add /tmp/apt-key to whitelist for Dockerfiles which use command
This commit is contained in:
parent
a2aae6274d
commit
5951d9b0ee
|
|
@ -20,11 +20,13 @@ import (
|
|||
"bytes"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/GoogleContainerTools/kaniko/pkg/timing"
|
||||
"github.com/GoogleContainerTools/kaniko/pkg/util"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
type LayeredMap struct {
|
||||
|
|
@ -113,13 +115,18 @@ func (l *LayeredMap) Add(s string) error {
|
|||
// from the current layered map by its hashing function.
|
||||
// Returns true if the file is changed.
|
||||
func (l *LayeredMap) CheckFileChange(s string) (bool, error) {
|
||||
oldV, ok := l.Get(s)
|
||||
t := timing.Start("Hashing files")
|
||||
defer timing.DefaultRun.Stop(t)
|
||||
newV, err := l.hasher(s)
|
||||
if err != nil {
|
||||
// if this file does not exist in the new layer return.
|
||||
if os.IsNotExist(err) {
|
||||
logrus.Tracef("%s detected as changed but does not exist", s)
|
||||
return false, nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
oldV, ok := l.Get(s)
|
||||
if ok && newV == oldV {
|
||||
return false, nil
|
||||
}
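Review bot: `os.IsNotExist(err)` on the new not-found branch only recognizes a bare `*os.PathError`/errno value; if `l.hasher` (not shown in this hunk) wraps the error it returns, this branch is never taken and a file that disappeared between the directory walk and the hash is surfaced as a hard error instead of being skipped. `if errors.Is(err, os.ErrNotExist) {` covers both shapes at the cost of an `errors` import. The trace message `detected as changed but does not exist` also reads as if the file counted as changed while the function returns `false, nil` (unchanged); a one-line comment such as `// a file that vanished since the walk is not a change in this layer; deletions are tracked separately` would state the intent explicitly — assuming deletions are indeed handled elsewhere, which this hunk does not show. The body of CheckFileChange continues past this hunk.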
|
||||
|
|
|
|||
|
|
@ -26,6 +26,7 @@ import (
|
|||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"regexp"
|
||||
"strings"
|
||||
"syscall"
|
||||
"time"
|
||||
|
|
@ -61,6 +62,12 @@ var initialWhitelist = []WhitelistEntry{
|
|||
Path: "/etc/mtab",
|
||||
PrefixMatchOnly: false,
|
||||
},
|
||||
{
|
||||
// we whitelist /tmp/apt-key-gpghome, since the apt keys are added temporarily in this directory.
|
||||
// from the base image
|
||||
Path: "/tmp/apt-key-gpghome",
|
||||
PrefixMatchOnly: true,
|
||||
},
|
||||
}
|
||||
|
||||
var whitelist = initialWhitelist
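Review bot: The new entry `Path: "/tmp/apt-key-gpghome",` only covers the directories apt-key actually creates (a random-suffixed `/tmp/apt-key-gpghome.XXXXXX`, judging by the test path `/tmp/apt-key-gpghome.xft/gpg.key` elsewhere in this commit) because the segment comparison in HasFilepathPrefix now treats each whitelist segment as an unanchored regular expression, so the wildcard is implicit and the entry silently depends on that matcher detail. Spelling it out as `Path: "/tmp/apt-key-gpghome.*",` documents the intent and keeps the entry working if the matcher is later anchored. The comment above it is also cut mid-sentence ("… in this directory. from the base image"); suggest `// apt-key creates a temporary GPG home under /tmp/apt-key-gpghome.XXXXXX while importing keys; skip it so these transient files are not snapshotted into the layer.` Whether base-image contents are involved is not visible here, so I would drop that fragment rather than guess at it.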
|
||||
|
|
@ -674,7 +681,7 @@ func excludeFile(path, buildcontext string) bool {
|
|||
return match
|
||||
}
|
||||
|
||||
// HasFilepathPrefix checks if the given file path begins with prefix
|
||||
// HasFilepathPrefix checks if the given file path begins with prefix
|
||||
func HasFilepathPrefix(path, prefix string, prefixMatchOnly bool) bool {
|
||||
prefix = filepath.Clean(prefix)
|
||||
prefixArray := strings.Split(prefix, "/")
|
||||
|
|
@ -687,11 +694,15 @@ func HasFilepathPrefix(path, prefix string, prefixMatchOnly bool) bool {
|
|||
if prefixMatchOnly && len(pathArray) == len(prefixArray) {
|
||||
return false
|
||||
}
|
||||
|
||||
for index := range prefixArray {
|
||||
if prefixArray[index] == pathArray[index] {
|
||||
continue
|
||||
m, err := regexp.MatchString(prefixArray[index], pathArray[index])
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
if !m {
|
||||
return false
|
||||
}
|
||||
return false
|
||||
}
|
||||
return true
|
||||
}
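Review bot: The per-segment `regexp.MatchString(prefixArray[index], pathArray[index])` is unanchored, so a whitelist segment now matches any path segment that merely contains it — a prefix `/var/run` would match `/var/runner/...`, and `apt-key-gpghome` matches `not-apt-key-gpghome-either` — and every existing whitelist entry, including any appended at runtime (not visible in this hunk), is reinterpreted as a regular expression; a segment whose metacharacters fail to compile makes the function return false with the error discarded, i.e. the path is quietly not whitelisted. Because the whitelist decides which files are left out of the snapshot, both directions matter: over-matching drops files from the image, under-matching leaks files that were meant to be excluded. Anchor the pattern so a segment must match in full, `m, err := regexp.MatchString("^(?:"+prefixArray[index]+")$", pathArray[index])`, and write the apt-key whitelist entry as `/tmp/apt-key-gpghome.*` so the wildcard is explicit rather than an artifact of the unanchored match. Compiling a regexp per segment for every file visited during a snapshot is also costly; precompiling the pattern when a WhitelistEntry is created would avoid that. The signature and first statements of HasFilepathPrefix lie outside this hunk.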
|
||||
|
|
|
|||
|
|
@ -259,6 +259,14 @@ func Test_CheckWhitelist(t *testing.T) {
|
|||
},
|
||||
want: false,
|
||||
},
|
||||
{
|
||||
name: "prefix match only ",
|
||||
args: args{
|
||||
path: "/tmp/apt-key-gpghome.xft/gpg.key",
|
||||
whitelist: []WhitelistEntry{{"/tmp/apt-key-gpghome.*", true}},
|
||||
},
|
||||
want: true,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
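Review bot: The added case only checks the positive match, so nothing pins the boundary `PrefixMatchOnly` exists for, and the switch to regex matching in HasFilepathPrefix could over-match without this test noticing. Add a rejecting case alongside it, `{name: "prefix match only rejects the directory itself", args: args{path: "/tmp/apt-key-gpghome.xft", whitelist: []WhitelistEntry{{"/tmp/apt-key-gpghome.*", true}}}, want: false},` — the expected false follows from the `len(pathArray) == len(prefixArray)` guard in HasFilepathPrefix, assuming CheckWhitelist routes through it as the test name suggests. A case with a segment that only partially contains the pattern (e.g. `/tmp/foo-apt-key-gpghome.xft/gpg.key`, want false) would document the intended anchoring as well. The name `"prefix match only "` carries a trailing space that ends up in the subtest name; drop it.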
|
||||
|
|
|
|||