, args)
|
|
raise "Invalid arguments for command #{command}, " <<
|
|
"provided args: #{args.inspect}"
|
|
end
|
|
end
|
|
end
|
|
|
|
base = "<%= lxc_base_path %>"
|
|
base_path = %r{\A#{base}/[\ -_\/\.\d\w]+$\z}
|
|
|
|
##
|
|
# Commands from provider.rb
|
|
# - Check lxc is installed
|
|
Whitelist.add '<%= cmd_paths['which'] %>', /\Alxc-\w+\z/
|
|
|
|
##
|
|
# Commands from driver.rb
|
|
# - Container config file
|
|
Whitelist.add '<%= cmd_paths['cat'] %>', base_path
|
|
# - Shared folders
|
|
Whitelist.add '<%= cmd_paths['mkdir'] %>', '-p', base_path
|
|
# - Container config customizations and pruning
|
|
Whitelist.add '<%= cmd_paths['cp'] %>', '-f', %r{/tmp/[\ -_\/\.\d\w]+$}, base_path
|
|
Whitelist.add '<%= cmd_paths['chown'] %>', 'root:root', base_path
|
|
# - Packaging
|
|
Whitelist.add '<%= cmd_paths['tar'] %>', '--numeric-owner', '-cvzf', %r{/tmp/^[\ -_\/\.\d\w]+$/rootfs.tar.gz}, '-C', base_path, './rootfs'
|
|
Whitelist.add '<%= cmd_paths['chown'] %>', /\A\d+:\d+\z/, %r{\A/tmp/^[\ -_\/\.\d\w]+$/rootfs\.tar\.gz\z}
|
|
# - Private network script and commands
|
|
Whitelist.add '<%= cmd_paths['ip'] %>', 'addr', 'add', /(\d+|\.)+\/24/, 'dev', /.+/
|
|
Whitelist.add '<%= cmd_paths['ip'] %>', 'link', 'set', /.+/, /(up|down)/
|
|
Whitelist.add '<%= cmd_paths['brctl'] %>', /(addbr|delbr)/, /.+/
|
|
Whitelist.add_regex %r{<%= pipework_regex %>}, '**'
|
|
|
|
##
|
|
# Commands from driver/cli.rb
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-version'
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-ls'
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-info', '--name', /^[\ -_\/\.\d\w]+$/
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-info', '--name', /^[\ -_\/\.\d\w]+$/, '-iH'
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-create', '-B', /^[\ -_\/\.\d\w]+$/, '--template', /^[\ -_\/\.\d\w]+$/, '--name', /^[\ -_\/\.\d\w]+$/, '**'
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-create', '--version'
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-destroy', '--name', /^[\ -_\/\.\d\w]+$/
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-start', '-d', '--name', /^[\ -_\/\.\d\w]+$/, '**'
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-stop', '--name', /^[\ -_\/\.\d\w]+$/
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-shutdown', '--name', /^[\ -_\/\.\d\w]+$/
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-attach', '--name', /^[\ -_\/\.\d\w]+$/, '**'
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-attach', '-h'
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-config', 'lxc.lxcpath'
|
|
Whitelist.add '<%= cmd_paths['lxc_bin'] %>/lxc-update-config', '-c', /^[\ -_\/\.\d\w]+$/
|
|
|
|
##
|
|
# Commands from driver/action/remove_temporary_files.rb
|
|
Whitelist.add '<%= cmd_paths['rm'] %>', '-rf', %r{\A#{base}/^[\ -_\/\.\d\w]+$/rootfs/tmp/[\ -_\/\.\d\w]+$}
|
|
|
|
# Watch out for stones
|
|
Whitelist.run!(ARGV)
|