Merge pull request #5544 from jonahbull/fix-up-env-var-secret-mounts-…

…for-chroot-isolation fix secret mounts for env vars when using chroot isolation
containers · May 27, 2024 · 6ad7efb · 6ad7efb · packit-as-a-service · May 27, 2024
2 parents bb4c8b0 + 939a58b
commit 6ad7efb
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/chroot/run_linux.go b/chroot/run_linux.go
@@ -518,7 +518,12 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 		if effectiveImportantFlags != expectedImportantFlags {
 			// Do a remount to try to get the desired flags to stick.
 			effectiveUnimportantFlags := uintptr(fs.Flags) & ^possibleImportantFlags
-			if err = unix.Mount(target, target, m.Type, unix.MS_REMOUNT|bindFlags|requestFlags|mountFlagsForFSFlags(effectiveUnimportantFlags), ""); err != nil {
+			remountFlags := unix.MS_REMOUNT | bindFlags | requestFlags | mountFlagsForFSFlags(effectiveUnimportantFlags)
+			// If we are requesting a read-only mount, add any possibleImportantFlags present in fs.Flags to remountFlags.
+			if requestFlags&unix.ST_RDONLY == unix.ST_RDONLY {
+				remountFlags |= uintptr(fs.Flags) & possibleImportantFlags
+			}
+			if err = unix.Mount(target, target, m.Type, remountFlags, ""); err != nil {
 				return undoBinds, fmt.Errorf("remounting %q in mount namespace with flags %#x instead of %#x: %w", target, requestFlags, effectiveImportantFlags, err)
 			}
 			// Check if the desired flags stuck.

diff --git a/tests/bud.bats b/tests/bud.bats
@@ -6825,3 +6825,12 @@ _EOF
   # both of these should have just been the base image's ID, which shouldn't have changed the second time around
   cmp ${TEST_SCRATCH_DIR}/image1.txt ${TEST_SCRATCH_DIR}/image2.txt
 }
+
+# Verify: https://github.com/containers/buildah/issues/5185
+@test "build-test --mount=type=secret test from env with chroot isolation" {
+  skip_if_root_environment "Need to not be root for this test to work"
+  local contextdir=$BUDFILES/secret-env
+  export MYSECRET=SOMESECRETDATA
+  run_buildah build $WITH_POLICY_JSON --no-cache --isolation chroot --secret id=MYSECRET -t test -f $contextdir/Dockerfile
+  expect_output --substring "SOMESECRETDATA"
+}
diff --git a/tests/bud/secret-env/Dockerfile b/tests/bud/secret-env/Dockerfile
@@ -0,0 +1,3 @@
+FROM alpine
+RUN --mount=type=secret,id=MYSECRET \
+     printf "%s\n" $(cat /run/secrets/MYSECRET)