Skip to content

Commit

Permalink
[lxd] Change instance image permissions to root only
Browse files Browse the repository at this point in the history
  • Loading branch information
Sploder12 committed Nov 13, 2024
1 parent b22bf35 commit 1e245a5
Show file tree
Hide file tree
Showing 4 changed files with 24 additions and 3 deletions.
2 changes: 1 addition & 1 deletion src/daemon/default_vm_image_vault.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -669,7 +669,7 @@ QString mp::DefaultVMImageVault::extract_image_from(const VMImage& source_image,
const ProgressMonitor& monitor,
const mp::Path& dest_dir)
{
MP_UTILS.make_dir(dest_dir, QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner);
MP_UTILS.make_dir(dest_dir, QFile::ReadOwner | QFile::WriteOwner);
MP_PLATFORM.set_root_as_owner(dest_dir);

Check warning on line 673 in src/daemon/default_vm_image_vault.cpp

View check run for this annotation

Codecov / codecov/patch

src/daemon/default_vm_image_vault.cpp#L672-L673

Added lines #L672 - L673 were not covered by tests

QFileInfo file_info{source_image.image_path};
Expand Down
3 changes: 3 additions & 0 deletions src/platform/backends/lxd/lxd_vm_image_vault.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,9 @@ QString post_process_downloaded_image(const QString& image_path, const mp::Progr
mp::vault::delete_file(original_image_path);
}

MP_PLATFORM.set_permissions(new_image_path, QFile::ReadOwner | QFile::WriteOwner);
MP_PLATFORM.set_root_as_owner(new_image_path);

return new_image_path;
}

Expand Down
4 changes: 2 additions & 2 deletions src/utils/vm_image_vault_utils.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ QString mp::vault::copy(const QString& file_name, const QDir& output_dir)
auto new_path = output_dir.filePath(source_name);
QFile::copy(file_name, new_path);

MP_PLATFORM.set_permissions(new_path, QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner);
MP_PLATFORM.set_permissions(new_path, QFile::ReadOwner | QFile::WriteOwner);
MP_PLATFORM.set_root_as_owner(new_path);

return new_path;
Expand Down Expand Up @@ -95,7 +95,7 @@ QString mp::vault::extract_image(const mp::Path& image_path, const mp::ProgressM

xz_decoder.decode_to(new_image_path, monitor);

MP_PLATFORM.set_permissions(new_image_path, QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner);
MP_PLATFORM.set_permissions(new_image_path, QFile::ReadOwner | QFile::WriteOwner);
MP_PLATFORM.set_root_as_owner(new_image_path);

Check warning on line 99 in src/utils/vm_image_vault_utils.cpp

View check run for this annotation

Codecov / codecov/patch

src/utils/vm_image_vault_utils.cpp#L98-L99

Added lines #L98 - L99 were not covered by tests

mp::vault::delete_file(image_path);
Expand Down
18 changes: 18 additions & 0 deletions tests/test_image_vault.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
#include "mock_image_host.h"
#include "mock_json_utils.h"
#include "mock_logger.h"
#include "mock_platform.h"
#include "mock_process_factory.h"
#include "path.h"
#include "stub_url_downloader.h"
Expand Down Expand Up @@ -413,6 +414,11 @@ TEST_F(ImageVault, remembers_prepared_images)

TEST_F(ImageVault, uses_image_from_prepare)
{
auto [mock_platform, platform_guard] = mpt::MockPlatform::inject();

ON_CALL(*mock_platform, set_permissions).WillByDefault(Return(true));
ON_CALL(*mock_platform, set_root_as_owner).WillByDefault(Return(true));

constexpr auto expected_data = "12345-pied-piper-rats";

QDir dir{cache_dir.path()};
Expand Down Expand Up @@ -508,6 +514,12 @@ TEST_F(ImageVault, invalid_image_dir_is_removed)

TEST_F(ImageVault, DISABLE_ON_WINDOWS_AND_MACOS(file_based_fetch_copies_image_and_returns_expected_info))
{
auto [mock_platform, platform_guard] = mpt::MockPlatform::inject();

ON_CALL(*mock_platform, is_image_url_supported).WillByDefault(Return(true));
ON_CALL(*mock_platform, set_permissions).WillByDefault(Return(true));
ON_CALL(*mock_platform, set_root_as_owner).WillByDefault(Return(true));

mpt::TempFile file;
mp::DefaultVMImageVault vault{hosts, &url_downloader, cache_dir.path(), data_dir.path(), mp::days{0}};
auto query = default_query;
Expand Down Expand Up @@ -739,6 +751,12 @@ TEST_F(ImageVault, minimum_image_size_returns_expected_size)

TEST_F(ImageVault, DISABLE_ON_WINDOWS_AND_MACOS(file_based_minimum_size_returns_expected_size))
{
auto [mock_platform, platform_guard] = mpt::MockPlatform::inject();

ON_CALL(*mock_platform, is_image_url_supported).WillByDefault(Return(true));
ON_CALL(*mock_platform, set_permissions).WillByDefault(Return(true));
ON_CALL(*mock_platform, set_root_as_owner).WillByDefault(Return(true));

const mp::MemorySize image_size{"2097152"};
const mp::ProcessState qemuimg_exit_status{0, std::nullopt};
const QByteArray qemuimg_output(fake_img_info(image_size));
Expand Down

0 comments on commit 1e245a5

Please sign in to comment.